From dshaw at jabberwocky.com Thu Sep 1 05:05:16 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 1 05:06:12 2005 Subject: [Sks-devel] Re: zero-length MPIs (was: Re: mpi error with check-trustdb in 1.4.2 - resolved) In-Reply-To: <20050824130716.GA4211@suse.de> References: <42F97044.9050603@comcast.net> <42FAC641.9040507@comcast.net> <20050811160217.GC358@wilma.widomaker.com> <20050811182144.GA33562@wilma.widomaker.com> <20050811195459.GB12783@opium.palfrader.org> <20050812002243.GD358@wilma.widomaker.com> <20050824130716.GA4211@suse.de> Message-ID: <20050901030516.GA20299@jabberwocky.com> On Wed, Aug 24, 2005 at 03:07:17PM +0200, Klaus Singvogel wrote: > I noticed that these messages are coming from > mpi/mpicoder.c:mpi_read() and had a closer look at it. :-) > > The second if check, for "goto overflow;" seems a bit doubtful (maybe > a copy&paste without to much thinking whats coming next ? :-) As > there are no mandatory reads from the iobuf coming, only optional > reads, I changed the code to "if (++nread > nmax)" and the problem > was gone (see attached patch). I think this is very close, but not perfect. You must also protect against accidentally reading too many bytes, as then you can't parse the rest of the stream. Try this patch. David -------------- next part -------------- Index: mpicoder.c =================================================================== --- mpicoder.c (revision 3878) +++ mpicoder.c (working copy) @@ -80,16 +80,20 @@ mpi_limb_t a; MPI val = MPI_NULL; + if (nread == nmax) + goto overflow; if( (c = iobuf_get(inp)) == -1 ) goto leave; - if (++nread >= nmax) + nread++; + nbits = c << 8; + + if (nread == nmax) goto overflow; - nbits = c << 8; if( (c = iobuf_get(inp)) == -1 ) goto leave; - if (++nread >= nmax) - goto overflow; + nread++; nbits |= c; + if( nbits > MAX_EXTERN_MPI_BITS ) { log_error("mpi too large for this implementation (%u bits)\n", nbits); goto leave; @@ -112,7 +116,7 @@ for( ; j > 0; j-- ) { a = 0; for(; i < BYTES_PER_MPI_LIMB; i++ ) { - if (nread >= nmax) { + if (nread == nmax) { #ifdef M_DEBUG mpi_debug_free (val); #else From alon.barlev at gmail.com Thu Sep 1 12:54:52 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Thu Sep 1 13:09:42 2005 Subject: OpenPGG Card In-Reply-To: References: <84ee92c719bd8f3b10caaec695f20cc2__25836.3736131743$1125141464$gmane$org@www.pythagoras.no-ip.org> Message-ID: <4316DDFC.5060804@gmail.com> Hello, I am sorry to intrude... But I had a discussion with Werner Koch about a similar issue. I think that gpg should support PKCS#11 interface for smartcards, so that it can be used with all smartcards that support this standard. PKCS#11 is the most used and most implemented standard. I don't understand why gpg developers choose to implement their own smartcard standard... The most reasonable claim I've got was the licensing issue... But nobody succeeded in proving that there is a licensing problem. You can look for messages with "PKCS#11 support for gpg-agent" subject for future information at gnupg-users. Best Regards, Alon Bar-Lev. Joe Smith wrote: > There is no need to post a message to the list three times. > >> Is it possible to obtain further details on the OpenPGP card? >> >> I have such a card and a working smartcard reader but, ideally, I'd >> like to >> obtain copies of the sourcecode and program my own cards. However, it's >> extremely difficult to track down any specific information! > > > You can get aditional information, but unfortunately the information > available is not to particularly satisfying. > > That said these are the details I know: > The openPGP cards are manufactured by PPC Card Systems using a chip > created by Atmel, running BasicCard OS, and code written presumably by > Werner Koch. The cards are non-reprogrammable, they are set to state > 'RUN'. > > The last I asked there were no other manufactures of OpenPGP Card > complient smartcards. > > ----- > > Ideally one should be able to just buy a smart card with rsa support, > download OpenPGP card source, and compile it. Then flash it and any > other things you wish to have on the card. However it sadly does not > work that way. > > Source code is not available. Here is a quote from an email Werner > sent me: > >>> Is the source for the program on the card available? >> >> >> No, this is not possible because the chip vendors supply chips only to >> large card vendors due to fear of litigation through Pay TV channels. >> They had pretty bad experience with that in recent years. Same goes >> with the firmare supplied with the chip which is the base of the >> (actual very small) application we did. Atmel will even stop the >> production of the chip we are currently using due to force by Pay TV >> lawyers (the same chip is used in many Pay TV scrambling systems; and >> they all use security by litigation). Its all a very sad and >> ridiculous situation. > > > If you can somehow manage to get ahold of a BasicCard OS-based > smartcard that has support for RSA, it would not be too difficult to > program it. Most of the crypto stuff is handled by the chip, so the > code needed to be written is mainly interface code. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From andihartmann at freenet.de Thu Sep 1 14:37:53 2005 From: andihartmann at freenet.de (Andreas Hartmann) Date: Thu Sep 1 15:20:01 2005 Subject: gpg-agent with preset passphrase Message-ID: <4316F621.1050608@pD9F87584.dip0.t-ipconnect.de> Hello Richard, the problem is, that the passphrase supplied with gpg-preset-passphrase is stored native and not as a hexstring. I did the following changes in agent.c: --- command.c.old 2005-07-27 16:18:13.000000000 +0200 +++ command.c 2005-09-01 14:30:46.000000000 +0200 @@ -807,7 +807,10 @@ unsigned char grip[20]; char *grip_clear = NULL; char *passphrase = NULL; + char *hexstring; int ttl; + int i; + unsigned char *p; if (!opt.allow_preset_passphrase) return gpg_error (GPG_ERR_NOT_SUPPORTED); @@ -843,7 +846,18 @@ else return map_to_assuan_status (gpg_error (GPG_ERR_NOT_IMPLEMENTED)); - rc = agent_put_cache (grip_clear, CACHE_MODE_ANY, passphrase, ttl); + /* map passphrase to hexstring */ + hexstring = gcry_malloc_secure(strlen ((char*)passphrase)*2+1); + if (!hexstring) + { + xfree (passphrase); + return map_to_assuan_status (gpg_error (GPG_ERR_MISSING_VALUE)); + } + + for (i=0, p=passphrase; *p; p++, i+=2) + sprintf(hexstring+i,"%02X",*p); + + rc = agent_put_cache (grip_clear, CACHE_MODE_ANY, hexstring, ttl); if (rc) log_error ("command preset_passwd failed: %s\n", gpg_strerror (rc)); These changes are probably not the best way, but they are working. The developpers do have a better solution for sure :-). But now, I have a question: How is it possible to get the KEYGRIP? If I do the following, I'm allways getting errors: andreas@athlon:~ > gpg-protect-tool --show-keygrip tmp_key.pub gpg-protect-tool: invalid S-Expression in `tmp_key.pub' (off=919): Bad hexadecimal character in S-expression andreas@athlon:~ > gpg-protect-tool --show-keygrip tmp_key.sec gpg-protect-tool: invalid S-Expression in `tmp_key.sec' (off=1017): Invalid length specifier in S-expression Probably wrong file format of the keys? Kind regards, Andreas Hartmann From cmetzke at gmail.com Thu Sep 1 23:51:31 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Fri Sep 2 00:46:43 2005 Subject: FTP Server Message-ID: <431777E3.50407@gmail.com> Hi there, I'm trying to setup a mirror of gcrypt folder at ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ so i can fully mirror gnupg. Any idea of when the ftp server will be back up ? From wk at gnupg.org Fri Sep 2 13:05:20 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 13:11:20 2005 Subject: FTP Server In-Reply-To: <431777E3.50407@gmail.com> (Cameron Metzke's message of "Fri, 02 Sep 2005 05:51:31 +0800") References: <431777E3.50407@gmail.com> Message-ID: <873bonlogf.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 05:51:31 +0800, Cameron Metzke said: > I'm trying to setup a mirror of gcrypt folder at > ftp://ftp.gnupg.org/pub/gcrypt/gnupg/ so i can fully mirror gnupg. > Any idea of when the ftp server will be back up ? Its running. For mirroring you might want to use rsync ftp.gnupg.org::gnupg Salam-Shalom, Werner From wk at gnupg.org Fri Sep 2 13:14:36 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 13:16:15 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: (Alon Bar-Lev's message of "Wed, 31 Aug 2005 09:46:08 +0200") References: Message-ID: <87y86fk9gj.fsf@wheatstone.g10code.de> On Wed, 31 Aug 2005 09:46:08 +0200, Alon Bar-Lev said: > I still don't understand where is the licensing problem of using PKCS#11 in > a GPLed application. Most pkcs#11 stuff is not GPL compatible. > This makes gpg UNUSABLE with smartcards, and I regret this fact. Despite the fact that it is used on a regular base by hundreds of users. Check scd/app-*.c to see what cards are supported. Well, to support a card (-application) the specs of the card are required to be available w/o an NDA. > Opensc uses PKCS#11 and is release under LGPL 2.1, although it LGPL I don't > see any reason > why the "L" is PKCS#11 depended OpenSC is not usable because it links to OpenSSL which is legal for LGPL but not when you want to use it with GPL code. > you have a problem only with PKCS#11... Because it is such an ugly "standard" [the quotes are on purpose]. > When user buys it's email signature/encryption certificate he expects to be > able to use it in > all smartcard enable applications... PKCS#11 provides this ability, and is Yes he expects this and will soon see that it was just an expectation. > Yes, I know that I can write my own agent... But I still think it will be a > mistake. I don't meant to write another agent. Write a pkcs#11 driver which uses gpg-agent as its token. Shalom-Salam, Werner From alon.barlev at gmail.com Fri Sep 2 14:30:29 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 13:40:27 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <87y86fk9gj.fsf@wheatstone.g10code.de> References: <87y86fk9gj.fsf@wheatstone.g10code.de> Message-ID: <431845E5.3090002@gmail.com> Werner Koch wrote: >>I still don't understand where is the licensing problem of using PKCS#11 in >>a GPLed application. >> >> > >Most pkcs#11 stuff is not GPL compatible. > > But it does not say that GPLed software cannot use PKCS#11 interface in order to access none GPLed tokens! >>This makes gpg UNUSABLE with smartcards, and I regret this fact. >> >> > >Despite the fact that it is used on a regular base by hundreds of >users. Check scd/app-*.c to see what cards are supported. Well, to >support a card (-application) the specs of the card are required to be >available w/o an NDA. > > Yes... despite this fact... >>you have a problem only with PKCS#11... >> >> > >Because it is such an ugly "standard" [the quotes are on purpose]. > > I am sorry to read that... I think it is a good standard... Just like any RSA Security PKCS#* standard... at least it is a standard that most programmers agree on... I don't understand why you guys did not rewritten the PKCS#7, PKCS#1, PKCS#8, PKCS#9 standards... And maybe to stay with PGP standard and not migrating to S/MIME... The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?! You could have been very happy in your close PGP format world. Even if the standards are ugly, they at least work! >>When user buys it's email signature/encryption certificate he expects to be >>able to use it in >>all smartcard enable applications... PKCS#11 provides this ability, and is >> >> > >Yes he expects this and will soon see that it was just an expectation. > > I am afraid you are totally wrong here... I hope you will wake up some-day... I am responsible of replacing software/suggest correct software for using smartcards. Currently gpg is on my black list... And because of this I tried to talk with you first to make you understand what you do wrong... It seems that I've failed! You don't understand or don't want to understand what the user expects, so you fail to provide it. >>Yes, I know that I can write my own agent... But I still think it will be a >>mistake. >> >> >I don't meant to write another agent. Write a pkcs#11 driver which >uses gpg-agent as its token. > > This is the WRONG WRONG WRONG approach!!!!!!! Sorry, I won't bother you any more, Alon Bar-Lev. From benjamin at pythagoras.no-ip.org Fri Sep 2 13:47:36 2005 From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie) Date: Fri Sep 2 13:52:32 2005 Subject: OpenPGG Card Message-ID: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> Alon Bar-Lev wrote: >I think that gpg should support PKCS#11 interface for smartcards, so >that it can be used with all smartcards that support this standard. I've had a quick look at the PKCS#11 and I think that you may have a point! >I don't understand why gpg developers choose to implement their own >smartcard standard... Nor me - the OpenPGP card seems to be anything but open to me! >The most reasonable claim I've got was the licensing issue... But nobody >succeeded in proving that there is a licensing problem. I think MUSCLE (Movement for the Use of SmartCards in a Linux Environment http://www.linuxnet.com) uses PKCS - I could be wrong though, I need to read through it in more detail. >You can look for messages with "PKCS#11 support for gpg-agent" subject >for future information at gnupg-users. I saw that... Perhaps we should "fork" GPG and work on a PKCS#11 compliant version... I'm fairly new to smartcards, but I have a fair bit of other programming experience... I don't think it would be too difficult to implement with the libraries that are available once I get hold of a suitable card... -- Benjamin benjamin@pythagoras.no-ip.org From alon.barlev at gmail.com Fri Sep 2 15:13:45 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 14:23:39 2005 Subject: OpenPGP Card In-Reply-To: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> Message-ID: <43185009.6060206@gmail.com> Benjamin Donnachie wrote: >Alon Bar-Lev wrote: > > >>I think that gpg should support PKCS#11 interface for smartcards, so >>that it can be used with all smartcards that support this standard. >> >> > >I've had a quick look at the PKCS#11 and I think that you may have a point! > > >>I don't understand why gpg developers choose to implement their own >>smartcard standard... >> >> > >Nor me - the OpenPGP card seems to be anything but open to me! > > Finally someone who understand... I had no such luck with Werner Koch, who argues that OpenPGP card is standard... I've promised him to not bother any more with this issue... >>The most reasonable claim I've got was the licensing issue... But nobody >>succeeded in proving that there is a licensing problem. >> >> > >I think MUSCLE (Movement for the Use of SmartCards in a Linux Environment >http://www.linuxnet.com) uses PKCS - I could be wrong though, I need to read >through it in more detail. > > Yes... I don't think there is a problem with licensing... All problems are in result of an approach that each application may define how its smartcard should be built. This approach like any other proprietary approach will disappear along with its software, as it was with other software that did not support generic devices like printers, modems etc... >>You can look for messages with "PKCS#11 support for gpg-agent" subject >>for future information at gnupg-users. >> >> > > >I saw that... Perhaps we should "fork" GPG and work on a PKCS#11 compliant >version... I'm fairly new to smartcards, but I have a fair bit of other >programming experience... >I don't think it would be too difficult to implement with the libraries that >are available once I get hold of a suitable card... > > I don't think it is wise... There are some suitable cards that provide PKCS#11 in Linux, forcing your card to use gpg will not allow you to use it with your browser or with your standard mail client. Just a thought... why do you use gpg? which feature you require? Maybe there are some alternatives without using proprietary hardware. Best Regards, Alon Bar-Lev. From alon.barlev at gmail.com Fri Sep 2 16:36:14 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 15:46:08 2005 Subject: OpenPGP Card In-Reply-To: <7943d9fa200163fbe9684445b2e55afd@www.pythagoras.no-ip.org> References: <7943d9fa200163fbe9684445b2e55afd@www.pythagoras.no-ip.org> Message-ID: <4318635E.4090409@gmail.com> Benjamin Donnachie wrote: > Alon Bar-Lev wrote: > > >>Just a thought... why do you use gpg? > > > Mainly because of my paranoia, and partly because I've used PGP since it was > a DOS based > program! :) > > >>which feature you require? > > > Signing / encrypting messages. However, I quite like the idea of > restricting admin access to my > server using smartcards - it would plug a few potential security holes. So why don't you use standard mail client such as mozilla thunderbird? It support S/MIME and PKCS#11 so that you can encrypt/sign messages and using smartcard!!! You don't have to use gpg for this. > Can you recommend any further smartcard reading? Yes... But you need to focus... What level? Programmer? Administrator? 1. Most popular for linux starting point is www.opensc.org. 2. Be sure your smartcard support PKCS#11 interface http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html. 3. Be sure your smartcard support pcsc-lite http://pcsclite.alioth.debian.org/ 4. Be sure your USB reader supports CCID driver http://pcsclite.alioth.debian.org/ 5. There is PAM PKCS#11 at www.opensc.org... 6. If you need one smartcard to be used on Windows machine and Linux machine - talk to me... Best Regards, Alon Bar-Lev. From patrick at mozilla-enigmail.org Fri Sep 2 16:06:35 2005 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Fri Sep 2 16:09:44 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alon Bar-Lev wrote: > Werner Koch wrote: [...] >>> you have a problem only with PKCS#11... >>> >> >> >> Because it is such an ugly "standard" [the quotes are on purpose]. >> >> > I am sorry to read that... I think it is a good standard... Just like > any RSA Security > PKCS#* standard... at least it is a standard that most programmers agree > on... > I don't understand why you guys did not rewritten the PKCS#7, PKCS#1, > PKCS#8, PKCS#9 > standards... And maybe to stay with PGP standard and not migrating to > S/MIME... > The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?! > You could have been very happy in your close PGP format world. > Even if the standards are ugly, they at least work! I think this is a misunderstanding. gpg 1.9 is not about _migration_ to S/MIME, it's about _adding_ S/MIME to gpg. There is no reason why gpg 2.0 would not support OpenPGP. What is true, though, is that so far, gpg 1.9 was only about adding S/MIME to gpg. But AFAIK it is the goal to merge gpg 1.4 with gpg 1.9. >>> When user buys it's email signature/encryption certificate he expects >>> to be >>> able to use it in >>> all smartcard enable applications... PKCS#11 provides this ability, >>> and is >>> >> >> >> Yes he expects this and will soon see that it was just an expectation. >> >> > I am afraid you are totally wrong here... I hope you will wake up > some-day... > I am responsible of replacing software/suggest correct software for > using smartcards. > Currently gpg is on my black list... And because of this I tried to talk > with you first to make > you understand what you do wrong... > It seems that I've failed! > You don't understand or don't want to understand what the user expects, > so you fail to > provide it. > >>> Yes, I know that I can write my own agent... But I still think it >>> will be a >>> mistake. >>> >> >> I don't meant to write another agent. Write a pkcs#11 driver which >> uses gpg-agent as its token. >> >> > This is the WRONG WRONG WRONG approach!!!!!!! Why? The _only_ purpose of gpg-agent is to ask you for a password and to keep that password in memory. You could use gpg-agent for _any_ application that requires a password. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGFxq2KgHx8zsInsRAnLtAKCjMa79eIC7lrpJJvr+ZMl8Xt+AqQCeI9Ur 0bVPspo5/6JELGR1fEP6MgI= =kNSw -----END PGP SIGNATURE----- From joerg at schmitz-linneweber.de Fri Sep 2 16:13:40 2005 From: joerg at schmitz-linneweber.de (Joerg Schmitz-Linneweber) Date: Fri Sep 2 16:14:01 2005 Subject: OpenPGP Card In-Reply-To: <43185009.6060206@gmail.com> References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> Message-ID: <200509021613.47029.joerg@schmitz-linneweber.de> Hi Alon! I would like to see support for PKCS#11 too but... (won't elaborate on this now ;-) Regarding the "open-ness" of OpenGPG: Why do you (and Benjamin) think its not open (enough)? The specs are there and you are free to implement "both sides" of the (smart) card. For me the specs allow(ed) it to try implementing OpenGPG on a IBM JavaCard (and it *would* be possible to have a JavaCard implement OpenGPG in parallel to PKCS#11...) Just my 2cts... Salut, J?rg -- gpg/pgp key # 0xd7fa4512 fingerprint 4e89 6967 9cb2 f548 a806 ?7e8b fcf4 2053 d7fa 4512 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050902/dd21d257/attachment.pgp From alon.barlev at gmail.com Fri Sep 2 17:21:06 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 16:31:00 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> Message-ID: <43186DE2.6010508@gmail.com> Hello, > I think this is a misunderstanding. gpg 1.9 is not about _migration_ to > S/MIME, it's about _adding_ S/MIME to gpg. There is no reason why gpg > 2.0 would not support OpenPGP. What is true, though, is that so far, gpg > 1.9 was only about adding S/MIME to gpg. But AFAIK it is the goal to > merge gpg 1.4 with gpg 1.9. Yes... But why? What was the reason to work so hard in adding S/MIME? The answer for my opinion is that IT IS A STANDARD!!! Likewise PKCS#11 is a standard to access cryptographic tokens. When PGP was invented there WAS NO standard to send and receive signed and encrypted messages, so PGP have implemented a proprietary method. Then, PGP tried to propose it as a standard... OpenPGP... But they have failed... It was not widely adopted... S/MIME was the standard adopted by the world, and PGP and gpg had to catch up. I thing one should learn from history and not invent any new standard, especially when such already exists, implemented and adopted. >>>I don't meant to write another agent. Write a pkcs#11 driver which >>>uses gpg-agent as its token. >>This is the WRONG WRONG WRONG approach!!!!!!! > Why? The _only_ purpose of gpg-agent is to ask you for a password and to > keep that password in memory. You could use gpg-agent for _any_ > application that requires a password. No... the purpose of gpg-agent is to allow gpg to access private (secret) keys that are located in different physical location such as smartcards... From my point of view this is THE MAJOR feature of gpg-agent... Best Regards, Alon Bar-Lev. From alon.barlev at gmail.com Fri Sep 2 17:45:53 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 16:55:58 2005 Subject: OpenPGP Card In-Reply-To: <200509021613.47029.joerg@schmitz-linneweber.de> References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> <200509021613.47029.joerg@schmitz-linneweber.de> Message-ID: <431873B1.3050703@gmail.com> Joerg Schmitz-Linneweber wrote: > Hi Alon! > > I would like to see support for PKCS#11 too but... > (won't elaborate on this now ;-) I will be glad if you will... It seems that I am the only one that don't understand gpg motivation. > > Regarding the "open-ness" of OpenGPG: Why do you (and Benjamin) think its not > open (enough)? > The specs are there and you are free to implement "both sides" of the (smart) > card. > For me the specs allow(ed) it to try implementing OpenGPG on a IBM JavaCard > (and it *would* be possible to have a JavaCard implement OpenGPG in parallel > to PKCS#11...) > > Just my 2cts... Salut, J?rg > This is EXACTLY the problem. If you have a RSA private key and X.509v3 certificate that refers to the public key, you expect this key to be shared among all applications that you use. If you had to write an separate applet and provider for each application you make the cost of smartcard integration EXTREMELY high! On the other hand, if you implement a software API for accessing a generic smartcard, then you don't need to implement any special software in order to use smartcard type A or smartcard type B. This is all PKCS#11 is about (Or Microsoft CSP in Windows environment...) It provides a generic API to access cryptographic tokens. Most smartcard vendors, including IBM, provide PKCS#11 library that communicates with their card. PKCS#11 application can benefit from it as well as the user... No proprietary code should be written in order to make your software work with your hardware. Best Regards, Alon Bar-Lev. From og at pre-secure.de Fri Sep 2 16:54:08 2005 From: og at pre-secure.de (Olaf Gellert) Date: Fri Sep 2 16:59:56 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <43186DE2.6010508@gmail.com> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> <43186DE2.6010508@gmail.com> Message-ID: <43186790.6050605@pre-secure.de> Alon Bar-Lev wrote: > When PGP was invented there WAS NO standard to send and receive signed > and encrypted messages, so PGP have implemented a proprietary method. > Then, PGP tried to propose it as a standard... OpenPGP... But they have > failed... It was not widely adopted... > S/MIME was the standard adopted by the world, and PGP and gpg had to > catch up. > I thing one should learn from history and not invent any new standard, > especially when such already exists, implemented and adopted. You are wrong in this regard: PGP is widely adpopted (and what is your definition of "the world"?). And it makes perfectly sense to have both worlds. OpenPGP offers a completely different trust model which suits the needs of some users very well (you can establish a web of trust with anyone without overhead) while S/MIME (or better: X.509) uses a centralized, CA- based model. For some applications I would never trust a commercial certification authority, so in X.509 you have to operate your own CA... Both S/MIME and OpenPG are standards (S/MIME v.1 was more or less proprietary stuff), you might have a look at the according IETF working groups (http://www.ietf.org/). >>>> I don't meant to write another agent. Write a pkcs#11 driver which >>>> uses gpg-agent as its token. >>> This is the WRONG WRONG WRONG approach!!!!!!! >> Why? The _only_ purpose of gpg-agent is to ask you for a password and to >> keep that password in memory. You could use gpg-agent for _any_ >> application that requires a password. > > No... the purpose of gpg-agent is to allow gpg to access private > (secret) keys that are located in different physical location such as > smartcards... > From my point of view this is THE MAJOR feature of gpg-agent... Well, you might have a look at KMail, which uses all the GPG 1.9 stuff. I was impressed by having a key manager, a smart card daemon and the easy interface of gpg-agent. This framework does far more than any PKCS11- implementation: For exampel it is able to handle revocation lists and OCSP-queries. This enables applications to use S/MIME without re-inventing the wheel. So please be fair: Both S/MIME and PGP have their advantages and disadvantages. And GPG seems to be on the way to be able to handle both. This sounds like a good idea to me. Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From wk at gnupg.org Fri Sep 2 17:45:31 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 17:51:30 2005 Subject: OpenPGP Card In-Reply-To: <431873B1.3050703@gmail.com> (Alon Bar-Lev's message of "Fri, 02 Sep 2005 18:45:53 +0300") References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> <200509021613.47029.joerg@schmitz-linneweber.de> <431873B1.3050703@gmail.com> Message-ID: <87vf1jiick.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 18:45:53 +0300, Alon Bar-Lev said: > environment...) It provides a generic API to access cryptographic > tokens. Most smartcard vendors, including IBM, provide PKCS#11 library > that communicates with their card. Again: Feel free to provide one. The only thing you need is libassuan to connect to gpg-agent. libassuan is even under LGPL so you can use it with any kind of application - just put it into a shared library. If something should be missing in gpg-agent to implement this, I will help by adding the required facilities. However, I don't have the time to write a pkcs#11 library for gpg-agent/scdaemon for free. If this is that important for you and you don't want to do it yourself, well ask me at my company address. Shalom-Salam, Werner From alon.barlev at gmail.com Fri Sep 2 18:42:51 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 17:52:51 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <43186790.6050605@pre-secure.de> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> <43186DE2.6010508@gmail.com> <43186790.6050605@pre-secure.de> Message-ID: <4318810B.70507@gmail.com> Hello, > You are wrong in this regard: PGP is widely > adpopted (and what is your definition of > "the world"?). And it makes perfectly sense > to have both worlds. I won't argue with that... But the trend is not in favor of PGP. > OpenPGP offers a completely different trust > model which suits the needs of some users > very well (you can establish a web of trust > with anyone without overhead) while S/MIME > (or better: X.509) uses a centralized, CA- > based model. For some applications I would > never trust a commercial certification > authority, so in X.509 you have to operate > your own CA... You are wrong! You can use self-signed certificates in a trust model similar to PGP. > Both S/MIME and OpenPG are standards (S/MIME > v.1 was more or less proprietary stuff), > you might have a look at the according IETF > working groups (http://www.ietf.org/). True... I know... But S/MIME standard is the one which is implemented in every mail client program... not PGP... > > Well, you might have a look at KMail, which > uses all the GPG 1.9 stuff. I was impressed > by having a key manager, a smart card daemon > and the easy interface of gpg-agent. This > framework does far more than any PKCS11- > implementation: For exampel it is able to > handle revocation lists and OCSP-queries. > This enables applications to use S/MIME without > re-inventing the wheel. You don't understand what PKCS#11 is!!!! Maybe that is the reason for all of these arguments... PKCS#11 is an API needed to access cryptographic token. PKCS#11 is NOT OCSP or PKI or X.509. It just specify how application should access a cryptographic token that can perform hashing, symmetric and asymmetric key operation, key handling etc... A typical application need to use PKCS#11 __ONLY__ for the following purposes: 1. Perform operation with private key located on token. 2. Fetch X.509v3 Digital Certificates from the token (User identities). > So please be fair: Both S/MIME and PGP have > their advantages and disadvantages. And GPG > seems to be on the way to be able to handle > both. This sounds like a good idea to me. I am sorry, but I don't agree. I don't find any advantage to keep OpenPGP formats. There is PKCS#7 for signed/enveloped data and S/MIME that uses PKCS#7 for email. Using self-signed certificates and PKCS#7 and S/MIME you get a full replacement for PGP... It will take several years, but eventually it will happen. Even pgp corp (www.pgp.com) understood that its future is in S/MIME and PKI, so they adjusting their product toward it. My initial request was to consider supporting PKCS#11 standard in order to access keys that are located cryptographic tokens, in stead of using a proprietary card format... This should be done regardless of our small debate regarding S/MIME and PGP. I hope you read more regarding PKCS#11 www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html and understand its role in cryptographic application and that gpg can benefit from it. Best Regards, Alon Bar-Lev. From wk at gnupg.org Fri Sep 2 17:56:30 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 18:01:22 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <431845E5.3090002@gmail.com> (Alon Bar-Lev's message of "Fri, 02 Sep 2005 15:30:29 +0300") References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002@gmail.com> Message-ID: <87oe7bihu9.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 15:30:29 +0300, Alon Bar-Lev said: >> Most pkcs#11 stuff is not GPL compatible. >> > But it does not say that GPLed software cannot use PKCS#11 interface > in order to access none GPLed tokens! Read the GPL again and you will see that this is not possible. > I am sorry to read that... I think it is a good standard... Just like > any RSA Security > PKCS#* standard... at least it is a standard that most programmers like PKCS#12 :-) > I don't understand why you guys did not rewritten the PKCS#7, PKCS#1, > PKCS#8, PKCS#9 pkcs#7 is nowadays called CMS. It is used by gpgsm. pkcs#1 is even part of OpenPGP. > The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?! > You could have been very happy in your close PGP format world. > Even if the standards are ugly, they at least work! Depends on the standard. > I am responsible of replacing software/suggest correct software for > using smartcards. > Currently gpg is on my black list... And because of this I tried to As said in my other mail to gnupg-devel: If you have a commercial interest. talk to me about implementing pcsk#11 - but don't expect to get something for free. I have laid out the path on how to implement a pkcs#11 library to make use of gpg-agent/scdaemon as a token. It is also possible to write a pkcs#11 thingy for just that card. >> I don't meant to write another agent. Write a pkcs#11 driver which >> uses gpg-agent as its token. >> >> > This is the WRONG WRONG WRONG approach!!!!!!! Well, my opinion is different. Salam-Shalom, Werner From wk at gnupg.org Fri Sep 2 18:09:45 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 18:11:21 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <43186DE2.6010508@gmail.com> (Alon Bar-Lev's message of "Fri, 02 Sep 2005 18:21:06 +0300") References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> <43186DE2.6010508@gmail.com> Message-ID: <87hdd3ih86.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 18:21:06 +0300, Alon Bar-Lev said: > Yes... But why? What was the reason to work so hard in adding S/MIME? > The answer for my opinion is that IT IS A STANDARD!!! I am sorry to correct you. No mental sane hacker would voluntary implement X.509 stupidity. The reason why we wrote gpgsm was real trivial: We have been convinced by means of money to undertake this. > When PGP was invented there WAS NO standard to send and receive signed > and encrypted messages, so PGP have implemented a proprietary method. PEM dates back to 1987 (rfc989) quite some years before PGP was written. > Then, PGP tried to propose it as a standard... OpenPGP... But they > have failed... It was not widely adopted... It may not be widely adopted but nevertheless it is the standard to make sure that confidential information can be send over the Internet. It is used all over the Net and major industry players are using it and even requring that suppkiers are using PGP. The IETF has not decided whether OpenPGP or S/MIME will be the preferred standard. > No... the purpose of gpg-agent is to allow gpg to access private > (secret) keys that are located in different physical location such as > smartcards... > From my point of view this is THE MAJOR feature of gpg-agent... The major feature is to encapsulate operations involving a private key into one modul - optionally to be run on a different device. For practical reasons gpg-agent also allows the use of smartcards. The passphrase caching is a bonus so that no second tool (like Quintuple Agent) is needed for gpg versions which are not yet able to delegate private key operations to the agent. Shalom-Salam, Werner From alon.barlev at gmail.com Fri Sep 2 19:08:37 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 18:18:43 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <87oe7bihu9.fsf@wheatstone.g10code.de> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002@gmail.com> <87oe7bihu9.fsf@wheatstone.g10code.de> Message-ID: <43188715.7080601@gmail.com> Hello, >>But it does not say that GPLed software cannot use PKCS#11 interface >>in order to access none GPLed tokens! > Read the GPL again and you will see that this is not possible. I have... and did not find the place. Can you please refer me to the exact item where you find the restriction? >>I am sorry to read that... I think it is a good standard... Just like >>any RSA Security >>PKCS#* standard... at least it is a standard that most programmers > like PKCS#12 :-) >>I don't understand why you guys did not rewritten the PKCS#7, PKCS#1, >>PKCS#8, PKCS#9 > pkcs#7 is nowadays called CMS. It is used by gpgsm. pkcs#1 is even > part of OpenPGP. Well... so what is the problem of using PKCS#11 why can you use all the other PKCS#* and cannot use PKCS#11? >>The whole new work of gpg 1.9 was to migrate to S/MIME... Why!?!?!?! >>You could have been very happy in your close PGP format world. >>Even if the standards are ugly, they at least work! > Depends on the standard. Well, PKCS#11 works for everyone... except for you guys... >>I am responsible of replacing software/suggest correct software for >>using smartcards. >>Currently gpg is on my black list... And because of this I tried to > > > As said in my other mail to gnupg-devel: If you have a commercial > interest. talk to me about implementing pcsk#11 - but don't expect to > get something for free. I have laid out the path on how to implement > a pkcs#11 library to make use of gpg-agent/scdaemon as a token. It is > also possible to write a pkcs#11 thingy for just that card. I don't have a commercial interest, I just want to help... Lately I've tried to use gpg to encrypt some of my stuff, and found the proprietary requirements... So I searched and searched... and read the gpg-agent source, I could not believe that you invent the wheel! And here we are... >>>I don't meant to write another agent. Write a pkcs#11 driver which >>>uses gpg-agent as its token. >>This is the WRONG WRONG WRONG approach!!!!!!! > Well, my opinion is different. When I understood that I've promised not to bother you again... :) Best Regards, Alon Bar-Lev. From alon.barlev at gmail.com Fri Sep 2 19:46:33 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 18:56:29 2005 Subject: OpenPGP Card In-Reply-To: <87vf1jiick.fsf@wheatstone.g10code.de> References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> <200509021613.47029.joerg@schmitz-linneweber.de> <431873B1.3050703@gmail.com> <87vf1jiick.fsf@wheatstone.g10code.de> Message-ID: <43188FF9.4000608@gmail.com> Werner Koch wrote: > On Fri, 02 Sep 2005 18:45:53 +0300, Alon Bar-Lev said: > > >>environment...) It provides a generic API to access cryptographic >>tokens. Most smartcard vendors, including IBM, provide PKCS#11 library >>that communicates with their card. > > > Again: Feel free to provide one. The only thing you need is libassuan > to connect to gpg-agent. libassuan is even under LGPL so you can use > it with any kind of application - just put it into a shared library. 1. Athena smartcard http://www.athena-scs.com provides Linux and Windows PKCS#11. 2. Algorithmic Research smartcard http://www.arx.com provides Linux and Windows PKCS#11. 3. Aladdin smartcard http://www.ealaddin.com using opensc. 4. nCipher HSM http://www.ncipher.com 5. SafeNet HSM http://www.safenet-inc.com I can find more... You can refer to opensc and see some more (I didn't tried them)... http://www.opensc.org/files/doc/opensc.html#opensc.status.cards Then you can use the opensc PKCS#11 library http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11 > > If something should be missing in gpg-agent to implement this, I will > help by adding the required facilities. However, I don't have the > time to write a pkcs#11 library for gpg-agent/scdaemon for free. If > this is that important for you and you don't want to do it yourself, > well ask me at my company address. I don't understand why you keep insisting of writing a library... You need to use a library not implement one. All you need to do is to use several PKCS#11 methods: 1. login, find correct object, perform decryption (RSA), logout. 2. login, extract X509 certificates, logout. May I understand that you agree that gpg-agent should support PKCS#11 as a mean to interact with cryptographic tokens? This was my original request... The when and how can be determine... But I will be glad if we can agree that it should be done... Best Regards, Alon Bar-Lev. From jeffreyt at OWWCO.com Fri Sep 2 18:32:36 2005 From: jeffreyt at OWWCO.com (Jeffrey Tadlock) Date: Fri Sep 2 19:09:24 2005 Subject: GnuPG Large File Issues - Windows Message-ID: <80F531F0459B2749B98E8634E931193BD13559@domcorp.corp.owwco.com> I am hoping to use GnuPG to encrypt some database flat file backups. My initial testing worked great, no issues. However I have started testing with some slightly larger files - currently 5.7GB in size. I have tried it with the default compression on and with a '-z 0'. The gpg file gets created with no issues in either case. When I try to decrypt it though I get the following error: gpg: encrypted with 2048-bit ELG-E key, ID C8D07746, created 2005-09-02 "System Administrator " gpg: [don't know]: invalid packet (ctb=00) gpg: WARNING: encrypted message has been manipulated! gpg: [don't know]: invalid packet (ctb=06) This happens at the 1.5GB mark every time. I saw this from the archives: http://bugs.guug.de/db/13/1361-b.html Has this been fixed in the newer releases? Or am I missing something obvious? Additional Details: Running on Windows 2000 SP4 Using GnuPG 1.4.2 (installed via the installer package to c:\GnuPG) To encrypt I am using this command line: 'gpg --encrypt-files -r "System Administrator" -z 0 ' To decrypt I am using this command line: 'gpg --decrypt0files ' Any assistance or suggestions would be greatly appreciated! Just let me know if I left a piece of information out that you may need. Thanks! Jeffrey From wk at gnupg.org Fri Sep 2 17:37:52 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 2 19:22:16 2005 Subject: OpenPGP Card In-Reply-To: <43185009.6060206@gmail.com> (Alon Bar-Lev's message of "Fri, 02 Sep 2005 16:13:45 +0300") References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> Message-ID: <87zmqviipb.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 16:13:45 +0300, Alon Bar-Lev said: > Finally someone who understand... I had no such luck with Werner Koch, who > argues that OpenPGP card is standard... Well it is as much a standard as pkcs#15 is one. Who decides what a standard is? RSA Corporation defines standards known as PKCS, we define an ISO7816 compliant standard for a card, dubbed OpenPGP card. You may use this one or do it like 99% of the smartcard vendors and use a proprietary card application where the specs are in the best case only available under NDA. > an approach that each application may define how its smartcard should > be built. > This approach like any other proprietary approach will disappear along > with its software, Huh? It is not about a particular application, it just happens that gpg suuports this card. There are other application unrelated to gpg also using this card, for example the Poldi PAM. I also know of other projjects using this card - just because it is well defined and the specs are open. > I don't think it is wise... There are some suitable cards that provide > PKCS#11 in Linux, Please go an read the standard before talking about it: No card implements PKCS#11 because that is an API between a token provider and an application. No ISO compliant card will be able to implement PKCS#11. You might be thinking about pkcs#15 - this is indeed a standard which defines how a card application may appear to software. However there are many variants of pkcs#15, it is complicated and experience showed that it didn't helped much with interoperability. Given that card application are pretty small beasts, it seems to me far easier to add its counterpart to the host application than to hammer it into a limited framework. Salam-Shalom, Werner -- An engineer, a chemist, and a standards designer are stranded on a desert island with absolutely nothing on it. One of them finds a can of spam washed up by the waves. The engineer says "Taking the strength of the seams into account, we can calculate that bashing it against a rock with a given force will open it up without destroying the contents". The chemist says "Taking the type of metal the can is made of into account, we can calculate that further immersion in salt water will corrode it enough to allow it to be easily opened after a day". The standards designer gives the other two a condescending look, gazes into the middle distance, and begins "Assuming we have an electric can opener...". - from Peter Gutman's X.509 Style Guide From og at pre-secure.de Fri Sep 2 21:03:07 2005 From: og at pre-secure.de (Olaf Gellert) Date: Fri Sep 2 21:09:04 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <4318810B.70507@gmail.com> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> <43186DE2.6010508@gmail.com> <43186790.6050605@pre-secure.de> <4318810B.70507@gmail.com> Message-ID: <4318A1EB.5050702@pre-secure.de> Alon Bar-Lev wrote: > I won't argue with that... > But the trend is not in favor of PGP. And I won't argue about that... >> OpenPGP offers a completely different trust >> model which suits the needs of some users >> very well (you can establish a web of trust >> with anyone without overhead) while S/MIME >> (or better: X.509) uses a centralized, CA- >> based model. For some applications I would >> never trust a commercial certification >> authority, so in X.509 you have to operate >> your own CA... > > You are wrong! > You can use self-signed certificates in a trust model similar to PGP. But it's not easy... There is no initial trust in a self signed certificate but there may be a lot of trust in a PGP key signed by some special people. An S/MIME implementation will normally refuse to import self-signed certificates from emails, it will only import certificates issued by an already trusted CA. >> Well, you might have a look at KMail, which >> uses all the GPG 1.9 stuff. I was impressed >> by having a key manager, a smart card daemon >> and the easy interface of gpg-agent. This >> framework does far more than any PKCS11- >> implementation: For exampel it is able to >> handle revocation lists and OCSP-queries. >> This enables applications to use S/MIME without >> re-inventing the wheel. > > You don't understand what PKCS#11 is!!!! > Maybe that is the reason for all of these arguments... Well, you might have a look at this report that was done by myself and a colleague of mine: http://www.dfn-pca.de/bibliothek/reports/pki-token/ You might think twice before saying such things again... But if you integrate Smart-Card functionality into the GPG framework, your application does not have to care about the smart-card at all. If your application uses PKCS11, it still has to do CRL-checking, certificate-validation and stuff like this. PKCS11 is on quite a low level, I would prefer to simply ask the GPG-agent, if a used certificate is stil valid (and GPG in turn might have a PKCS11 interface to actually access the smart card)... > I am sorry, but I don't agree. > I don't find any advantage to keep OpenPGP formats. There is PKCS#7 for > signed/enveloped data and S/MIME that uses PKCS#7 for email. > Using self-signed certificates and PKCS#7 and S/MIME you get a full > replacement for PGP... It will take several years, but eventually it > will happen. You do not seem to understand what a web of trust is. I do have more than 140 signatures under my PGP key. So whenever someone gets my key, it is sufficient if he trusts one of the 140 persons to identify persons. So how would you do this in X.509? Creating 140 CAs (one for every user)? Then I would have 140 certificates for the same key? X.509 uses a centralized model of trust, only CAs can issue certificates (and a self- signed cert is only signed by itself, like a pgp-key without any foreign signatures). X.509 is different from PGP... You might read a little bit about cross certificates and stuff like this, maybe you figure out some creative ways to build a web (but I ensure you: This will not work with many S/MIME implementations: Loops in the trust paths in X.509 are not supported too well). See: http://www.dfn-pca.de/bibliothek/reports/pki-linking/ Unfortunately this report is done by myself, too... ;-) > I hope you read more regarding PKCS#11 > www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html and understand its > role in cryptographic application and that gpg can benefit from it. For sure, I have read much more about tokens and PKCS11 than you think. And even if you cannot believe it: It may well be that some people have different experiences and different opinions and these do not necessarily have to be wrong. There are more things than black and white... Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From btober at seaworthysys.com Fri Sep 2 21:01:57 2005 From: btober at seaworthysys.com (Berend Tober) Date: Fri Sep 2 21:55:00 2005 Subject: Multiple signatures on a single file Message-ID: <4318A1A5.6040705@seaworthysys.com> Is it possible to have multiple persons sign a single file? If so, how is this done? The particular scenario is currently this: Employees submit expense reports for business travel using a spread sheet. Current practise is the the employee fills out spread sheet via computer (or optionally prints blank spread sheet template and writes by hand with a pen), physically signs using pen and ink, physically delivers signed hardcopy to supervisor for supervisor pen-and-ink signature prior to payment processing. Desired practise is to eliminate both producing hard copy and pen-and-ink signatures, and then re-work the process using gpg electronic signatures. Thus, employee would enter data into expense report spread sheet, save, gpg sign, mail to supervisor, supervisor would (presumably) open and review spread sheet, close without changing, gpg sign, and then return to employee or forward to accounting dept. Sounds straightforward, but I didn't spot in the various manuals/guides/how-to's for gnupg how a second individual could add their signature after me. -- BMT From alon.barlev at gmail.com Fri Sep 2 22:47:13 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri Sep 2 21:57:05 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <4318A1EB.5050702@pre-secure.de> References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002__6606.12952565334$1125661480$gmane$org@gmail.com> <43186DE2.6010508@gmail.com> <43186790.6050605@pre-secure.de> <4318810B.70507@gmail.com> <4318A1EB.5050702@pre-secure.de> Message-ID: <4318BA51.3090408@gmail.com> Thank you Olaf, I see your point regarding PKI, I am familiar with it. I want to focus the discussion for the smartcard support, this was my original issue and we then moved to a different discussion... I have a lot to say in that matter... but first I will study you documents to understand your position more clearly... I want to come back to the issue of using a standard API to access the cryptographic token. > >>>Well, you might have a look at KMail, which >>>uses all the GPG 1.9 stuff. I was impressed >>>by having a key manager, a smart card daemon >>>and the easy interface of gpg-agent. This >>>framework does far more than any PKCS11- >>>implementation: For exampel it is able to >>>handle revocation lists and OCSP-queries. >>>This enables applications to use S/MIME without >>>re-inventing the wheel. >> >>You don't understand what PKCS#11 is!!!! >>Maybe that is the reason for all of these arguments... > > > Well, you might have a look at this report that > was done by myself and a colleague of mine: > > http://www.dfn-pca.de/bibliothek/reports/pki-token/ > > You might think twice before saying such things > again... First I am regret if I offended you. But having written this document how could you state your previous statement? "This framework does far more than any PKCS11-implementation"??? I am confused... If you know that all what PKCS#11 is - access objects on cryptographic tokens... why did you raise the OCSP and revocation stuff? > > But if you integrate Smart-Card functionality > into the GPG framework, your application does not > have to care about the smart-card at all. If > your application uses PKCS11, it still has to > do CRL-checking, certificate-validation and stuff > like this. PKCS11 is on quite a low level, > I would prefer to simply ask the GPG-agent, if > a used certificate is stil valid (and GPG in turn > might have a PKCS11 interface to actually > access the smart card)... > I think otherwise... In current gpg-agent design the smartcard access should be perform by it. I think current design is correct one... But I don't care... As long as a standard PKCS#11 API is used to access the smartcard... I will be happy. > > For sure, I have read much more about tokens > and PKCS11 than you think. And even if you > cannot believe it: It may well be that > some people have different experiences and > different opinions and these do not necessarily > have to be wrong. There are more things than > black and white... > Again... I am sorry if I offended you. But I think there are two separate issues here that are some-how merge together. Decoding and verifying the PKIX/PGP/PKCS#* data, and accessing the cryptographic tokens. These are two separate issues... One the one hand I have your position that PKCS#11 is not enough... but you don't provide any replacement... for standard access to cryptographic token. On the other hand I have Werner position that states that only low level APDU access should be defined as low-level card interface, and every card should be tailored in order to work with gpg. This demonstrate the need of adopting a software standard for gpg for accessing smartcards... and PKCS#11 is the most suitable standard... I just want us to agree on that. Whether it is implemented or not is not an issue... I just wanted to understand why people are developing their own standards. Best Regards, Alon Bar-Lev. From btober at seaworthysys.com Fri Sep 2 22:49:10 2005 From: btober at seaworthysys.com (Berend Tober) Date: Fri Sep 2 22:53:18 2005 Subject: Signing MS-Excel spread sheets Message-ID: <4318BAC6.4000100@seaworthysys.com> I hate to admit that I still use MS-Excel rather than an open source spread sheet tool, but workplace requirements constrain my fate... Anyway, the problem with MS-Excel that I'm finding is that if I sign (detached signature) an MS-Excel XLS file, then me or someone else opens the file and then closes it even without making any changes, the signature no longer verifies successfully. A binary comparison of the "after" file with a "before" copy confirms that the four or five bytes are changed by the simple fact of opening and closing the file. I figure it must be some kind of time stamp Excel records. Has anyone else managed a work-around for this flaw? (Aside from the obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot control...) From oskar at rbgi.net Fri Sep 2 23:27:39 2005 From: oskar at rbgi.net (Oskar L.) Date: Fri Sep 2 23:28:26 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: <4318BAC6.4000100@seaworthysys.com> References: <4318BAC6.4000100@seaworthysys.com> Message-ID: <1623.213.169.24.192.1125696459.squirrel@mail.rbgi.net> Unless it is possible to configure Excel not to update the time stamp, then the only solution I can think of is to mark the file as "read-only". Oskar > I hate to admit that I still use MS-Excel rather than an open source > spread sheet tool, but workplace requirements constrain my fate... > > Anyway, the problem with MS-Excel that I'm finding is that if I sign > (detached signature) an MS-Excel XLS file, then me or someone else opens > the file and then closes it even without making any changes, the > signature no longer verifies successfully. A binary comparison of the > "after" file with a "before" copy confirms that the four or five bytes > are changed by the simple fact of opening and closing the file. I figure > it must be some kind of time stamp Excel records. > > Has anyone else managed a work-around for this flaw? (Aside from the > obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot > control...) > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From fizban at slackware.it Sat Sep 3 01:48:30 2005 From: fizban at slackware.it (Andreas Liebschner) Date: Sat Sep 3 02:35:45 2005 Subject: OpenPGP card and gpg-agent --enable-ssh-support Message-ID: <4318E4CE.3050909@slackware.it> Hi, I own a OpenPGP Card, I run gnupg-1.4.2 + gnupg-1.9.18 (so I have gpg1, gpg-agent, scdaemon, gpgkey2ssh). I started playing with the card today, but I had no problems at all, beside when trying to use the "A" key stored on the card in addition to 'gpg-agent --enable-ssh-support'. This is what I tried: $ gpgkey2ssh $ID_OF_THE_A_KEY > key $ scp key user@box:/home/user [login to box] $ mv key .ssh/authorized_keys Also, since I thought ssh-add was of no use in my case, I touch'd .gnupg/sshcontrol (on the box gpg-agent is running from), and added the fingerprint of the A key stored on my card. Then I tried: $ ssh box But it still asks me the actual password for the user, not the pin or the passphrase of my gpg key. So I thought I should have added some other fingerprint to sshcontrol, and added the 2 remaining fingerprints. Still, it will always ask me the actual password. So I thought gpg-agent wasn't running properly, and I created (ssh-keygen) a keypair on the fly, added with "ssh-add", scp'd the public key to "box". ssh to box went as it was supposed to go; so gpg-agent is going working just fine, I guess. Well, then I'm doing something wrong when trying to use the "A" key stored on my card? If so, what's the right way to do it, any hint? Also, I noticed gpgkey2ssh will always produce a ssh-rsa key, even if I pass it the CS or the E key, is this normal? Thanks, -- Andreas Liebschner From harob02 at earthlink.net Sat Sep 3 04:10:43 2005 From: harob02 at earthlink.net (Dan Mundy) Date: Sat Sep 3 04:15:00 2005 Subject: Lost Private Key Message-ID: How do i regain a lost private key? if i can't, how can i generate a revoke certificate for it? if i can't, can i delete it from the servers? what should i do? i need help!!!!! From harob02 at earthlink.net Sat Sep 3 04:39:52 2005 From: harob02 at earthlink.net (Dan Mundy) Date: Sat Sep 3 04:42:22 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: <4318BAC6.4000100@seaworthysys.com> References: <4318BAC6.4000100@seaworthysys.com> Message-ID: Berend Tober wrote: > I hate to admit that I still use MS-Excel rather than an open source > spread sheet tool, but workplace requirements constrain my fate... > Has anyone else managed a work-around for this flaw? (Aside from the > obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot > control...) use openoffice.org: it is opensource and fully compatible with microsoft. now it is a failure you can control. see http://www.openoffice.org/dev_docs/instructions.html#win for how to install it. From harob02 at earthlink.net Sat Sep 3 04:58:36 2005 From: harob02 at earthlink.net (Dan Mundy) Date: Sat Sep 3 05:00:38 2005 Subject: Lost Private Key In-Reply-To: References: Message-ID: Dan Mundy wrote: > How do i regain a lost private key? if i can't, how can i generate a > revoke certificate for it? if i can't, can i delete it from the servers? > what should i do? i need help!!!!! nevermind... i found an old backed-up copy of my private key... sorry for the fuss. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050902/bddac95c/signature.pgp From alphasigmax at gmail.com Sat Sep 3 05:31:42 2005 From: alphasigmax at gmail.com (Alphax) Date: Sat Sep 3 05:34:15 2005 Subject: Multiple signatures on a single file In-Reply-To: <4318A1A5.6040705@seaworthysys.com> References: <4318A1A5.6040705@seaworthysys.com> Message-ID: <4319191E.3090900@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Berend Tober wrote: > Is it possible to have multiple persons sign a single file? If so, how > is this done? > > The particular scenario is currently this: Employees submit expense > reports for business travel using a spread sheet. Current practise is > the the employee fills out spread sheet via computer (or optionally > prints blank spread sheet template and writes by hand with a pen), > physically signs using pen and ink, physically delivers signed hardcopy > to supervisor for supervisor pen-and-ink signature prior to payment > processing. > > Desired practise is to eliminate both producing hard copy and > pen-and-ink signatures, and then re-work the process using gpg > electronic signatures. Thus, employee would enter data into expense > report spread sheet, save, gpg sign, mail to supervisor, supervisor > would (presumably) open and review spread sheet, close without changing, > gpg sign, and then return to employee or forward to accounting dept. > > Sounds straightforward, but I didn't spot in the various > manuals/guides/how-to's for gnupg how a second individual could add > their signature after me. > Use detached signatures? Generate a key to sign the document with, and have that key signed by the supervisor? Just my 2c... - -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGRke/RxM5Ph0xhMRA53ZAJ4jpjIAJ8nqCr/xgVBRbO1IUfK3PQCeMYTy I6huYlEG2z2zt1cc1pPqTNE= =6zNZ -----END PGP SIGNATURE----- From JPClizbe at comcast.net Sat Sep 3 05:22:47 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Sat Sep 3 05:35:36 2005 Subject: Lost Private Key In-Reply-To: References: Message-ID: <43191707.9080402@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dan Mundy wrote: > Dan Mundy wrote: >> How do i regain a lost private key? if i can't, how can i generate a >> revoke certificate for it? if i can't, can i delete it from the servers? >> what should i do? i need help!!!!! > > nevermind... i found an old backed-up copy of my private key... sorry > for the fuss. Good deal. And you've generated that revocation cert and are storing it with the backup copy of the key? Oh, BTW... Make another backup copy of public & private keys and that revocation cert -- and store them on different media, and b) in a different secure location. The answers to your questions wouldn't be very pleasing. How do regain the private key? You can't. There is no way to reconstruct a private key from the public key. Generate rev cert? You can't without the private key. Delete from keyservers? You can't. Servers are add-only. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-2005-08-29 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGRcGHQSsSmCNKhARAiRIAKCEcZzUSWKrH+e548y+vX9UAuoXJQCcC4xZ q1WV+4Vgtb756ssb4CtSSr4= =rT+w -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sat Sep 3 05:35:38 2005 From: alphasigmax at gmail.com (Alphax) Date: Sat Sep 3 05:38:00 2005 Subject: Lost Private Key In-Reply-To: References: Message-ID: <43191A0A.3050504@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Dan Mundy wrote: > Dan Mundy wrote: > >>How do i regain a lost private key? if i can't, how can i generate a >>revoke certificate for it? if i can't, can i delete it from the servers? >>what should i do? i need help!!!!! > > > nevermind... i found an old backed-up copy of my private key... sorry > for the fuss. > Generate a revocation certificate NOW and store it in a secure offline location, along with a backup of your key. - -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGRoK/RxM5Ph0xhMRA2I0AJ9GK7avq28dAjyuDpdKb0mhBhOldQCgriy9 CBYTuINxYwo48WU1+2GpK9U= =MxOi -----END PGP SIGNATURE----- From wk at gnupg.org Sat Sep 3 08:42:20 2005 From: wk at gnupg.org (Werner Koch) Date: Sat Sep 3 08:46:23 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <43188715.7080601@gmail.com> (Alon Bar-Lev's message of "Fri, 02 Sep 2005 20:08:37 +0300") References: <87y86fk9gj.fsf@wheatstone.g10code.de> <431845E5.3090002@gmail.com> <87oe7bihu9.fsf@wheatstone.g10code.de> <43188715.7080601@gmail.com> Message-ID: <87zmquhctv.fsf@wheatstone.g10code.de> On Fri, 02 Sep 2005 20:08:37 +0300, Alon Bar-Lev said: >>> But it does not say that GPLed software cannot use PKCS#11 interface >>> in order to access none GPLed tokens! >> Read the GPL again and you will see that this is not possible. > I have... and did not find the place. > Can you please refer me to the exact item where you find the > restriction? It is a matter of wether something is derivative work or not. When using a library and thus using combining GPL and non-GPL code in the same process, this is in almost all cases a derivative work. > Well... so what is the problem of using PKCS#11 why can you use all > the other PKCS#* and cannot use PKCS#11? You are comparing apples to baskets. The taste of the apples does not necessary induce the quality of the baskets used while reaping them. Shalom-Salam, Werner From wk at gnupg.org Sat Sep 3 08:56:18 2005 From: wk at gnupg.org (Werner Koch) Date: Sat Sep 3 09:01:22 2005 Subject: GnuPG Large File Issues - Windows In-Reply-To: <80F531F0459B2749B98E8634E931193BD13559@domcorp.corp.owwco.com> (Jeffrey Tadlock's message of "Fri, 2 Sep 2005 12:32:36 -0400") References: <80F531F0459B2749B98E8634E931193BD13559@domcorp.corp.owwco.com> Message-ID: <87r7c6hc6l.fsf@wheatstone.g10code.de> On Fri, 2 Sep 2005 12:32:36 -0400, Jeffrey Tadlock said: > 'gpg --encrypt-files -r "System Administrator" -z 0 > ' I recall that I once tested it and it used to work. However it is a long time ago so no guarantee. My current test machine has not enough space to run a test right now. What will always work is to use gpg --encrypt-files -r "System Administrator" -z 0 < FILENAME > FILENAME.GPG Note the '<' and '>'. Using redirection gpg won't know anything about the file seize and simply encrypt everything coming in on the stdin to stdout. Decryption work similar. Shalom-Salam, Werner From wk at gnupg.org Sat Sep 3 09:03:34 2005 From: wk at gnupg.org (Werner Koch) Date: Sat Sep 3 09:06:22 2005 Subject: OpenPGP card and gpg-agent --enable-ssh-support In-Reply-To: <4318E4CE.3050909@slackware.it> (Andreas Liebschner's message of "Sat, 03 Sep 2005 01:48:30 +0200") References: <4318E4CE.3050909@slackware.it> Message-ID: <87mzmuhbuh.fsf@wheatstone.g10code.de> On Sat, 03 Sep 2005 01:48:30 +0200, Andreas Liebschner said: > But it still asks me the actual password for the user, not the pin or > the passphrase of my gpg key. So I thought I should have added some What does ssh-add -l give? You should see the fingerprint of the card's key as well as the card's number. Note that there isno actual need for gpgkey2ssh; I simply do ssh-add -L which gives me the public key directly from the card. To better debug what's going on, the first thing you should do is to run ssh -v host this will show you what keys are offered to the server and whether they worked. > Also, I noticed gpgkey2ssh will always produce a ssh-rsa key, even if I > pass it the CS or the E key, is this normal? Yes. Salam-Shalom, Werner From alon.barlev at gmail.com Sat Sep 3 12:05:50 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Sat Sep 3 11:15:58 2005 Subject: OpenPGP Card In-Reply-To: <87vf1ihccq.fsf@wheatstone.g10code.de> References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> <200509021613.47029.joerg@schmitz-linneweber.de> <431873B1.3050703@gmail.com> <87vf1jiick.fsf@wheatstone.g10code.de> <43188FF9.4000608@gmail.com> <87vf1ihccq.fsf@wheatstone.g10code.de> Message-ID: <4319757E.10402@gmail.com> Hello Werner, > >>May I understand that you agree that gpg-agent should support PKCS#11 >>as a mean to interact with cryptographic tokens? > > > No. > > I now completely understand your position, and know that I have no other arguments left to try and defend my position... I am sorry if I was too harsh during this discussion, it hurts to see people inventing standards of their own thus limiting the usage of their own great software. I want to thank you for this discussion. Best Regards, Alon Bar-Lev. From fizban at slackware.it Sat Sep 3 12:03:57 2005 From: fizban at slackware.it (Andreas Liebschner) Date: Sat Sep 3 12:04:02 2005 Subject: OpenPGP card and gpg-agent --enable-ssh-support In-Reply-To: <87mzmuhbuh.fsf@wheatstone.g10code.de> References: <4318E4CE.3050909@slackware.it> <87mzmuhbuh.fsf@wheatstone.g10code.de> Message-ID: <4319750D.4070705@slackware.it> Werner Koch wrote: > On Sat, 03 Sep 2005 01:48:30 +0200, Andreas Liebschner said: > >>But it still asks me the actual password for the user, not the pin or >>the passphrase of my gpg key. So I thought I should have added some > > What does > ssh-add -l > > give? You should see the fingerprint of the card's key as well as > the card's number. Note that there isno actual need for gpgkey2ssh; I > simply do > > ssh-add -L > > which gives me the public key directly from the card. Oh that's true, it works.. I used gpgkey2ssh because I saw a post from may where you were talking about creating such a tool >>Also, I noticed gpgkey2ssh will always produce a ssh-rsa key, even if I >>pass it the CS or the E key, is this normal? > > Yes. Okay. Well thank you, it's working just fine! -- Andreas Liebschner From wk at gnupg.org Sat Sep 3 13:19:40 2005 From: wk at gnupg.org (Werner Koch) Date: Sat Sep 3 13:21:23 2005 Subject: OpenPGP Card In-Reply-To: <4319757E.10402@gmail.com> (Alon Bar-Lev's message of "Sat, 03 Sep 2005 13:05:50 +0300") References: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> <43185009.6060206@gmail.com> <200509021613.47029.joerg@schmitz-linneweber.de> <431873B1.3050703@gmail.com> <87vf1jiick.fsf@wheatstone.g10code.de> <43188FF9.4000608@gmail.com> <87vf1ihccq.fsf@wheatstone.g10code.de> <4319757E.10402@gmail.com> Message-ID: <87hdd2e6ur.fsf@wheatstone.g10code.de> On Sat, 03 Sep 2005 13:05:50 +0300, Alon Bar-Lev said: > I am sorry if I was too harsh during this discussion, it hurts to see > people inventing standards of their own thus limiting the usage of > their own great software. No problem. > I want to thank you for this discussion. Its always good to discuss things, it helps to get to new ideas or to reconder things. Shalom-Salam, Werner From jeffreyt at OWWCO.com Sat Sep 3 16:02:31 2005 From: jeffreyt at OWWCO.com (Jeffrey Tadlock) Date: Sat Sep 3 16:03:08 2005 Subject: GnuPG Large File Issues - Windows Message-ID: <80F531F0459B2749B98E8634E931193BD1355A@domcorp.corp.owwco.com> -----Original Message----- From: Werner Koch [mailto:wk@gnupg.org] Sat 9/3/2005 2:56 AM >What will always work is to use > > gpg --encrypt-files -r "System Administrator" -z 0 < FILENAME > >FILENAME.GPG > >Note the '<' and '>'. Using redirection gpg won't know anything about >the file seize and simply encrypt everything coming in on the stdin to >stdout. Decryption work similar. First apologies for whatever mangling Outlook Web Access does to this email. I tried the command line above on a smaller file (which has been encrypting and decrypting with no issues) and received the following error: gpg: input line 1 too long or missing LF Am I typing something wrong? Here is what I typed: gpg --encrypt-files -r "System Administrator" -z 0 < sql-db.bak > sql-db.gpg The files I am trying to encrypt/decrypt are Microsoft SQL Backup flat files (DB dumps). Thanks again! Jeffrey From harob02 at earthlink.net Sat Sep 3 18:51:52 2005 From: harob02 at earthlink.net (Dan Mundy) Date: Sat Sep 3 18:54:45 2005 Subject: Lost Private Key In-Reply-To: References: Message-ID: Thanks for your advice all... i will generate a revocation cert and backup everything now. thanks! Dan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050903/aaac0dc2/signature.pgp From oskar at rbgi.net Sun Sep 4 02:29:00 2005 From: oskar at rbgi.net (Oskar L.) Date: Sun Sep 4 02:29:43 2005 Subject: Transparent keyboards In-Reply-To: References: Message-ID: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> Hi, Can anyone recommend a transparent keyboard, or any kind of keyboard witch makes it easy to check that a keylogger has not been installed inside whilst you were away. I only found this one: http://www.directron.com/kb603cl.html Oskar From jdbeyer at exit109.com Sun Sep 4 02:48:31 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Sun Sep 4 03:31:10 2005 Subject: Transparent keyboards In-Reply-To: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> Message-ID: <431A445F.7000907@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oskar L. wrote: > Hi, > > Can anyone recommend a transparent keyboard, or any kind of keyboard witch > makes it easy to check that a keylogger has not been installed inside > whilst you were away. I only found this one: > http://www.directron.com/kb603cl.html > If I were going to put a keylogger in a computer, I would not do it in the keyboard. Why bother. Put in inside the box; have it email a report every time a newline character is typed, or queue it up until next time the machine is on line. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 20:45:00 up 80 days, 14:41, 3 users, load average: 4.09, 4.16, 4.09 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGkRePtu2XpovyZoRAkVwAJ9GEknXpQ8k0BqiTPHLSn10DCpzpgCgsFOS 8IEEwDeVgheni/jHVZWHi1w= =SErb -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sun Sep 4 10:02:25 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Sep 4 10:02:28 2005 Subject: Transparent keyboards In-Reply-To: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> Message-ID: <200509040902.26194.linux@codehelp.co.uk> On Sunday 04 September 2005 1:29 am, Oskar L. wrote: > Can anyone recommend a transparent keyboard, or any kind of keyboard witch > makes it easy to check that a keylogger has not been installed inside What makes you think a keylogger goes 'inside' a keyboard? The cable connection is just as easy and an internal unit (on the inside of the socket on the box) even better. > whilst you were away. If someone has physical access to your machine whilst you are away, all manner of things can be done to compromise the system - a keylogger would be the least of your worries. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050904/4e125a62/attachment.pgp From wk at gnupg.org Sun Sep 4 10:28:42 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Sep 4 10:31:28 2005 Subject: GnuPG Large File Issues - Windows In-Reply-To: <80F531F0459B2749B98E8634E931193BD1355A@domcorp.corp.owwco.com> (Jeffrey Tadlock's message of "Sat, 3 Sep 2005 10:02:31 -0400") References: <80F531F0459B2749B98E8634E931193BD1355A@domcorp.corp.owwco.com> Message-ID: <87zmqtb5j9.fsf@wheatstone.g10code.de> On Sat, 3 Sep 2005 10:02:31 -0400, Jeffrey Tadlock said: > Am I typing something wrong? Here is what I typed: > gpg --encrypt-files -r "System Administrator" -z 0 < sql-db.bak > sql-db.gpg Sorry, I missed that you are using --encrypt-files. This command is deifferent to --encrypt in that it takes a list of filenames from stdin or a given filename and encrypts all files given in this list. This is not what you want. use gpg --encrypt -r "System Administrator" -z 0 < sql-db.bak > sql-db.gpg Salam-Shalom, Werner From oskar at rbgi.net Sun Sep 4 11:59:28 2005 From: oskar at rbgi.net (Oskar L.) Date: Sun Sep 4 12:00:18 2005 Subject: Transparent keyboards In-Reply-To: <200509040902.26194.linux@codehelp.co.uk> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> <200509040902.26194.linux@codehelp.co.uk> Message-ID: <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> "Neil Williams" wrote: > What makes you think a keylogger goes 'inside' a keyboard? The cable > connection is just as easy and an internal unit (on the inside of the > socket on the box) even better. I keep my case open, so I would notice that. There enough space for a keylogger in the average keyboard. What makes you think this is not where a keylogger would be placed? > If someone has physical access to your machine whilst you are away, all > manner > of things can be done to compromise the system - Can you give me a few hardware related examples, that will work against someone booting from a live CD/DVD (or better, booting from an USB-stick and first checking the hash of the CD/DVD before using it)? > a keylogger would be the least of your worries. Well that is debatable, but I'm sure we all agree on that it is one of the easiest and cheapest ways of compromising someones computer. So if anyone know of any transparent keyboard models, please list them. Oskar From pats_comp_solutions at hotpop.com Sun Sep 4 12:48:32 2005 From: pats_comp_solutions at hotpop.com (Patrick Dickey) Date: Sun Sep 4 12:50:43 2005 Subject: Transparent keyboards In-Reply-To: <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> <200509040902.26194.linux@codehelp.co.uk> <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> Message-ID: <431AD100.5020706@hotpop.com> Oskar L. wrote: >"Neil Williams" wrote: > > > >>What makes you think a keylogger goes 'inside' a keyboard? The cable >>connection is just as easy and an internal unit (on the inside of the >>socket on the box) even better. >> >> > >I keep my case open, so I would notice that. There enough space for a >keylogger in the average keyboard. What makes you think this is not where >a keylogger would be placed? > > > >>If someone has physical access to your machine whilst you are away, all >>manner >>of things can be done to compromise the system - >> >> > >Can you give me a few hardware related examples, that will work against >someone booting from a live CD/DVD (or better, booting from an USB-stick >and first checking the hash of the CD/DVD before using it)? > > > >>a keylogger would be the least of your worries. >> >> > >Well that is debatable, but I'm sure we all agree on that it is one of the >easiest and cheapest ways of compromising someones computer. > >So if anyone know of any transparent keyboard models, please list them. > >Oskar > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > I don't know of any transparent keyboards off-hand (I can check our local computer store tomorrow, since they have one there). But, I will say this. There is a keylogger out that goes between the keyboard plug and the case. So, unless you are able to see through the back of the case, or are so paranoid that you turn the case all different directions before you turn it on, you'll never see it. However, I would have to ask you where are you located that you worry so much? If you're in a corporation, then I'm pretty sure that your company has policies about the use of keyloggers. If you're in a library, then I agree with the others when they say a keylogger that is implanted in a keyboard is the least of your worries (plus, I think the library will have serious concerns about you bringing your own keyboard in) (This also applies for schools and colleges). And, if you're at home, and can't even trust your own family, then anything computer-related is the least of your concerns. I'd be more inclined to be looking up a good psychologist rather then a transparent keyboard. -- avast! Antivirus: Outbound message clean. Virus Database (VPS): 0535-3, 09/02/2005 Tested on: 9/4/2005 5:49:30 AM avast! - copyright (c) 1988-2005 ALWIL Software. http://www.avast.com From wk at gnupg.org Sun Sep 4 13:42:45 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Sep 4 13:44:40 2005 Subject: GPGol released Message-ID: <8764thawju.fsf@wheatstone.g10code.de> Hi, I have just released a first version of GPGol, the new GPG plugin for MS Outlook. The intention is to replace the old G-DATA plugin by more modern code. We basically rewrote it from scratch and thus a lot of bugs are to be expected. Successful tests have only be done with Outlook 2003 and there are reports that it does not work at all with OL 2000. The general design of the plugin has basically been carried over from the G-DATA plugin; however we are currently investigating whether it will be possible to make use of custom forms for better integration and to avoid some of the more ugly hacks. ftp://ftp.g10code.com/g10code/gpgol/gpgol-0.9.0.zip (274k) ftp://ftp.g10code.com/g10code/gpgol/gpgol-0.9.0.zip.sig Noteworthy changes for version 0.9.0 (2005-09-04) ================================================= * Major rewrite. Renamed the package to GPGol. Note, that there used to be intermediate versions unter the name OutlGPG * The package as been renamed to GPGol and consist of only one DLL named "gpgol.dll". Installation of gpgme.dll and libgpg-error.dll is required. * It may by now only be build using the Mingw32 toolchain. * GPGol now uses the standard GPGME. Installation ============ To install this plugin, copy it to some directory (e.g. where gpg lives), make sure that the libgpg-error.dll and gpgme.dll are available in a directory where Windows searches for DLLs (e.g. c:\winnt\system32), stop Outlook, run the command "regsvr32 outlgpg.dll" and start Outlook. You should then find a new tab named "GnuPG" in Outlook's option menu. Note: For building in src/ you need to throw an original mapi32.dll into this directory. This is due to a bug in the binutils: ld is not able to properly read a DEF file but will happily use the same information from an actual DLL. The problem is that symbols like HrSetOneProp@8 are actually written without the "@8" into the import table when used with a DEF file and generated import lib. Needs more debugging - any BFD cracks who can lend me a helping hand? (wk). Bug reporting: First click on the logo on the GnuPG options tab to check whether a newer version has been released - try this first. If this does not help, check out the mailing lists and also the bug archive at http://bugs.gnupg.org (use username and password "guest", select "query" and there category "gpgol") if you did not found any information there please send a report, including all relevant version numbers to the address given at the top of this AUTHORS file. Subversion access ================= The code is also available in a Subversion repository: svn co svn://cvs.gnupg.org/gpgol/trunk gpgol An online version is also available: http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/?root=GPGol Failure and success reports are greatly appreciated. Salam-Shalom, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org Join the Fellowship and protect your Freedom! http://www.fsfe.org From oskar at rbgi.net Sun Sep 4 14:01:12 2005 From: oskar at rbgi.net (Oskar L.) Date: Sun Sep 4 14:02:00 2005 Subject: Transparent keyboards In-Reply-To: <431AD100.5020706@hotpop.com> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> <200509040902.26194.linux@codehelp.co.uk> <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> <431AD100.5020706@hotpop.com> Message-ID: <3542.213.169.30.40.1125835272.squirrel@mail.rbgi.net> pats_comp_solutions@hotpop.com wrote: > I don't know of any transparent keyboards off-hand (I can check our > local computer store tomorrow, since they have one there). Thanks! > But, I will > say this. There is a keylogger out that goes between the keyboard plug > and the case. There are several, see http://www.keyghost.com/ and http://www.amecisco.com/hkstandalone.htm for examples. These are too obvious, and the police most likely will put the keylogger inside the keyboard or inside the case of the computer. > So, unless you are able to see through the back of the > case, or are so paranoid that you turn the case all different directions > before you turn it on, you'll never see it. I have my computer on the floor, and can easily see all sides without turning it. Mounting a small mirror behind the computer might be a good solution to this problem for some. > And, if you're at > home, and can't even trust your own family, then anything > computer-related is the least of your concerns. I'd be more inclined to > be looking up a good psychologist rather then a transparent keyboard. I choose to live alone (for security reasons) so what I worry most about are keyloggers and microphones. Here in Finland the police have a special group investigating us (animal rights activists), and we have caught one infiltrator, so considering this I don't think that it's a sign of paranoia for me to occasionally check for keyloggers. Oskar From jdbeyer at exit109.com Sun Sep 4 14:24:18 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Sun Sep 4 14:24:25 2005 Subject: Transparent keyboards In-Reply-To: <3542.213.169.30.40.1125835272.squirrel@mail.rbgi.net> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> <200509040902.26194.linux@codehelp.co.uk> <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> <431AD100.5020706@hotpop.com> <3542.213.169.30.40.1125835272.squirrel@mail.rbgi.net> Message-ID: <431AE772.8020205@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oskar L. wrote: > pats_comp_solutions@hotpop.com wrote: > > >> I don't know of any transparent keyboards off-hand (I can check our >> local computer store tomorrow, since they have one there). > > > Thanks! > > >> But, I will say this. There is a keylogger out that goes between the >> keyboard plug and the case. > > > There are several, see http://www.keyghost.com/ and > http://www.amecisco.com/hkstandalone.htm for examples. These are too > obvious, and the police most likely will put the keylogger inside the > keyboard or inside the case of the computer. > > >> So, unless you are able to see through the back of the case, or are so >> paranoid that you turn the case all different directions before you >> turn it on, you'll never see it. > > > I have my computer on the floor, and can easily see all sides without > turning it. Mounting a small mirror behind the computer might be a good > solution to this problem for some. > My guess is that if someone serious about this, such as a large government agency, were to do it, they might do something really simple, like replace some board in your machine (modem?) with another one just like it but with the keylogger on it. It would see everything going down the ISA or PCI bus of your machine and do what needs to be done. And if they were _really_ _serious_, the replacement board would look exactly like your present one, but the keylogger would be between something else and the board, or a new chip would be there that did everything it used to do and keylogging besides. Unless you check the board everyday with a large magnifier, for the obvious; or just replacing them all from a private stock hidden from this hypothetical large government agency, you would not stand a chance of finding it. So you better have your machine in a suitably armored steel box, preferably at a secure alternate location, one that locks with an unpickable lock. > >> And, if you're at home, and can't even trust your own family, then >> anything computer-related is the least of your concerns. I'd be more >> inclined to be looking up a good psychologist rather then a transparent >> keyboard. > > > I choose to live alone (for security reasons) so what I worry most about > are keyloggers and microphones. Here in Finland the police have a special > group investigating us (animal rights activists), and we have caught one > infiltrator, so considering this I don't think that it's a sign of > paranoia for me to occasionally check for keyloggers. > Thank you for clearing up that point. Once a computer or other device that needs secure access is sufficiently protected, it becomes cheaper for a large government agency to resort to bribery or torture to get the information it wants. Assuming they do not wish to try bribery, are you sure you want your machine that safe? I assume you are using gnupg for all your correspondence with everyone. If you encrypt only your sensitive communications, it will be painfully obvious which of your e-mails to decrypt, saving the black hats a lot of trouble. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:10:00 up 81 days, 2:06, 3 users, load average: 4.19, 4.20, 4.13 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGudyPtu2XpovyZoRArdvAKC1pn4BfQPGgk9BWc1jY9NuoGDx9wCghbN9 Q7NxXL9WS2TqvVN4hj7K42w= =Z0ly -----END PGP SIGNATURE----- From jdbeyer at exit109.com Sun Sep 4 14:48:38 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Sun Sep 4 14:48:44 2005 Subject: Transparent keyboards In-Reply-To: <431AE772.8020205@exit109.com> References: <2689.213.169.30.40.1125793740.squirrel@mail.rbgi.net> <200509040902.26194.linux@codehelp.co.uk> <2773.213.169.30.40.1125827968.squirrel@mail.rbgi.net> <431AD100.5020706@hotpop.com> <3542.213.169.30.40.1125835272.squirrel@mail.rbgi.net> <431AE772.8020205@exit109.com> Message-ID: <431AED26.3040102@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jean-David Beyer wrote: > Oskar L. wrote: > >>>pats_comp_solutions@hotpop.com wrote: >>> >>> >>> >>>>I don't know of any transparent keyboards off-hand (I can check our >>>>local computer store tomorrow, since they have one there). >>> >>> >>>Thanks! >>> >>> >>> >>>>But, I will say this. There is a keylogger out that goes between the >>>>keyboard plug and the case. >>> >>> >>>There are several, see http://www.keyghost.com/ and >>>http://www.amecisco.com/hkstandalone.htm for examples. These are too >>>obvious, and the police most likely will put the keylogger inside the >>>keyboard or inside the case of the computer. >>> >>> >>> >>>>So, unless you are able to see through the back of the case, or are so >>>>paranoid that you turn the case all different directions before you >>>>turn it on, you'll never see it. >>> >>> >>>I have my computer on the floor, and can easily see all sides without >>>turning it. Mounting a small mirror behind the computer might be a good >>>solution to this problem for some. >>> > > My guess is that if someone serious about this, such as a large government > agency, were to do it, they might do something really simple, like replace > some board in your machine (modem?) with another one just like it but with > the keylogger on it. It would see everything going down the ISA or PCI bus > of your machine and do what needs to be done. And if they were _really_ > _serious_, the replacement board would look exactly like your present one, > but the keylogger would be between something else and the board, or a new > chip would be there that did everything it used to do and keylogging > besides. Unless you check the board everyday with a large magnifier, for the > obvious; or just replacing them all from a private stock hidden from this > hypothetical large government agency, you would not stand a chance of > finding it. > > So you better have your machine in a suitably armored steel box, preferably > at a secure alternate location, one that locks with an unpickable lock. > >>>>And, if you're at home, and can't even trust your own family, then >>>>anything computer-related is the least of your concerns. I'd be more >>>>inclined to be looking up a good psychologist rather then a transparent >>>>keyboard. >>> >>> >>>I choose to live alone (for security reasons) so what I worry most about >>>are keyloggers and microphones. Here in Finland the police have a special >>> group investigating us (animal rights activists), and we have caught one >>> infiltrator, so considering this I don't think that it's a sign of >>>paranoia for me to occasionally check for keyloggers. >>> > > Thank you for clearing up that point. > > Once a computer or other device that needs secure access is sufficiently > protected, it becomes cheaper for a large government agency to resort to > bribery or torture to get the information it wants. Assuming they do not > wish to try bribery, are you sure you want your machine that safe? > > I assume you are using gnupg for all your correspondence with everyone. If > you encrypt only your sensitive communications, it will be painfully obvious > which of your e-mails to decrypt, saving the black hats a lot of trouble. Come to think of it, once they have access to your box, why would they not just replace your gnupg software with their own version? And while there, replace your version of tripwire with their own version of that, too, so you could not tell they did anything. Why not just move your enterprise to a more accepting location: hills of Afghanistan, for example? - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:45:00 up 81 days, 2:41, 3 users, load average: 4.29, 4.21, 4.17 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDGu0mPtu2XpovyZoRAtk4AJ9odwkEhWbp2LPVdqpe4Owp4LwHZgCfRlpb uCWYhfpIAUj2HgFaRp3Ewmk= =+55I -----END PGP SIGNATURE----- From greg at turnstep.com Sun Sep 4 15:23:58 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Sun Sep 4 15:24:39 2005 Subject: Transparent keyboards In-Reply-To: <431AE772.8020205@exit109.com> Message-ID: <381d1646f1dc19ec951fb45d2de75818@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Once a computer or other device that needs secure access is sufficiently > protected, it becomes cheaper for a large government agency to resort to > bribery or torture to get the information it wants. Assuming they do not > wish to try bribery, are you sure you want your machine that safe? That's a silly argument. Because they are ways of obtaining your passphrase by force, you shouldn't bother using one or take other protective measures? Last I heard, the government of Finland was not known for torturing its citizens. > I assume you are using gnupg for all your correspondence with everyone. If > you encrypt only your sensitive communications, it will be painfully obvious > which of your e-mails to decrypt, saving the black hats a lot of trouble. A lot of trouble in what way? Do you know of a black hat agency able to decrypt exiting gpg-encrypted messages? The original poster may want to check out "Tinfoil Hat Linux"[1] which has some interesting capabilities, including an anti-keylogger measure. A laptop or PDA with its own keyboard could be useful as well. [1] http://tinfoilhat.shmoo.com/ - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200509040917 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFDGvUcvJuQZxSWSsgRAuBNAJ9MyKp4Vgqb+Q1++Jlqq0u+FIxo3ACg1Gkj WReipnoNerGwxTTCI8oeZgE= =zyQY -----END PGP SIGNATURE----- From benjamin at pythagoras.no-ip.org Sun Sep 4 14:12:44 2005 From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie) Date: Sun Sep 4 17:19:25 2005 Subject: Transparent keyboards Message-ID: <930e1e99569fea23ae3a3472204110b5@www.pythagoras.no-ip.org> Jean-David Beyer wrote: >My guess is that if someone serious about this, such as a large government >agency, were to do it, they might do something really simple, like replace >some board in your machine (modem?) with another one just like it but with >the keylogger on it. Seems a lot of effort and potentially risky... Why not just use electromagnetic radiation eavesdropping - such as TEMPEST? -- Benjamin benjamin@pythagoras.no-ip.org From roam at ringlet.net Sun Sep 4 16:40:48 2005 From: roam at ringlet.net (Peter Pentchev) Date: Sun Sep 4 17:41:25 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: References: <4318BAC6.4000100@seaworthysys.com> Message-ID: <20050904144048.GD911@straylight.m.ringlet.net> On Fri, Sep 02, 2005 at 10:39:52PM -0400, Dan Mundy wrote: > Berend Tober wrote: > > I hate to admit that I still use MS-Excel rather than an open source > > spread sheet tool, but workplace requirements constrain my fate... > > Has anyone else managed a work-around for this flaw? (Aside from the > > obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot > > control...) > > use openoffice.org: it is opensource and fully compatible with > microsoft. now it is a failure you can control. see > http://www.openoffice.org/dev_docs/instructions.html#win for how to > install it. Hate to point out the obvious, but unfortunately, it just might be that Berend canNOT control whether his coworkers also use OpenOffice or MS Excel, in which case the problem of a coworker opening a signed spreadsheet and invalidating the signature still stands. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 Hey, out there - is it *you* reading me, or is it someone else? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050904/f6f42cf5/attachment.pgp From wk at gnupg.org Sun Sep 4 19:29:06 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Sep 4 19:31:30 2005 Subject: GPGol released In-Reply-To: <8764thawju.fsf@wheatstone.g10code.de> (Werner Koch's message of "Sun, 04 Sep 2005 13:42:45 +0200") References: <8764thawju.fsf@wheatstone.g10code.de> Message-ID: <878xycagil.fsf@wheatstone.g10code.de> On Sun, 04 Sep 2005 13:42:45 +0200, Werner Koch said: > directory where Windows searches for DLLs (e.g. c:\winnt\system32), > stop Outlook, run the command "regsvr32 outlgpg.dll" and start Small bug: Run regsvr32 gpgol.dll and not outlgpg.dll (which was the old name of the DLL). Shalom-Salam, Werner From skrewz at skrewz.dk Sun Sep 4 18:36:06 2005 From: skrewz at skrewz.dk (Anders Breindahl) Date: Sun Sep 4 19:40:13 2005 Subject: Transparent keyboards In-Reply-To: <431AED26.3040102@exit109.com> References: <431AE772.8020205@exit109.com> <431AED26.3040102@exit109.com> Message-ID: <200509041836.10942.skrewz@skrewz.dk> On Sunday 04 September 2005 14:48, Jean-David Beyer wrote: > Jean-David Beyer wrote: > > Oskar L. wrote: > >>>pats_comp_solutions@hotpop.com wrote: > >>>I choose to live alone (for security reasons) so what I worry most about > >>>are keyloggers and microphones. Here in Finland the police have a > >>> special group investigating us (animal rights activists), and we have > >>> caught one infiltrator, so considering this I don't think that it's a > >>> sign of paranoia for me to occasionally check for keyloggers. > > > > Thank you for clearing up that point. > > > > Once a computer or other device that needs secure access is sufficiently > > protected, it becomes cheaper for a large government agency to resort to > > bribery or torture to get the information it wants. Assuming they do not > > wish to try bribery, are you sure you want your machine that safe? > > > > I assume you are using gnupg for all your correspondence with everyone. > > If you encrypt only your sensitive communications, it will be painfully > > obvious which of your e-mails to decrypt, saving the black hats a lot of > > trouble. > > Come to think of it, once they have access to your box, why would they not > just replace your gnupg software with their own version? And while there, > replace your version of tripwire with their own version of that, too, so > you could not tell they did anything. > > Why not just move your enterprise to a more accepting location: hills of > Afghanistan, for example? I believe you're missing the fact, that the OP uses a live-CD and USB-flash-memory. The only thing he has to care about then, is the hardware he's using [0]. By the way -- why Afghanistan, of all places? Regards, Anders Breindahl. [0] And the transport used, when he fetches the live-CD-images... And the way he accesses sites on the web... And the integrity of his home/workplace... And whether he leaves the live-CD when he goes to sleep... And whether the distributor of the live-CD-images has become corrupt... And whether the headers of the mail he sends are too revealing... And of course, the lone crackers... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050904/f6cea3c7/attachment-0001.pgp From btober at seaworthysys.com Sun Sep 4 18:45:00 2005 From: btober at seaworthysys.com (Berend Tober) Date: Sun Sep 4 20:02:41 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: <20050904144048.GD911@straylight.m.ringlet.net> References: <4318BAC6.4000100@seaworthysys.com> <20050904144048.GD911@straylight.m.ringlet.net> Message-ID: <431B248C.1090107@seaworthysys.com> Peter Pentchev wrote: >On Fri, Sep 02, 2005 at 10:39:52PM -0400, Dan Mundy wrote: > > >>Berend Tober wrote: >> >> >>>I hate to admit that I still use MS-Excel rather than an open source >>>spread sheet tool, but workplace requirements constrain my fate... >>>Has anyone else managed a work-around for this flaw? (Aside from the >>>obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot >>>control...) >>> >>> >>use openoffice.org: it is opensource and fully compatible with >>microsoft. now it is a failure you can control. see >>http://www.openoffice.org/dev_docs/instructions.html#win for how to >>install it. >> >> > >Hate to point out the obvious, but unfortunately, it just might be that >Berend canNOT control whether his coworkers also use OpenOffice or MS >Excel, in which case the problem of a coworker opening a signed >spreadsheet and invalidating the signature still stands. > Indeed, and I even included in my original post "(Aside from the obvious -- "Stop using MS-Excel!" -- because that is a failure I cannot control...)". Kids these days.... Anyway, I've looked at WinPT and GPGee and one other GUI wrapper around gnupg, but they all of course are victims of this MS Excel "feature", and furthermore none of them satisfy my other need to be able to support multiple persons signing any given document, either (cf. other mailing list message thread "Multiple signatures on a single file"). A little further roughhousing with the command line shows that a DOS batch file script with gsign.bat: @echo off attrib +r %2 gpg -b -u %1 -o - %2>>%2.sig accomplished 1) setting the target file read-only attribute, which prevents MS Excel from doing what ever it does to modify the file, despite the user's intention otherwise, and 2) satisfies my other need to be able to let multiple individuals sign a given document Then a companion script gverify.bat: gpg --verify %1 will list the several valid signatures written to a file. Of course, I really don't think anyone that isn't enough of a geek to appreciate the command line will be able to accept a solution like this for signing documents, even if it does eliminate the need for producing hard-copy document print outs just for the purpose of marking with a pen-and-ink signature. Gosh, I might have to roll my own GUI. From cmetzke at gmail.com Sun Sep 4 22:20:27 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Sun Sep 4 23:20:03 2005 Subject: Expired Keys Message-ID: <431B570B.8070303@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Is there any command that will delete expired keys from a keyring ? I have had a look through the docs but cant seem to find anything, so i thought i would ask the guru's :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDG1cLiJKCWGgxIoARAs7JAJ4m8/i+mWjDW6HYaPBv/KWXkAe0nwCfTKj3 8hXFPwsE3gJ5gw93Y1BzI4o= =JzJV -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sun Sep 4 23:57:52 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Sep 4 23:57:31 2005 Subject: Expired Keys In-Reply-To: <431B570B.8070303@gmail.com> References: <431B570B.8070303@gmail.com> Message-ID: <200509042257.53066.linux@codehelp.co.uk> On Sunday 04 September 2005 9:20 pm, Cameron Metzke wrote: > Hi, Message was signed on 01/01/1970 12:59 am with unknown key 0x68312280. The validity of the signature cannot be verified. gpgkeys: key 8892825868312280 not found on keyserver If you are going to sign emails, PLEASE make sure your key is on subkeys.pgp.net! Ta. > Is there any command that will delete expired keys from a keyring ? From previous discussions here: gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` That deletes anything that is NOT u (ultimate trust) of f (full trust). Adapt the regexp ^pub:[u|f] to suit. If, like me, you run this regularly as a cron job to filter out the useless keys that clutter up many keyrings, use: #!/bin/bash gpg --check-trustdb gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` gpg --import /home/neil/documents/gpg/people/*.asc gpg --refresh-keys gpg --check-trustdb The import line brings back keys that I want but which I have not yet had a chance to sign. The refresh-keys command updates every key still in the keyring - you could run that FIRST but it takes longer. It depends how likely it is that some of the "junk" keys will turn out to be trusted once refreshed. Of course, one man's junk is another man's gold. YMMV. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050904/2ff6dfc3/attachment.pgp From cmetzke at gmail.com Mon Sep 5 00:31:13 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Mon Sep 5 00:31:57 2005 Subject: Expired Keys In-Reply-To: <200509042257.53066.linux@codehelp.co.uk> References: <431B570B.8070303@gmail.com> <200509042257.53066.linux@codehelp.co.uk> Message-ID: <431B75B1.7000709@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Williams wrote: > On Sunday 04 September 2005 9:20 pm, Cameron Metzke wrote: > >>Hi, > > > Message was signed on 01/01/1970 12:59 am with unknown key 0x68312280. > The validity of the signature cannot be verified. > gpgkeys: key 8892825868312280 not found on keyserver > > If you are going to sign emails, PLEASE make sure your key is on > subkeys.pgp.net! > > Ta. > > >>Is there any command that will delete expired keys from a keyring ? > > > From previous discussions here: > > gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ > --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` > > That deletes anything that is NOT u (ultimate trust) of f (full trust). Adapt > the regexp ^pub:[u|f] to suit. > > If, like me, you run this regularly as a cron job to filter out the useless > keys that clutter up many keyrings, use: > > #!/bin/bash > gpg --check-trustdb > gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ > --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` > gpg --import /home/neil/documents/gpg/people/*.asc > gpg --refresh-keys > gpg --check-trustdb > > The import line brings back keys that I want but which I have not yet had a > chance to sign. > > The refresh-keys command updates every key still in the keyring - you could > run that FIRST but it takes longer. It depends how likely it is that some of > the "junk" keys will turn out to be trusted once refreshed. > > Of course, one man's junk is another man's gold. YMMV. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users Well thats a great bash script which i will incorperate into my *nix box :). Basically what im trying to do is build a php frontend to gnupg which can act like a keyserver. The keys are imported using --fast-import which i belive doesnt touch the trustdb, so all im really trying to do is basically delete all expired keys in the pubring (and possibly keys that have been revoked). I intend on using a bash script to run the delete script via cron. Unfortunatly my skills have alot to be desired lol, so best i get to work on it :) If anyones has any tips I would love to hear them :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDG3WwiJKCWGgxIoARAjMUAKCUBiFhvg2Hh7acpNcAZ27T8hBD3ACgmYiv /kmOIg8M5OegatAvVuJ0nfM= =z+qZ -----END PGP SIGNATURE----- From cmetzke at gmail.com Mon Sep 5 00:53:44 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Mon Sep 5 00:54:26 2005 Subject: Expired Keys In-Reply-To: <200509042257.53066.linux@codehelp.co.uk> References: <431B570B.8070303@gmail.com> <200509042257.53066.linux@codehelp.co.uk> Message-ID: <431B7AF8.1000909@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Williams wrote: > On Sunday 04 September 2005 9:20 pm, Cameron Metzke wrote: > >>Hi, > > > Message was signed on 01/01/1970 12:59 am with unknown key 0x68312280. > The validity of the signature cannot be verified. > gpgkeys: key 8892825868312280 not found on keyserver > > If you are going to sign emails, PLEASE make sure your key is on > subkeys.pgp.net! > > Ta. > > >>Is there any command that will delete expired keys from a keyring ? > > > From previous discussions here: > > gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ > --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` > > That deletes anything that is NOT u (ultimate trust) of f (full trust). Adapt > the regexp ^pub:[u|f] to suit. > > If, like me, you run this regularly as a cron job to filter out the useless > keys that clutter up many keyrings, use: > > #!/bin/bash > gpg --check-trustdb > gpg --batch --yes --delete-key `gpg --list-keys --fixed-list-mode \ > --with-colons | grep "^pub" | grep -v "^pub:[u|f]:" | cut -f5 -d":"` > gpg --import /home/neil/documents/gpg/people/*.asc > gpg --refresh-keys > gpg --check-trustdb > > The import line brings back keys that I want but which I have not yet had a > chance to sign. > > The refresh-keys command updates every key still in the keyring - you could > run that FIRST but it takes longer. It depends how likely it is that some of > the "junk" keys will turn out to be trusted once refreshed. > > Of course, one man's junk is another man's gold. YMMV. > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users There you go my key is now on the http://keyserver.mine.nu/ keyserver for ya :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDG3r4iJKCWGgxIoARAkidAJ9uw9vgskYt4UJqxJGHzN9OtytIrACfeADo M+v7qRBOkqmkmKitNoPdgNc= =bqoV -----END PGP SIGNATURE----- From kfitzner at excelcia.org Mon Sep 5 01:21:10 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Mon Sep 5 01:21:29 2005 Subject: Multiple signing - is this a common desire? (was Re: Signing MS-Excel spread sheets) Message-ID: <431B8166.2080809@excelcia.org> Berend Tober wrote: > Anyway, I've looked at WinPT and GPGee and one other GUI wrapper > around gnupg, but they all of course are victims of this MS Excel > "feature", and furthermore none of them satisfy my other need to be > able to support multiple persons signing any given document When I started with GPGee I debated the idea of handling multiple-signatures. I decided not to deal with the added complexity because I didn't think it was a much called-for feature. If this is something that people would want to do more often in the real world, I'll happily add this feature. I can even drop in something like "Set target file read-only after operation" - well, if I can figure out a shorter description to use for it. Anyway, is multiple-key signing more common than I gave it credit for? Kurt. From linux at codehelp.co.uk Mon Sep 5 01:40:55 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Sep 5 01:40:34 2005 Subject: Expired Keys In-Reply-To: <431B75B1.7000709@gmail.com> References: <431B570B.8070303@gmail.com> <200509042257.53066.linux@codehelp.co.uk> <431B75B1.7000709@gmail.com> Message-ID: <200509050040.58798.linux@codehelp.co.uk> On Sunday 04 September 2005 11:31 pm, Cameron Metzke wrote: > Basically what im trying to do is build a php frontend to gnupg which > can act like a keyserver. But then keyservers don't delete keys - expired or not. Think about it, when I use a keyserver, I still want to be able to retrieve an expired key - so that I can KNOW it's expired! It's even more important with revoked - simply saying the key isn't listed does NOT protect me from an attacker using a compromised (and revoked) key! There are established protocols and packages for running keyservers - expired and revoked keys should be retained. If you really just mean, as I've done, that you want a PHP/Perl web interface to a small group of users' keys then use gnupg and don't set any keys to ultimate trust - then there is never any trust to check. Put some other authentication in the web site and you could consider using a trust always model that allows you to encrypt to any key in the local keyring. Use gnupg on the box and something like GnuPG::Interface in Perl to handle the key selection and updates and take your updates from *public* keyservers that can be relied upon to give you complete and up to date information. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050905/b3f3dd78/attachment.pgp From cmetzke at gmail.com Mon Sep 5 02:12:47 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Mon Sep 5 02:13:34 2005 Subject: Expired Keys In-Reply-To: <200509050040.58798.linux@codehelp.co.uk> References: <431B570B.8070303@gmail.com> <200509042257.53066.linux@codehelp.co.uk> <431B75B1.7000709@gmail.com> <200509050040.58798.linux@codehelp.co.uk> Message-ID: <431B8D7F.4010109@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Neil Williams wrote: > On Sunday 04 September 2005 11:31 pm, Cameron Metzke wrote: > >>Basically what im trying to do is build a php frontend to gnupg which >>can act like a keyserver. > > > But then keyservers don't delete keys - expired or not. > > Think about it, when I use a keyserver, I still want to be able to retrieve an > expired key - so that I can KNOW it's expired! > > It's even more important with revoked - simply saying the key isn't listed > does NOT protect me from an attacker using a compromised (and revoked) key! > > There are established protocols and packages for running keyservers - expired > and revoked keys should be retained. > > If you really just mean, as I've done, that you want a PHP/Perl web interface > to a small group of users' keys then use gnupg and don't set any keys to > ultimate trust - then there is never any trust to check. Put some other > authentication in the web site and you could consider using a trust always > model that allows you to encrypt to any key in the local keyring. Use gnupg > on the box and something like GnuPG::Interface in Perl to handle the key > selection and updates and take your updates from *public* keyservers that can > be relied upon to give you complete and up to date information. > Yep your dead right, In essence the frontend im scripting up, is for my own learning curve. It has allowed me to pull apart many aspects of gpg that i would not normally touch on. I doubt there will ever be a production version of it, as it would be like reinventing the wheel. But it does allow me to learn exactly how to incorporate gpg into regular php applications that i would like to have this feature. Thanks for all your input, it has been a great help :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDG41/iJKCWGgxIoARAi38AJ48Tui4zBX4q2oqmmlsL2LOcI//4gCfSrZt q/JQP6OfB7K74fEs7hAL2Rg= =c1Pa -----END PGP SIGNATURE----- From JPClizbe at comcast.net Mon Sep 5 03:01:53 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Sep 5 03:03:00 2005 Subject: Expired Keys In-Reply-To: <431B75B1.7000709@gmail.com> References: <431B570B.8070303@gmail.com> <200509042257.53066.linux@codehelp.co.uk> <431B75B1.7000709@gmail.com> Message-ID: <431B9901.9010505@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cameron Metzke wrote: > > Well thats a great bash script which i will incorperate into my *nix box > :). > Basically what im trying to do is build a php frontend to gnupg which > can act like a keyserver. The keys are imported using --fast-import > which i belive doesnt touch the trustdb, so all im really trying to do > is basically delete all expired keys in the pubring (and possibly keys > that have been revoked). > I intend on using a bash script to run the delete script via cron. > Unfortunatly my skills have alot to be desired lol, so best i get to > work on it :) > If anyones has any tips I would love to hear them :) bash and ksh are both available for Windows in a variety of flavors and sources*. Ditto for cron. * MSys/MinGW; Cygwin; UWin; MS SFU... to name a few. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDG5kAHQSsSmCNKhARAmI5AJ9TuRfR/oUFZfX1wO1XdvwHQIyS6QCfccxY f//fMa2BGvhVsvU8IpDx0CY= =PXlC -----END PGP SIGNATURE----- From cmetzke at gmail.com Mon Sep 5 05:09:57 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Mon Sep 5 05:10:35 2005 Subject: Key signing policy Message-ID: <431BB705.6030708@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Does anyone have solid written key signing policy? I ask because i was just asked myself, and just gave a rough verbal of my own policy. But i would like to see any others before i commit myself to anything on paper. (I'm Trying To Push For GnuPG To Be Used At My Workplace) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDG7cFiJKCWGgxIoARAt83AJ0QwiyoPdWzL17MsptrCrekaYTtrgCbBFZM 7JXRB8FQQi/upMRmn4ra1uY= =cI6C -----END PGP SIGNATURE----- From npcole at yahoo.co.uk Mon Sep 5 09:35:15 2005 From: npcole at yahoo.co.uk (Nicholas Cole) Date: Mon Sep 5 10:35:52 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <87hdd3ih86.fsf@wheatstone.g10code.de> Message-ID: <20050905073515.38596.qmail@web25406.mail.ukl.yahoo.com> --- Werner Koch wrote: > It may not be widely adopted but nevertheless it is > the standard to > make sure that confidential information can be send > over the Internet. > It is used all over the Net and major industry > players are using it > and even requring that suppkiers are using PGP. > > The IETF has not decided whether OpenPGP or S/MIME > will be the > preferred standard. I don't mean to get involved in the heated discussion about smart cards and the like, but since it has been raised, I would welcome some clarification about gpg-1.9, and the thinking behind adding support for s/mime. What is the "roadmap" (from the point of view of users) for gpg? Is there any sense in which opengpg is, or may be soon, a deprecated standard? Beyond the pros and cons of centralised CAs, what are the advantages of the two? It seems to be the case that amongst individuals and open source projects, openpgp is in very wide use (these things are relative!) - and given the ease with which openpgp has shown it can adapt to emerging security threats I would expect that to continue. I have no idea at all how well commercial pgp is doing. Best, N. ___________________________________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com From sadam at CLEMSON.EDU Thu Sep 1 05:56:26 2005 From: sadam at CLEMSON.EDU (Adam Schreiber) Date: Mon Sep 5 10:50:36 2005 Subject: [Sks-devel] Re: zero-length MPIs In-Reply-To: <20050901030516.GA20299@jabberwocky.com> References: <42F97044.9050603@comcast.net> <42FAC641.9040507@comcast.net> <20050811160217.GC358@wilma.widomaker.com> <20050811182144.GA33562@wilma.widomaker.com> <20050811195459.GB12783@opium.palfrader.org> <20050812002243.GD358@wilma.widomaker.com> <20050824130716.GA4211@suse.de> <20050901030516.GA20299@jabberwocky.com> Message-ID: <43167BEA.1080205@clemson.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > Try this patch. I get an MPI error with this patch I didn't get with Klaus'. *snip* gpg: mpi larger than indicated length (2 bytes) gpg: keyring_get_keyblock: read error: invalid packet gpg: keydb_get_keyblock failed: invalid keyring *snip* Adam Schreiber - -- Why isn't all of your email protected? http://gnupg.org http://enigmail.mozdev.org http://seahorse.sourceforge.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD4DBQFDFnvqjU1oaHEI4wgRAv/MAKCltzlrWdWElPm4Gis173DWKeHKvACYyJdW xXcd3RTxVp7/8OF7TeezrA== =bdKw -----END PGP SIGNATURE----- From sadam at CLEMSON.EDU Thu Sep 1 05:58:47 2005 From: sadam at CLEMSON.EDU (Adam Schreiber) Date: Mon Sep 5 10:51:11 2005 Subject: [Sks-devel] Re: zero-length MPIs In-Reply-To: <20050901030516.GA20299@jabberwocky.com> References: <42F97044.9050603@comcast.net> <42FAC641.9040507@comcast.net> <20050811160217.GC358@wilma.widomaker.com> <20050811182144.GA33562@wilma.widomaker.com> <20050811195459.GB12783@opium.palfrader.org> <20050812002243.GD358@wilma.widomaker.com> <20050824130716.GA4211@suse.de> <20050901030516.GA20299@jabberwocky.com> Message-ID: <43167C77.2020009@clemson.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Please ignore my previous email. The patch works for me. Adam Schreiber - -- Why isn't all of your email protected? http://gnupg.org http://enigmail.mozdev.org http://seahorse.sourceforge.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDFnx3jU1oaHEI4wgRAihPAJkB2BpJW+fej/HfvStxYCQTdCvETQCg4jA4 DA7CvncNxh2hDubCGbIoO2A= =Can1 -----END PGP SIGNATURE----- From kssingvo at suse.de Thu Sep 1 13:28:47 2005 From: kssingvo at suse.de (Klaus Singvogel) Date: Mon Sep 5 10:51:17 2005 Subject: [Sks-devel] Re: zero-length MPIs In-Reply-To: <43167C77.2020009@clemson.edu> References: <42F97044.9050603@comcast.net> <42FAC641.9040507@comcast.net> <20050811160217.GC358@wilma.widomaker.com> <20050811182144.GA33562@wilma.widomaker.com> <20050811195459.GB12783@opium.palfrader.org> <20050812002243.GD358@wilma.widomaker.com> <20050824130716.GA4211@suse.de> <20050901030516.GA20299@jabberwocky.com> <43167C77.2020009@clemson.edu> Message-ID: <20050901112846.GA5580@suse.de> -----BEGIN PGP SIGNED MESSAGE----- I can confirm too that the patch of David Shaw is working fine. Thanks. Regards, Klaus. Adam Schreiber wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Please ignore my previous email. The patch works for me. > > > Adam Schreiber > > - -- > Why isn't all of your email protected? > http://gnupg.org > http://enigmail.mozdev.org > http://seahorse.sourceforge.net > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > iD8DBQFDFnx3jU1oaHEI4wgRAihPAJkB2BpJW+fej/HfvStxYCQTdCvETQCg4jA4 > DA7CvncNxh2hDubCGbIoO2A= > =Can1 > -----END PGP SIGNATURE----- - -- Klaus Singvogel SUSE LINUX Products GmbH Maxfeldstr. 5 E-Mail: Klaus.Singvogel@SuSE.de 90409 Nuernberg Phone: +49 (0) 911 740530 Germany GnuPG-Key-ID: 1024R/5068792D 1994-06-27 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iQCVAwUBQxbl7rbjw8ZQaHktAQF9PgP/Z0Xs81u0SjC98iCK9mmQEKI/c/5Q54CO /fj/LkkunLQ7r+5ywwxJ/5htLEHKz4iY5QCvYCGc72H8S0IqX1KN3ThTTTsWiDy6 FWVb/svpOfQks9Zu6MJegxiphX+oHwieza6SVB3Y5/r2pC/gzQF3syiC/YOoI6r1 DbMPEtF0FSE= =ran3 -----END PGP SIGNATURE----- From btober at computer.org Fri Sep 2 21:14:28 2005 From: btober at computer.org (Berend Tober) Date: Mon Sep 5 10:51:50 2005 Subject: Multiple signatures on a single file Message-ID: <4318A494.3020507@computer.org> Is it possible to have multiple persons sign a single file? If so, how is this done? The particular scenario is currently this: Employees submit expense reports for business travel using a spread sheet. Current practise is the the employee fills out spread sheet via computer (or optionally prints blank spread sheet template and writes by hand with a pen), physically signs using pen and ink, physically delivers signed hardcopy to supervisor for supervisor pen-and-ink signature prior to payment processing. Desired practise is to eliminate both producing hard copy and pen-and-ink signatures, and then re-work the process using gpg electronic signatures. Thus, employee would enter data into expense report spread sheet, save, gpg sign, mail to supervisor, supervisor would (presumably) open and review spread sheet, close without changing, gpg sign, and then return to employee or forward to accounting dept. Sounds straightforward, but I didn't spot in the various manuals/guides/how-to's for gnupg how a second individual could add their signature after me. -- BMT From kimmo.surakka at gmail.com Sun Sep 4 20:31:47 2005 From: kimmo.surakka at gmail.com (Kimmo Surakka) Date: Mon Sep 5 10:51:54 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: <431B248C.1090107@seaworthysys.com> References: <4318BAC6.4000100@seaworthysys.com> <20050904144048.GD911@straylight.m.ringlet.net> <431B248C.1090107@seaworthysys.com> Message-ID: Berend Tober wrote: > Indeed, and I even included in my original post "(Aside from the > obvious -- "Stop using MS-Excel!" -- because that is a failure I > cannot control...)". Kids these days.... > > Anyway, I've looked at WinPT and GPGee and one other GUI wrapper > around gnupg, but they all of course are victims of this MS Excel > "feature", and furthermore none of them satisfy my other need to be > able to support multiple persons signing any given document, either > (cf. other mailing list message thread "Multiple signatures on a > single file"). > > Just my two cents worth: isn't it true that most Windows zippers can open a file "from inside a zip archive", i.e. uncompress it transparently to a temp directory and open from there? One easy-to- use solution could therefore be to store the Excel file inside a zip archive, and then sign that archive? When the second person opens the spreadsheet, all the changes Excel wants to do are done to the temporary copy -- not the actual spreadsheet itself. Kusti From pgut001 at cs.auckland.ac.nz Mon Sep 5 05:07:22 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Mon Sep 5 10:51:56 2005 Subject: OpenPGG Card In-Reply-To: <85000712c0e502626e38ba79992949d3@www.pythagoras.no-ip.org> Message-ID: Benjamin Donnachie writes: >I saw that... Perhaps we should "fork" GPG and work on a PKCS#11 compliant >version... I'm fairly new to smartcards, but I have a fair bit of other >programming experience... I'd already offered the use of my PKCS #11 interface code from cryptlib for GPG use some time ago. This should do everything you need and has had years of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly easier than going through the entire learning curve yourself. Peter. From twoaday at freakmail.de Mon Sep 5 11:21:14 2005 From: twoaday at freakmail.de (Timo Schulz) Date: Mon Sep 5 11:19:15 2005 Subject: [outlgpg] Outlook 2002 Crash In-Reply-To: <04CD4FAAABDDC543BA2B33D5C043F91707454F@presinet-main2.PRESINET.local> References: <04CD4FAAABDDC543BA2B33D5C043F91707454F@presinet-main2.PRESINET.local> Message-ID: <1125912074.1450.0.camel@colt> Am Mon, 2005-08-29 um 20.15 schrieb Ryley Breiddal: > I'm running Outlook 2002 SP2 on Windows 2000, and whenever I try to sign > a message, Outlook crashes. There was a report recently, archived at > http://lists.gnupg.org/pipermail/gnupg-users/2005-August/026511.html > whose symptoms match mine exactly. > > I have GPGExch.dll version 0.6.1 and libgpgmedlgs.dll version 0.99.4. > My GPG version is 1.4.2 (I installed WinPT 0.10.0). Please use the new GPGol version. The old 'OutlGPG' version will no longer be maintained and is now replaced with GPGol. Timo From alon.barlev at gmail.com Mon Sep 5 14:16:37 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 13:16:21 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: >I'd already offered the use of my PKCS #11 interface code from cryptlib for GPG use some time ago. This > should do everything you need and has had years of tuning to work with all the bugs in various PKCS #11 > drivers, it's vastly easier than going through the entire learning curve yourself. Nice! The conclusion of my discussion with people here is that the need of using PKCS#11 for accessing various smartcards is not clear. I've tried to highlight the advantages of using standard software API to access external devices, but I've failed. Best Regards, Alon Bar-Lev. From btober at seaworthysys.com Mon Sep 5 13:41:19 2005 From: btober at seaworthysys.com (Berend Tober) Date: Mon Sep 5 13:41:29 2005 Subject: Multiple signatures on a single file In-Reply-To: <4319191E.3090900@gmail.com> References: <4318A1A5.6040705@seaworthysys.com> <4319191E.3090900@gmail.com> Message-ID: <431C2EDF.6090407@seaworthysys.com> Alphax wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: RIPEMD160 > >Berend Tober wrote: > > >>Is it possible to have multiple persons sign a single file? If so, how >>is this done? >> >>The particular scenario is currently this: Employees submit expense >>reports for business travel using a spread sheet. Current practise is >>the the employee fills out spread sheet via computer (or optionally >>prints blank spread sheet template and writes by hand with a pen), >>physically signs using pen and ink, physically delivers signed hardcopy >>to supervisor for supervisor pen-and-ink signature prior to payment >>processing. >> >>Desired practise is to eliminate both producing hard copy and >>pen-and-ink signatures, and then re-work the process using gpg >>electronic signatures. Thus, employee would enter data into expense >>report spread sheet, save, gpg sign, mail to supervisor, supervisor >>would (presumably) open and review spread sheet, close without changing, >>gpg sign, and then return to employee or forward to accounting dept. >> >>Sounds straightforward, but I didn't spot in the various >>manuals/guides/how-to's for gnupg how a second individual could add >>their signature after me. >> >> >> > >Use detached signatures? Generate a key to sign the document with, and >have that key signed by the supervisor? > > What I don't like about doing that explicitly is that every additional signature, at least in the default operational mode, appends an additional ".sig" file extension. Further more, the signatures are wrapped withing one another, so that to verification would require serial verification of each preceding outer layer signature. What I've been refining during the last couple days uses a command line script to append additional detached signatures into a single signature file. This approach models more directly the co-signature concept of legacy contracts, i.e., think of buying a house -- you and you spouse are co-signators rather than having one sign the contract and the other sign the others signature. What you suggested models the concept of a notary public witnessing a signature, but that we already have by signing public keys in the trust model. From btober at seaworthysys.com Mon Sep 5 14:07:13 2005 From: btober at seaworthysys.com (Berend Tober) Date: Mon Sep 5 14:08:16 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: References: <4318BAC6.4000100@seaworthysys.com> <20050904144048.GD911@straylight.m.ringlet.net> <431B248C.1090107@seaworthysys.com> Message-ID: <431C34F1.1030004@seaworthysys.com> Kimmo Surakka wrote: > Berend Tober wrote: > >> Indeed, and I even included in my original post "(Aside from the >> obvious -- "Stop using MS-Excel!" -- because that is a failure I >> cannot control...)". Kids these days.... >> >> Anyway, I've looked at WinPT and GPGee and one other GUI wrapper >> around gnupg, but they all of course are victims of this MS Excel >> "feature", and furthermore none of them satisfy my other need to be >> able to support multiple persons signing any given document, either >> (cf. other mailing list message thread "Multiple signatures on a >> single file"). > > Just my two cents worth: isn't it true that most Windows zippers can > open a file "from inside a zip archive", i.e. uncompress it > transparently to a temp directory and open from there? One easy-to- > use solution could therefore be to store the Excel file inside a zip > archive, and then sign that archive? When the second person opens the > spreadsheet, all the changes Excel wants to do are done to the > temporary copy -- not the actual spreadsheet itself. The sounds like it would work, but I don't like the idea of imposing the extra layer of the separate zip application like this between the document and the signing step -- although it could be the approach we have to take if we bring this to the next level and scan the supporting documents (i.e., receipts) to jpeg files for inclusion along with the spread sheet -- which would be pretty cool. However, I still have the issue being discussed in a separate-but-related thread concerning co-signatures. The comand script I'm refining seems to do all that I need, even if it has some rough edges: gpg --sign.cmd: @echo off if .%1. == .. exit attrib +r %1 gpg --detach-sign --armor --comment "Signature of %USERNAME%" --local-user %USERNAME% -o - %1>>%1.asc along with gpg --verify.cmd: @echo off gpg --verify %1 echo. pause to list the co-signators. Lastly, I make short cuts in the Windows "Send To" folder, putting these two features in the Explorer context menu. Seems to work o.k. -- BMT From jdbeyer at exit109.com Mon Sep 5 14:24:45 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Mon Sep 5 14:24:55 2005 Subject: Transparent keyboards In-Reply-To: <381d1646f1dc19ec951fb45d2de75818@biglumber.com> References: <381d1646f1dc19ec951fb45d2de75818@biglumber.com> Message-ID: <431C390D.6090509@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greg Sabino Mullane wrote: > > >>>Once a computer or other device that needs secure access is sufficiently >>>protected, it becomes cheaper for a large government agency to resort to >>>bribery or torture to get the information it wants. Assuming they do not >>>wish to try bribery, are you sure you want your machine that safe? > > > That's a silly argument. Because they are ways of obtaining your > passphrase by force, you shouldn't bother using one or take other > protective measures? Last I heard, the government of Finland was not > known for torturing its citizens. I do not say you should not take protective measures. I just say to consider that if your protective measures are so effective that using force or torture are cheaper than the alternatives, that you expose yourself to such measures if your information is actually worth it. I am glad Finland is such a country. But what if an agency known to employ torture, or not known do do so but that does, chooses to operate in Finland, most likely withouth the knowledge or consent of the government of Finland... ? > > >>>I assume you are using gnupg for all your correspondence with everyone. If >>>you encrypt only your sensitive communications, it will be painfully obvious >>>which of your e-mails to decrypt, saving the black hats a lot of trouble. > > > A lot of trouble in what way? Do you know of a black hat agency able to > decrypt exi[s]ting gpg-encrypted messages? It is pretty easy once they have the passphrases or private keys. And once a suitable keylogger is in there, they get them very easily. I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they have the resources to do it. It would probably take them a while if they had to use brute force (and perhaps that is what they would do, again, if they felt the information was actually worth it). Probably no one on this newsgroup actually knows how much compute power the NSA has at its disposal. At one time, the budget of the NSA was about 10x the budget of the CIA (to the great annoyance, apparently, of the DCI). I imagine a lot of their budget was spent on computing equipment, general purpose and special purpose. > > The original poster may want to check out "Tinfoil Hat Linux"[1] which has > some interesting capabilities, including an anti-keylogger measure. A > laptop or PDA with its own keyboard could be useful as well. > > [1] http://tinfoilhat.shmoo.com/ > - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:15:00 up 82 days, 2:11, 4 users, load average: 5.23, 5.18, 4.91 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDHDkNPtu2XpovyZoRAiN7AJ91pz9h5uqJ1vsJBeTju61Klda5lwCfU4dL YH5/sZwJd7XqYHRKx6KkjNU= =QRHs -----END PGP SIGNATURE----- From linux at codehelp.co.uk Mon Sep 5 14:34:54 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Sep 5 14:34:39 2005 Subject: Key signing policy In-Reply-To: <431BB705.6030708@gmail.com> References: <431BB705.6030708@gmail.com> Message-ID: <200509051334.57345.linux@codehelp.co.uk> On Monday 05 September 2005 4:09 am, Cameron Metzke wrote: > Does anyone have solid written key signing policy? I don't think there is one policy to fit all needs. There are FAQ's and HOWTO's on keysigning events/parties and lots of groups have their own policies for their own needs. There are also tools like CA Bot (by Peter Palfrader) and others that help in keysigning - particularly when keys and identities are verified at distant events and the participants won't necessarily meet again for a considerable time. http://www.palfrader.org/#cabot http://cabot.alioth.debian.org/ There's a very simple HOWTO for those who don't know the details of *how* to sign a key: http://gnupg.neil.williamsleesmill.me.uk/book1.html A more general FAQ based on the GNU Privacy Handbook: http://www.dcglug.org.uk/linux_adm/gnupg.html and containing it's own keysigning guide: http://www.dcglug.org.uk/linux_doc/gnupgsign.html And the general keysigning HOWTO: http://www.cryptnet.net/fdp/crypto/gpg-party.html All are written from a standpoint of a loose association of GnuPG users who correspond regularly by email and meet occasionally or just once. Each document tends to consider participants as individuals with their own individual key(s) and with no "group key" or "group hierarchy". i.e. they are policies for friends/contacts, not necessarily policies for employer/employees. These may need to be adapted for your purposes. The main DCGLUG guide at http://www.dcglug.org.uk/linux_doc/startgnupg.html is licenced under the GNU Free Documentation Licence. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050905/42b6bdca/attachment.pgp From ceprn at hotmail.com Mon Sep 5 14:36:24 2005 From: ceprn at hotmail.com (the dragon) Date: Mon Sep 5 15:22:36 2005 Subject: Transparent keyboards In-Reply-To: <431C390D.6090509@exit109.com> Message-ID: This thread is taking a turn to the absurd, and I have been thinking about it. I fully support the ability to maintain your right to privacy, such as the government has granted you, to it's fullest. However, if you're involved in a terrorist movement, and it appear the original poster is if the government is involved in one, even if it's under the guise of "animal rights" (as if they have any), then I support the ability of law enforcement to investigate, prosecute and convict the peretrator. Good grief, if you need to be that paranoid, then maybe you should find a more legal cause to be involved in. peace, clark 'the dragon' willis PSA: Salary <> Slavery. If you earn a salary, your employer is renting your services for 40 hours a week, not purchasing your soul. Your time is the only real finite asset that you have, and once used it can never be recovered, so don't waste it by giving it away. I work to live; I don't live to work. "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you." Carl Sandburg (1878 - 1967) From wk at gnupg.org Mon Sep 5 16:26:21 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 5 16:31:38 2005 Subject: OpenPGG Card In-Reply-To: (Peter Gutmann's message of "Mon, 05 Sep 2005 15:07:22 +1200") References: Message-ID: <87d5nn7fqq.fsf@wheatstone.g10code.de> On Mon, 05 Sep 2005 15:07:22 +1200, Peter Gutmann said: > I'd already offered the use of my PKCS #11 interface code from cryptlib for > GPG use some time ago. This should do everything you need and has had years Thanks. That would indeed help to write a pkcs#11 implementation to connect Mozilla et al with gpg-agent/scdaemon. Regarding use of pkcs#11 below scdaemon: This might be possible by writing an app-p11 module. However, I still doubt that it makes much sense. Tweaking app-p15 for the existing cards seems to be a cleaner way to me. BTW, I just committed support for T=0 cards, tested with the Beglian eID card. Shalom-Salam, Werner From wk at gnupg.org Mon Sep 5 16:32:01 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 5 16:36:24 2005 Subject: PKCS#11 support for gpg-agent In-Reply-To: <20050905073515.38596.qmail@web25406.mail.ukl.yahoo.com> (Nicholas Cole's message of "Mon, 5 Sep 2005 08:35:15 +0100 (BST)") References: <20050905073515.38596.qmail@web25406.mail.ukl.yahoo.com> Message-ID: <878xyb7fha.fsf@wheatstone.g10code.de> On Mon, 5 Sep 2005 08:35:15 +0100 (BST), Nicholas Cole said: > gpg-1.9, and the thinking behind adding support for > s/mime. What is the "roadmap" (from the point of view > of users) for gpg? * The most important task is to integrate gpg 1.4 code base into gpg 1.9. I did this a long time ago but in the meantime e changed a lot of stuff in 1.4. so that if needs to be done again. * The format of the keyrings will be switched to a newer one (KBX). This should really help with larger keyrings and provides some other goodies. * Release 2.0 > Is there any sense in which opengpg is, or may be > soon, a deprecated standard? NO. We all like OpenPGP far more than S/MIME. > Beyond the pros and cons of centralised CAs, what are > the advantages of the two? To match the structure of the organisation. OpenPGP allows for all kinds of PKIs; whereas X.509 requires a hierarchical one. Salam-Shalom, Werner From zvrba at globalnet.hr Mon Sep 5 16:38:05 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Sep 5 16:37:39 2005 Subject: OpenPGG Card In-Reply-To: References: Message-ID: <431C584D.7020506@globalnet.hr> Peter Gutmann wrote: > > I'd already offered the use of my PKCS #11 interface code from cryptlib for > GPG use some time ago. This should do everything you need and has had years > of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly > easier than going through the entire learning curve yourself. > That's correct, it was my proposal in question. The problem is that, under Linux, I couldn't find a smart-card + PKCS#11 combination that works correctly enough (out of the box) to be usable with cryptlib. GPG needs at three different keys and static data storage. I have a patch emulating static data storage, enabling the use of pre-generated keys. I don't remember exactly all the details, but I did disregard cryptlib for some reason (not because of its quality which is superb, but because of the state of.. smart-card and PKCS#11 issues on Linux). For interested parties in this thread: OpenPGP Java card applet (almost finished): http://www.core-dump.com.hr/index.pl?node_id=421 Patch that enables the use of any smart-card with GnuPG. It allows the use of cards with pregenerated keys and uses an auxiliray file to feed metadata into GnuPG (I'm assuming a read-only token). Signing works correctly. http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc There is a g10/p11howto.txt describing how to use it. I've given up on maintaining it because of Werner's attitude towards PKCS#11. If someone else wants to maintain it - be welcome. I will provide you some help if neccessary. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050905/c0700e81/signature.pgp From wk at gnupg.org Mon Sep 5 16:43:40 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 5 16:46:31 2005 Subject: OpenPGP Card In-Reply-To: (Peter Gutmann's message of "Tue, 06 Sep 2005 01:23:51 +1200") References: Message-ID: <87zmqr60df.fsf@wheatstone.g10code.de> On Tue, 06 Sep 2005 01:23:51 +1200, Peter Gutmann said: > and commercial/business users (who really need PKCS #11 but who probably > wouldn't use GPG). The result is, as you've found, something of a lack of a I won't agree to this because there is at least one large company in Germany using Smartcards along with gpgsm. Salam-Shalom, Werner From jharris at widomaker.com Mon Sep 5 16:47:42 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Sep 5 16:48:10 2005 Subject: new (2005-09-04) keyanalyze results (+sigcheck) Message-ID: <20050905144741.GF358@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-09-04/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 252e0f13e55a2ca2ca32886f211e7471d08afce6 12916224 preprocess.keys cb882ca6570486e9f20879accc1e4d3dab102238 7871329 othersets.txt 890e81a284d0087c6587feb3e1c7ca046b4bda79 3190186 msd-sorted.txt a751f9d5477744a4f5e5ce6ebad6a60908e317ee 1372 index.html 56433a9a8c1aa573893f03c5c6a2c0282aa9bb4c 2291 keyring_stats 26c3982c68658092c19c210abec94fe0351e98b0 1253289 msd-sorted.txt.bz2 fdd2a5d063a4817b86f6a595441ff23ce24cb321 26 other.txt e5737d65e99fb365b6ce180b6dffc39c062d4e02 1697277 othersets.txt.bz2 d9774ab70de75e25ff27ab89eb745f3725996c7a 5219110 preprocess.keys.bz2 df084c3d93601c1669975012110398ec6c34a0bf 13046 status.txt 740907630c1b3c8882c93d6987a549ea74be87bd 210121 top1000table.html 8447fc107e1c02788ee5bed7143a13aa608c97d5 30191 top1000table.html.gz 483d02289f157c12fd4a00a8fa6722a20785bf2a 10785 top50table.html 56ac06d6254b663d9ed114144f621cf53c8ea65c 2534 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050905/7f116984/attachment.pgp From alon.barlev at gmail.com Mon Sep 5 18:27:17 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 17:26:56 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: >>The conclusion of my discussion with people here is that the need of >>using >>PKCS#11 for accessing various smartcards is not clear. I've tried to >>highlight the advantages of using standard software API to access >>external devices, but I've failed. >Users of crypto tokens tend to fall into two classes, hobbyists/enthusiasts (who don't mind hacking their > own glue code, so PKCS #11 isn't too important), and commercial/business users (who really need > PKCS #11 but who probably wouldn't use GPG). The result is, as you've found, something of a lack > of a market for PKCS #11 combined with GPG. I agree... But I was still amazed... If you read the PKCS#11 corresponding you will notice that there is a remote possibility to agree the usage of PKCS#11 in a way that gpg will be the provider... So that other applications can use gpg keys... This was really strange. The whole idea is to separate between application logic (gpg) and device access (Smartcards, HSM)... Best Regards, Alon Bar-Lev. From lionel at mamane.lu Mon Sep 5 16:41:40 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Mon Sep 5 17:31:20 2005 Subject: Certification-only key Message-ID: <20050905144140.GA27381@tofu.mamane.lu> Hi, I tried to generate an RSAv4 certification-only key with GnuPG, but failed, even in "expert mode". What I mean is a primary key that can be used to attach a subkey to it, or _maybe_ also to sign UserIDs of other keys (for the Web of Trust). But not for data signatures. As I understand the RFC, I want a primary key with key flags 0x01 (or maybe even 0x00?). But GnuPG only presents me with three "bits" to flip: - signature, which seems to set key flag 0x03 - encryption, which seems to set key flag 0x0C - authentication, which seems to set flag 0x21 I tried turning all three bits off, but then the key doesn't have a key flags subpacket (packet 27) at all and seems to be treated by GnuPG as a "everything is allowed" key. Is this impossible with GnuPG? Is it a bad idea? Why? Do I misunderstand the RFC? Thanks for your explanations, -- Lionel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: Digital signature Url : /pipermail/attachments/20050905/928cbe33/attachment.pgp From alon.barlev at gmail.com Mon Sep 5 18:38:20 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 17:38:03 2005 Subject: OpenPGP Card In-Reply-To: <431C584D.7020506@globalnet.hr> Message-ID: Hello, >That's correct, it was my proposal in question. The problem is that, under Linux, I couldn't find a smart-card + PKCS#11 > combination that works correctly enough (out of the box) to be usable with cryptlib. I use Athena smartcard www.athena-scs.com which works perfectly in term of Linux and PKCS#11. I enjoy using it with Java JCE, Mozilla, Tunderbird, PAM_PKCS11, I've encrypted my disk using aes-loop and then required gpg to support PKCS#11... And here we are... > Patch that enables the use of any smart-card with GnuPG. It allows the use of cards with pregenerated keys and uses an auxiliray file to > feed metadata into GnuPG (I'm assuming a read-only token). Signing works correctly. > http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch > http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc > There is a g10/p11howto.txt describing how to use it. I've given up on maintaining it because of Werner's attitude towards PKCS#11. > If someone else wants to maintain it - be welcome. I will provide you some help if neccessary. This is great work! But the work needs to be moved into gpg-agent... :( I would have help merging it if I knew that there is a chance to merge it into to gpg source. Best Regards, Alon Bar-Lev. From zvrba at globalnet.hr Mon Sep 5 18:57:54 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Sep 5 18:57:30 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431C7912.5080407@globalnet.hr> Alon Bar-Lev wrote: > > I use Athena smartcard www.athena-scs.com which works perfectly in term of > Linux and PKCS#11. I enjoy using it with Java JCE, Mozilla, Tunderbird, > PAM_PKCS11, I've encrypted my disk using aes-loop and then required gpg to > support PKCS#11... And here we are... > Great! When I was developing my patch, I had only Cryptoflex 8k cards available (still have a few of them, but not at my current geographical location :)). > > This is great work! > Thanks. > > But the work needs to be moved into gpg-agent... :( > Probably not too difficult, but still time-consuming to understand the existing code.. and that would probably be wasted time, unless you want to make a life-time commitment to keep the patch in pace with gpg development. > > I would have help merging it if I knew that there is a chance to merge it > into to gpg source. > Judging by the discussion on this list.. it seems that there is no chance for that :( Look in the archives of gnupg lists, IIRC it is around November 2004, for threads started by me. I was quickly discouraged by Werner and nowhere as persistent as you in trying to persuade him into the usefulness of PKCS#11. IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a (relatively) simple way to interface with many smart-card implementations, many of which aren't ISO7816-compliant above level 3 - they even don't support basic interindustry commands, but provide their own proprietary and undocumented command set. Personally, I think that applications not supporting PKCS#11 and/or MS CAPI will become extinct much before than non-compliant ISO7816 cards. These two have become the de-facto industry standards. I'm no fortune teller, so time will prove me right or wrong :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050905/55037bf5/signature-0001.pgp From alon.barlev at gmail.com Mon Sep 5 20:19:45 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 19:19:08 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: Peter wrote: >>Oh, that's the old Aladdin stuff. Well, they've certainly come a >>*long* way since I last looked at them - in the 1999-2000 time frame >>they had the worst PKCS #11 driver I've ever seen, and their "support" >>consisted of telling you to buy more copies of their $700 SDK to see >>whether they'd fixed any of the bugs in the version you already had. > Argh, sorry, wrong driver, it's the ActivCard drivers (and support) that were that bad, not Aladdin. > Aladdin (and by extension ASECard and Athena Cards, and eTokens as well) work just fine. Just to > repeat that: Nothing wrong with Aladdin's PKCS #11. I am glad you corrected your-self... ActivCard did not implement a good CSP/PKCS#11 on Windows too... :( Athena and Aladdin produce good support software... I am using their cards and I am very happy... Athena support Linux well... And even share the same cards between Windows CSP/PKCS#11 and Linux PKCS#11!!! Best Regards, Alon Bar-Lev From alon.barlev at gmail.com Mon Sep 5 20:19:45 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 19:19:25 2005 Subject: OpenPGP Card In-Reply-To: <431C7912.5080407@globalnet.hr> Message-ID: Zeljko wrote: >> >> I would have help merging it if I knew that there is a chance to merge >> it into to gpg source. >> > Judging by the discussion on this list.. it seems that there is no chance for that :( > Look in the archives of gnupg lists, IIRC it is around November 2004, for threads started by me. I was quickly discouraged by Werner and > nowhere as persistent as you in trying to persuade him into the usefulness of PKCS#11. Yes... I agree... I gave up... Tried to help... And failed. > IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a > (relatively) simple way to interface with many smart-card implementations, many of which aren't ISO7816-compliant above level 3 - they even don't > support basic interindustry commands, but provide their own proprietary and undocumented command set. I agree! > Personally, I think that applications not supporting PKCS#11 and/or MS CAPI will become extinct much before than non-compliant ISO7816 cards. > These two have become the de-facto industry standards. I'm no fortune teller, so time will prove me right or wrong :) This is exactly my claim... I've tried to introduce this argument to Werner... But without any success... I was out of new arguments when I gave up... I think that an open source project that does not support software interaction standards will be replaced by a different solution when the time comes. Best Regards, Alon Bar-Lev. From alon.barlev at gmail.com Mon Sep 5 20:19:45 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 19:19:56 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: >> I won't agree to this because there is at least one large company in >> Germany using Smartcards along with gpgsm. > Well OK, so there's always exceptions, but I don't think there's enough to drive significant > demand for this - all the commercial users I've seen who want smart cards/PKCS #11/whatever want > to use it with standard commercial software and, you know, that stuff with the 'X' and some > digits in it :-). I think that many enterprises are looking first for open source solutions... If they find one that is suitable, they don't buy commercial product. The problem is that the open source community does not always understand which standard to support, and many, like gpg, inventing their own... Best Regards, Alon Bar-Lev. From johanw at vulcan.xs4all.nl Mon Sep 5 17:40:26 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 5 19:20:53 2005 Subject: Transparent keyboards In-Reply-To: <431C390D.6090509@exit109.com> Message-ID: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> Jean-David Beyer wrote: >I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they >have the resources to do it. It would probably take them a while if they had >to use brute force No, they can's do it by brute force. Look even at the power requirements to do such a calculation: we're talking about an energy consumption that is more that the entire sun will radiate during its entire lifetime. I'm pretty sure that's beyond anything even the NSA can deploy. If they are able to decrypt pgp/gpg, it will be because they either broke an algorithm or implementation of it, or they have obtained the key by other means (keylogger, hidden camera, tempest, virus, torture). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ceprn at hotmail.com Mon Sep 5 19:28:56 2005 From: ceprn at hotmail.com (the dragon) Date: Mon Sep 5 19:29:31 2005 Subject: Transparent keyboards In-Reply-To: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> Message-ID: I suspect, with enough horsepower and resources, any encrytion can be broken. I am sure, at one point, all encrytion was thought to be unbreakable. peace, clark 'the dragon' willis PSA: Salary <> Slavery. If you earn a salary, your employer is renting your services for 40 hours a week, not purchasing your soul. Your time is the only real finite asset that you have, and once used it can never be recovered, so don't waste it by giving it away. I work to live; I don't live to work. "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you." Carl Sandburg (1878 - 1967) ----Original Message Follows---- Jean-David Beyer wrote: >I imagine if the NSA really wanted to decrypt a gpg-encrypted message, they >have the resources to do it. It would probably take them a while if they had >to use brute force No, they can's do it by brute force. Look even at the power requirements to do such a calculation: we're talking about an energy consumption that is more that the entire sun will radiate during its entire lifetime. I'm pretty sure that's beyond anything even the NSA can deploy. If they are able to decrypt pgp/gpg, it will be because they either broke an algorithm or implementation of it, or they have obtained the key by other means (keylogger, hidden camera, tempest, virus, torture). From zvrba at globalnet.hr Mon Sep 5 19:36:07 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Sep 5 19:35:37 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431C8207.7080004@globalnet.hr> Alon Bar-Lev wrote: > Zeljko wrote: > >>IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a >>(relatively) simple way to interface with many smart-card implementations, > And I've forgot to mention one thing that may be important to some people: PKCS#11 is not limited to smart-cards. If GPG were to support it, it could be used with top-grade crypto modules (providing physical security and self-destruct on tampering) such as Thales WebSentry or nCipher. And for these things there is *no* universal standard except for PKCS#11 and MS CAPI. From experience I know that Thales was delivering RG732 crypto modules with their own development kit, and they've switched to PKCS#11 + MS CAPI in their new products (i.e. WebSentry). Yes, these devices are expensive for individuals. But if company already does own (for some) reason one of these, maybe they would also like to use it for e.g. storing a company "master key" that signs employees' keys. That's just one use-case example. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050905/1a15f387/signature.pgp From dshaw at jabberwocky.com Mon Sep 5 19:46:07 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 5 19:53:08 2005 Subject: Certification-only key In-Reply-To: <20050905144140.GA27381@tofu.mamane.lu> References: <20050905144140.GA27381@tofu.mamane.lu> Message-ID: <20050905174607.GB1750@jabberwocky.com> On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote: > Hi, > > I tried to generate an RSAv4 certification-only key with GnuPG, but > failed, even in "expert mode". > > What I mean is a primary key that can be used to attach a subkey to > it, or _maybe_ also to sign UserIDs of other keys (for the Web of > Trust). But not for data signatures. As I understand the RFC, I want a > primary key with key flags 0x01 (or maybe even 0x00?). It would be 0x01. 0x00 is not meaningful in PGP since that would mean "key with no capabilities". The standard requires that all primary keys must be able to certify. Even if the 0x01 bit is not set by the user, primary keys can certify. > But GnuPG only presents me with three "bits" to flip: > > - signature, which seems to set key flag 0x03 > - encryption, which seems to set key flag 0x0C > - authentication, which seems to set flag 0x21 > > I tried turning all three bits off, but then the key doesn't have a > key flags subpacket (packet 27) at all and seems to be treated by > GnuPG as a "everything is allowed" key. > > Is this impossible with GnuPG? Is it a bad idea? Why? Do I > misunderstand the RFC? It's not impossible - 1.4.3 (not released yet) supports certify-only keys like you want. It's not necessarily a good idea though: some people before agreeing to sign a key will ask for a signed message to prove that you "own" the secret portion of the key they are about to sign. Without the ability to sign, such a signature is hard to generate. Why do you want such a key? David From sk at intertivity.com Mon Sep 5 19:15:47 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Mon Sep 5 19:58:07 2005 Subject: Multiple signing - is this a common desire? (was Re: Signing MS-Excel spread sheets) In-Reply-To: <431B8166.2080809@excelcia.org> Message-ID: <002601c5b23d$76446470$f500a8c0@HOME> Well, i do not know about files, but our product signs mails using multiple-signatures (at least two signatures are required before a mail leaves the system). So i think it is NOT a bad feature. Regards, Sascha > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Kurt Fitzner > Sent: Montag, 5. September 2005 01:21 > To: gnupg-users@gnupg.org > Subject: Multiple signing - is this a common desire? (was Re: > Signing MS-Excel spread sheets) > > > > Berend Tober wrote: > > > Anyway, I've looked at WinPT and GPGee and one other GUI wrapper > > around gnupg, but they all of course are victims of this MS Excel > > "feature", and furthermore none of them satisfy my other need to be > > able to support multiple persons signing any given document > > > When I started with GPGee I debated the idea of handling > multiple-signatures. I decided not to deal with the added > complexity because I didn't think it was a much called-for feature. > > If this is something that people would want to do more often > in the real world, I'll happily add this feature. > > I can even drop in something like "Set target file read-only > after operation" - well, if I can figure out a shorter > description to use for it. > > Anyway, is multiple-key signing more common than I gave it credit for? > > Kurt. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From alon.barlev at gmail.com Mon Sep 5 21:32:40 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 20:31:59 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: Peter wrote: > Zeljko Vrba writes: >> Yes, these devices are expensive for individuals. > Although they're less expensive on ebay :-). Keep an eye on that long enough and you'll find almost > anything turning up, for example there's almost always some Spyrus Lynks cards on sale by someone. > Some of the stuff even has previous CA's keys still in the HW. >> PKCS#11 is not limited to smart-cards. > Yup, and that's an important point. If you want big-iron style crypto HW support, your choice is > either PKCS #11, CryptoAPI, or a per-hardware-device custom API. I know which one I'd want... I agree... So if we all understand the need of PKCS#11 in order to access cryptographic tokens, what I don't understand is how come people choose to develop low-level applications in order to work with specific devices? Best Regards, Alon Bar-Lev. From zvrba at globalnet.hr Mon Sep 5 21:03:49 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Mon Sep 5 21:03:16 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431C9695.9060904@globalnet.hr> Alon Bar-Lev wrote: > > I agree... So if we all understand the need of PKCS#11 in order to access > cryptographic tokens, what I don't understand is how come people choose to > develop low-level applications in order to work with specific devices? > Neither do I understand that. Werner didn't give a single plausible argument except possibly of license incompatibility. But in my understanding, just incorporating PKCS#11 support into GnuPG would NOT cause license incompatibility. It would happen at run-time if the user chooses to load GPL-incompatible binary PKCS#11 driver (which most of them are). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050905/2fbaf03c/signature.pgp From alon.barlev at gmail.com Mon Sep 5 22:14:41 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 21:14:09 2005 Subject: OpenPGP Card In-Reply-To: <431C9695.9060904@globalnet.hr> Message-ID: Zeljko Vrba wrote: > Alon Bar-Lev wrote: >> >> I agree... So if we all understand the need of PKCS#11 in order to >> access cryptographic tokens, what I don't understand is how come >> people choose to develop low-level applications in order to work with specific devices? >> > Neither do I understand that. Werner didn't give a single plausible argument except possibly of license incompatibility. But in my understanding, > just incorporating PKCS#11 support into GnuPG would NOT cause license incompatibility. It would happen at run-time if the user chooses to > load GPL-incompatible binary PKCS#11 driver (which most of them are). Right... This argument was given to me also... But I could not find any justification for it... Let's say you use GPLed licensed program on windows... It loads kernel32.dll, right? Since your GPLed program does not contain any other licensed code it is still GPLed... The same goes with GPLed licensed program that loads PKCS#11 module... I think it is the same as gpg works with vendor's X card... The card runs an operating system that is not GPLed... And yet... gpg is GPL... Moreover, I've found that opensc and PAM PKCS11 are LGPL and that openCryptoki (http://sourceforge.net/projects/opencryptoki) is GPL. So... I think licensing should not be an issue... Best Regards, Alon Bar-Lev. From roam at ringlet.net Mon Sep 5 21:33:09 2005 From: roam at ringlet.net (Peter Pentchev) Date: Mon Sep 5 21:33:46 2005 Subject: OpenPGP Card In-Reply-To: References: <431C9695.9060904@globalnet.hr> Message-ID: <20050905193309.GC3205@straylight.m.ringlet.net> On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote: > Zeljko Vrba wrote: > > Alon Bar-Lev wrote: > >> > >> I agree... So if we all understand the need of PKCS#11 in order to > >> access cryptographic tokens, what I don't understand is how come > >> people choose to develop low-level applications in order to work with > specific devices? > >> > > Neither do I understand that. Werner didn't give a single plausible > argument except possibly of license incompatibility. But in my > understanding, > > just incorporating PKCS#11 support into GnuPG would NOT cause license > incompatibility. It would happen at run-time if the user chooses to > > load GPL-incompatible binary PKCS#11 driver (which most of them are). > > Right... This argument was given to me also... > But I could not find any justification for it... > Let's say you use GPLed licensed program on windows... It loads > kernel32.dll, right? > Since your GPLed program does not contain any other licensed code it is > still GPLed... > The same goes with GPLed licensed program that loads PKCS#11 module... Hate to jump into this discussion, but isn't this *exactly* why Werner always keeps mentioning *shared* libraries? :) G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence was in the past tense. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050905/0a0fe6cd/attachment.pgp From lionel at mamane.lu Mon Sep 5 21:35:50 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Mon Sep 5 21:35:53 2005 Subject: Certification-only key In-Reply-To: <20050905174607.GB1750@jabberwocky.com> References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> Message-ID: <20050905193550.GB2713@tofu.mamane.lu> On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote: > On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote: >> I tried to generate an RSAv4 certification-only key with GnuPG, but >> failed, even in "expert mode". >> Is this impossible with GnuPG? Is it a bad idea? Why? Do I >> misunderstand the RFC? > It's not impossible - 1.4.3 (not released yet) supports certify-only > keys like you want. OK, thanks. > It's not necessarily a good idea though: some people before agreeing > to sign a key will ask for a signed message to prove that you "own" > the secret portion of the key they are about to sign. I would obviously have at least one data-signing subkey. I presume these people would take a signature from such as subkey. Or decryption of a nonce they sent me encrypted to an encryption subkey. > Why do you want such a key? First, separation of roles. Doesn't hurt. More importantly, my wishes on the primary key and on data signature keys are different. The primary key is my electronic identity; it should be humongous. If it can hold secure for all my life, then I want it to. My data signatures, on the other hand, for most of them, a week of security is enough (but sometimes a few years is nice). Paying the cost of big signature size is less worth it, at least until computers again get too fast or factorisation becomes easier or ... Maybe I even *want* them to fade away into fakability over time. Who knows what I will be in twenty years? I may be so unlucky as to be a politician then. I wouldn't want some of my teenage opinions or acts to haunt me back, would I? You could argue I could have this without marking the key as certificate-only, by never issuing data signatures with the primary key. That's harder on me. I have to be more cautious. Over the course of twenty years, I *will* screw up. Now, I'm starting to wonder if I can retroactively change the capabilities of the key. I just have to reissue the self-signature on the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change the key flags.) -- Lionel From alon.barlev at gmail.com Mon Sep 5 22:43:33 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 21:42:51 2005 Subject: OpenPGP Card In-Reply-To: <20050905193309.GC3205@straylight.m.ringlet.net> Message-ID: Peter Pentchev wrote: > Hate to jump into this discussion, but isn't this *exactly* why Werner always keeps mentioning *shared* libraries? :) Why hate? Can you please elaborate? I don' t understand what you mean... Best Regards, Alon Bar-Lev. From samuel at Update.UU.SE Mon Sep 5 21:48:48 2005 From: samuel at Update.UU.SE (Samuel ]slund) Date: Mon Sep 5 21:48:59 2005 Subject: Signing MS-Excel spread sheets In-Reply-To: <431C34F1.1030004@seaworthysys.com> References: <4318BAC6.4000100@seaworthysys.com> <20050904144048.GD911@straylight.m.ringlet.net> <431B248C.1090107@seaworthysys.com> <431C34F1.1030004@seaworthysys.com> Message-ID: <20050905194848.GB31745@Update.UU.SE> On Mon, Sep 05, 2005 at 08:07:13AM -0400, Berend Tober wrote: > Kimmo Surakka wrote: > > >Just my two cents worth: isn't it true that most Windows zippers can > >open a file "from inside a zip archive", i.e. uncompress it > >transparently to a temp directory and open from there? One easy-to- > >use solution could therefore be to store the Excel file inside a zip > >archive, and then sign that archive? When the second person opens the > >spreadsheet, all the changes Excel wants to do are done to the > >temporary copy -- not the actual spreadsheet itself. > > The sounds like it would work, but I don't like the idea of imposing the > extra layer of the separate zip application like this between the > document and the signing step -- although it could be the approach we > have to take if we bring this to the next level and scan the supporting > documents (i.e., receipts) to jpeg files for inclusion along with the > spread sheet -- which would be pretty cool. However, I still have the > issue being discussed in a separate-but-related thread concerning > co-signatures. Another option with zip-archives, if you put the signed .xls and the signatures in the zip you should get the nonmodifiable effect and keep the signatures "attached" to the file. With luck there is some way to ask the zip program to execute your sctrip... //Samuel From lionel at mamane.lu Mon Sep 5 22:44:07 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Mon Sep 5 22:44:13 2005 Subject: OpenPGP Card In-Reply-To: References: <431C9695.9060904@globalnet.hr> Message-ID: <20050905204407.GA7834@tofu.mamane.lu> On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote: > Zeljko Vrba wrote: >> Neither do I understand that. Werner didn't give a single plausible >> argument except possibly of license incompatibility. But in my >> understanding, just incorporating PKCS#11 support into GnuPG would >> NOT cause license incompatibility. It would happen at run-time if >> the user chooses to load GPL-incompatible binary PKCS#11 driver >> (which most of them are). > Right... This argument was given to me also... > But I could not find any justification for it... > Let's say you use GPLed licensed program on windows... It loads > kernel32.dll, right? kernel32.dll falls under the following language in the GPL: However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. > Since your GPLed program does not contain any other licensed code it is > still GPLed... > The same goes with GPLed licensed program that loads PKCS#11 > module... Not unless that PKCS#11 module "is normally distributed with the major components of the operating system". (Assuming here that the PKCS#11 module would is a library that GnuPG would be dlopen.) -- Lionel From dshaw at jabberwocky.com Mon Sep 5 22:46:46 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 5 22:47:28 2005 Subject: Certification-only key In-Reply-To: <20050905193550.GB2713@tofu.mamane.lu> References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> Message-ID: <20050905204646.GC1750@jabberwocky.com> On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote: > On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote: > > On Mon, Sep 05, 2005 at 04:41:40PM +0200, Lionel Elie Mamane wrote: > > >> I tried to generate an RSAv4 certification-only key with GnuPG, but > >> failed, even in "expert mode". > > >> Is this impossible with GnuPG? Is it a bad idea? Why? Do I > >> misunderstand the RFC? > > > It's not impossible - 1.4.3 (not released yet) supports certify-only > > keys like you want. > > OK, thanks. > > > It's not necessarily a good idea though: some people before agreeing > > to sign a key will ask for a signed message to prove that you "own" > > the secret portion of the key they are about to sign. > > I would obviously have at least one data-signing subkey. I presume > these people would take a signature from such as subkey. Or decryption > of a nonce they sent me encrypted to an encryption subkey. They might, but really shouldn't (I wouldn't). When you make a certification signature on someone elses key, you're signing the primary key plus the user ID in question. There is no benefit in receiving a signed challenge from any key other than the primary. For the same reason, encryption challenges ("can you decrypt this?") aren't usually meaningful in OpenPGP (PGP 5+, GnuPG). Since the object being signed is the primary key, that's the key you want to establish ownership of. The huge majority of primary keys in the world today don't or can't encrypt. > You could argue I could have this without marking the key as > certificate-only, by never issuing data signatures with the primary > key. That's harder on me. I have to be more cautious. Over the course > of twenty years, I *will* screw up. GnuPG actually makes it hard for you to screw up here. If there is a subkey that can sign, GnuPG will use it rather than the primary. The only way to get a signature (as opposed to a key certification) from the primary is to specify its key ID explicitly with an exclamation point. Some people keep their primary key offline and do their regular day to day signing and encryption with subkeys. In that case, it's not possible to screw up: even if you override the default by specifying the key ID and an exclamation point, the actual key isn't there to use. > Now, I'm starting to wonder if I can retroactively change the > capabilities of the key. I just have to reissue the self-signature on > the UserIDs, right? (Yes, I'd have to hack GnuPG to allow me to change > the key flags.) Yes. Obviously you can't do things like turn a DSA key into an encryption key, but you can certainly twiddle an RSA key into whatever you like. David From unknown_kev_cat at hotmail.com Mon Sep 5 23:44:13 2005 From: unknown_kev_cat at hotmail.com (Joe Smith) Date: Mon Sep 5 23:47:36 2005 Subject: OpenPGP Card References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> Message-ID: "Zeljko Vrba" wrote in message news:431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr... >IMHO, PKCS#11 has succeeded where ISO7816 has failed: providing a >(relatively) simple way to interface with many smart-card >implementations, many of which aren't ISO7816-compliant above level 3 - >they even don't support basic interindustry commands, but provide their >own proprietary and undocumented command set PKCS#11 is a crypto token enchange system ISO7816 is a specification for a card interface. They are 100% unrelated. Perhaps you meant the abondoned PKCS#13 which is what many cards use. *PKCS#11 has nothing at all to do with smartcards.* The fact that many propretary card drivers export a PKCS #11 interface is mearly coincedence. That said, I think allowing a pkcs #11 interface as well as OpenPGP Card interface is useful in its own right. Doesn't gpgsm support PKCS#11? One of the larger reasons why Werner is probably reluctant to support PKCS#11 in GPG is that X509 (which pkcs#11 is almost always used with) does not interface well with OpenPGP. It makes beteter sense to have a seperate X509 key, rather than use your key for both X509 and OpenPGP. For example, your CA can revoke your key leaving you with one key that is invalid X.509, but valid OpenPGP? Yuck! Werner designed the OpenPGP Card such that the interface works well with OpenPGP. OpenPGP cards are intended to be used for authentication and OpenPGP only. They are not designed for things such as SSL, SSH, TLS, S/MIME , or any other cyrptographic purpose. It is important to ensure that people do not confuse X.509 and OpenPGP, but implementing PKCS#11 in gpg may blur things too much. Besides it is hard enough to support just one card, imagine the problems that could arise if people started using cards with broken PKCS#11 drivers, and asssumed the problem was in gpg. From alon.barlev at gmail.com Tue Sep 6 00:59:48 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Mon Sep 5 23:59:04 2005 Subject: OpenPGP Card In-Reply-To: <20050905204407.GA7834@tofu.mamane.lu> Message-ID: Lionel Elie Mamane Wrote: > Not unless that PKCS#11 module "is normally distributed with the major components of the operating system". > (Assuming here that the PKCS#11 module would is a library that GnuPG would be dlopen.) So how come GPGed application can use display driver that is vendor provided? I use ATI drivers... And I have a lot of GPLed programs on my computer... And how come GPGed application can print on a printer using a proprietary driver from HP (for example)? I can show you that it GPLed program loads these drivers... The same goes to PKCS#11, it is a driver to access the smart card... It is just like any other peripheral component you use, it is part of the run-time environment, so that the user may choose which device should be used, without the software author forcing him to use a specific device. Open source if about freedom... Right? So there is also the freedom of the user to choose his peripheral devices, including smartcards. Best Regards, Alon Bar-Lev. From alon.barlev at gmail.com Tue Sep 6 01:16:00 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 00:15:22 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: Joe Smith wrote: > *PKCS#11 has nothing at all to do with smartcards.* The fact that many propretary card drivers export a PKCS #11 interface > is mearly coincedence. PKCS#11 and Microsoft cryptographic providers are the two APIs available for accessing cryptographic tokens. Every application that wishes to use services of vendor in depended cryptographic tokens uses one of these APIs. So vendors that developing smartcard provide these interfaces so their card will be usable. Enterprises (which are the larger clients) will not but a smartcard that does not support PKCS#11. > One of the larger reasons why Werner is probably reluctant to support > PKCS#11 in GPG is that X509 (which pkcs#11 is almost always used with) does not interface well with OpenPGP. It makes beteter sense to > have a separate X509 key, rather than use your key for both X509 and OpenPGP. For example, your CA can revoke your key leaving you > with one key that is invalid X.509, but valid OpenPGP? Yuck! I think you got revocation wrong... Revocation is letting OTHERS know that a key should not be trusted... There is nothing wrong in leaving the private key in the smartcard. Regardless this point PKCS#11 token can be organized that the same X.509 and PGP certificates will refer to the same private key, so if that private key is deleted both certificate will be unusable. > Werner designed the OpenPGP Card such that the interface works well with OpenPGP. OpenPGP cards are intended to be used for > authentication and OpenPGP only. They are not designed for things such as SSL, SSH, TLS, S/MIME , or any other cryptographic purpose. > It is important to ensure that people do not confuse X.509 and OpenPGP, but implementing PKCS#11 in gpg may blur things too much. But each user should have one smartcard... It is not logical to force user to keep several cards in his wallet in order to use several applications. One smartcard can be used to have tree types of identities: Authentication, Signature (Email and data), Decryption (Email and data). There is no reason to divide these into several physical containers. Users will simply select a different software which can access the same card as other software... Application that forces users to use a specific exclusive card will slowly vanish. > Besides it is hard enough to support just one card, imagine the problems that could arise if people started using cards with broken PKCS#11 > drivers, and asssumed the problem was in gpg. But this is exactly the point! You should not develop low-level code to access each card's processor in order to add the ability to work with smartcards, resulting in N separate implementations. You can benefit from the PKCS#11 high-level API in order to access cryptographic tokens (Smartcards, HSM, software). PKCS#11 is a standard that most vendors support, I can agree that if vendor did not implement the standard correctly, its token will not work with applications. For example, Mozilla Firefox will not work with some of the smartcards out there... And I have no claims to Mozilla, they have done a great job! Best Regards, Alon Bar-Lev. From stefan at fuhrmann.homedns.org Tue Sep 6 00:26:50 2005 From: stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Tue Sep 6 00:26:49 2005 Subject: linux-gpg and win-pgp Message-ID: <200509060026.51387.stefan@fuhrmann.homedns.org> Hello all, Im using kubuntu and so kmail with gnupg. When I send an encrypted mail to win user who has pgp the encrypted mail is attached. 1.) Why this message is attached and pgp is not able to decrypt it? I have to save it first and decrypt it then. 2.) Is there a way to sent this mail so that win users have the mail in the mail body and not as attachment? But when I do it some german characters are not displayed! 3.) What is the reason for it? The character set under my linux is okay! When I use win-pgp with this characters ??? and so on all is okay also under my linux , only when I send the mail from my linux to a win and trying to decrypt with pgp I have the problems with pgp and the characters. 4.) How can I solve this? Can someone help? tia stefan From stefan at fuhrmann.homedns.org Mon Sep 5 23:26:40 2005 From: stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Tue Sep 6 00:27:02 2005 Subject: Linux-gnupg and win-pgp Message-ID: <200509052326.53595.stefan@fuhrmann.homedns.org> Hello all, Im using kubuntu and so kmail with gnupg. When I send an encrypted mail to win user who has pgp the encrypted mail is attached. 1.) Why this message is attached and pgp is not able to decrypt it? I have to save it first and decrypt it then. 2.) Is there a way to sent this mail so that win users have the mail in the mail body and not as attachment? But when I do it some german characters are not displayed! 3.) What is the reason for it? The character set under my linux is okay! When I use win-pgp with this characters ??? and so on all is okay also under my linux , only when I send the mail from my linux to a win and trying to decrypt with pgp I have the problems with pgp and the characters. 4.) How can I solve this? Can someone help? tia stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050905/049e42fe/attachment.pgp From lionel at mamane.lu Tue Sep 6 01:03:00 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 01:03:04 2005 Subject: Certification-only key In-Reply-To: <20050905204646.GC1750@jabberwocky.com> References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> Message-ID: <20050905230300.GB7834@tofu.mamane.lu> On Mon, Sep 05, 2005 at 04:46:46PM -0400, David Shaw wrote: > On Mon, Sep 05, 2005 at 09:35:50PM +0200, Lionel Elie Mamane wrote: >> On Mon, Sep 05, 2005 at 01:46:07PM -0400, David Shaw wrote: >>> It's not necessarily a good idea though: some people before agreeing >>> to sign a key will ask for a signed message to prove that you "own" >>> the secret portion of the key they are about to sign. >> I would obviously have at least one data-signing subkey. I presume >> these people would take a signature from such as subkey. Or >> decryption of a nonce they sent me encrypted to an encryption >> subkey. > They might, but really shouldn't (I wouldn't). When you make a > certification signature on someone elses key, you're signing the > primary key plus the user ID in question. There is no benefit in > receiving a signed challenge from any key other than the primary. But that subkey is attached to the primary key by a signature of the primary key. Isn't then control of that subkey enough to "prove" control of the primary key? Unless: 1) Signature scheme cryptographically broken. We have a bigger problem. 2) Primary key owner has done stupid things, like sharing subkeys with others. But if we assume he has done that, we might as well assume he would sign the challenge a man-in-the-middle attacker has forwarded him or shared his primary key or ... Where's the flaw in the reasoning? >> You could argue I could have this without marking the key as >> certificate-only, by never issuing data signatures with the primary >> key. That's harder on me. I have to be more cautious. Over the course >> of twenty years, I *will* screw up. > GnuPG actually makes it hard for you to screw up here. If there is > a subkey that can sign, GnuPG will use it rather than the primary. > The only way to get a signature (as opposed to a key certification) > from the primary is to specify its key ID explicitly with an > exclamation point. Ah. Good. I just hope mutt doesn't pass the KeyID with an exclamation point. Should check that. -- Lionel From lionel at mamane.lu Tue Sep 6 01:16:20 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 01:16:29 2005 Subject: OpenPGP Card In-Reply-To: References: <20050905204407.GA7834@tofu.mamane.lu> Message-ID: <20050905231617.GC7834@tofu.mamane.lu> On Tue, Sep 06, 2005 at 12:59:48AM +0200, Alon Bar-Lev wrote: > Lionel Elie Mamane Wrote: >> Not unless that PKCS#11 module "is normally distributed with the >> major components of the operating system". (Assuming here that the >> PKCS#11 module would is a library that GnuPG would dlopen.) > So how come GPGed application can use display driver that is vendor > provided? The application does not link to the display driver. On Microsoft Windows, the display driver is part of the kernel, and AFAIK applications communicate with the kernel through syscalls (eventually wrapped by gdi32.dll, kernel32.dll, etc), not linkage. On a Unix system, the program communicates with the "display" through the networking layer, so there is also absolutely no linkage. But there is indeed a case to be made that if the library implements a well-known, standard ABI, then linking to it is not a GPL violation. Legally it depends whether the linked program is a "derived work" from the program or not. > And how come GPGed application can print on a printer using a > proprietary driver from HP (for example)? On a Unix system, again, programs don't link with a printer driver. They exec() lpr over a pipe and dump postscript to it over the pipe. Just a matter of passing data around to another process, no library linkage. > I can show you that it GPLed program loads these drivers... Yes, show me, I'm curious. -- Lionel From lionel at mamane.lu Tue Sep 6 01:31:47 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 01:31:51 2005 Subject: Linux-gnupg and win-pgp In-Reply-To: <200509052326.53595.stefan@fuhrmann.homedns.org> References: <200509052326.53595.stefan@fuhrmann.homedns.org> Message-ID: <20050905233147.GA5323@tofu.mamane.lu> On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote: > Im using kubuntu and so kmail with gnupg. > When I send an encrypted mail to win user who has pgp the encrypted mail is > attached. > 1.) Why this message is attached and pgp is not able to decrypt it? > I have to save it first and decrypt it then. Because you send is a PGP/MIME (RFC3156) message, which is the better and preferred way, but your correspondent's mail user agent (mail program) doesn't support PGP/MIME. > 2.) Is there a way to sent this mail so that win users have the mail in the > mail body and not as attachment? I dunno if KMail can do that. Look for a "old method" option or "plain text" option or something like that. > But when I do it some german characters are not displayed! > 3.) What is the reason for it? Because by then the information over which charset the text was in is lost. This is meta-information attached to the attachment, by saving it you "loose" it. -- Lionel From eocsor at gmail.com Tue Sep 6 01:42:14 2005 From: eocsor at gmail.com (Roscoe) Date: Tue Sep 6 01:42:49 2005 Subject: Transparent keyboards In-Reply-To: References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> Message-ID: First: Sure, with enough anything can be brute forced. But what happens when that "enough" isn't possible? Brute forcing (alone) 256-bit keys is a joke. It's just not a issue. Second: Being investigated by animal rights folk does *not* make you a terrorist. Now back to being on topic but still slightly off... I think a laptop you keep with you all the time is a pretty good shot. :) On 9/6/05, the dragon wrote: > I suspect, with enough horsepower and resources, any encrytion can be > broken. > > I am sure, at one point, all encrytion was thought to be unbreakable. > > peace, > clark 'the dragon' willis > > > > PSA: Salary <> Slavery. If you earn a salary, your employer is renting your > services for 40 hours a week, not purchasing your soul. Your time is the > only real finite asset that you have, and once used it can never be > recovered, so don't waste it by giving it away. > > I work to live; I don't live to work. > > "Time is the coin of your life. It is the only coin you have, and only you > can determine how it will be spent. Be careful lest you let other people > spend it for you." > > Carl Sandburg > (1878 - 1967) > > ----Original Message Follows---- > > Jean-David Beyer wrote: > > >I imagine if the NSA really wanted to decrypt a gpg-encrypted message, > they > >have the resources to do it. It would probably take them a while if they > had > >to use brute force > > No, they can's do it by brute force. Look even at the power requirements > to do such a calculation: we're talking about an energy consumption that > is more that the entire sun will radiate during its entire lifetime. > I'm pretty sure that's beyond anything even the NSA can deploy. > > If they are able to decrypt pgp/gpg, it will be because they either broke > an algorithm or implementation of it, or they have obtained the key by > other means (keylogger, hidden camera, tempest, virus, torture). > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From stefan at fuhrmann.homedns.org Tue Sep 6 01:53:18 2005 From: stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Tue Sep 6 01:53:31 2005 Subject: Linux-gnupg and win-pgp In-Reply-To: <20050905233147.GA5323@tofu.mamane.lu> References: <200509052326.53595.stefan@fuhrmann.homedns.org> <20050905233147.GA5323@tofu.mamane.lu> Message-ID: <200509060153.30294.stefan@fuhrmann.homedns.org> Am Dienstag, 6. September 2005 01:31 schrieb Lionel Elie Mamane: > On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote: > > Im using kubuntu and so kmail with gnupg. > > When I send an encrypted mail to win user who has pgp the encrypted mail > > is attached. > > 1.) Why this message is attached and pgp is not able to decrypt it? > > I have to save it first and decrypt it then. > > Because you send is a PGP/MIME (RFC3156) message, which is the better > and preferred way, but your correspondent's mail user agent (mail > program) doesn't support PGP/MIME. okay, most of the win users have outlook....so what....? > > > 2.) Is there a way to sent this mail so that win users have the mail in > > the mail body and not as attachment? > > I dunno if KMail can do that. Look for a "old method" option or "plain > text" option or something like that. Cant find something like that. > > > But when I do it some german characters are not displayed! > > 3.) What is the reason for it? > > Because by then the information over which charset the text was in is > lost. This is meta-information attached to the attachment, by saving > it you "loose" it. hmmm... I dont understand this: when I save the message the information is lost?! Why? And how can win-PGP users decrypt such messages? With a correct character set also? I tried a lot and search a lot but cant find a solution. maybe somone has an idea?? tia stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050906/c5075162/attachment.pgp From lionel at mamane.lu Tue Sep 6 08:16:09 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 08:16:21 2005 Subject: OpenPGP Card In-Reply-To: References: <20050905204407.GA7834@tofu.mamane.lu> Message-ID: <20050906061609.GA28526@tofu.mamane.lu> On Tue, Sep 06, 2005 at 03:14:56PM +1200, Peter Gutmann wrote: > Lionel Elie Mamane writes: >>On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote: >>> Since your GPLed program does not contain any other licensed code it is >>> still GPLed... >>> The same goes with GPLed licensed program that loads PKCS#11 >>> module... >>Not unless that PKCS#11 module "is normally distributed with the major >>components of the operating system". (Assuming here that the PKCS#11 module >>would is a library that GnuPG would be dlopen.) > PKCS #11 is a device driver without which it's impossible to use > critical (to the application) hardware. If you take this > interpretation then GPG already violates it because it ends up using > all manner of components (RAID drivers, ATI/nVidia video drivers, > PC/SC drivers, etc) that aren't distributed as part of the OS. GnuPG doesn't *link* to RAID drivers or video drivers. They don't end up "running linked together in a shared address space". They communicate over syscalls or sockets; mechanisms that are well-known as to be "GPL-safe" (as long as the coupling between them isn't too tight). See http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation . On the other hand, some people interpret the GPL in a way saying that if a library implements a "standard" ABI, then one can link GPL software to it. I think it is a good idea to stick to the copyright holder's interpretation. > In fact if you wanted to go reductio ad absurdum even kernel32.dll > is excluded because the hotfixes that are constantly applied to it > aren't "normally distributed with the system components" - they're a > special download. Do I have to answer that? > On the other hand using a particular interpretation of the GPL in > order to make it impossible for GPG to be able to support widespread > smart cards and crypto hardware is a great example of cutting off > your nose to spite your face. That's a choice for the copyright holder to make. -- Lionel From lionel at mamane.lu Tue Sep 6 08:39:11 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 08:39:15 2005 Subject: Linux-gnupg and win-pgp In-Reply-To: <200509060153.30294.stefan@fuhrmann.homedns.org> References: <200509052326.53595.stefan@fuhrmann.homedns.org> <20050905233147.GA5323@tofu.mamane.lu> <200509060153.30294.stefan@fuhrmann.homedns.org> Message-ID: <20050906063911.GB28526@tofu.mamane.lu> On Tue, Sep 06, 2005 at 01:53:18AM +0200, Stefan Fuhrmann wrote: > Am Dienstag, 6. September 2005 01:31 schrieb Lionel Elie Mamane: >> On Mon, Sep 05, 2005 at 11:26:40PM +0200, Stefan Fuhrmann wrote: >>> Im using kubuntu and so kmail with gnupg. >>> When I send an encrypted mail to win user who has pgp the encrypted mail >>> is attached. >>> 1.) Why this message is attached and pgp is not able to decrypt it? >>> I have to save it first and decrypt it then. >> Because you send is a PGP/MIME (RFC3156) message, which is the >> better and preferred way, but your correspondent's mail user agent >> (mail program) doesn't support PGP/MIME. > okay, most of the win users have outlook....so what....? So they suffer from a very limited feature set. ;-) >>> 2.) Is there a way to sent this mail so that win users have the mail in >>> the mail body and not as attachment? >> I dunno if KMail can do that. Look for a "old method" option or "plain >> text" option or something like that. > Cant find something like that. In the message composition window, in the toolbar, there is a choice list between "Inline OpenPGP", "OpenPGP/MIME" and a few others. Choose "Inline OpenPGP". >>> But when I do it some german characters are not displayed! >>> 3.) What is the reason for it? >> Because by then the information over which charset the text was in is >> lost. This is meta-information attached to the attachment, by saving >> it you "loose" it. > hmmm... I dont understand this: when I save the message the > information is lost?! Why? The filesystem doesn't have a "place" for this information. -- Lionel From alon.barlev at gmail.com Tue Sep 6 10:09:25 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 09:09:06 2005 Subject: OpenPGP Card In-Reply-To: <20050905231617.GC7834@tofu.mamane.lu> Message-ID: Lionel Elie Mamane wrote: > But there is indeed a case to be made that if the library implements a well-known, standard ABI, then linking to it is not a GPL violation. > Legally it depends whether the linked program is a "derived work" from the program or not. But PKCS#11 is not a library you link against! It is an API specification. There is no proprietary code you link into your program in order to implement this standard. > GnuPG doesn't *link* to RAID drivers or video drivers. They don't end up "running linked together in a shared address space". > They communicate over syscalls or sockets; mechanisms that are well-known as to be "GPL-safe" (as long as the coupling between them isn't > too tight). See http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation . I think you should read PKCS#11 specification... You cannot call it "combining two parts into a program" PKCS#11 is a specification, you don't provide the implementation along with your program, the specification is EXACTLY the same as protocol or command line specification. Like you can use HTTP protocol, since you have RFC that state how, you use cryptographic token since you have PKCS#11 that tells you how. Since you don't provide the PKCS#11 provider implementation along with your GPLed distribution and that there is a complete API specification of the interface, it does not fall into the "combined program". > On the other hand, some people interpret the GPL in a way saying that if a library implements a "standard" ABI, then one can link GPL software > to it. I think it is a good idea to stick to the copyright holder's interpretation. I don't understand this statement... >> I can show you that it GPLed program loads these drivers... > Yes, show me, I'm curious. Examples: opensc from www.opensc.org - LGPL uses PKCS#11 pkcs11_login from www.opensc.org - LGPL uses PKCS#11 openCryptoki from http://sourceforge.net/projects/opencryptoki - GPL uses PKCS#11 Best Regards, Alon Bar-Lev. From pgut001 at cs.auckland.ac.nz Mon Sep 5 15:23:51 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:04 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: "Alon Bar-Lev" writes: >The conclusion of my discussion with people here is that the need of using >PKCS#11 for accessing various smartcards is not clear. I've tried to >highlight the advantages of using standard software API to access external >devices, but I've failed. Users of crypto tokens tend to fall into two classes, hobbyists/enthusiasts (who don't mind hacking their own glue code, so PKCS #11 isn't too important), and commercial/business users (who really need PKCS #11 but who probably wouldn't use GPG). The result is, as you've found, something of a lack of a market for PKCS #11 combined with GPG. Peter. From pgut001 at cs.auckland.ac.nz Mon Sep 5 17:57:51 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:18 2005 Subject: OpenPGP Card In-Reply-To: <87zmqr60df.fsf@wheatstone.g10code.de> Message-ID: Werner Koch writes: >On Tue, 06 Sep 2005 01:23:51 +1200, Peter Gutmann said: >> and commercial/business users (who really need PKCS #11 but who probably >> wouldn't use GPG). The result is, as you've found, something of a lack of a > >I won't agree to this because there is at least one large company in Germany >using Smartcards along with gpgsm. Well OK, so there's always exceptions, but I don't think there's enough to drive significant demand for this - all the commercial users I've seen who want smart cards/PKCS #11/whatever want to use it with standard commercial software and, you know, that stuff with the 'X' and some digits in it :-). Peter. From pgut001 at cs.auckland.ac.nz Mon Sep 5 18:08:02 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:21 2005 Subject: OpenPGG Card In-Reply-To: <431C584D.7020506@globalnet.hr> Message-ID: Zeljko Vrba writes: >Peter Gutmann wrote: >> I'd already offered the use of my PKCS #11 interface code from cryptlib for >> GPG use some time ago. This should do everything you need and has had years >> of tuning to work with all the bugs in various PKCS #11 drivers, it's vastly >> easier than going through the entire learning curve yourself. > >That's correct, it was my proposal in question. The problem is that, under >Linux, I couldn't find a smart-card + PKCS#11 combination that works >correctly enough (out of the box) to be usable with cryptlib. I think the problem is more a generalisation of that, it's "under Linux, I couldn't find a smart-card + PKCS#11 combination that works correctly". I've heard of (from memory) four PKCS #11-for-Linux projects by commercial vendors that either ended up as pre-alpha quality releases/abandonware or were shelved beause the vendor couldn't find a business model for them (this was a few years ago, it may be better now). The one PKCS #11-under-Linux driver that I know of that was completed, the nCipher one, works fine with cryptlib. Everything else is Windows only... actually Eracom have Solaris and some other OS support (PHUX?), and there's some OEM'd Cryptoswift supported under Solaris. (Which other Linux PKCS #11 drivers are there?). Peter. From pgut001 at cs.auckland.ac.nz Mon Sep 5 18:23:38 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:26 2005 Subject: OpenPGP Card In-Reply-To: Message-ID: "Alon Bar-Lev" writes: >I use Athena smartcard www.athena-scs.com which works perfectly in term of >Linux and PKCS#11. I enjoy using it with Java JCE, Mozilla, Tunderbird, >PAM_PKCS11, I've encrypted my disk using aes-loop and then required gpg to >support PKCS#11... And here we are... Oh, that's the old Aladdin stuff. Well, they've certainly come a *long* way since I last looked at them - in the 1999-2000 time frame they had the worst PKCS #11 driver I've ever seen, and their "support" consisted of telling you to buy more copies of their $700 SDK to see whether they'd fixed any of the bugs in the version you already had. I still have some of their hardware lying around as a paperweight somewhere. (Disclaimer: I have no idea what it's like now (it certainly sounds a lot better than it used to be), I'm just saying that at one point it was really bad). Peter. From pgut001 at cs.auckland.ac.nz Mon Sep 5 18:30:24 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:31 2005 Subject: OpenPGP Card Message-ID: I wrote: >Oh, that's the old Aladdin stuff. Well, they've certainly come a *long* way >since I last looked at them - in the 1999-2000 time frame they had the worst >PKCS #11 driver I've ever seen, and their "support" consisted of telling you >to buy more copies of their $700 SDK to see whether they'd fixed any of the >bugs in the version you already had. Argh, sorry, wrong driver, it's the ActivCard drivers (and support) that were that bad, not Aladdin. Aladdin (and by extension ASECard and Athena Cards, and eTokens as well) work just fine. Just to repeat that: Nothing wrong with Aladdin's PKCS #11. Peter. From pgut001 at cs.auckland.ac.nz Mon Sep 5 20:10:40 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:35 2005 Subject: OpenPGP Card In-Reply-To: <431C8207.7080004@globalnet.hr> Message-ID: Zeljko Vrba writes: >Yes, these devices are expensive for individuals. Although they're less expensive on ebay :-). Keep an eye on that long enough and you'll find almost anything turning up, for example there's almost always some Spyrus Lynks cards on sale by someone. Some of the stuff even has previous CA's keys still in the HW. >PKCS#11 is not limited to smart-cards. Yup, and that's an important point. If you want big-iron style crypto HW support, your choice is either PKCS #11, CryptoAPI, or a per-hardware-device custom API. I know which one I'd want... Peter. From broonie at sirena.org.uk Mon Sep 5 21:54:10 2005 From: broonie at sirena.org.uk (Mark Brown) Date: Tue Sep 6 11:25:40 2005 Subject: OpenPGP Card In-Reply-To: References: <431C9695.9060904@globalnet.hr> Message-ID: <20050905195409.GA4956@sirena.org.uk> On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote: > Let's say you use GPLed licensed program on windows... It loads > kernel32.dll, right? > Since your GPLed program does not contain any other licensed code it is > still GPLed... Note that the GPL has a specific exception in it for libraries like kernel32.dll that are shipped as part of the operating system. -- "You grabbed my hand and we fell into it, like a daydream - or a fever." From tmz at pobox.com Tue Sep 6 03:26:54 2005 From: tmz at pobox.com (Todd) Date: Tue Sep 6 11:25:43 2005 Subject: Linux-gnupg and win-pgp In-Reply-To: <200509060153.30294.stefan@fuhrmann.homedns.org> References: <200509052326.53595.stefan@fuhrmann.homedns.org> <20050905233147.GA5323@tofu.mamane.lu> <200509060153.30294.stefan@fuhrmann.homedns.org> Message-ID: <20050906012654.GG16978@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stefan Fuhrmann wrote: > okay, most of the win users have outlook....so what....? Outlook and many other mailers do not support MIME very well. You have to use different methods to communicate with them unfortunately. >>> 2.) Is there a way to sent this mail so that win users have the >>> mail in the mail body and not as attachment? >>> >> I dunno if KMail can do that. Look for a "old method" option or >> "plain text" option or something like that. > > Cant find something like that. In KMail, you want to use Inline OpenPGP, from the Composer window (http://docs.kde.org/development/en/kdepim/kmail/the-composer-window.html#encrypt-sign). - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== When buying and selling are controlled by legislation, the first things to be bought and sold are legislators. -- P.J. O'Rourke, Parliament of Whores -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkMc8F4mGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1rg3gCdEFuO4QZSr9BOCgEHlAGSpjPIz18AoNdKP9or n4fol8Ou2QqwmXZonvgR =rkm3 -----END PGP SIGNATURE----- From pgut001 at cs.auckland.ac.nz Tue Sep 6 05:14:56 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue Sep 6 11:25:47 2005 Subject: OpenPGP Card In-Reply-To: <20050905204407.GA7834@tofu.mamane.lu> Message-ID: Lionel Elie Mamane writes: >On Mon, Sep 05, 2005 at 10:14:41PM +0200, Alon Bar-Lev wrote: >> Since your GPLed program does not contain any other licensed code it is >> still GPLed... >> The same goes with GPLed licensed program that loads PKCS#11 >> module... > >Not unless that PKCS#11 module "is normally distributed with the major >components of the operating system". (Assuming here that the PKCS#11 module >would is a library that GnuPG would be dlopen.) PKCS #11 is a device driver without which it's impossible to use critical (to the application) hardware. If you take this interpretation then GPG already violates it because it ends up using all manner of components (RAID drivers, ATI/nVidia video drivers, PC/SC drivers, etc) that aren't distributed as part of the OS. In fact if you wanted to go reductio ad absurdum even kernel32.dll is excluded because the hotfixes that are constantly applied to it aren't "normally distributed with the system components" - they're a special download. On the other hand using a particular interpretation of the GPL in order to make it impossible for GPG to be able to support widespread smart cards and crypto hardware is a great example of cutting off your nose to spite your face. I guess you can always tell people who want to use crypto devices with PGP to go with the commercial PGP instead. Or cryptlib :-). Peter. From kfitzner at excelcia.org Tue Sep 6 11:36:12 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Sep 6 11:38:38 2005 Subject: PGP global directory cruft in keyservers Message-ID: <431D630C.6010208@excelcia.org> This isn't GnuPG-related really, but recently downloaded my own public key from a keyserver and found on it about a billion of those silly PGP global directory signatures on it. Either someone has been downloading my key from PGP a whole bunch and then submitting it to keyservers, or the mainstream keyservers are syncing with PGP's global directory. I'm wondering if this is a widespread problem. Have other people noticed this with their keys? I am now very sorry I went throught that email process with PGP. I'm actually hoping this is a widespread problem so that keyserver operators will start deleting those stupid signatures. If not, I am stuck with my key having a billion useless signatures on it. I'm so glad there is GnuPG with no corporate agenda!!! Thanks Werner et al. Kurt. From lionel at mamane.lu Tue Sep 6 11:42:19 2005 From: lionel at mamane.lu ('Lionel Elie Mamane') Date: Tue Sep 6 11:42:23 2005 Subject: OpenPGP Card In-Reply-To: References: <20050905231617.GC7834@tofu.mamane.lu> Message-ID: <20050906094219.GC2863@tofu.mamane.lu> On Tue, Sep 06, 2005 at 10:09:25AM +0200, Alon Bar-Lev wrote: > Lionel Elie Mamane wrote: >> But there is indeed a case to be made that if the library >> implements a well-known, standard ABI, then linking to it is not a >> GPL violation. Legally it depends whether the linked >> program is a "derived work" from the program or not. > But PKCS#11 is not a library you link against! > It is an API specification. > There is no proprietary code you link into your program in order to > implement this standard. I thought we were talking about PKCS#11 "drivers" for specific cards, and that you had to link this driver into your program (dynamically at run-time) in order to use it. That _driver_ would be gpl-incompatible. >> GnuPG doesn't *link* to RAID drivers or video drivers. They don't >> end up "running linked together in a shared address space". They >> communicate over syscalls or sockets; mechanisms that are >> well-known as to be "GPL-safe" (as long as the coupling between >> them isn't too tight). > I think you should read PKCS#11 specification... You cannot call it > "combining two parts into a program" PKCS#11 is a specification, you > don't provide the implementation along with your program, the > specification is EXACTLY the same as protocol or command line > specification. I had understood that it was not a _protocol_ but a library API. HTTP is a _protocol_ for data interchange over the network. I thought PKCS#11 was a _library_ API and that you linked (dynamically at run-time) a particular "implementation" of it (the card driver) into your program to use it. If that's not the case, my previous messages are void and meaningless. > Since you don't provide the PKCS#11 provider implementation along > with your GPLed distribution and that there is a complete API > specification of the interface, it does not fall into the "combined > program". Again assuming that the provider implementation is a library you link against: That may or may not be true. I don't think that's legally clearly established yet. >> On the other hand, some people interpret the GPL in a way saying >> that if a library implements a "standard" ABI, then one can link >> GPL software to it. I think it is a good idea to stick to >> the copyright holder's interpretation. > I don't understand this statement... There are two statements: First: >> On the other hand, some people interpret the GPL in a way saying >> that if a library implements a "standard" ABI, then one can link >> GPL software to it. This one says essentially the same thing as what you quoted before. Some say standard ABI -> not combined program, but I don't think this has been "proven" by case-law yet. It may be found true by courts, or not. Second: >> I think it is a good idea to stick to the copyright holder's >> interpretation. A license means what the licensor means by it. If the licensor has clearly told you that by *his* reading of the GPL that-and-that is forbidden then you'd be in a tricky situation in front of a judge explaining "I know that the licensor meant to forbid that, but the text he gave me permits it, so he has permitted it.". >>> I can show you that it GPLed program loads these drivers... >> Yes, show me, I'm curious. I had misundertood what you meant by "these drivers". I thought you meant the display and printing drivers. > Examples: > opensc from www.opensc.org - LGPL uses PKCS#11 > pkcs11_login from www.opensc.org - LGPL uses PKCS#11 LGPL is not GPL. The difference is exactly that it permits linking to non-(L)GPL code. > openCryptoki from http://sourceforge.net/projects/opencryptoki - GPL uses > PKCS#11 I downloaded opencryptoki-2.2.0.tar.gz . It is not GPL, it is under the "Common Public License Version 0.5". -- Lionel From alphasigmax at gmail.com Tue Sep 6 12:27:13 2005 From: alphasigmax at gmail.com (Alphax) Date: Tue Sep 6 12:30:02 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431D630C.6010208@excelcia.org> References: <431D630C.6010208@excelcia.org> Message-ID: <431D6F01.8000706@gmail.com> Kurt Fitzner wrote: > This isn't GnuPG-related really, but recently downloaded my own public > key from a keyserver and found on it about a billion of those silly PGP > global directory signatures on it. Either someone has been downloading > my key from PGP a whole bunch and then submitting it to keyservers, or > the mainstream keyservers are syncing with PGP's global directory. > > I'm wondering if this is a widespread problem. Have other people > noticed this with their keys? > > I am now very sorry I went throught that email process with PGP. I'm > actually hoping this is a widespread problem so that keyserver operators > will start deleting those stupid signatures. If not, I am stuck with my > key having a billion useless signatures on it. > If you have gpg 1.4.2 you can edit your key and clean it. You can also set your import and export options to clean these signatures automatically. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From stefan at fuhrmann.homedns.org Tue Sep 6 12:46:31 2005 From: stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Tue Sep 6 12:46:42 2005 Subject: Linux-gnupg and win-pgp In-Reply-To: <20050906063911.GB28526@tofu.mamane.lu> References: <200509052326.53595.stefan@fuhrmann.homedns.org> <200509060153.30294.stefan@fuhrmann.homedns.org> <20050906063911.GB28526@tofu.mamane.lu> Message-ID: <200509061246.46626.stefan@fuhrmann.homedns.org> > > In the message composition window, in the toolbar, there is a choice > list between "Inline OpenPGP", "OpenPGP/MIME" and a few others. Choose > "Inline OpenPGP". "inline OpenPGP" works!!! thank you !!! :-) stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050906/e6aaaae4/attachment.pgp From alon.barlev at gmail.com Tue Sep 6 14:03:50 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 13:03:32 2005 Subject: OpenPGP Card In-Reply-To: <20050906094219.GC2863@tofu.mamane.lu> Message-ID: Lionel Elie Mamane wrote: > I thought we were talking about PKCS#11 "drivers" for specific cards, and that you had to link this driver into your program (dynamically > at run-time) in order to use it. That _driver_ would be gpl-incompatible. PKCS#11 is a standard it is not vendor specific, please refer to http://www.rsasecurity.com/rsalabs/node.asp?id=2133 so that your answers will be correct. So if PKCS#11 is an API specification that every smartcard/HSM/Software who manages cryptographic keys supports, by means of developing a shared library/DLL that implement the standard, is it OK for GPLed program to load and interact with this library. NOTICE: Since the application does not know which cryptographic token is used by the user, the usage of the library MUST be done at runtime. There is stick interface for these libraries which is described in PKCS#11 standard. We need a definite answer here... So the licensing argument will be out of the way... [[[ Some of my thoughts... And comments for your position. A standard is a standard... And it is not matter if it describers an API, a protocol, a command-line, a format or any other interface. As long as there is no intellectual rights claims for the implementation of the standard, it can be used by GPL. Hence... HTTP is a standard (RFCXXX, protocol), PKCS#11 is a standard (RSA, API), S/MIME is a standard (RFC, format) etc... There is not difference between them in term of implementing a compliance software. ]]] Best Regards, Alon Bar-Lev. From eleuteri at myrealbox.com Tue Sep 6 13:18:49 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Tue Sep 6 14:58:34 2005 Subject: OpenPGP Card References: Message-ID: <001701c5b2d4$c26d6fd0$0302a8c0@enterprise> > NOTICE: Since the application does not know which cryptographic token is > used by the user, the usage of the library MUST be done at runtime. There is > stick interface for these libraries which is described in PKCS#11 standard. In such a case the DLL or .so or whatever MUST be GPL-compatible (GPL or less restrictive) per the meaning of FSF in order to be GPL-linkable, or be covered by the "standard OS component" exception. > We need a definite answer here... So the licensing argument will be out of > the way... If a library runs on a shared addressable space, FSF (which is GnuPG's Copyright holder, I assume?) considers the combined result a derived work in the meaning of copyright law. This is the whole point of the LGPL, to have a licence that allows linking libraries into non-free software, but which ensures distribution of the library will always be on free terms and so on. > A standard is a standard... And it is not matter if it describers an API, a > protocol, a command-line, a format or any other interface. > As long as there is no intellectual rights claims for the implementation of > the standard, it can be used by GPL. You are wrong. The GPL does not talk of standards in the meaning you propose. If a work links to a shared library and invokes its functions it is making use of the library in a manner similar to copying pages from another book into your own book. This process creates a derived work of the library. Whether the library implements a patent-protected standard, a Trade Secret or an open, non-patent-encumbered standard is for the purposes of the linking issue, irrelevant. Linking creates derivation. > Hence... HTTP is a standard (RFCXXX, protocol), PKCS#11 is a standard (RSA, > API), S/MIME is a standard (RFC, format) etc... There is not difference > between them in term of implementing a compliance software. The difference is that when I write onto a socket to talk to an HTTP server I do not copy its code onto my memory segment, I am making use of the server but not copying anything from its internals, which is why HTTP does not lead to a derived work being created. Whereas when I link in a library I copy its code onto my memory segment, and I invoke its functions in a manner equivalent to writing those functions onto my own code, which makes a derived work. IANAL (yet), but a gifted amateur :-) HTH, --David. From henkdebruijn at wanadoo.nl Tue Sep 6 14:48:33 2005 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Tue Sep 6 15:28:29 2005 Subject: how to select a subkey Message-ID: <691362319.20050906144833@wanadoo.nl> Hi all, Forgive my ignorance but how do I select a subkey? TIA -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System? version 3.5 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 183 bytes Desc: not available Url : /pipermail/attachments/20050906/c353d7ca/attachment.pgp From zvrba at globalnet.hr Tue Sep 6 15:56:22 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 15:55:56 2005 Subject: OpenPGP Card In-Reply-To: References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> Message-ID: <431DA006.6000807@globalnet.hr> Joe Smith wrote: > > For example, your CA can revoke your key leaving you with one key that > is invalid X.509, but valid OpenPGP? Yuck! > Using the X.509 cert and OpenPGP public key (having the same private key) could be useful in the following scenario: 1. You must periodically pay to your CA to renew your certificate 2. OpenPGP trust model isn't as 'strong' as X.509 (i.e. there aren't many trusted introducers) So, you pay ONCE to some CA to issue you short-lived, widely-trusted certificate. It will expire after a year or so, but.. you can continue to use your OpenPGP key as long as you deem it's OK. The point is that your _identity_ doesn't change when the X.509 cert expires. So, continuing to use the X.509 (expired) private key solves problem 1. Having X.509 cert in the first place, solves problem 2. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/1e5b0a68/signature.pgp From zvrba at globalnet.hr Tue Sep 6 16:04:28 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 16:04:11 2005 Subject: OpenPGP Card In-Reply-To: <20050906094219.GC2863@tofu.mamane.lu> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> Message-ID: <431DA1EC.9090907@globalnet.hr> 'Lionel Elie Mamane' wrote: > > I had understood that it was not a _protocol_ but a library API. HTTP > is a _protocol_ for data interchange over the network. I thought > PKCS#11 was a _library_ API and that you linked (dynamically at > run-time) a particular "implementation" of it (the card driver) into > your program to use it. If that's not the case, my previous messages > are void and meaningless. > PKCS#11 IS a library API. But really, how is API different from a protocol? Is the only difference linking in the same address space? Anyway, the "right" way, as I've understood Alon, is to make gpg use gpg-agent. They communicate via a well defined _protocol_ and are not _linked_ together. So actually, the PKCS#11 licensing issue can be solved by independently writing a BSD-licensed version of the gpg-agent. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/9b0f5831/signature.pgp From alphasigmax at gmail.com Tue Sep 6 16:02:04 2005 From: alphasigmax at gmail.com (Alphax) Date: Tue Sep 6 16:04:39 2005 Subject: OpenPGP Card In-Reply-To: <431DA006.6000807@globalnet.hr> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> Message-ID: <431DA15C.1020205@gmail.com> Zeljko Vrba wrote: > Joe Smith wrote: > >> >> For example, your CA can revoke your key leaving you with one key that >> is invalid X.509, but valid OpenPGP? Yuck! >> > Using the X.509 cert and OpenPGP public key (having the same private > key) could be useful in the following scenario: > Is that even allowed?? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From kfitzner at excelcia.org Tue Sep 6 16:13:06 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Sep 6 16:13:15 2005 Subject: GnuPG Explorer Extension (GPGee) version 1.2.0 released Message-ID: <431DA3F2.4030609@excelcia.org> Version 1.2.0 of GPGee has been released - head to the homepage at http://gpgee.excelcia.org to download it. New features include: - Support for creating signatures with more than one key at once. - Support for verifying multi-signed documents. - Automated new version checking (this was actually added in 1.1.3 but that version was unannounced) - Can automatically change the status of source files to read-only after they are signed. Useful for cases where a certain type of file's reader (MS Excel with spreadsheets is one) changes the file when it is opened even if it isn't edited. Since this would invalidate a signature, you can now have GPGee set the file read-only. In addition to that, there are a few bug fixes incorporated for good measure. To my knowledge, GPGee is the only GUI for GnuPG that supports multi-key signing. I actually got a first. :) For those that aren't familliar with GPGee, it is a Windows shell extension that adds GnuPG support to explorer's right-click menu. You can sign, sign+encrypt, encrypt, verify, and decrypt files right from within the Windows explorer. p.s. A very grateful thank-you goes to Werner Koch. In addition to a very nice compliment about GPGee's source code, he has offered hosting for GPGee at gnupg.org. Recently I began to experience a lot of downloads of GPGee (up to 500/week - which is a whole lot for me) and it was threatening to overwhelm my modest self hosting ability. Actually, now that I think about it, it was partially his fault to begin with. He added a link to GPGee on the GnuPG web site's list of frontends, and it was then that was when I started to see all the downloads. I should mention, before people think I'm actually blaming him, that I requested the link... Werner was simply gracious enough to say yes and put it there. Thanks for both the link and the hosting. :) From zvrba at globalnet.hr Tue Sep 6 16:17:07 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 16:16:45 2005 Subject: OpenPGP Card In-Reply-To: <431DA15C.1020205@gmail.com> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> <431DA15C.1020205@gmail.com> Message-ID: <431DA4E3.3090802@globalnet.hr> Alphax wrote: > Zeljko Vrba wrote: > >>Joe Smith wrote: >> >> >>>For example, your CA can revoke your key leaving you with one key that >>>is invalid X.509, but valid OpenPGP? Yuck! >>> >> >>Using the X.509 cert and OpenPGP public key (having the same private >>key) could be useful in the following scenario: >> > > Is that even allowed?? > In what sense allowed? PKCS#11 know nothing about policies.. It just exposes a set of objects on the card (certificate, public and private keys and maybe some other data objects along with certificates). The application is free to do whatever it wants with these objects, given sufficient authentication to the card (PIN). Technically, there is nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/2990ac4f/signature.pgp From alphasigmax at gmail.com Tue Sep 6 16:18:45 2005 From: alphasigmax at gmail.com (Alphax) Date: Tue Sep 6 16:21:27 2005 Subject: OpenPGP Card In-Reply-To: <431DA4E3.3090802@globalnet.hr> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> <431DA15C.1020205@gmail.com> <431DA4E3.3090802@globalnet.hr> Message-ID: <431DA545.6030708@gmail.com> Zeljko Vrba wrote: > Alphax wrote: > >> Zeljko Vrba wrote: >> >>> Joe Smith wrote: >>> >>> >>>> For example, your CA can revoke your key leaving you with one key that >>>> is invalid X.509, but valid OpenPGP? Yuck! >>>> >>> >>> Using the X.509 cert and OpenPGP public key (having the same private >>> key) could be useful in the following scenario: >>> >> >> Is that even allowed?? >> > In what sense allowed? PKCS#11 know nothing about policies.. It just > exposes a set of objects on the card (certificate, public and private > keys and maybe some other data objects along with certificates). > It terms of using the same generic public/private keypair... how does that work? > The application is free to do whatever it wants with these objects, > given sufficient authentication to the card (PIN). Technically, there is > nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys. I think I might have seen something like that with a Thawte Freemail root certificate or something... it wasn't pretty :( (eh, I think I just answered my own question, but I still don't "get it"...) -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From zvrba at globalnet.hr Tue Sep 6 16:26:05 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 16:25:36 2005 Subject: OpenPGP Card In-Reply-To: <431DA1EC.9090907@globalnet.hr> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> Message-ID: <431DA6FD.5030602@globalnet.hr> Zeljko Vrba wrote: > > PKCS#11 IS a library API. But really, how is API different from a > protocol? Is the only difference linking in the same address space? > BTW, I can imagine writing a version of ld.so (BSD licensed!) that will execute different shared libraries as separate processes, and will NOT link them in the same address space with the application in question (i.e. GnuPG). So the "procedure call" will call to a stub in the BSD licensed ld.so which will just "pass a message" to the real shared library and return a result code to the application. Thing like this would forever end this GPL madness about what is "derivative work". -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/aacdce94/signature.pgp From lionel at mamane.lu Tue Sep 6 16:31:14 2005 From: lionel at mamane.lu ('Lionel Elie Mamane') Date: Tue Sep 6 16:31:32 2005 Subject: OpenPGP Card In-Reply-To: <431DA1EC.9090907@globalnet.hr> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> Message-ID: <20050906143114.GB9347@tofu.mamane.lu> On Tue, Sep 06, 2005 at 04:04:28PM +0200, Zeljko Vrba wrote: > 'Lionel Elie Mamane' wrote: >>I had understood that it was not a _protocol_ but a library API. HTTP >>is a _protocol_ for data interchange over the network. I thought >>PKCS#11 was a _library_ API and that you linked (dynamically at >>run-time) a particular "implementation" of it (the card driver) into >>your program to use it. If that's not the case, my previous messages >>are void and meaningless. > PKCS#11 IS a library API. But really, how is API different from a > protocol? Is the only difference linking in the same address space? The fact that they have to run in the same address space suggests that they exchange "complex data structures" and that the intercoupling (interdependency?) between them is quite tight. I suppose this is the FSF's reasoning. -- Lionel From eleuteri at myrealbox.com Tue Sep 6 16:33:36 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Tue Sep 6 16:33:48 2005 Subject: OpenPGP Card References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu><431DA1EC.9090907@globalnet.hr> <431DA6FD.5030602@globalnet.hr> Message-ID: <007501c5b2ef$f877dd20$0302a8c0@enterprise> List wrote: So the "procedure call" will call to a stub in the BSD licensed ld.so which will just "pass a message" to the real shared library and return a result code to the application. That might not be enough. In order to ensure that copyright does not trigger you need to exclude derivation, which is caused by copying (but not copying only). The API could be (and has sometimes been) considered to be subject to copyright insofar as it is an original non-functional (id est, it could be done some other way) work. However for this case the API is explicitly licence, so if the licence of the API is GPL-compatible your library might indeed solve the problem. Many libraries however could not be used in such a way. --David. From lionel at mamane.lu Tue Sep 6 16:35:04 2005 From: lionel at mamane.lu ('Lionel Elie Mamane') Date: Tue Sep 6 16:35:22 2005 Subject: OpenPGP Card In-Reply-To: <431DA6FD.5030602@globalnet.hr> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> <431DA6FD.5030602@globalnet.hr> Message-ID: <20050906143504.GC9347@tofu.mamane.lu> On Tue, Sep 06, 2005 at 04:26:05PM +0200, Zeljko Vrba wrote: >> PKCS#11 IS a library API. But really, how is API different from a >> protocol? Is the only difference linking in the same address space? > BTW, I can imagine writing a version of ld.so (BSD licensed!) that > will execute different shared libraries as separate processes, Please do so. I'm curious how you will handle: 1) Pointers being passed By copying the whole address space back and forth at each call and return? "Morally" that's not running in separate address spaces! 2) A library that calls exec() or fork() or setuid() such a "process state changing" syscall. I don't think you can keep the semantics of all libraries in this way. > and will NOT link them in the same address space with the > application in question (i.e. GnuPG). > So the "procedure call" will call to a stub in the BSD licensed > ld.so which will just "pass a message" to the real shared library > and return a result code to the application. > Thing like this would forever end this GPL madness about what is > "derivative work". It would certainly be a fun legal challenge. I don't believe however, you would win it. But I'm not a lawyer, he. By all means, please follow through on this plan. It will be very fun to watch! -- Lionel From lionel at mamane.lu Tue Sep 6 16:42:53 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Tue Sep 6 16:42:56 2005 Subject: how to select a subkey In-Reply-To: <691362319.20050906144833@wanadoo.nl> References: <691362319.20050906144833@wanadoo.nl> Message-ID: <20050906144253.GE9347@tofu.mamane.lu> On Tue, Sep 06, 2005 at 02:48:33PM +0200, Henk M. de Bruijn wrote: > Forgive my ignorance but how do I select a subkey? I'm not sure what you mean. In the "--edit-key" menu, you type "key n", replacing "n" by a number. From the command line, you "just" use the KeyID of the key. -- Lionel From zvrba at globalnet.hr Tue Sep 6 16:52:55 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 16:52:21 2005 Subject: OpenPGP Card In-Reply-To: <20050906143504.GC9347@tofu.mamane.lu> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> <431DA6FD.5030602@globalnet.hr> <20050906143504.GC9347@tofu.mamane.lu> Message-ID: <431DAD47.5050907@globalnet.hr> 'Lionel Elie Mamane' wrote: > > Please do so. I'm curious how you will handle: > > 1) Pointers being passed > > By copying the whole address space back and forth at each call and > return? "Morally" that's not running in separate address spaces! > Make the programs share their _data_ segments, but NOT their _code_ segments. GPL is about _code_, not about the _data_ created and used by the code. The first pointer-sharing reference will trigger a fault which will be handled by the ld.so and it will create an appropriate data-sharing mapping. "Morally" I don't care, even in the case of copying. Technically, making the programs share their data segments is, IMHO, not a violation of GPL since no code is shared between the programs. But then again, I'm not a lawyer. I'm always interested in other opinions. > > 2) A library that calls exec() or fork() or setuid() such a > "process state changing" syscall. > > > I don't think you can keep the semantics of all libraries in this > way. > By providing the support for few such critical things within ld.so, so it can change the state of the 'right' process. I don't have all details worked-out, but none of them seem really unsurmountable. In the extreme case, nothing that couldn't be solved with little kernel-side work and support. > > It would certainly be a fun legal challenge. I don't believe however, > you would win it. But I'm not a lawyer, he. > Neither am I. > > By all means, please follow through on this plan. It will be very fun > to watch! > In what way "fun"? :) I don't have the time currently, sadly. But, the biggest journey begins with the first step, so I just might start to write some design paper in my spare time :) Either I'll be the first one to do it, or someone will get ahead of me. In any case, Werner will run out of his only reasonable argument (IMHO) for not supporting PKCS#11 and users will (hopefully) profit ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/a38657a3/signature.pgp From dshaw at jabberwocky.com Tue Sep 6 17:06:21 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Sep 6 17:07:01 2005 Subject: Certification-only key In-Reply-To: <20050905230300.GB7834@tofu.mamane.lu> References: <20050905144140.GA27381@tofu.mamane.lu> <20050905174607.GB1750@jabberwocky.com> <20050905193550.GB2713@tofu.mamane.lu> <20050905204646.GC1750@jabberwocky.com> <20050905230300.GB7834@tofu.mamane.lu> Message-ID: <20050906150621.GA3400@jabberwocky.com> On Tue, Sep 06, 2005 at 01:03:00AM +0200, Lionel Elie Mamane wrote: > >> I would obviously have at least one data-signing subkey. I presume > >> these people would take a signature from such as subkey. Or > >> decryption of a nonce they sent me encrypted to an encryption > >> subkey. > > > They might, but really shouldn't (I wouldn't). When you make a > > certification signature on someone elses key, you're signing the > > primary key plus the user ID in question. There is no benefit in > > receiving a signed challenge from any key other than the primary. > > But that subkey is attached to the primary key by a signature of the > primary key. Isn't then control of that subkey enough to "prove" > control of the primary key? > > Unless: > > 1) Signature scheme cryptographically broken. We have a bigger > problem. > > 2) Primary key owner has done stupid things, like sharing subkeys > with others. But if we assume he has done that, we might as well > assume he would sign the challenge a man-in-the-middle attacker > has forwarded him or shared his primary key or ... > > Where's the flaw in the reasoning? The flaw is that #2 is not necessarily a stupid thing to do. There are useful things that can be done by having two different keys that happen to share subkeys. It's not illegal in OpenPGP to do so. In addition, given the current design of signing subkeys, it's possible to steal a subkey from someone elses key and pretend that their signature is from you. (GnuPG has a fix for this from a recent OpenPGP draft, but I'm waiting for PGP to implement it before I turn it on). The real flaw here is accepting a signature from something other than the object you are signing. That's one step removed, and therefore dangerous. David From shavital at mac.com Tue Sep 6 17:08:30 2005 From: shavital at mac.com (Charly Avital) Date: Tue Sep 6 17:08:45 2005 Subject: how to select a subkey In-Reply-To: <691362319.20050906144833@wanadoo.nl> References: <691362319.20050906144833@wanadoo.nl> Message-ID: <431DB0EE.1070704@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Henk M. de Bruijn wrote the following on 9/6/05 8:48 AM: | Hi all, | | Forgive my ignorance but how do I select a subkey? | | TIA I take it that you mean an additional subkey. $ gpg --edit-key [key ID] Command> addkey Key is protected. You need a passphrase to unlock the secret key for user: [you and the key you have selected] [type the passphrase for that key] Please select what kind of key you want: ~ (2) DSA (sign only) ~ (4) Elgamal (encrypt only) ~ (5) RSA (sign only) ~ (6) RSA (encrypt only) Your selection? If you want the additional subkey for sign only, your choice of DSA or RSA may be conditioned to the fact that if you want or need a "large" size (>1024) then you have to go for RSA. If you generate a RSA subkey of e.g. 2048, then you can use, if you want SHA256 i/o SHA1. Etc... Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQIVAwUBQx2w5m69XHxycyfPAQj0qg//cps0LAn/ftiXfqBlxJvrqQxqS56H3Q1B Q7QBorwIz3BpoqPNpX9OmSICmvDZ19reBfRhOjberVa6Ut6hbSfR1xtIztEExIjM y0OGcVplFq1wuxJHQKoOra/iSWPZkrIJkwaYV18LWG9qw1r4cMtv6fH8KNfAXMhJ WrXU/jKHxEluZa2N1xnTzlKWCCh6tMnFPdCOocMVpdrCEgPgEjf0GnskNOtW8+Re 9KXH9jmchNgzGnYECFSEc7zUWiLnqAqZBc2ad1rrxI2T2GWbES5jMWuMYMTwarkB D/bgwDDzIUUJoQplcEXeyzVWS8KeiMXgKcyoH84UjNwTzIsQW5/QzYOfcWmsGN+R nuyq5DIz0mQRK+p6nyliQ6fWJPU7RovAYbyQJLGAqkAOw/vhBUhWKou8fpgx32Aj vXEnASTmw5hI1s0uzPNG1qWxOstx/gEXJ97yg/necA+3U9VLlSEY1iMkbSN+dJgA R70yqRBOijtkFB0j6136HyNXNBfTMeUqT3rnpBoq1AA7Orph8LbejHBbkN3QFRAU OKpNZUxxRYnHirpiGAkGpJaVidUo76udQsu0iuKdHPL9AVVRrPExLLds3JiYcN2O IxlJiXEXCBMe1LVu0AN/YHFkklPWtG/5ycqjthH4LnoJhohZe2W2EHi7ugh6lLQK iRbaYrqYlc8= =qOfn -----END PGP SIGNATURE----- From alex at bofh.net.pl Tue Sep 6 17:24:23 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Tue Sep 6 17:25:25 2005 Subject: OpenPGP Card In-Reply-To: <431DA545.6030708@gmail.com> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> <431DA15C.1020205@gmail.com> <431DA4E3.3090802@globalnet.hr> <431DA545.6030708@gmail.com> Message-ID: <20050906152423.GC16716@syjon.fantastyka.net> On Tue, Sep 06, 2005 at 11:48:45PM +0930, Alphax wrote: > > The application is free to do whatever it wants with these objects, > > given sufficient authentication to the card (PIN). Technically, there is > > nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys. > > I think I might have seen something like that with a Thawte Freemail > root certificate or something... it wasn't pretty :( When Thawte signed PGP keys as a part of Web Of Trust program, they used the same key in both OpenPGP and X.509 form. Why you say it wasnt pretty? An actual RSA modulus is well hidden within the stuff so it doesn't really matter. Alex -- mors ab alto 0x46399138 From alon.barlev at gmail.com Tue Sep 6 18:26:05 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 17:25:39 2005 Subject: OpenPGP Card In-Reply-To: <001701c5b2d4$c26d6fd0$0302a8c0@enterprise> Message-ID: David Picon Alvarez wrote: > If a library runs on a shared addressable space, FSF (which is GnuPG's Copyright holder, I assume?) considers the combined result > a derived work in the meaning of copyright law. This is the whole point of the LGPL, to have a licence that allows linking libraries into > non-free software, but which ensures distribution of the library will always be on free terms and so on. But this is the opposite the GPL program uses a none GPLed library with out linkage to it!!! I don't understand why we always turn the facts around. > You are wrong. The GPL does not talk of standards in the meaning you propose. If a work links to a shared library and invokes its functions > it is making use of the library in a manner similar to copying pages from another book into your own book. This process creates a derived work of > the library. > Whether the library implements a patent-protected standard, a Trade Secret or an open, non-patent-encumbered standard is for the purposes > of the linking issue, irrelevant. Linking creates derivation. No... You are wrong. Let's say my Api is as follows: int do_work (int argc, void *argv[]); Now I load a shared library, get the do_work address and call it by: int (*do_work)(int argc, void *argv[]) = get_do_work_address (); char *args[] = { "ls", "-l" ); do_work (2, argv); What is the difference between calling this shared library or executing a none GPLed "ls"?!?!?!? There is an exception in the FAQ page... "If modules are designed to run linked together in a shared address space, that almost surely means combining them into one program." Please note the word _ALMOST_, you tend to forget that every rule has an exception. The above implementation and PKCS#11 do not fall this category. >> Hence... HTTP is a standard (RFCXXX, protocol), PKCS#11 is a standard (RSA, >> API), S/MIME is a standard (RFC, format) etc... There is not >> difference between them in term of implementing a compliance software. > The difference is that when I write onto a socket to talk to an HTTP server I do not copy its code onto my memory segment, I am making use > of the server but not copying anything from its internals, which is why HTTP does not lead to a derived work being created. Whereas when I link > in a library I copy its code onto my memory segment, and I invoke its functions in a manner equivalent to writing those functions onto my own > code, which makes a derived work. Again... I am sorry but I must disagree... WHERE THE CODE RUN IS NOT AN ISSUE. The issue is how tightly your code is with another code. A protocol and API specification are the same, since they can replace one another... In your view I can write a PKCS#11 daemon that exposes SOAP as protocol... And this way to use PKCS#11 in GPLed application. But I cannot use the PKCS#11 directly... This is CRAZY!!! You are fooling your-self if you think there is a difference between the two... If the usage of PKCS#11 caused your application to violate the GPL license, then the usage of the same API through SOAP will cause the same affect! I cannot imagine that the lower who wrote the GPL meant that the open source community's programmers should work so hard in order to implement their software... I think this is your interpretation... I've written FSF and I hope they will address this issue. Best Regards, Alon Bar-Lev. From kfitzner at excelcia.org Tue Sep 6 16:09:57 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Tue Sep 6 17:30:45 2005 Subject: [Announce] GnuPG Explorer Extension (GPGee) version 1.2.0 released Message-ID: <431DA335.6020304@excelcia.org> Version 1.2.0 of GPGee has been released - head to the homepage at http://gpgee.excelcia.org to download it. New features include: - Support for creating signatures with more than one key at once. - Support for verifying multi-signed documents. - Automated new version checking (this was actually added in 1.1.3 but that version was unannounced) - Can automatically change the status of source files to read-only after they are signed. Useful for cases where a certain type of file's reader (MS Excel with spreadsheets is one) changes the file when it is opened even if it isn't edited. Since this would invalidate a signature, you can now have GPGee set the file read-only. In addition to that, there are a few bug fixes incorporated for good measure. For those that aren't familliar with GPGee, it is a Windows shell extension that adds GnuPG support to explorer's right-click menu. You can sign, sign+encrypt, encrypt, verify, and decrypt files right from within the Windows explorer. _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From alphasigmax at gmail.com Tue Sep 6 17:32:52 2005 From: alphasigmax at gmail.com (Alphax) Date: Tue Sep 6 17:36:21 2005 Subject: OpenPGP Card In-Reply-To: <20050906152423.GC16716@syjon.fantastyka.net> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> <431DA15C.1020205@gmail.com> <431DA4E3.3090802@globalnet.hr> <431DA545.6030708@gmail.com> <20050906152423.GC16716@syjon.fantastyka.net> Message-ID: <431DB6A4.1020806@gmail.com> Janusz A. Urbanowicz wrote: > On Tue, Sep 06, 2005 at 11:48:45PM +0930, Alphax wrote: > >>>The application is free to do whatever it wants with these objects, >>>given sufficient authentication to the card (PIN). Technically, there is >>>nothing CA can do to prevent you to use your X.509 keys as OpenPGP keys. >> >>I think I might have seen something like that with a Thawte Freemail >>root certificate or something... it wasn't pretty :( > > > When Thawte signed PGP keys as a part of Web Of Trust program, they used the > same key in both OpenPGP and X.509 form. > > Why you say it wasnt pretty? An actual RSA modulus is well hidden within the > stuff so it doesn't really matter. > They converted the same key several times, so there were 3 or so keys with the same long fingerprint, but different creation times - multiple copies of the same key. Is it possible to arbitrarily make an OpenPGP key with whatever keypair? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alex at bofh.net.pl Tue Sep 6 17:36:58 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Tue Sep 6 17:37:53 2005 Subject: OpenPGP Card In-Reply-To: <431DB6A4.1020806@gmail.com> References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> <431DA15C.1020205@gmail.com> <431DA4E3.3090802@globalnet.hr> <431DA545.6030708@gmail.com> <20050906152423.GC16716@syjon.fantastyka.net> <431DB6A4.1020806@gmail.com> Message-ID: <20050906153658.GD16716@syjon.fantastyka.net> On Wed, Sep 07, 2005 at 01:02:52AM +0930, Alphax wrote: > Is it possible to arbitrarily make an OpenPGP key with whatever keypair? There is no software that would do this right now, but assuming this is a actual RSA keypair, yes. Why not? Alex -- mors ab alto 0x46399138 From lionel at mamane.lu Tue Sep 6 18:57:01 2005 From: lionel at mamane.lu ('Lionel Elie Mamane') Date: Tue Sep 6 18:57:14 2005 Subject: OpenPGP Card In-Reply-To: <431DAD47.5050907@globalnet.hr> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> <431DA6FD.5030602@globalnet.hr> <20050906143504.GC9347@tofu.mamane.lu> <431DAD47.5050907@globalnet.hr> Message-ID: <20050906165701.GB14872@tofu.mamane.lu> On Tue, Sep 06, 2005 at 04:52:55PM +0200, Zeljko Vrba wrote: > 'Lionel Elie Mamane' wrote: >>Please do so. I'm curious how you will handle: >> >> 1) Pointers being passed >> >> By copying the whole address space back and forth at each call and >> return? "Morally" that's not running in separate address spaces! > Make the programs share their _data_ segments, but NOT their _code_ > segments. GPL is about _code_, not about the _data_ created and used by > the code. The pointer may point to code. It can be a pointer to a function. For a callback, for example. > I don't have all details worked-out, but none of them seem really > unsurmountable. In the extreme case, nothing that couldn't be solved > with little kernel-side work and support. >> By all means, please follow through on this plan. It will be very fun >> to watch! > In what way "fun"? :) 1) Scientifically, see interesting problems tackled. 2) From a slightly more "Schadenfreude" perspective, watch the legal discussions and / or flamewars it will create. White papers flying around! Eben Moglen saying your mechanism doesn't circumvent the GPL, you disagreeing and arguing back, a new GPL revision coming out to address the "loophole" you have demonstrated (if it gets settled that it _is_ a loophole), etc. You saying that the revised GPL version doesn't count, because not derivative work and thus legally cannot enforce limitations. Fun to watch from the sidelines, cheering on, etc ;-) > In any case, Werner will run out of his only reasonable argument > (IMHO) for not supporting PKCS#11 and users will (hopefully) profit > ;) I find the following argument very reasonable: I have no interest in implementing PKCS#11 and nobody has stepped up to pay me to do it. He won't run out of *this* argument ;-) -- Lionel From zvrba at globalnet.hr Tue Sep 6 18:59:19 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 18:59:07 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431DCAE7.5060906@globalnet.hr> Alon Bar-Lev wrote: > > Again... I am sorry but I must disagree... WHERE THE CODE RUN IS NOT AN > ISSUE. > The issue is how tightly your code is with another code. > A protocol and API specification are the same, since they can replace one > another... > I would agree with this. Why does the actual _mechanism_ of DATA sharing matter? Can somebody explain, what is the difference between calling PKCS#11 as a shared library and passing a message to some daemon to pefrorm the work and return the result? The amount of sharing and coupling between the two modules is EXACTLY THE SAME, the only difference is the MECHANISM used to accomplish that sharing (i.e. shared address space in the case of dynamic library or UNIX sockets in the case of stand-alone daemon). What's more, UNIX sockets can be implemented via shared memory. What would GPL say in _that_ case? And I would try again to emphasize DATA sharing, not CODE sharing. You use PKCS#11 API to share DATA with the library[1]. In my opinion, data sharing does not and cannot (in any common-sense interpretation) constitute a "derivative work". Then again, I'm not a lawyer. The application calling PKCS#11 one way or another shares ONLY data with it, not its code! And I don't think that GPL says anything about data sharing. So it would be (maybe) legal and GPL-compliant to link in proprietary PKCS#11 .so into GnuPG. [1] There are some cases when you can register a callback to be called by PKCS#11 into you application. This is again a moot point, since even Windows do that: call app callback from the kernel (e.g. the ubiquitous "WndProc"). Paradoxically, it seems that GnuPG would be allowed to used closed-source MS CAPI because it is delivered as a "part of the operating system". The way CAPI works is: your application -> CAPI -> back-end driver So your application interacts with CAPI (delivered as a part of the operating system - an exception permitted by the GPL, as someone quoted in this thread), and CAPI interacts with the back-end driver for the particular hardware device. > > In your view I can write a PKCS#11 daemon that exposes SOAP as protocol... > And this way to use PKCS#11 in GPLed application. > But I cannot use the PKCS#11 directly... > > This is CRAZY!!! You are fooling your-self if you think there is a > difference between the two... > Yes, I agree with this viewpoint. The only difference is in the MECHANISM to accomplish the sharing. BTW, let us know when you get the reply from the FSF. I'm really curious.. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/63ade901/signature-0001.pgp From lionel at mamane.lu Tue Sep 6 18:58:59 2005 From: lionel at mamane.lu ('Lionel Elie Mamane') Date: Tue Sep 6 18:59:35 2005 Subject: OpenPGP Card In-Reply-To: <431DAD47.5050907@globalnet.hr> References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> <431DA6FD.5030602@globalnet.hr> <20050906143504.GC9347@tofu.mamane.lu> <431DAD47.5050907@globalnet.hr> Message-ID: <20050906165859.GC14872@tofu.mamane.lu> On Tue, Sep 06, 2005 at 04:52:55PM +0200, Zeljko Vrba wrote: > 'Lionel Elie Mamane' wrote: >> 1) Pointers being passed >> By copying the whole address space back and forth at each call and >> return? "Morally" that's not running in separate address spaces! > "Morally" I don't care, even in the case of copying. "Morally" is what a judge will look at. So it is the crux of the matter. -- Lionel From alon.barlev at gmail.com Tue Sep 6 20:12:53 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 19:12:11 2005 Subject: OpenPGP Card In-Reply-To: <20050906165701.GB14872@tofu.mamane.lu> Message-ID: 'Lionel Elie Mamane' wrote: > I find the following argument very reasonable: I have no interest in implementing PKCS#11 and nobody has stepped up to pay me to do it. When I started this discussion, I wanted to ask whether implementing a feature of gpg-agent to access PKCS#11 token is in the roadmap... I will gladly get the answer, yes... If someone will pay for the implementation... When you raise this issue... It seems that PKCS#11 is not implemented not because of licensing problems... But because if PKCS#11 will be implemented then there will be no work to be done for each specific card... Best Regards, Alon Bar-Lev. From zvrba at globalnet.hr Tue Sep 6 19:35:34 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Tue Sep 6 19:35:01 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431DD366.1030405@globalnet.hr> Alon Bar-Lev wrote: > > When you raise this issue... It seems that PKCS#11 is not implemented not > because of licensing problems... But because if PKCS#11 will be implemented > then there will be no work to be done for each specific card... > But this strategy can, and will backfire :) From personal experience, companies are much more likely to choose a standard, interoperable solution (-> PKCS#11 -> X.509) than paying for a proprietary[1] solution. [1] In a sense that I can't describe exactly, OpenPGP card + GnuPG feels more proprietary than any closed-source smart card with PKCS#11 driver provided. The metric of 'proprietary-ness' would be in this case: the number of different smart-cards and interfaces supported by GnuPG. IMHO, the overall situation would get better for GnuPG and OpenPGP card if someone wrote a GPL-compatible PKCS#11 driver for the OpenPGP card. Then: a) OpenPGP cards can be used by other applications, not just GnuPG. (OK, they can be used in other applications even now, but noone sane will write card-specific code when they can use a high-level, universal API like PKCS#11). b) GnuPG switches to PKCS#11 and uses the GPL-compatible PKCS#11 for the OpenPGP card. It doesn't even have to dynamically link to it. As Alon did remark earlier, the general movement in the industry is towards multi-purpose smart-cards. OpenPGP card currently doesn't fall into this category. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050906/f851d8c4/signature.pgp From wk at gnupg.org Tue Sep 6 20:35:36 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 6 20:41:35 2005 Subject: OpenPGP Card In-Reply-To: <431DA1EC.9090907@globalnet.hr> (Zeljko Vrba's message of "Tue, 06 Sep 2005 16:04:28 +0200") References: <20050905231617.GC7834@tofu.mamane.lu> <20050906094219.GC2863@tofu.mamane.lu> <431DA1EC.9090907@globalnet.hr> Message-ID: <87k6huxcw7.fsf@wheatstone.g10code.de> On Tue, 06 Sep 2005 16:04:28 +0200, Zeljko Vrba said: > Anyway, the "right" way, as I've understood Alon, is to make gpg use > gpg-agent. They communicate via a well defined _protocol_ and are not > _linked_ together. Just for the record: Linking is only one indication that the whole is a derived work. There is no one to one relation ship and in particular even two separate processes might make up a derived work. Salam-Shalom, Werner From wk at gnupg.org Tue Sep 6 20:39:47 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 6 20:41:56 2005 Subject: OpenPGP Card In-Reply-To: <431DD366.1030405@globalnet.hr> (Zeljko Vrba's message of "Tue, 06 Sep 2005 19:35:34 +0200") References: <431DD366.1030405@globalnet.hr> Message-ID: <87d5nmxcp8.fsf@wheatstone.g10code.de> On Tue, 06 Sep 2005 19:35:34 +0200, Zeljko Vrba said: > As Alon did remark earlier, the general movement in the industry is > towards multi-purpose smart-cards. OpenPGP card currently doesn't fall > into this category. Not true. The OpenPGP card specification is a card application and you may put as many other applications on a card as you like and the EEPROM allows to. With 6k (and even less possible) it is actually a pretty small application. Shalom-Salam, Werner From JPClizbe at comcast.net Tue Sep 6 20:36:37 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Sep 6 20:48:02 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431D630C.6010208@excelcia.org> References: <431D630C.6010208@excelcia.org> Message-ID: <431DE1B5.6040002@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kurt Fitzner wrote: > This isn't GnuPG-related really, but recently downloaded my own public > key from a keyserver and found on it about a billion of those silly PGP > global directory signatures on it. Either someone has been downloading > my key from PGP a whole bunch and then submitting it to keyservers, or > the mainstream keyservers are syncing with PGP's global directory. > > I'm wondering if this is a widespread problem. Have other people > noticed this with their keys? > > I am now very sorry I went throught that email process with PGP. I'm > actually hoping this is a widespread problem so that keyserver operators > will start deleting those stupid signatures. If not, I am stuck with my > key having a billion useless signatures on it. > > I'm so glad there is GnuPG with no corporate agenda!!! > Thanks Werner et al. gpg --edit-key clean And setting the clean-sigs and clean-uids options on import-options, export-options, and keyserver-options are our only defense until then. Like you, I refreshed from a SKS server and found 120 new sigs on my key, ALL PGP Universal Keyserver. Over on PGP-Basics, someone asked what was the purpose of the 'clean' command in GnuPG. A good friend of mine replied, "It undoes the damage caused by the PGP Universal key server." Like you, I regret ever submitting my key to that nightmare. I ignored all the renewal emails. I can't say if the PGP signatures were always the problem, but importing my full keyring to clean it in the process reduced a 750 key ring from ~8MB to ~6MB, just under 1/3 (32%) reduction. Maybe --clean-keys could be added as a command to GnuPG, like --check-sigs. Perhaps autocleaning keys is something the SKS keyserver folks will introduce. They seem to have the only active development taking place. And I second the thanks to Werner, David, Timo, and the rest of the GnuPG development community. - -- John P. Clizbe PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDHeG0HQSsSmCNKhARAqyJAKD1xF5/xYoV2m2CSqC3BQ1t2mX6jwCeNxc/ bgXl+nXUPBTIuAk0+rGJQ6k= =DTUD -----END PGP SIGNATURE----- From alon.barlev at gmail.com Tue Sep 6 22:34:33 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 21:33:59 2005 Subject: OpenPGP Card In-Reply-To: <87d5nmxcp8.fsf@wheatstone.g10code.de> Message-ID: Werner Koch wrote: >> As Alon did remark earlier, the general movement in the industry is >> towards multi-purpose smart-cards. OpenPGP card currently doesn't fall >> into this category. > Not true. The OpenPGP card specification is a card application and you may put as many other applications on a card as you like and the > EEPROM allows to. With 6k (and even less possible) it is actually a pretty small application. Werner, you fail to understand the user requirements... The low level specifications of the cards is not important, programmers (except of you guys...) do not program low-level code in order to access devices. There is PKCS#11 which is high-level SOFTWARE API that is cross-platform, cross-device, and easy to use. This is the only specification to which I can write software and make sure that the user will be free to choose his hardware. Best Regards, Alon Bar-Lev. From eleuteri at myrealbox.com Tue Sep 6 22:46:48 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Tue Sep 6 22:47:00 2005 Subject: OpenPGP Card References: Message-ID: <003001c5b324$1b291940$0302a8c0@enterprise> > But this is the opposite the GPL program uses a none GPLed library with out > linkage to it!!! > I don't understand why we always turn the facts around. It's the same, combination and derivation trigger the copyright, and the GPL _requires_ the combined whole work to be covered by the GPL. So if I link to non-GPL library the linking against non-GPL code taints mine, and if someone links to my GPLed library my GPL requirement has to be obeyed. > Let's say my Api is as follows: > > int do_work (int argc, void *argv[]); > > Now I load a shared library, get the do_work address and call it by: > > int (*do_work)(int argc, void *argv[]) = get_do_work_address (); > > char *args[] = { > "ls", > "-l" > ); > > do_work (2, argv); > > What is the difference between calling this shared library or executing a > none GPLed "ls"?!?!?!? The difference is in the copying. Copyright is triggered by copying, not use. When you call a program and it executes independently you do not create or combine or derive in the meaning of copyright, because you are not engaging in copying and aggregating onto your own code. When you link a library you do. > Again... I am sorry but I must disagree... WHERE THE CODE RUN IS NOT AN > ISSUE. > The issue is how tightly your code is with another code. Part of the issue is that, since, as I said later, API itself can have some degree of copyright protection. But it is generally believed by FSF that sharing an address space implies creating a combined and/or derived work. > In your view I can write a PKCS#11 daemon that exposes SOAP as protocol... > And this way to use PKCS#11 in GPLed application. > But I cannot use the PKCS#11 directly... Correct, if you write a daemon no copy occurs, thus no triggering of copyright. > This is CRAZY!!! You are fooling your-self if you think there is a > difference between the two... > If the usage of PKCS#11 caused your application to violate the GPL license, > then the usage of the same API through SOAP will cause the same affect! See above. > I cannot imagine that the lower who wrote the GPL meant that the open source > community's programmers should work so hard in order to implement their > software... I think this is your interpretation... I've written FSF and I > hope they will address this issue. The lawyer who wrote GPL wrote it with the explicit intent to incentive programmers to write free software and keep software free. Allowing linkage to or from NON-GPL code is generally considered to be counterproductive for the purposes stated. --David. From alon.barlev at gmail.com Tue Sep 6 23:16:53 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Tue Sep 6 23:21:23 2005 Subject: OpenPGP Card In-Reply-To: <003001c5b324$1b291940$0302a8c0@enterprise> References: <003001c5b324$1b291940$0302a8c0@enterprise> Message-ID: <431E0745.5040909@gmail.com> David Picon Alvarez wrote: I dropped all stuff regarding the differences using API and communication... I think you are wrong, there is exception for the rules... I try now to contact FSF for a formal position. > > The lawyer who wrote GPL wrote it with the explicit intent to incentive > programmers to write free software and keep software free. Allowing linkage > to or from NON-GPL code is generally considered to be counterproductive for > the purposes stated. > Here is what you imply... And it is so sad that I want to cry :-( On Microsoft platform, there is an API called CryptoAPI which is provided as part of the operating system. This API uses CSPs (Cryptographic Service Providers) that is provided by the smart card vendors. So GPLed program can execute on Windows platform which is TOTALLY NOT A FREE software and use vendor provided smart card interface. On the other hand, in Linux environment, the flag ship of the free software, a GPLed software cannot use vendor provided smart card interface since (As you claim) every shared library that is used must be also GPLed. Microsoft environment turns to be the best environment for GPLed software, since it provides all features as part of the operating system... This is how they use their monopoly... And you and all people who think like you fall into their trap. Your arguments should not be if the code is run here or run there or how technically you use a piece of code, your argument should be around the ability to spread free software, and this ability is provided if the free software uses as many standards as it can, PKCS#11 is one of them. There is no sense in turning Linux environment to be less attractive for free software development, since smart card are hardware based, they will never be free and as such every program that need to use hardware will have to use proprietary code. From your position there are three options: 1. Linux will not be able to use many hardware devices available in the market. So there will be less application for Linux, more application for Windows. 2. Vendors will develop NONE FREE software and sell it to people who insist to use these hardware devices and Linux. For example, I will write a PKCS#11 gpg-agent and sale it for enterprises... If they insist of using gpg... But I don't believe they will... 3. Application in Linux environment will invent standards like the OpenPGP card, and be left out with some early adapters individuals. When I read the GPL and the GPL FAQ I don't understand that this was the wish of the authors. Exactly because of that they allowed exceptions. People should understand when a situation occurs that satisfied an exception. Best Regards, Alon Bar-Lev. From eleuteri at myrealbox.com Tue Sep 6 23:40:39 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Tue Sep 6 23:40:47 2005 Subject: OpenPGP Card References: <003001c5b324$1b291940$0302a8c0@enterprise> <431E0745.5040909@gmail.com> Message-ID: <001801c5b32b$a0e699c0$0302a8c0@enterprise> Alon, First, I might have written to you directly instead of to the list. If so I'm sorry, I screwed up with my mail agent. > There is no sense in turning Linux environment to be less > attractive for free software development, since smart card are > hardware based, they will never be free and as such every > program that need to use hardware will have to use proprietary > code. This is really, really wrong. Just because a piece of hardware is proprietary it needs not have proprietary drivers. There are plenty of free drivers for hardware in the Linux kernel, for example, thanks to either reverse engineering or to companies who make the hardware being smart (and doing the write thing) and releasing the necessary specifications of the hardware so that a free driver is possible. In addition, with ever-cheaper FPGAs and so on, hardware and software might converge quite a lot (a lot of hardware these days is more written (VHDL or VeriLog code) than designed). But this is a bit OT. The fact is that, even though I mostly agree with you that it is a hard fight to convince smart card manufacturers to provide ISO compliance or specs for their cards and that using PKCS#11 would make GnuPG more capable this does not matter, because the things you're able to express with a licence are limited, and GPL is written as it is. So nothing there is to be done. > From your position there are three options: There are a few more. > 1. Linux will not be able to use many hardware devices > available in the market. So there will be less application for > Linux, more application for Windows. This already happens today to an extent. Winmodems, winprinters. Fortunately there are pervasive reverse engineering efforts together with pressure to manufacturers to yield specs. > 2. Vendors will develop NONE FREE software and sell it to > people who insist to use these hardware devices and Linux. For > example, I will write a PKCS#11 gpg-agent and sale it for > enterprises... If they insist of using gpg... But I don't > believe they will... Again, this happens today. See proprietary nVidia drivers (which probably violate the GPL). > 3. Application in Linux environment will invent standards like > the OpenPGP card, and be left out with some early adapters > individuals. 4. Hardware manufacturing companies will follow standards about smart cards like the cited ISO standard. 5. Hardware manufacturing companies will provide specifications that will allow the creation of free drivers. Options 4 and 5 are much preferable to option 0 (GnuPG implements PKCS#11 and people use non-free drivers) and not implementing PKCS#11 might put some optimizing pressure in this direction. Best, --David. From dshaw at jabberwocky.com Wed Sep 7 00:03:28 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 7 00:15:08 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431DE1B5.6040002@comcast.net> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> Message-ID: <20050906220328.GB3400@jabberwocky.com> On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote: > Kurt Fitzner wrote: > > This isn't GnuPG-related really, but recently downloaded my own public > > key from a keyserver and found on it about a billion of those silly PGP > > global directory signatures on it. Either someone has been downloading > > my key from PGP a whole bunch and then submitting it to keyservers, or > > the mainstream keyservers are syncing with PGP's global directory. > > > > I'm wondering if this is a widespread problem. Have other people > > noticed this with their keys? > > > > I am now very sorry I went throught that email process with PGP. I'm > > actually hoping this is a widespread problem so that keyserver operators > > will start deleting those stupid signatures. If not, I am stuck with my > > key having a billion useless signatures on it. > > > > I'm so glad there is GnuPG with no corporate agenda!!! > > Thanks Werner et al. > > gpg --edit-key clean > > And setting the clean-sigs and clean-uids options on import-options, > export-options, and keyserver-options are our only defense until then. > > Like you, I refreshed from a SKS server and found 120 new sigs on my key, > ALL PGP Universal Keyserver. To my knowledge, the PGP GD doesn't sync with anyone. It would be interesting to know how/where these signatures are leaking into the keyserver net. > Over on PGP-Basics, someone asked what was the purpose of the 'clean' > command in GnuPG. A good friend of mine replied, "It undoes the damage > caused by the PGP Universal key server." > > Like you, I regret ever submitting my key to that nightmare. I ignored all > the renewal emails. > > I can't say if the PGP signatures were always the problem, but importing my > full keyring to clean it in the process reduced a 750 key ring from ~8MB to > ~6MB, just under 1/3 (32%) reduction. > > Maybe --clean-keys could be added as a command to GnuPG, like --check-sigs. Do you think this is that useful? I had expected people to treat clean-* as a "set it and forget it" feature and let GnuPG handle the keyring. Note that if clean-* is set, doing a --refresh-keys, as many people do every now and then, effectively runs clean on each key. > Perhaps autocleaning keys is something the SKS keyserver folks will > introduce. They seem to have the only active development taking place. Would be difficult to do in SKS. You need to be able to verify signatures (so cleaning doesn't remove the wrong signature), and right now SKS doesn't verify signatures. David From alon.barlev at gmail.com Wed Sep 7 09:43:34 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed Sep 7 08:43:08 2005 Subject: OpenPGP Card In-Reply-To: <001801c5b32b$a0e699c0$0302a8c0@enterprise> Message-ID: David Picon Alvarez wrote: > Options 4 and 5 are much preferable to option 0 (GnuPG implements PKCS#11 and people use non-free drivers) and not implementing > PKCS#11 might put some optimizing pressure in this direction. Again, you are wrong. There is not point in writing a low level code in each application to support each card it is NxN situation, not wise. Had you written that if vendors would have published their low-level interface, which is expected to be different since every one offers a different set of features, and someone would have written a GPLed PKCS#11 provider for each card, I could almost agree with you that this is the right way to go... Why almost? Since the software you are communicating with, which runs on the smartcard device, is proprietary... And I am completely not agree with you that there is a difference between sending proprietary APDUs or using an API. I think you reach the same state no matter how you look on it. I am still waiting for FSF response, does anyone knows someone there how can help in resolving this issue? Best Regards, Alon Bar-Lev. From wk at gnupg.org Wed Sep 7 08:57:24 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 7 09:01:27 2005 Subject: OpenPGP Card In-Reply-To: <431DA006.6000807@globalnet.hr> (Zeljko Vrba's message of "Tue, 06 Sep 2005 15:56:22 +0200") References: <431C7912.5080407__34242.7164003768$1125939585$gmane$org@globalnet.hr> <431DA006.6000807@globalnet.hr> Message-ID: <87zmqpwejv.fsf@wheatstone.g10code.de> On Tue, 06 Sep 2005 15:56:22 +0200, Zeljko Vrba said: > 2. OpenPGP trust model isn't as 'strong' as X.509 (i.e. there aren't > many trusted introducers) OpenPGP does not define any trust model. Instead it provides the mechanisms to implement any kind of trust modell on top of it. Salam-Shalom, Werner From eleuteri at myrealbox.com Wed Sep 7 10:24:33 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Wed Sep 7 10:24:43 2005 Subject: OpenPGP Card References: Message-ID: <005e01c5b385$94530c20$0302a8c0@enterprise> > There is not point in writing a low level code in each application to > support each card it is NxN situation, not wise. The truth is that if cards were more ISO compliant this situation would not be a big deal. Also I'm sure a lot of this code could be shared among apps. Anyway, I'm a gpg user and I do appreciate your effort in making gpg more capable, best of luck. --David. From alphasigmax at gmail.com Wed Sep 7 12:17:12 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 12:19:37 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <20050906220328.GB3400@jabberwocky.com> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> <20050906220328.GB3400@jabberwocky.com> Message-ID: <431EBE28.3040507@gmail.com> David Shaw wrote: > On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote: > >>Kurt Fitzner wrote: >> >>gpg --edit-key clean >> >>And setting the clean-sigs and clean-uids options on import-options, >>export-options, and keyserver-options are our only defense until then. >> >>Like you, I refreshed from a SKS server and found 120 new sigs on my key, >>ALL PGP Universal Keyserver. > > > To my knowledge, the PGP GD doesn't sync with anyone. It would be > interesting to know how/where these signatures are leaking into the > keyserver net. > Probably some PGP users who are "automagically" synchronising their entire keyrings with multiple keyservers, leaking keys that their owners would rather not have on the keyservers in the process :( -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alphasigmax at gmail.com Wed Sep 7 12:25:12 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 12:27:37 2005 Subject: OpenPGP Card In-Reply-To: <431E0745.5040909@gmail.com> References: <003001c5b324$1b291940$0302a8c0@enterprise> <431E0745.5040909@gmail.com> Message-ID: <431EC008.5020500@gmail.com> Alon Bar-Lev wrote: > David Picon Alvarez wrote: > > I dropped all stuff regarding the differences using API and > communication... I think you are wrong, there is exception for the > rules... I try now to contact FSF for a formal position. > >> >> The lawyer who wrote GPL wrote it with the explicit intent to incentive >> programmers to write free software and keep software free. Allowing >> linkage >> to or from NON-GPL code is generally considered to be >> counterproductive for >> the purposes stated. >> > > Here is what you imply... And it is so sad that I want to cry :-( > > On Microsoft platform, there is an API called CryptoAPI which is > provided as part of the operating system. > This API uses CSPs (Cryptographic Service Providers) that is provided by > the smart card vendors. > You trust the Microsoft CryptoAPI? Well why don't you just run Windows, which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in the CryptoAPI? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alphasigmax at gmail.com Wed Sep 7 12:32:56 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 12:35:38 2005 Subject: OpenPGP Card In-Reply-To: <87d5nmxcp8.fsf@wheatstone.g10code.de> References: <431DD366.1030405@globalnet.hr> <87d5nmxcp8.fsf@wheatstone.g10code.de> Message-ID: <431EC1D8.7090809@gmail.com> Werner Koch wrote: > On Tue, 06 Sep 2005 19:35:34 +0200, Zeljko Vrba said: > > >>As Alon did remark earlier, the general movement in the industry is >>towards multi-purpose smart-cards. OpenPGP card currently doesn't fall >>into this category. > > > Not true. The OpenPGP card specification is a card application and > you may put as many other applications on a card as you like and the > EEPROM allows to. With 6k (and even less possible) it is actually a > pretty small application. > Um... slightly OT, but... 1. What's the standard size of the EEPROM on a smartcard suitable for OpenPGP? 2. What else could you fit on such a card? 3. Is it possible to have multiple things on a smartcard without them conflicting? Thanks, -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From johnmoore3rd at joimail.com Wed Sep 7 12:38:04 2005 From: johnmoore3rd at joimail.com (John W. Moore III) Date: Wed Sep 7 12:38:24 2005 Subject: OpenPGP Card In-Reply-To: <431EC008.5020500@gmail.com> References: <003001c5b324$1b291940$0302a8c0@enterprise> <431E0745.5040909@gmail.com> <431EC008.5020500@gmail.com> Message-ID: <431EC30C.7020006@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Alphax wrote: > You trust the Microsoft CryptoAPI? Well why don't you just run Windows, > which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt > X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in > the CryptoAPI? > Actually, Everyone with M$ on their Box is "running Windows!" Have you checked out Linspire? Ease of use, Linux based, shortage of progs unless one is "Compile Fluent." JOHN :) Timestamp: Wed 07 September 2005, 06:37 AM --400 (Eastern Daylight Time) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Public Key at: http://tinyurl.com/5ztc6 Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iEYEAREDAAYFAkMewwgACgkQnCmZhrerneUy4ACfYv7pODJJoyTYUOPKejkyhLCx lLIAoJ4Toht7BK6dwvsn86KvUljuAWTX =WTUD -----END PGP SIGNATURE----- From alon.barlev at gmail.com Wed Sep 7 13:43:22 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed Sep 7 12:42:56 2005 Subject: OpenPGP Card In-Reply-To: <431EC008.5020500@gmail.com> Message-ID: David Picon Alvarez wrote: > You trust the Microsoft CryptoAPI? Well why don't you just run Windows, > which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt > X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in > the CryptoAPI? No! this is not the issue of cryptography. It was an argument for the GPL position that some of the people here took. I am saying that if you take that stand, GPL application can enjoy the Microsoft environment more than the open source environment, and that it does not make sense to me... Please read the whole corresponding. Best Regards, Alon Bar-Lev. From alphasigmax at gmail.com Wed Sep 7 12:51:46 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 12:54:18 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431EC642.4040906@gmail.com> Alon Bar-Lev wrote: > > David Picon Alvarez wrote: > > > >>You trust the Microsoft CryptoAPI? Well why don't you just run Windows, >>which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt >>X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in >>the CryptoAPI? > > > No! this is not the issue of cryptography. > It was an argument for the GPL position that some of the people here took. > I am saying that if you take that stand, GPL application can enjoy the > Microsoft environment more than the open source environment, and that it > does not make sense to me... > Please read the whole corresponding. > I understand. The only place in the GPL where libraries are mentioned is in reference to the LGPL. Using the Microsoft CryptoAPI doesn't appear to be legal; AFAICT, this is similar to the reason why Enigmail insists on GPG instead of being able to interface with PGP on Windows systems. In that case, it appears that GNU/Linux has the upper hand, because at least there are *some* GPL/LGPL libraries available for what you want. With Windows, it appears that everything is proprietary. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alex at bofh.net.pl Wed Sep 7 13:13:02 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Wed Sep 7 13:14:16 2005 Subject: OpenPGP Card In-Reply-To: <431EC1D8.7090809@gmail.com> References: <431DD366.1030405@globalnet.hr> <87d5nmxcp8.fsf@wheatstone.g10code.de> <431EC1D8.7090809@gmail.com> Message-ID: <20050907111302.GG16716@syjon.fantastyka.net> On Wed, Sep 07, 2005 at 08:02:56PM +0930, Alphax wrote: > > Not true. The OpenPGP card specification is a card application and > > you may put as many other applications on a card as you like and the > > EEPROM allows to. With 6k (and even less possible) it is actually a > > pretty small application. > 3. Is it possible to have multiple things on a smartcard without them > conflicting? This is what Werner above said. An card application is a ,,partition'' on a card that is used for one purpose. I think you can access OpenPGP card from other computer app and use it as any other crypto smartcard, and it won't interfere with OpenPGP stuff on it. Alex PS> The whole discussion made me curious; I worked with smartcards extensively few years ago and was grossly disappointed with the stuff from the development side, but times they are a'changin... Where can I purchase a couple of OpenPGP cards and readers suitable for use with Debian? Preferably within the European Union. -- mors ab alto 0x46399138 From eleuteri at myrealbox.com Wed Sep 7 13:14:24 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Wed Sep 7 13:14:32 2005 Subject: OpenPGP Card References: Message-ID: <002201c5b39d$4eed7770$0302a8c0@enterprise> From: "Alon Bar-Lev" > David Picon Alvarez wrote: > > You trust the Microsoft CryptoAPI? Well why don't you just run Windows, > > which Microsoft Says is Perfectly Secure, and use Microsoft's inbuilt > > X.509 instead of OpenPGP, since Microsoft Guarantees No Back Doors in > > the CryptoAPI? No, I didn't. That's to say I've been misquoted. That's written by alfax, not me. --David. From eleuteri at myrealbox.com Wed Sep 7 13:18:52 2005 From: eleuteri at myrealbox.com (David Picon Alvarez) Date: Wed Sep 7 13:19:03 2005 Subject: OpenPGP Card References: <431EC642.4040906@gmail.com> Message-ID: <002b01c5b39d$eec12580$0302a8c0@enterprise> > The only place in the GPL where libraries are mentioned is in reference > to the LGPL. Using the Microsoft CryptoAPI doesn't appear to be legal; > AFAICT, this is similar to the reason why Enigmail insists on GPG > instead of being able to interface with PGP on Windows systems. Wrong. From alon.barlev at gmail.com Wed Sep 7 14:33:49 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed Sep 7 13:33:22 2005 Subject: OpenPGP Card In-Reply-To: <431EC642.4040906@gmail.com> Message-ID: Alphax wrote: > The only place in the GPL where libraries are mentioned is in reference to the LGPL. Using the Microsoft CryptoAPI doesn't appear to be legal; > AFAICT, this is similar to the reason why Enigmail insists on GPG instead of being able to interface with PGP on Windows systems. So you say that it is illeagal to run GPL software on windows or on AIX... It also make no sense... Since it is... Best Regards, Alon Bar-Lev. From alphasigmax at gmail.com Wed Sep 7 13:39:05 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 13:41:47 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431ED159.90207@gmail.com> Peter Gutmann wrote: > Alphax writes: > >>Zeljko Vrba wrote: >> >>>Joe Smith wrote: >>> >>>>For example, your CA can revoke your key leaving you with one key that >>>>is invalid X.509, but valid OpenPGP? Yuck! >>>> >>> >>>Using the X.509 cert and OpenPGP public key (having the same private >>>key) could be useful in the following scenario: >> >>Is that even allowed?? > > > SPENGLER (emphatic): Don't cross PGP and X.509. > > VENKMAN: Why not? > > SPENGLER: Trust me. It will be bad. > > VENKMAN: What do you mean "bad?" > > SPENGLER: It's hard to explain, but try to imagine Werner appearing suddenly > and beating you to death with a large copy of the GNU manifesto. > > VENKMAN (with military authority): That's it! No X.509. You guys are > dangerous. > Wait, where's Richard Stallman in all of this? :) -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alphasigmax at gmail.com Wed Sep 7 13:40:53 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 7 13:43:23 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431ED1C5.7070803@gmail.com> Alon Bar-Lev wrote: > Alphax wrote: >> The only place in the GPL where libraries are mentioned is in >> reference to the LGPL. Using the Microsoft CryptoAPI doesn't appear >> to be legal; AFAICT, this is similar to the reason why Enigmail >> insists on GPG instead of being able to interface with PGP on >> Windows systems. > > So you say that it is illeagal to run GPL software on windows or on > AIX... It also make no sense... Since it is... > No, I'm saying that a GPL program (Enigmail) can't interface with a proprietary application (PGP) but has to interface with a GPL application (GnuPG). I'm not sure how interfacing with such a program or library through a pipe would affect the situation. IANAL. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From pgut001 at cs.auckland.ac.nz Wed Sep 7 13:31:51 2005 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Wed Sep 7 14:07:14 2005 Subject: OpenPGP Card In-Reply-To: <431DA15C.1020205@gmail.com> Message-ID: Alphax writes: >Zeljko Vrba wrote: >> Joe Smith wrote: >>> For example, your CA can revoke your key leaving you with one key that >>> is invalid X.509, but valid OpenPGP? Yuck! >>> >> Using the X.509 cert and OpenPGP public key (having the same private >> key) could be useful in the following scenario: > >Is that even allowed?? SPENGLER (emphatic): Don't cross PGP and X.509. VENKMAN: Why not? SPENGLER: Trust me. It will be bad. VENKMAN: What do you mean "bad?" SPENGLER: It's hard to explain, but try to imagine Werner appearing suddenly and beating you to death with a large copy of the GNU manifesto. VENKMAN (with military authority): That's it! No X.509. You guys are dangerous. Peter. From zvrba at globalnet.hr Wed Sep 7 14:58:50 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Wed Sep 7 14:58:25 2005 Subject: OpenPGP Card In-Reply-To: <431EC1D8.7090809@gmail.com> References: <431DD366.1030405@globalnet.hr> <87d5nmxcp8.fsf@wheatstone.g10code.de> <431EC1D8.7090809@gmail.com> Message-ID: <431EE40A.4090005@globalnet.hr> Alphax wrote: > > 1. What's the standard size of the EEPROM on a smartcard suitable for > OpenPGP? > YOu have cards ranging from 8k to 64k > > 2. What else could you fit on such a card? > debit/credit applications, X.509 PKI applications, data-containers, etc. > > 3. Is it possible to have multiple things on a smartcard without them > conflicting? > yes. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050907/107f4d34/signature-0001.pgp From zvrba at globalnet.hr Wed Sep 7 15:30:39 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Wed Sep 7 15:30:05 2005 Subject: OpenPGP Card In-Reply-To: <005e01c5b385$94530c20$0302a8c0@enterprise> References: <005e01c5b385$94530c20$0302a8c0@enterprise> Message-ID: <431EEB7F.9020102@globalnet.hr> David Picon Alvarez wrote: >>There is not point in writing a low level code in each application to >>support each card it is NxN situation, not wise. > > > The truth is that if cards were more ISO compliant this situation would not > be a big deal. > Even if this were to happen, ISO still doesn't say anything about "big-iron" crypto HW (as Peter Guttmann called it). To use such HW hardware, you have only 4 options (as Peter already did once point them out): 1. PKCS#11 2. MS CAPI 3. vendor's proprietary API 4. do not support the HW at all Pick your poison :) Werner has chosen 4. for GnuPG, contrary to wishes of GnuPG users. PKCS#11 and MS CAPI are the only wide-spread APIs that solve the problem of _generic interfacing_ to crypto HW. Oh, I'm tired already of this. I'm waiting fot the FSF's verdict on the matter. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050907/cef8040f/signature.pgp From h-bar at skenbe.net Wed Sep 7 17:22:22 2005 From: h-bar at skenbe.net (Henrik O A Barkman) Date: Wed Sep 7 18:05:50 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431EBE28.3040507@gmail.com> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> <20050906220328.GB3400@jabberwocky.com> <431EBE28.3040507@gmail.com> Message-ID: <431F05AE.3040509@skenbe.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >>To my knowledge, the PGP GD doesn't sync with anyone. It would be >>interesting to know how/where these signatures are leaking into the >>keyserver net. > > Probably some PGP users who are "automagically" synchronising their > entire keyrings with multiple keyservers, leaking keys that their owners > would rather not have on the keyservers in the process :( That would have to be very zealous users, since I once found PGP GD signatures on one of my keys when I checked it on the SKS network. At the time, that key was known only by me, the SKS servers and the PGP GD. What users would download keys at random? - -- $\hbar$ -- http://skenbe.net/h-bar/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDHwWtQbA0YmDQIJURAr/1AKDMRnrldVIXflsE0V49HB6KQDUeIwCfWcyp jKE0IuwyLm9ma58R0OmDxWM= =SRF3 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Sep 7 18:21:53 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 7 18:22:41 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431EBE28.3040507@gmail.com> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> <20050906220328.GB3400@jabberwocky.com> <431EBE28.3040507@gmail.com> Message-ID: <20050907162153.GB6764@jabberwocky.com> On Wed, Sep 07, 2005 at 07:47:12PM +0930, Alphax wrote: > David Shaw wrote: > > On Tue, Sep 06, 2005 at 01:36:37PM -0500, John Clizbe wrote: > > > >>Kurt Fitzner wrote: > >> > > >>gpg --edit-key clean > >> > >>And setting the clean-sigs and clean-uids options on import-options, > >>export-options, and keyserver-options are our only defense until then. > >> > >>Like you, I refreshed from a SKS server and found 120 new sigs on my key, > >>ALL PGP Universal Keyserver. > > > > > > To my knowledge, the PGP GD doesn't sync with anyone. It would be > > interesting to know how/where these signatures are leaking into the > > keyserver net. > > > > Probably some PGP users who are "automagically" synchronising their > entire keyrings with multiple keyservers, leaking keys that their owners > would rather not have on the keyservers in the process :( I'm not terribly familiar with the PGP 9 product, but does it even have a feature to do this? I seem to recall some notion of uploading changes to your own key, or changes to keys that you have signed, but not a way to upload changes to a whole keyring. It seems like an odd feature for a program to have. David From dirk.traulsen at lypso.de Wed Sep 7 17:41:27 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Wed Sep 7 18:39:37 2005 Subject: clean sigs Message-ID: <431F2647.32753.8EB4D6@localhost> Hi! I loaded a new key from a keyserver and cleaned it in the '--edit- key' shell. When I controlled the result with 'gpg --list-sigs 08B0A90B', I found a lot of expired signatures. If you look at the output at sigs from the key CA57AD7C, you see that there are 7 valid newer signatures from this key and a lot of older expired signatures. I thought, that these sigs should be deleted, if there is a newer valid signature from the same key. From zvrba at globalnet.hr Wed Sep 7 18:56:49 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Wed Sep 7 18:56:22 2005 Subject: OpenPGP Card In-Reply-To: References: Message-ID: <431F1BD1.2000208@globalnet.hr> Alon Bar-Lev wrote: > > But the work needs to be moved into gpg-agent... :( > You were referring to my PKCS#11 patch.. After studying the GPG architecture a bit, I think this needs to be moved into the scdaemon. gpg-agent actually does nothing with smart-cards - it uses scdaemon to do the work. Which is good, since the scdaemon's work is pretty simple; much simpler than that of gpg-agent's. The communication PROTOCOL (not API!) is publicly defined and is UNIX-socket based. I believe that writing a BSD-licensed PKCS#11 version of scdaemon is feasible. Then you use the 'p11-scdaemon' (let's call it that way) instead of the gpg's and voila! You have PKCS#11 support. Opinions? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050907/40e7f927/signature.pgp From alon.barlev at gmail.com Wed Sep 7 19:05:56 2005 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Wed Sep 7 19:10:32 2005 Subject: OpenPGP Card In-Reply-To: <431F1BD1.2000208@globalnet.hr> References: <431F1BD1.2000208@globalnet.hr> Message-ID: <431F1DF4.7030302@gmail.com> Zeljko Vrba wrote: > Alon Bar-Lev wrote: > > > >> But the work needs to be moved into gpg-agent... :( >> > You were referring to my PKCS#11 patch.. After studying the GPG > architecture a bit, I think this needs to be moved into the scdaemon. > gpg-agent actually does nothing with smart-cards - it uses scdaemon to > do the work. > > Which is good, since the scdaemon's work is pretty simple; much simpler > than that of gpg-agent's. > > The communication PROTOCOL (not API!) is publicly defined and is > UNIX-socket based. I believe that writing a BSD-licensed PKCS#11 version > of scdaemon is feasible. Then you use the 'p11-scdaemon' (let's call it > that way) instead of the gpg's and voila! You have PKCS#11 support. > > Opinions? Great! Super! Amazing! If you can do it with a little effort I will glad to check and use it. But after looking at the source... it does not looked like a very simple interface... Best Regards, Alon Bar-Lev. From zvrba at globalnet.hr Wed Sep 7 19:21:58 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Wed Sep 7 19:21:32 2005 Subject: OpenPGP Card In-Reply-To: <431F1DF4.7030302@gmail.com> References: <431F1BD1.2000208@globalnet.hr> <431F1DF4.7030302@gmail.com> Message-ID: <431F21B6.7060602@globalnet.hr> Alon Bar-Lev wrote: > > Great! Super! Amazing! > If you can do it with a little effort I will glad to check and use it. > Not so little. I don't have any card or PKCS#11 driver. Mozilla NSS is a pain to set up. I have no idea how to use its softtoken implementation. Opencryptoki uses ^$@@#$$#&^!!ng autotools bootstrap so I'm not even able to compile it for its softtoken! Obviously, I need *some* PKCS#11 to be able to test the thing :) > > But after looking at the source... it does not looked like a very simple > interface... > It is. Text-based. There is libassuan to help implement the details of the protocol if needed. libassuan is LGPL so there should be no license issues if it is used. Best regards, Zeljko. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050907/75530646/signature.pgp From dshaw at jabberwocky.com Wed Sep 7 19:23:06 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 7 19:23:43 2005 Subject: clean sigs In-Reply-To: <431F2647.32753.8EB4D6@localhost> References: <431F2647.32753.8EB4D6@localhost> Message-ID: <20050907172306.GC6764@jabberwocky.com> On Wed, Sep 07, 2005 at 05:41:27PM +0200, Dirk Traulsen wrote: > Hi! > > I loaded a new key from a keyserver and cleaned it in the '--edit- > key' shell. > When I controlled the result with 'gpg --list-sigs 08B0A90B', > I found a lot of expired signatures. If you look at the output at > sigs from the key CA57AD7C, you see that there are 7 valid newer > signatures from this key and a lot of older expired signatures. > I thought, that these sigs should be deleted, if there is a newer > valid signature from the same key. > > >From the man page: > > --edit-key KEY > clean sigs ... It also removes any signature > that is superceded by a later signature... I can't seem to duplicate your problem here. Are you sure you saved the result when you exited from --edit-key? David From stefan at fuhrmann.homedns.org Wed Sep 7 20:58:18 2005 From: stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Wed Sep 7 20:58:25 2005 Subject: cant sent a sig with inline openpgp Message-ID: <200509072058.34049.stefan@fuhrmann.homedns.org> Hello all, I use kubuntu with kmail and kgpg. When I try to send a mail with signature and I use "inline openpgp" then the sig is attached and not inline. I see this when I send a mail to winusers and outlook. Can someone tell me how I can send a signature inline? So PGP on outlook can read it? tia stefan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050907/2bc15156/attachment.pgp From benjamin at pythagoras.no-ip.org Wed Sep 7 21:29:21 2005 From: benjamin at pythagoras.no-ip.org (Benjamin Donnachie) Date: Wed Sep 7 21:38:24 2005 Subject: OpenPGP Card Message-ID: PLEASE PLEASE PLEASE stop cc'ing messages to me if they are also addressed to the list!!!! -- Benjamin benjamin@pythagoras.no-ip.org From david69 at charter.net Wed Sep 7 21:25:02 2005 From: david69 at charter.net (David) Date: Wed Sep 7 22:37:16 2005 Subject: cant sent a sig with inline openpgp In-Reply-To: <200509072058.34049.stefan@fuhrmann.homedns.org> References: <200509072058.34049.stefan@fuhrmann.homedns.org> Message-ID: <20050907192502.GA18225@localhost.localdomain> On Wed, Sep 07, 2005 at 08:58:18PM +0200, Stefan Fuhrmann wrote: > [...] I use kubuntu with kmail and kgpg. > When I try to send a mail with signature and I use "inline openpgp" then the > sig is attached and not inline. [...] I have the same problem with Mutt 1.5.9i & Gnupg 1.4.1 on Debian 3.1. I try to apply inline sig but the email is sent with mime sig. From lionel at mamane.lu Wed Sep 7 22:47:46 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Wed Sep 7 22:48:00 2005 Subject: OpenPGP Card In-Reply-To: <20050907111302.GG16716@syjon.fantastyka.net> References: <431DD366.1030405@globalnet.hr> <87d5nmxcp8.fsf@wheatstone.g10code.de> <431EC1D8.7090809@gmail.com> <20050907111302.GG16716@syjon.fantastyka.net> Message-ID: <20050907204746.GA6265@tofu.mamane.lu> On Wed, Sep 07, 2005 at 01:13:02PM +0200, Janusz A. Urbanowicz wrote: > PS> The whole discussion made me curious; I worked with smartcards > extensively few years ago and was grossly disappointed with the stuff from > the development side, but times they are a'changin... Where can I purchase a > couple of OpenPGP cards and readers suitable for use with Debian? Preferably > within the European Union. http://www.kernelconcepts.de/products/security.shtml (Web site in German, but they speak English if you call or email them.) -- Lionel From btober at seaworthysys.com Wed Sep 7 23:29:18 2005 From: btober at seaworthysys.com (Berend Tober) Date: Wed Sep 7 23:33:24 2005 Subject: How to run a key server Message-ID: <431F5BAE.7000506@seaworthysys.com> This may be a very silly question, but I want to know what is involved with running a key server? A manager has asked about whether we can somehow use "electronic signatures" on internal documents to reduce paper and printer costs as well as the problem of occasionally losing a printed piece of documentation that needs to get approved or signed by more than one person. Seems to me like gnupg is made for this kind of situation. Since this will be an internal infrastructure, I"m not concerned with providing a PKI to the *public*, but just to company employees. I'm thinking that there must be a server software package that handle this available somewhere, but my googling turns up mostly info on using gpg individually, more or less. There is a sourceforge project that seems to be the right tool, but it was listed as inactive. From cmetzke at gmail.com Wed Sep 7 23:50:57 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Wed Sep 7 23:51:36 2005 Subject: How to run a key server In-Reply-To: <431F5BAE.7000506@seaworthysys.com> References: <431F5BAE.7000506@seaworthysys.com> Message-ID: <431F60C1.90607@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Berend Tober wrote: > This may be a very silly question, but I want to know what is involved > with running a key server? > > A manager has asked about whether we can somehow use "electronic > signatures" on internal documents to reduce paper and printer costs as > well as the problem of occasionally losing a printed piece of > documentation that needs to get approved or signed by more than one > person. Seems to me like gnupg is made for this kind of situation. Since > this will be an internal infrastructure, I"m not concerned with > providing a PKI to the *public*, but just to company employees. I'm > thinking that there must be a server software package that handle this > available somewhere, but my googling turns up mostly info on using gpg > individually, more or less. There is a sourceforge project that seems to > be the right tool, but it was listed as inactive. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > You could just put a front-end on a particular gnupg install, and use it as a basic keyserver. I have written a rough php front-end to gnupg to do pretty much what you want ( I Think ). It can query a pubring for a public key, update Public Keys and add public keys. If you want the rough script, just send me an email and ill fire it off to you, it should give you some idea's at least of how to do what you need. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDH2DAiJKCWGgxIoARAia/AJ9928fsQpBxm9D45kLops/Lb880JwCgoQWs z/7iWU4EpmjlSBkexvzJkYc= =kCEk -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Sep 8 00:06:17 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 8 00:06:52 2005 Subject: How to run a key server In-Reply-To: <431F5BAE.7000506@seaworthysys.com> References: <431F5BAE.7000506@seaworthysys.com> Message-ID: <20050907220617.GE6764@jabberwocky.com> On Wed, Sep 07, 2005 at 05:29:18PM -0400, Berend Tober wrote: > This may be a very silly question, but I want to know what is involved > with running a key server? > > A manager has asked about whether we can somehow use "electronic > signatures" on internal documents to reduce paper and printer costs as > well as the problem of occasionally losing a printed piece of > documentation that needs to get approved or signed by more than one > person. Seems to me like gnupg is made for this kind of situation. Since > this will be an internal infrastructure, I"m not concerned with > providing a PKI to the *public*, but just to company employees. I'm > thinking that there must be a server software package that handle this > available somewhere, but my googling turns up mostly info on using gpg > individually, more or less. There is a sourceforge project that seems to > be the right tool, but it was listed as inactive. There are three good ways to do this: First is SKS While SKS is most commonly used for public keyservers, there is no reason why you can't run it without synchronizing with other servers. The second is regular old LDAP. GnuPG can use keys stored on a LDAP server. This is often a good choice for internal infrastructure as many companies already have a LDAP server in use. The third is regular old HTTP. GnuPG can also fetch keys from a web server. This is not as easy as the other two options as you can't say "find me the key with email address abcd@example.com" or the like, but for some usages this ability is not necessary. David From kfitzner at excelcia.org Thu Sep 8 04:21:24 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Thu Sep 8 04:21:51 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <20050906220328.GB3400@jabberwocky.com> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> <20050906220328.GB3400@jabberwocky.com> Message-ID: <431FA024.70100@excelcia.org> David Shaw wrote: > Would be difficult to do in SKS. You need to be able to verify > signatures (so cleaning doesn't remove the wrong signature), and right > now SKS doesn't verify signatures. The problem isn't widespread in that other keyservers are doing this sort of thing. A simple explicit deletion of all PGP directory keys would suffice. Plus, it would send a message to PGP about their behavior in bloating the key infrastructure when there are lots of more technically elegant solutions to what they were doing. Kurt. From dshaw at jabberwocky.com Thu Sep 8 04:48:51 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 8 05:01:04 2005 Subject: PGP global directory cruft in keyservers In-Reply-To: <431FA024.70100@excelcia.org> References: <431D630C.6010208@excelcia.org> <431DE1B5.6040002@comcast.net> <20050906220328.GB3400@jabberwocky.com> <431FA024.70100@excelcia.org> Message-ID: <20050908024851.GB7551@jabberwocky.com> On Wed, Sep 07, 2005 at 08:21:24PM -0600, Kurt Fitzner wrote: > David Shaw wrote: > > > Would be difficult to do in SKS. You need to be able to verify > > signatures (so cleaning doesn't remove the wrong signature), and right > > now SKS doesn't verify signatures. > > The problem isn't widespread in that other keyservers are doing this > sort of thing. A simple explicit deletion of all PGP directory keys > would suffice. Plus, it would send a message to PGP about their > behavior in bloating the key infrastructure when there are lots of more > technically elegant solutions to what they were doing. Dropping all signatures that match a particular key ID would indeed resolve a significant piece of the problem (and you don't need crypto support in the keyservers for that), but I don't agree that this is the fault of PGP. PGP isn't sending these signatures out. PGP doesn't sync with anyone, in or out. The question to ask is not how to make PGP stop, but how are the signatures leaking from their isolated island server? I've gotten a number of private emails today from PGP 9 users who indicate that PGP 9 has *no* functionality to bridge a key and say it must be done manually. Any keyserver operators care to trace down where the signatures are being injected from? David From gnichols at tpg.com.au Thu Sep 8 08:04:23 2005 From: gnichols at tpg.com.au (Graeme Nichols) Date: Thu Sep 8 08:50:43 2005 Subject: WinPT Message-ID: <000a01c5b43b$2ba5bf40$0101a8c0@youru51ci7l8m4> Maybe off topic.If so please point me in the right direction. OS is WIN XP SP2 I have just installed the latest WinPT front-end 1.0rc2 from their web site. I want to use my installed gpg 1.4.2 but it will not run. It produces an error stating that it needs gpg 1.1 or higher. It runs OK with the version 1.2.1 of gpg that came with it. Could someone advise me what to do please. Kind Regards, Graeme. From twoaday at gmx.net Thu Sep 8 09:28:34 2005 From: twoaday at gmx.net (Timo Schulz) Date: Thu Sep 8 09:35:29 2005 Subject: WinPT In-Reply-To: <000a01c5b43b$2ba5bf40$0101a8c0@youru51ci7l8m4> References: <000a01c5b43b$2ba5bf40$0101a8c0@youru51ci7l8m4> Message-ID: <20050908072834.GB1222@daredevil.joesixpack.net> On Thu Sep 08 2005; 16:04, Graeme Nichols wrote: > I have just installed the latest WinPT front-end 1.0rc2 from their web > site. I want to use my installed gpg 1.4.2 but it will not run. It produces > an error stating that it needs gpg 1.1 or higher. It runs OK with the The SF.net site of WinPT is not longer the primary download site. Please try http://www.winpt.org and get 0.10.1 which is the newest WinPT version. It also works with GPG 1.4.x. There is a link to an English installer, but make sure you remove the old 1.0rc2 installer before. Timo From wk at gnupg.org Thu Sep 8 10:15:38 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 8 10:21:45 2005 Subject: OpenPGP Card In-Reply-To: <431EEB7F.9020102@globalnet.hr> (Zeljko Vrba's message of "Wed, 07 Sep 2005 15:30:39 +0200") References: <005e01c5b385$94530c20$0302a8c0@enterprise> <431EEB7F.9020102@globalnet.hr> Message-ID: <877jdsynyt.fsf@wheatstone.g10code.de> On Wed, 07 Sep 2005 15:30:39 +0200, Zeljko Vrba said: > 1. PKCS#11 > 2. MS CAPI > 3. vendor's proprietary API > 4. do not support the HW at all > Pick your poison :) > Werner has chosen 4. for GnuPG, contrary to wishes of GnuPG users. Not true. I simply do not have a 4758 or other tokens here. Having worked with that beast a couple of years ago I know that it will be very straightforward to integrate it into scdaemon (depending on the applications used on the 4758). Salam-Shalom, Werner From dirk.traulsen at lypso.de Thu Sep 8 10:25:20 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Thu Sep 8 10:23:29 2005 Subject: clean sigs In-Reply-To: <20050907172306.GC6764@jabberwocky.com> References: <431F2647.32753.8EB4D6@localhost> Message-ID: <43201190.444.425C7BC@localhost> Am 7 Sep 2005 um 19:23 hat David Shaw geschrieben: > I can't seem to duplicate your problem here. Are you sure you > saved the result when you exited from --edit-key? As you can see, I did. I get the message 'already clean', but the sigs are still there. In spite the output being partly in german, I think it will be ok for you. Dirk C:\>gpg --ed putty gpg (GnuPG) 1.4.2; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. pub 1024D/08B0A90B created: 2000-12-20 expires: niemals usage: CSA trust: unbekannt G?ltigkeit: unbekannt [ unknown] (1). PuTTY Releases (DSA) Befehl> clean sigs User ID "PuTTY Releases (DSA) ": already clean. Befehl> q C:\>gpg --list-sigs putty Schl?sselbund: C:\Dokumente und Einstellungen\Dirk\Anwendungsdaten\gnupg\pubring .gpg ---------------------------------------------------------------------- ---------- ---- pub 1024D/08B0A90B 2000-12-20 uid PuTTY Releases (DSA) sig 3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig 30B94B5C 2005-05-24 [User-ID nicht gefunden] sig 2 348DA95A 2005-04-06 [User-ID nicht gefunden] sig 50376667 2003-07-04 [User-ID nicht gefunden] sig 56C5DD90 2003-06-24 [User-ID nicht gefunden] sig 5DC3F473 2004-10-26 [User-ID nicht gefunden] sig 66A14468 2004-10-26 [User-ID nicht gefunden] sig 2 66A9A510 2005-01-27 [User-ID nicht gefunden] sig 677BA1EC 2004-10-26 [User-ID nicht gefunden] sig 6A93B34E 2000-12-20 [User-ID nicht gefunden] sig 9DB2B5BC 2003-07-04 [User-ID nicht gefunden] sig ADEB818B 2003-07-04 [User-ID nicht gefunden] sig CA57AD7C 2005-09-04 [User-ID nicht gefunden] sig CA57AD7C 2005-09-02 [User-ID nicht gefunden] sig CA57AD7C 2005-08-31 [User-ID nicht gefunden] sig CA57AD7C 2005-08-30 [User-ID nicht gefunden] sig CA57AD7C 2005-08-28 [User-ID nicht gefunden] sig CA57AD7C 2005-08-27 [User-ID nicht gefunden] sig CA57AD7C 2005-08-27 [User-ID nicht gefunden] sig X CA57AD7C 2005-08-21 [User-ID nicht gefunden] sig X CA57AD7C 2005-08-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-29 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-24 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-11 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-10 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-20 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-19 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-30 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-17 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-01 [User-ID nicht gefunden] sig X CA57AD7C 2005-04-17 [User-ID nicht gefunden] sig X CA57AD7C 2005-04-03 [User-ID nicht gefunden] sig X CA57AD7C 2005-03-20 [User-ID nicht gefunden] sig X CA57AD7C 2005-03-05 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-19 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-16 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-07 [User-ID nicht gefunden] sig X CA57AD7C 2005-01-25 [User-ID nicht gefunden] sig X CA57AD7C 2005-01-11 [User-ID nicht gefunden] sig CC350332 2002-06-17 [User-ID nicht gefunden] sig E213B692 2004-10-26 [User-ID nicht gefunden] From oskar at rbgi.net Thu Sep 8 19:26:10 2005 From: oskar at rbgi.net (Oskar L.) Date: Thu Sep 8 19:26:46 2005 Subject: No Debian package for 1.4.2 In-Reply-To: References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> Message-ID: <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Does anyone know why there still isn't a Debian package for version 1.4.2 of GnuPG? http://packages.debian.org/gnupg Oskar From jam at jamux.com Thu Sep 8 21:28:52 2005 From: jam at jamux.com (John A. Martin) Date: Thu Sep 8 21:52:27 2005 Subject: No Debian package for 1.4.2 References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Message-ID: <87mzmntl3f.fsf@athene.jamux.com> >>>>> "Oskar" == Oskar L >>>>> "No Debian package for 1.4.2" >>>>> Thu, 8 Sep 2005 20:26:10 +0300 (EEST) Oskar> Does anyone know why there still isn't a Debian package for Oskar> version 1.4.2 of GnuPG? http://packages.debian.org/gnupg You can file a Debian wishlist bug report against gnupg. See . jam -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 154 bytes Desc: not available Url : /pipermail/attachments/20050908/585b1af9/attachment.pgp From dshaw at jabberwocky.com Thu Sep 8 22:00:13 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 8 22:00:51 2005 Subject: clean sigs In-Reply-To: <43201190.444.425C7BC@localhost> References: <431F2647.32753.8EB4D6@localhost> <43201190.444.425C7BC@localhost> Message-ID: <20050908200013.GA10234@jabberwocky.com> On Thu, Sep 08, 2005 at 10:25:20AM +0200, Dirk Traulsen wrote: > Am 7 Sep 2005 um 19:23 hat David Shaw geschrieben: > > > I can't seem to duplicate your problem here. Are you sure you > > saved the result when you exited from --edit-key? > > As you can see, I did. > I get the message 'already clean', but the sigs are still there. > In spite the output being partly in german, I think it will be ok for > you. I'm trying, but I still can't duplicate the problem. Can you put together a simple keyring and simple gpg.conf file that still shows the problem? David From dirk.traulsen at lypso.de Fri Sep 9 00:33:47 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Fri Sep 9 00:32:01 2005 Subject: clean sigs In-Reply-To: <20050908200013.GA10234@jabberwocky.com> References: <43201190.444.425C7BC@localhost> Message-ID: <4320D86B.26826.72E8F05@localhost> Am 8 Sep 2005 um 16:00 hat David Shaw geschrieben: > I'm trying, but I still can't duplicate the problem. Can you put > together a simple keyring and simple gpg.conf file that still shows > the problem? I did what you asked me to do and now I'm completely confused! First I deleted my gpg.conf, the keyrings and the trustdb. Then I fetched the key 08B0A90B from the keyserver 'random.sks.keyserver.penguin.de' and it was the same as yesterday: 47 sigs with a lot of old expired sigs from the same key (see output1 below) and 'clean' later removed just one self sig and all the old ones were still there. As 'clean' did the same as yesterday, it had nothing to do with my gpg.conf, keyrings or trustdb. Now I have three additional problems: 1. The same key from the same keyserver just one day later, but if you compare it with my output in my mail from yesterday, you see that the sigs are in a completely different order! Why? Aren't they always in the same order in the key? 2. There is a line after the '--recv-key' which I don't understand: 'gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 gefunden' (my english translation: gpg: no ultimately trusted key 0022FA10 found) As you can see in the output, I didn't ask for this key. There are no keyrings or trustdb, as I deleted them before. I don't know this key and I couldn't find it at the keyservers. Why did gpg try to find this key? 3. Because now I was irritated, I did the same again with a different keyserver 'keyserver.kjsl.com' and I got a completely different result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, but only 15 sigs (see below output2). There was only a double self sig, which 'clean' removed later. How can this be, if the keyservers are synchronized? I repeated this twice with the same outcome. The keys are different and 'clean' doesn't work on the larger one. My system is gpg 1.4.2 on WinXP Home with the latest updates. David, I really hope, you can reproduce it now or at least get an idea what's going on. Dirk ++++++++++++++ Output1 +++++++++++++++++++ C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg -k gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\secring.gpg' erstellt gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\pubring.gpg' erstellt gpg: C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\trustdb.gpg: trust-db erzeugt C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg --keyserver random.sks.keyserver.penguin.de --recv-key 08b0a90b gpg: requesting key 08B0A90B from hkp server random.sks.keyserver.penguin.de gpg: key 08B0A90B: public key "PuTTY Releases (DSA) " imported gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 gefunden gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg --list-sigs putty pub 1024D/08B0A90B 2000-12-20 uid PuTTY Releases (DSA) sig 6A93B34E 2000-12-20 [User-ID nicht gefunden] sig CC350332 2002-06-17 [User-ID nicht gefunden] sig 56C5DD90 2003-06-24 [User-ID nicht gefunden] sig ADEB818B 2003-07-04 [User-ID nicht gefunden] sig 50376667 2003-07-04 [User-ID nicht gefunden] sig 9DB2B5BC 2003-07-04 [User-ID nicht gefunden] sig 677BA1EC 2004-10-26 [User-ID nicht gefunden] sig E213B692 2004-10-26 [User-ID nicht gefunden] sig 5DC3F473 2004-10-26 [User-ID nicht gefunden] sig 30B94B5C 2005-05-24 [User-ID nicht gefunden] sig 2 66A9A510 2005-01-27 [User-ID nicht gefunden] sig 2 348DA95A 2005-04-06 [User-ID nicht gefunden] sig 3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig 3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig X CA57AD7C 2005-01-11 [User-ID nicht gefunden] sig X CA57AD7C 2005-01-25 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-07 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-16 [User-ID nicht gefunden] sig X CA57AD7C 2005-02-19 [User-ID nicht gefunden] sig X CA57AD7C 2005-03-05 [User-ID nicht gefunden] sig X CA57AD7C 2005-03-20 [User-ID nicht gefunden] sig X CA57AD7C 2005-04-03 [User-ID nicht gefunden] sig X CA57AD7C 2005-04-17 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-01 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-17 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-30 [User-ID nicht gefunden] sig X CA57AD7C 2005-05-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-19 [User-ID nicht gefunden] sig X CA57AD7C 2005-06-20 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-10 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-11 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-24 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-29 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-07-31 [User-ID nicht gefunden] sig X CA57AD7C 2005-08-15 [User-ID nicht gefunden] sig X CA57AD7C 2005-08-21 [User-ID nicht gefunden] sig CA57AD7C 2005-08-27 [User-ID nicht gefunden] sig CA57AD7C 2005-08-27 [User-ID nicht gefunden] sig CA57AD7C 2005-08-28 [User-ID nicht gefunden] sig CA57AD7C 2005-08-30 [User-ID nicht gefunden] sig CA57AD7C 2005-08-31 [User-ID nicht gefunden] sig CA57AD7C 2005-09-02 [User-ID nicht gefunden] sig CA57AD7C 2005-09-04 [User-ID nicht gefunden] sig 66A14468 2004-10-26 [User-ID nicht gefunden] +++++++++++++ Output2 +++++++++++++++++++++++ C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg -k gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\secring.gpg' erstellt gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\pubring.gpg' erstellt gpg: C:/Dokumente und Einstellungen/Chef/Anwendungsdaten/gnupg\trustdb.gpg: trust-db erzeugt C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg --keyserver keyserver.kjsl.com --recv-key 08b0a90b gpg: requesting key 08B0A90B from hkp server keyserver.kjsl.com gpg: key 08B0A90B: public key "PuTTY Releases (DSA) " imported gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 gefunden gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 C:\DOKUME~1\Chef\Anwendungsdaten\gnupg>gpg --list-sigs putty pub 1024D/08B0A90B 2000-12-20 uid PuTTY Releases (DSA) sig 3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig 3 08B0A90B 2000-12-20 PuTTY Releases (DSA) sig 30B94B5C 2005-05-24 [User-ID nicht gefunden] sig 2 348DA95A 2005-04-06 [User-ID nicht gefunden] sig 50376667 2003-07-04 [User-ID nicht gefunden] sig 56C5DD90 2003-06-24 [User-ID nicht gefunden] sig 5DC3F473 2004-10-26 [User-ID nicht gefunden] sig 66A14468 2004-10-26 [User-ID nicht gefunden] sig 2 66A9A510 2005-01-27 [User-ID nicht gefunden] sig 677BA1EC 2004-10-26 [User-ID nicht gefunden] sig 6A93B34E 2000-12-20 [User-ID nicht gefunden] sig 9DB2B5BC 2003-07-04 [User-ID nicht gefunden] sig ADEB818B 2003-07-04 [User-ID nicht gefunden] sig CC350332 2002-06-17 [User-ID nicht gefunden] sig E213B692 2004-10-26 [User-ID nicht gefunden] +++++++++++++++++++++++++++++++++++++++ From dshaw at jabberwocky.com Fri Sep 9 02:00:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 02:01:08 2005 Subject: clean sigs In-Reply-To: <4320D86B.26826.72E8F05@localhost> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> Message-ID: <20050909000025.GA10588@jabberwocky.com> On Fri, Sep 09, 2005 at 12:33:47AM +0200, Dirk Traulsen wrote: > Am 8 Sep 2005 um 16:00 hat David Shaw geschrieben: > > > I'm trying, but I still can't duplicate the problem. Can you put > > together a simple keyring and simple gpg.conf file that still shows > > the problem? > > I did what you asked me to do and now I'm completely confused! > > First I deleted my gpg.conf, the keyrings and the trustdb. > > Then I fetched the key 08B0A90B from the keyserver > 'random.sks.keyserver.penguin.de' and it was the same as yesterday: > 47 sigs with a lot of old expired sigs from the same key (see output1 > below) and 'clean' later removed just one self sig and all the old > ones were still there. As 'clean' did the same as yesterday, it had > nothing to do with my gpg.conf, keyrings or trustdb. > > Now I have three additional problems: > > 1. The same key from the same keyserver just one day later, but if > you compare it with my output in my mail from yesterday, you see that > the sigs are in a completely different order! Why? Aren't they always > in the same order in the key? No, they're not. The only requirement is that the signatures remain after the appropriate user ID. Within each user ID block, though, you can rearrange signatures without affecting anything so most programs don't give any particular effort to keeping them in order. > 2. There is a line after the '--recv-key' which I don't understand: > 'gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 > gefunden' > (my english translation: gpg: no ultimately trusted key 0022FA10 > found) > As you can see in the output, I didn't ask for this key. There are no > keyrings or trustdb, as I deleted them before. I don't know this key > and I couldn't find it at the keyservers. > Why did gpg try to find this key? GnuPG will look for your own key. Did you generate a key with that key ID? > 3. Because now I was irritated, I did the same again with a different > keyserver 'keyserver.kjsl.com' and I got a completely different > result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, > but only 15 sigs (see below output2). There was only a double self > sig, which 'clean' removed later. How can this be, if the keyservers > are synchronized? Looks like they're not all that well synchronized :) > David, I really hope, you can reproduce it now or at least get an > idea what's going on. Yes, I see what happened now. It's just a misunderstanding. "clean" can't work unless you have the key that issued the signature that you want cleaned (so it can know which signatures to remove). In your case, you need to fetch key CA57AD7C (the PGP GD key). Once you have that key, GnuPG can remove signatures that it has issued. David From eocsor at gmail.com Fri Sep 9 04:02:21 2005 From: eocsor at gmail.com (Roscoe) Date: Fri Sep 9 04:02:59 2005 Subject: No Debian package for 1.4.2 In-Reply-To: <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Message-ID: I imagine it's because stable is frozen. Hence only fixes will get in - and not new vewsions. (I maybe wrong on that.) (Naturally that only applies to stable..) Building and installing your own gnupg.deb from gnupg.org sources has significant merits though. (For those unfamilar its a three command process: dh_make, dpkg-buildpackage and dpkg -i) On 9/9/05, Oskar L. wrote: > Does anyone know why there still isn't a Debian package for version 1.4.2 > of GnuPG? http://packages.debian.org/gnupg > > Oskar > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jharris at widomaker.com Fri Sep 9 04:08:24 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Sep 9 04:08:38 2005 Subject: stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909000025.GA10588@jabberwocky.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> Message-ID: <20050909020824.GB643@wilma.widomaker.com> On Thu, Sep 08, 2005 at 08:00:25PM -0400, David Shaw wrote: > On Fri, Sep 09, 2005 at 12:33:47AM +0200, Dirk Traulsen wrote: > > 3. Because now I was irritated, I did the same again with a different > > keyserver 'keyserver.kjsl.com' and I got a completely different > > result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, > > but only 15 sigs (see below output2). There was only a double self > > sig, which 'clean' removed later. How can this be, if the keyservers > > are synchronized? > > Looks like they're not all that well synchronized :) Well, keyserver.ubuntu.com is still not participating in email syncs to non-SKS keyservers, but that's a different problem. keyserver.kjsl.com is now stripping all GD sigs. The extra variable in kd_search.c and code for 'case 2:' of make_keys_elem(), respectively: static unsigned char gdkeyid[8] = {0x97, 0x10, 0xB8, 0x9B, 0xCA, 0x57, 0xAD, 0x7C}; if ((keyid.size == 8) && (keyid.offset == 0) && (memcmp (keyid.data, gdkeyid, 8) == 0)) { break; } -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050908/60327e3c/attachment.pgp From dshaw at jabberwocky.com Fri Sep 9 04:28:29 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 04:29:09 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909020824.GB643@wilma.widomaker.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> Message-ID: <20050909022829.GB10588@jabberwocky.com> On Thu, Sep 08, 2005 at 10:08:24PM -0400, Jason Harris wrote: > On Thu, Sep 08, 2005 at 08:00:25PM -0400, David Shaw wrote: > > On Fri, Sep 09, 2005 at 12:33:47AM +0200, Dirk Traulsen wrote: > > > > 3. Because now I was irritated, I did the same again with a different > > > keyserver 'keyserver.kjsl.com' and I got a completely different > > > result! When I fetched the key 08B0A90B, here it didn't have 47 sigs, > > > but only 15 sigs (see below output2). There was only a double self > > > sig, which 'clean' removed later. How can this be, if the keyservers > > > are synchronized? > > > > Looks like they're not all that well synchronized :) > > Well, keyserver.ubuntu.com is still not participating in email syncs > to non-SKS keyservers, but that's a different problem. > > keyserver.kjsl.com is now stripping all GD sigs. The extra variable > in kd_search.c and code for 'case 2:' of make_keys_elem(), respectively: It's your keyserver, and you of course make the choices for what it carries, but for the record, I think this is a bad idea. Skipping the usual discussion about the GD (I don't think anyone will convince anyone else at this point), you do realize that this means you are making a decision to edit the web of trust for others based on your own personal criteria. I'd be all in favor of an option where users could elect to filter out keys: that would put the user in control. Forcing your decision on others by stripping signatures is a very disturbing step. David From jharris at widomaker.com Fri Sep 9 05:10:23 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Sep 9 05:10:31 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909022829.GB10588@jabberwocky.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> Message-ID: <20050909031023.GC643@wilma.widomaker.com> On Thu, Sep 08, 2005 at 10:28:29PM -0400, David Shaw wrote: > On Thu, Sep 08, 2005 at 10:08:24PM -0400, Jason Harris wrote: > > keyserver.kjsl.com is now stripping all GD sigs. The extra variable > > in kd_search.c and code for 'case 2:' of make_keys_elem(), respectively: > > It's your keyserver, and you of course make the choices for what it > carries, but for the record, I think this is a bad idea. Skipping the > usual discussion about the GD (I don't think anyone will convince > anyone else at this point), you do realize that this means you are > making a decision to edit the web of trust for others based on your > own personal criteria. > > I'd be all in favor of an option where users could elect to filter out > keys: that would put the user in control. Forcing your decision on > others by stripping signatures is a very disturbing step. Not at all. Anyone who wants sigs from the GD should use that keyserver. They're still available from it, and, remember, expired sigs don't affect the WoT, so what's the point of the well-synchronized keyservers keeping GD sigs? -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050908/1780e9ee/attachment.pgp From dshaw at jabberwocky.com Fri Sep 9 05:23:08 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 05:29:54 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909031023.GC643@wilma.widomaker.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> <20050909031023.GC643@wilma.widomaker.com> Message-ID: <20050909032308.GC10588@jabberwocky.com> On Thu, Sep 08, 2005 at 11:10:23PM -0400, Jason Harris wrote: > On Thu, Sep 08, 2005 at 10:28:29PM -0400, David Shaw wrote: > > On Thu, Sep 08, 2005 at 10:08:24PM -0400, Jason Harris wrote: > > > > keyserver.kjsl.com is now stripping all GD sigs. The extra variable > > > in kd_search.c and code for 'case 2:' of make_keys_elem(), respectively: > > > > It's your keyserver, and you of course make the choices for what it > > carries, but for the record, I think this is a bad idea. Skipping the > > usual discussion about the GD (I don't think anyone will convince > > anyone else at this point), you do realize that this means you are > > making a decision to edit the web of trust for others based on your > > own personal criteria. > > > > I'd be all in favor of an option where users could elect to filter out > > keys: that would put the user in control. Forcing your decision on > > others by stripping signatures is a very disturbing step. > > Not at all. Anyone who wants sigs from the GD should use that > keyserver. They're still available from it, and, remember, > expired sigs don't affect the WoT, so what's the point of the > well-synchronized keyservers keeping GD sigs? You're not dropping expired signatures. You're dropping all signatures from a particular key - expired or not. Those signatures are part of the web of trust. The web of trust now has a different view from your keyserver than from the rest of the world. If I ran a keyserver, would it be appropriate for me to drop all signatures from your key D39DA0E3 simply because they're available somewhere else? Personal opinions as to the usefulness of signatures should not be a factor in what a keyserver stores. It's a very dangerous path to go down: do you also strip signatures from someone "known" to be a bad signer? What's the criteria for inclusion in your keyserver? Is it stated somewhere so users can read it? David From jharris at widomaker.com Fri Sep 9 06:22:00 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Sep 9 06:22:11 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909032308.GC10588@jabberwocky.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> <20050909031023.GC643@wilma.widomaker.com> <20050909032308.GC10588@jabberwocky.com> Message-ID: <20050909042200.GD643@wilma.widomaker.com> On Thu, Sep 08, 2005 at 11:23:08PM -0400, David Shaw wrote: > On Thu, Sep 08, 2005 at 11:10:23PM -0400, Jason Harris wrote: > > Not at all. Anyone who wants sigs from the GD should use that > > keyserver. They're still available from it, and, remember, > > expired sigs don't affect the WoT, so what's the point of the > > well-synchronized keyservers keeping GD sigs? > > You're not dropping expired signatures. You're dropping all > signatures from a particular key - expired or not. Those signatures > are part of the web of trust. The web of trust now has a different > view from your keyserver than from the rest of the world. Indeed, all keyservers (except the GD) should drop GD sigs. > If I ran a keyserver, would it be appropriate for me to drop all > signatures from your key D39DA0E3 simply because they're available > somewhere else? keyserver.pgp.com doesn't synchronize with other keyservers, by design, which they maintain to be a GoodThing(TM). Are you currently insinuating that the GD sigs should spam the well-synchronized keyservers? > Personal opinions as to the usefulness of signatures should not be a > factor in what a keyserver stores. It's a very dangerous path to go > down: do you also strip signatures from someone "known" to be a bad > signer? What's the criteria for inclusion in your keyserver? Is it > stated somewhere so users can read it? Right now, TTBOMK, only the GD is, indeed, ""known" to be a bad signer." -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050909/0b6ab6f5/attachment.pgp From cmetzke at gmail.com Fri Sep 9 07:16:53 2005 From: cmetzke at gmail.com (Cameron Metzke) Date: Fri Sep 9 07:17:36 2005 Subject: No Debian package for 1.4.2 In-Reply-To: References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Message-ID: <43211AC5.2040202@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Roscoe wrote: > I imagine it's because stable is frozen. Hence only fixes will get > in - and not new vewsions. (I maybe wrong on that.) (Naturally that > only applies to stable..) > > Building and installing your own gnupg.deb from gnupg.org sources > has significant merits though. (For those unfamilar its a three > command process: dh_make, dpkg-buildpackage and dpkg -i) > > > On 9/9/05, Oskar L. wrote: > >> Does anyone know why there still isn't a Debian package for >> version 1.4.2 of GnuPG? http://packages.debian.org/gnupg >> >> Oskar >> >> _______________________________________________ Gnupg-users >> mailing list Gnupg-users@gnupg.org >> http://lists.gnupg.org/mailman/listinfo/gnupg-users >> > > _______________________________________________ Gnupg-users mailing > list Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > Since I just updated my ubuntu version of GunPG to 1.4.2, and noticed this message to the list i thought I would upload the deb package I put together. It's there if you want it basically :) http://www.cameronmetzke.com/folder/software/debs/gnupg-1.4.2_1.4.2-1_i386.deb If you do use it, any feedback would be appreciated as to any problems you might encounter. It worked fine for me, I only had to change the path to the executable in enigmail to /usr/local/bin/gpg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDIRrFiJKCWGgxIoARAo1DAKC1GVlSBH8ULBVomfMSw2/vilQSNwCglEWy 4mz/6WADzMBIVGyLNU0GB1o= =xsmY -----END PGP SIGNATURE----- From erwan at rail.eu.org Fri Sep 9 08:09:51 2005 From: erwan at rail.eu.org (Erwan David) Date: Fri Sep 9 09:16:43 2005 Subject: No Debian package for 1.4.2 In-Reply-To: References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Message-ID: <20050909060951.GA474@ratagaz.depot.rail.eu.org> Le Fri 9/09/2005, Roscoe disait > I imagine it's because stable is frozen. Hence only fixes will get in > - and not new vewsions. > (I maybe wrong on that.) > (Naturally that only applies to stable..) But unsable still has 1.4.1 -- Erwan From alex at bofh.net.pl Fri Sep 9 11:23:19 2005 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Fri Sep 9 11:24:27 2005 Subject: No Debian package for 1.4.2 In-Reply-To: References: <200509051540.j85FeQEh010957@vulcan.xs4all.nl> <2200.213.169.30.81.1126200370.squirrel@mail.rbgi.net> Message-ID: <20050909092319.GA8662@syjon.fantastyka.net> On Fri, Sep 09, 2005 at 11:32:21AM +0930, Roscoe wrote: > I imagine it's because stable is frozen. Hence only fixes will get in > - and not new vewsions. > (I maybe wrong on that.) > (Naturally that only applies to stable..) > > Building and installing your own gnupg.deb from gnupg.org sources has > significant merits though. > (For those unfamilar its a three command process: dh_make, > dpkg-buildpackage and dpkg -i) In general you don't want packages built this way on a stable (production) system. Even with trivial software, some hand-tweaking is always needed. The new GPG will appear in unstable when James Troup (GPG package maintainer) will update it. Then, to obtain sarge package download the source package and dpkg-buildpackage it. The kosher and kind way to notify James that new gpg is important, file a severity=wishlist bug agains gnupg with text that you miss gnupg so much in unstable :-). Alex -- mors ab alto 0x46399138 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050909/20d02c37/attachment.pgp From johanw at vulcan.xs4all.nl Fri Sep 9 11:02:56 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Sep 9 11:39:01 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909022829.GB10588@jabberwocky.com> Message-ID: <200509090902.j8992ugd002912@vulcan.xs4all.nl> David Shaw wrote: >I'd be all in favor of an option where users could elect to filter out >keys: that would put the user in control. Forcing your decision on >others by stripping signatures is a very disturbing step. Considering the behaviour of the GD, I'd say it's also a practical issue about resources: if it keeps signing keys like this, an SKS server might well be in need of seriously more hardware than it is now. Someone's got to pay for that, amd I don't think all keyserver maintainers want to. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From alphasigmax at gmail.com Fri Sep 9 12:08:31 2005 From: alphasigmax at gmail.com (Alphax) Date: Fri Sep 9 12:10:58 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509090902.j8992ugd002912@vulcan.xs4all.nl> References: <200509090902.j8992ugd002912@vulcan.xs4all.nl> Message-ID: <43215F1F.6070607@gmail.com> Johan Wevers wrote: > David Shaw wrote: > > >>I'd be all in favor of an option where users could elect to filter out >>keys: that would put the user in control. Forcing your decision on >>others by stripping signatures is a very disturbing step. > > > Considering the behaviour of the GD, I'd say it's also a practical issue > about resources: if it keeps signing keys like this, an SKS server might > well be in need of seriously more hardware than it is now. Someone's got > to pay for that, amd I don't think all keyserver maintainers want to. > Carrying out a full cleaning of keys stored on keyservers would seriously damage the WoT. Removing duplicated signatures however would probably have little impact, assuming you are removing only the newest ones and keeping any signatures with attributes set (notation data, policy URLs, revocation/expiry status). I think anything more drastic would require a serious overhaul of PKS infrastructure; I hope that (one day) we have keyservers that will prevent spambots from harvesting email address, eg. by requiring a challenge-response system (don't ask me how it would work). I have friends who currently don't want to use PGP because they fear that their keys will be uploaded to a keyserver, and then they will be spammed forever more. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From fizban at slackware.it Fri Sep 9 12:48:07 2005 From: fizban at slackware.it (Andreas Liebschner) Date: Fri Sep 9 12:48:14 2005 Subject: Open PGP cards and backup Message-ID: <43216867.2050405@slackware.it> Hi, I'm still playing with my card ;-) Just in case my fellowship card breaks up, I wanted to test the bkuptocard process. So I stick another openpgp card in the reader and --edit my key, run bkuptocard /path/to/sk_*.gpg Apparently it successfully imports it, but however I still see the old card' s/n under "General key info..:". In fact, I can't sign anything because I'm asked for the other card. (I obviousy save before quitting gpg) I the tried to "addcardkey", and it creates the new subkey on the new card, however I'm always asked for the old one, to sign the new key I guess. The newly created key gets properly marked as "being on" the new card. So, am I doing something wrong? For what I could understand from the man pages, it should update that kind of information, so that I could use this new card with the old backed up key. I also tried keytocard, but it fails stating that a secret key is already on the card (which is true, but shouldn't I be able to change the secret key like that, if I enter my pins and all?) And, is there any way for someone to "empty" the card from all the keys stored, after entering the admin pin or something? If it isn't possible, is it a "missing feature", or an actual feature? Thanks, -- Andreas Liebschner From johanw at vulcan.xs4all.nl Fri Sep 9 13:11:30 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Sep 9 13:45:19 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <43215F1F.6070607@gmail.com> Message-ID: <200509091111.j89BBUmb003928@vulcan.xs4all.nl> Alphax wrote: >Carrying out a full cleaning of keys stored on keyservers would >seriously damage the WoT. Too bad. However, if you just strip the GD signature off the damage won't be too large. >Removing duplicated signatures however would probably have little impact, >assuming you are removing only the newest ones Don't you mean keeping the newst ones? >I have friends who currently don't want to use PGP because they fear that >their keys will be uploaded to a keyserver, and then they will be spammed >forever more. They don't HAVE to add their email address to their key. I've seen several keys with only a name in it. After all, pgp/gpg is also usable without email. You can also use it to distribute encrypted files by carrying them on a floppy/CD/memory stick/whatever. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Fri Sep 9 13:58:16 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 9 14:01:23 2005 Subject: Open PGP cards and backup In-Reply-To: <43216867.2050405@slackware.it> (Andreas Liebschner's message of "Fri, 09 Sep 2005 12:48:07 +0200") References: <43216867.2050405@slackware.it> Message-ID: <87mzmme9lz.fsf@wheatstone.g10code.de> On Fri, 09 Sep 2005 12:48:07 +0200, Andreas Liebschner said: > Apparently it successfully imports it, but however I still see the old > card' s/n under "General key info..:". In fact, I can't sign anything > because I'm asked for the other card. (I obviousy save before quitting gpg) Well, this might be a bug or a feature. I am not sure. To solve this, you should first delete your secret subkey (--edit-key; key N; delkey) and than do the bkuptocard. This should work; I once tested it. > And, is there any way for someone to "empty" the card from all the keys > stored, after entering the admin pin or something? If it isn't possible, > is it a "missing feature", or an actual feature? Missing feature. Salam-Shalom, Werner From kfitzner at excelcia.org Thu Sep 8 14:41:58 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Fri Sep 9 14:06:39 2005 Subject: [Announce] GnuPG Explorer Extension (GPGee) Version 1.2.1 Released Message-ID: <43203196.8080806@excelcia.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Version 1.2.1 of GPGee has now been released and is available at http://gpgee.excelcia.org. This is mainly a bugfix release to correct a couple of functional bugs that appeared shortly after 1.2.0 was released. Bugs fixes include: - - Performing sign+encrypt no longer results in GPGee causing Explorer to hang. - - Change in the URL used for the automatic version check (the previous URL pointed at an ISP that cached its web pages, causing repeated notices to "upgrade" to an earlier version). - - Version now only occurs once per day as it was intended. Additionally, the version checking now compares build numbers rather than performing a simple string equality check. There should never again, regardless of ISP problems, be a notice to upgrade to an earlier version. There is one added feature for 1.2.1, designed to work with the multi-key signatures added in 1.2.0. It is now possible to append new signatures to an existing detached signature. In this way you can have one person sign a document, give the document and signature to another person at another maching and that person can add another signature. For those that aren't familliar with GPGee, it is a Windows shell extension that adds GnuPG support to explorer's right-click menu. You can sign, sign+encrypt, encrypt, verify, and decrypt files right from within the Windows explorer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQEVAwUBQyAxlt366Kf2Ie2tAQMpqAf+LzFDQ+T30gUwQR1sOP7FmXx8rWZgWOWE 2yKh6BAnINyL8SUnojU1gClgdpeJ/JS87d0//WJaE9z96kv+VR5/qKlpTqbQtTSB 68NOnk1Iszc6NLpRGe2sHxssJSVxnEUKvAfevLGW3JEdeCkenJ1CVbY184eFu5JM Xxc9yrWy6M2gELM56+BIA2f2Zaj9smTybCwhcCnsqgGJvosXttnFeS1Vw2K3aTP1 wFpeWT7Posn0BrquF+5YBsOVJuFgEdJrxXM+546nti3FWiT+iG/Pp/aMaXGZyjFQ p8d+F+8F3Av44UXw2Nw4BxN3JaUQVaxq1i4cnz6mWvxPDF8b/UUmkQ== =/eNV -----END PGP SIGNATURE----- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dshaw at jabberwocky.com Fri Sep 9 14:31:35 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 14:32:20 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909042200.GD643@wilma.widomaker.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> <20050909031023.GC643@wilma.widomaker.com> <20050909032308.GC10588@jabberwocky.com> <20050909042200.GD643@wilma.widomaker.com> Message-ID: <20050909123135.GD10588@jabberwocky.com> On Fri, Sep 09, 2005 at 12:22:00AM -0400, Jason Harris wrote: > > If I ran a keyserver, would it be appropriate for me to drop all > > signatures from your key D39DA0E3 simply because they're available > > somewhere else? > > keyserver.pgp.com doesn't synchronize with other keyservers, by design, > which they maintain to be a GoodThing(TM). Are you currently insinuating > that the GD sigs should spam the well-synchronized keyservers? Obviously not. The GD is an island that synchronizes with nobody. The whole design of it is radically different than the other keyservers out there in that it is not designed to store all keys. It is designed to store one key per active user, and that is enforced. Synchronizing would destroy that design goal. Not synchronizing is also the only way they can avoid certain semantic problems with robot CAs. Still, Jason, you can't have it both ways: you complain that the GD won't sync, and you complain that the GD signatures leak out. Which do you want to fix? > > Personal opinions as to the usefulness of signatures should not be a > > factor in what a keyserver stores. It's a very dangerous path to go > > down: do you also strip signatures from someone "known" to be a bad > > signer? What's the criteria for inclusion in your keyserver? Is it > > stated somewhere so users can read it? > > Right now, TTBOMK, only the GD is, indeed, ""known" to be a bad signer." Known by *you*. I rather think the GD is a good signer, for what it is. I know a whole lot of other people who think the GD is a good signer, just as I know a whole lot of people who think the GD is a bad signer. Is your keyserver for you personally or for the public? Do understand, this isn't about the GD specifically: it's about a keyserver operator who is editing their database to present a different trust view than is really there. When do your personal preferences start impacting a public service? If a user fetches a key from sks.dnsalias.net they see one view of the world. If they fetch the same key from your keyserver, they see your private view of the world. Or to put it another way: I know dozens of bad signers (I could tell some horror stories here). Should you drop their signatures too? With regards to the GD problem, specifically: Jason, I've seen you do amazing things with debugging the keyserver net, and point to exactly where particular signatures entered the net. Why don't you just see where the signatures are leaking in from before you redefine what a keyserver stores to suit yourself? They're not coming from the GD, and PGP and GnuPG have no way to bridge them automatically. Therefore someone is doing it manually, and on a regular basis. If you insist on presenting a different view to users than the entire rest of the keyserver net, without any way to turn such a "feature" off, then I suggest that keyserver.kjsl.com be removed from the subkeys.pgp.net rotation. It will cause more confusion than benefit. David From dshaw at jabberwocky.com Fri Sep 9 14:50:52 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 14:51:26 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509090902.j8992ugd002912@vulcan.xs4all.nl> References: <20050909022829.GB10588@jabberwocky.com> <200509090902.j8992ugd002912@vulcan.xs4all.nl> Message-ID: <20050909125052.GE10588@jabberwocky.com> On Fri, Sep 09, 2005 at 11:02:56AM +0200, Johan Wevers wrote: > David Shaw wrote: > > >I'd be all in favor of an option where users could elect to filter out > >keys: that would put the user in control. Forcing your decision on > >others by stripping signatures is a very disturbing step. > > Considering the behaviour of the GD, I'd say it's also a practical issue > about resources: if it keeps signing keys like this, an SKS server might > well be in need of seriously more hardware than it is now. Someone's got > to pay for that, amd I don't think all keyserver maintainers want to. I have sympathy for that argument, so wouldn't it be good to trace down where the sigs are entering the keyserver net, and ask whoever is doing it to stop? It seems like the obvious first step. David From dshaw at jabberwocky.com Fri Sep 9 14:56:04 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 14:56:39 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <43215F1F.6070607@gmail.com> References: <200509090902.j8992ugd002912@vulcan.xs4all.nl> <43215F1F.6070607@gmail.com> Message-ID: <20050909125604.GF10588@jabberwocky.com> On Fri, Sep 09, 2005 at 07:38:31PM +0930, Alphax wrote: > Johan Wevers wrote: > > David Shaw wrote: > > > > > >>I'd be all in favor of an option where users could elect to filter out > >>keys: that would put the user in control. Forcing your decision on > >>others by stripping signatures is a very disturbing step. > > > > > > Considering the behaviour of the GD, I'd say it's also a practical issue > > about resources: if it keeps signing keys like this, an SKS server might > > well be in need of seriously more hardware than it is now. Someone's got > > to pay for that, amd I don't think all keyserver maintainers want to. > > > > Carrying out a full cleaning of keys stored on keyservers would > seriously damage the WoT. Removing duplicated signatures however would > probably have little impact, assuming you are removing only the newest > ones and keeping any signatures with attributes set (notation data, > policy URLs, revocation/expiry status). If the keyservers had crypto support, you could do the equivalent of GnuPG "clean" on each key. Without crypto support, though, you could remove a good signature and keep a bad one. I suspect it would be cheaper to store the extra packets than it would be to do all the signature math for every key.... David From dshaw at jabberwocky.com Fri Sep 9 14:57:32 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 14:58:07 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509091111.j89BBUmb003928@vulcan.xs4all.nl> References: <43215F1F.6070607@gmail.com> <200509091111.j89BBUmb003928@vulcan.xs4all.nl> Message-ID: <20050909125732.GG10588@jabberwocky.com> On Fri, Sep 09, 2005 at 01:11:30PM +0200, Johan Wevers wrote: > Alphax wrote: > > >Carrying out a full cleaning of keys stored on keyservers would > >seriously damage the WoT. > > Too bad. However, if you just strip the GD signature off the damage won't > be too large. Then it needs to be done across the board after discussion by the keyserver operators, not by a single operator acting alone. David From jharris at widomaker.com Fri Sep 9 15:30:35 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Sep 9 15:30:46 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909123135.GD10588@jabberwocky.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> <20050909031023.GC643@wilma.widomaker.com> <20050909032308.GC10588@jabberwocky.com> <20050909042200.GD643@wilma.widomaker.com> <20050909123135.GD10588@jabberwocky.com> Message-ID: <20050909133035.GE643@wilma.widomaker.com> On Fri, Sep 09, 2005 at 08:31:35AM -0400, David Shaw wrote: > On Fri, Sep 09, 2005 at 12:22:00AM -0400, Jason Harris wrote: [I'll address your other points later.] > If you insist on presenting a different view to users than the entire > rest of the keyserver net, without any way to turn such a "feature" > off, then I suggest that keyserver.kjsl.com be removed from the > subkeys.pgp.net rotation. It will cause more confusion than benefit. I pointed out the potential for confusion before. But, now, I'm convinced the best solution _is_ to remove the GD sigs from non- GD keyservers. Also, subkeys.pgp.net is about _subkeys_. If you want gd-retention.pgp.net, go ahead and ask Piete to create it, then configure GPG to use it by default. As well, please give OpenPGP users more credit. They seem to be quite capable of comprehending the differences among keyservers. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050909/cca1d993/attachment.pgp From dshaw at jabberwocky.com Fri Sep 9 15:42:22 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 15:42:58 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909133035.GE643@wilma.widomaker.com> References: <43201190.444.425C7BC@localhost> <4320D86B.26826.72E8F05@localhost> <20050909000025.GA10588@jabberwocky.com> <20050909020824.GB643@wilma.widomaker.com> <20050909022829.GB10588@jabberwocky.com> <20050909031023.GC643@wilma.widomaker.com> <20050909032308.GC10588@jabberwocky.com> <20050909042200.GD643@wilma.widomaker.com> <20050909123135.GD10588@jabberwocky.com> <20050909133035.GE643@wilma.widomaker.com> Message-ID: <20050909134222.GH10588@jabberwocky.com> On Fri, Sep 09, 2005 at 09:30:35AM -0400, Jason Harris wrote: > On Fri, Sep 09, 2005 at 08:31:35AM -0400, David Shaw wrote: > > On Fri, Sep 09, 2005 at 12:22:00AM -0400, Jason Harris wrote: > > [I'll address your other points later.] > > > If you insist on presenting a different view to users than the entire > > rest of the keyserver net, without any way to turn such a "feature" > > off, then I suggest that keyserver.kjsl.com be removed from the > > subkeys.pgp.net rotation. It will cause more confusion than benefit. > > I pointed out the potential for confusion before. But, now, I'm > convinced the best solution _is_ to remove the GD sigs from non- > GD keyservers. You seem to continue to ignore my point, probably because it's easier for you to argue this as a GD issue. Let me try again: 1) This isn't about the GD. 2) Nope, not about the GD. 3) Still, not about the GD. 4) It's about one lone keyserver operator, without any discussion with other operators, editing his own keyserver to remove material he doesn't like. 5) Did I mention it wasn't about the GD? > Also, subkeys.pgp.net is about _subkeys_. If you want > gd-retention.pgp.net, go ahead and ask Piete to create it, then > configure GPG to use it by default. Jason, what would you do if one particular keyserver in subkeys.pgp.net refused to sync with the others, so it presented a different view? What would you do if one particular keyserver decided to drop all signatures from you because they don't think you're a good signer (0x11 signatures - argh). Should they be dropped from subkeys.pgp.net? Are they breaching their responsibility to the rest of the keyserver net? Remember: not a GD issue. You're editing your keyserver based on *your* personal preferences. Again, by the way, not a GD issue. > As well, please give OpenPGP users more credit. They seem to be > quite capable of comprehending the differences among keyservers. You do realize, I hope, that the very email that started this thread was from someone confused about why the keyservers weren't giving back the same material... David From dirk.traulsen at lypso.de Fri Sep 9 16:18:11 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Fri Sep 9 16:16:16 2005 Subject: clean sigs In-Reply-To: <20050909000025.GA10588@jabberwocky.com> References: <4320D86B.26826.72E8F05@localhost> Message-ID: <4321B5C3.19592.A8F2F80@localhost> Am 8 Sep 2005 um 20:00 hat David Shaw geschrieben: > Yes, I see what happened now. It's just a misunderstanding. "clean" > can't work unless you have the key that issued the signature that you > want cleaned (so it can know which signatures to remove). In your > case, you need to fetch key CA57AD7C (the PGP GD key). Once you have > that key, GnuPG can remove signatures that it has issued. I can confirm, that 'clean' worked as you said, when I first fetched the keys for the obsolete sigs. But why is it nescessary to fetch the key first? When there is a new, functional and valid signature from key 12345678 on a key, isn't it obvious from the originally 16 character keyID, that they were issued from the same key, whether I have it in my keyring or not? Couldn't gpg delete the old obsolete signatures without the signing key itself? Dirk From dirk.traulsen at lypso.de Fri Sep 9 16:18:11 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Fri Sep 9 16:16:28 2005 Subject: gpg looking for strange additional key upon import (was Re: clean sigs) In-Reply-To: <20050909000025.GA10588@jabberwocky.com> References: <4320D86B.26826.72E8F05@localhost> Message-ID: <4321B5C3.25048.A8F2EF4@localhost> Am 8 Sep 2005 um 20:00 hat David Shaw geschrieben: > > 2. There is a line after the '--recv-key' which I don't understand: > > 'gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 > > gefunden' (my english translation: gpg: no ultimately trusted key > > 0022FA10 found) As you can see in the output, I didn't ask for this > > key. There are no keyrings or trustdb, as I deleted them before. I > > don't know this key and I couldn't find it at the keyservers. Why > > did gpg try to find this key? > > GnuPG will look for your own key. Did you generate a key with that > key ID? No, I didn't and I deleted the keyrings and the trustdb, so how could gpg know? I tried a lot of combinations and found, that the message comes only, when a new (meaning not in the pubring) public key is imported directly or via keyserver and there is no ultimately trusted public key in the pubring. This does not depend on the existence of a secret key. It is independent of the used keyserver, the preferences and whether the imported key was made with gpg 1.0.7 - 1.4.2 or pgp. This is true for gpg 1.4.2 under Win95 and WinXP. Until now I could not test it under Linux. But the strange line comes not, when I generate new key pairs, export, transport the ascii files internally and '--import' them. It doesn't matter on which system (Win95, WinXP, Linux) or program (gpg1.0.7 -1.4.2, pgp) the keys are generated. Interestingly there is a difference, whether I use '--import' to get a key from a 'key.asc' or '--recv-key' to import it from a keyserver. It reproducibly asks for two different, not existing keys. On WinXP it is always 0022FB70 when a key gets '--import'ed and 0022FA10 when it is '--recv-key'ed. It is the same for Win95, but with other key IDs: 0080F760 for '--import' and 0080F8F0 for '--recv-key'. Dirk +++++++ Output '--import' +++++++++++++++++++++++ C:\>gpg --import koch.asc gpg: key 57548DCD: public key "Werner Koch (gnupg sig) " imported gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB70 gefunden +++++++ Output '--recv-key' +++++++++++++++++++++ C:\Dokumente und Einstellungen\Chef\Anwendungsdaten\gnupg>gpg -- keyserver keyserver.kjsl.com --recv-key 08B0A90B gpg: requesting key 08B0A90B from hkp server keyserver.kjsl.com gpg: key 08B0A90B: public key "PuTTY Releases (DSA) " imported gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 gefunden gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 +++++++ Output '--import' of a new generated key ++++++ C:\>gpg --import newkey.asc gpg: key A6F74F00: public key "newkey " imported gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 +++++++++++++++++++++++++++++++++++++++++++ From dshaw at jabberwocky.com Fri Sep 9 16:29:08 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 16:29:48 2005 Subject: gpg looking for strange additional key upon import (was Re: clean sigs) In-Reply-To: <4321B5C3.25048.A8F2EF4@localhost> References: <4320D86B.26826.72E8F05@localhost> <4321B5C3.25048.A8F2EF4@localhost> Message-ID: <20050909142908.GA12440@jabberwocky.com> On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote: > Interestingly there is a difference, whether I use '--import' to get > a key from a 'key.asc' or '--recv-key' to import it from a keyserver. > It reproducibly asks for two different, not existing keys. On WinXP > it is always 0022FB70 when a key gets '--import'ed and 0022FA10 when > it is '--recv-key'ed. It is the same for Win95, but with other key > IDs: 0080F760 for '--import' and 0080F8F0 for '--recv-key'. That looks disturbingly like uninitialized data, but I'm not able to duplicate it here. Here is what I'm doing: $ rm ~/.gnupg/trustdb.gpg $ gpg --import koch.asc gpg: /home/dshaw/.gnupg/trustdb.gpg: trustdb created gpg: key 57548DCD: public key "Werner Koch (gnupg sig) " imported gpg: Total number processed: 1 gpg: imported: 1 Can you give exact steps to follow? David From dshaw at jabberwocky.com Fri Sep 9 16:46:26 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 16:47:03 2005 Subject: clean sigs In-Reply-To: <4321B5C3.19592.A8F2F80@localhost> References: <4320D86B.26826.72E8F05@localhost> <4321B5C3.19592.A8F2F80@localhost> Message-ID: <20050909144626.GB12440@jabberwocky.com> On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote: > Am 8 Sep 2005 um 20:00 hat David Shaw geschrieben: > > > Yes, I see what happened now. It's just a misunderstanding. "clean" > > can't work unless you have the key that issued the signature that you > > want cleaned (so it can know which signatures to remove). In your > > case, you need to fetch key CA57AD7C (the PGP GD key). Once you have > > that key, GnuPG can remove signatures that it has issued. > > I can confirm, that 'clean' worked as you said, when I first fetched > the keys for the obsolete sigs. Excellent. > But why is it nescessary to fetch the key first? When there is a new, > functional and valid signature from key 12345678 on a key, isn't it > obvious from the originally 16 character keyID, that they were issued > from the same key, whether I have it in my keyring or not? > Couldn't gpg delete the old obsolete signatures without the signing > key itself? Unfortunately not, because without the signing key, gpg can't tell if a signature is valid or not. If there is no way to tell if a signature is valid then the wrong thing might happen in cleaning. Here's an example: signature 1 from key 12345678 is dated January 1, 2000. signature 2 from key 12345678 is dated January 1, 2001. It would seem obvious that signature 1 should be removed... but in fact, signature 1 is valid, and signature 2 is a forgery. If gpg removes signature 1, then the forger who created signature 2 effectively "revoked" signature 1. Only if the signing key 12345678 is present can gpg tell which is the real signature. There is perhaps an argument to be made for a "super clean" that does clean and also removes any signature where the signing key is not present (in fact, an early version of clean did that), but that's a different thing than clean. David From alphasigmax at gmail.com Fri Sep 9 16:51:27 2005 From: alphasigmax at gmail.com (Alphax) Date: Fri Sep 9 16:53:52 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509091111.j89BBUmb003928@vulcan.xs4all.nl> References: <200509091111.j89BBUmb003928@vulcan.xs4all.nl> Message-ID: <4321A16F.6010000@gmail.com> Johan Wevers wrote: > Alphax wrote: >>Removing duplicated signatures however would probably have little impact, >>assuming you are removing only the newest ones > > Don't you mean keeping the newst ones? > Er, yes. However as David Shaw pointed out further down the thread, there's no safe way to do so without validating the signatures first. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alphasigmax at gmail.com Fri Sep 9 16:58:22 2005 From: alphasigmax at gmail.com (Alphax) Date: Fri Sep 9 17:00:45 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909125052.GE10588@jabberwocky.com> References: <20050909022829.GB10588@jabberwocky.com> <200509090902.j8992ugd002912@vulcan.xs4all.nl> <20050909125052.GE10588@jabberwocky.com> Message-ID: <4321A30E.3080506@gmail.com> David Shaw wrote: > On Fri, Sep 09, 2005 at 11:02:56AM +0200, Johan Wevers wrote: > >>David Shaw wrote: >> >> >>>I'd be all in favor of an option where users could elect to filter out >>>keys: that would put the user in control. Forcing your decision on >>>others by stripping signatures is a very disturbing step. >> >>Considering the behaviour of the GD, I'd say it's also a practical issue >>about resources: if it keeps signing keys like this, an SKS server might >>well be in need of seriously more hardware than it is now. Someone's got >>to pay for that, amd I don't think all keyserver maintainers want to. > > > I have sympathy for that argument, so wouldn't it be good to trace > down where the sigs are entering the keyserver net, and ask whoever is > doing it to stop? It seems like the obvious first step. > Well, I don't know *where* they are coming from, but I (and the kind soul who worked it out and told me) know think we know *how* it's being done. And unfortunately, it's very easy (too easy!) to do, especially for someone with a high-speed internet connection. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From JPClizbe at comcast.net Fri Sep 9 16:59:53 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Sep 9 17:10:05 2005 Subject: clean sigs In-Reply-To: <20050909144626.GB12440@jabberwocky.com> References: <4320D86B.26826.72E8F05@localhost> <4321B5C3.19592.A8F2F80@localhost> <20050909144626.GB12440@jabberwocky.com> Message-ID: <4321A369.1000705@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > There is perhaps an argument to be made for a "super clean" that does > clean and also removes any signature where the signing key is not > present (in fact, an early version of clean did that), but that's a > different thing than clean. Perhaps --scrub ? --sanitize ? --disinfect ? 8-}) - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDIaNoHQSsSmCNKhARAuvEAKD6jPFcx5eWiWWPfMMuBc0F8PEm8ACgiOZ2 Ce8bwxxQe1q4M5roPQC8tdk= =3V0S -----END PGP SIGNATURE----- From kfitzner at excelcia.org Fri Sep 9 22:00:38 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Fri Sep 9 22:01:33 2005 Subject: This IS about GD - a proposal on dealing with the problem Message-ID: <4321E9E6.7080608@excelcia.org> Ok, that other thread isn't about the GD, but this one is. I think this is something that should be discussed and a consensus reached. Are they a good/bad signer? Does something need to be done about them? Should they be approached by the community? PGP's position (and the argument I've heard from others) is that they have a lone keyserver, not attached to anything else, if the keys and junk signatures leak - SEF/SEP (Somebody Else's Fault, Somebody Else's Problem). My response is, if a company produced a pool of toxic waste and left it on private, but open and unprotected property, is that company liable for that toxic waste getting out? The community is getting toxic waste from their inelegant solution. A solution that, I suggest, can only be in place to promote dependance on their server and force people to keep coming back to them (is this ringing any familiarity bells yet). Assuming a goal without advertising as a central theme (ie: the technical goal of producing a signature indicating a certail level of trust - where that trust can be periodically reviewed and the signature removed if the trust is breached), any one of us could come up with a half dozen technically elegant solutions that don't pollute. Their server and their signatures, but we are paying the price with time, agravation, and quite possibly increased costs to keyserver operators if something isn't done. My proposal is that a letter be sent to PGP requesting (I'd put demanding, but that's simply my personal outrage speaking) they kindly stop leaving toxic waste....er junk signatures... out where any naive user can (and obviously does) spread them around. Perhaps it could be suggested that they take part in the cleanup effort by supplying time and money to operators to fix the problem. I propose this letter be signed by as many of the OpenPGP and related support software developers, key server operators, and even end users as will support it. Signature cleaning and/or filtering is not the answer, just as spam filtering is not the ultimate answer. The cost to the IT industry of spam filtering is enormous. Let's deal with the problem at the source. Kurt. From dshaw at jabberwocky.com Fri Sep 9 23:27:29 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 23:28:11 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4321E9E6.7080608@excelcia.org> References: <4321E9E6.7080608@excelcia.org> Message-ID: <20050909212729.GA12723@jabberwocky.com> On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > Ok, that other thread isn't about the GD, but this one is. I think this > is something that should be discussed and a consensus reached. > > Are they a good/bad signer? > Does something need to be done about them? > Should they be approached by the community? > > PGP's position (and the argument I've heard from others) is that they > have a lone keyserver, not attached to anything else, if the keys and > junk signatures leak - SEF/SEP (Somebody Else's Fault, Somebody Else's > Problem). My response is, if a company produced a pool of toxic waste > and left it on private, but open and unprotected property, is that > company liable for that toxic waste getting out? So if I take material from www.cnn.com and distribute it around the net, it's CNN's fault for not protecting their data better? It might be useful to tone down the rage here. PGP isn't producing toxic waste. They're producing small packets of binary data. Nobody is actually being poisoned and dying here. Extra signatures on keys do not actually harm anyone, despite all the hysterics that they seem to cause. At best, this is an aesthetic problem. Also, these are not "junk" signatures. They have semantic meaning, and are used by many people. Please clarify what makes a signature a "junk" signature. I'd like to understand why you classify them that way. > Their server and their signatures, but we are paying the price with > time, agravation, and quite possibly increased costs to keyserver > operators if something isn't done. Where is the time (aside from the time we keep spending talking about it)? Where is the aggravation? Costs? Picking a random GD signature off my key, it is 293 bytes long. Let's guess that there are around 10,000 keys that exist both on the SKS net and the GD. Let's also say that there is a malicious person out there who is bridging *every one* of those 10,000 keys. I doubt this is happening, but again, let's go with it. Given all those weighted-to-be-awful numbers, what does that come to? 2.8 megabytes. The GD reissues signatures on demand, more or less every 2 weeks. 52 weeks in a year, so the GD will add 72.7 megabytes a YEAR to the SKS server net. 72.7 megabytes a year. In 8 years, we'll have enough to fill a CD-ROM. Allow me to opine that if we're hurting from 72.7 megabytes a year, than the keyserver net has other problems than the GD. > My proposal is that a letter be sent to PGP requesting (I'd put > demanding, but that's simply my personal outrage speaking) they kindly > stop leaving toxic waste....er junk signatures... out where any naive > user can (and obviously does) spread them around. Perhaps it could be > suggested that they take part in the cleanup effort by supplying time > and money to operators to fix the problem. I propose this letter be > signed by as many of the OpenPGP and related support software > developers, key server operators, and even end users as will support it. Why the outrage? I really don't understand why people are so hopping mad about this. Turn on "import-clean" in your gpg.conf and you'll never see more than one GD signature at a time. It's fairly obvious at this point that someone is bridging the GD to the keyserver net. PGP (the company) isn't doing it, and PGP (the product) and GnuPG have no way to do it automatically. Again, may I suggest that before we implement changes in keyservers or send threatening letters to the PGP company or even just continue to vent, we simply track down who is doing it and ask them nicely to stop? I've seen Jason pull off miracles at tracking down the origin of bad packets on the keyserver net. That would actually accomplish something, rather than getting all angry and scolding PGP (which might make people feel better, but likely won't change any part of the GD). David From dshaw at jabberwocky.com Fri Sep 9 23:28:36 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 9 23:29:12 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <4321A30E.3080506@gmail.com> References: <20050909022829.GB10588@jabberwocky.com> <200509090902.j8992ugd002912@vulcan.xs4all.nl> <20050909125052.GE10588@jabberwocky.com> <4321A30E.3080506@gmail.com> Message-ID: <20050909212836.GB12723@jabberwocky.com> On Sat, Sep 10, 2005 at 12:28:22AM +0930, Alphax wrote: > David Shaw wrote: > > On Fri, Sep 09, 2005 at 11:02:56AM +0200, Johan Wevers wrote: > > > >>David Shaw wrote: > >> > >> > >>>I'd be all in favor of an option where users could elect to filter out > >>>keys: that would put the user in control. Forcing your decision on > >>>others by stripping signatures is a very disturbing step. > >> > >>Considering the behaviour of the GD, I'd say it's also a practical issue > >>about resources: if it keeps signing keys like this, an SKS server might > >>well be in need of seriously more hardware than it is now. Someone's got > >>to pay for that, amd I don't think all keyserver maintainers want to. > > > > > > I have sympathy for that argument, so wouldn't it be good to trace > > down where the sigs are entering the keyserver net, and ask whoever is > > doing it to stop? It seems like the obvious first step. > > > > Well, I don't know *where* they are coming from, but I (and the kind > soul who worked it out and told me) know think we know *how* it's being > done. And unfortunately, it's very easy (too easy!) to do, especially > for someone with a high-speed internet connection. Yep. Oddly enough, people seem to blame the GD and PGP company rather than blaming the actual litterer. David From karadenizi at earthlink.net Sat Sep 10 03:55:06 2005 From: karadenizi at earthlink.net (Kara) Date: Sat Sep 10 03:55:06 2005 Subject: [OT] The Family Pays Message-ID: <43223CFA.4030007@earthlink.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==== Reference: Subject: Re: legal status of GnuPG in China? Date: Wed, 24 Aug 2005 13:19:19 -0400 (EDT) From: Atom Smasher To: gnupg-users@gnupg.org > ....just remember, next time you buy some piece of crap at wal-mart > and it says "made in china", part of the money that you're spending > is to buy bullets to shoot people who are caught using crypto (or > practicing religion). It's my understanding that the Chinese Government forces the family to pay for the cost of the bullet. I like the Chinese system: Just have the criminal to be executed kneel and then kill him or her with a single bullet to the back of the head. Quick, humane, and with the family paying for the cost of the bullet, cost-effective. Seems like a much better system than we use in the US. - -- Ciao Kara "If everyone is thinking alike, then somebody isn't thinking." - General George S. Patton Timestamp: Fri 09 September 2005, 2155 EDT (USA) UTC: --400 ==== . -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2rc2 (GNU/Linux) Comment: Using Fedora and Enigmail Comment: OpenPGP keyID and URL in Message Headers iD8DBQFDIjz415k+1L3RO5ARAhL2AKDzVSvD/tZ6z5GtJMqm74gbqbJ1TACfQZnI Hngf/B0ACBZ+tLWYECUds9k= =ZGIn -----END PGP SIGNATURE----- From kfitzner at excelcia.org Sat Sep 10 03:58:57 2005 From: kfitzner at excelcia.org (Kurt Fitzner) Date: Sat Sep 10 04:02:04 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <20050909212729.GA12723@jabberwocky.com> References: <4321E9E6.7080608@excelcia.org> <20050909212729.GA12723@jabberwocky.com> Message-ID: <43223DE1.4040900@excelcia.org> David Shaw wrote: > On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > >>Ok, that other thread isn't about the GD, but this one is. I think this >>is something that should be discussed and a consensus reached. >> >>Are they a good/bad signer? >>Does something need to be done about them? >>Should they be approached by the community? >> >>PGP's position (and the argument I've heard from others) is that they >>have a lone keyserver, not attached to anything else, if the keys and >>junk signatures leak - SEF/SEP (Somebody Else's Fault, Somebody Else's >>Problem). My response is, if a company produced a pool of toxic waste >>and left it on private, but open and unprotected property, is that >>company liable for that toxic waste getting out? > > > So if I take material from www.cnn.com and distribute it around the > net, it's CNN's fault for not protecting their data better? CNN's articles are distributable with a URL. A public key needs to be transferred. CNN doesn't attach extra data to an article that is in a form that the distribution channels are reluctant to filter out for other reasons, causing them to grow ad infinitum within the distribution system. If there was a distribution network set up where anyone could submit news articles where, once submitted to one, the articles would then be automatically shared amongst other servers and then archived forever; if that distribution system had the mechanism for, say, appending an update to the article that would then be spread around and if CNN appended an update to their articles every two weeks that said "Nothing has changed, this article is still as it is intended to be - oh, and by the way, even though we are appending this update every two weeks, we won't reevaluate doing so for another six months".... if this were the case, then yes, I would say CNN is then at fault. > It might be useful to tone down the rage here. PGP isn't producing > toxic waste. They're producing small packets of binary data. Nobody > is actually being poisoned and dying here. Extra signatures on keys > do not actually harm anyone, despite all the hysterics that they seem > to cause. At best, this is an aesthetic problem. The keyservers are the individuals being poisoned. It's a heavy metal poison. In general, heavy metal poisons are dangerous because they accumulate in the tissues of the affected individual and aren't naturally cleaned and purged. Also, like the poisoning of many heavy metals, this onem, if left to accumulate, will cause brain dysfunction in the infected individuals. > Also, these are not "junk" signatures. They have semantic meaning, > and are used by many people. Please clarify what makes a signature a > "junk" signature. I'd like to understand why you classify them that > way. Junk signatures because the form they are being distributed in is meaningless. Signatures that expire in two weeks in a system which is evaluated every six months are useful for exactly what, mway I ask? They have semantic meaning the same way a child's "are we there yet" questions every five minutes for the last hour of car ride have semantic meaning. Yes, there is meaning conveyed, yes the meaning can be parsed, but the same question (is this key valid/are we there yet) could have been asked once in the time period and have been just as valid. >>Their server and their signatures, but we are paying the price with >>time, agravation, and quite possibly increased costs to keyserver >>operators if something isn't done. > > Where is the time (aside from the time we keep spending talking about > it)? Where is the aggravation? > Costs? Picking a random GD signature off my key, it is 293 bytes > long. Let's guess that there are around 10,000 keys that exist both > on the SKS net and the GD. Let's also say that there is a malicious > person out there who is bridging *every one* of those 10,000 keys. I > doubt this is happening, but again, let's go with it. Given all those > weighted-to-be-awful numbers, what does that come to? 2.8 megabytes. > The GD reissues signatures on demand, more or less every 2 weeks. 52 > weeks in a year, so the GD will add 72.7 megabytes a YEAR to the SKS > server net. 72.7 megabytes a year. In 8 years, we'll have enough to > fill a CD-ROM. How about we guess there is an order of magnitude more keys and that the database is several gigabytes. Let's guess that in 2002 there were, say, 1.6 million keys with 3.8 million signatures in general circulation, and the database size was 1.6 gigabytes. Let's guess that the key count was up about 150,000 keys from the previous year. Given those guesses, what sort of impact might GD have? What sort of impact might they have in ten years? How about we also guess that not all servers are modern Athlon64X2 machines with more hard drive space than has a right to exist. Let's say that some of them are old, otherwise castaway machines used because they make good little servers. Old pentiums with ten or so gigs storage - machines that, essentially, can handle the load now but might not be able to with GD's junk data. Replacing those machines is a cost to the providers. Losing those machines is a cost to the community. > Allow me to opine that if we're hurting from 72.7 megabytes a year, > than the keyserver net has other problems than the GD. Opine allowed :) - please see above though. >>My proposal is that a letter be sent to PGP requesting (I'd put >>demanding, but that's simply my personal outrage speaking) they kindly >>stop leaving toxic waste....er junk signatures... out where any naive >>user can (and obviously does) spread them around. Perhaps it could be >>suggested that they take part in the cleanup effort by supplying time >>and money to operators to fix the problem. I propose this letter be >>signed by as many of the OpenPGP and related support software >>developers, key server operators, and even end users as will support it. > > > Why the outrage? I really don't understand why people are so hopping > mad about this. Turn on "import-clean" in your gpg.conf and you'll > never see more than one GD signature at a time. This is end-user spam filtering. By the same argument, because my server's spam filter is 99.99% effective and I am essentially personally unaffected by spam on a daily basis, that spam is not a problem. I am upset because PGP being who they are had to know that: - The keys would get out - There was no mechanism for removing anything from any key once it enters general keyserver distribution I am upset because there is no truly useful purpose behind a two-week shelf-life signature in a system where key validity is assessed every six months. I am upset because there can be no logical reason for what they are doing except to create a dependance on their services and right now it is at the expense of free service providers. > It's fairly obvious at this point that someone is bridging the GD to > the keyserver net. PGP (the company) isn't doing it, and PGP (the > product) and GnuPG have no way to do it automatically. Again, may I > suggest that before we implement changes in keyservers or send > threatening letters to the PGP company or even just continue to vent, > we simply track down who is doing it and ask them nicely to stop? I don't accept that it is obvious that PGP (the company) isn't doing it. I only accept that it is obvious that they say they aren't coing it. I have seen no technical data that supports or contradicts the question of whether or not they are responsible. If this exists, please point me to it - I'll even try to evaluate it objectively. :) > I've seen Jason pull off miracles at tracking down the origin of bad > packets on the keyserver net. That would actually accomplish > something, rather than getting all angry and scolding PGP (which might > make people feel better, but likely won't change any part of the GD). Oh, if enough people signed the request, I'm sure it could get slashdotted - /. may not be very elegant in and of itself, but a harsh article there would affect PGP's bottom line a little bit. Maybe just a very little bit, but it would most likely be enough to put an end to the practice. From yochanon at localnet.com Sat Sep 10 08:27:02 2005 From: yochanon at localnet.com (John B) Date: Sat Sep 10 08:27:24 2005 Subject: Hushmail troubles...again Message-ID: <200509100127.02811.yochanon@localnet.com> Hi all, I've tried over the past week to send encrypted e-mails to a friend with a Hushmail address from Kmail on SuSE 9.3 . I've got his key on my keyring and when I hit the 'send' button, it brings up the gpg window showing the key I'm using and all that and I enter my passphrase and it sends away as if there's no problem. The problem is, it always ends up at the Hushmail place as an attachment and no way to open it or read it. I even made a Hushmail account for myself and tried it and it did the same thing for me...it came to the Hushmail as an attachment with no way to open it. Is there something I'm doing wrong? Is it something Hushmail is doing wrong? Does anyone have any idea what it could possibly be, because using the Hushmail thing online is extremely slow for a dial-up user and a PITA when I have Kmail and gpg on my own system. Thanks for any ideas to try to fix this dilemma. JB From gpg-0 at ml.turing-complete.org Sat Sep 10 09:34:45 2005 From: gpg-0 at ml.turing-complete.org (Nicolas Rachinsky) Date: Sat Sep 10 10:41:04 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <43223DE1.4040900@excelcia.org> References: <4321E9E6.7080608@excelcia.org> <20050909212729.GA12723@jabberwocky.com> <43223DE1.4040900@excelcia.org> Message-ID: <20050910073445.GA47429@mid.pc5.i.0x5.de> * Kurt Fitzner [2005-09-09 19:58 -0600]: > Junk signatures because the form they are being distributed in is > meaningless. Signatures that expire in two weeks in a system which is > evaluated every six months are useful for exactly what, mway I ask? You may remove a key at any time from GD. Nicolas From bob.henson at galen.org.uk Sat Sep 10 10:30:45 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Sat Sep 10 11:31:40 2005 Subject: This IS about GD - a proposal on dealing with the problem Message-ID: <432299B5.7080003@galen.org.uk> David Shaw wrote: >> Also, these are not "junk" signatures. They have semantic meaning, >> and are used by many people. Please clarify what makes a signature a >> "junk" signature. I'd like to understand why you classify them that >> way. Put it the other way round - what useful purpose do they serve? I haven't seen one yet, ergo they are junk. I don't even like the added signatures when a key is edited, unless it is that particular signature that is edited I would prefer to see the original signature date. Cleaning the key removes the older ones, instead of the junk ones. >> Why the outrage? I really don't understand why people are so hopping >> mad about this. Turn on "import-clean" in your gpg.conf and you'll >> never see more than one GD signature at a time. It may do with the nightly builds, but it doesn't yet work on the release version of GPG. Sadly, I doubt PGP corporation would take any notice of a petition - they don't even listen to and reply their paid subscribers comments, never mind those that don't use PGP. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050910/4c32769a/signature.pgp From dirk.traulsen at lypso.de Sat Sep 10 14:21:24 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Sat Sep 10 14:19:37 2005 Subject: gpg looking for strange additional key upon import (was Re: clean sigs) In-Reply-To: <20050909142908.GA12440@jabberwocky.com> References: <4321B5C3.25048.A8F2EF4@localhost> Message-ID: <4322EBE4.16796.115C86D@localhost> Am 9 Sep 2005 um 10:29 hat David Shaw geschrieben: > On Fri, Sep 09, 2005 at 04:18:11PM +0200, Dirk Traulsen wrote: > > > Interestingly there is a difference, whether I use '--import' to get > > a key from a 'key.asc' or '--recv-key' to import it from a > > keyserver. It reproducibly asks for two different, not existing > > keys. On WinXP it is always 0022FB70 when a key gets '--import'ed > > and 0022FA10 when it is '--recv-key'ed. It is the same for Win95, > > but with other key IDs: 0080F760 for '--import' and 0080F8F0 for > > '--recv-key'. > > That looks disturbingly like uninitialized data, but I'm not able to > duplicate it here. > > Here is what I'm doing: > > $ rm ~/.gnupg/trustdb.gpg > $ gpg --import koch.asc > gpg: /home/dshaw/.gnupg/trustdb.gpg: trustdb created > gpg: key 57548DCD: public key "Werner Koch (gnupg sig) > " imported gpg: Total number processed: 1 gpg: > imported: 1 > > Can you give exact steps to follow? Ok, I'll try. First, I did this with gpg 1.4.2 under WinXP and confirmed my findings on another machine with gpg 1.4.2 under Win95. Your machine seems to be Linux. Unfortunately I cannot test gpg 1.4.2 under Linux at the moment. The first output below is what I described the last two days. When there is not at least one public key in the keyring, which has ultimate trust, gpg tries to find non-existing keys upon importing or receiving (but not from new generated keys). See above for the constant key IDs. Today I thought about it and concluded, it could be dependent on a read of the trustdb after a change and not specifically the import. I made some experiments and it seems to be true. When I set the trust- model via gpg.conf to direct or always, this line never comes. I tried to find the simplest situation for you. I hope, this is simple enough: I deleted everything, added one public key (Werners :) ), set it to ultimate trust, set it back to full trust to have the change in the trustdb and issued --list-key. As you can see below, it brings up the bug. And something new: When I ask for the secret keys after the same procedure, it asks for a new third key ID, which is always the same like the other two. And like before, it is the same on Win95, but with a different ID. I hope, this will help you and that maybe somebody else can reproduce it. Dirk +++++++++++++++++++++++++++++++++++++++++++++ (Delete keyrings and trustdb. I did not delete random_seed. Does it matter? Made new gpg.conf with only one line for shorter output: no-greeting) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf (Import previously exported key file => gpg states: no ultimately trusted key 0022FB70 found) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc gpg: key 57548DCD: public key "Werner Koch (gnupg sig) " imported gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB70 gefunden (Next one is just to show, it has nothing to do with Werners key) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import binner.asc gpg: key D86A0D19: public key "Stephan Binner " imported gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB70 gefunden (Import a new generated, exported and then deleted key => The line comes not!) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc gpg: key 57548DCD: "Werner Koch (gnupg sig) " not changed gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: unver?ndert: 1 (Fetch key from keyserver (tried several) => gpg states: no ultimately trusted key 0022FA10 found) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --keyserver random.sks.keyserver.penguin.de --recv-key 08b0a90b gpg: requesting key 08B0A90B from hkp server random.sks.keyserver.penguin.de gpg: key 08B0A90B: public key "PuTTY Releases (DSA) " imported gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FA10 gefunden gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 +++++++++++++++++++++++++++++++++++++++++++++++ (Start again with deleting everything. Made new gpg.conf with only one line for shorter output: no-greeting) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.bak C:\DOKUME~1\Dirk\ANWEND~1\gnupg>del *.gpg C:\DOKUME~1\Dirk\ANWEND~1\gnupg>edit gpg.conf (As before: Import previously exported key file => gpg states: no ultimately trusted key 0022FB70 found) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --import koch.asc gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\secring.gpg' erstellt gpg: Schl?sselbund `C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg' erstellt gpg: C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\trustdb.gpg: trust-db erzeugt gpg: key 57548DCD: public key "Werner Koch (gnupg sig) " imported gpg: Anzahl insgesamt bearbeiteter Schl?ssel: 1 gpg: importiert: 1 gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB70 gefunden (Set trust to ultimate (I shortened the output)) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --ed koch Befehl> trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Ihre Auswahl? 5 Do you really want to set this key to ultimate trust? (y/N) y Befehl> q (Set trust back to full => no ultimately trusted public key there (even further shortened output)) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg --ed koch gpg: "Trust-DB" wird ?berpr?ft gpg: 3 marignal-needed, 1 complete-needed, PGP Trust-Modell gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: n?chste "Trust-DB"-Pflicht?berpr?fung am 2005-12-31 pub 1024D/57548DCD created: 1998-07-07 expires: 2005-12-31 usage: CSA trust: uneingeschr?nkt G?ltigkeit: uneingeschr?nkt [ultimate] (1). Werner Koch (gnupg sig) Befehl> trust Ihre Auswahl? 4 Befehl> q (Now when I ask for the key-list, there is a look at the trustdb and gpg states: no ultimately trusted key 0022FB70 found) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -k gpg: "Trust-DB" wird ?berpr?ft gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB70 gefunden C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg --------------------------------------------------------------------- pub 1024D/57548DCD 1998-07-07 [expires: 2005-12-31] uid Werner Koch (gnupg sig) (This comes only the first time. A look at the trustdb is nescessary?) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -k C:/Dokumente und Einstellungen/Dirk/Anwendungsdaten/gnupg\pubring.gpg --------------------------------------------------------------------- pub 1024D/57548DCD 1998-07-07 [expires: 2005-12-31] uid Werner Koch (gnupg sig) +++++++++++++++++++++++++++++++++++++++++++++++++++++++ (When I do like before, but ask for the secret keys instead, gpg looks reproducibly for a new third non-exiting key 0022FB80!) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -K gpg: "Trust-DB" wird ?berpr?ft gpg: kein uneingeschr?nkt vertrauensw?rdiger Schl?ssel 0022FB80 gefunden (This also comes only the first time.) C:\DOKUME~1\Dirk\ANWEND~1\gnupg>gpg -K C:\DOKUME~1\Dirk\ANWEND~1\gnupg> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From dirk.traulsen at lypso.de Sat Sep 10 14:21:24 2005 From: dirk.traulsen at lypso.de (Dirk Traulsen) Date: Sat Sep 10 14:19:47 2005 Subject: clean sigs In-Reply-To: <20050909144626.GB12440@jabberwocky.com> References: <4321B5C3.19592.A8F2F80@localhost> Message-ID: <4322EBE4.1624.115C8EA@localhost> Am 9 Sep 2005 um 10:46 hat David Shaw geschrieben: > Unfortunately not, because without the signing key, gpg can't tell if > a signature is valid or not. If there is no way to tell if a > signature is valid then the wrong thing might happen in cleaning. > > Here's an example: > > signature 1 from key 12345678 is dated January 1, 2000. > signature 2 from key 12345678 is dated January 1, 2001. > > It would seem obvious that signature 1 should be removed... but in > fact, signature 1 is valid, and signature 2 is a forgery. If gpg > removes signature 1, then the forger who created signature 2 > effectively "revoked" signature 1. Only if the signing key 12345678 > is present can gpg tell which is the real signature. Ok, now I understand. Maybe it would be helpful to write it in the man page, that you need the key for cleaning. > There is perhaps an argument to be made for a "super clean" that does > clean and also removes any signature where the signing key is not > present (in fact, an early version of clean did that), but that's a > different thing than clean. I think, it would be a good thing to have, especially if you have limited space. The name is funny too. Thank you for your help Dirk From dshaw at jabberwocky.com Sat Sep 10 15:34:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Sep 10 15:35:02 2005 Subject: gpg looking for strange additional key upon import (was Re: clean sigs) In-Reply-To: <4322EBE4.16796.115C86D@localhost> References: <4321B5C3.25048.A8F2EF4@localhost> <4322EBE4.16796.115C86D@localhost> Message-ID: <20050910133425.GB13389@jabberwocky.com> On Sat, Sep 10, 2005 at 02:21:24PM +0200, Dirk Traulsen wrote: > I hope, this will help you and that maybe somebody else can reproduce > it. Aha! I found the problem. It's actually a bug in the German translation. I was testing in English, so never saw it. I'll file a bug for that. Thanks for your help running this one down. David From mus1876 at gmx.info Sat Sep 10 17:34:53 2005 From: mus1876 at gmx.info (MUS1876) Date: Sat Sep 10 18:35:36 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request Message-ID: <4322FD1D.5080007@gmx.info> > I have > friends who currently don't want to use PGP because they fear that their > keys will be uploaded to a keyserver, and then they will be spammed > forever more. Hi, I totally agree what friends of Alphax say. Wouldn't it be cute to have a sepcial option to flag both keys and subkeys as non exportable (uploadable) to keyservers? Speaking of myself at current, I also don't want to see any of my keys posted to a keyserver by someone else, be it on intention or not. From dshaw at jabberwocky.com Sat Sep 10 18:45:59 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Sep 10 18:46:35 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request In-Reply-To: <4322FD1D.5080007@gmx.info> References: <4322FD1D.5080007@gmx.info> Message-ID: <20050910164559.GA14974@jabberwocky.com> On Sat, Sep 10, 2005 at 05:34:53PM +0200, MUS1876 wrote: > > I have > > friends who currently don't want to use PGP because they fear that their > > keys will be uploaded to a keyserver, and then they will be spammed > > forever more. > > Hi, > > I totally agree what friends of Alphax say. > > Wouldn't it be cute to have a sepcial option to flag both keys and > subkeys as non exportable (uploadable) to keyservers? Speaking of myself > at current, I also don't want to see any of my keys posted to a > keyserver by someone else, be it on intention or not. There is such a flag, and GnuPG even sets it by default (type "showpref" in the --edit-key menu and you'll see "keyserver no-modify"). Unfortunately, the keyservers don't honor the flag... David From dougb at dougbarton.net Sat Sep 10 21:00:37 2005 From: dougb at dougbarton.net (Doug Barton) Date: Sat Sep 10 21:00:48 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <432299B5.7080003@galen.org.uk> References: <432299B5.7080003@galen.org.uk> Message-ID: <43232D55.9060105@dougbarton.net> Bob Henson wrote: > Put it the other way round - what useful purpose do they serve? I haven't > seen one yet, ergo they are junk. Um, until you actually get appointed ruler of the universe, you don't get to make that decision for everyone else. :) Seriously though, I interact with a lot of people that get their keys from the GD (their choice, and I'm not in a position to argue), so I need to have my key there, and it needs to be signed by the GD system. You can argue whether what pgp.com is doing is wrong all day long, but it is what it is, and therefore I need to be compatible with it. Thus, I really like the clean options, and have the following in my gpg.conf which works splendidly: import-options import-clean-sigs import-clean-uids export-options export-clean-sigs export-clean-uids keyserver-options import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids > It may do with the nightly builds, but it doesn't yet work on the release > version of GPG. I don't know what you mean about "release version of GPG," but the above works fine with 1.4.2 on both Windows and FreeBSD. hth, Doug -- If you're never wrong, you're not trying hard enough From mus1876 at gmx.info Sat Sep 10 16:42:08 2005 From: mus1876 at gmx.info (MUS1876) Date: Sat Sep 10 22:24:09 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request Message-ID: <4322F0C0.7050502@gmx.info> > I have > friends who currently don't want to use PGP because they fear that their > keys will be uploaded to a keyserver, and then they will be spammed > forever more. Hi, I totally agree what friends of Alphax say. Wouldn't it be cute to have a sepcial option to flag both keys and subkeys as non exportable (uploadable) to keyservers? Speaking of myself at current, I also don't want to see any of my keys posted to a keyserver by someone else, be it on intention or not. From zwon at severodvinsk.ru Sat Sep 10 22:28:57 2005 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Sat Sep 10 23:05:22 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4321E9E6.7080608@excelcia.org> References: <4321E9E6.7080608@excelcia.org> Message-ID: <20050910202857.GA1319@sky.schizandra.ru> On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > Ok, that other thread isn't about the GD, but this one is. I think this > is something that should be discussed and a consensus reached. > > Are they a good/bad signer? > Does something need to be done about them? > Should they be approached by the community? > > ... > > Signature cleaning and/or filtering is not the answer, just as spam > filtering is not the ultimate answer. The cost to the IT industry of > spam filtering is enormous. Let's deal with the problem at the source. > > Kurt. I think this is public more keyservers design problem than GD. Keyserver should accept new signatures only from key owner. -- Pawel I. Shajdo From gnupg at nym.hush.com Sun Sep 11 00:09:33 2005 From: gnupg at nym.hush.com (gnupg@nym.hush.com) Date: Sun Sep 11 01:10:00 2005 Subject: Hushmail troubles...again Message-ID: <200509102209.j8AM9cNw040513@mailserver3.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I've tried over the past week to send encrypted e-mails to a >friend with a Hushmail address from Kmail on SuSE 9.3 . I've got his >key on my keyring and when I hit the 'send' button, it brings up the >gpg window showing the key I'm using and all that and I enter my >passphrase and it sends away as if there's no problem. The problem is, >it always ends up at the Hushmail place as an attachment and no way to >open it or read it. I even made a Hushmail account for myself and >tried it and it did the same thing for me...it came to the Hushmail as >an attachment with no way to open it. Is there something I'm doing >wrong? Is it something Hushmail is doing wrong? Does anyone have any >idea what it could possibly be, because using the Hushmail thing >online is extremely slow for a dial-up user and a PITA when I have >Kmail and gpg on my own >system. Thanks for any ideas to try to fix >this dilemma. > > JB Unless I'm misunderstanding you, your friend is the one with the hush account and you are trying to send to him? For hushmail users to receive encrypted or signed emails from non- hush users the non-hush users must upload their public key to the hush key server. This cannot be done from ldap://keys.hush.com, this is only to retreive keys. You must upload your public key at https://www.hushtools.com and click on the "Key Management" button and then on your left you'll see a link to "Upload a public key". Once your key is uploaded, all hush users can recieve your encrypted emails. For hush users, the hush key server is kinda like one big keyring for everyone. This doc from hush.com about how to use GPG/PGP with hush would be something to look at. http://makeashorterlink.com/?Z131166CB *************** DM Public PGP Key: http://makeashorterlink.com/?A25E3159A -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkMjWcQACgkQ7+E2aQJ0LJ88/wCgh10l4jPEUp0uWkdBLBCi6qZbc0AA nAisU6W3e8hdESQi6oPmJa/3B6j1 =yIM9 -----END PGP SIGNATURE----- From alphasigmax at gmail.com Sun Sep 11 06:03:45 2005 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 11 06:06:17 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <20050910202857.GA1319@sky.schizandra.ru> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> Message-ID: <4323ACA1.3000802@gmail.com> Pawel Shajdo wrote: > On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > >>Ok, that other thread isn't about the GD, but this one is. I think this >>is something that should be discussed and a consensus reached. >> >>Are they a good/bad signer? >>Does something need to be done about them? >>Should they be approached by the community? >> >>... >> >>Signature cleaning and/or filtering is not the answer, just as spam >>filtering is not the ultimate answer. The cost to the IT industry of >>spam filtering is enormous. Let's deal with the problem at the source. >> >> Kurt. > > I think this is public more keyservers design problem than GD. Keyserver > should accept new signatures only from key owner. > That poses a significant problem when someone loses their key, but has a trusted revoker set... there are other situations where someone other than the key's owner would want to upload the key, but I can't think of them at the moment. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From zvrba at globalnet.hr Sun Sep 11 07:58:00 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Sun Sep 11 07:58:17 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <20050910202857.GA1319@sky.schizandra.ru> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> Message-ID: <4323C768.5080808@globalnet.hr> Pawel Shajdo wrote: > > I think this is public more keyservers design problem than GD. Keyserver > should accept new signatures only from key owner. > Hm, maybe to define a "key upload format" which must be signed with the uploaded key itself (analogon of PKCS#10)? Of course, the public key itself should have some flag set to "signed upload only" so that the server doesn't accept it without the corresponding signature. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050911/80a578f6/signature.pgp From alphasigmax at gmail.com Sun Sep 11 09:12:52 2005 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 11 09:15:17 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4323C768.5080808@globalnet.hr> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> <4323C768.5080808@globalnet.hr> Message-ID: <4323D8F4.6040403@gmail.com> Zeljko Vrba wrote: > Pawel Shajdo wrote: > >>I think this is public more keyservers design problem than GD. Keyserver >>should accept new signatures only from key owner. >> > > > Hm, maybe to define a "key upload format" which must be signed with the > uploaded key itself (analogon of PKCS#10)? Of course, the public key > itself should have some flag set to "signed upload only" so that the > server doesn't accept it without the corresponding signature. > However, the keyserver would then have to verify the signature of the uploading key... how much of an extra burden would this be? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From zvrba at globalnet.hr Sun Sep 11 09:32:55 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Sun Sep 11 09:33:09 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4323D8F4.6040403@gmail.com> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> <4323C768.5080808@globalnet.hr> <4323D8F4.6040403@gmail.com> Message-ID: <4323DDA7.8010306@globalnet.hr> Alphax wrote: > > However, the keyserver would then have to verify the signature of the > uploading key... how much of an extra burden would this be? > In what way "extra burden"? Computationally (CPU), programming complexity, or...? Computationally - it would be done only oncem on key upload. It is not really an expensive operation - the same as verifying a GPG signature. And I think that modern servers have much spare CPU time.. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050911/7f62aba0/signature.pgp From alphasigmax at gmail.com Sun Sep 11 09:34:55 2005 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 11 09:37:21 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4323DDA7.8010306@globalnet.hr> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> <4323C768.5080808@globalnet.hr> <4323D8F4.6040403@gmail.com> <4323DDA7.8010306@globalnet.hr> Message-ID: <4323DE1F.80402@gmail.com> Zeljko Vrba wrote: > Alphax wrote: > >>However, the keyserver would then have to verify the signature of the >>uploading key... how much of an extra burden would this be? >> > > In what way "extra burden"? Computationally (CPU), programming > complexity, or...? > > Computationally - it would be done only oncem on key upload. It is not > really an expensive operation - the same as verifying a GPG signature. > And I think that modern servers have much spare CPU time.. > I don't suppose any keyserver operators could tell us the specs on their machines... -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From zvrba at globalnet.hr Sun Sep 11 09:46:12 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Sun Sep 11 09:46:33 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4323DE1F.80402@gmail.com> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> <4323C768.5080808@globalnet.hr> <4323D8F4.6040403@gmail.com> <4323DDA7.8010306@globalnet.hr> <4323DE1F.80402@gmail.com> Message-ID: <4323E0C4.5040000@globalnet.hr> Alphax wrote: > > I don't suppose any keyserver operators could tell us the specs on their > machines... > IMO, more important factor is the number of uploaded keys per hour or day. If a keyserver receives e.g. 100 keys per day, this work could be easily handled by 486/66MHz. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050911/7a642271/signature-0001.pgp From bob.henson at galen.org.uk Sun Sep 11 12:13:27 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Sun Sep 11 12:31:50 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <43232D55.9060105@dougbarton.net> References: <432299B5.7080003@galen.org.uk> <43232D55.9060105@dougbarton.net> Message-ID: <43240347.7010807@galen.org.uk> Doug Barton wrote: > Bob Henson wrote: > >> Put it the other way round - what useful purpose do they serve? I haven't >> seen one yet, ergo they are junk. > > Um, until you actually get appointed ruler of the universe, you don't get to > make that decision for everyone else. :) Seriously though, I interact with a > lot of people that get their keys from the GD (their choice, and I'm not in > a position to argue), so I need to have my key there, and it needs to be > signed by the GD system. You can argue whether what pgp.com is doing is > wrong all day long, but it is what it is, and therefore I need to be > compatible with it. Thus, I really like the clean options, and have the > following in my gpg.conf which works splendidly: > > import-options import-clean-sigs import-clean-uids > export-options export-clean-sigs export-clean-uids > keyserver-options import-clean-sigs import-clean-uids export-clean-sigs > export-clean-uids > >> It may do with the nightly builds, but it doesn't yet work on the release >> version of GPG. > > I don't know what you mean about "release version of GPG," but the above > works fine with 1.4.2 on both Windows and FreeBSD. A P.S. to the last message. I added the above lines and tried again, and neither refreshing a key from the keyserver, uploading a key, nor downloading a new key cause the "clean" to run. I must be doing something silly in the set-up. I created a new file in the same directory as gpg.exe (OK?) called gpg.conf (OK?) and added to it *exactly* your lines above (not line wrapped in the case of the third line. I exited Thunderbird, restarted, and tried the keyserver procedures above. No joy. Does that sound correct? Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it lists the import/export-options "clean" command there is no equivalent key-server-option "clean" command listed - this may just be an oversight in the doc file, of course. I'll away and try exporting my keyring to see what happens. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050911/f9b2e682/signature.pgp From bob.henson at galen.org.uk Sun Sep 11 11:48:25 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Sun Sep 11 12:43:17 2005 Subject: This IS about GD - a proposal on dealing with the problem Message-ID: <4323FD69.2000408@galen.org.uk> Doug Barton wrote: >> Bob Henson wrote: >> > >>>> Put it the other way round - what useful purpose do they serve? I haven't >>>> seen one yet, ergo they are junk. > >> >> Um, until you actually get appointed ruler of the universe, you don't get to >> make that decision for everyone else. :) Seriously though, I interact with a >> lot of people that get their keys from the GD (their choice, and I'm not in >> a position to argue), so I need to have my key there, and it needs to be >> signed by the GD system. You can argue whether what pgp.com is doing is >> wrong all day long, but it is what it is, and therefore I need to be >> compatible with it. Thus, I really like the clean options, and have the >> following in my gpg.conf which works splendidly: >> >> import-options import-clean-sigs import-clean-uids >> export-options export-clean-sigs export-clean-uids >> keyserver-options import-clean-sigs import-clean-uids export-clean-sigs >> export-clean-uids >> > >>>> It may do with the nightly builds, but it doesn't yet work on the release >>>> version of GPG. > >> >> I don't know what you mean about "release version of GPG," but the above >> works fine with 1.4.2 on both Windows and FreeBSD. Hmm, I did mean 1.4.2 - so I'd better try again then, Doug. I tried adding the keyserver options but it didn't do anything here. Maybe you need to have the import export options set too, I tried them first, and then removed them before adding the keyserver options, since I only need the latter. Anyway, I'll set them all and try again. Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050911/51ef8b74/signature.pgp From alphasigmax at gmail.com Sun Sep 11 13:54:16 2005 From: alphasigmax at gmail.com (Alphax) Date: Sun Sep 11 13:56:46 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <43240347.7010807@galen.org.uk> References: <432299B5.7080003@galen.org.uk> <43232D55.9060105@dougbarton.net> <43240347.7010807@galen.org.uk> Message-ID: <43241AE7.4060404@gmail.com> Bob Henson wrote: > > A P.S. to the last message. I added the above lines and tried again, > > and neither refreshing a key from the keyserver, uploading a key, > nor downloading a new key cause the "clean" to run. > > I must be doing something silly in the set-up. I created a new file > in the same directory as gpg.exe (OK?) called gpg.conf (OK?) and > added to it *exactly* your lines above (not line wrapped in the case > of the third line. > I exited Thunderbird, restarted, and tried the keyserver procedures > above. No joy. Does that sound correct? > > Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail > 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it > lists the import/export-options "clean" command there is no > equivalent key-server-option "clean" command listed - this may just > be an oversight in > the doc file, of course. > > I'll away and try exporting my keyring to see what happens. > You need to put gpg.conf in the same directory as you keyrings (eg. C:\Documents and Settings\Bob\Application Data\GnuPG under Windows 2000 and XP). -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From vedaal at hush.com Sun Sep 11 16:51:01 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Sun Sep 11 16:51:13 2005 Subject: Hushmail troubles...again Message-ID: <200509111451.j8BEp4xP045485@mailserver2.hushmail.com> >Message: 1 >Date: Sat, 10 Sep 2005 01:27:02 -0500 >From: John B >Subject: Hushmail troubles...again >To: gnupg-users@gnupg.org >Message-ID: <200509100127.02811.yochanon@localnet.com> >Content-Type: text/plain; charset="us-ascii" > I've tried over the past week to send encrypted e-mails to a >friend with a >Hushmail address from Kmail on SuSE 9.3 . > The problem is, it always ends up at the Hushmail place as an >attachment and >no way to open it or read it. I even made a Hushmail account for >myself and >tried it and it did the same thing for me...it came to the >Hushmail as an >attachment with no way to open it. > Is there something I'm doing wrong? Is it something Hushmail is >doing wrong? >Does anyone have any idea what it could possibly be, it might be that your e-mail program is sending the message as pgp/mime, which hushmail receives as an attachment try sending the message as encrypted inline text, encrypt your message first, copy it into the e-mail program, and send as is i have been doing this with hushmail since it first came out, without problems, (now if i could only figure out how to get hushmail to stop mangling clearsigned sigs ... :-) ) vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From johanw at vulcan.xs4all.nl Fri Sep 9 15:00:31 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Sep 11 20:18:14 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909123135.GD10588@jabberwocky.com> Message-ID: <200509091300.j89D0VuN004913@vulcan.xs4all.nl> David Shaw wrote: >Known by *you*. I rather think the GD is a good signer, for what it >is. I think both of you need to make a difference between a bad signer that signs keys without doing sufficient checking, and a signer that spams signatures in quantities that could become a DOS attack. The GD falls in the second category, not in the first. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From zwon at severodvinsk.ru Sun Sep 11 20:13:58 2005 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Sun Sep 11 20:19:31 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4323ACA1.3000802@gmail.com> References: <4321E9E6.7080608@excelcia.org> <20050910202857.GA1319@sky.schizandra.ru> <4323ACA1.3000802@gmail.com> Message-ID: <20050911181358.GA1017@sky.schizandra.ru> On Sun, Sep 11, 2005 at 01:33:45PM +0930, Alphax wrote: > > On Fri, Sep 09, 2005 at 02:00:38PM -0600, Kurt Fitzner wrote: > > That poses a significant problem when someone loses their key, but has a > trusted revoker set... there are other situations where someone other I mean only key signatures, not revokations > than the key's owner would want to upload the key, but I can't think of what if key's owner don't want it? > them at the moment. > -- Pawel I. Shajdo From cedar at 3web.net Sun Sep 11 21:58:25 2005 From: cedar at 3web.net (cdr) Date: Sun Sep 11 21:59:22 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request In-Reply-To: <4322F0C0.7050502@gmx.info> References: <4322F0C0.7050502@gmx.info> Message-ID: <43248C61.8010401@3web.net> MUS1876 wrote: >>I have >>friends who currently don't want to use PGP because they fear that >>their >>keys will be uploaded to a keyserver, and then they will be spammed >>forever more. > > I totally agree what friends of Alphax say. > > Wouldn't it be cute to have a sepcial option to flag both keys and > subkeys as non exportable (uploadable) to keyservers? Speaking of > myself > at current, I also don't want to see any of my keys posted to a > keyserver by someone else, be it on intention or not. > The time is ripe for a GPG variant: ("GPG-lean" ?): a public key encryption utility with no built-in e-mail ties and no attempt whatsoever to incorporate the solution for the authentication problem. (For the majority of us, fingerprint-exchange-by-voice is more perfectly adequate). CD Rok From JPClizbe at comcast.net Mon Sep 12 01:07:38 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Sep 12 01:08:44 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <43240347.7010807@galen.org.uk> References: <432299B5.7080003@galen.org.uk> <43232D55.9060105@dougbarton.net> <43240347.7010807@galen.org.uk> Message-ID: <4324B8BA.1000703@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob Henson wrote: > A P.S. to the last message. I added the above lines and tried again, and > neither refreshing a key from the keyserver, uploading a key, nor > downloading a new key cause the "clean" to run. > > I must be doing something silly in the set-up. I created a new file in the > same directory as gpg.exe (OK?) called gpg.conf (OK?) and added to it > *exactly* your lines above (not line wrapped in the case of the third line. > I exited Thunderbird, restarted, and tried the keyserver procedures above. > No joy. Does that sound correct? gpg.conf must be in your GnuPG home directory. On Windows systems, this is equivalent to %APPDATA%\GnuPG or, fully expanded, C:\Documents and Settings\User Name\Application Data\GnuPG > Maybe it doesn't work via Enigmail? I'm using GPG 1.4.2 via Enigmail > 0.92.0.0. I checked the doc file I got with GPG 1.4.2 and whilst it lists > the import/export-options "clean" command there is no equivalent > key-server-option "clean" command listed - this may just be an oversight in > the doc file, of course. - From the gpg.man file that shiped with 1.4.2: --keyserver-options parameters This is a space or comma delimited string that gives options for the keyserver. Options can be prepended with a `no-' to give the opposite meaning. Valid import-options or export- options may be used here as well to apply to importing (--recv-key) or exporting (--send-key) a key from a key- server. While not all options are available for all key- server types, some common options are: "Valid import-options or export-options..." -- it's in the documentation. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-2005-09-04 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDJLi5HQSsSmCNKhARAqFYAKC/BRg3a57KIjATxcrW+U2Jw9+pNwCfXAB1 iR5KIh63duS1bJZ8/CHFvUM= =iZ6p -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Sun Sep 11 21:35:28 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 12 02:27:48 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <4321E9E6.7080608@excelcia.org> Message-ID: <200509111935.j8BJZStk008730@vulcan.xs4all.nl> Kurt Fitzner wrote: >Signature cleaning and/or filtering is not the answer, just as spam >filtering is not the ultimate answer. I prefer spam filtering it over laws that compromise privacy as a side effect, but that's another discussion. However, your comparison doesn't work. Email spammers are many, use false sender addresses and are of bad will, making filtering difficult. GD is one, doesn't try to hide its identity so filtering is easy. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Sun Sep 11 21:27:54 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 12 02:27:57 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050909125052.GE10588@jabberwocky.com> Message-ID: <200509111927.j8BJRtcg008604@vulcan.xs4all.nl> David Shaw wrote: >I have sympathy for that argument, so wouldn't it be good to trace >down where the sigs are entering the keyserver net, and ask whoever is >doing it to stop? It seems like the obvious first step. Assuming this is possible at all. I don't know exctly what keyservers log, but I'd assume that making the links GD sig upload -> IP address -> email address is not trivial. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Mon Sep 12 04:28:55 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 12 04:29:42 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509111927.j8BJRtcg008604@vulcan.xs4all.nl> References: <20050909125052.GE10588@jabberwocky.com> <200509111927.j8BJRtcg008604@vulcan.xs4all.nl> Message-ID: <20050912022855.GA15770@jabberwocky.com> On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote: > David Shaw wrote: > > >I have sympathy for that argument, so wouldn't it be good to trace > >down where the sigs are entering the keyserver net, and ask whoever is > >doing it to stop? It seems like the obvious first step. > > Assuming this is possible at all. I don't know exctly what keyservers log, > but I'd assume that making the links GD sig upload -> IP address -> email > address is not trivial. It wasn't an idle suggestion. You can assume that I do, in fact, know that this is possible, or I wouldn't have suggested it. Why on earth an email address is relevant here I have no idea. You don't need anything more than the IP address. I made the suggestion as a challenge. The trace is not actually going to happen, as it is far, far more entertaining to complain and moan about the GD than it would be to see who is bridging the signatures. David From dshaw at jabberwocky.com Mon Sep 12 04:31:26 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 12 04:31:59 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <200509091300.j89D0VuN004913@vulcan.xs4all.nl> References: <20050909123135.GD10588@jabberwocky.com> <200509091300.j89D0VuN004913@vulcan.xs4all.nl> Message-ID: <20050912023126.GB15770@jabberwocky.com> On Fri, Sep 09, 2005 at 03:00:31PM +0200, Johan Wevers wrote: > David Shaw wrote: > > >Known by *you*. I rather think the GD is a good signer, for what it > >is. > > I think both of you need to make a difference between a bad signer that > signs keys without doing sufficient checking, and a signer that spams > signatures in quantities that could become a DOS attack. The GD falls > in the second category, not in the first. No, actually it doesn't. The GD doesn't distribute signatures in bulk. In fact, you have to fetch each new signature manually. David From dshaw at jabberwocky.com Mon Sep 12 04:42:05 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 12 04:42:40 2005 Subject: This IS about GD - a proposal on dealing with the problem In-Reply-To: <43223DE1.4040900@excelcia.org> References: <4321E9E6.7080608@excelcia.org> <20050909212729.GA12723@jabberwocky.com> <43223DE1.4040900@excelcia.org> Message-ID: <20050912024205.GC15770@jabberwocky.com> On Fri, Sep 09, 2005 at 07:58:57PM -0600, Kurt Fitzner wrote: > > It might be useful to tone down the rage here. PGP isn't producing > > toxic waste. They're producing small packets of binary data. Nobody > > is actually being poisoned and dying here. Extra signatures on keys > > do not actually harm anyone, despite all the hysterics that they seem > > to cause. At best, this is an aesthetic problem. > > The keyservers are the individuals being poisoned. It's a heavy metal > poison. In general, heavy metal poisons are dangerous because they > accumulate in the tissues of the affected individual and aren't > naturally cleaned and purged. Also, like the poisoning of many heavy > metals, this onem, if left to accumulate, will cause brain dysfunction > in the infected individuals. There are so many levels of wrong here that I am actually struck utterly silent. Congratulations. I'm leaving the thread. I cannot answer without somehow falsely implying that there is any signal in the noise. David From dshaw at jabberwocky.com Mon Sep 12 05:01:22 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 12 05:01:59 2005 Subject: clean sigs In-Reply-To: <4321A369.1000705@comcast.net> References: <4320D86B.26826.72E8F05@localhost> <4321B5C3.19592.A8F2F80@localhost> <20050909144626.GB12440@jabberwocky.com> <4321A369.1000705@comcast.net> Message-ID: <20050912030122.GA10058@jabberwocky.com> On Fri, Sep 09, 2005 at 09:59:53AM -0500, John Clizbe wrote: > David Shaw wrote: > > There is perhaps an argument to be made for a "super clean" that does > > clean and also removes any signature where the signing key is not > > present (in fact, an early version of clean did that), but that's a > > different thing than clean. > > Perhaps --scrub ? --sanitize ? --disinfect ? I rather like "minimize", but this isn't really a minimal key (as it has signatures other than selfsigs). David From alphasigmax at gmail.com Mon Sep 12 08:13:37 2005 From: alphasigmax at gmail.com (Alphax) Date: Mon Sep 12 08:16:08 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050912022855.GA15770@jabberwocky.com> References: <20050909125052.GE10588@jabberwocky.com> <200509111927.j8BJRtcg008604@vulcan.xs4all.nl> <20050912022855.GA15770@jabberwocky.com> Message-ID: <43251C91.9050106@gmail.com> David Shaw wrote: > On Sun, Sep 11, 2005 at 09:27:54PM +0200, Johan Wevers wrote: > >>David Shaw wrote: >> >> >>>I have sympathy for that argument, so wouldn't it be good to trace >>>down where the sigs are entering the keyserver net, and ask whoever is >>>doing it to stop? It seems like the obvious first step. >> >>Assuming this is possible at all. I don't know exctly what keyservers log, >>but I'd assume that making the links GD sig upload -> IP address -> email >>address is not trivial. > > > It wasn't an idle suggestion. You can assume that I do, in fact, know > that this is possible, or I wouldn't have suggested it. Why on earth > an email address is relevant here I have no idea. You don't need > anything more than the IP address. > > I made the suggestion as a challenge. The trace is not actually going > to happen, as it is far, far more entertaining to complain and moan > about the GD than it would be to see who is bridging the signatures. > It has been suggested that automatically retrieving keys from keyservers can expose your IP to the keyserver manager, as all they have to do is generate a new key, send it to you, and wait until someone downloads that key... It seems likely that sigs from the GD are entering via one of two ways: firstly, individuals putting their keys on the global directory, and then sending their keys with GD sigs out to SKS keyservers; secondly, someone doing a 2-way synchronisation of their entire keyring with both the GD and the SKS network. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From alphasigmax at gmail.com Mon Sep 12 08:17:24 2005 From: alphasigmax at gmail.com (Alphax) Date: Mon Sep 12 08:19:45 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request In-Reply-To: <43248C61.8010401@3web.net> References: <4322F0C0.7050502@gmx.info> <43248C61.8010401@3web.net> Message-ID: <43251D74.30905@gmail.com> cdr wrote: > MUS1876 wrote: >> Alphax wrote: >>> I have friends who currently don't want to use PGP because they >>> fear that their keys will be uploaded to a keyserver, and then >>> they will be spammed forever more. >> >> >> I totally agree what friends of Alphax say. >> >> Wouldn't it be cute to have a sepcial option to flag both keys and >> subkeys as non exportable (uploadable) to keyservers? Speaking of >> myself at current, I also don't want to see any of my keys posted >> to a keyserver by someone else, be it on intention or not. >> > The time is ripe for a GPG variant: ("GPG-lean" ?): a public key > encryption utility with no built-in e-mail ties and no attempt > whatsoever to incorporate the solution for the authentication > problem. (For the majority of us, fingerprint-exchange-by-voice is > more perfectly adequate). > Ciphersaber? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From svz90 at pipeline.com Sun Sep 11 05:59:02 2005 From: svz90 at pipeline.com (Sean Zimmermann) Date: Mon Sep 12 11:09:39 2005 Subject: GPA Problem on Mac Message-ID: <6F06954F-E74E-4DAA-BA65-6B00BFDAA148@pipeline.com> Hello, I recently compiled GPA on my Mac running Tiger, and I got the following error when I tried to run gpa (in xterm): $ gpa dyld: Symbol not found: _pth_connect Referenced from: /usr/local/lib/libgpgme.11.dylib Expected in: flat namespace Trace/BPT trap $ Is there a way to fix this? Thank you in advance for any help, Sean From bob.henson at galen.org.uk Mon Sep 12 11:43:32 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon Sep 12 11:43:25 2005 Subject: Cleaning In-Reply-To: <4324B8BA.1000703@comcast.net> References: <432299B5.7080003@galen.org.uk> <43232D55.9060105@dougbarton.net> <43240347.7010807@galen.org.uk> <4324B8BA.1000703@comcast.net> Message-ID: <43254DC4.8060408@galen.org.uk> John Clizbe wrote: > Bob Henson wrote: > >>> A P.S. to the last message. I added the above lines and tried again, and >>> neither refreshing a key from the keyserver, uploading a key, nor >>> downloading a new key cause the "clean" to run. >>> >>> I must be doing something silly in the set-up. I created a new file in the >>> same directory as gpg.exe (OK?) called gpg.conf (OK?) and added to it >>> *exactly* your lines above (not line wrapped in the case of the third line. >>> I exited Thunderbird, restarted, and tried the keyserver procedures above. >>> No joy. Does that sound correct? > > gpg.conf must be in your GnuPG home directory. On Windows systems, this is > equivalent to %APPDATA%\GnuPG or, fully expanded, > C:\Documents and Settings\User Name\Application Data\GnuPG I finally got that sorted and got it to work, so thanks for the replies and the help. Sadly, when I ran a complete keyring refresh, it screwed up the key-ring altogether (error messages discussed in here before - can't remember precise details from last night, but it concerned something being shorter then the buffer length) and I had to re-install it from an old backup. Just for the moment, I think I'd better stop meddling with things I don't understand, and just use the system when it's working OK. Having said that, I'm off to find out how to change my passphrase from the old back-up keyring to my current passphrase - so I'll probably make a complete hash of that too (pun intended :-) ) Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050912/dfe6ceb8/signature.pgp From wk at gnupg.org Mon Sep 12 12:13:07 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 12 12:16:22 2005 Subject: gpg looking for strange additional key upon import In-Reply-To: <20050910133425.GB13389@jabberwocky.com> (David Shaw's message of "Sat, 10 Sep 2005 09:34:25 -0400") References: <4321B5C3.25048.A8F2EF4@localhost> <4322EBE4.16796.115C86D@localhost> <20050910133425.GB13389@jabberwocky.com> Message-ID: <87oe6yr3v0.fsf@wheatstone.g10code.de> On Sat, 10 Sep 2005 09:34:25 -0400, David Shaw said: > Aha! I found the problem. It's actually a bug in the German > translation. I was testing in English, so never saw it. I'll file a > bug for that. Thanks for your help running this one down. I was sure that gettext points out such problems but obviously it does not anymore (at least not when run in Emac's po-mode). Need to check all translations. Shalom-Salam, Werner From johanw at vulcan.xs4all.nl Mon Sep 12 10:30:46 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 12 14:58:33 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) In-Reply-To: <20050912022855.GA15770@jabberwocky.com> Message-ID: <200509120830.j8C8Uk33000919@vulcan.xs4all.nl> David Shaw wrote: >It wasn't an idle suggestion. You can assume that I do, in fact, know >that this is possible, or I wouldn't have suggested it. Why on earth >an email address is relevant here I have no idea. You don't need >anything more than the IP address. That depends. If that IP address is the http proxy of a large provider you'd need more information to complain at the right person. >I made the suggestion as a challenge. The trace is not actually going >to happen, as it is far, far more entertaining to complain and moan >about the GD than it would be to see who is bridging the signatures. Sorry, but I don't have enough information and knowledge to do it myself. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Mon Sep 12 15:29:20 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 12 15:43:44 2005 Subject: [Announce] GnuPG 1.9.19 (S/MIME and gpg-agent) released Message-ID: <87y862o1n3.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From bob.henson at galen.org.uk Mon Sep 12 16:41:36 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Mon Sep 12 16:41:23 2005 Subject: GnuPG 1.9.19 Message-ID: <432593A0.4060000@galen.org.uk> Is there a version of GnuPG 1.9.19 compiled for Windows? Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050912/0f4a18f5/signature.pgp From cedar at 3web.net Mon Sep 12 16:52:49 2005 From: cedar at 3web.net (cdr) Date: Mon Sep 12 16:53:32 2005 Subject: [Sks-devel] stripping GD sigs (was: Re: clean sigs) / Feature Request In-Reply-To: <43251D74.30905@gmail.com> References: <4322F0C0.7050502@gmx.info> <43248C61.8010401@3web.net> <43251D74.30905@gmail.com> Message-ID: <43259641.4070201@3web.net> Alphax wrote: >>The time is ripe for a GPG variant: ("GPG-lean" ?): a public key >>encryption utility with no built-in e-mail ties and no attempt >>whatsoever to incorporate the solution for the authentication >>problem. (For the majority of us, fingerprint-exchange-by-voice >>is perfectly adequate). > > Ciphersaber? > ...public key...! (Hybrid actually, but that is understood). (There is no shortage of excellent symmetric encryptors, easier to use and based on stronger ciphers. Ciphersaber is an RC4 based, specifically designed to satisfy a somewhat dubious notion of "let's-all-make-our-own-crypto-software"). cdr From wk at gnupg.org Mon Sep 12 18:06:15 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 12 18:11:21 2005 Subject: GnuPG 1.9.19 In-Reply-To: <432593A0.4060000@galen.org.uk> (Bob Henson's message of "Mon, 12 Sep 2005 15:41:36 +0100") References: <432593A0.4060000@galen.org.uk> Message-ID: <87vf16l18o.fsf@wheatstone.g10code.de> On Mon, 12 Sep 2005 15:41:36 +0100, Bob Henson said: > Is there a version of GnuPG 1.9.19 compiled for Windows? No. I have not tried to build it. Probably some minor things need to get fixed. Shalom-Salam, Werner From henkdebruijn at wanadoo.nl Mon Sep 12 20:17:57 2005 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Mon Sep 12 20:20:13 2005 Subject: gpg: invalid armor header Message-ID: <1528448156.20050912201757@wanadoo.nl> I tried to verify a clearsigned (inline signed) message. Used digest algorhythm Hash: SHA512 This is what I get when I try to verify the message: "gpg: invalid armor header: www.pgp.com" When I made a remark about this I was pointed in the direction that it maybe had something to do with wrapping a header??? I have never seen this happening with my MUA The Bat! Does anybody know what is happening? -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System? version 3.5 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust From dshaw at jabberwocky.com Mon Sep 12 20:30:09 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 12 20:30:43 2005 Subject: gpg: invalid armor header In-Reply-To: <1528448156.20050912201757@wanadoo.nl> References: <1528448156.20050912201757@wanadoo.nl> Message-ID: <20050912183009.GF11238@jabberwocky.com> On Mon, Sep 12, 2005 at 08:17:57PM +0200, Henk M. de Bruijn wrote: > I tried to verify a clearsigned (inline signed) message. > > Used digest algorhythm Hash: SHA512 > > This is what I get when I try to verify the message: > > "gpg: invalid armor header: www.pgp.com" > > When I made a remark about this I was pointed in the direction that it > maybe had something to do with wrapping a header??? That comment was correct. What happens is a message that has a version line that is very long. Something like: Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com The line is long enough that the "www.pgp.com" on the end linewraps around when the message is pasted into some mail clients. The www.pgp.com on its own line breaks the message. David From yochanon at localnet.com Tue Sep 13 07:50:06 2005 From: yochanon at localnet.com (John B) Date: Tue Sep 13 07:50:29 2005 Subject: Hushmail troubles...again In-Reply-To: <200509111451.j8BEp4xP045485@mailserver2.hushmail.com> References: <200509111451.j8BEp4xP045485@mailserver2.hushmail.com> Message-ID: <200509130050.06556.yochanon@localnet.com> On Sunday 11 September 2005 09:51, vedaal@hush.com wrote: > >Message: 1 > >Date: Sat, 10 Sep 2005 01:27:02 -0500 > >From: John B > >Subject: Hushmail troubles...again > >To: gnupg-users@gnupg.org > >Message-ID: <200509100127.02811.yochanon@localnet.com> > >Content-Type: text/plain; charset="us-ascii" > > > > I've tried over the past week to send encrypted e-mails to a > >friend with a > >Hushmail address from Kmail on SuSE 9.3 . > > > > The problem is, it always ends up at the Hushmail place as an > >attachment and > >no way to open it or read it. I even made a Hushmail account for > >myself and > >tried it and it did the same thing for me...it came to the > >Hushmail as an > >attachment with no way to open it. > > Is there something I'm doing wrong? Is it something Hushmail is > >doing wrong? > >Does anyone have any idea what it could possibly be, > > it might be that your e-mail program is sending the message as > pgp/mime, > which hushmail receives as an attachment > > try sending the message as encrypted inline text, > > encrypt your message first, > copy it into the e-mail program, > and send as is I just tried this to 'my' hushmail account, and it worked fine, but my friend still can't decrypt mine for anything. I've uploaded *all* my public keys to the hushmail server and tried all my addresses and still no go for anyone but my own account. Any ideas what I'm doing wrong? John From rbreiddal at presinet.com Tue Sep 13 00:47:41 2005 From: rbreiddal at presinet.com (Ryley Breiddal) Date: Tue Sep 13 11:13:23 2005 Subject: [outlgpg] Outlook 2002 Crash Message-ID: <04CD4FAAABDDC543BA2B33D5C043F9170745B8@presinet-main2.PRESINET.local> >Please use the new GPGol version. The old 'OutlGPG' version will no >longer be maintained and is now replaced with GPGol. Excellent. I have updated to this version, which now leaves me with the following: Outlook 2002 SP2 GPGol 0.9.0 GPG 1.4.2 WinPT 0.10.1 (updated this too) Everything is still the same in terms of crashes on signing, and I logged the following from the Debug log: 2636/olflange.cpp:ExchEntryPoint: creating new CGPGExchExt object 2636/olflange.cpp:Install: context=0x6 (SendNoteMessage) flags=0x0 2636/olflange.cpp:InstallCommands: context=0x6 (SendNoteMessage) flags=0x0 2636/olflange.cpp:find_outlook_property: looking for `ConversationIndex' 2636/olflange.cpp:find_outlook_property: got IDispatch=05F1860C dispid=113 2636/olflange.cpp:InstallCommands: ConversationIndex is `' 2636/olflange.cpp:OnCheckNames: received 2636/olflange.cpp:OnCheckNamesComplete: received 2636/olflange.cpp:OnSubmit: received 2636/olflange.cpp:OnWrite: received 2636/olflange.cpp:OnWriteComplete: received 2636/gpgmsg.cpp:sign: enter message=02F165A0 2636/gpgmsg.cpp:loadBody: loaded body `Test Message ' at 02BFD9B8 2636/decrypt_key_dlg_proc: WM_INITDIALOG I'm not sure if it's of interest, but there was other bits like this in the log: 2264/gpgme can't find a suitable OpenPGP backend: Invalid crypto engine 2264/olflange.cpp:CGPGExchExt: first time initialization done 2264/olflange.cpp:Install: context=0x1 (Session) flags=0x0 2264/olflange.cpp:Install: can't handle this context 2264/olflange.cpp:~CGPGExchExt: cleaning up CGPGExchExt object 2264/olflange.cpp:~CGPGExchExt: DLL closed down 2264/olflange.cpp:ExchEntryPoint: creating new CGPGExchExt object 2264/gpgme can't find a suitable OpenPGP backend: Invalid crypto engine 2264/olflange.cpp:CGPGExchExt: first time initialization done 2264/olflange.cpp:Install: context=0x2 (Viewer) flags=0x0 2264/olflange.cpp:InstallCommands: context=0x2 (Viewer) flags=0x0 2264/olflange.cpp:ExchEntryPoint: creating new CGPGExchExt object 2264/olflange.cpp:Install: context=0x7 (ReadNoteMessage) flags=0x0 2264/olflange.cpp:InstallCommands: context=0x7 (ReadNoteMessage) flags=0x0 2264/olflange.cpp:OnRead: received 2264/show_mapi_property: PR_CONVERSATION_INDEX=01C5B7E400E8D636E56AD3E94CD39EBFD481F73041E6 Which seemed interesting - gpgme seems to be complaining that it can't find gpg.exe, but it is properly specified in Tools->Options->Advanced (in Outlook, if that's even relevant). For quicker response, CC me on replies. Thanks, _______________________________ Ryley Breiddal From sysop at sperryservices.com Tue Sep 13 10:33:30 2005 From: sysop at sperryservices.com (Richard Sperry) Date: Tue Sep 13 11:13:28 2005 Subject: Hushmail troubles...again In-Reply-To: <200509130050.06556.yochanon@localnet.com> Message-ID: Have him use something like winpt and decrypt current screen. Or since it's a web based solution, have them add the extentions for gnupg. Ie; blah.pgp and blah.gpg -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of John B Sent: Monday, September 12, 2005 10:50 PM To: gnupg-users@gnupg.org Subject: Re: Hushmail troubles...again On Sunday 11 September 2005 09:51, vedaal@hush.com wrote: > >Message: 1 > >Date: Sat, 10 Sep 2005 01:27:02 -0500 > >From: John B > >Subject: Hushmail troubles...again > >To: gnupg-users@gnupg.org > >Message-ID: <200509100127.02811.yochanon@localnet.com> > >Content-Type: text/plain; charset="us-ascii" > > > > I've tried over the past week to send encrypted e-mails to a friend > >with a Hushmail address from Kmail on SuSE 9.3 . > > > > The problem is, it always ends up at the Hushmail place as an > >attachment and no way to open it or read it. I even made a Hushmail > >account for myself and tried it and it did the same thing for me...it > >came to the Hushmail as an attachment with no way to open it. > > Is there something I'm doing wrong? Is it something Hushmail is > >doing wrong? > >Does anyone have any idea what it could possibly be, > > it might be that your e-mail program is sending the message as > pgp/mime, which hushmail receives as an attachment > > try sending the message as encrypted inline text, > > encrypt your message first, > copy it into the e-mail program, > and send as is I just tried this to 'my' hushmail account, and it worked fine, but my friend still can't decrypt mine for anything. I've uploaded *all* my public keys to the hushmail server and tried all my addresses and still no go for anyone but my own account. Any ideas what I'm doing wrong? John _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Tue Sep 13 15:33:54 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 13 15:36:24 2005 Subject: [outlgpg] Outlook 2002 Crash In-Reply-To: <04CD4FAAABDDC543BA2B33D5C043F9170745B8@presinet-main2.PRESINET.local> (Ryley Breiddal's message of "Mon, 12 Sep 2005 15:47:41 -0700") References: <04CD4FAAABDDC543BA2B33D5C043F9170745B8@presinet-main2.PRESINET.local> Message-ID: <87ll21drct.fsf@wheatstone.g10code.de> On Mon, 12 Sep 2005 15:47:41 -0700, Ryley Breiddal said: > 2264/gpgme can't find a suitable OpenPGP backend: Invalid crypto engine I guess that this is due to a bug in gpgme.dll. You installed gpg Below something like "c:\Program Files", right. There is a bug in gpgme which doesn't properly quote the program's name (i.e. argv[0]) and thus gpg sees "Files\..." as its first argument which is not valid. Please replace the gpgme.dll with the one at: ftp://ftp.g10code.com/g10code/gpgol/gpgme.dll (42k) ftp://ftp.g10code.com/g10code/gpgol/gpgme.dll.sig and try again. I have not yet commited the changes but will do so if it works for you. Salam-Shalom, Werner From vedaal at hush.com Tue Sep 13 17:24:43 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Tue Sep 13 17:24:55 2005 Subject: Gnupg-users Digest, Vol 24, Issue 34 Message-ID: <20050913152446.E756733C58@mailserver5.hushmail.com> >Message: 8 >Date: Tue, 13 Sep 2005 00:50:06 -0500 >From: John B >Subject: Re: Hushmail troubles...again >On Sunday 11 September 2005 09:51, vedaal@hush.com wrote: >> try sending the message as encrypted inline text, >> >> encrypt your message first, >> copy it into the e-mail program, >> and send as is > > I just tried this to 'my' hushmail account, and it worked fine, >but my >friend still can't decrypt mine for anything. I've uploaded *all* >my public >keys to the hushmail server and tried all my addresses and still >no go for >anyone but my own account. > Any ideas what I'm doing wrong? what key are you encrypting to? if you are encrypting to your friend's gnupg generated public key, then, there is one simple step he needs to do when he receives your inline encrypted mussage: hushmail will give an error message that it cannot decrypt (because it doesn't have the private key of the gnupg generated keypair, [which is the way it should be, the private key shouldn't really be entrusted to anyone else, even hushmail ;-) ] when hushmail gives this error message, just click on 'options' in the hushmail e-mail message window, then on 'show original', and hushmail will display your encrypted message, which he can then decrypt in gnupg now, if your friend has 'only' hushmail, and doesn't use gnupg, and wants to decrypt your messages, then you need his hushmail public key, (which either he needs to send to you, or, if you have a hushmail account too, you can retrieve it from 'hushtools' 'key management' 'retrieve a public key') import your friend's hush key into gnupg, encrypt to it, and then he will be able to decrypt the message directly vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From bob.henson at galen.org.uk Wed Sep 14 11:42:10 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Wed Sep 14 11:42:06 2005 Subject: Importing keys Message-ID: <4327F072.3050608@galen.org.uk> I can't find anything in the man page about key import file formats. Other than ascii files, can GnuPG import any other file formats and if so what? Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050914/d40a25fe/signature.pgp From wk at gnupg.org Wed Sep 14 12:06:24 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 14 12:11:24 2005 Subject: Importing keys In-Reply-To: <4327F072.3050608@galen.org.uk> (Bob Henson's message of "Wed, 14 Sep 2005 10:42:10 +0100") References: <4327F072.3050608@galen.org.uk> Message-ID: <87psrc7ylb.fsf@wheatstone.g10code.de> On Wed, 14 Sep 2005 10:42:10 +0100, Bob Henson said: > I can't find anything in the man page about key import file formats. Other > than ascii files, can GnuPG import any other file formats and if so what? gpg knows about both OpenPGP defiend formats: Binary and ASCII armored. It will automagically detect the mode. See rfc2440 for the OpenPGP key formats. Salam-Shalom, Werner From alphasigmax at gmail.com Wed Sep 14 12:21:37 2005 From: alphasigmax at gmail.com (Alphax) Date: Wed Sep 14 12:24:06 2005 Subject: Importing keys In-Reply-To: <87psrc7ylb.fsf@wheatstone.g10code.de> References: <4327F072.3050608@galen.org.uk> <87psrc7ylb.fsf@wheatstone.g10code.de> Message-ID: <4327F9B1.1050309@gmail.com> Werner Koch wrote: > On Wed, 14 Sep 2005 10:42:10 +0100, Bob Henson said: > > >>I can't find anything in the man page about key import file formats. Other >>than ascii files, can GnuPG import any other file formats and if so what? > > > gpg knows about both OpenPGP defiend formats: Binary and ASCII > armored. It will automagically detect the mode. See rfc2440 for the > OpenPGP key formats. > > Can GPG use ascii-armored keyrings? Or must keyrings be binary files? -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From blueness at gmx.net Wed Sep 14 13:33:35 2005 From: blueness at gmx.net (Mica Mijatovic) Date: Wed Sep 14 13:39:22 2005 Subject: Importing keys In-Reply-To: <4327F072.3050608@galen.org.uk> References: <4327F072.3050608@galen.org.uk> Message-ID: <1093209137.20050914133335@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: TIGER192 Was Wed, 14 Sep 2005, at 10:42:10 +0100, when Bob wrote: > I can't find anything in the man page about key import file formats. > Other than ascii files, can GnuPG import any other file formats and if > so what? Every file containing a valid key data can be imported by GnuPG, regardless the file extension and the file format. As I know there are only two formats: ascii ("armored"), which is actually a plain text format, and the binary format (the one not very readable by a human). GnuPG (as a genuinely *nix application) reads and recognizes actually the file format primarily and doesn't pay attention at its "extension" (as is the case with Windows). Usually, extensions for these formats are: ascii binary ===== ====== .txt .gpg .asc .pgp .sec .sig etc. .pub .rev etc. GnuPG also can read (import) properly even if a file has no any extension, and/or if a file has _any_ extension, even mangled one or completely arbitrary one. It will, for instance, properly import a valid key data even if a file is with extension key.jpg (mangled extension), key (no extension) and key.fricassee (arbitrary extension). (PGP, though, as an exclusively Windows application, will be deluded by such extensions, and will say it doesn't recognize the file format, even without reading it, so that will import nothing.) - -- Mica PGP keys nestled at: http://bardo.port5.com/pgpkeys/ ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s). ~~~ -----BEGIN PGP SIGNATURE----- iQEVAwUBQygKjLSpHvHEUtv8AQbKmAf/ZNvAx1/8roIpW/3wJXnYTmiFqzIRDb3D bN2S6RqXZxxH1xlKQsKsSZ7CQ72ceqY7sR/9tnXPD04YEmaXLIp8Onfl0bJmgl95 KG0JgadJB94f6Sy3ez/qjTyyBgJ23Mse1OCiBEvUyxk4Tcc1EcYFHoxNuh2eI6ez fSsGsD8/8rTb70fzRELx0PYCeXPUFeHsLge68fEON+y8KPJmAlc9qKdVDjBsUSTv iftJXWnqZxlXbkckx3X3GURZVHcisYHB28L8ycdBSUeQm5D0ewHmZV3NVXAtf8ba my+NwmM+I62tegkjGRgaWx3Bin/oGg5lwiULzApq+f1TuJYj9CJyJw== =H4Pt -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Wed Sep 14 13:45:14 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 14 13:45:49 2005 Subject: Importing keys In-Reply-To: <4327F9B1.1050309@gmail.com> References: <4327F072.3050608@galen.org.uk> <87psrc7ylb.fsf@wheatstone.g10code.de> <4327F9B1.1050309@gmail.com> Message-ID: <20050914114514.GA14796@jabberwocky.com> On Wed, Sep 14, 2005 at 07:51:37PM +0930, Alphax wrote: > Werner Koch wrote: > > On Wed, 14 Sep 2005 10:42:10 +0100, Bob Henson said: > > > > > >>I can't find anything in the man page about key import file formats. Other > >>than ascii files, can GnuPG import any other file formats and if so what? > > > > > > gpg knows about both OpenPGP defiend formats: Binary and ASCII > > armored. It will automagically detect the mode. See rfc2440 for the > > OpenPGP key formats. > > > > > > Can GPG use ascii-armored keyrings? Or must keyrings be binary files? Keyrings must be binary format. Incidentally, keyring format isn't defined by the RFC - just the import/export transport format. Historically, though, most programs use the binary format. It isn't guaranteed to stay this way forever, and this is why there is the frequent advice to not rely on the fact that a keyring is just a block of binary keys glued together. David From bob.henson at galen.org.uk Wed Sep 14 15:51:34 2005 From: bob.henson at galen.org.uk (Bob Henson) Date: Wed Sep 14 15:51:32 2005 Subject: Importing keys In-Reply-To: <1093209137.20050914133335@gmx.net> References: <4327F072.3050608@galen.org.uk> <1093209137.20050914133335@gmx.net> Message-ID: <43282AE6.8010603@galen.org.uk> Mica Mijatovic wrote: > Was Wed, 14 Sep 2005, at 10:42:10 +0100, > when Bob wrote: > >>> I can't find anything in the man page about key import file formats. >>> Other than ascii files, can GnuPG import any other file formats and if >>> so what? > > Every file containing a valid key data can be imported by GnuPG, > regardless the file extension and the file format. > > As I know there are only two formats: ascii ("armored"), which is > actually a plain text format, and the binary format (the one not very > readable by a human). > > GnuPG (as a genuinely *nix application) reads and recognizes actually > the file format primarily and doesn't pay attention at its "extension" > (as is the case with Windows). > > Usually, extensions for these formats are: > > ascii binary > ===== ====== > .txt .gpg > .asc .pgp > .sec .sig etc. > .pub > .rev etc. > > GnuPG also can read (import) properly even if a file has no any > extension, and/or if a file has _any_ extension, even mangled one or > completely arbitrary one. > > It will, for instance, properly import a valid key data even if a file > is with extension key.jpg (mangled extension), key (no extension) and > key.fricassee (arbitrary extension). > > (PGP, though, as an exclusively Windows application, will be deluded by > such extensions, and will say it doesn't recognize the file format, even > without reading it, so that will import nothing.) Thanks, that's what I was trying to find out. I was confused by all the formats (and their extensions) for sharing information - .pfx .p7b .cer etc. I was trying to use data from Windows and import to GPG. As you remark, the extension is irrelevant, so long as the file is DER encoded binary ( possibly base 64 as well? - I haven't tried that). I have managed (don't ask me how) to get what appears to be a working x.509 certificate from Thawtes onto my GPG keyring, and have self signed it. I thought I'd have a go at getting another onto the keyring, but didn't know what format to export it from Windows. It would appear that I can only export the *public* keys from the X.509 certs as binary files - the key pairs will only export in .pfx format, which GPG won't import, so I guess it's some sort of Windows proprietary format. This is more or less for academic interest only, and I am only able to work on an empirical basis, not understanding the technicalities involved - but when, as I am, you're crocked and stuck indoors and have nothing else to do it seemed like a good idea :-) Regards, Bob -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050914/2ad649f4/signature-0001.pgp From garysaved at frontiernet.net Wed Sep 14 16:39:56 2005 From: garysaved at frontiernet.net (Gary Graham) Date: Wed Sep 14 16:40:04 2005 Subject: Two questions Message-ID: <4328363C.3030402@frontiernet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have a couple questions I have not been able to figure out on my own. First, and probably easiest: Is it possible to put a photo into a key? I see some keys have it, but have not figured how to do it. Second: I have a Thawte Freemail certificate. I have Enigmail set to use it. How do I import it, or whatever, it into my GNUpg keyring? I see several have done it. Thanks in advance. Gary -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFDKDY8JgYFZehli50RAgZRAJ9ZgVaRvnSTCoFO3/d7GcPWerdIBgCcDTFO LvF7BpWYmOAaUJcBGQ6h0og= =9ztg -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3202 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050914/3912ff5b/smime.bin From dshaw at jabberwocky.com Wed Sep 14 17:06:07 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 14 17:06:45 2005 Subject: Two questions In-Reply-To: <4328363C.3030402@frontiernet.net> References: <4328363C.3030402@frontiernet.net> Message-ID: <20050914150607.GB16898@jabberwocky.com> On Wed, Sep 14, 2005 at 10:39:56AM -0400, Gary Graham wrote: > I have a couple questions I have not been able to figure out on my own. > First, and probably easiest: Is it possible to put a photo into a > key? I see some keys have it, but have not figured how to do it. gpg --edit-key (thekey) addphoto > Second: I have a Thawte Freemail certificate. I have Enigmail set to > use it. How do I import it, or whatever, it into my GNUpg keyring? I > see several have done it. I'm not quite sure what you mean here. Thawte certs are X.509 - it's a different creature than OpenPGP. David From wk at gnupg.org Wed Sep 14 17:07:50 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 14 17:11:25 2005 Subject: Importing keys In-Reply-To: <43282AE6.8010603@galen.org.uk> (Bob Henson's message of "Wed, 14 Sep 2005 14:51:34 +0100") References: <4327F072.3050608@galen.org.uk> <1093209137.20050914133335@gmx.net> <43282AE6.8010603@galen.org.uk> Message-ID: <87mzmf662h.fsf@wheatstone.g10code.de> On Wed, 14 Sep 2005 14:51:34 +0100, Bob Henson said: > I was trying to use data from Windows and import to GPG. As you remark, the > extension is irrelevant, so long as the file is DER encoded binary ( > possibly base 64 as well? - I haven't tried that). I have managed (don't ask Fortunatley OpenPGP does not make use of any ASN.1 encoding and thus we don't use DER but the OpenPGP binary format. > me how) to get what appears to be a working x.509 certificate from Thawtes > onto my GPG keyring, and have self signed it. I thought I'd have a go at For X.509 you need to install gpg's cousin gpgsm which is available in the package gnupg-1.9.19 in the alpha directory of the ftp servers. gpgsm can cope with S/MIME (X.509 and CMS) and also import export _some_ p12/pfx files. Shalom-Salam, Werner From yochanon at localnet.com Wed Sep 14 17:16:46 2005 From: yochanon at localnet.com (John B) Date: Wed Sep 14 17:17:03 2005 Subject: Gnupg-users Digest, Vol 24, Issue 34 In-Reply-To: <20050913152446.E756733C58@mailserver5.hushmail.com> References: <20050913152446.E756733C58@mailserver5.hushmail.com> Message-ID: <200509141016.47003.yochanon@localnet.com> On Tuesday 13 September 2005 10:24, vedaal@hush.com wrote: > what key are you encrypting to? Got it figured out. I was encrypting with 'my' keys instead of encrypting with 'his' key . Thanks for the help! From bht at actrix.gen.nz Thu Sep 15 01:38:22 2005 From: bht at actrix.gen.nz (Bernard) Date: Thu Sep 15 01:36:57 2005 Subject: How to delete a secret key in batch mode? Message-ID: Hi, I have added a secret key in batch mode. Now I want to delete it in batch mode. gpg prints an error: gpg: can't do that in batchmode gpg: (unless you specify the key by fingerprint) The command I use is: C:\gnupg\gpg.exe --homedir "\tmp" --yes --batch --delete-secret-key 1CBB4C01 It looks like I am doing what the error message requests: Specifying the key by fingerprint. Am I overlooking anything? I am desparately looking for an answer to this (in clean simple batch mode). Many thanks Bernard From dshaw at jabberwocky.com Thu Sep 15 03:00:30 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 15 03:01:08 2005 Subject: How to delete a secret key in batch mode? In-Reply-To: References: Message-ID: <20050915010030.GA17774@jabberwocky.com> On Thu, Sep 15, 2005 at 11:38:22AM +1200, Bernard wrote: > Hi, > > I have added a secret key in batch mode. > > Now I want to delete it in batch mode. > > gpg prints an error: > > gpg: can't do that in batchmode > gpg: (unless you specify the key by fingerprint) > > The command I use is: > > C:\gnupg\gpg.exe --homedir "\tmp" --yes --batch --delete-secret-key > 1CBB4C01 > > It looks like I am doing what the error message requests: Specifying > the key by fingerprint. > > Am I overlooking anything? 1CBB4C01 is not a fingerprint. Do this: gpg --fingerprint 1CBB4C01 The resulting value is a fingerprint. David From bht at actrix.gen.nz Thu Sep 15 05:20:24 2005 From: bht at actrix.gen.nz (Bernard) Date: Thu Sep 15 05:18:59 2005 Subject: How to delete a secret key in batch mode? In-Reply-To: <20050915010030.GA17774@jabberwocky.com> References: <20050915010030.GA17774@jabberwocky.com> Message-ID: Hi David Thanks for your help. Where can I find the syntax for deleting a secret key by fingerprint? I get an eof error when I use what I guess is the fingerprint: C:\gnupg\gpg.exe --homedir "\tmp" --fingerprint 1CBB4C01 pub 1024D/1CBB4C01 2005-09-14 Key fingerprint = 361C C290 F145 7D9B AB8F D49C 18C3 9694 1CBB 4C01 uid bttest$actrix.gen.nz (Test key comment) sub 1024g/87D138B1 2005-09-14 C:\gnupg\gpg.exe --homedir "\tmp" --batch --delete-secret-key "361C C290 F145 7D9B AB8F D49C 18C3 9694 1CBB 4C01" gpg: key "361C C290 F145 7D9B AB8F D49C 18C3 9694 1CBB 4C01" not found: eof gpg: 361C C290 F145 7D9B AB8F D49C 18C3 9694 1CBB 4C01: delete key failed: eof Thanks again Bernard On Wed, 14 Sep 2005 21:00:30 -0400, you wrote: >On Thu, Sep 15, 2005 at 11:38:22AM +1200, Bernard wrote: >> Hi, >> >> I have added a secret key in batch mode. >> >> Now I want to delete it in batch mode. >> >> gpg prints an error: >> >> gpg: can't do that in batchmode >> gpg: (unless you specify the key by fingerprint) >> >> The command I use is: >> >> C:\gnupg\gpg.exe --homedir "\tmp" --yes --batch --delete-secret-key >> 1CBB4C01 >> >> It looks like I am doing what the error message requests: Specifying >> the key by fingerprint. >> >> Am I overlooking anything? > >1CBB4C01 is not a fingerprint. Do this: > > gpg --fingerprint 1CBB4C01 > >The resulting value is a fingerprint. > >David > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From dshaw at jabberwocky.com Thu Sep 15 05:29:09 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Sep 15 05:29:57 2005 Subject: How to delete a secret key in batch mode? In-Reply-To: References: <20050915010030.GA17774@jabberwocky.com> Message-ID: <20050915032909.GB17774@jabberwocky.com> On Thu, Sep 15, 2005 at 03:20:24PM +1200, Bernard wrote: > Hi David > > Thanks for your help. > > Where can I find the syntax for deleting a secret key by fingerprint? > > I get an eof error when I use what I guess is the fingerprint: > > > C:\gnupg\gpg.exe --homedir "\tmp" --fingerprint 1CBB4C01 > pub 1024D/1CBB4C01 2005-09-14 > Key fingerprint = 361C C290 F145 7D9B AB8F D49C 18C3 9694 1CBB > 4C01 > uid bttest$actrix.gen.nz (Test key comment) > > sub 1024g/87D138B1 2005-09-14 > > C:\gnupg\gpg.exe --homedir "\tmp" --batch --delete-secret-key "361C > C290 F145 7D9B AB8F D49C 18C3 9694 1CBB 4C01" Take the spaces out. David From JPClizbe at comcast.net Thu Sep 15 08:12:41 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Sep 15 08:13:20 2005 Subject: Importing keys In-Reply-To: <43282AE6.8010603@galen.org.uk> References: <4327F072.3050608@galen.org.uk> <1093209137.20050914133335@gmx.net> <43282AE6.8010603@galen.org.uk> Message-ID: <432910D9.5040903@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob Henson wrote: > Thanks, that's what I was trying to find out. I was confused by all the > formats (and their extensions) for sharing information - .pfx .p7b .cer etc. > I was trying to use data from Windows and import to GPG. As you remark, the > extension is irrelevant, so long as the file is DER encoded binary ( > possibly base 64 as well? - I haven't tried that). I have managed (don't ask > me how) to get what appears to be a working x.509 certificate from Thawtes > onto my GPG keyring, and have self signed it. I thought I'd have a go at > getting another onto the keyring, but didn't know what format to export it > from Windows. It would appear that I can only export the *public* keys from > the X.509 certs as binary files - the key pairs will only export in .pfx > format, which GPG won't import, so I guess it's some sort of Windows > proprietary format. Backup from Mozilla/Firefox/Netscape as .p12 Backup from IE as .pfx Import it to OpenPGP format using PGPkeys from PGP 8 or 9. Then you can export pub and secret key to an .asc for importing to GPG. Or you can CTRL-C to copy the key in PGPkeys and import from clipboard with WinPT or GPGshell. The PGP-Basics Yahoo! group can help you a lot more on this. Several of the folks there have loaded X.509 Certs into PGP. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3891-2005-09-13 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDKRDYHQSsSmCNKhARAqfUAKDwnVHijl2hQ5kEQOusz23KuPrcigCg/cC8 GSKjHTanajNrHqmk/nTuxsk= =TwDD -----END PGP SIGNATURE----- From JPClizbe at comcast.net Thu Sep 15 09:12:06 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Sep 15 09:17:51 2005 Subject: Two questions In-Reply-To: <4328363C.3030402@frontiernet.net> References: <4328363C.3030402@frontiernet.net> Message-ID: <43291EC6.5010304@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gary Graham wrote: > I have a couple questions I have not been able to figure out on my own. > First, and probably easiest: Is it possible to put a photo into a > key? I see some keys have it, but have not figured how to do it. gpg --edit-key addphoto > Second: I have a Thawte Freemail certificate. I have Enigmail set to > use it. How do I import it, or whatever, it into my GNUpg keyring? I > see several have done it. How do I say "It's more trouble than it's worth"? You have to use PGP as an intermediate step. The CA cert on X.509 certificate is not recognized by GnuPG 1.4.x and shows up as a signature from keyid 0x00000000. PGP will consider the X.509 as a valid key if you import the CAs keys and sign them as a trusted introducer. For GnuPG to consider the X.509 RSA key material valid you need to either sign the key with your default key or self-sign the key. Unless your identity has been verified by Thawte's Assurance program, the key will have your name as "Thawte Freemail Member" - not exactly a stand out on the keyservers. Key prefs are another pain. Am imported Thawte cert shows: Cipher: 3DES Digest: SHA1 Compression: ZIP, Uncompressed A GnuPG created key shows: Cipher: AES256, AES192, AES, CAST5, 3DES, IDEA Digest: SHA1, SHA256, RIPEMD160 Compression: ZLIB, BZIP2, ZIP, Uncompressed Features: MDC, Keyserver no-modify My last post to this list gave a brief overview. If you still want to do it, it's best to ask for more help over on the PGP-Basics Yahoo! group. http://groups.yahoo.com/group/PGP-Basics/ Also, Enigmail WILL NOT use X.509 keys. You have most likely configured S/MIME to use your Thawte certificate. That's the 'Security' tab in TB's account settings. Enigmail is configured on the 'OpenPGP Security' tab. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3891-2005-09-13 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDKR7FHQSsSmCNKhARAuMrAJ4nrbsFJN23d06f00C1XRM5GhW6swCgrCGm vrOXWyIrGLewNbDkFqOnSbw= =zCI9 -----END PGP SIGNATURE----- From alphasigmax at gmail.com Thu Sep 15 09:26:14 2005 From: alphasigmax at gmail.com (Alphax) Date: Thu Sep 15 09:28:40 2005 Subject: Two questions In-Reply-To: <43291EC6.5010304@comcast.net> References: <4328363C.3030402@frontiernet.net> <43291EC6.5010304@comcast.net> Message-ID: <43292216.1020401@gmail.com> John Clizbe wrote: > Gary Graham wrote: >> Second: I have a Thawte Freemail certificate. I have Enigmail set >> to use it. How do I import it, or whatever, it into my GNUpg >> keyring? I see several have done it. > > > How do I say "It's more trouble than it's worth"? You have to use PGP > as an intermediate step. From sandello at permonline.ru Thu Sep 15 09:45:09 2005 From: sandello at permonline.ru (Denis Kostousov) Date: Thu Sep 15 10:27:36 2005 Subject: Bug? Message-ID: <43292685.1020303@permonline.ru> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I use gnupg 1.4.2, Thunderbird 1.0.6, enigmail 0.92.1 When I try to open "Open PGP Key Managment" I receive error message: gpg: buffer shorter than subpacket gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket I receved the error with Gnupg 1.4.1, enigmal 0.92.0 Enigmail debug: $ cat enigcmd.txt /usr/bin/gpg --charset utf8 --batch --no-tty --status-fd 2 --with-fingerprint --fixed-list-mode --with-colons --list-keys $ cat enigenv.txt DISPLAY=:1.0,HOME=/home/sandello,LANG=ru_RU.UTF-8,LOGNAME=sandello,LD_LIBRARY_PATH=/home/sandello/Programs/Thunderbird:/home/sandello/Programs/Thunderbird/plugins:/usr/local/lib/mre/mre-1.0.6,MOZILLA_FIVE_HOME=/home/sandello/Programs/Thunderbird,PATH=/usr/local/jdk/bin:/usr/local/java/ant/bin:/usr/kerberos/bin:/usr/lib/courier/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/sandello/bin:/home/sandello/sbin,PWD=/home/sandello,SHELL=/bin/bash,TMPDIR=/tmp,USER=sandello $ cat enigerr.txt [GNUPG:] KEYEXPIRED 1071310391 [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead [GNUPG:] KEYEXPIRED 1111923147 [GNUPG:] SIGEXPIRED deprecated-use-keyexpired-instead gpg: buffer shorter than subpacket gpg: buffer shorter than subpacket gpg: signature packet without keyid gpg: buffer shorter than subpacket NOTE: this is the tail of enigerr.txt $ tail enigout.txt fpr:::::::::3F0A12FC0B55A917D79182D372FDC205F6A32A8E: uid:-::::969131660::02957B6D476581DF9970B1959C2C226CD654C882::Santiago Garcia Mantinan (manty) : uid:r::::::F5B02927C9137D6B86C0443F9D6F30D4E3E2C55A::Santiago Garcia Mantinan (manty) : uid:-::::969131512::0EE6D8286E42846516EA24914C5C7FC7B6703366::Santiago Garcia Mantinan (manty) : uid:-::::973705934::A7ECCF51C99F469795F191BACDC2DD965E768191::Santiago Garcia Mantinan (manty) : sub:-:1024:16:8F802C268D0EB704:969129228::::::e: pub:-:1024:17:E9311E2A656CB5B5:1031330729:::-:::scaESCA: fpr:::::::::A0627E3D8CF2BAA6254DAAC6E9311E2A656CB5B5: uid:-::::1031330729::E1DF469C11F55309FAE5870F9AC480A3CE9DE4D0::Caroline Tremblay : sub:-:2048:16:9A375D018C6C1AF5:1031330729::::::e: - -- Denis Kostousov email: sandelloTHEDOGpermonline.ru jabber: sandelloATjabber.org fingerprint: FE3D 60AF E08D 2D2A 6A8B C891 70BB 0665 F047 ADAE -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDKSaFcLsGZfBHra4RAkruAKDtTxzAYIzYeilaanQDu/xqEvwO5gCgtiwQ NZ5OgZWbho8YPMMK/Bpowx4= =o9i4 -----END PGP SIGNATURE----- From abhalerao at apple.com Tue Sep 13 23:01:14 2005 From: abhalerao at apple.com (amit bhalerao) Date: Fri Sep 16 10:49:20 2005 Subject: Migrating from PGP TO GPG Message-ID: Hi , We are migrating from PGP to GPG mechanism . We download encrypted report from external vendors and decrypt them. However external vendors are still using PGP mechanism to encrypt the file . To explain further :- 1. We are generating a public private key on HOST system using GPG . 2. This keys are exported to external vendor system. Vendor will be encrypting the file using PGP (not sure about compatibilty) 3. Files are then decrypted on host system using GPG mechanism. I am not sure whether this is feasible . If any of you have implemented this before ,please let me know. -Amit From lionel at mamane.lu Fri Sep 16 11:03:46 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Fri Sep 16 11:03:47 2005 Subject: Migrating from PGP TO GPG In-Reply-To: References: Message-ID: <20050916090345.GB13300@tofu.mamane.lu> On Tue, Sep 13, 2005 at 02:01:14PM -0700, amit bhalerao wrote: > 1. We are generating a public private key on HOST system using GPG . > 2. This keys are exported to external vendor system. Vendor will be > encrypting the file using PGP (not sure about compatibilty) > 3. Files are then decrypted on host system using GPG mechanism. > I am not sure whether this is feasible . Yes, this should work. -- Lionel From dshaw at jabberwocky.com Thu Sep 15 14:02:13 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 16 11:17:20 2005 Subject: Bug? In-Reply-To: <43292685.1020303@permonline.ru> References: <43292685.1020303@permonline.ru> Message-ID: <20050915120213.GC17774@jabberwocky.com> On Thu, Sep 15, 2005 at 01:45:09PM +0600, Denis Kostousov wrote: > I use gnupg 1.4.2, Thunderbird 1.0.6, enigmail 0.92.1 > When I try to open "Open PGP Key Managment" I receive error message: > > gpg: buffer shorter than subpacket > gpg: buffer shorter than subpacket > gpg: signature packet without keyid > gpg: buffer shorter than subpacket > > I receved the error with Gnupg 1.4.1, enigmal 0.92.0 Is it a bug? Yes and no. Those messages in 1.4.1 indicate an actual problem with a key (corruption or other oddness). However, keys in the wild on keyservers are mangled often enough that GnuPG has been modified to accept them anyway. This modification is partly done in 1.4.2 (the current version), and will be complete in 1.4.3 (the next version). David From sithtracy at yahoo.com Fri Sep 16 11:38:35 2005 From: sithtracy at yahoo.com (Tracy D. Bossong) Date: Fri Sep 16 13:22:16 2005 Subject: Migrating from PGP TO GPG In-Reply-To: Message-ID: <20050916093835.1222.qmail@web51701.mail.yahoo.com> My firm uses both GnuPG and McAfee e-Business Server (the original PGP, IMO). Project will take a little research, but all should be fine for you. And if you have existing keys with PGP, there is no reason you can't continue to use them so you don't impact your trading partners by changing keys. Good luck, and you shoulg get lots of help from this forum even as an observer. Tracy Bossong --- amit bhalerao wrote: > Hi , > > We are migrating from PGP to GPG mechanism > . We download > encrypted report from external vendors and decrypt > them. However > external vendors are still using PGP mechanism to > encrypt the file . > To explain further :- > 1. We are generating a public private key on HOST > system using GPG . > 2. This keys are exported to external vendor system. > Vendor will be > encrypting the file using PGP (not sure about > compatibilty) > 3. Files are then decrypted on host system using GPG > mechanism. > I am not sure whether this is feasible . If > any of you have > implemented this before ,please let me know. > > -Amit > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From garysaved at frontiernet.net Fri Sep 16 01:12:00 2005 From: garysaved at frontiernet.net (Gary Graham) Date: Fri Sep 16 13:48:31 2005 Subject: gpa / gpg-agent Message-ID: <4329FFC0.5060307@frontiernet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have been trying to figure out what all GPG will do. I do not see any notes on how to run gpg-agent. I went thru the session manager, and placed it as a startup program. The only problem with this is I keep noticing I have several copys running if I have rebooted the system several times. Is this the right mailing list to discuss GPA? There are too many problems to mention before finding out if this is the correct place to address it. Gary -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFDKf+/JgYFZehli50RAopeAKDB4gbNLR57pzX0UUifoW+EayBTZACfdH8X 6poVREV3PqoUGDdzvuJeNgY= =o8SG -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3202 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050915/77f633bf/smime-0001.bin From vedaal at hush.com Fri Sep 16 17:02:29 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Fri Sep 16 17:02:34 2005 Subject: Migrating from PGP TO GPG Message-ID: <200509161502.j8GF2VHt049859@mailserver3.hushmail.com> amit bhalerao abhalerao at apple.com Tue Sep 13 23:01:14 CEST 2005 >We are migrating from PGP to GPG mechanism . We download >encrypted report from external vendors and decrypt them. However >external vendors are still using PGP mechanism to encrypt the file . >1. We are generating a public private key on HOST system using GPG . >2. This keys are exported to external vendor system. Vendor will be encrypting the file using PGP (not sure about compatibilty) >3. Files are then decrypted on host system using GPG mechanism. there are only two areas of potential difficulties: (1) comment or version line wrapping (not unlikely) gnupg will stop trying to decrypt if the pgp version line or comment line wraps to the next line (2) if the vendors use a shared or split key system (unlikely) otherwise gnupg can handle everything pgp can, [and then some :-) ] vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From chinatinte at gmx.ch Fri Sep 16 17:51:57 2005 From: chinatinte at gmx.ch (chinatinte) Date: Fri Sep 16 17:52:00 2005 Subject: Shooting Trouble :-) Message-ID: Hi list, I received an encrypted mail. Every time I tried to decrypt it, I got the following error: gpg: Ung?ltiges "radix64" Zeichen 3a ignoriert gpg: Ung?ltiges "radix64" Zeichen 2e ignoriert gpg: Ung?ltiges "radix64" Zeichen 2e ignoriert gpg: Ung?ltiges "radix64" Zeichen 28 ignoriert gpg: Ung?ltiges "radix64" Zeichen 29 ignoriert gpg: Ung?ltiges "radix64" Zeichen 2d ignoriert gpg: Ung?ltiges "radix64" Zeichen 3a ignoriert gpg: Ung?ltiges "radix64" Zeichen 2e ignoriert gpg: Ung?ltiges "radix64" Zeichen 2e ignoriert gpg: Pr?fsummenfehler; 5ae41f - ae60e1 gpg: [don't know]: invalid packet (ctb=55) I tried to find a solution in the net with no success. What I then did was: I did delete a part of the encrypted message, basically all empty lines and the following text which was after the header: "Version: PGP Desktop 9.0.2 (Build 2424) - not licensed for commercial use: www.pgp.com" After doing so, I saved the message and was then able to decrypt it. Don't know if this is of any significance, but maybe it helps someone who faces the same problem as I did. Inzli From gnupg at sperryservices.com Thu Sep 15 10:46:37 2005 From: gnupg at sperryservices.com (Richard Sperry) Date: Sat Sep 17 00:22:00 2005 Subject: Windows Corp Implementations In-Reply-To: <87mzmf662h.fsf@wheatstone.g10code.de> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Most of this will be directed to Werner but I need any input I can get. I am designing a high visability network and this may get some attention to GnuPG. What I want to do is make GPG more feasable for AD domains, thus get more programers to help us improve gpg in the winhell world. What I want to do is extend the AD schema possibly with ADAM to incorperate basic keyserver functionality. Any clues, I know ldap is outdated but it will work well for AD admins. Next I was wondering what it would take to make the gpgexch have the ability to do the following: Rich Text (so I can paste out of word and what not) Symmetric encryption for mailing lists Auto key retreveal if it is not in the pub ring (from the perfered key server, perferably ldap) Any clues? - --Rich -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDKTGlj/vP89OfSf4RAvKSAJ9obRFvCCTn/brPYkd1BHXyfWL83gCgo+Rx mnzBT6xYNyL4mNqdljnVGeo= =PAGT -----END PGP SIGNATURE----- From Laurent.Jumet at advalvas.be Sat Sep 17 11:45:12 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Sat Sep 17 17:22:00 2005 Subject: Option "--pgp2" in 1.4.2 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello ! When I put option "--pgp2" in order to get the most pgp-2 complient signature, GPG asks for the passphrase but does nothing. No signature is generated on a file, neither separated or clearsign. "--pgp2" implies many options. I've by default "--no-force-v3-sigs", and normally I suppose that "--pgp2" overrrides this, isn't? Any idea? BTW, I compiled the 1.4.2 manual in a printable PDF form, il order to print it in 14 pages and two colums, for those like me who like to have it on their desk. You can get it here (be careful, there is a space in the file name, I wasn't aware that the URL could not wort as is): http://users.skynet.be/laurent.jumet/MyMan_GnuPG 142.pdf - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iHkEAREDADkFAkMr6BEyGGh0dHA6Ly91c2Vycy5za3luZXQuYmUvbGF1cmVudC5q dW1ldC9DRkFGNzA0Qy5hc2MACgkQ9R1toM+vcEwmKACeKJBtrtgHzPHtPIJVZ3ch M8atqQcAoLsLRE08eEwbjXVH0H55ZygJwAnX =pWz2 -----END PGP SIGNATURE----- From pwchi at pwchi.info Sat Sep 17 17:34:14 2005 From: pwchi at pwchi.info (Po-Wen Chi) Date: Sat Sep 17 17:34:29 2005 Subject: OpenPGP Card useing sha256 failed !! Message-ID: <432C3776.9010205@pwchi.info> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have a OpenPGP Card. I have already produced key pear on this card . But go wrong when I will sign with this card. If using SHA-1 will be carried out normally. But if appoint to use SHA-256 , will present wrong information . The following is course and information operated. Excuse me, who can tell me what the matter is? very thanks. == SHA-1 OK! == cmd> gpg --digest-algo sha1 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signatures created so far: 6 Please enter the PIN [sigs done: 6] == SHA-256 failed == cmd> gpg --digest-algo sha256 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signing failed: invalid argument gpg: a.txt: clearsign failed: invalid argument - -- This E-mail use UTF-8 character code Po-Wen Chi(???) ??????????????? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQCVAwUBQyw3dBxtAEOvczphAQJArgQAiyySQG9RieyoyJBiB6JX3O8IDa8sTxyj yF0dWnBQ+shY+/34MVumFMYuYfHhMsFtPc+hi1s3TUIf4A8udA2uukCCCyPhNnE5 BgllSPAjoqMKmeQXccD50a6RUNXZlqg+Bv1xgsVcihB6DAQXS/b6tUyC1+tYVaG1 48TXAMe2ys4= =m3Re -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Sat Sep 17 17:39:47 2005 From: henkdebruijn at wanadoo.nl (Henk M. de Bruijn) Date: Sat Sep 17 17:39:48 2005 Subject: Option "--pgp2" in 1.4.2 In-Reply-To: References: Message-ID: <1466889715.20050917173947@wanadoo.nl> On Sat, 17 Sep 2005 11:45:12 +0200GMT (17-9-2005, 11:45 +0200, where I live), Laurent Jumet wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > Hello ! > When I put option "--pgp2" in order to get the most pgp-2 complient > signature, GPG asks for the passphrase but does nothing. No signature is > generated on a file, neither separated or clearsign. > "--pgp2" implies many options. > I've by default "--no-force-v3-sigs", and normally I suppose that > "--pgp2" overrrides this, isn't? > Any idea? > BTW, I compiled the 1.4.2 manual in a printable PDF form, il order to print > it in 14 pages and two colums, for those like me who like to have it on > their desk. You can get it here (be careful, there is a space in the file > name, I wasn't aware that the URL could not wort as is): > http://users.skynet.be/laurent.jumet/MyMan_GnuPG 142.pdf I tried to find it, solved the space but... -- Henk M. de Bruijn ______________________________________________________________________ The Bat! Natural E-Mail System? version 3.5 Pro on Windows XP SP2 Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B Gossamer Spider Web of Trust http://www.gswot.org A progressive and innovative Web of Trust From pwchi at pwchi.info Sat Sep 17 15:35:10 2005 From: pwchi at pwchi.info (Po-Wen Chi) Date: Sat Sep 17 17:51:51 2005 Subject: OpenPGP Card useing sha256 failed !! Message-ID: <432C1B8E.7060202@pwchi.info> I have a OpenPGP Card. I have already produced key pear on this card . But go wrong when I will sign with this card. If using SHA-1 will be carried out normally. But if appoint to use SHA-256 , will present wrong information . The following is course and information operated. Excuse me, who can tell me what the matter is? very thanks. -- SHA-1 OK! -- cmd> gpg --digest-algo sha1 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signatures created so far: 6 Please enter the PIN [sigs done: 6] -- SHA-256 failed -- cmd> gpg --digest-algo sha256 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signing failed: invalid argument gpg: a.txt: clearsign failed: invalid argument -- This E-mail use UTF-8 character code Po-Wen Chi(???) ??????????????? From contactium at gmail.com Sat Sep 17 20:07:33 2005 From: contactium at gmail.com (Marc) Date: Sat Sep 17 21:22:00 2005 Subject: Problem with KMail Message-ID: <200509171407.34577.contactium@gmail.com> Hello, I have a problem with GPG. When I receive an email encrypted in my inbox and that I want to see it I have the message: Encrypted message (decryption not possible) Reason: Crypto plug-in "openpgp" could not decrypt the data. Error: Bad passphrase The problem it's that it does not ask me the password for decrypt the ? I installed pinentry, but that doesn't change. ? Here lines in gpg.conf: # Passphrase agent # # We support the old experimental passphrase agent protocol as well as # the new Assuan based one (currently available in the "newpg" package # at ftp.gnupg.org/gcrypt/alpha/aegypten/). ?To make use of the agent, # you have to run an agent as daemon and use the option # # use-agent # # which tries to use the agent but will fallback to the regular mode # if there is a problem connecting to the agent. ?The normal way to # locate the agent is by looking at the environment variable # GPG_AGENT_INFO which should have been set during gpg-agent startup. # In certain situations the use of this variable is not possible, thus # the option # # --gpg-agent-info=::1 # # may be used to override it. default-key A13270E3 use-agent I have create gpg-agent.conf in /.gnupg/ with : pinentry-program /usr/bin/pinentry-qt no-grab default-cache-ttl 1800 Do I have to change something? ? And what? ? Thank you Marc. From Laurent.Jumet at advalvas.be Sun Sep 18 08:53:06 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Sun Sep 18 09:07:27 2005 Subject: GnuPG 1.4.2 manual... Message-ID: Hello ! This URL works, to get my compilation of the manual in 14 pages and two columns, for printing purpose: http://users.skynet.be/laurent.jumet/MyMan_GnuPG%20142.pdf -- Laurent Jumet KeyID: 0xCFAF704C From Gerben.Wierda at rna.nl Sun Sep 18 15:13:51 2005 From: Gerben.Wierda at rna.nl (Gerben Wierda) Date: Sun Sep 18 16:21:58 2005 Subject: 1.2.1 to 1.4.2 upgrade question Message-ID: <1153F2B3-D2F2-480E-8CCB-AF20E1AFDCBF@rna.nl> I have a gpg 1.2.1 binary which I compiled a while back. I use this binary in a special sort of free-floating way in an application for a restricted (no web of trust, yes I am aware of limitations of this setup but it is better than nothing) way of verifying files. There is needs not to be a gpg installed on the system, the setup works independently of any GPG install. I used to do something like this mkdir /tmp/gpg-test chmod 700 /tmp/gpg-test/ ( cat foo | gpg --quiet --keyserver wwwkeys.nl.pgp.net --homedir /tmp/ gpg-test --no-options --keyserver-options auto-key-retrieve --verify foo.sig - ) With 1.2.1, this works. E.g. $ cat tex.plist| gpg --keyserver wwwkeys.nl.pgp.net --homedir /tmp/ gpg-test --no-options --keyserver-options auto-key-retrieve --verify tex.plist.sig gpg: Signature made Sat Sep 17 22:32:38 2005 CEST using DSA key ID C87AB5FC gpg: /tmp/gpg-test/trustdb.gpg: trustdb created gpg: key C87AB5FC: public key "i-Installer " imported gpg: Total number processed: 1 gpg: imported: 1 gpg: Good signature from "i-Installer " gpg: checking the trustdb gpg: no ultimately trusted keys found gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: C1BA 787F 78B0 18D2 B6E7 9464 9D03 DB70 C87A B5FC But with 1.4.2 I get: gpg: keyring `/tmp/gpg-test/pubring.gpg' created gpg: Signature made Sat Sep 17 22:32:38 2005 CEST using DSA key ID C87AB5FC gpg: requesting key C87AB5FC from hkp server wwwkeys.nl.pgp.net gpg: unable to execute program `/usr/local/libexec/gnupg/ gpgkeys_hkp': No such file or directory gpg: no handler for keyserver scheme `hkp' gpg: Can't check signature: public key not found This is not surprising as gpg is not installed on the system and this script should work regardless of its install. It seems gpg has the string /usr/local/libexec/gnupg hard coded. Is it possible for me to make gpg use gpgkeys_hkp from another location? Or am I in trouble and can't I use GPG anymore in this free floating manner? Thanks, G From contactium at gmail.com Sun Sep 18 16:33:12 2005 From: contactium at gmail.com (Marc) Date: Sun Sep 18 16:33:20 2005 Subject: Problem with KMail In-Reply-To: <200509171407.34577.contactium@gmail.com> References: <200509171407.34577.contactium@gmail.com> Message-ID: <200509181033.13458.contactium@gmail.com> On 2005-09-17 14:07, Marc wrote: > Hello, > > I have a problem with GPG. > > When I receive an email encrypted in my inbox and that I want to see it I > have the message: > Encrypted message (decryption not possible) > Reason: Crypto plug-in "openpgp" could not decrypt the data. > Error: Bad passphrase > > The problem it's that it does not ask me the password for decrypt the > ? > I installed pinentry, but that doesn't change. ? > Here lines in gpg.conf: > > # Passphrase agent > # > # We support the old experimental passphrase agent protocol as well as > # the new Assuan based one (currently available in the "newpg" package > # at ftp.gnupg.org/gcrypt/alpha/aegypten/). ?To make use of the agent, > # you have to run an agent as daemon and use the option > # > # use-agent > # > # which tries to use the agent but will fallback to the regular mode > # if there is a problem connecting to the agent. ?The normal way to > # locate the agent is by looking at the environment variable > # GPG_AGENT_INFO which should have been set during gpg-agent startup. > # In certain situations the use of this variable is not possible, thus > # the option > # > # --gpg-agent-info=::1 > # > # may be used to override it. > > default-key A13270E3 > use-agent > > > > > I have create gpg-agent.conf in /.gnupg/ with : > > pinentry-program /usr/bin/pinentry-qt > no-grab > default-cache-ttl 1800 > > > Do I have to change something? ? > And what? ? > > Thank you > > Marc. > Nobody to help me ? Marc. From doug.jih at gmail.com Sun Sep 18 21:37:40 2005 From: doug.jih at gmail.com (JIH, DOUG Y.) Date: Sun Sep 18 21:38:12 2005 Subject: Trouble decrypting AES256 symmetric encrypted 4.58 GB file Message-ID: I got the following messages when I tried to decrypt a file.gpg with the size 4,920,412,393 bytes using gpg version 1.4.2, official Windows version: >gpg -vv -o file --decrypt file.gpg :symkey enc packet: version 4, cipher 9, s2k 3, hash 2 salt 5088796db832388a, count 96 gpg: AES256 encrypted data :encrypted data packet: length: unknown mdc_method: 2 gpg: encrypted with 1 passphrase :compressed packet: algo=1 :literal data packet: mode b (62), created 1126887210, name="file", raw data: 614055611 bytes gpg: original file name='file' gpg: [don't know]: invalid packet (ctb=7e) gpg: [don't know]: invalid packet (ctb=32) gpg: WARNING: encrypted message has been manipulated! :unknown packet: type 59, length 35 dump: 59 71 71 c4 24 29 4c 5e ee 7f e4 11 4d 3d 1a 78 08 6a e7 70 51 9d 0f 96 24: 69 7a a3 fb 18 bb 14 15 0c bd 58 gpg: [don't know]: invalid packet (ctb=2c) GPG failed when the output file has a size of 614,055,611 bytes. I noticed this is exactly the number of bytes shown by "raw data:" in the above messages. Is this a flaw in GPG? It's hard to believe GPG would have a serious flaw like this, because there was absolutely no error message when I encrypted the file, and now GPG is unable to decrypt the file to its ooriginal size? Can anyone please help me recover my data! Thanks. From jharris at widomaker.com Mon Sep 19 00:04:12 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Sep 19 00:42:52 2005 Subject: new (2005-09-18) keyanalyze results (+sigcheck) Message-ID: <20050918220411.GC4267@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-09-18/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: b41368d033fcd000380fc69f6e62cb8387a3ce25 12935988 preprocess.keys 1779933e717243044c72aeb75bf33eea8684644b 7851928 othersets.txt 7a08e4fb96d6d86fde031ed55a2d822131bc13a3 3198924 msd-sorted.txt a751f9d5477744a4f5e5ce6ebad6a60908e317ee 1372 index.html 3106a943e6512e573d03eeb6ed23ec5ad6daf452 2291 keyring_stats ce7fe8ab9b3161965a348337b3ae7072532467fb 1257444 msd-sorted.txt.bz2 74db707dc86ddf09fccbb2c6d676dbb7998c9fc0 26 other.txt 96953baf227177b677786a2d07f273303df05b2a 1695917 othersets.txt.bz2 d2abb801974100b1f509cbaec92c1d4364a3c71f 5225480 preprocess.keys.bz2 1a02da8254d0b9168cbe1c543219ad685c74fd11 13235 status.txt b59ec4e390d4cf62d21a5702de08d095302ff046 210128 top1000table.html 03abcce67ca888a06771f249f507eb1c9fc27791 30107 top1000table.html.gz fceaa0d92d604bbc272339a0f025ac84e1ef8645 10782 top50table.html abf0af0da327a1558770cbed3c85097936e2bc7a 2534 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050918/495e8d03/attachment.pgp From boldyrev+nospam at cgitftp.uiggm.nsc.ru Mon Sep 19 06:44:00 2005 From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev) Date: Mon Sep 19 06:57:43 2005 Subject: Problem with KMail References: <200509171407.34577.contactium@gmail.com> <200509181033.13458.contactium__30019.9291240007$1127054371$gmane$org@gmail.com> Message-ID: On 9236 day of my life contactium@gmail.com wrote: >> Do I have to change something? ? >> And what? ? 1. Does gpg work in X console (kterm or something like this)? 2. Is gpg-agent running? -- Ivan Boldyrev Life! Don't talk to me about life. From doug.jih at gmail.com Sat Sep 17 04:30:11 2005 From: doug.jih at gmail.com (JIH, DOUG Y.) Date: Mon Sep 19 10:56:05 2005 Subject: Trouble decrypting AES256 symmetric encrypted file Message-ID: I got the following messages when I tried to decrypt a file.gpg with the size 4,920,412,393 bytes. gpg: AES256 encrypted data gpg: encrypted with 1 passphrase gpg: [don't know]: invalid packet (ctb=7e) gpg: [don't know]: invalid packet (ctb=32) gpg: WARNING: encrypted message has been manipulated! gpg: [don't know]: invalid packet (ctb=2c) The file was produced by encrypting with gpg -c --cipher aes256 file When the error messages occured, the output file has a size of 614,055,611 bytes. Can anyone please help! Using gpg version 1.4.2, official Windows version From pwchi.tw at gmail.com Sat Sep 17 14:30:50 2005 From: pwchi.tw at gmail.com (Po-Wen Chi) Date: Mon Sep 19 10:56:16 2005 Subject: OpenPGP Card useing sha256 failed !! Message-ID: <432C0C7A.3040407@pwchi.info> I have a OpenPGP Card. I have already produced key pear on this card . But go wrong when I will sign with this card. If using SHA-1 will be carried out normally. But if appoint to use SHA-256 , will present wrong information . The following is course and information operated. Excuse me, who can tell me what the matter is? very thanks. -- SHA-1 OK! -- cmd> gpg --digest-algo sha1 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signatures created so far: 6 Please enter the PIN [sigs done: 6] -- SHA-256 failed -- cmd> gpg --digest-algo sha256 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signing failed: invalid argument gpg: a.txt: clearsign failed: invalid argument -- This E-mail use UTF-8 character code Po-Wen Chi(???) ??????????????? From Laurent.Jumet at advalvas.be Mon Sep 19 11:38:54 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Mon Sep 19 13:23:22 2005 Subject: Trouble decrypting AES256 symmetric encrypted file In-Reply-To: Message-ID: Hello ! "JIH, DOUG Y." wrote: JY> I got the following messages when I tried to decrypt a file.gpg with JY> the size 4,920,412,393 bytes. JY> gpg: AES256 encrypted data JY> gpg: encrypted with 1 passphrase JY> gpg: [don't know]: invalid packet (ctb=7e) JY> gpg: [don't know]: invalid packet (ctb=32) JY> gpg: WARNING: encrypted message has been manipulated! JY> gpg: [don't know]: invalid packet (ctb=2c) JY> The file was produced by encrypting with JY> gpg -c --cipher aes256 file I suppose that it couldn't be a charset problem? -- Laurent Jumet KeyID: 0xCFAF704C From alphasigmax at gmail.com Mon Sep 19 15:36:52 2005 From: alphasigmax at gmail.com (Alphax) Date: Mon Sep 19 15:39:31 2005 Subject: Trouble decrypting AES256 symmetric encrypted file In-Reply-To: References: Message-ID: <432EBEF4.3040203@gmail.com> JIH, DOUG Y. wrote: > I got the following messages when I tried to decrypt a file.gpg with > the size 4,920,412,393 bytes. > > gpg: AES256 encrypted data > gpg: encrypted with 1 passphrase > gpg: [don't know]: invalid packet (ctb=7e) > gpg: [don't know]: invalid packet (ctb=32) > gpg: WARNING: encrypted message has been manipulated! > gpg: [don't know]: invalid packet (ctb=2c) > > The file was produced by encrypting with > > gpg -c --cipher aes256 file > > When the error messages occured, the output file has a size of > 614,055,611 bytes. > > Can anyone please help! > > Using gpg version 1.4.2, official Windows version > I have a feeling Windows has problems with files this large, esp. on NTFS. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From JPClizbe at comcast.net Mon Sep 19 16:59:12 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Sep 19 17:00:09 2005 Subject: Trouble decrypting AES256 symmetric encrypted file In-Reply-To: <432EBEF4.3040203@gmail.com> References: <432EBEF4.3040203@gmail.com> Message-ID: <432ED240.1040300@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alphax wrote: > JIH, DOUG Y. wrote: >> I got the following messages when I tried to decrypt a file.gpg with >> the size 4,920,412,393 bytes. >> >> gpg: AES256 encrypted data >> gpg: encrypted with 1 passphrase >> gpg: [don't know]: invalid packet (ctb=7e) >> gpg: [don't know]: invalid packet (ctb=32) >> gpg: WARNING: encrypted message has been manipulated! >> gpg: [don't know]: invalid packet (ctb=2c) >> >> The file was produced by encrypting with >> >> gpg -c --cipher aes256 file >> >> When the error messages occured, the output file has a size of >> 614,055,611 bytes. >> >> Can anyone please help! >> >> Using gpg version 1.4.2, official Windows version >> > > I have a feeling Windows has problems with files this large, esp. on NTFS. > I recall this being a common error with GnuPG on Win32. The usual work-around if I recall correctly is to use redirection: gpg < file.gpg > file.out Has the file been manipulated or moved between systems since it was encrypted? - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3894-2005-09-16 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDLtI/HQSsSmCNKhARAspQAKCZ3AxkIgg5q2AoQRTPpnGPr0oBIwCgpUK+ bJ+racHQ3qECGNwcHVrnN4o= =6srI -----END PGP SIGNATURE----- From garysaved at frontiernet.net Mon Sep 19 22:23:52 2005 From: garysaved at frontiernet.net (Gary Graham) Date: Mon Sep 19 22:24:02 2005 Subject: GPA Message-ID: <432F1E58.3030604@frontiernet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have Fedora FC4. with all available updates. I am using GPG 1.4.1 and v1.9.18 is also installed. The GPA is version 0.7.0 My Firestarter firewall is set to let all traffic out, and is not showing as blocking anything when I try. First I bring up GPA. Then I click on my default key set. Next I select 'Server', then 'Send Keys...' It asks me if I am sure I want to distribute the selected keys to: "hkp://subkeys.pgp.net". Most of the time I will get the error: * "An error occurred while contacting the server:" "Internal keyserver error" * Note there is an empty line between the two. If I do not get this error, it says: '*Connecting to server "hkp://subkeys.pgp.net". Please wait.*' and nothing happens till I click on the X to close the window, then I get the original error. This happens with this server, and any of the default servers GPA has on its default list. Let me know if you need any other information. Gary -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFDLx5XJgYFZehli50RAj2nAJ0XCqWdFl/LjdQCBkDL22VGn3y47QCdH74n 9FOMVJl+QSuNDVHT7Tn7hNM= =Trmw -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3202 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050919/95d04093/smime.bin From dshaw at jabberwocky.com Mon Sep 19 23:54:18 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Sep 19 23:54:56 2005 Subject: Windows Corp Implementations In-Reply-To: <200509162226.j8GMQ30m023564@walrus.hsd1.ma.comcast.net> References: <87mzmf662h.fsf@wheatstone.g10code.de> <200509162226.j8GMQ30m023564@walrus.hsd1.ma.comcast.net> Message-ID: <20050919215418.GA12686@jabberwocky.com> On Thu, Sep 15, 2005 at 01:46:37AM -0700, Richard Sperry wrote: > Most of this will be directed to Werner but I need any input I can get. > > I am designing a high visability network and this may get some attention to GnuPG. > What I want to do is make GPG more feasable for AD domains, thus get more programers to help us improve gpg in the winhell world. > > What I want to do is extend the AD schema possibly with ADAM to incorperate basic keyserver functionality. Any clues, I know ldap > is outdated but it will work well for AD admins. Not at all: LDAP makes an excellent keyserver protocol. GnuPG can already use an AD box as a keyserver (or OpenLDAP, iPlanet, etc). The schema is the same one that PGP uses for its LDAP keyserver support. David From contactium at gmail.com Tue Sep 20 02:44:17 2005 From: contactium at gmail.com (Marc) Date: Tue Sep 20 02:44:38 2005 Subject: Problem with KMail In-Reply-To: References: <200509171407.34577.contactium@gmail.com> <200509181033.13458.contactium__30019.9291240007$1127054371$gmane$org@gmail.com> Message-ID: <432F5B61.3000109@gmail.com> Ivan Boldyrev a ?crit : >On 9236 day of my life contactium@gmail.com wrote: > > >>>Do I have to change something? >>>And what? >>> >>> > >1. Does gpg work in X console (kterm or something like this)? >2. Is gpg-agent running? > > > All it's ok now. Thanks From guitarbench at yahoo.com Tue Sep 20 05:32:11 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Tue Sep 20 07:21:53 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers Message-ID: <20050920033211.32382.qmail@web90007.mail.scd.yahoo.com> I've been trying now for almost three months and I still can't get the Cypherpunks remailers to accept messages encrypted with Ubuntu Linux/GPG v1.2.5. I have no idea what's wrong. I've tried everything I can think of and it STILL refuses to work. I used Windows XP PGP and the remailers every day for YEARS and never had a problem with PGP, but I can't get Linux/GPG to work with the remailers to save my life. Cutting & Pasting encryption doesn't produce a message that remailers can recognize. Making the remailer message and directives into a text file, encrypting it with command-line GPG then adding the header :: Encrypted: PGP and a space wont work. Nothing works. Any ideas? gpg (GnuPG) 1.2.5 Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256 Compression: Uncompressed, ZIP, ZLIB, BZIP2 >The biggest difference between PGP/Windows XP vs GPG/Linux >> seems to be the line endings to me. There is a text option >> with GnuPG to make sure.. >> - -t, --textmode I use the -eat command line, which should cover it, but it doesn't seem to. I'm wondering if there's some screwup with the :: Encrypted: PGP Having its linefeeds grunged. On the other hand, I can send an unencrypted remailer message (to the remailers that accept them) with the directives in plaintext and it works. That's what I'm doing now. Mysteriously, as I've mentioned before, Dizum accepts my encrypted messages. ONLY Dizum. >> IDEA doesn't matter if you only use DH keys of remailers that have them. That's certainly what I always thought, plus I was under the impression that it wouldn't matter with RSA recipients who weren't using the IDEA algorithm. I have the IDEA file, but I cannot figure out what to do with it, as the instructions assume a level of Linux experience I do not yet have. In any case, it doesn't seem essential to using remailers with DSS keys. ______________________________________________________ Yahoo! for Good Donate to the Hurricane Katrina relief effort. http://store.yahoo.com/redcross-donate3/ From hhhobbit7 at netscape.net Tue Sep 20 09:25:02 2005 From: hhhobbit7 at netscape.net (Henry Hertz Hobbit) Date: Tue Sep 20 09:25:37 2005 Subject: trouble decrypting AES256 symmetric encrypted file Message-ID: <0FB8AE89.4084D03F.0307202B@netscape.net> John Clizbe wrote: >Alphax wrote: >> JIH, DOUG Y. wrote: >>> I got the following messages when I tried to decrypt a file.gpg with >>> the size 4,920,412,393 bytes. >>> >>> gpg: AES256 encrypted data >>> gpg: encrypted with 1 passphrase >>> gpg: [don't know]: invalid packet (ctb=7e) >>> gpg: [don't know]: invalid packet (ctb=32) >>> gpg: WARNING: encrypted message has been manipulated! >>> gpg: [don't know]: invalid packet (ctb=2c) >>> >>> The file was produced by encrypting with >>> >>> gpg -c --cipher aes256 file >>> >>> When the error messages occured, the output file has a size of >>> 614,055,611 bytes. >>> >>> Can anyone please help! >>> >>> Using gpg version 1.4.2, official Windows version >>> >> >> I have a feeling Windows has problems with files this large, esp. on NTFS. >> >I recall this being a common error with GnuPG on Win32. > >The usual work-around if I recall correctly is to use redirection: > > gpg < file.gpg > file.out > >Has the file been manipulated or moved between systems since it was encrypted? First, it is NOT a limitation of the file size on an NTFS file system (at least in theory). Check it out (snatched out of the mouth of the Lion: http://tinyurl.com/2ozuo Quoting the maximum file size from Microsoft: Theory: 16 exabytes minus 1 KB (2^64 bytes minus 1 KB) mplementation: 16 terabytes minus 64 KB (2^44 bytes minus 64 KB) That is much better than the 2 GB limit of EXT3. In reality, that can't be the limit because a DVD gets broken up into chunks rather than being one huge file. The indirection (< input > output) works, but I think you have lost your file. I suggest regenerating it and using the indirection. I am assuming it is a huge backup and that you CAN regenerate it again. If you can't, Microsoft is your best bet at finding out how to get all of the lost clusters back, and I strongly suspect you will never see the file again. What zip program did you use to generate such a huge file? HHH -- Key Name: "Henry Hertz Hobbit" pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp From wk at gnupg.org Tue Sep 20 10:30:20 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 20 10:36:31 2005 Subject: Windows Corp Implementations In-Reply-To: (Richard Sperry's message of "Thu, 15 Sep 2005 01:46:37 -0700") References: Message-ID: <87irww16qr.fsf@wheatstone.g10code.de> On Thu, 15 Sep 2005 01:46:37 -0700, Richard Sperry said: > Next I was wondering what it would take to make the gpgexch have the ability to do the following: > Rich Text (so I can paste out of word and what not) The successor of gpgexch is called GPGol. However I have not yet looked at the Word/RTF issues, one of the next tasks will be to get HTML mails[1] working. For now we just don't allow them. > Symmetric encryption for mailing lists Okay, I'll put an item onto the TODO list. > Auto key retreveal if it is not in the pub ring (from the perfered key server, perferably ldap) This is already possible, albeit you need to add the appropriate option to the gpg.conf file. Salam-Shalom, Werner From wk at gnupg.org Tue Sep 20 10:56:32 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 20 11:01:29 2005 Subject: trouble decrypting AES256 symmetric encrypted file In-Reply-To: <0FB8AE89.4084D03F.0307202B@netscape.net> (Henry Hertz Hobbit's message of "Tue, 20 Sep 2005 03:25:02 -0400") References: <0FB8AE89.4084D03F.0307202B@netscape.net> Message-ID: <87ek7k15j3.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 03:25:02 -0400, Henry Hertz Hobbit said: > That is much better than the 2 GB limit of EXT3. In reality, that There is no 2 GB limit for EXT3 nor for EXT2. Old applications, not properly making use of the off_t type and related functions might give that impression. Any modern shell (for <,>, redirection) as well as gpg are able to handle far larger files. I have to commit that I did not try larger files on Windows for years (lack of disk space) so here might indeed be a problem with that. A quick check however shows that GetFileSize is used correctly. Shalom-Salam, Werner From Laurent.Jumet at advalvas.be Tue Sep 20 08:57:40 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Tue Sep 20 11:52:26 2005 Subject: GPA In-Reply-To: <432F1E58.3030604@frontiernet.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello ! Gary Graham wrote: GG> I have Fedora FC4. with all available updates. GG> I am using GPG 1.4.1 and v1.9.18 is also installed. GG> The GPA is version 0.7.0 GG> My Firestarter firewall is set to let all traffic out, and is not GG> showing as blocking anything when I try. GG> First I bring up GPA. Then I click on my default key set. Next I GG> select 'Server', then 'Send Keys...' GG> It asks me if I am sure I want to distribute the selected keys to: GG> "hkp://subkeys.pgp.net". GG> Most of the time I will get the error: GG> * "An error occurred while contacting the server:" GG> "Internal keyserver error" GG> * GG> Note there is an empty line between the two. GG> If I do not get this error, it says: '*Connecting to server GG> "hkp://subkeys.pgp.net". Please wait.*' GG> and nothing happens till I click on the X to close the window, then I GG> get the original error. GG> This happens with this server, and any of the default servers GPA has GG> on its default list. GG> Let me know if you need any other information. On my system, my FireWall allows 3 programs of the GPG suite to go out: GPG.exe GPGKEYS_HKP.exe GPGKEYS_LDAP.exe The last one is only involved in a special way. I think that's a suppletive URL. Notice that one of the KeyServers installed on my system seems actually to be down, and I've to wait until GPG surrounds when trying to update. - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDL7Q/9R1toM+vcEwRA0haAKDfokYBTF0/iyExRyTkXI5odTPZ/gCdFGEC G2Nd+iE10awpL5iOgfKXkJ0= =P2po -----END PGP SIGNATURE----- From pwchi at pwchi.info Tue Sep 20 14:28:15 2005 From: pwchi at pwchi.info (Po-Wen Chi) Date: Tue Sep 20 14:28:24 2005 Subject: OpenPGP Card useing sha256 failed !! Message-ID: <4330005F.7010907@pwchi.info> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 I have a OpenPGP Card. I have already produced key pear on this card . But go wrong when I will sign with this card. If using SHA-1 will be carried out normally. But if appoint to use SHA-256 , will present wrong information . The following is course and information operated. Excuse me, who can tell me what the matter is? very thanks. == SHA-1 OK! == cmd> gpg --digest-algo sha1 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signatures created so far: 6 Please enter the PIN [sigs done: 6] == SHA-256 failed == cmd> gpg --digest-algo sha256 -u 4a7d9528 --clearsign a.txt gpg: detected reader `CASTLES EZ100PU 0' gpg: signing failed: invalid argument gpg: a.txt: clearsign failed: invalid argument - -- This E-mail use UTF-8 character code Po-Wen Chi(???) ??????????????? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQCVAwUBQzAAXRxtAEOvczphAQNnFAQAwZl19X4FUkjIzmL0YeHveqoFNj5dmJJw BKbA1uwsu0YRIC5QtI7iptwvI8c1rbeoVs7l2elsU/GfFob35+g3oiRL9ehj55Wm L65O0FIfhC8Egac2K2yzGcOVwUbQqJynlJd4fqIjUzcCUArlgo26VrfSfRk1shGB h7BaFEUkLig= =JL3H -----END PGP SIGNATURE----- From knvijay1 at yahoo.com Tue Sep 20 13:51:40 2005 From: knvijay1 at yahoo.com (Vijay K.N.) Date: Tue Sep 20 15:51:54 2005 Subject: Public-key encrypt/sign: providing Passphrase programmatically via Callbacks Message-ID: <20050920115140.64950.qmail@web31007.mail.mud.yahoo.com> Hi, I am using GPG to sign/encrypt messages using DSA/Elgamel 2048-bit keys. I would like to pass the pass-phrase for secret keys programmatically - so that I don't get a pop-up for every message that needs to be signed. I tried using Callbacks for providing the passphrase - but apparently the callbacks are not getting invoked. Referring to the GPG documentation seemed to suggest that support for providing passphrase via callbacks is limited to certain algorithms. Appreciate if someone can clarify whether providing passphrase programmatically is supported for the above GPG public-key encryption/signature operation, in GPG1.4.2 and if so, how it can be done. thanks Vijay __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From wk at gnupg.org Tue Sep 20 17:04:24 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 20 17:06:30 2005 Subject: Public-key encrypt/sign: providing Passphrase programmatically via Callbacks In-Reply-To: <20050920115140.64950.qmail@web31007.mail.mud.yahoo.com> (Vijay K. N.'s message of "Tue, 20 Sep 2005 04:51:40 -0700 (PDT)") References: <20050920115140.64950.qmail@web31007.mail.mud.yahoo.com> Message-ID: <874q8fsruv.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 04:51:40 -0700 (PDT), Vijay K N said: > Appreciate if someone can clarify whether providing > passphrase programmatically is supported for the above Sure it is. So see how it forms, check out GPGME or well just use GPGME to access gpg. Salam-Shalom, Werner From patrick at sourcecode.cc Tue Sep 20 22:09:55 2005 From: patrick at sourcecode.cc (Patrick) Date: Tue Sep 20 22:51:57 2005 Subject: Key from smartcard to disk Message-ID: <43306C93.9030207@sourcecode.cc> Hello, i have a problem with the g10 OpenPGP card. I have key on the Card, but not on harddisk. I don't have the secret key and don't have the pubic key. How do i import keys from the card? And how can i encrypt or decrypt files with the card now? I don't want to generate new keys. Thank you for help, Patrick From johanw at vulcan.xs4all.nl Tue Sep 20 23:54:03 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Sep 21 00:02:11 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050920033211.32382.qmail@web90007.mail.scd.yahoo.com> Message-ID: <200509202154.j8KLs3lQ010670@vulcan.xs4all.nl> You, Guitar Bench, wrote: >I've been trying now for almost three months and I >still can't get the Cypherpunks remailers to accept >messages encrypted with Ubuntu Linux/GPG v1.2.5. Do these mailers still require pgp 2.x encrypted messages? If so, installing IDEA and using the --pgp2 switch might help. >>The biggest difference between PGP/Windows XP vs >>GPG/Linux seems to be the line endings to me. However, in email this is standardised so it should not matter. >I have the IDEA file, but I cannot figure out what to >do with it, as the instructions assume a level of >Linux experience I do not yet have. You can unpack the gpg source, put idea.c in the cipher dir and recompile. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ryan at malayter.com Wed Sep 21 00:11:11 2005 From: ryan at malayter.com (Ryan Malayter) Date: Wed Sep 21 00:11:41 2005 Subject: trouble decrypting AES256 symmetric encrypted file In-Reply-To: <87ek7k15j3.fsf@wheatstone.g10code.de> References: <0FB8AE89.4084D03F.0307202B@netscape.net> <87ek7k15j3.fsf@wheatstone.g10code.de> Message-ID: <5d7f07420509201511519f005c@mail.gmail.com> On 9/20/05, Werner Koch wrote: > I have to commit that I did not try larger files on Windows for years > (lack of disk space) so here might indeed be a problem with that. A > quick check however shows that GetFileSize is used correctly. Werner, I can confirm that large file (> 4GB) support does not work on Win32 without using file redirection, at least in version 1.4.1. Did you make a change to enable 64-bit file sizes in a later version? I would love to help fix this issue, but as I have not worked with C much since 1996, I can probably really only contribute lots of testing. Are there debug builds of GPG for win32 that might be useful in this regard? Or will using "-vv" give the kind of information necessary? Thank you for any help/ideas, -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From ryan at malayter.com Wed Sep 21 00:24:44 2005 From: ryan at malayter.com (Ryan Malayter) Date: Wed Sep 21 00:25:14 2005 Subject: Trouble decrypting AES256 symmetric encrypted file In-Reply-To: <432EBEF4.3040203@gmail.com> References: <432EBEF4.3040203@gmail.com> Message-ID: <5d7f074205092015242675c071@mail.gmail.com> On 9/19/05, Alphax wrote: > I have a feeling Windows has problems with files this large, esp. on NTFS. This is surpisingly *not* a Windows issue. We have 200+ GB database files on many of our database servers. All using NTFS. I think the issue is that GnuPG is using a 32-bit DWORD file pointer and the older file functions. Werner mentioned using GetFIleSize, but the platform SDK indicates that you need to use GetFileSizeEx to enable files greater than 2^32 bytes: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/getfilesize.asp Werner, do you use GetFileSize or GetFileSizeEx? There are also WriteFileEx and any number of other -Ex file-related functions to handle files larger than 4 GB. -- RPM ========================= All problems can be solved by diplomacy, but violence and treachery are equally effective, and more fun. -Anonymous From guitarbench at yahoo.com Wed Sep 21 03:12:37 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Wed Sep 21 03:13:11 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <200509202154.j8KLs3lQ010670@vulcan.xs4all.nl> Message-ID: <20050921011237.89942.qmail@web90006.mail.scd.yahoo.com> --- Johan Wevers wrote: > Do these mailers still require pgp 2.x encrypted > messages? Apparently not. I have used the --pgp2 switch with no resulting success. The remailers have used all versions of PGP in Windows with no decryption problems whatsoever for years in some cases. > If so, installing IDEA and using the --pgp2 switch > might help. If I can figure out how to install IDEA, I will, but I can't see how it could possibly matter with DSS/DSA keys. > >>The biggest difference between PGP/Windows XP vs > >>GPG/Linux seems to be the line endings to me. > However, in email this is standardised so it should > not matter. The original respondent was correct. I can say with absolute, 100% certainty that this is not the case. Despite -at armoring, I have seen the GPGed armored messages arrive with "|"s at the end of each line, etc. There are definitely line ending compatibility problems in some cases, worst with Yahoo mail, though these support Windows/PGP flawlessly. > put idea.c in the cipher dir and recompile. The "cipher dir" in this case would be /home/anonymous/.gnupg ? My personal guess at this point is that this has something to do with charactersets, though nominally UTF-8 should work. The ONLY way I could get GPG to work (sometimes) in Enigmail for simple encrypted e-mail only, however, was to change the characterset to ISO-8859-1. Linux/GPG has for the most part been an unremitting nightmare to use, and I have been using PGP daily since I beta-tested v.1 for Phil Zimmerman back in the late Bronze Age. I am NOT trying to use Enigmail with remailers. For this I have used the kGPG shell or stright comman-line GPG encryption, with no difference in success. The messages as sent look 100% perfect...they just don't work. I have repeatedly asked over the past several months on alt.privacy.anon-server and alt.security.pgp for help from people using Linux/GPG with remailers without success. I have no access to the remops list, though this would probably give the most useful info. This may just be yet another example of Linux Hell, one of the seemingly infinite number of undocumented, utter application failures that make that OS such a trial to use. [sigh!] __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From wk at gnupg.org Wed Sep 21 07:18:26 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 21 07:21:35 2005 Subject: trouble decrypting AES256 symmetric encrypted file In-Reply-To: <5d7f07420509201511519f005c@mail.gmail.com> (Ryan Malayter's message of "Tue, 20 Sep 2005 17:11:11 -0500") References: <0FB8AE89.4084D03F.0307202B@netscape.net> <87ek7k15j3.fsf@wheatstone.g10code.de> <5d7f07420509201511519f005c@mail.gmail.com> Message-ID: <87irwvq9r1.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 17:11:11 -0500, Ryan Malayter said: > Werner, I can confirm that large file (> 4GB) support does not work on > Win32 without using file redirection, at least in version 1.4.1. Did > you make a change to enable 64-bit file sizes in a later version? I have not changed anything in the code for a long time. However at some point I switched from my old cross-building environment to Debian's mingw32. I am about to order a new Windows machine - that should give me enough space to test with large files. > testing. Are there debug builds of GPG for win32 that might be useful > in this regard? Or will using "-vv" give the kind of information I doubt that we have enough debugging code in place to track down this issue. As an educated guess I would say something with the error checking in GetFileSize is wrong or I misinterpreted the documentation which is somehwat contradictionary as it claims that GetFileSize may not be used for larger files but nevertheless it returns in an optional parameter the high word of the file size. gpg does not use this optional parameter but detect the error code of a too large file and then acts internally as if the file has been piped into gpg. I'll see with the new machine. Salam-Shalom, Werner From wk at gnupg.org Wed Sep 21 07:28:24 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 21 07:31:38 2005 Subject: Key from smartcard to disk In-Reply-To: <43306C93.9030207@sourcecode.cc> (patrick@sourcecode.cc's message of "Tue, 20 Sep 2005 22:09:55 +0200") References: <43306C93.9030207@sourcecode.cc> Message-ID: <87ek7jq9af.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 22:09:55 +0200, Patrick said: > i have a problem with the g10 OpenPGP card. I have key on the Card, but > not on harddisk. I don't have the secret key and don't have the pubic > key. How do i import keys from the card? And how can i encrypt or decrypt You mean, how to copy the secret key from the card to the disk? The asnwer ist simple: You can't. This is the major security feature of smartcards. It is possible to read out the public key, though. However it does not help you much because these are only a few numbers without any other information. When gpg generated the key on the card it also created this other data and stored it in your regular keyring on disk. If you lost this keyring, you basically lost your key. It is possible to reconstruct so that the fingerprint stays the same but we have no instant way of doing so. It is easier to generate a new key then. I assume that you did not send the key to a keyserver in which case you would be able to restore the key by gpg --recv-key Shalom-Salam, Werner From wk at gnupg.org Wed Sep 21 07:33:14 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 21 07:36:31 2005 Subject: OpenPGP Card useing sha256 failed !! In-Reply-To: <4330005F.7010907@pwchi.info> (Po-Wen Chi's message of "Tue, 20 Sep 2005 20:28:15 +0800") References: <4330005F.7010907@pwchi.info> Message-ID: <87aci7q92d.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 20:28:15 +0800, Po-Wen Chi said: > If using SHA-1 will be carried out normally. > But if appoint to use SHA-256 , will present wrong information . You can't use SHA256 with the OpenPGP card or any card I know of. The reason for this is that the card checks that the padding is fine and that padding includes tnhe OID of the hash algorithm. Anyway, it does not make sense to use a hash algorithm other than SHA-1 or RIPE MD160 with that card. The RSA key of currently available cards is limited to 1024 bit and thus SHA256 would be overkill. Salam-Shalom, Werner From wk at gnupg.org Wed Sep 21 07:41:02 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 21 07:46:32 2005 Subject: Trouble decrypting AES256 symmetric encrypted file In-Reply-To: <5d7f074205092015242675c071@mail.gmail.com> (Ryan Malayter's message of "Tue, 20 Sep 2005 17:24:44 -0500") References: <432EBEF4.3040203@gmail.com> <5d7f074205092015242675c071@mail.gmail.com> Message-ID: <8764svq8pd.fsf@wheatstone.g10code.de> On Tue, 20 Sep 2005 17:24:44 -0500, Ryan Malayter said: > Werner, do you use GetFileSize or GetFileSizeEx? There are also GetFileSize. However it should return an error if the file is too large and we then fall back ito streaming mode which means that we use OpenPGP's partial length header format for larger files. > WriteFileEx and any number of other -Ex file-related functions to > handle files larger than 4 GB. From patrick at sourcecode.cc Wed Sep 21 11:49:25 2005 From: patrick at sourcecode.cc (Patrick Plattes) Date: Wed Sep 21 11:49:30 2005 Subject: Key from smartcard to disk In-Reply-To: <87ek7jq9af.fsf@wheatstone.g10code.de> References: <43306C93.9030207@sourcecode.cc> <87ek7jq9af.fsf@wheatstone.g10code.de> Message-ID: <43312CA5.7090907@sourcecode.cc> Werner Koch wrote: >It is possible to read out the public key, though. However it does >not help you much because these are only a few numbers without any >other information. When gpg generated the key on the card it also >created this other data and stored it in your regular keyring on >disk. If you lost this keyring, you basically lost your key. It is >possible to reconstruct so that the fingerprint stays the same but we >have no instant way of doing so. > First, thank you for the fast reply. I read your mail more than twice. And I try to understand why there is no instant way of doing this. Please tell me if my presumption is correct. The public key will be generated with the aid of the secret key and the secret key never leave the card, the card must generate the pk. So it's not a missing feature in GnuPG instead of the OpenPGP card. Correct? >It is easier to generate a new key >then. I assume that you did not send the key to a keyserver in which >case you would be able to restore the key by > > gpg --recv-key > > > I didn't send the Key to the Server :( Thank you, Patrick From wk at gnupg.org Wed Sep 21 14:17:46 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Sep 21 14:21:34 2005 Subject: Key from smartcard to disk In-Reply-To: <43312CA5.7090907@sourcecode.cc> (Patrick Plattes's message of "Wed, 21 Sep 2005 11:49:25 +0200") References: <43306C93.9030207@sourcecode.cc> <87ek7jq9af.fsf@wheatstone.g10code.de> <43312CA5.7090907@sourcecode.cc> Message-ID: <87wtlaobrp.fsf@wheatstone.g10code.de> On Wed, 21 Sep 2005 11:49:25 +0200, Patrick Plattes said: > this. Please tell me if my presumption is correct. The public key will > be generated with the aid of the secret key and the secret key never Public and secret keys are generated at the same, thus they are called a key pair. > leave the card, the card must generate the pk. So it's not a missing > feature in GnuPG instead of the OpenPGP card. Correct? No. We send a command "GENERATE" to the card, the card reads this commands, starts the key generation, and responds with success. Then we send a command "READ PUBLIC KEY" and the card returns the public key of the key pari it just generated. Optionally we may create the *key pair* outside of the card and send the secret key to the card using a command like "STORE SECRET KEY". There is no command "READ SECRET KEY". The sapce inside the card where the secret key is stored is for the outside world a write-only-memory. Access to this memory is only allowed by the card itself and through certain fucntion (SIGN, DECRYPT). Salam-Shalom, Werner From derek at ximbiot.com Wed Sep 21 17:52:08 2005 From: derek at ximbiot.com (Derek Price) Date: Wed Sep 21 19:56:03 2005 Subject: Extracting a single signature from a file containing multiple signatures Message-ID: <433181A8.6010103@ximbiot.com> Say `gpg --detach-sign' were used to create several detached signatures and they were concatenated into the same file. Is there a simple way to separate those signatures again? Is there documentation of the gpg signature file format online? (I am looking into allowing CVS revisions to be signed in the CVS repository, potentially by multiple users, and I want to know if I can store multiple signatures in a single binary string (I know that gpg --verify can handle this) or if I need to keep them separate, to allow for admins to later delete single, possibly expired, signatures from the signature blob by keyid. Once I get the signatures separated again, I can exec gpg to extract the keyid, but if I cannot separate them, this won't work to find and delete a single signature from the blob.) Thanks, Derek -- Derek R. Price CVS Solutions Architect Ximbiot v: +1 717.579.6168 f: +1 717.234.3125 From dshaw at jabberwocky.com Wed Sep 21 20:11:07 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 21 20:11:49 2005 Subject: Extracting a single signature from a file containing multiple signatures In-Reply-To: <433181A8.6010103@ximbiot.com> References: <433181A8.6010103@ximbiot.com> Message-ID: <20050921181107.GA17629@jabberwocky.com> On Wed, Sep 21, 2005 at 11:52:08AM -0400, Derek Price wrote: > Say `gpg --detach-sign' were used to create several detached signatures > and they were concatenated into the same file. Is there a simple way to > separate those signatures again? Is there documentation of the gpg > signature file format online? Yes, and yes. To separate signatures, use 'gpgsplit', which comes with gpg. You'll end up with each signature in its own file. The documentation of the signature file format is in RFC-2440: http://www.ietf.org/rfc/rfc2440.txt David From ulriks at ruc.dk Wed Sep 21 21:33:39 2005 From: ulriks at ruc.dk (Ulrik Stervbo) Date: Wed Sep 21 23:26:01 2005 Subject: Digitally sign pdf Message-ID: <4331B593.7010306@ruc.dk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello everyone, I was wondering how I could sign pdf-documents created with pdflatex? Can I use OpenPGP in some way? I have messed about with itext, but I end up with a 'form warning bar' in the viewer - not really what I want :-D Thanks Ulrik - -- Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDMbWTJSFe0jsfkmcRAntTAJ99eJxJCTbaa2ct8NEl9I9gQ4dXkwCeMGKq alAdx5Faz2eLwnEISkRPBCs= =XUbb -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Wed Sep 21 20:56:59 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Sep 22 00:03:31 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050921011237.89942.qmail@web90006.mail.scd.yahoo.com> Message-ID: <200509211856.j8LIuxUO009609@vulcan.xs4all.nl> You, Guitar Bench, wrote: >Apparently not. I have used the --pgp2 switch with no >resulting success. --pgp2 without the idea plugin is quite useless I think. There are hacked pgp2 versions that can use other ciphers, but I don't think they're in widespread use. >If I can figure out how to install IDEA, I will, but I >can't see how it could possibly matter with DSS/DSA >keys. It won't. Those keys are not pgp2 compatible anyway. >> put idea.c in the cipher dir and recompile. > >The "cipher dir" in this case would be >/home/anonymous/.gnupg ? No, that is a dir when you unpack the source code of GnuPG. I don't know if the load-extension still works on Unix systems. If it does, you'd have to compile the file idea.c into a loadable module and can put it anywhere, and point to it in gpg.conf. >My personal guess at this point is that this has >something to do with charactersets, though nominally >UTF-8 should work. I have no experience with special character encodings. However, it shouldn't influence the encryption/decryption, only how the file looks afterwards on your screen. The bits of the file should not change by it. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From chd at chud.net Thu Sep 22 01:22:54 2005 From: chd at chud.net (Chris De Young) Date: Thu Sep 22 01:23:12 2005 Subject: Digitally sign pdf In-Reply-To: <4331B593.7010306@ruc.dk> References: <4331B593.7010306@ruc.dk> Message-ID: <20050921232254.GE1994@dionysus.chud.net> On Wed, Sep 21, 2005 at 09:33:39PM +0200, Ulrik Stervbo wrote: > Hello everyone, > > I was wondering how I could sign pdf-documents created with pdflatex? gpg -b filename.pdf ? If that doesn't work for what you need, could you be more specific? -C -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050921/39aeff2f/attachment.pgp From alaricd at pengdows.com Thu Sep 22 03:23:56 2005 From: alaricd at pengdows.com (Alaric Dailey) Date: Thu Sep 22 03:24:51 2005 Subject: Digitally sign pdf In-Reply-To: <20050921232254.GE1994@dionysus.chud.net> References: <4331B593.7010306@ruc.dk> <20050921232254.GE1994@dionysus.chud.net> Message-ID: <433207AC.3020704@pengdows.com> Correct me if I am wrong but the PDF spec doesn't support internal PGP signatures. > On Wed, Sep 21, 2005 at 09:33:39PM +0200, Ulrik Stervbo wrote: > >> Hello everyone, >> >> I was wondering how I could sign pdf-documents created with pdflatex? >> > > gpg -b filename.pdf > > ? > > If that doesn't work for what you need, could you be more specific? > > -C > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3544 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050921/bc251bbe/smime-0001.bin From derek at ximbiot.com Thu Sep 22 03:29:04 2005 From: derek at ximbiot.com (Derek Price) Date: Thu Sep 22 03:29:07 2005 Subject: Extracting a single signature from a file containing multiple signatures In-Reply-To: <20050921181107.GA17629@jabberwocky.com> References: <433181A8.6010103@ximbiot.com> <20050921181107.GA17629@jabberwocky.com> Message-ID: <433208E0.5020703@ximbiot.com> David Shaw wrote: >Yes, and yes. > >To separate signatures, use 'gpgsplit', which comes with gpg. You'll >end up with each signature in its own file. > >The documentation of the signature file format is in RFC-2440: >http://www.ietf.org/rfc/rfc2440.txt > > Thank you very much. That will be useful. Is there some way I can extract signature information from individual signatures without running gpg --verify? i.e. key ID, date, anything else that is available when the signed data may not be? Regards, Derek -- Derek R. Price CVS Solutions Architect Ximbiot v: +1 717.579.6168 f: +1 717.234.3125 From Laurent.Jumet at advalvas.be Thu Sep 22 01:55:59 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Thu Sep 22 04:37:06 2005 Subject: Digitally sign pdf In-Reply-To: <4331B593.7010306@ruc.dk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello ! Ulrik Stervbo wrote: US> I was wondering how I could sign pdf-documents created with pdflatex? US> Can I use OpenPGP in some way? US> I have messed about with itext, but I end up with a 'form warning bar' US> in the viewer - not really what I want :-D The only practical way seems a detached signature. You may want to use GPGShell for that purpose. - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDMfTS9R1toM+vcEwRA0+uAKDfrhW7NdB3/jMP9/dfYZLmdpC0LwCglOiP 3esZScFob4oGd7rWA8N9Am0= =lbTP -----END PGP SIGNATURE----- From Laurent.Jumet at advalvas.be Thu Sep 22 01:59:17 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Thu Sep 22 05:14:38 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <200509211856.j8LIuxUO009609@vulcan.xs4all.nl> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello ! Johan Wevers wrote: >> Apparently not. I have used the --pgp2 switch with no >> resulting success. JW> --pgp2 without the idea plugin is quite useless I think. There are JW> hacked pgp2 versions that can use other ciphers, but I don't think JW> they're in widespread use. On my system, --pgp2 doesn't work. The FAQ says --rfc1991 should be used instead, and this works. This message should be signed in a PGP2-compliant way. - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDMfRv9R1toM+vcEwRAnq5AKDgg3W2loUdWRHzMWRNvym1ZlZj2gCePQaR nku8ikrIVet5ec7BI5ltKmY= =qhy6 -----END PGP SIGNATURE----- From atom at smasher.org Thu Sep 22 07:23:49 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Sep 22 07:24:10 2005 Subject: legally binding digital sigs Message-ID: <20050922052403.3417.qmail@smasher.org> does anyone know what makes a digital signature legally binding (or not) under US law? thanks... -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "These numbers have nothing to do with the technology of the devices; they are the maximum that thermodynamics will allow. and they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space." -- Bruce Schneier, Applied Cryptography From ulriks at ruc.dk Thu Sep 22 08:04:47 2005 From: ulriks at ruc.dk (Ulrik Stervbo) Date: Thu Sep 22 08:04:55 2005 Subject: Digitally sign pdf In-Reply-To: References: Message-ID: <4332497F.1030100@ruc.dk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! Using gpg -b file.pdf results in a detached signature. However, only internal signatures will do. The idea is to sign applications and having a detached signature (or a signature in general) just confuses people who are not computer scientists. Thanks for the quick response Ulrik Laurent Jumet wrote: > Hello ! > > Ulrik Stervbo wrote: > > US> I was wondering how I could sign pdf-documents created with > pdflatex? US> Can I use OpenPGP in some way? > > US> I have messed about with itext, but I end up with a 'form > warning bar' US> in the viewer - not really what I want :-D > > The only practical way seems a detached signature. You may want to > use GPGShell for that purpose. > _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDMkl/JSFe0jsfkmcRAhUTAJ9eUdl7BkozH8ihb0t7qhLoMr9CLQCg7knm JbfjA+0/mYecGFxlCDtPMTc= =Qu3b -----END PGP SIGNATURE----- From guitarbench at yahoo.com Thu Sep 22 08:07:53 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Thu Sep 22 08:08:22 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <200509211856.j8LIuxUO009609@vulcan.xs4all.nl> Message-ID: <20050922060753.73314.qmail@web90005.mail.scd.yahoo.com> --- Johan Wevers wrote: >>If I can figure out how to install IDEA, I will, >>but I can't see how it could possibly matter with >>DSS/DSA keys. > It won't. Those keys are not pgp2 compatible anyway. OK. So...if the remailers are distributing DSS kets, what version of PGP can we assume they are using? What GPG encryption options can we use to work with that version of PGP? Thanks for any help on this. __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From lionel at mamane.lu Thu Sep 22 09:38:21 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Thu Sep 22 09:38:23 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: References: <200509211856.j8LIuxUO009609@vulcan.xs4all.nl> Message-ID: <20050922073821.GA16476@tofu.mamane.lu> On Thu, Sep 22, 2005 at 01:59:17AM +0200, Laurent Jumet wrote: > Johan Wevers wrote: > On my system, --pgp2 doesn't work. > The FAQ says --rfc1991 should be used instead, and this works. > This message should be signed in a PGP2-compliant way. To encrypt / sign in a PGP2-compatible way, you must work on _files_, not stdin/stdout. See the last bullet point of http://www.gnupg.org/gph/en/pgp2x.html#AEN85 . -- Lionel From lionel at mamane.lu Thu Sep 22 09:39:54 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Thu Sep 22 09:39:52 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050922073821.GA16476@tofu.mamane.lu> References: <200509211856.j8LIuxUO009609@vulcan.xs4all.nl> <20050922073821.GA16476@tofu.mamane.lu> Message-ID: <20050922073953.GB16476@tofu.mamane.lu> On Thu, Sep 22, 2005 at 09:38:21AM +0200, Lionel Elie Mamane wrote: > On Thu, Sep 22, 2005 at 01:59:17AM +0200, Laurent Jumet wrote: > > Johan Wevers wrote: > > > On my system, --pgp2 doesn't work. > > The FAQ says --rfc1991 should be used instead, and this works. > > This message should be signed in a PGP2-compliant way. > > To encrypt / sign in a PGP2-compatible way, you must work on _files_, > not stdin/stdout. See the last bullet point of > http://www.gnupg.org/gph/en/pgp2x.html#AEN85 . > You also used the SHA-1 hash instead of MD5. From ulriks at ruc.dk Thu Sep 22 10:23:10 2005 From: ulriks at ruc.dk (Ulrik Stervbo) Date: Thu Sep 22 10:23:17 2005 Subject: Digitally sign pdf In-Reply-To: <4331B593.7010306@ruc.dk> References: <4331B593.7010306@ruc.dk> Message-ID: <433269EE.5010700@ruc.dk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Using keytool -genkey -keyalg RSA -sigalg MD5withRSA -keystore testkeystore - -alias mykey I can add a signature to my pdfs, still using itext but without the annoying 'form warning bar' (I am a tad confused) Using the following code, I load the testkeystore - can I do something similar with gpg? KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(new FileInputStream("testkeystore"), "password".toCharArray()); Ulrik Ulrik Stervbo wrote: > Hello everyone, > > I was wondering how I could sign pdf-documents created with > pdflatex? > > Can I use OpenPGP in some way? > > I have messed about with itext, but I end up with a 'form warning > bar' in the viewer - not really what I want :-D > > Thanks Ulrik > _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDMmnuJSFe0jsfkmcRAsVtAJ9sTtc1ibvycKbZrkJtWnbPyzDodwCgkwvW 5LcdhdcvQYAh+0SKkBXZHAg= =4QL4 -----END PGP SIGNATURE----- From Laurent.Jumet at advalvas.be Thu Sep 22 10:25:02 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Thu Sep 22 10:28:21 2005 Subject: PGP2... Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello ! Does this gpg.conf makes PGP2 compatible signatures? === Begin PGP2.txt === default-key 0xCFAF704C default-recipient-self encrypt-to 0xCFAF704C keyserver x-hkp://blackhole.pca.dfn.de keyserver-options auto-key-retrieve photo-viewer c:\program files\gpgshell\gpgview.exe %i /title 0x%k rfc1991 load-extension c:\lib\gnupg\idea.dll keyid-format 0xSHORT no-greeting no-mdc-warning armor verbose === End PGP2.txt === Is this signature on the message, a PGP2 one? - -- Laurent Jumet KeyID: 0xCFAF704C -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDMmr29R1toM+vcEwRAl8oAKCr3Rnu2x9WlObXE4d6M5uNneM3QQCeLd0M hzfsKKkL5LHBeC9NYTCR7IE= =W+cd -----END PGP SIGNATURE----- From lionel at mamane.lu Thu Sep 22 10:59:42 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Thu Sep 22 10:59:42 2005 Subject: PGP2... In-Reply-To: References: Message-ID: <20050922085941.GA20299@tofu.mamane.lu> On Thu, Sep 22, 2005 at 10:25:02AM +0200, Laurent Jumet wrote: > Is this signature on the message, a PGP2 one? You made this signature with a DSS key. You "must" use an RSAv3 key to do PGP2-compatible signatures, I believe. Where PGP2 is the "official" version. And use MD5, not SHA1. -- Lionel From guitarbench at yahoo.com Thu Sep 22 15:55:03 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Thu Sep 22 15:55:33 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050922073821.GA16476@tofu.mamane.lu> Message-ID: <20050922135503.47397.qmail@web90001.mail.scd.yahoo.com> --- Lionel Elie Mamane wrote: > To encrypt / sign in a PGP2-compatible way... This is apparently not relevant to my question, as the remailers are using DSA/DSS keys (see previous messages). Changing to PGP6 compatibility also makes no difference for what that's worth. Let's stick to my original problem until we get it whipped. Thanks! __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From johanw at vulcan.xs4all.nl Thu Sep 22 09:47:03 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Sep 22 15:58:47 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050922060753.73314.qmail@web90005.mail.scd.yahoo.com> Message-ID: <200509220747.j8M7l3RV009690@vulcan.xs4all.nl> Guitar Bench wrote: >So...if the remailers are distributing DSS kets, what >version of PGP can we assume they are using? One that can use those keys and allows scripting. That should be GnuPG or pgp 6.something. >What GPG encryption options can we use to work with >that version of PGP? I'd try to use as many compatibility options as possible, like --rfc1991. Further, doesn't the remailer key has preferences? And can't you mail the remailer operator? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Sep 22 09:50:43 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Sep 22 15:58:59 2005 Subject: legally binding digital sigs In-Reply-To: <20050922052403.3417.qmail@smasher.org> Message-ID: <200509220750.j8M7ohji009767@vulcan.xs4all.nl> Atom Smasher wrote: >does anyone know what makes a digital signature legally binding (or not) >under US law? US law? I'd say enough money to pay all the lawyers to argue about it in court until the other side is bancrupt. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From guitarbench at yahoo.com Thu Sep 22 16:59:26 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Thu Sep 22 16:59:57 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <200509220747.j8M7l3RV009690@vulcan.xs4all.nl> Message-ID: <20050922145926.93151.qmail@web90006.mail.scd.yahoo.com> --- Johan Wevers wrote: > That should be GnuPG or pgp 6.something. That's what I thought. Enabling PGP6 compatibility in kGPG does not make any difference, though. > I'd try to use as many compatibility options as > possible, like --rfc1991. --rfc1991 doesn't work. That (as I understand it) simulates PGP 2.*, which these remailers aren't using as they have DSA/DSS keys. > Further, doesn't the remailer key has > preferences? I don't understand what you mean. > And can't you mail the remailer operator? Apparently not. I'd like to have access to the REMOPS list, but it's invitation-only Discussing this on alt.privacy.anon-server has been a bust, though most remailer operators frequent that newsgroup. Curiously, I've never been able to find a Linux user who has worked with the remailers, though some of them are running Linux! __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From jam at jamux.com Thu Sep 22 17:17:49 2005 From: jam at jamux.com (John A. Martin) Date: Thu Sep 22 17:24:19 2005 Subject: legally binding digital sigs References: <20050922052403.3417.qmail@smasher.org> <200509220750.j8M7ohji009767@vulcan.xs4all.nl> Message-ID: <873bnxw2qq.fsf@athene.jamux.com> >>>>> "Johan" == Johan Wevers >>>>> "Re: legally binding digital sigs" >>>>> Thu, 22 Sep 2005 09:50:43 +0200 (MET DST) Johan> Atom Smasher wrote: >> does anyone know what makes a digital signature legally binding >> (or not) under US law? Johan> US law? I'd say enough money to pay all the lawyers to Johan> argue about it in court until the other side is bancrupt. HTH jam -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 154 bytes Desc: not available Url : /pipermail/attachments/20050922/1e69b303/attachment.pgp From lporter at hdsmith.com Thu Sep 22 15:32:27 2005 From: lporter at hdsmith.com (Lowell Porter) Date: Thu Sep 22 17:26:02 2005 Subject: legally binding digital sigs (Atom Smasher) In-Reply-To: <43257BA40000FD1E@HDSPRIME.hdsmith.com> (added by HDSPRIME.hdsmith.com) Message-ID: <002001c5bf7a$13579770$a504a8c0@hdsmith.com> www.findlaw.com is a good resource for legal questions. It can be tedious to find exactly what you are looking for, however when it is found, you'll get plenty of valuable information. ------------------------------ Message: 4 Date: Thu, 22 Sep 2005 01:23:49 -0400 (EDT) From: Atom Smasher Subject: legally binding digital sigs To: gnupg-users@gnupg.org Message-ID: <20050922052403.3417.qmail@smasher.org> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed does anyone know what makes a digital signature legally binding (or not) under US law? thanks... -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "These numbers have nothing to do with the technology of the devices; they are the maximum that thermodynamics will allow. and they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space." -- Bruce Schneier, Applied Cryptography **************************************************************************** This transmission may contain information that is privileged, Confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. **************************************************************************** From benfell at greybeard95a.com Fri Sep 23 09:22:35 2005 From: benfell at greybeard95a.com (David Benfell) Date: Fri Sep 23 11:26:00 2005 Subject: legally binding digital sigs (Atom Smasher) In-Reply-To: <002001c5bf7a$13579770$a504a8c0@hdsmith.com> References: <43257BA40000FD1E@HDSPRIME.hdsmith.com> <002001c5bf7a$13579770$a504a8c0@hdsmith.com> Message-ID: <20050923072235.GB10433@parts-unknown.org> On Thu, 22 Sep 2005 08:32:27 -0500, Lowell Porter wrote: > www.findlaw.com is a good resource for legal questions. It can be > tedious to find exactly what you are looking for, however when it is > found, you'll get plenty of valuable information. Using the site: keyword, in this case on "site:findlaw.com" can help with a Google search. Even so, there are a number of hits. The article that appears definitive begins at . (Look for the continuation pages on the "next page" link, *after* the footnotes.) The bottom line seems to be that a digital signature is enforceable when the state says it is. And it doesn't appear there's any real agreement on the conditions under which this should be so. However there is this: A signature, whether electronic or on paper, is first and foremost a symbol that signifies intent . Thus, the definition of "signed" in the Uniform Commercial Code includes "any symbol" so long as it is "executed or adopted by a party with present intention to authenticate a writing." The primary focus, of course, is on the "intention to authenticate," which distinguishes a signature from an autograph. Yet, the nature of that intent will vary with the transaction, and in most cases can be determined only by looking at the context in which the signature was made. I am not a lawyer, but... This allows electronic signatures to be accepted as long as *all* parties to a contract agree to use them. I perceive a "chicken and egg" problem here, but, for instance, in completing a financial aid application through the FAFSA web site for college, a student agrees to sign the application electronically, using their peculiar process. The act of filling in the application presumably demonstrates the intent confirmed by the symbol obtained through the signature process. The author of the article, Thomas J. Smedinghoff, seems to acknowledge that this doesn't really resolve some fundamental legal issues, and devotes considerable space to the "direction in which [electronic signature] legislation should be moving." So, if I understand all this correctly, use and rely upon electronic signatures at your own risk. Avoid using them in situations where litigation is reasonably foreseeable, for the validity of such signatures is probably still open to challenge. If possible, obtain paper authorizations from all participants agreeing to use electronic signatures. -- David Benfell, LCP benfell@parts-unknown.org --- Resume available at http://www.parts-unknown.org/ From johanw at vulcan.xs4all.nl Thu Sep 22 22:39:03 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Sep 23 11:59:14 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050922145926.93151.qmail@web90006.mail.scd.yahoo.com> Message-ID: <200509222039.j8MKd3ij001750@vulcan.xs4all.nl> Guitar Bench wrote: >> Further, doesn't the remailer key has preferences? >I don't understand what you mean. gpg --edit-key gpg> showpref This gives a list of supported algorithms. Although the list can be incorrect if the key is used with another version as it was created with. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From doug.jih at gmail.com Fri Sep 23 12:39:38 2005 From: doug.jih at gmail.com (JIH, DOUG Y.) Date: Fri Sep 23 12:40:18 2005 Subject: trouble decrypting AES256 symmetric encrypted file In-Reply-To: <0FB8AE89.4084D03F.0307202B@netscape.net> References: <0FB8AE89.4084D03F.0307202B@netscape.net> Message-ID: I used 7-Zip to archive about 4.6 GB of files, and I used GPG to encrypt the 7z file. 7-Zip can't seem to open the partially decrypted file, unfortunately, so I can't get any of the files back. I was hoping that the whole 7z file was still available in its encrypted form, and that GPG was simply confused by an overflown 32-bit index or something like that. In any case, this seems like a serious problem that people should be aware of. On 9/20/05, Henry Hertz Hobbit wrote: > > John Clizbe wrote: > > >Alphax wrote: > >> JIH, DOUG Y. wrote: > >>> I got the following messages when I tried to decrypt a file.gpg with > >>> the size 4,920,412,393 bytes. > >>> > >>> gpg: AES256 encrypted data > >>> gpg: encrypted with 1 passphrase > >>> gpg: [don't know]: invalid packet (ctb=7e) > >>> gpg: [don't know]: invalid packet (ctb=32) > >>> gpg: WARNING: encrypted message has been manipulated! > >>> gpg: [don't know]: invalid packet (ctb=2c) > >>> > >>> The file was produced by encrypting with > >>> > >>> gpg -c --cipher aes256 file > >>> > >>> When the error messages occured, the output file has a size of > >>> 614,055,611 bytes. > >>> > >>> Can anyone please help! > >>> > >>> Using gpg version 1.4.2, official Windows version > >>> > >> > >> I have a feeling Windows has problems with files this large, esp. on NTFS. > >> > >I recall this being a common error with GnuPG on Win32. > > > >The usual work-around if I recall correctly is to use redirection: > > > > gpg < file.gpg > file.out > > > >Has the file been manipulated or moved between systems since it was encrypted? > > First, it is NOT a limitation of the file size on an NTFS file system > (at least in theory). Check it out (snatched out of the mouth of the > Lion: > > http://tinyurl.com/2ozuo > > Quoting the maximum file size from Microsoft: > > Theory: 16 exabytes minus 1 KB (2^64 bytes minus 1 KB) > mplementation: 16 terabytes minus 64 KB (2^44 bytes minus 64 KB) > > That is much better than the 2 GB limit of EXT3. In reality, that > can't be the limit because a DVD gets broken up into chunks rather > than being one huge file. The indirection (< input > output) works, > but I think you have lost your file. I suggest regenerating it and > using the indirection. I am assuming it is a huge backup and that > you CAN regenerate it again. If you can't, Microsoft is your best > bet at finding out how to get all of the lost clusters back, and I > strongly suspect you will never see the file again. What zip program > did you use to generate such a huge file? > > HHH > -- > Key Name: "Henry Hertz Hobbit" > pub 1024D/E1FA6C62 2005-04-11 [expires: 2006-04-11] > Key fingerprint = ACA0 B65B E20A 552E DFE2 EE1D 75B9 D818 E1FA 6C62 > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From erwan at rail.eu.org Fri Sep 23 12:57:04 2005 From: erwan at rail.eu.org (Erwan David) Date: Fri Sep 23 13:53:28 2005 Subject: trouble decrypting AES256 symmetric encrypted file In-Reply-To: References: <0FB8AE89.4084D03F.0307202B@netscape.net> Message-ID: <20050923105703.GA14910@brehat.trusted-logic.fr> Le Fri 23/09/2005, JIH, DOUG Y. disait > I used 7-Zip to archive about 4.6 GB of files, and I used GPG to > encrypt the 7z file. 7-Zip can't seem to open the partially decrypted > file, unfortunately, so I can't get any of the files back. > > I was hoping that the whole 7z file was still available in its > encrypted form, and that GPG was simply confused by an overflown > 32-bit index or something like that. > > In any case, this seems like a serious problem that people should be > aware of. Zip file catalogue is at end of archive (even if it is called "Central Directory"). WIthout the end of the file, not very much can be done on the archive... -- Erwan David From mixmaster at remailer.privacy.at Wed Sep 21 15:46:12 2005 From: mixmaster at remailer.privacy.at (privacy.at Anonymous Remailer) Date: Sat Sep 24 16:26:20 2005 Subject: --throw-keyid and -R options Message-ID: Is there any difference between the effects of following commands? gpg -e -R alice -R bob file gpg -e -r alice -r bob --throw-keyid file And when I abbreviate --throw-keyid to --throw or --throw-keyi even, I get the error: gpg: Option "--throw-key" is ambiguous There is nothing else that starts with the string "throw" so why? From claudia_low at stercomm.com Fri Sep 23 11:10:38 2005 From: claudia_low at stercomm.com (Low, Claudia) Date: Sat Sep 24 16:26:26 2005 Subject: GPG Passphrase on the command line Message-ID: Hi, Is there an option, eg. --passphrase, that I can use so that I can pass the passphrase in the command line when doing a signing, symmetric encryption or decryption? Without this option, I will be prompted on the console. In my program, I can only use command line to execute the commands. I am not able to pass in the passphrase from a file (using file descriptor). Please kindly help. Thanks, Claudia From sithtracy at yahoo.com Sat Sep 24 16:36:25 2005 From: sithtracy at yahoo.com (Tracy D. Bossong) Date: Sat Sep 24 16:37:00 2005 Subject: GPG Passphrase on the command line In-Reply-To: Message-ID: <20050924143625.46394.qmail@web51702.mail.yahoo.com> You didn't specify your platform, but in Windows it's done like this: echo mypasshrase|gpg --encrypt --passphrase-fd 0..... --- "Low, Claudia" wrote: > Hi, > > Is there an option, eg. --passphrase, that I can > use so that I can > pass the passphrase in the command line when doing a > signing, symmetric > encryption or decryption? Without this option, I > will be prompted on the > console. > In my program, I can only use command line to > execute the commands. I > am not able to pass in the passphrase from a file > (using file > descriptor). > > Please kindly help. > > Thanks, > Claudia > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Sat Sep 24 18:42:28 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Sep 24 18:43:16 2005 Subject: --throw-keyid and -R options In-Reply-To: References: Message-ID: <20050924164228.GA5780@jabberwocky.com> On Wed, Sep 21, 2005 at 03:46:12PM +0200, privacy.at Anonymous Remailer wrote: > > Is there any difference between the effects of following commands? > > gpg -e -R alice -R bob file > > gpg -e -r alice -r bob --throw-keyid file Since you are using -R (which does a per-recipient --throw-keyid) for both recipients, there is no difference between the two commands. > And when I abbreviate --throw-keyid to --throw or --throw-keyi even, I > get the error: > > gpg: Option "--throw-key" is ambiguous > > > There is nothing else that starts with the string "throw" so why? There is: there are both options --throw-keyid and --throw-keyids (they do the same thing). Come to think though, --throw-keyid could be removed since is effectively an abbreviation of --throw-keyids. David From lusfert at gmail.com Sat Sep 24 21:57:21 2005 From: lusfert at gmail.com (lusfert) Date: Sat Sep 24 23:56:00 2005 Subject: Strange problem and key preferences Message-ID: <4335AFA1.3090904@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello! I'm currenly using GnuPG 1.4.2 on WinXP SP2 and I have a problem: When I write gpg -d file.ext.asc I receive long output of hard readable characters and PC Speaker loud beeping. I can stop this only by manual ending processes cmd.exe and gpg.exe via Task Manager. Is it possible to avoid this? For example, ask for an output location (file, etc.) as gpg asks for recipient when he/she/it isn'n specified. Also I didn't understand how to set up preferences for a key: allowed and preferred ciphers, digest algorithms and compress methods. It is possible to set up them using PGP Desktop 9. Regards - -- Current OpenPGP key ID: 0x500B8987 Fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Keyserver to use: sks.keyserver.penguin.de Encrypted mail preferred. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD4DBQFDNa+bnjU7VlALiYcRA7+CAKC4cW6IK6k2h6CTuGhP8OzvZkGHSQCYumOq gUSOFscrigrX3NMjb/sJ9Q== =bV6s -----END PGP SIGNATURE----- From sithtracy at yahoo.com Sun Sep 25 00:06:46 2005 From: sithtracy at yahoo.com (Tracy D. Bossong) Date: Sun Sep 25 00:07:16 2005 Subject: Strange problem and key preferences In-Reply-To: <4335AFA1.3090904@gmail.com> Message-ID: <20050924220646.67742.qmail@web51710.mail.yahoo.com> use: gpg --use-embedded-filename file.ext.asc I think that is what you are looking for... or use gpg --decrypt --output file.ext file.ext.asc --- lusfert wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Hello! > > I'm currenly using GnuPG 1.4.2 on WinXP SP2 and I > have a problem: > > When I write > > gpg -d file.ext.asc > > I receive long output of hard readable characters > and PC Speaker loud > beeping. I can stop this only by manual ending > processes cmd.exe and > gpg.exe via Task Manager. > Is it possible to avoid this? For example, ask for > an output location > (file, etc.) as gpg asks for recipient when > he/she/it isn'n specified. > > Also I didn't understand how to set up preferences > for a key: allowed > and preferred ciphers, digest algorithms and > compress methods. It is > possible to set up them using PGP Desktop 9. > > Regards > > - -- > Current OpenPGP key ID: 0x500B8987 > Fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 > 3B56 500B 8987 > Keyserver to use: sks.keyserver.penguin.de > Encrypted mail preferred. > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2 (MingW32) > > iD4DBQFDNa+bnjU7VlALiYcRA7+CAKC4cW6IK6k2h6CTuGhP8OzvZkGHSQCYumOq > gUSOFscrigrX3NMjb/sJ9Q== > =bV6s > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From johanw at vulcan.xs4all.nl Sun Sep 25 00:52:41 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Sep 25 01:14:31 2005 Subject: Strange problem and key preferences In-Reply-To: <4335AFA1.3090904@gmail.com> Message-ID: <200509242252.j8OMqf7I001729@vulcan.xs4all.nl> lusfert wrote: >gpg -d file.ext.asc > >I receive long output of hard readable characters and PC Speaker loud >beeping. You forgot to use -a for ASCII mode. As a Unix-like program, gpg does nothing with extensions so calling an output filename something.asc won't automagically trigger ASCII mode. >Also I didn't understand how to set up preferences for a key: allowed >and preferred ciphers, digest algorithms and compress methods. It is >possible to set up them using PGP Desktop 9. I've not looked at pgp since v5, so I don't know. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Sun Sep 25 00:43:44 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Sep 25 01:14:42 2005 Subject: GPG Passphrase on the command line In-Reply-To: Message-ID: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> Low, Claudia wrote: > Is there an option, eg. --passphrase, that I can use so that I can >pass the passphrase in the command line when doing a signing, symmetric >encryption or decryption? Without this option, I will be prompted on the >console. No, you'll have to pipe it through a file descriptor with --passphrase-fd. But with the echo command it can be done on a commandline too on fd 0: echo password | gpg --passphrase-fd 0 --decrypt / --encrypt. For some reasons I don't completely understand the GnuPG developers feel this is less insecure than a normal commandline (you're certainly not the first to ask this...). > In my program, I can only use command line to execute the commands. I >am not able to pass in the passphrase from a file (using file >descriptor). Piping doesn't necessarily require a file. I don't know what language your application is in, but for C or C++, see pipe(), dup2() and fork(). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From lionel at mamane.lu Sun Sep 25 08:25:09 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Sun Sep 25 08:25:15 2005 Subject: Strange problem and key preferences In-Reply-To: <4335AFA1.3090904@gmail.com> References: <4335AFA1.3090904@gmail.com> Message-ID: <20050925062508.GA18416@tofu.mamane.lu> On Sat, Sep 24, 2005 at 11:57:21PM +0400, lusfert wrote: > Also I didn't understand how to set up preferences for a key: > allowed and preferred ciphers, digest algorithms and compress > methods. It is possible to set up them using PGP Desktop 9. gpg --edit-key 0xKeyID setpref "the preferences you want" updpref save -- Lionel From vedaal at hush.com Sun Sep 25 09:16:06 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Sun Sep 25 09:16:13 2005 Subject: --throw-keyid and -R options Message-ID: <200509250716.j8P7G9L7069419@mailserver2.hushmail.com> >Message: 2 >Date: Wed, 21 Sep 2005 15:46:12 +0200 (CEST) >From: "privacy.at Anonymous Remailer" >Is there any difference between the effects of following commands? > >gpg -e -R alice -R bob file > >gpg -e -r alice -r bob --throw-keyid file if you do not routinely additionally encrypt to self, (or to a default other key), then there is no difference if you do routinely encrypt to self, then leaving out the --throw-keyids will hide only the recipients ids, but leave your's identified vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From samuel at Update.UU.SE Sun Sep 25 19:34:59 2005 From: samuel at Update.UU.SE (Samuel ]slund) Date: Sun Sep 25 19:35:15 2005 Subject: GPG Passphrase on the command line In-Reply-To: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> References: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> Message-ID: <20050925173459.GB15483@Update.UU.SE> On Sun, Sep 25, 2005 at 12:43:44AM +0200, Johan Wevers wrote: > > No, you'll have to pipe it through a file descriptor with --passphrase-fd. > But with the echo command it can be done on a commandline too on fd 0: > echo password | gpg --passphrase-fd 0 --decrypt / --encrypt. > > For some reasons I don't completely understand the GnuPG developers feel > this is less insecure than a normal commandline (you're certainly not the > first to ask this...). I would guess the reasoning is something like, "when you know enough to be able to do it you know why _not_ to do it", a consious decission that this breach of security does not hurt is a lot less dangerous than breaking security without knowing. Just some thoughts. //Samuel From cstork at ics.uci.edu Sat Sep 24 18:41:53 2005 From: cstork at ics.uci.edu (Christian Stork) Date: Mon Sep 26 10:34:23 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? Message-ID: <20050924164153.GA13078@anthony.ics.uci.edu> Hi, A friend of mine uses Enigmail to encrypt his mail on a SuSE 9.x box with gpg 1.2.1 installed. Since I upgraded my Debian box to use gpg 1.4.1 I can't decrypt his mails anymore: $gpg-1.4.1 mal1.asc You need a passphrase to unlock the secret key for user: "Christian H. Stork (University) " 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 (main key ID 50F9CA2F) gpg: encrypted with 2048-bit ELG-E key, ID 4A12AF6D, created 2001-12-14 "Marc-Andre Lemburg " gpg: encrypted with 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 "Christian H. Stork (University) " gpg: uncompressing failed: unknown compress algorithm gpg: WARNING: message was not integrity protected But it works with gpg 1.2: $gpg-1.2.4 mal1.asc You need a passphrase to unlock the secret key for user: "Christian H. Stork (University) " 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 (main key ID 50F9CA2F) gpg: encrypted with 2048-bit ELG-E key, ID 4A12AF6D, created 2001-12-14 "Marc-Andre Lemburg " gpg: encrypted with 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 "Christian H. Stork (University) " gpg: old style (PGP 2.x) signature gpg: Signature made Mon Sep 19 12:28:25 2005 PDT using DSA key ID 6A6DDB60 gpg: Good signature from "Marc-Andre Lemburg " gpg: aka "Marc-Andre Lemburg " gpg: WARNING: message was not integrity protected Here's part of his gpg.conf: ---------------8<------------------------------- # Needed for PGP 5.x interop compress-algo 1 cipher-algo CAST5 no-sk-comments s2k-cipher-algo CAST5 s2k-digest-algo SHA1 rfc1991 # The next option is enabled because this one is needed for interoperation # with PGP 5 users. To enable full OpenPGP compliance you have to remove # this option. force-v3-sigs # Because some mailers change lines starting with "From " to ">From " # it is good to handle such lines in a special way when creating # cleartext signatures; all other PGP versions do it this way too. # To enable full OpenPGP compliance you have to remove this option. escape-from-lines ----------------8<--------------------------------- Do I need to invoke gpg 1.4 with special options (I tried several combinations without success)? I'd be happy to provide more details if that is needed. Thanks for your time, Chris -- Chris Stork <> Support eff.org! <> http://www.ics.uci.edu/~cstork/ OpenPGP fingerprint: B08B 602C C806 C492 D069 021E 41F3 8C8D 50F9 CA2F From peter at palfrader.org Sun Sep 25 15:58:11 2005 From: peter at palfrader.org (Peter Palfrader) Date: Mon Sep 26 10:34:27 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050920033211.32382.qmail@web90007.mail.scd.yahoo.com> References: <20050920033211.32382.qmail@web90007.mail.scd.yahoo.com> Message-ID: <20050925135811.GA18746@asteria.noreply.org> On Mon, 19 Sep 2005, Guitar Bench wrote: > I've been trying now for almost three months and I > still can't get the Cypherpunks remailers to accept > messages encrypted with Ubuntu Linux/GPG v1.2.5. I know that gpg 1.4 (and probably also 1.2 as well, tho I don't have any systems with that anymore) work with gpg --textmode --cipher-algo 3DES --recipient $foo --encrypt because those are the options used by Echolot, a remailer pinger. Also note that for forward anonymous traffic you probably shouldn't use type I anyway. -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From mixmaster at remailer.privacy.at Mon Sep 26 01:45:10 2005 From: mixmaster at remailer.privacy.at (privacy.at Anonymous Remailer) Date: Mon Sep 26 10:34:31 2005 Subject: --throw-keyid and -R options Message-ID: <04a1de687175b7d1d2e11d4cb8ed6e58@remailer.privacy.at> > > Is there any difference between the effects of following commands? > > > > gpg -e -R alice -R bob file > > > > gpg -e -r alice -r bob --throw-keyid file > > Since you are using -R (which does a per-recipient --throw-keyid) for > both recipients, there is no difference between the two commands. I suppose gpg -e -r alice -R bob file might be useful in unusual circumstances! > > And when I abbreviate --throw-keyid to --throw or --throw-keyi even, I > > get the error: > > > > gpg: Option "--throw-key" is ambiguous > > > > > > There is nothing else that starts with the string "throw" so why? > > There is: there are both options --throw-keyid and --throw-keyids > (they do the same thing). Come to think though, --throw-keyid could > be removed since is effectively an abbreviation of --throw-keyids. Aha, I had not noticed those two very similar options. Thanks. From wk at gnupg.org Mon Sep 26 11:49:20 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Sep 26 11:51:39 2005 Subject: GPG Passphrase on the command line In-Reply-To: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> (Johan Wevers's message of "Sun, 25 Sep 2005 00:43:44 +0200 (MET DST)") References: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> Message-ID: <87irwognvj.fsf@wheatstone.g10code.de> On Sun, 25 Sep 2005 00:43:44 +0200 (MET DST), Johan Wevers said: > echo password | gpg --passphrase-fd 0 --decrypt / --encrypt. > For some reasons I don't completely understand the GnuPG developers feel > this is less insecure than a normal commandline (you're certainly not the > first to ask this...). On a multi-user machine it is trivial to see the command line and even the environment of all users without the need of root privileges. Further the passphrase will be visible in the command line edit history. From nidhog at gmail.com Mon Sep 26 15:36:37 2005 From: nidhog at gmail.com (nidhog) Date: Mon Sep 26 17:26:02 2005 Subject: GPG Passphrase on the command line In-Reply-To: <87irwognvj.fsf@wheatstone.g10code.de> References: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> <87irwognvj.fsf@wheatstone.g10code.de> Message-ID: On 9/26/05, Werner Koch wrote: > On Sun, 25 Sep 2005 00:43:44 +0200 (MET DST), Johan Wevers said: > > > echo password | gpg --passphrase-fd 0 --decrypt / --encrypt. > > > For some reasons I don't completely understand the GnuPG developers feel > > this is less insecure than a normal commandline (you're certainly not the > > first to ask this...). > > On a multi-user machine it is trivial to see the command line and even > the environment of all users without the need of root privileges. > Further the passphrase will be visible in the command line edit > history. > > it will show on ps and on your .bash_history and on casual shoulder-surfing -- that's why it's insecure. plus it's not good security practice typing in your passphrase in the open, readable form. it's just as if you handed the world your secring and your key. on the subject of piping, you might try to get a win32 port of unix's echo command (echo.exe). win32's echo command sometimes have that ugly \n attached and will mess up your passphrase. with unix's echo, you can do an echo -n. -- /nh From zwon at severodvinsk.ru Mon Sep 26 20:42:36 2005 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Mon Sep 26 20:43:22 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? In-Reply-To: <20050926174228.GA25029@anthony.ics.uci.edu> References: <20050924164153.GA13078@anthony.ics.uci.edu> <20050926172356.GA892@sky.schizandra.ru> <20050926174228.GA25029@anthony.ics.uci.edu> Message-ID: <20050926184236.GB1567@sky.schizandra.ru> On Mon, Sep 26, 2005 at 10:42:28AM -0700, Christian Stork wrote: > On Mon, Sep 26, 2005 at 09:23:56PM +0400, Pawel Shajdo wrote: > > On Sat, Sep 24, 2005 at 09:41:53AM -0700, Christian Stork wrote: > > > gpg: uncompressing failed: unknown compress algorithm > > > gpg: WARNING: message was not integrity protected > > > > I'd be happy to provide more details if that is needed. > > What show gpg --version ? > > The --version output of the encrypting GnuPG (my oringinal 1.2.1 claim was > wrong): gpg -vv mail.asc ? -- Pawel I. Shajdo From johanw at vulcan.xs4all.nl Mon Sep 26 19:20:02 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 26 22:25:53 2005 Subject: GPG Passphrase on the command line In-Reply-To: <87irwognvj.fsf@wheatstone.g10code.de> Message-ID: <200509261720.j8QHK2SC003395@vulcan.xs4all.nl> Werner Koch wrote: >> echo password | gpg --passphrase-fd 0 --decrypt / --encrypt. >> For some reasons I don't completely understand the GnuPG developers feel >> this is less insecure than a normal commandline (you're certainly not the >> first to ask this...). >On a multi-user machine it is trivial to see the command line and even >the environment of all users without the need of root privileges. >Further the passphrase will be visible in the command line edit >history. But typing the above line on the commandline has the same problems. Further, that commandline history is only saved in certain shells, like bash. I work in tcsh, which uses a memory buffer for command history. Once you exit tcsh the commandline history is gone. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Mon Sep 26 19:21:12 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Sep 26 22:26:15 2005 Subject: GPG Passphrase on the command line In-Reply-To: Message-ID: <200509261721.j8QHLCNB003436@vulcan.xs4all.nl> nidhog wrote: >it will show on ps and on your .bash_history One of the reasons I don't use bash. I prefer tcsh. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From guitarbench at yahoo.com Mon Sep 26 22:28:20 2005 From: guitarbench at yahoo.com (Guitar Bench) Date: Mon Sep 26 22:28:51 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050925135811.GA18746@asteria.noreply.org> Message-ID: <20050926202820.65349.qmail@web90009.mail.scd.yahoo.com> --- Peter Palfrader wrote: > I know that gpg 1.4 (and probably also 1.2 as well, > tho I don't have any > systems with that anymore) work with > gpg --textmode --cipher-algo 3DES > --recipient $foo --encrypt > because those are the options used by Echolot, a > remailer pinger. I spent several hours testing that command line and every permutation I could think of without having GPG accept it once. In any case, it doesn't account for any default settings in echolot's configuration. __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From blueness at gmx.net Mon Sep 26 22:56:06 2005 From: blueness at gmx.net (Mica Mijatovic) Date: Tue Sep 27 00:21:40 2005 Subject: GPG Passphrase on the command line In-Reply-To: References: <200509242243.j8OMhiqv001524@vulcan.xs4all.nl> <87irwognvj.fsf@wheatstone.g10code.de> Message-ID: <62708047.20050926225606@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Was Mon, 26 Sep 2005, at 06:36:37 -0700, when nidhog wrote: > on the subject of piping, you might try to get a win32 port of unix's > echo command (echo.exe). win32's echo command sometimes have that ugly > \n attached and will mess up your passphrase. with unix's echo, you > can do an echo -n. That's good idea. There is a package unxutils.zip with about 80+ such ported utilities which make the work under Windows more comfortable. - -- Mica PGP keys nestled at: http://bardo.port5.com/pgpkeys/ ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s). ~~~ -----BEGIN PGP SIGNATURE----- iQEVAwUBQzhgZbSpHvHEUtv8AQNLewf/WLf8gcmmhGUm5wA6b5MDtVhgxDM/YhLo MYx1ZLErgX53AhamexgM2DF0/G7C9LeNDx2myWtzV9MeERKRE2zNthKXTY7jwm3E 1WeH/hEqPqYB3sl8QVP+QBD0YTe0v3/yacLajxC+XUnfRQ55v09c5f37P4ZO81Wn 7S+LZjQGfxpt1XFyVB6h3yh+9APOSwfYx0yryW8lBqFxD1XZ5zakSetCh2Kl0SpD fwzMJy6jcyRFfpUgxcfSUT/wW7uxL2oVLkbrQt5hikIxaDDFcaMZ159NdryLL2z3 X2GszUP4wk/t/q7e4ANyHRCLCexpVN/f3711lr5ajEnFJRc/v5CH1Q== =8Q2T -----END PGP SIGNATURE----- From blueness at gmx.net Tue Sep 27 00:17:26 2005 From: blueness at gmx.net (Mica Mijatovic) Date: Tue Sep 27 00:21:46 2005 Subject: GPG Passphrase on the command line In-Reply-To: <200509261721.j8QHLCNB003436@vulcan.xs4all.nl> References: <200509261721.j8QHLCNB003436@vulcan.xs4all.nl> Message-ID: <146646473.20050927001726@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Was Mon, 26 Sep 2005, at 19:21:12 +0200 (MET DST), when Johan wrote: > nidhog wrote: >>it will show on ps and on your .bash_history > One of the reasons I don't use bash. I prefer tcsh. Who likes bash, may program/set it to not record history. - -- Mica PGP keys nestled at: http://bardo.port5.com/pgpkeys/ ~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s). ~~~ Never anger a dragon, for you are crunchy and good with brie. -----BEGIN PGP SIGNATURE----- iQEVAwUBQzhzdLSpHvHEUtv8AQPBsAf+JAhSppK95m/LzgEd/NIKy8Q3vguyjPrK SWueNGRi7aSE+ZgTHlbrNJknA5zOxVAWHnKWxAQEtmxzrZROkJZEMm5E3os05AJd YtQMopCnO0xnMPzDHZ2kq4oyJDGTC78fsfWBf35wX2UCzJuJZ17Yp+QRiUVmYGpv UjV3UT19UsuI3v1awGDWNGKoIQ5I+Y66p8wWDNy5fxKGYb6OsWnsdhPZoX2yeqRo A7fdi/6tAqy5RgaF/bUJ9Nb49aMzYjF/fenrp6twCFYvWjGWezKsLyDw8imyCiky AtiDv2Ash8PCCqGZK9bdROoeXLuociWFoks0oUl/XA3abKQ+xoINfw== =bzc8 -----END PGP SIGNATURE----- From wk at gnupg.org Tue Sep 27 08:41:54 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 27 08:46:47 2005 Subject: GPG Passphrase on the command line In-Reply-To: <200509261720.j8QHK2SC003395@vulcan.xs4all.nl> (Johan Wevers's message of "Mon, 26 Sep 2005 19:20:02 +0200 (MET DST)") References: <200509261720.j8QHK2SC003395@vulcan.xs4all.nl> Message-ID: <873bnrdnbh.fsf@wheatstone.g10code.de> On Mon, 26 Sep 2005 19:20:02 +0200 (MET DST), Johan Wevers said: > But typing the above line on the commandline has the same problems. That was just an example. You may use cat or if you feel lucky fortune. Salam-Shalom, Werner From wk at gnupg.org Tue Sep 27 08:44:26 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Sep 27 08:46:54 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <20050926202820.65349.qmail@web90009.mail.scd.yahoo.com> (Guitar Bench's message of "Mon, 26 Sep 2005 13:28:20 -0700 (PDT)") References: <20050926202820.65349.qmail@web90009.mail.scd.yahoo.com> Message-ID: <87y85jc8mt.fsf@wheatstone.g10code.de> On Mon, 26 Sep 2005 13:28:20 -0700 (PDT), Guitar Bench said: > --- Peter Palfrader wrote: >> gpg --textmode --cipher-algo 3DES >> --recipient $foo --encrypt >> because those are the options used by Echolot, a >> remailer pinger. > I spent several hours testing that command line and > every permutation I could think of without having GPG The above line won't work unless " Shalom-Salam, Werner From francois.baert at wanadoo.fr Tue Sep 27 16:20:15 2005 From: francois.baert at wanadoo.fr (francois.baert) Date: Tue Sep 27 17:56:01 2005 Subject: Pb signature Message-ID: <200509271620.15555.francois.baert@wanadoo.fr> Hello, I would like to install the kernel-source of my os RedHat 9.0 I got the source from a mirror of kernel.org and try to install it. rpm -ivh kernel-source-2.4.20-6.i386.rpm error: kernel-source-2.4.20-6.i386.rpm: V3 DSA signature :BAD, key ID db42a60e error: kernel-source-2.4.20-6.i386.rpm cannot be installed. After reading Faqs and Howtos found on gnupg.org (it takes me a couple of days) I found "the linux kernel archives OpenPGP Signature" according to this paper I try to obtain the public key using my key ID db42a60e with gpg --keyserver wwwkeys.pgp.net --recv-keys 0xdb42a60e I found in my pubring.gpg with gpg --list-public-keys this: pub 1024D/DB42A60E 1999-09-23 RedHat, Inc sub 2048g/961630A2 1999-09-23 Then following the literature I submit: rpm -K kernek-source-2.4.20-6.i386.rpm I got : kernel-source-2.4.20-6.i386.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK I try with rpm -K --nosignature . . . I got kernel-source-2.4.20-6.i386.rpm sha1 MD5 NOT OK I confess that I don't know what kind of trials I am going to do ?? I would appreciated if somebody could give me some advices. Francois From gnupg-users=gnupg.org at lists.palfrader.org Tue Sep 27 13:59:27 2005 From: gnupg-users=gnupg.org at lists.palfrader.org (Peter Palfrader) Date: Tue Sep 27 18:25:59 2005 Subject: UbuntuLinux GPG Still Doesn't Work With Remailers In-Reply-To: <87y85jc8mt.fsf@wheatstone.g10code.de> References: <20050926202820.65349.qmail@web90009.mail.scd.yahoo.com> <87y85jc8mt.fsf@wheatstone.g10code.de> Message-ID: <20050927115927.GF20501@asteria.noreply.org> On Tue, 27 Sep 2005, Werner Koch wrote: > On Mon, 26 Sep 2005 13:28:20 -0700 (PDT), Guitar Bench said: > > > --- Peter Palfrader wrote: > > >> gpg --textmode --cipher-algo 3DES > >> --recipient $foo --encrypt > >> because those are the options used by Echolot, a > >> remailer pinger. > > > I spent several hours testing that command line and > > every permutation I could think of without having GPG > > The above line won't work unless " to mix options with arguments. Use > > gpg --textmode --cipher-algo 3DES --recipient $foo --encrypt That's what I meant. Must have happened while copying various snippets from various lines of the code :) -- PGP signed and encrypted | .''`. ** Debian GNU/Linux ** messages preferred. | : :' : The universal | `. `' Operating System http://www.palfrader.org/ | `- http://www.debian.org/ From sbt at megacceso.com Tue Sep 27 18:18:30 2005 From: sbt at megacceso.com (=?ISO-8859-1?Q?Sergi_Blanch_i_Torn=E9?=) Date: Tue Sep 27 19:19:01 2005 Subject: Pb signature In-Reply-To: <200509271620.15555.francois.baert@wanadoo.fr> References: <200509271620.15555.francois.baert@wanadoo.fr> Message-ID: <433970D6.6070002@megacceso.com> Hi, I don't know it either. But how you download the rpm file, maybe by ftp? check binary or ascii transmision. It's only an idea. /S En/na francois.baert ha escrit: > Hello, > > I would like to install the kernel-source of my os RedHat 9.0 > I got the source from a mirror of kernel.org and try to install it. > > rpm -ivh kernel-source-2.4.20-6.i386.rpm > > error: kernel-source-2.4.20-6.i386.rpm: V3 DSA signature :BAD, key ID db42a60e > error: kernel-source-2.4.20-6.i386.rpm cannot be installed. > > After reading Faqs and Howtos found on gnupg.org (it takes me a couple of > days) I found "the linux kernel archives OpenPGP Signature" according to > this paper I try to obtain the public key using my key ID db42a60e with > gpg --keyserver wwwkeys.pgp.net --recv-keys 0xdb42a60e > > I found in my pubring.gpg with gpg --list-public-keys this: > pub 1024D/DB42A60E 1999-09-23 RedHat, Inc > sub 2048g/961630A2 1999-09-23 > > Then following the literature I submit: > rpm -K kernek-source-2.4.20-6.i386.rpm > I got : > kernel-source-2.4.20-6.i386.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK > > I try with rpm -K --nosignature . . . > I got > kernel-source-2.4.20-6.i386.rpm sha1 MD5 NOT OK > > I confess that I don't know what kind of trials I am going to do ?? > > I would appreciated if somebody could give me some advices. > > Francois > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From JBarrett at lyrix.com Wed Sep 28 00:21:57 2005 From: JBarrett at lyrix.com (Jason Barrett) Date: Wed Sep 28 02:26:06 2005 Subject: Any way to get smaller key sizes? Message-ID: Good afternoon, I am using GPG for encryption of sensitive information in a database. Some members of the development team are concerned about the space taken up by strings encrypted with 1024-bit keys and would like to sacrifice some security by reducing that key size. GnuPG will not let me do this with the --gen-keys command; is there any way I can get around that and create, say, a 512-bit key? Thanks, Jason From alaricd at pengdows.com Wed Sep 28 03:25:44 2005 From: alaricd at pengdows.com (Alaric Dailey) Date: Wed Sep 28 03:26:36 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <4339F118.2090003@pengdows.com> considering this https://www.financialcryptography.com/mt/archives/000551.html why would you bother with anything less than 2048 bit keys. Jason Barrett wrote: > Good afternoon, > > I am using GPG for encryption of sensitive information in a database. Some > members of the development team are concerned about the space taken up by > strings encrypted with 1024-bit keys and would like to sacrifice some > security by reducing that key size. GnuPG will not let me do this with the > --gen-keys command; is there any way I can get around that and create, say, > a 512-bit key? > > Thanks, > Jason > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3544 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050927/b8340a20/smime-0001.bin From dshaw at jabberwocky.com Wed Sep 28 04:35:38 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 28 04:36:18 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <20050928023538.GB5681@jabberwocky.com> On Tue, Sep 27, 2005 at 06:21:57PM -0400, Jason Barrett wrote: > Good afternoon, > > I am using GPG for encryption of sensitive information in a database. Some > members of the development team are concerned about the space taken up by > strings encrypted with 1024-bit keys and would like to sacrifice some > security by reducing that key size. GnuPG will not let me do this with the > --gen-keys command; is there any way I can get around that and create, say, > a 512-bit key? Yes, but it's almost impossible to answer this because it's not clear what you're doing. Are you storing the keys or the results? 1024 bit keys with what algorithm? The only key type that is locked to 1024 bits is DSA and that's a signing algorithm, so encryption never comes into the equation. Say what you're doing, and we can help a lot. David From Laurent.Jumet at advalvas.be Wed Sep 28 08:42:08 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Wed Sep 28 08:59:21 2005 Subject: Any way to get smaller key sizes? In-Reply-To: <4339F118.2090003@pengdows.com> Message-ID: Hello ! Is there a way to check the signature below with GnuPG? AD> This is a cryptographically signed message in MIME format. AD> --===============1956155648== AD> Content-Type: multipart/signed; AD> protocol="application/x-pkcs7-signature"; micalg=sha1; AD> boundary="------------ms010301020309090200000803" AD> This is a cryptographically signed message in MIME format. AD> --------------ms010301020309090200000803 AD> Content-Type: text/plain; charset=ISO-8859-1; format=flowed AD> Content-Transfer-Encoding: 7bit AD> --------------ms010301020309090200000803 AD> Content-Type: application/x-pkcs7-signature; name="smime.p7s" AD> Content-Transfer-Encoding: base64 AD> Content-Disposition: attachment; filename="smime.p7s" AD> Content-Description: S/MIME Cryptographic Signature AD> MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKXzC AD> C AD> Az8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQ AD> I AD> EwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIEN AD> v AD> bnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDA AD> i AD> BgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGV AD> y AD> c29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU AD> 5 AD> NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSB AD> M AD> dGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTCBnzA AD> N AD> BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRwnd/p/6Me7L3N9Vv AD> y AD> Gna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn8R+RNiQqE88r1fO AD> C AD> dz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDC AD> B AD> kTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwudGh AD> h AD> d3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1UdDwQEAwIBBjApBgN AD> V AD> HREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJKoZIhvcNAQEFBQA AD> D AD> gYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WF AD> i AD> w9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH1sYITq726jTlEBp AD> b AD> NU1341YheILcIRk13iSx0x1G/11fZU8wggOKMIIC86ADAgECAgMPYJswDQYJKoZIhvcNAQE AD> E AD> BQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx AD> 0 AD> ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA AD> 1 AD> MDgyODAwNDMzOFoXDTA2MDgyODAwNDMzOFowgakxDzANBgNVBAQTBkRhaWxleTEPMA0GA1U AD> E AD> KhMGQWxhcmljMRYwFAYDVQQDEw1BbGFyaWMgRGFpbGV5MSMwIQYJKoZIhvcNAQkBFhRhbGF AD> y AD> aWNkQHBlbmdkb3dzLmNvbTEnMCUGCSqGSIb3DQEJARYYYWxhcmljZGFpbGV5QGhvdG1haWw AD> u AD> Y29tMR8wHQYJKoZIhvcNAQkBFhBieXRld3VsZkBhaW0uY29tMIIBIjANBgkqhkiG9w0BAQE AD> F AD> AAOCAQ8AMIIBCgKCAQEAsndiAxzl3D2f+nOTQcPlwWoTD1hFN58Boc3BeiW/0eV2FwwsC0c AD> 6 AD> 37enTowaLbGOYU5JOGU6uYi/eYUeY7Ge3uN18ShOhRUsTWDQ3Y8yclz68kTyVctByWvYxEC AD> B AD> 2Bm6QTI166T8y1y2N3+sfpecYJSpdDVq6cL82znGJyYVGVkInhahfj2QSF09LL2hDoUpVOd AD> G AD> Qu2gRMye7Uy5fZ012bzqbOJAAwzM+am5BxEeXD8HamN9tZymCXWEGmZBdcrpk9XVDcnDHYf AD> e AD> 639ApqU+Dbi6uyYAtc1QhFiaeWMxCwTBSumWQsw3Sgfm+xxuKTcu41yQnrtQTMT2tUJqRKJ AD> 7 AD> +QIDAQABo4GBMH8wDwYDVR0PAQH/BAUDAwf5gDARBglghkgBhvhCAQEEBAMCBaAwSwYDVR0 AD> R AD> BEQwQoEUYWxhcmljZEBwZW5nZG93cy5jb22BGGFsYXJpY2RhaWxleUBob3RtYWlsLmNvbYE AD> Q AD> Ynl0ZXd1bGZAYWltLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBADBypc1 AD> c AD> SLRlwln5n2/MksNpJb0CXi71MeqR4RG5JlBYuALF/SxCKwfU4CCw8azboRszQNPLgicQUTT AD> 8 AD> EZpDr4f+s9xK2R0V6mKNDtHSMHUdW3w5zlGchhqua+zfHWlJovkMiP3Tpukb53V2aMtGoh6 AD> B AD> QFZEq8nSiHAOhLLNdgT+MIIDijCCAvOgAwIBAgIDD2CbMA0GCSqGSIb3DQEBBAUAMGIxCzA AD> J AD> BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgY AD> D AD> VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNTA4MjgwMDQ AD> z AD> MzhaFw0wNjA4MjgwMDQzMzhaMIGpMQ8wDQYDVQQEEwZEYWlsZXkxDzANBgNVBCoTBkFsYXJ AD> p AD> YzEWMBQGA1UEAxMNQWxhcmljIERhaWxleTEjMCEGCSqGSIb3DQEJARYUYWxhcmljZEBwZW5 AD> n AD> ZG93cy5jb20xJzAlBgkqhkiG9w0BCQEWGGFsYXJpY2RhaWxleUBob3RtYWlsLmNvbTEfMB0 AD> G AD> CSqGSIb3DQEJARYQYnl0ZXd1bGZAYWltLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADC AD> C AD> AQoCggEBALJ3YgMc5dw9n/pzk0HD5cFqEw9YRTefAaHNwXolv9HldhcMLAtHOt+3p06MGi2 AD> x AD> jmFOSThlOrmIv3mFHmOxnt7jdfEoToUVLE1g0N2PMnJc+vJE8lXLQclr2MRAgdgZukEyNeu AD> k AD> /Mtctjd/rH6XnGCUqXQ1aunC/Ns5xicmFRlZCJ4WoX49kEhdPSy9oQ6FKVTnRkLtoETMnu1 AD> M AD> uX2dNdm86mziQAMMzPmpuQcRHlw/B2pjfbWcpgl1hBpmQXXK6ZPV1Q3Jwx2H3ut/QKalPg2 AD> 4 AD> ursmALXNUIRYmnljMQsEwUrplkLMN0oH5vscbik3LuNckJ67UEzE9rVCakSie/kCAwEAAaO AD> B AD> gTB/MA8GA1UdDwEB/wQFAwMH+YAwEQYJYIZIAYb4QgEBBAQDAgWgMEsGA1UdEQREMEKBFGF AD> s AD> YXJpY2RAcGVuZ2Rvd3MuY29tgRhhbGFyaWNkYWlsZXlAaG90bWFpbC5jb22BEGJ5dGV3dWx AD> m AD> QGFpbS5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQAwcqXNXEi0ZcJZ+Z9 AD> v AD> zJLDaSW9Al4u9THqkeERuSZQWLgCxf0sQisH1OAgsPGs26EbM0DTy4InEFE0/BGaQ6+H/rP AD> c AD> StkdFepijQ7R0jB1HVt8Oc5RnIYarmvs3x1pSaL5DIj906bpG+d1dmjLRqIegUBWRKvJ0oh AD> w AD> DoSyzXYE/jGCAzswggM3AgEBMGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSB AD> D AD> b25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWF AD> p AD> bCBJc3N1aW5nIENBAgMPYJswCQYFKw4DAhoFAKCCAacwGAYJKoZIhvcNAQkDMQsGCSqGSIb AD> 3 AD> DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUwOTI4MDEyNTQ0WjAjBgkqhkiG9w0BCQQxFgQUlGx AD> Q AD> QR5PnfeNFI/mKDaew//jb9wwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhki AD> G AD> 9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgweAYJKwY AD> B AD> BAGCNxAEMWswaTBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmc AD> g AD> KFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmc AD> g AD> Q0ECAw9gmzB6BgsqhkiG9w0BCRACCzFroGkwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFR AD> o AD> YXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCB AD> G AD> cmVlbWFpbCBJc3N1aW5nIENBAgMPYJswDQYJKoZIhvcNAQEBBQAEggEAFlJnKLg8sX64cds AD> A AD> tmOO0KJh1yejL8losSpufvmfsA1Riu+pJ3Se5k8j7wTc5ZLMj/Sy4MJ+3Y9c55mcoHqtRg/ AD> x AD> WndOdZa/IMUtP/n+Q6/lc06M7ROxLqqoC2kkJ+TeKv1hM0bKIeBJuwf7PrGHQc1+gwtPpdO AD> v AD> nfayG2zQzgUXRysZvjQbgdLHapzl92W/ZjAgfJsRDJbjlCSSiW5B5PWzseKqZeNW8rV+vaY AD> c AD> 2tc2pQQ3IRR4Lu0BPshP+g6nOVxsjc1sJolDpoOqV04IJyT6tddni/ekW+jHnccqsCliZpr AD> c WebpvbjVWv35pMEVnJV0UUY8Zju2TF8DZs8qqgAAAAAAAA== AD> --------------ms010301020309090200000803-- AD> --===============1956155648== AD> Content-Type: text/plain; charset="us-ascii" AD> MIME-Version: 1.0 AD> Content-Transfer-Encoding: 7bit AD> Content-Disposition: inline -- Laurent Jumet KeyID: 0xCFAF704C From bht at actrix.gen.nz Wed Sep 28 09:39:22 2005 From: bht at actrix.gen.nz (Bernard) Date: Wed Sep 28 09:37:41 2005 Subject: Q: List format with --with-colons option Message-ID: Hi all I am writing a basic front end with limited gpg functionality. My knowledge of gpg is not great and as a start I need some help with the list format of --list-secret-keys and --list-public-keys. I found that the --with-colons option returns the most details and appears to be more machine readable but I don't know what some fields mean. Where would I find documentation about this? I don't know, for example with --list-secret-keys: sec::1024:17:F27DA7F7725BBB9D:2003-10-23::::myname@actrix.gen.nz (myname@actrix.gen) ::: fpr:::::::::5DDBD04F3450F9E0987211F9F27DA7F7725BBB9D: ssb::1024:16:C589482C95407314:2003-10-23::::::: the meaning of 17 in sec::1024:17 ----------^ and how is the key ID extracted from the output? I just guess that it's the last 8 characters of sec::1024:17:F27DA7F7725BBB9D:2003-10-23::::myname@actrix.gen.nz ---------------------^ Many thanks Bernard My apologies: My ISP uses a white list based SPAM filter so it would be easier to respond to the list because the filter knows gnupg.org but does not know individual users of the list who would be blocked. From alaricd at pengdows.com Wed Sep 28 12:54:22 2005 From: alaricd at pengdows.com (Alaric Dailey) Date: Wed Sep 28 12:55:10 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <433A765E.4020507@pengdows.com> Laurent Jumet wrote: > Hello ! > > Is there a way to check the signature below with GnuPG? > > > > AD> This is a cryptographically signed message in MIME format. > > AD> --===============1956155648== > AD> Content-Type: multipart/signed; > AD> protocol="application/x-pkcs7-signature"; micalg=sha1; > AD> boundary="------------ms010301020309090200000803" > > AD> This is a cryptographically signed message in MIME format. > > AD> --------------ms010301020309090200000803 > AD> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > AD> Content-Transfer-Encoding: 7bit > > > > AD> --------------ms010301020309090200000803 > AD> Content-Type: application/x-pkcs7-signature; name="smime.p7s" > AD> Content-Transfer-Encoding: base64 > AD> Content-Disposition: attachment; filename="smime.p7s" > AD> Content-Description: S/MIME Cryptographic Signature No, this is an S/MIME signature, basically SSL technology for emails. as it appears much cleaner in modern email clients than PGP. But it appears MUCH cleaner than PGP, and and modern email clients validate the signatures automatically, and without additional software. Also using an S/MIME to sign emails means that I can sign ALL my emails and they won't scare the unwashed masses, not to mention I get the additional benefit of using the CA as a "Trusted Introducer". For a basic rundown on S/MIME signatures checkout http://www.cacert.org/help.php?id=2 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3544 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20050928/0ab6a00a/smime.bin From jdbeyer at exit109.com Wed Sep 28 13:45:51 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Wed Sep 28 13:45:53 2005 Subject: Any way to get smaller key sizes? In-Reply-To: <4339F118.2090003@pengdows.com> References: <4339F118.2090003@pengdows.com> Message-ID: <433A826F.9070406@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alaric Dailey wrote: > considering this > > https://www.financialcryptography.com/mt/archives/000551.html > > why would you bother with anything less than 2048 bit keys. > In there, it says, in part: "If so, that means most intelligence agencies can probably already crunch most common key sizes. It still means that the capability is likely limited to intelligence agencies, which is some comfort for many of us, but not of comfort if you happen to live in a country where civil liberties are not well respected and keys and data are considered to be "on loan" to citizens - - you be the judge on that call." The trouble with that is that in such countries, using any encryption will probably call attention to you, even if you are only encrypting grocery lists and dentist's appointments, and the penalties can be severe. No point having encryption so secure that the government will find torture to be a cheaper way of getting the information it feels it needs. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 07:35:00 up 105 days, 1:33, 3 users, load average: 4.37, 4.31, 4.27 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDOoG5Ptu2XpovyZoRAlR6AJsEZhtUMq4M93OYMKhnX6xtLIEABwCeN41L v+nrwGNZqZahei/+vaMYbe4= =URBH -----END PGP SIGNATURE----- From Laurent.Jumet at advalvas.be Wed Sep 28 14:04:12 2005 From: Laurent.Jumet at advalvas.be (Laurent Jumet) Date: Wed Sep 28 14:08:25 2005 Subject: Any way to get smaller key sizes? In-Reply-To: <433A765E.4020507@pengdows.com> Message-ID: Hello ! Alaric Dailey wrote: AD> No, this is an S/MIME signature, basically SSL technology for emails. AD> as it appears much cleaner in modern email clients than PGP. But it AD> appears MUCH cleaner than PGP, and and modern email clients validate AD> the signatures automatically, and without additional software. Also AD> using an S/MIME to sign emails means that I can sign ALL my emails and AD> they won't scare the unwashed masses, not to mention I get the AD> additional benefit of using the CA as a "Trusted Introducer". May I ask with respect, why you came on this echo? :-) -- Laurent Jumet KeyID: 0xCFAF704C From og at pre-secure.de Wed Sep 28 14:10:25 2005 From: og at pre-secure.de (Olaf Gellert) Date: Wed Sep 28 14:18:10 2005 Subject: Any way to get smaller key sizes? In-Reply-To: <433A765E.4020507@pengdows.com> References: <433A765E.4020507@pengdows.com> Message-ID: <433A8831.6090102@pre-secure.de> Alaric Dailey wrote: > No, this is an S/MIME signature, basically SSL technology for emails. as > it appears much cleaner in modern email clients than PGP. But it > appears MUCH cleaner than PGP, and and modern email clients validate the > signatures automatically, and without additional software. Also using > an S/MIME to sign emails means that I can sign ALL my emails and they > won't scare the unwashed masses, not to mention I get the additional > benefit of using the CA as a "Trusted Introducer". Thanks for your unwanted comment. You can verify S/MIME- signatures with gpgsm (a tool with nearly the same command- line interface as gpg). This is the way kmail verifies S/MIME emails. And I have no trouble in using both GPG and S/MIME in Mozilla/Thunderbird. So why vote for less? S/MIME (X.509) and OpenPGP use a different model of trust, so if the S/MIME model fits your needs better, it does not mean that OpenPGP is bad. Getting an S/MIME- certificate that is validated successfully by the normal applications usually requires some money (as you need it to be issued by a trusted CA). If you have special requirements of trust (for example if you want to use X.509 certificates for login), you have to establish your own CA (and end up with your certificates being untrusted by default), so you have different troubles in the X.509 world. As always: The world is not black and white. :-) Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From JBarrett at lyrix.com Wed Sep 28 16:29:40 2005 From: JBarrett at lyrix.com (Jason Barrett) Date: Wed Sep 28 16:35:53 2005 Subject: Any way to get smaller key sizes? Message-ID: Thanks for the responses, all. Good stuff. Alaric wrote: "considering this https://www.financialcryptography.com/mt/archives/000551.html why would you bother with anything less than 2048 bit keys." I'm inclined to agree with you, from a security standpoint. I appreciate you sending this as it gives me some 'ammunition' against colleagues of mine who argue that the additional storage taken up by encrypted data trumps the security of a long cryptography key. But, there are those who feel that way, especially since the encryption is not going to be the weak link in our data security for this product, at least for now. David wrote: Yes, but it's almost impossible to answer this because it's not clear what you're doing. Are you storing the keys or the results? 1024 bit keys with what algorithm? The only key type that is locked to 1024 bits is DSA and that's a signing algorithm, so encryption never comes into the equation. The key that's used for encryption, according to the Handbook, is the El-Gamal sub-key that gets created, along with the DSA signing key, when you invoke 'gpg --gen-key'. The concern is over database storage of the results, not the keys. I could store them outside the database, but I'd rather not as that adds a level of indirection, additional complexity, and another point of failure to the design. The algorithm is whatever is used by 'gpg --encrypt'. In a nutshell, I'm encrypting data entered via a website and storing it in a database for later retrieval and decryption by real-time user programs. I don't want to give up the value that the PGP brand adds to the product, but I can understand that some of my colleagues have concerns about the storage requirements, even though I have done worst-case analyses which indicate that the storage we need is available at minimal cost. I'm willing to address those concerns with some weakening of the public key security, given that there are other mechanisms in place to protect vital data (SSL for one). Thanks again! From jdbeyer at exit109.com Wed Sep 28 17:24:30 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Wed Sep 28 17:24:32 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <433AB5AE.40704@exit109.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Barrett wrote: > In a nutshell, I'm encrypting data entered via a website and storing it > in a database for later retrieval and decryption by real-time user > programs. I don't want to give up the value that the PGP brand adds to > the product, but I can understand that some of my colleagues have > concerns about the storage requirements, even though I have done > worst-case analyses which indicate that the storage we need is available > at minimal cost. I'm willing to address those concerns with some > weakening of the public key security, given that there are other > mechanisms in place to protect vital data (SSL for one). > I had an occasion to work on a large project that management said had to run IBM IMS/DB (hierarchical model) almost 10 years after the relational model came out. We had lots of problems because the transaction handling provided by IMS did not handle transactions as perceived by the users, so if nothing were done, concurrent updates would be a problem. There were to be something like 5000 clerks entering transactions from all over the country. I figured out a way to provide locks for the transactions the users perceived (which involved several database transactions) to solve this. But it required 8 bytes per record. They argued that the disk space required for the locking procedure was excessive, and that the IO cost would cripple the system. I argued that the indices and the rest of the data in the records was so large that no one would notice the 8 bytes, and the locking procedure required only one more IO per transaction. They said that would double the IO cost, but I counted the IOs required and they went up from 19 to 20, or almost 5%. Management was not convinced, so I took it all out of the code. They said the odds against the concurrent update being a problem were a million to one. I calculated it to be far less than that, but that even using their number, we would have a problem every week or two. They ignored me, and the first problem was detected in only a few days. By then it was too late to change anything as there were hundreds of programs relying on the structure of that database and nothing could be changed. They decided to use manual methods to prevent concurrent updates. I got off that project, fortunately, so I do not know how they figured out how to coordinate 5000 employees scattered all around the country by manual methods. In your case, it might be that the encrypted records will actually be shorter than the unencrypted ones, since gpg compresses the things. But for security, it is difficult to imagine a program enhancement applied after sensitive data has been stolen that will get it back, is it not? I feel pretty cynical about corporate management. Perhaps there are well managed corporations, but they must be in the minority. - -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 11:10:00 up 105 days, 5:08, 3 users, load average: 4.46, 4.27, 4.13 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDOrWuPtu2XpovyZoRAiNcAKDUhQPq/zN0D+4fT/SCt0zVi9HF7wCfZf27 6QBQySAWB2t3mmO+Rl3WNuM= =mUjM -----END PGP SIGNATURE----- From zwon at severodvinsk.ru Wed Sep 28 17:38:41 2005 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Wed Sep 28 17:43:33 2005 Subject: Q: List format with --with-colons option In-Reply-To: References: Message-ID: <20050928153841.GA913@sky.schizandra.ru> On Wed, Sep 28, 2005 at 07:39:22PM +1200, Bernard wrote: > I found that the --with-colons option returns the most details and > appears to be more machine readable but I don't know what some fields > mean. > > Where would I find documentation about this? see doc/DETAILS file in source distribution -- Pawel I. Shajdo From lionel at mamane.lu Wed Sep 28 18:26:33 2005 From: lionel at mamane.lu (Lionel Elie Mamane) Date: Wed Sep 28 18:26:32 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <20050928162633.GC20648@tofu.mamane.lu> On Tue, Sep 27, 2005 at 06:21:57PM -0400, Jason Barrett wrote: > I am using GPG for encryption of sensitive information in a > database. Some members of the development team are concerned about > the space taken up by strings encrypted with 1024-bit keys You may want to look into elliptic curves cryptography. It won't be GnuPG anymore, but it will permit you smaller keysizes for same security (as far as we know). I'm not sure there is a patent-free elliptic curves cryptography algorithm, though. -- Lionel From dshaw at jabberwocky.com Wed Sep 28 18:54:06 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Sep 28 18:54:48 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <20050928165406.GA7542@jabberwocky.com> On Wed, Sep 28, 2005 at 10:29:40AM -0400, Jason Barrett wrote: > Yes, but it's almost impossible to answer this because it's not clear > what you're doing. Are you storing the keys or the results? 1024 bit > keys with what algorithm? The only key type that is locked to 1024 > bits is DSA and that's a signing algorithm, so encryption never comes > into the equation. > > The key that's used for encryption, according to the Handbook, is the > El-Gamal sub-key that gets created, along with the DSA signing key, when > you invoke 'gpg --gen-key'. The concern is over database storage of the > results, not the keys. I could store them outside the database, but I'd > rather not as that adds a level of indirection, additional complexity, and > another point of failure to the design. The algorithm is whatever is used > by 'gpg --encrypt'. Well, it's a tiny difference in practice, but you can generate small Elgamal keys by using the --expert flag along with --gen-key. David From sscotti at sscotti.net Wed Sep 28 17:01:26 2005 From: sscotti at sscotti.net (Stephen D. Scotti, M.D.) Date: Wed Sep 28 18:55:57 2005 Subject: Newbie Help Message-ID: <433AB046.6000407@sscotti.net> Hi, Kind of a newbie to gpg. I discovered it while using UBUNTU linux and then went back to windows to see how to implement it there. I've got the Mozilla Enigmail extension and I downloaded the 1.4.2 privacy guard from GNU and installed it. It seems to be partially working in the it will decode incoming mail and import keys, but I am getting an error when I try to send mail with signing or encryption using Open PGP. The output from the screen is here: Any assistance in getting this configure correctly would be helpful Stephen S. sscotti@sscotti.net From linux at codehelp.co.uk Wed Sep 28 19:22:26 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Wed Sep 28 19:21:45 2005 Subject: Newbie Help In-Reply-To: <433AB046.6000407@sscotti.net> References: <433AB046.6000407@sscotti.net> Message-ID: <200509281822.31909.linux@codehelp.co.uk> On Wednesday 28 September 2005 4:01 pm, Stephen D. Scotti, M.D. wrote: > Hi, > > Kind of a newbie to gpg. I discovered it while using UBUNTU linux Did you generate your own key? (with revocation certificate kept safe!) http://www.dcglug.org.uk/linux_doc/startgnupg.html#generate > will decode incoming mail and import keys, but I am getting an error > when I try to send mail with signing or encryption using Open PGP. The > output from the screen is here: Oops. Whatever you intended to do there didn't work. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050928/44711744/attachment.pgp From vedaal at hush.com Wed Sep 28 23:09:49 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Wed Sep 28 23:10:00 2005 Subject: proper syntax for decryption using session key ? Message-ID: <200509282109.j8SL9qcK018603@mailserver3.hushmail.com> have been trying to decrypt a message using the session key, but can't get it to work, (am using gnupg 1.4.2 at the command line) started by encrypting a file to a test key (and also to my default key), saving the file as c:\r\s.txt and decrypting with the option of --show-session-key here is part of the gpg output after decryption: gpg: public key is F0E74948 gpg: using subkey F0E74948 instead of primary key 7B534E2D gpg: public key encrypted data: good DEK gpg: public key is 04ADEE20 gpg: using subkey 04ADEE20 instead of primary key 6A589A97 gpg: encrypted with 4096-bit RSA key, ID 04ADEE20, created 4/26/2001 "vedaal nistar " gpg: encrypted with 1024-bit ELG-E key, ID F0E74948, created 1/15/2002 "boo " gpg: 3DES encrypted data gpg: decryption okay gpg: session key: `2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' here is what i tried to do to decrypt with the session key: first, this one: C:\>gpg --override-session-key string1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt and got this gpg output error message: gpg: public key decryption failed: bad key gpg: decryption failed: secret key not available then i tried each of the following, but got the same error message as above gpg --override-session-key string2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt gpg --override-session-key string`1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' c:\r\s.txt gpg --override-session-key string`2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' c:\r\s.txt then i tried it with a space between the word string and the session key string, like this: (there was no line wrapping in the command line) gpg --override-session-key string `2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' c:\r\s.txt and got the following gpg error message: usage: gpg [options] [filename] and got the same syntax error mesage for each of the variants of the session key string, both with and without the 2 and : in front, and both with and without the ' before and after the string what is the correct syntax to get this to work? TIA, vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From gpg-0 at ml.turing-complete.org Thu Sep 29 00:22:49 2005 From: gpg-0 at ml.turing-complete.org (Nicolas Rachinsky) Date: Thu Sep 29 00:22:51 2005 Subject: proper syntax for decryption using session key ? In-Reply-To: <200509282109.j8SL9qcK018603@mailserver3.hushmail.com> References: <200509282109.j8SL9qcK018603@mailserver3.hushmail.com> Message-ID: <20050928222249.GB20264@mid.pc5.i.0x5.de> * vedaal@hush.com [2005-09-28 14:09 -0700]: > C:\>gpg --override-session-key > string1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt > > gpg --override-session-key > string2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt > > gpg --override-session-key > string`1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' c:\r\s.txt > > gpg --override-session-key > string`2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' > c:\r\s.txt > > gpg --override-session-key string > `2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE' c:\r\s.txt > > and got the same syntax error mesage for each of the variants of > the session key string, both with and without the 2 and : in front, > and both with and without the ' before and after the string > > > what is the correct syntax to get this to work? I would try it without 'string'. Nicolas From vedaal at hush.com Thu Sep 29 00:43:17 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Sep 29 00:43:23 2005 Subject: proper syntax for decryption using session key ? Message-ID: <200509282243.j8SMhLd5029069@mailserver3.hushmail.com> Nicolas Rachinsky wrote Thu Sep 29 00:22:49 CEST 2005 >> what is the correct syntax to get this to work? >I would try it without 'string'. Thanks! that worked, but needed the algorithm identifier before the string (here is the form that worked:) gpg --override-session-key 2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt did earlier gnupg versions need to have the algorithm identifier too, or did it need to be left out ? (have rarely used it and don't remember,) Tia, vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From vedaal at hush.com Thu Sep 29 01:42:06 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Sep 29 01:42:14 2005 Subject: session key curiosity ??? Message-ID: <200509282342.j8SNgA4d034556@mailserver3.hushmail.com> now that have finally gotten decryption with the session key to work ;-), discovered something very curious ... this was the 'good' command with the session key string: gpg --override-session-key 2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt when retyping, i accidentally changed the last character to an F instead of an E and it *still* worked! should this be? or is the last character of the session string also an identifier of some sort, but not really part of the key that was used to encrypt/decrypt? for reference and reproducibility, here is the original encrypted message: -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.2 (MingW32) Comment: Acts of Kindness better the World, and protect the Soul hQEOA9kZp67w50lIEAQAq8301JNDrLFkpxOessXpzJZP/yd7Ejw6nrzPsMiCzSDH sD53TaV2+mz89QkD/L4ZWrBGLetpxJ4hbAZqIYMNnLwRq3Ip3VSNLvG0b+CHuMH4 fBIEnj07JkjZ+zB9VBvSIWePqXiSWDKbNBGcVrWCKnqKnEn1JkZRdfcxbjys7PIE AI4aB6uITbtEUrFTcXLgVUMnVi7qLNQtdg+t9j7BiLJnq4Hoe7g/VV5LzqXuVYsQ FQCEpt4CotgaMWM20GUJvGyvsy1CAhHK4ZeQy8elc2ouHm/H48oUBBEG2343fqAW zcbaaFPWaBIBeAg/ntTxb5HPLTm8nQnHnST0Tar9XKkhhQIMA6yhY/YEre4gARAA kGM+IWtMKipvr2GBzzh9HxdpLKvGv9jRXnv9gRTpiv85v6Iz+eOe5NL6e5L+FaiN 5fMObEMp2MnqMap6FSwPqT9ibDjzO+eGbaWngkXMdkY3FyuRbij1+x8boVVYK1WK sHRmFAiDe5JKFB06h812B75zML72px+wJNuDWTUhtynSrsfJ72kuq1GD3wz0UZSh GcfDzMu7U7DgPqRice31afDQdhbL08TibSxgY9mrTA2cPQakOKRFzwNNywl5/gCb iXoBz1nFMVbXbMSEoVvKy2IyOcVOH9mNL9ZBaeMfW2wFvjAOpWPkuEPyy8SWxhRt pzmIFcDFOew6w9wkewQcqWl0vFHAWx4hdvgB/xRbNMCuJ85ff91mbBV0Z1SzxGrJ YDEH6I9Aum/41aCXDrYE/kkyfgI1pHss2JT95DqL1w0G2uKaO5FPKJxVUZmD3ojk wEV+43YggiQ2GXKgC8PDX5Za+U/08BqqQnxy1UuKtq3RU0yIZ06CevXqhVbtCQre Y5hW5uwhLe3wp8jkSK6avaSs4MvKePO0FAsCRdEAZBWJGohYHZ9w8LfYB5ynbLeA 1SnAYgVTVUDNGw1kEraBIe98qFlGpI77lGxbRK3l/TSDYbCB9JDqREzDVi+tTKW/ Hg5YSb+wKyBfy04iscZVQ3xzN/WTBpJ07q6utaKD0j3SPwHAmF3UB/mPbbOYLIaN MemUCLbrz0x8HpluBRw0V04n8zK5Ip5tU2Dg4UwGcAf76nunrol0WAHVxJ6xZ2RK 9A== =Lxsg try both these session keys on whatever filename you save the message as gpg --override-session-key 2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BF filename gpg --override-session-key 2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE filename tia, vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From johanw at vulcan.xs4all.nl Wed Sep 28 23:00:34 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Sep 29 02:28:13 2005 Subject: Any way to get smaller key sizes? In-Reply-To: Message-ID: <200509282100.j8SL0YIP004353@vulcan.xs4all.nl> Jason Barrett wrote: >I'm inclined to agree with you, from a security standpoint. I appreciate >you sending this as it gives me some 'ammunition' against colleagues of >mine who argue that the additional storage taken up by encrypted data >trumps the security of a long cryptography key. However, GnuPG encrypted files are usually compressed, so they take up even less space. So unless your database is storing diffs, like a versioning database (which won't work when you feed it encrypted files), or you store data that can't be lossless compressed anymore (jpg, xvid), encrypting will even be better in this aspect. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From alphasigmax at gmail.com Wed Sep 28 11:58:30 2005 From: alphasigmax at gmail.com (Alphax) Date: Thu Sep 29 06:26:16 2005 Subject: Any way to get smaller key sizes? In-Reply-To: References: Message-ID: <433A6946.1090803@gmail.com> Laurent Jumet wrote: > Hello ! > > Is there a way to check the signature below with GnuPG? > Possibly with GnuPG 1.9... I did some fiddling with the raw message, if you remove the MIME seperators inserted by mailman and replace them with the MIME lines in the original message (the Content-Type: line), you can make the signature show up (and indeed verify) with Thunderbird. However, the sheer size of the signature (the fact that the entire certificate is included with it) and the breakage that occurs with mailing lists continues to demonstrate the superiority of using OpenPGP :) -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From wk at gnupg.org Thu Sep 29 11:35:08 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 29 11:41:40 2005 Subject: Q: List format with --with-colons option In-Reply-To: (bht@actrix.gen.nz's message of "Wed, 28 Sep 2005 19:39:22 +1200") References: Message-ID: <873bno8beb.fsf@wheatstone.g10code.de> On Wed, 28 Sep 2005 19:39:22 +1200, Bernard said: > I found that the --with-colons option returns the most details and > appears to be more machine readable but I don't know what some fields > mean. See doc/DETAILS. Please also consider using gpgme, this is a far easier way to access gpg. C++, Ada and Java bindings are available. Salam-Shalom, Werner From wk at gnupg.org Thu Sep 29 11:43:51 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Sep 29 11:46:40 2005 Subject: session key curiosity ??? In-Reply-To: <200509282342.j8SNgA4d034556@mailserver3.hushmail.com> (vedaal@hush.com's message of "Wed, 28 Sep 2005 16:42:06 -0700") References: <200509282342.j8SNgA4d034556@mailserver3.hushmail.com> Message-ID: <87y85g6wfc.fsf@wheatstone.g10code.de> On Wed, 28 Sep 2005 16:42:06 -0700, said: > gpg --override-session-key > 2:1568A79A26ABCB75C294AA07AB73C53A7D168F2B898F93BE c:\r\s.txt > when retyping, i accidentally changed the last character to an F > instead of an E > and it *still* worked! > should this be? Yes. With DES only the high 7 bits of a byte are used and the low order bit is use as a parity bit. We don't check that parity bit - it is not required these days where everything is 8-bit clean. This is also the reason why we calculate with 56 or 168 bits when it comes to DES. Shalom-Salam, Werner From timemaster at sillydog.org Fri Sep 30 01:05:08 2005 From: timemaster at sillydog.org (David Vallier) Date: Fri Sep 30 02:26:00 2005 Subject: Ldap Message-ID: <433C7324.1000207@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How does a person request a key from a ldap server? and or tell Gnupg to use the gpgkeys_ldap.exe program? Tried to request a key via Winpt using a ldap server and Gnupg told me off say it couldn't find gpgkeys_ldap.exe. even though it's in the Gnu/Gpg "home" dir and the path is set. Running win me, and Gnupg 1.4.???? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: TANSTAAFL iEYEARECAAYFAkM8cyQACgkQCT6ogSjnGK8STACfaMzJaMuPb8sRlRfrwS9/4Off X+cAoK/IkcZ/E6Z10BHcS3upKjT+Sz4i =/xHG -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Sep 30 07:19:21 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Sep 30 07:20:34 2005 Subject: Newbie Help In-Reply-To: <433AB046.6000407@sscotti.net> References: <433AB046.6000407@sscotti.net> Message-ID: <433CCAD9.6060109@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stephen D. Scotti, M.D. wrote: > Hi, > > Kind of a newbie to gpg. I discovered it while using UBUNTU linux and > then went back to windows to see how to implement it there. I've got > the Mozilla Enigmail extension and I downloaded the 1.4.2 privacy guard > from GNU and installed it. It seems to be partially working in the it > will decode incoming mail and import keys, but I am getting an error > when I try to send mail with signing or encryption using Open PGP. The > output from the screen is here: > > Any assistance in getting this configure correctly would be helpful Did you generate a keypair of your own? Try the Enigmail _Beginners Manual_ the team put together (PDF): http://downloads.mozdev.org/enigmail/docs/beginners-manual.pdf We wrote a step-by-step page for installing GnuPG on Windows. There are a few changes since Werner introduced the binary installer with 1.4.1, but those are minor. It's located at http://enigmail.mozdev.org/gpgconf.html Then check the Enigmail Help page: http://enigmail.mozdev.org/help.html The Enigmail Configuration page, http://enigmail.mozdev.org/configure.html, has information on the various settings and options you'll encounter. Additionally, questions may be sent directly to the Enigmail mailing list, enigmail@mozdev.org. It's moderated to nonsubscribers, but most of us moderating won't leave you hanging for too long. Still, best if you subscribe. Details at http://mozdev.org/mailman/listinfo/enigmail - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3899-2005-09-29 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDPMrYHQSsSmCNKhARAnvHAJ4ottzrJoFhfh0UyHwu73DMNcqqpwCgsL/t AAgUgBuNWkERcl+6z/g6//U= =4K8l -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Sep 30 07:21:07 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Sep 30 07:31:23 2005 Subject: Ldap In-Reply-To: <433C7324.1000207@sillydog.org> References: <433C7324.1000207@sillydog.org> Message-ID: <433CCB43.7050508@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Vallier wrote: > How does a person request a key from a ldap server? and or tell Gnupg > to use the gpgkeys_ldap.exe program? Tried to request a key via Winpt > using a ldap server and Gnupg told me off say it couldn't find > gpgkeys_ldap.exe. even though it's in the Gnu/Gpg "home" dir and the > path is set. > > Running win me, and Gnupg 1.4.???? gpg --keyserver ldap://horowitz.surfnet.nl --recv-key 0x608d2a10 You may also specify the keyserver option in gpg.conf. The first part of the URL; ldap:, hkp:, finger:, http:; tells gpg.exe which helper program to select. Not sure what is meant by 'Gnu/Gpg "home" dir'. HomeDir is a registry entry where GnuPG looks to find an individual user's settings and keyrings (typically %APPDATA%\GnuPG). Beginning with 1.4.1, Windows versions of GnuPG do not use %PATH% to locate the keyserver helpers (gpgkeys_*). From doc\README.W32: "The installation directory of GnuPG is stored in the Registry under the key HKEY_LOCAL_MACHINE\Software\GNU\GnuPG with the name "Install Directory". The installer does not change the PATH environment variable to include this directory. You might want to do this manually. Note, that this registry entry is also used to locate the keyserver helper programs (e.g. gpgkeys_ldap)." Assuming you used the GnuPG installer to install 1.4.2, gpg.exe as well as the packages keyserver helper .EXEs should all be located in %PROGRAMFILES%\Gnu\GnuPG (PROGRAMFILES typically expands to C:\Program Files). - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3-cvs-3899-2005-09-29 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFDPMtCHQSsSmCNKhARAoSGAJ9UMT544TIPmbWEAtj7yaTRWrWOFACfVtsJ PJ6zSvKsukXUb2PNqpgFyqw= =ewVp -----END PGP SIGNATURE----- From cstork at ics.uci.edu Mon Sep 26 19:42:28 2005 From: cstork at ics.uci.edu (Christian Stork) Date: Fri Sep 30 10:56:52 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? In-Reply-To: <20050926172356.GA892@sky.schizandra.ru> References: <20050924164153.GA13078@anthony.ics.uci.edu> <20050926172356.GA892@sky.schizandra.ru> Message-ID: <20050926174228.GA25029@anthony.ics.uci.edu> On Mon, Sep 26, 2005 at 09:23:56PM +0400, Pawel Shajdo wrote: > On Sat, Sep 24, 2005 at 09:41:53AM -0700, Christian Stork wrote: > > gpg: uncompressing failed: unknown compress algorithm > > gpg: WARNING: message was not integrity protected > > I'd be happy to provide more details if that is needed. > What show gpg --version ? The --version output of the encrypting GnuPG (my oringinal 1.2.1 claim was wrong): gpg (GnuPG) 1.2.5 Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256 Compression: Uncompressed, ZIP, ZLIB, BZIP2 And I updated my decrypting gpg to 1.4.2 in the meantime: gpg (GnuPG) 1.4.2 Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Unfortunately the problems persist. -- Chris Stork <> Support eff.org! <> http://www.ics.uci.edu/~cstork/ OpenPGP fingerprint: B08B 602C C806 C492 D069 021E 41F3 8C8D 50F9 CA2F From cstork at ics.uci.edu Tue Sep 27 14:51:58 2005 From: cstork at ics.uci.edu (Christian Stork) Date: Fri Sep 30 10:56:58 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? In-Reply-To: <20050924164153.GA13078@anthony.ics.uci.edu> References: <20050924164153.GA13078@anthony.ics.uci.edu> Message-ID: <20050927125158.GB10699@anthony.ics.uci.edu> As requested: $ gpg-1.4.2 -vv mail.asc gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: GnuPG v1.2.5 (GNU/Linux) :pubkey enc packet: version 3, algo 16, keyid 4AA7E00CB0BE33B2 data: [3070 bits] data: [3071 bits] gpg: public key is B0BE33B2 gpg: using subkey B0BE33B2 instead of primary key 50F9CA2F You need a passphrase to unlock the secret key for user: "Christian H. Stork (University) " gpg: using subkey B0BE33B2 instead of primary key 50F9CA2F 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 (main key ID 50F9CA2F) gpg: public key encrypted data: good DEK :pubkey enc packet: version 3, algo 16, keyid 110C58544A12AF6D data: [2048 bits] data: [2046 bits] gpg: public key is 4A12AF6D :encrypted data packet: length: unknown gpg: using subkey 4A12AF6D instead of primary key 6A6DDB60 gpg: encrypted with 2048-bit ELG-E key, ID 4A12AF6D, created 2001-12-14 "Marc-Andre Lemburg " gpg: encrypted with 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 "Christian H. Stork (University) " gpg: CAST5 encrypted data :compressed packet: algo=121 gpg: uncompressing failed: unknown compress algorithm gpg: decryption okay gpg: WARNING: message was not integrity protected So, what's algo 121 ? -- Chris Stork <> Support eff.org! <> http://www.ics.uci.edu/~cstork/ OpenPGP fingerprint: B08B 602C C806 C492 D069 021E 41F3 8C8D 50F9 CA2F From liquidlunch2k2 at yahoo.com Thu Sep 29 20:59:44 2005 From: liquidlunch2k2 at yahoo.com (bob bobby) Date: Fri Sep 30 10:57:03 2005 Subject: Compilation errors... Message-ID: <20050929185944.54573.qmail@web54610.mail.yahoo.com> Hello, I'm trying to install gnupg-1.9.17 on my Debian spar64 workstation. After several issues (that I managed to resolve ony my own), I am now faced with a showstopper. Here is it is black'n'white: mylinux:/opt/gnupg-1.9.17/agent# make source='call-scd.c' object='call-scd.o' libtool=no \ DEPDIR=.deps depmode=gcc /bin/sh ../scripts/depcomp \ gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../gl -I../common -I../intl -DLOCALEDIR=\"/usr/local/share/locale\" -DGNUPG_BINDIR="\"/usr/local/bin\"" -DGNUPG_LIBEXECDIR="\"/usr/local/libexec\"" -DGNUPG_LIBDIR="\"/usr/local/lib/gnupg\"" -DGNUPG_DATADIR="\"/usr/local/share/gnupg\"" -I/usr/include -g -O2 -Wall -c call-scd.c In file included from call-scd.c:34: /usr/include/pth.h:341: warning: `_XOPEN_SOURCE' redefined /usr/include/features.h:133: warning: this is the location of the previous definition call-scd.c: In function `agent_scd_check_aliveness': call-scd.c:409: warning: implicit declaration of function `assuan_set_flag' call-scd.c:409: `ASSUAN_NO_WAITPID' undeclared (first use in this function) call-scd.c:409: (Each undeclared identifier is reported only once call-scd.c:409: for each function it appears in.) make: *** [call-scd.o] Error 1 `ASSUAN_NO_WAITPID' is undeclared. Am I comipiling this thing wrong, or do I need to tweak the "call-scd.c" file to make this work? (My C/C++ skills are limited, but I'm not afraid of any learning curve.) If someone has seen this before, and knows how to go about correcting this problem, I would appreciate any help you can offer. Thanks, Bob __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com From alphasigmax at gmail.com Fri Sep 30 12:06:34 2005 From: alphasigmax at gmail.com (Alphax) Date: Fri Sep 30 12:09:08 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? In-Reply-To: <20050927125158.GB10699@anthony.ics.uci.edu> References: <20050924164153.GA13078@anthony.ics.uci.edu> <20050927125158.GB10699@anthony.ics.uci.edu> Message-ID: <433D0E2A.2070504@gmail.com> Christian Stork wrote: > As requested: > > So, what's algo 121 ? > According to http://www.ietf.org/rfc/rfc2440.txt, it doesn't exist. The message is probably corrupt. -- Alphax | /"\ Encrypted Email Preferred | \ / ASCII Ribbon Campaign OpenPGP key ID: 0xF874C613 | X Against HTML email & vCards http://tinyurl.com/cc9up | / \ From lusfert at gmail.com Fri Sep 30 15:24:22 2005 From: lusfert at gmail.com (lusfert) Date: Fri Sep 30 15:28:50 2005 Subject: Can't check message signature Message-ID: <433D3C86.8020007@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello. Recently I submitted my key to PGP Global Directory and received a verification request. I can't check it't signature, I see the following: OpenPGP Security Info Unverified signature gpg command line and output: C:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --verbose --batch - - - --no-tty --status-fd 2 --verify gpg: armor header: Hash: SHA1 gpg: original file name='' gpg: armor header: Version: PGP Universal 2.0.3 gpg: Signature made 09/29/05 19:40:01 using RSA key ID CA57AD7C gpg: WARNING: signature digest conflict in message gpg: Can't check signature: general error What may be a problem? GnuPG 1.4.2, Windows XP SP2, Enigmail 0.92.1.0 - -- Current OpenPGP key ID: 0x500B8987 Fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Keyserver to use: sks.keyserver.penguin.de Encrypted mail preferred. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDPTyAnjU7VlALiYcRA7O5AKC1tovmDY+eIyQoS6AffJI4bZRPjwCeKpob UuyDPqW8WNqj3SgVcd53Crk= =0pX/ -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Sep 30 15:46:02 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Sep 30 15:46:44 2005 Subject: Can't check message signature In-Reply-To: <433D3C86.8020007@gmail.com> References: <433D3C86.8020007@gmail.com> Message-ID: <20050930134602.GC11013@jabberwocky.com> On Fri, Sep 30, 2005 at 05:24:22PM +0400, lusfert wrote: > Hello. > > Recently I submitted my key to PGP Global Directory and received a > verification request. I can't check it't signature, I see the following: > > OpenPGP Security Info > > Unverified signature > > gpg command line and output: > C:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --verbose --batch > - - --no-tty --status-fd 2 --verify > gpg: armor header: Hash: SHA1 > gpg: original file name='' > gpg: armor header: Version: PGP Universal 2.0.3 > gpg: Signature made 09/29/05 19:40:01 using RSA key ID CA57AD7C > gpg: WARNING: signature digest conflict in message > gpg: Can't check signature: general error Interesting. This means that the signature is malformed in a particular way. If there is nothing private in it, could you send me the message off-list? David From cstork at ics.uci.edu Fri Sep 30 16:39:13 2005 From: cstork at ics.uci.edu (Christian Stork) Date: Fri Sep 30 16:39:27 2005 Subject: Incompatibility between GnuPG 1.2 and 1.4? In-Reply-To: <433D0E2A.2070504@gmail.com> References: <20050924164153.GA13078@anthony.ics.uci.edu> <20050927125158.GB10699@anthony.ics.uci.edu> <433D0E2A.2070504@gmail.com> Message-ID: <20050930143912.GA17790@anthony.ics.uci.edu> On Fri, Sep 30, 2005 at 07:36:34PM +0930, Alphax wrote: > Christian Stork wrote: > > As requested: > > > So, what's algo 121 ? > According to http://www.ietf.org/rfc/rfc2440.txt, it doesn't exist. The > message is probably corrupt. But it this happens to all the messages I get from him (by now 6 or so) and why then does gpg 1.2 decrypt the same message without problems. I have gpg 1.2.4 installed on my Mac and it produces the following output on the _identical_ message: $ gpg-1.2.4 mal1.asc gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: GnuPG v1.2.5 (GNU/Linux) :pubkey enc packet: version 3, algo 16, keyid 4AA7E00CB0BE33B2 data: [3070 bits] data: [3071 bits] gpg: public key is B0BE33B2 gpg: using secondary key B0BE33B2 instead of primary key 50F9CA2F You need a passphrase to unlock the secret key for user: "Christian H. Stork (University) " gpg: using secondary key B0BE33B2 instead of primary key 50F9CA2F 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 (main key ID 50F9CA2F) gpg: public key encrypted data: good DEK :pubkey enc packet: version 3, algo 16, keyid 110C58544A12AF6D data: [2048 bits] data: [2046 bits] gpg: public key is 4A12AF6D :encrypted data packet: length: unknown gpg: using secondary key 4A12AF6D instead of primary key 6A6DDB60 gpg: encrypted with 2048-bit ELG-E key, ID 4A12AF6D, created 2001-12-14 "Marc-Andre Lemburg " gpg: encrypted with 3072-bit ELG-E key, ID B0BE33B2, created 1999-10-02 "Christian H. Stork (University) " gpg: CAST5 encrypted data :compressed packet: algo=1 :literal data packet: mode b, created 1127158105, name="", raw data: 0 bytes gpg: original file name='' :signature packet: algo 17, keyid F37A79CD6A6DDB60 version 3, created 1127158105, md5len 5, sigclass 00 digest algo 2, begin of digest 4f 9d data: [158 bits] data: [160 bits] gpg: old style (PGP 2.x) signature gpg: Signature made Mon Sep 19 12:28:25 2005 PDT using DSA key ID 6A6DDB60 gpg: Good signature from "Marc-Andre Lemburg " gpg: aka "Marc-Andre Lemburg " gpg: key 50F9CA2F: accepted as trusted key gpg: key C3D4D9D4: accepted as trusted key gpg: key DC8492FA: accepted as trusted key gpg: key 61F2C6B1: accepted as trusted key gpg: key EAB24878: accepted as trusted key gpg: key C9A2607F: accepted as trusted key gpg: key 6D2033CA: accepted as trusted key gpg: key 65EB1001: accepted as trusted key gpg: binary signature, digest algorithm SHA1 gpg: decryption okay gpg: WARNING: message was not integrity protected So in contrast to gpg 1.4 this gpg 1.2.4 identifies the compression algo as 1 and decrypts just fine. Could there still be an integrity problem as the warning at the end suggests? -- Chris Stork <> Support eff.org! <> http://www.ics.uci.edu/~cstork/ OpenPGP fingerprint: B08B 602C C806 C492 D069 021E 41F3 8C8D 50F9 CA2F From wk at gnupg.org Fri Sep 30 19:11:41 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Sep 30 19:16:42 2005 Subject: Compilation errors... In-Reply-To: <20050929185944.54573.qmail@web54610.mail.yahoo.com> (bob bobby's message of "Thu, 29 Sep 2005 11:59:44 -0700 (PDT)") References: <20050929185944.54573.qmail@web54610.mail.yahoo.com> Message-ID: <87ll1e32gi.fsf@wheatstone.g10code.de> On Thu, 29 Sep 2005 11:59:44 -0700 (PDT), bob bobby said: > `ASSUAN_NO_WAITPID' is undeclared. Am I comipiling > this thing wrong, or do I need to tweak the You need to update the libassuan development package. You need version 0.6.10 which is the latest released on. You should also get a newer gnupg1.9 tarball: The current one is 1.9.19. Shalom-Salam, Werner From lusfert at gmail.com Fri Sep 30 20:44:34 2005 From: lusfert at gmail.com (lusfert) Date: Fri Sep 30 20:48:52 2005 Subject: Can't check message signature In-Reply-To: <20050930134602.GC11013@jabberwocky.com> References: <433D3C86.8020007@gmail.com> <20050930134602.GC11013@jabberwocky.com> Message-ID: <433D8792.90306@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 David Shaw wrote: > On Fri, Sep 30, 2005 at 05:24:22PM +0400, lusfert wrote: > >>Hello. >> >>Recently I submitted my key to PGP Global Directory and received a >>verification request. I can't check it't signature, I see the following: >> >>OpenPGP Security Info >> >>Unverified signature >> >>gpg command line and output: >>C:\\Program Files\\GNU\\GnuPG\\gpg.exe --charset utf8 --verbose --batch >>- - --no-tty --status-fd 2 --verify >>gpg: armor header: Hash: SHA1 >>gpg: original file name='' >>gpg: armor header: Version: PGP Universal 2.0.3 >>gpg: Signature made 09/29/05 19:40:01 using RSA key ID CA57AD7C >>gpg: WARNING: signature digest conflict in message >>gpg: Can't check signature: general error > > > Interesting. This means that the signature is malformed in a > particular way. If there is nothing private in it, could you send me > the message off-list? I receive message ([PGP Global Directory] Verify Your Key) with such "unverified signature" each time after submitting a key to PGP Global Directory. What is "the message off-list"? Regards - -- Current OpenPGP key ID: 0x500B8987 Fingerprint: E883 045D 36FB 8CA3 8D69 9C79 9E35 3B56 500B 8987 Keyserver to use: sks.keyserver.penguin.de Encrypted mail preferred. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iD8DBQFDPYeNnjU7VlALiYcRAwtTAJ44m9jQilLRh0SsyQgUHtfk5Y1vBwCgicon feDu0RbQiETpmPOGGuibacw= =h/ut -----END PGP SIGNATURE-----