From pehr at alumni.utexas.net Thu Jun 1 00:32:17 2006
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Thu Jun 1 02:26:00 2006
Subject: GPGFiletool does not find all keys in my keychain
Message-ID:

I am trying to use the GPGFiletool on Mac OS X to encrypt a file for a particular recipient. However, it does not show that person as being available. Other tools, e.g., GPG in the terminal window, or the GPG Mail plug in, have the recipient's key. Why does GPGFiletool not find it?

From alphasigmax at gmail.com Thu Jun 1 05:08:33 2006
From: alphasigmax at gmail.com (Alphax)
Date: Thu Jun 1 05:09:18 2006
Subject: GPGFiletool does not find all keys in my keychain
In-Reply-To:
References:
Message-ID: <447E5A31.3040709@gmail.com>

Pehr Jansson wrote:
> I am trying to use the GPGFiletool on Mac OS X to encrypt a file for a
> particular recipient. However, it does not show that person as being
> available. Other tools, e.g., GPG in the terminal window, or the GPG
> Mail plug in, have the recipient's key. Why does GPGFiletool not find it?
>

Is the key trusted?

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From alphasigmax at gmail.com Thu Jun 1 05:12:21 2006
From: alphasigmax at gmail.com (Alphax)
Date: Thu Jun 1 05:13:11 2006
Subject: GnuPG asks for confirmation...
In-Reply-To:
References:
Message-ID: <447E5B15.6010107@gmail.com>

From alphasigmax at gmail.com Thu Jun 1 07:15:48 2006
From: alphasigmax at gmail.com (Alphax)
Date: Thu Jun 1 07:16:31 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <447E5B15.6010107@gmail.com>
References: <447E5B15.6010107@gmail.com>
Message-ID: <447E7804.1050005@gmail.com>

Alphax wrote:
> Laurent Jumet wrote:
>> Hello !
>>
>> Charly Avital wrote:
>>
>>> This is a bit strange.
>>
>> You mean that you cannot read compressed (not crypted) messages.
>>
>>
>
> eg. a message produced with gpg -a -s?
>

Sorry, I should also have pointed out that this was using BZIP2 for the compression algorithm. What does gpg --with-colons --list-config (or gpg --version) give you?

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From pehr at alumni.utexas.net Thu Jun 1 06:54:29 2006
From: pehr at alumni.utexas.net (Pehr Jansson)
Date: Thu Jun 1 07:55:53 2006
Subject: GPGFiletool does not find all keys in my keychain
In-Reply-To: <447E5A31.3040709@gmail.com>
References: <447E5A31.3040709@gmail.com>
Message-ID: <22BF2A5C-1415-4E93-93AC-B7999F3C2CE6@alumni.utexas.net>

I did figure out that the problem was that the key was not yet trusted. Once I signed the key, it appeared in GPGFT.

On May 31, 2006, at 10:08 PM, Alphax wrote:

> Pehr Jansson wrote:
>> I am trying to use the GPGFiletool on Mac OS X to encrypt a file for a
>> particular recipient. However, it does not show that person as being
>> available. Other tools, e.g., GPG in the terminal window, or the GPG
>> Mail plug in, have the recipient's key. Why does GPGFiletool not find it?
>>
>
> Is the key trusted?
>
> --
> Alphax
> Death to all fanatics!
> Down with categorical imperative!
> OpenPGP key: http://tinyurl.com/lvq4g
>

From Laurent.Jumet at advalvas.be Thu Jun 1 09:20:09 2006
From: Laurent.Jumet at advalvas.be (Laurent Jumet)
Date: Thu Jun 1 09:22:32 2006
Subject: GnuPG asks for confirmation...
In-Reply-To:
Message-ID:

From Laurent.Jumet at advalvas.be Thu Jun 1 08:51:04 2006
From: Laurent.Jumet at advalvas.be (Laurent Jumet)
Date: Thu Jun 1 09:22:38 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <447E5B15.6010107@gmail.com>
Message-ID:

From Laurent.Jumet at advalvas.be Thu Jun 1 08:57:36 2006
From: Laurent.Jumet at advalvas.be (Laurent Jumet)
Date: Thu Jun 1 09:22:47 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <447E7804.1050005@gmail.com>
Message-ID:

From alex at bofh.net.pl Thu Jun 1 11:27:10 2006
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Thu Jun 1 11:26:40 2006
Subject: Signing vs. encrypting was: Cipher v public key.
In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C02B611AF@KASHMIR.extenza-turpin.com>
References: <5155685DF4FC004297C9F5D769CBF51C02B611AF@KASHMIR.extenza-turpin.com>
Message-ID: <20060601092710.GE4129@hell.pl>

On Wed, May 31, 2006 at 01:59:37PM +0100, David Gray wrote:

> Will suggest to the customer that we use signed & encrypted
> transmissions. The only Issue we then have is that they wish to be
> custodians of the private key,

There is no need for them, from the cryptography point of view.
Using public-key crypto they can send you encrypted stuff and you can send them encrypted stuff and the second party can decrypt what they are sent without knowing the sender's secret key - that's what pubkey crypto is for.

If they want to be sure that they can decrypt everything, the encrypted data should be encrypted to both recipients' pubkeys (that's perfectly possible using GPG/PGP).

> they are Looking into commercial methods for secure key
> distribution.

direct them to commercial solutions for quantum cryptography :->

> The other issue is the IT manager at the customer site is wary of Gnu
> software and is
> Going to look at commercial offering, PGP I assume. Apart from the lack
> Of cost are there any other good reason I can give for using GPG?

gpg integrates better with automation and I really doubt that there is current, supported PGP for anything else than windows and mac.

Alex

From tmz at pobox.com Thu Jun 1 11:46:48 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Thu Jun 1 11:47:36 2006
Subject: Signing vs. encrypting was: Cipher v public key.
In-Reply-To: <20060601092710.GE4129@hell.pl>
References: <5155685DF4FC004297C9F5D769CBF51C02B611AF@KASHMIR.extenza-turpin.com> <20060601092710.GE4129@hell.pl>
Message-ID: <20060601094648.GE10720@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Janusz A. Urbanowicz wrote:
> gpg integrates better with automation and I really doubt that there is
> current, supported PGP for anything else than windows and mac.

While I prefer gnupg to pgp myself, I did just happen to see a reference to pgp command line today.
Here are the platforms it supports:

* Windows 2003
* Windows XP SP1
* Windows 2000 SP4
* HP-UX 11i or above (PA-RISC only)
* IBM AIX 5.2 or above
* Red Hat Enterprise Linux 3.0 or above (x86 only)
* Solaris 8 or above (SPARC only)
* Mac OS X 10.3 or above

http://download.pgp.com/products/pdfs/PGP_CL902_DS_050825_F.pdf

Not a terribly small list, except when compared to what gnupg will run on. :)

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
The man who is a pessimist before forty-eight knows too much; the man who is an optimist after forty-eight knows too little.
    -- Mark Twain

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkR+t4gmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1pPxgCg+sDnINDLpwKXpLkqVpXEEDV4CmcAoOlQxtEo
YKcINHqaop0I87a/Iy82
=jdsS
-----END PGP SIGNATURE-----

From laurent.jumet at skynet.be Thu Jun 1 10:44:27 2006
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu Jun 1 12:26:01 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <447EA522.8080806@radde.name>
Message-ID:

Hello !

Sven Radde wrote:

>>> But this is logical, isn't it?
>>> You don't trust a key (what's there to trust?). You trust the fact that
>>> *a certain key belongs to a certain user-id* and if new ids are added,
>>> you would have to think again if the owner of the key actually owns that
>>> id.
>>>
>> Of course, he owns.
>> It's impossible to add or revoke a UserID without the SecretKey.
>> No matter if I add an UserID to my Key: it's the same Key.

> Trust is not about owning the key. It is about owning the *user-id* and
> in particular linking a user-id (= a real person) to a key.

> In other words: Who would prevent you from adding "sven@radde.name" as a
> user-id to your key? (Or, creating a new key with that user-id.)
> Still, as nobody would believe that my email-address belongs to your key
> (i.e. that new user-id on your key is not trusted by anyone), my emails
> would not get encrypted to your key. People would approach me (my
> user-id) for verification of the key's fingerprint and I could deny that
> the key belongs to me / my user-id.

You are right.
But what I noticed is this:
Let's suppose your Key has 4 UserID's and all fully trusted.
You add one UserID more "Winston Churchill".
All 4 previous UserID's are compromised too, at the moment you added another one.
That's what *I think* I noticed.

--
Laurent Jumet
KeyID: 0xCFAF704C

From vedaal at hush.com Thu Jun 1 17:33:14 2006
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Jun 1 17:32:19 2006
Subject: Signing vs. encrypting was: Cipher v public key
Message-ID: <20060601153315.15370DA820@mailserver8.hushmail.com>

Todd Zullinger tmz at pobox.com wrote on
Thu Jun 1 11:46:48 CEST 2006 :

> While I prefer gnupg to pgp myself, I did just happen to see a
> reference to pgp command line today

the cost is *astronomical*

have played around with it when it was released as a free
command line pgp 8.5 beta

has a few features unique to pgp,
which may or may not be of interest to the customers:

- ADK's

- split-key / shared-key capability
(this happens to be nice and useful
any chance for a 'feature request' :-) ? )

- platform-specific self-decrypting archives,
(a windows user can make an sda specifically for a mac or linux user,
but not an sda that works on both)
(this was added in 9.x)

other than that,
it is a very unforgiving and difficult command line to use,
radically different from 6.5.8 or 2.x

it is set up for 'no prompting'
so unless all the options are anticipated and entered in the original command,
it won't work

would absolutely *NOT* recommend it,
unless someone _must_ use a CLI with ADK capability

vedaal
From webdevlasvegas at yahoo.com Thu Jun 1 23:59:38 2006
From: webdevlasvegas at yahoo.com (webdevlv)
Date: Fri Jun 2 00:17:14 2006
Subject: Cannot decrypt this file for the life of me
Message-ID: <4670580.post@talk.nabble.com>

I am a complete newbie to GPG so bear with me. I have a gpg encrypted file and two .asc files... file_sec.asc and file.asc (public and secret key? I have no clue what the terminology is). I also have a passphrase that needs to be used.

I have been trying to get something on my windows machine running for the past 3 days to try to get this file decrypted. I have installed gnupg (and added the location to gpg.exe in the PATH variable). I have also installed gpgshell and gpg4win, which includes winpt, and have tried absolutely every combination and permutation of key import, decrypt, etc, etc.

Plain and simple, I just need a file decrypted. Do you know of a tutorial or an easy procedure for this? Your help with this issue is GREATLY appreciated.

--
View this message in context: http://www.nabble.com/Cannot+decrypt+this+file+for+the+life+of+me-t1719517.html#a4670580
Sent from the GnuPG - User forum at Nabble.com.

From engage at n0sq.us Fri Jun 2 03:38:30 2006
From: engage at n0sq.us (engage)
Date: Fri Jun 2 03:38:19 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <447E5B15.6010107@gmail.com>
References: <447E5B15.6010107@gmail.com>
Message-ID: <200606011938.31273.engage@n0sq.us>

Why is someone sending an encrypted message to this list?
On Wednesday 31 May 2006 09:12 pm, Alphax wrote:

From tmz at pobox.com Fri Jun 2 04:59:54 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri Jun 2 05:11:13 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <200606011938.31273.engage@n0sq.us>
References: <447E5B15.6010107@gmail.com> <200606011938.31273.engage@n0sq.us>
Message-ID: <20060602025954.GA3390@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

engage wrote:
> Why is someone sending an encrypted message to this list?

It's not encrypted. It's just signed and armored.

Doesn't your mail client automatically display this for you?
- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Democracy means simply the bludgeoning of the people by the people for the people.
    -- Oscar Wilde "The Soul of Man Under Socialism", 1895

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkR/qakmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1oekQCfSYXbEkj/XMGYx7YrSkEQVDIH3qcAoNoVNE3e
Nhq4mlux61kMHghjPP1J
=flz7
-----END PGP SIGNATURE-----

From z.himsel at gmail.com Fri Jun 2 05:27:49 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Fri Jun 2 07:26:06 2006
Subject: Gnupg-users Digest, Vol 33, Issue 2
In-Reply-To: <447facbb.4884fcd8.2381.ffffd96fSMTPIN_ADDED@mx.gmail.com>
References: <447facbb.4884fcd8.2381.ffffd96fSMTPIN_ADDED@mx.gmail.com>
Message-ID: <447FB035.7060702@gmail.com>

Hello, All!
I use Thunderbird with Enigmail. For some reason, enigmail will not sign and/or encrypt my messages (even when I manually click encrypt). My keys work fine, and I can decrypt and verify already encrypted and signed messages, but I can't do it myself. I have to manually sign the message with gnupg. I've used TB and enigmail previously, and it worked then. Does anyone have this problem or know of a solution?

From shavital at mac.com Fri Jun 2 07:40:09 2006
From: shavital at mac.com (Charly Avital)
Date: Fri Jun 2 07:39:07 2006
Subject: Cannot decrypt this file for the life of me
In-Reply-To: <4670580.post@talk.nabble.com>
References: <4670580.post@talk.nabble.com>
Message-ID: <447FCF39.3070001@mac.com>

Who encrypted the file, for whom, using what system?
Is it a text e-mail, or a stand-alone file?
If it is an encrypted text e-mail, can you post the actual encrypted file?
If not, can you URL a location where the actual file could be viewed?
I am not familiar with your system (I am a Mac user); extension .asc applies usually to a plain text in ASCII format, that can be opened with a text editor.

The two files you mention might be, as you indicate, your public and secret keys (your key pair).

If you open the file 'file.asc' with a text editor, what are the headers and the footers? Is it something like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

-----END PGP PUBLIC KEY BLOCK-----

If it is so, then that's your public key block, and the other one 'file_sec.asc' is your secret key block. You should be very careful with the latter, store it in a safe place, and *never* post it or publish it in any way whatsoever.

You don't mention where those two files are located in your system. They are your key pair (secret+public key). Do you know (can you see) the contents of your keyring? That's where your keys are stored. Public keys, yours and other people, are stored in the public keyring, secret key or keys (yours only) are stored in the secret key ring.

Charly

webdevlv wrote the following on 6/1/06 5:59 PM:
[...]
> --
> View this message in context: http://www.nabble.com/Cannot+decrypt+this+file+for+the+life+of+me-t1719517.html#a4670580
> Sent from the GnuPG - User forum at Nabble.com.

From laurent.jumet at skynet.be Fri Jun 2 08:41:02 2006
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Fri Jun 2 08:48:35 2006
Subject: Headers on this echo...
Message-ID:

Hello !

Why the Headers on this echo are not correct?
Messages come with this

Sender: gnupg-users-bounces@gnupg.org

and it should be of course "gnupg-users@gnupg.org"

And there is no "Reply-To: gnupg-users@gnupg.org" Header.

--
Laurent Jumet
KeyID: 0xCFAF704C

From tmz at pobox.com Fri Jun 2 09:36:16 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri Jun 2 09:35:47 2006
Subject: Headers on this echo...
In-Reply-To:
References:
Message-ID: <20060602073616.GC3390@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Laurent,

Laurent Jumet wrote:
> Why the Headers on this echo are not correct?

You'll have to provide some proof that they are incorrect. What defines "correct" headers? :)

> Messages come with this
>
> Sender: gnupg-users-bounces@gnupg.org
>
> and it should be of course "gnupg-users@gnupg.org"

This is the way Mailman sends mail. Sender is set to use $listname-bounces@$domain because there are broken MTA's that will send bounces back to Sender, rather than to the address in the Errors-To or Return-Path headers.

This may be changed in a future version of mailman, as the number of broken MTA's is diminishing and the number of MUA's that display things like "on behalf of" when the Sender header differs from the
- From header is increasing.

See this recent thread on the mailman-users list for more discussion and links to relevant RFC's:

http://www.mail-archive.com/mailman-users@python.org/msg38403.html

> And there is no "Reply-To: gnupg-users@gnupg.org" Header.

See Mailman FAQ 3.48. 'What about setting a "Reply-To:" header for the list?' for discussion of why many lists do not add a reply-to header and why the Mailman default is to not set this to the list address.

http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq03.048.htp

Your MUA should be able to handle this. Mutt does quite well without the reply-to header pointing to the list. Submit a feature request to the developers of your MUA if it's missing a list reply function.

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
It was probably drugs more than anything else that made me a Libertarian.
    -- John Gilmore

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
iG0EARECAC0FAkR/6nAmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1pfnwCfU0nD1m//OvPGGpHsHyqpHkTs0zAAn3eAPj9h
CUdFAqF5vKLlwCQc6Bze
=98UM
-----END PGP SIGNATURE-----

From gnupg at raphael.poss.name Fri Jun 2 11:59:56 2006
From: gnupg at raphael.poss.name (Raphaël Poss)
Date: Fri Jun 2 11:59:07 2006
Subject: Cannot decrypt this file for the life of me
In-Reply-To: <4670580.post@talk.nabble.com>
References: <4670580.post@talk.nabble.com>
Message-ID: <44800C1C.4000709@raphael.poss.name>

webdevlv wrote:
> I am a complete newbie to GPG so bear with me. I have a gpg encrypted file and
> two .asc files... file_sec.asc and file.asc (public and secret key? I have
> no clue what the terminology is). I also have a passphrase that needs to be
> used.

Ok, I understand your issue.

The bits you have are:
- the encrypted file (I assume it's file.gpg)
- the secret key (file_sec.asc)
- the public key (file.asc)
- the password to use the secret key.

What you must do:

1. import the keys into your key ring ("gpg --import file_sec.asc" on the command line)

2. decrypt the file using the passphrase ("gpg file.gpg" on the command line)

--
Raphael

From alex at bofh.net.pl Fri Jun 2 13:37:41 2006
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Fri Jun 2 13:36:51 2006
Subject: Signing vs.
encrypting was: Cipher v public key
In-Reply-To: <20060601153315.15370DA820@mailserver8.hushmail.com>
References: <20060601153315.15370DA820@mailserver8.hushmail.com>
Message-ID: <20060602113741.GH4129@hell.pl>

On Thu, Jun 01, 2006 at 11:33:14AM -0400, vedaal@hush.com wrote:
> Todd Zullinger tmz at pobox.com wrote on
> Thu Jun 1 11:46:48 CEST 2006 :
>
> > While I prefer gnupg to pgp myself, I did just happen to see a
> > reference to pgp command line today
>
> the cost is *astronomical*
>
> have played around with it when it was released as a free
> command line pgp 8.5 beta
>
> has a few features unique to pgp,
> which may or may not be of interest to the customers:
>
> - ADK's

This may be somewhat emulated with GPG (mandated encrypt-to)

> - split-key / shared-key capability
> (this happens to be nice and useful
> any chance for a 'feature request' :-) ? )

I once thought of implementing this over gpg -- but it is nontrivial to do it right and really it is a specialized application somewhat requiring a dedicated machine trusted by all the untrusting parties, to operate.

Alex

From broonie at sirena.org.uk Fri Jun 2 13:08:50 2006
From: broonie at sirena.org.uk (Mark Brown)
Date: Fri Jun 2 14:56:35 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <20060602025954.GA3390@psilocybe.teonanacatl.org>
References: <447E5B15.6010107@gmail.com> <200606011938.31273.engage@n0sq.us> <20060602025954.GA3390@psilocybe.teonanacatl.org>
Message-ID: <20060602110849.GA20010@sirena.org.uk>

On Thu, Jun 01, 2006 at 10:59:54PM -0400, Todd Zullinger wrote:
> engage wrote:

> > Why is someone sending an encrypted message to this list?

> It's not encrypted. It's just signed and armored.

> Doesn't your mail client automatically display this for you?

Many mail clients will assume that any GPG message is encrypted and prompt for a passphrase prior to invoking GPG.

--
"You grabbed my hand and we fell into it, like a daydream - or a fever."
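
[Added example, not part of the thread or of GnuPG: the difference discussed above between a signed, compressed and armored message and an encrypted one can be read from the first OpenPGP packet header, so a front end can decide whether a passphrase prompt is needed before it invokes gpg. The function names and the two sample messages are constructed for illustration; packet tags and header layout follow RFC 4880.]

```python
import base64
import binascii

# Packet tags from RFC 4880, section 4.3 (those that can open a message).
PACKET_TAGS = {
    1: "public-key encrypted session key",
    2: "signature",
    3: "symmetric-key encrypted session key",
    4: "one-pass signature",
    8: "compressed data",
    9: "symmetrically encrypted data",
    11: "literal data",
    18: "encrypted and integrity-protected data",
}
ENCRYPTED_TAGS = {1, 3, 9, 18}  # reading these needs a secret key or passphrase
COMPRESSION_ALGS = {0: "uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}


def dearmor(text):
    """Return the binary packets inside an ASCII-armored PGP MESSAGE block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    try:
        start = lines.index("-----BEGIN PGP MESSAGE-----")
        end = lines.index("-----END PGP MESSAGE-----")
    except ValueError:
        raise ValueError("no PGP MESSAGE armor found")
    body = lines[start + 1:end]
    if "" in body:  # armor headers (Version:, Comment:) end at the first blank line
        body = body[body.index("") + 1:]
    # A trailing "=XXXX" line is the CRC-24 checksum, not message data.
    rows = [ln for ln in body if ln and not ln.startswith("=")]
    try:
        return base64.b64decode("".join(rows), validate=True)
    except binascii.Error as exc:
        raise ValueError("corrupt armor body") from exc


def first_packet(data):
    """Decode the first packet header; return (tag, first body octet or None)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    ctb = data[0]
    if ctb & 0x40:  # new-format header: tag in the low six bits
        if len(data) < 2:
            raise ValueError("truncated packet header")
        tag = ctb & 0x3F
        first = data[1]
        if first < 192 or 224 <= first < 255:
            hdr = 2  # one-octet length, or one-octet partial body length
        elif first < 224:
            hdr = 3  # two-octet length
        else:
            hdr = 6  # 0xFF followed by a four-octet length
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag = (ctb >> 2) & 0x0F
        hdr = 1 + (1, 2, 4, 0)[ctb & 0x03]  # type 3 = indeterminate length
    body0 = data[hdr] if len(data) > hdr else None
    return tag, body0


def classify(armored):
    """Describe the outermost packet of an armored message."""
    tag, body0 = first_packet(dearmor(armored))
    info = {
        "tag": tag,
        "kind": PACKET_TAGS.get(tag, "unknown packet"),
        "needs_decryption": tag in ENCRYPTED_TAGS,
    }
    if tag == 8 and body0 is not None:  # first body octet names the algorithm
        info["compression"] = COMPRESSION_ALGS.get(body0, "unknown")
    return info


def armor(data):
    """Wrap constructed sample bytes in a minimal armor block (no CRC line)."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = ["-----BEGIN PGP MESSAGE-----", "Version: constructed sample", ""]
    return "\n".join(head + rows + ["-----END PGP MESSAGE-----"])


# Constructed samples: only the packet headers are meaningful, the rest is filler.
# 0xA3 = old-format compressed-data packet, indeterminate length; 0x03 = BZIP2.
SIGNED_COMPRESSED = armor(bytes([0xA3, 0x03]) + bytes(40))
# 0x85 = old-format public-key encrypted session key packet, two-octet length.
ENCRYPTED = armor(bytes([0x85, 0x01, 0x0C, 0x03]) + bytes(267))

if __name__ == "__main__":
    for name, sample in (("signed+compressed", SIGNED_COMPRESSED),
                         ("encrypted", ENCRYPTED)):
        print(name, classify(sample))
```

[Only the outermost packet is inspected, so the result says whether decryption is required to get any further, not what a compressed packet contains.]
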
From laurent.jumet at skynet.be Fri Jun 2 15:03:45 2006
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Fri Jun 2 15:05:28 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <20060602110849.GA20010@sirena.org.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hello !

Mark Brown wrote:

>> > Why is someone sending an encrypted message to this list?

>> It's not encrypted. It's just signed and armored.

>> Doesn't your mail client automatically display this for you?

> Many mail clients will assume that any GPG message is encrypted and
> prompt for a passphrase prior to invoking GPG.

Are you sure?
Security wouldn't be compromised if passphrase is given to anything else than gpg?

- --
Laurent Jumet
KeyID: 0xCFAF704C

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFEgDeB9R1toM+vcEwRA/IJAJ94cYSGch26vubs+lDki6sDIDAA+gCgvMKk
/8wC6zZZ6LWc5em3Ibl54EA=
=iqz9
-----END PGP SIGNATURE-----

From ml at mareichelt.de Fri Jun 2 16:26:31 2006
From: ml at mareichelt.de (markus reichelt)
Date: Fri Jun 2 16:27:39 2006
Subject: GnuPG asks for confirmation...
In-Reply-To:
References: <20060602110849.GA20010@sirena.org.uk>
Message-ID: <20060602142631.GA23111@dantooine>

* Laurent Jumet wrote:

> > Many mail clients will assume that any GPG message is encrypted and
> > prompt for a passphrase prior to invoking GPG.
>
> Are you sure?
> Security wouldn't be compromised if passphrase is given to anything else
> than gpg?

F.e. mutt itself asks for a passphrase and passes it on to gpg. It's a normal thing for email clients to do, as with frontends for gpg as well.

In case an attacker replaces the gpg binary with a wrapper... well, security is compromised the moment when an attacker gains system access anyway.

Btw, good to see GoldEd still floating around. How's fidonet?

--
2:2433/480 Sorry to the people I drove nuts back then, hehe
From tmz at pobox.com Fri Jun 2 20:28:57 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri Jun 2 20:29:31 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <20060602110849.GA20010@sirena.org.uk>
References: <447E5B15.6010107@gmail.com> <200606011938.31273.engage@n0sq.us> <20060602025954.GA3390@psilocybe.teonanacatl.org> <20060602110849.GA20010@sirena.org.uk>
Message-ID: <20060602182857.GD3390@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Brown wrote:
> On Thu, Jun 01, 2006 at 10:59:54PM -0400, Todd Zullinger wrote:
>> engage wrote:
>>> Why is someone sending an encrypted message to this list?
>
>> It's not encrypted. It's just signed and armored.
>
>> Doesn't your mail client automatically display this for you?
>
> Many mail clients will assume that any GPG message is encrypted and
> prompt for a passphrase prior to invoking GPG.

I guess I just take it for granted because using mutt along with gpg-agent, I don't get such a password request. I'd be curious if kmail would do the same if configured to use the gpg-agent.

Without the agent, mutt prompts as well. It's just been a long long time since I wasn't using gpg-agent. :)

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Nothing says, "Obey me!" like a bloody head on a fence post.
    -- Stewie Griffin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
iG0EARECAC0FAkSAg2kmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1qhxQCggs0wv8cejnK4Q4Wjdt632zMzX2UAoJz7rb3m
KbVGtmAeLGjkE//lkFuf
=gim2
-----END PGP SIGNATURE-----

From volker at ixolution.de Fri Jun 2 23:13:10 2006
From: volker at ixolution.de (Volker Dormeyer)
Date: Fri Jun 2 23:12:15 2006
Subject: GnuPG Smartcard and Authentication Key
In-Reply-To: <8531.1148850754@paulchen.ixolution.net>
References: <7017.1148840654@paulchen.ixolution.net> <20060528203055.GA14213@jabberwocky.com> <8531.1148850754@paulchen.ixolution.net>
Message-ID: <9265.1149282790@paulchen.ixolution.net>

* On Sun, 28 May 2006 23:12:34 +0200,
* Volker Dormeyer wrote:

* On Sun, 28 May 2006 16:30:55 -0400,
* David Shaw wrote:
> On Sun, May 28, 2006 at 08:24:14PM +0200, Volker Dormeyer wrote:
>> Hello all,
>>
>> recently I received a message which is encrypted with my public
>> authentication key instead of my encryption key.
>>
>> I wonder how this can happen, because I thought GnuPG does not use the
>> authentication key as encryption key. Am I wrong?
>>
>> Further, I am not able to decrypt the message. I tried it manually with
>> "--try-all-secrets", but it doesn't seem to work. Basically it should
>> work. I mean, I have the authentication private key.

> This is unfortunately turning into a FAQ. Basically, you've run into
> an old PGP bug. It was recently fixed (I don't recall exactly in what
> version), but there are countless installations of PGP that predate
> the fix.

> This is what I read in the gnupg-users archive before I sent the
> question. I have to admit, I do not understand exactly, because I know
> that the user who sent me the message is using GnuPG. It shows

> -----BEGIN PGP MESSAGE-----
> Version: GnuPG v1.2.5 (GNU/Linux)

Just thought a bit about it... Is it possible, that GnuPG prior to version 1.4 was not able to interpret those "key flags"? I didn't use an authentication with versions prior to 1.4 for myself.

> in the ASCII armored cipher text.
> OpenPGP keys have "key flags" that indicate what a key is to be used
> for (encryption, signing, or authentication). GnuPG honors these
> flags and will not encrypt to any key that isn't marked for
> encryption. The bug is that PGP is not properly looking at the key
> and will happily encrypt to a signing or authentication key.
> I am aware of the different "key flags". This was the reason why I
> wondered how this could happen.
> As to what you can do about it, your best bet is to contact the sender
> and ask for a retransmission encrypted to the proper key. It might be
> possible to write a program that can essentially trick the smartcard
> into decrypting the message by pretending it is a signature that needs
> to be verified but it depends on how exactly the card handles
> signatures. In any event, no such program exists today.

Thanks,
Volker

--
Volker Dormeyer
Join the Fellowship and protect your Freedom! (http://www.fsfe.org)

From jeekay+gnupg at gmail.com Sat Jun 3 00:24:03 2006
From: jeekay+gnupg at gmail.com (Jee Kay)
Date: Sat Jun 3 00:22:54 2006
Subject: Error generating new keys on Windows with gnupg 1.4.3
Message-ID:

Whenever I try to generate a new secret key on Windows with gnupg 1.4.3, I get the following output immediately following the second request for my passphrase:

gpg: NOTE: you should run 'diskperf -y' to enable the disk statistics

A few seconds after that, a Windows error box pops up with this message:
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: z:\gnupg\gpg.exe
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

Has anyone seen anything like this or know where to start debugging it? I don't know if it makes any difference, but I have HKLU\Software\GNU\gpgProgram set to z:\gnupg\gnupg.exe and HomeDir is set to z:\gnupg.

Please keep me in CC on any replies as I am not subscribed.

Thanks in advance,
Ras

From z.himsel at gmail.com Sat Jun 3 01:08:04 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Sat Jun 3 01:07:03 2006
Subject: Error generating new keys on Windows with gnupg 1.4.3
In-Reply-To:
References:
Message-ID: <4480C4D4.5060507@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/2/2006 6:24 PM, Jee Kay wrote:
> Whenever I try to generate a new secret key on Windows with gnupg
> 1.4.3, I get the following output immediately following the second
> request for my passphrase:
>
> gpg: NOTE: you should run 'diskperf -y' to enable the disk statistics
>
> A few seconds after that, a Windows error box pops up with this
> message:
> Microsoft Visual C++ Runtime Library
> Runtime Error!
> Program: z:\gnupg\gpg.exe
> This application has requested the Runtime to terminate it in an
> unusual way. Please contact the application's support team for more
> information.
>
>
> Has anyone seen anything like this or know where to start debugging
> it? I don't know if it makes any difference, but I have
> HKLU\Software\GNU\gpgProgram set to z:\gnupg\gnupg.exe and HomeDir is
> set to z:\gnupg.
>
> Please keep me in CC on any replies as I am not subscribed.
>
> Thanks in advance,
> Ras
>

Did you try using an environmental variable instead of using the registry?

Assuming you're using WinXP, open up the system properties (right-click "My Computer">Properties). In the "Advanced" tab, click the "Environmental Variables" button on the bottom. You should now see a popup with 2 panes, one on top and one on the bottom. If you have admin access, open the "Path" variable. You're going to want to add the path to the GnuPG EXECUTABLE (not the keyrings, unless they're in the same folder) at the end (make sure that you separate your addition from the string before it with a semicolon [;].
Look at the rest of the "Path" variable to see an example of how they are separated). For example this is my "Path" variable before the addition:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem

Notice the semicolons between them and the lack of spaces. This is what mine looks like with the addition (just replace my GnuPG path with whatever yours is):

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\program file\gnu\gnupg

Make sure that you do NOT put it in quotes (as we are used to doing in the command prompt when a filename had spaces). What the "Path" addition does is it tells the Windows Shell where to look for executable files (like when you say "cmd" at the "run" dialog, it looks in \windows\system32 for "cmd.exe"). So now when you type "gpg" (no quotes) at the "run" dialog or from a cmd prompt, it will run "gpg.exe."

If you don't have administrator access to the computer, you can just add a new variable named "PATH" in the top pane (user variables). Just add the GnuPG exec path to that.

The second thing to do is add one last variable. This one doesn't normally exist in Windows so you must create a new system (or user) variable named "GNUPGHOME" (case-sensitive). The value for that variable is going to be the directory of your GnuPG keyrings (i.e. my GNUPGHOME variable's value is "d:\gnupg" (no quotes), as that is the folder where my keyrings are).

Once those variables are changed/added, just "OK" out of the remaining dialogs until System Properties is closed. You don't have to restart or anything.

P.S. the environmental variables override the registry settings, so you don't have to worry about cleaning them up.

- --
Zach Himsel
|_|o|_|
|_|_|o|
|o|o|o|
PGP Public Key: http://zach-himsel.is.dreaming.org/
PGP Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From engage at n0sq.us Sat Jun 3 04:57:54 2006
From: engage at n0sq.us (engage)
Date: Sat Jun 3 04:57:20 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <20060602025954.GA3390@psilocybe.teonanacatl.org>
References: <200606011938.31273.engage@n0sq.us> <20060602025954.GA3390@psilocybe.teonanacatl.org>
Message-ID: <200606022057.55174.engage@n0sq.us>

On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>engage wrote:
>> Why is someone sending an encrypted message to this list?
>
>It's not encrypted. It's just signed and armored.
>
>Doesn't your mail client automatically display this for you?

No. I keep getting prompted for my passphrase for this message.
Kmail.

From tmz at pobox.com Sat Jun 3 07:49:45 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Sat Jun 3 08:00:26 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <200606022057.55174.engage@n0sq.us>
References: <200606011938.31273.engage@n0sq.us> <20060602025954.GA3390@psilocybe.teonanacatl.org> <200606022057.55174.engage@n0sq.us>
Message-ID: <20060603054945.GL3390@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

engage wrote:
> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>>engage wrote:
>>> Why is someone sending an encrypted message to this list?
>>
>>It's not encrypted. It's just signed and armored.
>>
>>Doesn't your mail client automatically display this for you?
>
> No. I keep getting prompted for my passphrase for this message.
> Kmail.

Just hit enter. There isn't any encryption, but the message is armored and as others have pointed out, email software often just assumes any pgp chunk that begins with "BEGIN PGP MESSAGE" is encrypted and asks for a passphrase to pass on to gpg.

I've used mutt with gpg-agent for years now and have grown accustomed to not having that prompt unless a passphrase was truly required. :)

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Be who you are and say what you feel because those who mind don't matter and those who matter don't mind.
-- Dr Seuss, "Oh the Places You'll Go"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From felix.klee at inka.de Sat Jun 3 19:09:16 2006
From: felix.klee at inka.de (Felix E. Klee)
Date: Sat Jun 3 19:08:42 2006
Subject: Info on sub keys?
Message-ID: <87zmgudv43.wl%felix.klee@inka.de>

I've a couple of newbie questions concerning sub keys:

* Aside from convenience, is there any difference between a sub key and an ordinary key signed with the master key?

* Can such an ordinary key be transformed into a sub key?

* Since when (date and version) does PGP and since when does GnuPG support signing sub keys? I ask because I read that old versions, at least of PGP, support only encryption sub keys, not signing sub keys.

* Are signing sub keys part of the OpenPGP standard?

* One can include any number of sub keys into a key, right? I ask because I recall reading that there was/is some problem with key servers and sub keys.

If there is any good documentation on sub keys, aside from technical specifications (such as RFC 2440), then please let me know.

--
Felix E. Klee

From alphasigmax at gmail.com Sat Jun 3 19:32:19 2006
From: alphasigmax at gmail.com (Alphax)
Date: Sat Jun 3 19:33:13 2006
Subject: Info on sub keys?
In-Reply-To: <87zmgudv43.wl%felix.klee@inka.de>
References: <87zmgudv43.wl%felix.klee@inka.de>
Message-ID: <4481C7A3.4020804@gmail.com>

Felix E. Klee wrote:
> I've a couple of newbie questions concerning sub keys:
>
> * Aside from convenience, is there any difference between a sub key and
>   an ordinary key signed with the master key?
>

A subkey cannot issue a certification signature - at least not in any known implementations.

> * Can such an ordinary key be transformed into a sub key?
>

Yes, with difficulty. See http://atom.smasher.org/gpg/gpg-migrate.txt for details.

> * Since when (date and version) does PGP and since when does GnuPG
>   support signing sub keys? I ask because I read that old versions, at
>   least of PGP, support only encryption sub keys, not signing sub keys.
>

PGP 8 supports signing subkeys; no other official version of PGP before then does. It's possible that 6.5.8ckt and 2.6.3ia supported them as well.

> * Are signing sub keys part of the OpenPGP standard?
>

Yes. They wouldn't be in GPG if they weren't.

> * One can include any number of sub keys into a key, right? I ask
>   because I recall reading that there was/is some problem with key
>   servers and sub keys.
>

PKS keyservers (pre version 0.9.6) had a bug that mangled keys with multiple subkeys. Fortunately they are mostly SKS and/or newer than this now. However, most versions of PGP will ignore the key flags on an RSA subkey, so you may end up getting messages encrypted to your signing subkeys.

> If there is any good documentation on sub keys, aside from technical
> specifications (such as RFC 2440), then please let me know.
>

Adrian von Bidder wrote an excellent tutorial on subkeys at .

--
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From felix.klee at inka.de Sat Jun 3 23:11:21 2006
From: felix.klee at inka.de (Felix E. Klee)
Date: Sat Jun 3 23:43:45 2006
Subject: Info on sub keys?
In-Reply-To: <4481C7A3.4020804@gmail.com>
References: <87zmgudv43.wl%felix.klee@inka.de> <4481C7A3.4020804@gmail.com>
Message-ID: <87y7wedjwm.wl%felix.klee@inka.de>

At Sun, 04 Jun 2006 03:02:19 +0930, Alphax wrote:
> A subkey cannot issue a certification signature - at least not in any
> known implementations.

Right, I read about that before.

> PGP 8 supports signing subkeys; no other official version of PGP before
> then does.

According to Tom McCune's FAQ [1] version 8.1 was the first version that supported signing subkeys for checking signatures:

"GPG (but not PGP) can now generate subkeys for signing. Until PGP 8.1, PGP had no support for this, and could not verify signatures made with such a signing subkey."

So, I assume that there was a version 8.0 which doesn't support them. I wonder when version 8.1 was released.

> > * One can include any number of sub keys into a key, right? I ask
> >   because I recall reading that there was/is some problem with key
> >   servers and sub keys.
>
> PKS keyservers (pre version 0.9.6) had a bug that mangled keys with
> multiple subkeys.

Hm, as far as I understand it, public key servers exchange updates among each other, in order to stay synchronized. Consider the following example:

I upload a key to server A, from there it goes to server B and finally it arrives at server C: A->B->C.

Now what would happen if that key contains a signature sub key and server B runs a pre 0.9.6 PKS version? Would the key end up in a mangled state on B and C?
Could the mangled key propagate back to A?

> > If there is any good documentation on sub keys, aside from technical
> > specifications (such as RFC 2440), then please let me know.
>
> Adrian von Bidder wrote an excellent tutorial on subkeys at
> .

I recall finding it on the web some time ago, but I didn't read it. I better do that now.

BTW, there's another little question I forgot to raise in my first message:

In his FAQ, Tom McCune uses the expression "4096/2048 RSA" to refer to a 2048 bit master key with a 4096 bit encryption sub key. Is this a general convention? I.e. does "foo Y/X", in general, refer to an "X" bit master key of type "foo" with an "Y" bit sub key for encryption?

[1] http://www.mccune.cc/PGPpage2.htm

--
Felix E. Klee

From kloecker at kde.org Sat Jun 3 22:19:36 2006
From: kloecker at kde.org (Ingo Klöcker)
Date: Sat Jun 3 23:56:05 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <200606022057.55174.engage@n0sq.us>
References: <20060602025954.GA3390@psilocybe.teonanacatl.org> <200606022057.55174.engage@n0sq.us>
Message-ID: <200606032219.40359@erwin.ingo-kloecker.de>

On Saturday 03 June 2006 04:57, engage wrote:
> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
> >engage wrote:
> >> Why is someone sending an encrypted message to this list?
> >
> >It's not encrypted. It's just signed and armored.
> >
> >Doesn't your mail client automatically display this for you?
>
> No. I keep getting prompted for my passphrase for this message.
> Kmail.

My KMail (1.9.x) shows the message without asking for a passphrase. And I'm not aware of changes in this part of the code which would explain the different behavior. Strange.

Regards,
Ingo

From dshaw at jabberwocky.com Sun Jun 4 01:01:37 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Jun 4 01:00:44 2006
Subject: Info on sub keys?
In-Reply-To: <87y7wedjwm.wl%felix.klee@inka.de>
References: <87zmgudv43.wl%felix.klee@inka.de> <4481C7A3.4020804@gmail.com> <87y7wedjwm.wl%felix.klee@inka.de>
Message-ID: <20060603230137.GB32267@jabberwocky.com>

On Sat, Jun 03, 2006 at 11:11:21PM +0200, Felix E. Klee wrote:
> At Sun, 04 Jun 2006 03:02:19 +0930,
> Alphax wrote:
> > > * One can include any number of sub keys into a key, right? I ask
> > >   because I recall reading that there was/is some problem with key
> > >   servers and sub keys.
> >
> > PKS keyservers (pre version 0.9.6) had a bug that mangled keys with
> > multiple subkeys.
>
> Hm, as far as I understand it, public key servers exchange updates among
> each other, in order to stay synchronized. Consider the following
> example:
>
> I upload a key to server A, from there it goes to server B and
> finally it arrives at server C: A->B->C.
>
> Now what would happen if that key contains a signature sub key and
> server B runs a pre 0.9.6 PKS version? Would the key end up in a
> mangled state on B and C? Could the mangled key propagate back to A?

B would mangle it and send the mangled version to C. Offhand, I don't recall any pre 0.9.6 PKS installations left though.

> > > If there is any good documentation on sub keys, aside from technical
> > > specifications (such as RFC 2440), then please let me know.
> >
> > Adrian von Bidder wrote an excellent tutorial on subkeys at
> > .
>
> I recall finding it on the web some time ago, but I didn't read it. I
> > BTW, there's another little question I forgot to raise in my first > message: > > In his FAQ, Tom McCune uses the expression "4096/2048 RSA" to refer to > a 2048 bit master key with a 4096 bit encryption sub key. Is this a > general convention? I.e. does "foo Y/X", in general, refer to an "X" > bit master key of type "foo" with an "Y" bit sub key for encryption? It's not a general convention. PGP said things like that because when you made a RSA primary key, it would (by default) also make a RSA subkey. Once you start mixing algorithms (RSA primary, Elgamal subkey, etc), the convention breaks down. David From sean at rima.ws Sun Jun 4 00:05:32 2006 From: sean at rima.ws (Sean Rima) Date: Sun Jun 4 01:56:07 2006 Subject: GnuPG asks for confirmation... In-Reply-To: <200606032219.40359@erwin.ingo-kloecker.de> References: <20060602025954.GA3390@psilocybe.teonanacatl.org> <200606022057.55174.engage@n0sq.us> <200606032219.40359@erwin.ingo-kloecker.de> Message-ID: <1331727322.20060603230532@rima.ws> Hello Ingo, Saturday, June 3, 2006, 9:19:36 PM, you wrote: > On Saturday 03 June 2006 04:57, engage wrote: >> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote: >> >engage wrote: >> >> Why is someone sending an encrypted message to this list? >> > >> >It's not encrypted. It's just signed and armored. >> > >> >Doesn't your mail client automatically display this for you? >> >> No. I keep getting prompted for my passphrase for this message. >> Kmail. > My KMail (1.9.x) shows the message without asking for a passhphrase. And > I'm not aware of changes in this part of the code which would explain > the different behavior. Strange. I am using TheBat! and may having the same problem, except I have to try and get the signers key which I cannot so cannot read the mail(s) -- Sean ... The most incomprehensible thing about the world is that it is at all comprehensible. 
- Albert Einstein
Strange things happen under the midnight sun when Men and Dogs go hunting for gold
To get my public GPG key send me an email with the Subject of GET GPG KEY

From tmz at pobox.com Sun Jun 4 07:54:28 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Sun Jun 4 07:54:16 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <200606032219.40359@erwin.ingo-kloecker.de>
References: <20060602025954.GA3390@psilocybe.teonanacatl.org> <200606022057.55174.engage@n0sq.us> <200606032219.40359@erwin.ingo-kloecker.de>
Message-ID: <20060604055428.GA2817@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ingo Klöcker wrote:
> On Saturday 03 June 2006 04:57, engage wrote:
>> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
>>>engage wrote:
>>>> Why is someone sending an encrypted message to this list?
>>>
>>>It's not encrypted. It's just signed and armored.
>>>
>>>Doesn't your mail client automatically display this for you?
>>
>> No. I keep getting prompted for my passphrase for this message.
>> Kmail.
>
> My KMail (1.9.x) shows the message without asking for a passphrase.
> And I'm not aware of changes in this part of the code which would
> explain the different behavior. Strange.

Ingo, are you using the gpg-agent?

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Well at first I was skeptical but then I thought I could be like Hillary Clinton, just without the penis.
-- Lois Griffin, The Family Guy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From zvrba at globalnet.hr Sun Jun 4 10:55:46 2006
From: zvrba at globalnet.hr (zvrba@globalnet.hr)
Date: Sun Jun 4 11:02:23 2006
Subject: Smart-card daemon and PKCS#11
Message-ID: <20060604085546.GA5517@zax.ifi.uio.no>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

After several independent queries about my PKCS#11 patch to gpg 1.4, I've decided to start an independent project and do the thing properly instead of keeping the patch up-to-date. The project aims to replace the scdaemon component of GnuPG 2 with another (named p11scd) which is able to work with read-only PKCS#11 cards.

The project is hosted at: https://dev.interhost.no/p11scd/

The wiki is closed for public editing, but you may read it and access the subversion repository. If you have any comments/questions about the currently stated design-decisions, please send them to my email. I might set up a google mailing list in the future if enough people become interested.

Please note that I'm doing this in my free time (which is not abundant), so I give no time frame when the project is going to be finished. If you want to participate in the project, please also drop me a mail.

Rationale: This will enable the use of many other smart-card types with GnuPG than is currently possible. (One frequently asked for was Schlumberger
- - now Axalto - Cryptoflex).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----

From gct3 at blueyonder.co.uk Fri Jun 2 14:01:25 2006
From: gct3 at blueyonder.co.uk (Graham)
Date: Sun Jun 4 14:56:06 2006
Subject: [lists] re: Signing vs.
encrypting was: Cipher v public key
In-Reply-To: <20060601153315.15370DA820@mailserver8.hushmail.com>
References: <20060601153315.15370DA820@mailserver8.hushmail.com>
Message-ID: <20060602130125.3e9e5826@rocker1>

On Thu, 01 Jun 2006 11:33:14 -0400 wrote:
> > While I prefer gnupg to pgp myself, I did just happen to see a
> > reference to pgp command line today
>
> the cost is *astronomical*
>
> have played around with it when it was released as a free
> command line pgp 8.5 beta
[snipped]

AFAIK this is the latest PGP command line version available - except for server based systems, which is why the cost is *astronomical*. When Network Associates sold the rights to PGP to PGP Corporation, they kept the rights to the command line version, and unless things have changed this is why PGP Corporation don't offer it.

But why bother when there is GPG?

--
Graham

From tmz at pobox.com Sun Jun 4 19:31:43 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Sun Jun 4 19:42:33 2006
Subject: [lists] re: Signing vs. encrypting was: Cipher v public key
In-Reply-To: <20060602130125.3e9e5826@rocker1>
References: <20060601153315.15370DA820@mailserver8.hushmail.com> <20060602130125.3e9e5826@rocker1>
Message-ID: <20060604173143.GB2817@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Graham wrote:
> On Thu, 01 Jun 2006 11:33:14 -0400 wrote:
[...]
>> the cost is *astronomical*
>>
>> have played around with it when it was released as a free command
>> line pgp 8.5 beta
> [snipped]
>
> AFAIK this is the latest PGP command line version available - except
> for server based systems, which is why the cost is *astronomical*.

PGP Commandline 9.0 is what I saw reference to.

> When Network Associates sold the rights to PGP to PGP Corporation,
> they kept the rights to the command line version, and unless things
> have changed this is why PGP Corporation don't offer it.

I believe it has. See:

http://www.pgp.com/products/commandline/index.html

And the cost is astronomical, IMO.
The quote from their store:

PGP Commandline 9.0, Perpetual License W/ SI - 2 Processors, 1 Key, Send and Receive Functionality
$3,170.00
QTY: 1

> But why bother when there is GPG?

No argument there. :)

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Even moderation ought not to be practiced to excess.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From utternoncesense at gmail.com Sun Jun 4 22:36:51 2006
From: utternoncesense at gmail.com (utternoncesense@gmail.com)
Date: Sun Jun 4 22:35:55 2006
Subject: GPG Implementation of Symmetric Operations, and To-Self Encryption
In-Reply-To: <2614f0720606030830g603be62dm4cfda3dc68fb1058@mail.gmail.com>
References: <2614f0720606030830g603be62dm4cfda3dc68fb1058@mail.gmail.com>
Message-ID: <2614f0720606041336t3f3ad5b9j4a0fd2ad9636b2b5@mail.gmail.com>

I have a couple of questions about GPG that fall in the range above pure mathematical equations but below "You use this option." Mostly they're of the form "This is how I understand it now, can you confirm that I've got it?"

Firstly, in pure RSA/ElGamal etc, there is no passphrase U - there's numbers p,q,g,a,b, etc.

The way I understand it: Your secret key is encrypted using your passphrase. Your passphrase essentially acts as a symmetric key, one never stored anywhere except your head. Am I correct in the belief that this is how it works? I imagine it's some type of hashing or somesuch. If you don't want to give all the details of transformation from passphrase to key, that's okay, just want to make sure I understand it.

Secondly, Using the option --symmetric creates a .gpg file and prompts you for a passphrase that the symmetric key is based on. Decrypting a Symmetrically Encrypted file is done by generic --decrypt option, and the header, non-encrypted part of the file says "Hey this is symmetric, prompt for a passphrase"

Thirdly, GPG is based upon a hybrid system entirely. The data of any file is ALWAYS encrypted symmetrically, and a symmetric key is made for each encryption use. The symmetric key used is then encrypted with the public key of the recipient and the whole thing is bundled together.

If I'm encrypting something already zipped or compressed in any other method, I should use -z 0 because trying to compress it further isn't likely to do much, and it will slow down the processing - right?

RSA & ElGamal use keys around 1024-2048 usually. EC uses 160-224 bit keys, but is based on mostly different math (it may be equivalent at some level, but I'm neither aware nor able to understand anything beyond yes or no on that topic). AES uses 256 bit. It's not allowed to go over 256 bit. This is because it's an entirely different area of cryptography? Block Ciphers as opposed to integer factorization, discrete logs, or curvature? And comparing key lengths between the three areas (IF/DS, EC, Block) without any normalization is like comparing the engine in a semi to one in a sedan without considering the weights of the vehicles - They both enable the vehicle to go 80 (encrypted to some rigor) but the semi needs a much larger one because the truck weighs more (easier to test factors than undo block ciphers). Right?

Some questions I couldn't find answers to online:

RSA, ElGamal - I've always learned them as Asymmetric Ciphers - Public Key/Private Key. What algorithm does GPG use for the symmetric side of things? What's the size of the key? (the size of the key chosen for the Keypair?)

For encryption of documents to myself, I can:
- Use Symmetric Encryption with a passphrase of my choosing.
  But a passphrase seems weaker than a full blown key.
- Use the --encrypt-to-self or --recipient options. I encrypt the Document using my public key so only my Private key can open it.
- Is there an option to have a Symmetric Key, that behaves like both a public and a private key? Obviously you'd have to not publish your the key, but apart from that? It may be protected by a passphrase, it may not and rely upon the user to control Key access (an interesting implementation would be a very large symmetric key, that is stored on a removable media or encrypted partition that is inserted/mounted whenever access is needed, and not allowed to be stored anywhere but Volatile Memory)
- Any other advised methods?

--throw-keyid --encrypt-to-self will produce a file that, considering all available information available in the file, is known ONLY to be encrypted by GPG X.Y.Z with the private key of some individual. But may only be decrypted by myself (because it's encrypted to myself). Right?

What would happen if I tried --symmetric --throw-keyid ?

Does ElGamal double the size of the encrypted document if used without encryption?

Thanks for any and all answers.

From qed at tiscali.it Mon Jun 5 00:09:22 2006
From: qed at tiscali.it (Qed)
Date: Mon Jun 5 00:15:43 2006
Subject: GPG Implementation of Symmetric Operations, and To-Self Encryption
In-Reply-To: <2614f0720606041336t3f3ad5b9j4a0fd2ad9636b2b5@mail.gmail.com>
References: <2614f0720606030830g603be62dm4cfda3dc68fb1058@mail.gmail.com> <2614f0720606041336t3f3ad5b9j4a0fd2ad9636b2b5@mail.gmail.com>
Message-ID: <44835A12.1040407@tiscali.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 06/04/2006 10:36 PM, utternoncesense@gmail.com wrote:
> Firstly, in pure RSA/ElGamal etc, there is no passphrase U - there's
> numbers p,q,g,a,b, etc.

Only when you encrypt.

> The way I understand it:
> Your secret key is encrypted using your passphrase.
> Your passphrase
> essentially acts as a symmetric key, one never stored anywhere except
> your head. Am I correct in the belief that this is how it works? I
> imagine it's some type of hashing or somesuch. If you don't want to
> give all the details of transformation from passphrase to key, that's
> okay, just want to make sure I understand it.

Almost correct.

> Secondly, Using the option --symmetric creates a .gpg file and prompts
> you for a passphrase that the symmetric key is based on. Decrypting a
> Symmetrically Encrypted file is done by generic --decrypt option, and
> the header, non-encrypted part of the file says "Hey this is
> symmetric, prompt for a passphrase"

Right.

> Thirdly, GPG is based upon a hybrid system entirely.

Only when you use public key encryption.

> The data of any file is ALWAYS encrypted symmetrically, and a symmetric
> key is made for each encryption use.

It is called "session key".

> The symmetric key used is then encrypted with the public key of the
> recipient and the whole thing is bundled together.

OK.

> If I'm encrypting something already zipped or compressed in any other
> method, I should use -z 0 because trying to compress it further isn't
> likely to do much, and it will slow down the processing - right?

Gnupg is aware of different compression algos (bzip2, zlib, zip) and when it encounters such a compressed file disables compression automatically.

> RSA & ElGamal use keys around 1024-2048 usually.

1024 RSA/ElGamal is considered semi-weak.

> EC uses 160-224 bit keys, but is based on mostly different math
> (it may be equivalent at some level, but I'm neither aware nor able
> to understand anything beyond yes or no on that topic).
> AES uses 256 bit. It's not allowed to go over 256 bit. This is because
> it's an entirely different area of cryptography?

This is because AES doesn't allow this. Stop.

> Block Ciphers as opposed to integer factorization,
> discrete logs, or curvature?
> And comparing key lengths between the
> three areas (IF/DS, EC, Block) without any normalization
You could read NIST Special Publication 800-57 section 5.6.1 about this issue.
> Some questions I couldn't find answers to online:
> RSA, ElGamal - I've always learned them as Asymmetric Ciphers - Public
> Key/Private Key. What algorithm does GPG use for the symmetric side
> of things? What's the size of the key? (the size of the key chosen
> for the Keypair?)
gpg --version shows supported algorithms. Many symmetric ciphers allow only a fixed length key by design (IDEA, CAST5, 3DES); others (AES, TWOFISH, BLOWFISH) can be used with different key sizes, but only AES is used in such a way in OpenPGP.
> For encryption of documents to myself, I can:
> - Use Symmetric Encryption with a passphrase of my choosing. But a
> passphrase seems weaker than a full blown key.
You still use a passphrase to protect the secret part of your keyring, this is the weak link of most cryptosystems.
> - Is there an option to have a Symmetric Key, that behaves like both a
> public and a private key? Obviously you'd have to not publish your
> the key, but apart from that?
If you must not publish it, what makes it a public key? Hmmm, some bells start ringing in my head. Is this a homework assignment?
> --throw-keyid --encrypt-to-self will produce a file that, considering
> all available information available in the file, is known ONLY to be
> encrypted by GPG X.Y.Z with the private key of some individual. But
> may only be decrypted by myself (because it's encrypted to myself).
> Right?
This is wrong twice. Guess why.
> What would happen if I tried --symmetric --throw-keyid ?
Try yourself.
> Does ElGamal double the size of the encrypted document if used without
> encryption?
This is DEFINITELY a homework assignment! Ever heard of Google? It is the holy saint of high school students.

- --
Q.E.D.
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
-----END PGP SIGNATURE-----

From sbt at megacceso.com Sun Jun 4 23:22:24 2006
From: sbt at megacceso.com (Sergi Blanch i Torné)
Date: Mon Jun 5 06:56:09 2006
Subject: GPG Implementation of Symmetric Operations, and To-Self Encryption
In-Reply-To: <2614f0720606041336t3f3ad5b9j4a0fd2ad9636b2b5@mail.gmail.com>
References: <2614f0720606030830g603be62dm4cfda3dc68fb1058@mail.gmail.com> <2614f0720606041336t3f3ad5b9j4a0fd2ad9636b2b5@mail.gmail.com>
Message-ID: <200606042322.26123.sbt@megacceso.com>

Hey!

Too many things to answer... I will only respond to some that I can know the answer, sorry.

On Sunday 04 June 2006 22:36, utternoncesense@gmail.com wrote:
(...)
> Thirdly, GPG is based upon a hybrid system entirely. The data of any
> file is ALWAYS encrypted symmetrically, and a symmetric key is made
> for each encryption use. The symmetric key used is then encrypted
> with the public key of the recipient and the whole thing is bundled
> together.

Think, for example, that you want to send 100MB of information to 10 people. Within a pure asymmetric system you will encrypt it one by one and then send at least 1GB (possibly more). Using a hybrid scheme (not less secure) you will send 100MB symmetrically encrypted and a little more than 10k where you have the symmetric key encrypted one by one.

> RSA & ElGamal use keys around 1024-2048 usually. EC uses 160-224 bit
> keys, but is based on mostly different math (it may be equivalent at
> some level, but I'm neither aware nor able to understand anything
> beyond yes or no on that topic). AES uses 256 bit. It's not allowed
> to go over 256 bit.
> This is because it's an entirely different area
> of cryptography? Block Ciphers as opposed to integer factorization,
> discrete logs, or curvature? And comparing key lengths between the
> three areas (IF/DS, EC, Block) without any normalization is like
> comparing the engine in a semi to one in a sedan without considering
> the weights of the vehicles - They both enable the vehicle to go 80
> (encrypted to some rigor) but the semi needs a much larger one because
> the truck weighs more (easier to test factors than undo block
> ciphers). Right?

To establish the equivalence of security between different algorithms, also from different nature (like compare symmetric/asymmetric) we could use a formula that relates how many basic operations are needed to break it, with how many basic operations the computer could do per second. Then you have one very much optimistic time. If someone finds a new attack to one cryptosystem, these equivalences will change.

(...)

Sorry for the partial answer. Someone else could answer you better than I.

/Sergi.

From michael at vorlon.ping.de Mon Jun 5 18:49:56 2006
From: michael at vorlon.ping.de (Michael Bienia)
Date: Mon Jun 5 18:49:08 2006
Subject: Problem with decrypting a mail with an openpgp card
Message-ID: <20060605164956.GA14389@vorlon.ping.de>

Hello,

I've once again a problem with decrypting a mail with my openpgp card. The used subkey is my encryption key so it should work theoretically.
The output of gnupg (with gnupg-agent) is:

,----
| gpg: armor header: Version: GnuPG v1.4.1 (GNU/Linux)
| gpg: public key is AF58F2B4
| gpg: using subkey AF58F2B4 instead of primary key 968BD587
| gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.131
| gpg: using subkey AF58F2B4 instead of primary key 968BD587
| gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
|       "Michael Bienia "
| gpg: public key decryption failed: general error
| gpg: decryption failed: secret key not available
`----

I can successfully decrypt another mail (from someone else) which is also encrypted to the same subkey (he also used gnupg 1.4.1).

gnupg and gnupg-agent are current versions from the svn (revision 4151).

Has someone an explanation?

TIA,
Michael

From mkontakt at gmail.com Mon Jun 5 23:41:01 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Mon Jun 5 23:40:04 2006
Subject: sign and encrypt
Message-ID: <20060605214101.GA8379@debian.mydomain.com>

I have seen in the spec rfc3156 that a message should be signed and then encrypted, but hypothetically if I send a message to someone I do not like and sign it and then encrypt it he/she can forward it to someone else pretending that the message was originally from myself. Is there anything I have missed in spec or in gnupg to forbid this?
Thanks in advance
Martin

From dshaw at jabberwocky.com Mon Jun 5 23:57:14 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jun 5 23:56:07 2006
Subject: sign and encrypt
In-Reply-To: <20060605214101.GA8379@debian.mydomain.com>
References: <20060605214101.GA8379@debian.mydomain.com>
Message-ID: <20060605215714.GA27428@jabberwocky.com>

On Mon, Jun 05, 2006 at 11:41:01PM +0200, mkontakt@gmail.com wrote:
> I have seen in the spec rfc3156 that a message should be signed and
> then encrypted, but hypothetically if I send a message to someone I do
> not like and sign it and then encrypt it he/she can forward it to
> someone else pretending that the message was originally from myself.
> Is there anything I have missed in spec or in gnupg to forbid this?

This isn't a rfc3156 (PGP/MIME) or GPG issue. The recipient can forward anything he likes and there is no way to prevent him. If you want to make it not useful for him to forward, stick something like "I sent this to so-and-so" in the signed message.

David

From z.himsel at gmail.com Tue Jun 6 01:09:55 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Tue Jun 6 01:08:48 2006
Subject: gnupg-agent not working...
Message-ID: <4484B9C3.7000202@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
I am using Thunderbird with the Enigmail extension. It gets annoying to me to have to enter in my password every time I want to send a signed (every email) or encrypted (only some) email. Sure, it saves it for 5 minutes idle time, but it's not like someone is going to go on my computer and send emails signed by me as it is a private computer which only I have access to. In the past I have used the gnupg-agent to not have to enter my password and it worked, but now it doesn't. I do not know why. I have GnuPG 1.4.3 under Windows XP (I have it for SUSE 10.0 also, but I haven't tried it on that machine yet.). Thunderbird is 1.5.0.4 and Enigmail is 0.94.0. Thanks.
- --
Zach Himsel

|_|o|_|
|_|_|o|
|o|o|o|

OpenPGP Public Key: http://zach-himsel.is.dreaming.org/
OpenPGP Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
-----END PGP SIGNATURE-----

From johnmoore3rd at joimail.com Tue Jun 6 01:24:09 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Jun 6 01:23:16 2006
Subject: gpg-agent not working
Message-ID: <4484BD19.3000209@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Zach Himsel wrote:
> > - gpg control packet
> > Hello,
> > I am using Thunderbird with the Enigmail extension. It gets annoying
> > to me to have to enter in my password every time I want to send a
> > signed (every email) or encrypted (only some) email. Sure, it saves it
> > for 5 minutes idle time, but it's not like someone is going to go on
> > my computer and send emails signed by me as it is a private computer
> > which only I have access to. In the past I have used the gnupg-agent
> > to not have to enter my password and it worked, but now it doesn't. I
> > do not know why. I have GnuPG 1.4.3 under Windows XP (I have it for
> > SUSE 10.0 also, but I haven't tried it on that machine yet.).
> > Thunderbird is 1.5.0.4 and Enigmail is 0.94.0. Thanks.

I cannot speak to the gpg-agent issue; But, Enigmail *does* allow you to set the time it will store the passphrase. 5 minutes is the Default, but you may change it to any number of minutes you prefer. Look under OpenPGP > Preferences. One reminder; whenever you Close/Exit Thunderbird the passphrase will be cleared.
JOHN 8-)
Timestamp: Monday 05 Jun 2006, 19:22 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn4151: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From chd at chud.net Mon Jun 5 23:58:32 2006
From: chd at chud.net (Chris De Young)
Date: Tue Jun 6 01:25:52 2006
Subject: sign and encrypt
In-Reply-To: <20060605214101.GA8379@debian.mydomain.com>
References: <20060605214101.GA8379@debian.mydomain.com>
Message-ID: <4484A908.7000008@chud.net>

mkontakt@gmail.com wrote:
> I have seen in the spec rfc3156 that a message should be signed and
> then encrypted, but hypothetically if I send a message to someone I do
> not like and sign it and then encrypt it he/she can forward it to
> someone else pretending that the message was originally from myself.

I assume you mean forward the decrypted version, with the signature intact, since the encrypted version would only be readable by the intended recipient.

Yes, this could happen, but it doesn't seem like a very big problem. The deception doesn't work if anything in the message itself indicates who the intended recipient is ("Hey Mike, [...]").

Signing after encryption exposes more information about the message, which I think is the main reason it's discouraged. The encrypted version is already tamper-proof, since any alteration will break the decryption.
-C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20060605/e7288a1f/signature-0001.pgp

From shavital at mac.com Tue Jun 6 06:00:53 2006
From: shavital at mac.com (Charly Avital)
Date: Tue Jun 6 06:00:10 2006
Subject: gnupg-agent not working...
In-Reply-To: <4484B9C3.7000202@gmail.com>
References: <4484B9C3.7000202@gmail.com>
Message-ID: <4484FDF5.3070300@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Zach Himsel wrote the following on 6/5/06 7:09 PM:
> Hello,
> I am using Thunderbird with the Enigmail extension. It gets annoying
> to me to have to enter in my password every time I want to send a
> signed (every email) or encrypted (only some) email.

You know you don't have to use the passphrase to encrypt messages, only to sign them, or decrypt messages sent to you.

> Sure, it saves it
> for 5 minutes idle time, but it's not like someone is going to go on
> my computer and send emails signed by me as it is a private computer
> which only I have access to. In the past I have used the gnupg-agent
> to not have to enter my password and it worked, but now it doesn't. I
> do not know why. I have GnuPG 1.4.3 under Windows XP (I have it for
> SUSE 10.0 also, but I haven't tried it on that machine yet.).
> Thunderbird is 1.5.0.4 and Enigmail is 0.94.0. Thanks.

I am using gpg-agent, but cannot address your query because I am a Macintosh user. I have set the gpg-agent cache in gpg-agent.conf to last 24 hours, I am the sole user of my computer.

If you could post to the list the contents of the warning or error message you get when gpg-agent fails, it might help other Windows XP users in this forum to assist.

As far as I know GnuPG 1.4.3 is not gpg-agent enabled, the current version is GnuPG 1.9.20.

Sorry I can't help.
Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From z.himsel at gmail.com Tue Jun 6 06:28:18 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Tue Jun 6 06:27:37 2006
Subject: signature comments?
Message-ID: <44850462.5080701@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've always wondered how to get comments put under the signature header... I've seen them on sigs before and would like to have my public key address put there. Does anyone know how to do this?

Thanks.

- --
Zach Himsel

|_|o|_|
|_|_|o|
|o|o|o|

OpenPGP Public Key: http://zach-himsel.is.dreaming.org/
OpenPGP Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
-----END PGP SIGNATURE-----

From tmz at pobox.com Tue Jun 6 06:59:47 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Tue Jun 6 06:59:41 2006
Subject: gnupg-agent not working...
In-Reply-To: <4484B9C3.7000202@gmail.com>
References: <4484B9C3.7000202@gmail.com>
Message-ID: <20060606045947.GC2258@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zach Himsel wrote:
> I am using Thunderbird with the Enigmail extension. It gets annoying
> to me to have to enter in my password every time I want to send a
> signed (every email) or encrypted (only some) email. Sure, it saves
> it for 5 minutes idle time, but it's not like someone is going to go
> on my computer and send emails signed by me as it is a private
> computer which only I have access to. In the past I have used the
> gnupg-agent to not have to enter my password and it worked, but now
> it doesn't. I do not know why. I have GnuPG 1.4.3 under Windows XP
> (I have it for SUSE 10.0 also, but I haven't tried it on that
> machine yet.). Thunderbird is 1.5.0.4 and Enigmail is 0.94.0.

I got the impression from this thread a few months ago that getting the agent working in windows was a bit difficult:

http://lists.gnupg.org/pipermail/gnupg-devel/2006-January/022635.html

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
A person who smiles in the face of adversity ... probably has a scapegoat.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From tmz at pobox.com Tue Jun 6 07:08:20 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Tue Jun 6 07:07:38 2006
Subject: signature comments?
In-Reply-To: <44850462.5080701@gmail.com>
References: <44850462.5080701@gmail.com>
Message-ID: <20060606050820.GD2258@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?

Use the comment option in your gpg.conf file. You can use this on the command line too, if you want. Perhaps you would do this if you wanted to change the comment based upon which key you were using to sign the message. How you'd incorporate that into a windows environment with thunderbird/enigmail is another question.

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
The ultimate result of shielding men from the effects of folly is to fill the world with fools.
-- Herbert Spencer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From alphasigmax at gmail.com Tue Jun 6 07:08:05 2006
From: alphasigmax at gmail.com (Alphax)
Date: Tue Jun 6 07:09:02 2006
Subject: signature comments?
In-Reply-To: <44850462.5080701@gmail.com>
References: <44850462.5080701@gmail.com>
Message-ID: <44850DB5.2090208@gmail.com>

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?
>

From the man page:

--comment string
--no-comments
Use string as a comment string in clear text signatures and ASCII armored messages or keys (see --armor).
The default behavior is not to use a comment string. --comment may be repeated multiple times to get multiple comment strings. --no-comments removes all comments. It is a good idea to keep the length of a single comment below 60 characters to avoid problems with mail programs wrapping such lines. Note that comment lines, like all other header lines, are not protected by the signature.

HTH,
--
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 569 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20060606/08de7468/signature.pgp

From tmz at pobox.com Tue Jun 6 07:32:26 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Tue Jun 6 07:31:47 2006
Subject: signature comments?
In-Reply-To: <44850462.5080701@gmail.com>
References: <44850462.5080701@gmail.com>
Message-ID: <20060606053226.GF2258@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?

In addition to the comment option, you may also find the sig-keyserver-url option useful in this respect as well. See the man page for details.

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Conscience is what hurts when everything else feels so good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.
-----END PGP SIGNATURE-----

From a24061 at yahoo.com Tue Jun 6 11:15:28 2006
From: a24061 at yahoo.com (Adam Funk)
Date: Tue Jun 6 11:19:23 2006
Subject: gnupg-agent not working...
References: <4484B9C3.7000202__5616.7918061421$1149549488$gmane$org@gmail.com>
Message-ID:

On 2006-06-05, Zach Himsel wrote:
>
> Hello,
> I am using Thunderbird with the Enigmail extension. It gets annoying
> to me to have to enter in my password every time I want to send a
> signed (every email) or encrypted (only some) email. Sure, it saves it
> for 5 minutes idle time, but it's not like someone is going to go on
> my computer and send emails signed by me as it is a private computer
> which only I have access to. In the past I have used the gnupg-agent

Under OpenPGP->Preferences->Basic you can set "Remember passphrase for ___ minutes of idle time" to any value up to 9999, which is almost 7 days.

From dirk.traulsen at lypso.de Tue Jun 6 09:36:11 2006
From: dirk.traulsen at lypso.de (Dirk Traulsen)
Date: Tue Jun 6 11:25:55 2006
Subject: some questions..
In-Reply-To: <9afe34fe0605271055g30ebca91p1a0f0074988ae9c0@mail.gmail.com>
Message-ID: <44854C8B.636.FB13342@dirk.traulsen.lypso.de>

On 27 May 2006 at 19:55, J?rgen Lysdal wrote:

> I have a revoker on my key that I would like to remove, but I can't
> find a way to do this. Can anyone help?

If you sent your key to a keyserver, then you are out of luck. There is no way to take something back you sent to a keyserver. You can only revoke things, but to add a revoker is irrevocable itself for security reasons. The only possibility for you is to revoke the key by yourself, but that is also the only damage a bad revoker can do to your key, so ...
As the addition of a revoker to a key is the addition of a signature, there is a non-trivial way to get rid of it, when and only when you kept the key for yourself. If this is the case, ask again and I will send you instructions.

> another question.
> When I sign a key, is there any way I can set an expiration time for
> the signature?

From mkontakt at gmail.com Tue Jun 6 13:07:37 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Tue Jun 6 13:06:30 2006
Subject: GnuPG internals
Message-ID: <20060606110737.GA10897@debian.mydomain.com>

I have found on the Internet that Mr. Koch gave a speech about gnupg internals and I would be very interested if any documents exist about this presentation or in any other doc about gnupg internals. I know that the source code is the best internal docs but I need a very quick overview.

Thanks in advance and best regards
Martin.

From blueness at gmx.net Tue Jun 6 13:34:10 2006
From: blueness at gmx.net (Mica Mijatovic)
Date: Tue Jun 6 13:34:09 2006
Subject: signature comments?
In-Reply-To: <44850462.5080701@gmail.com>
References: <44850462.5080701@gmail.com>
Message-ID: <333057846.20060606133410@gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Was Tue, 06 Jun 2006, at 00:28:18 -0400, when Zach wrote:

> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?

In your gpg.conf file, add this line...

comment "Some comment of yours."

...and all that is placed between quotation marks will appear in the "Comment:" line in your signature, like this...

Comment: Some comment of yours.

There can be lots of such comment lines, I don't know if their number is limited.

- --
Mica
PGP keys nestled at: http://blueness.port5.com/pgpkeys/
~~~ For personal mail please use my address as it is *exactly* given in my "From|Reply To" field(s).
~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn-4151 <>o<> tiger192 (MSYS/MinGW32)
-----END PGP SIGNATURE-----

From johnmoore3rd at joimail.com Tue Jun 6 13:37:53 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Tue Jun 6 13:36:47 2006
Subject: signatures
Message-ID: <44856911.8080900@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Todd Zullinger wrote:
> - gpg control packet
> Zach Himsel wrote:
>> I've always wondered how to get comments put under the signature
>> header... I've seen them on sigs before and would like to have my
>> public key address put there. Does anyone know how to do this?

If I am reading your Question correctly, You wish to add the 'Signature' which can be read *after* the message has been Decrypted. Using Thunderbird, go into Account Settings and there will be a Box in which to add your desired signature. This is done by 'Browsing' to a .txt File on your HD that contains the Signature you prefer.

If you intend upon using multiple signatures based upon addressee, whimsy, Key used, etc. then you should simply add the Extension 'Signature Switch' to Thunderbird.
JOHN 8-)
Timestamp: Tuesday 06 Jun 2006, 07:37 --400 (Eastern Daylight Time)
- --
Abolish the IRS: http://www.FairTax.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn4151: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From mkontakt at gmail.com Tue Jun 6 14:09:36 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Tue Jun 6 14:08:20 2006
Subject: sign and encrypt
In-Reply-To: <4484A908.7000008@chud.net>
References: <20060605214101.GA8379@debian.mydomain.com> <4484A908.7000008@chud.net>
Message-ID: <20060606120936.GA11033@debian.mydomain.com>

Yes, I meant this. I can think of other solutions as s-e-s or signing the header of email messages in separate mime part, but it would consume cpu, as you would not be able to sign a message and simply encrypt it n-times with recipients keys. So the best way around this problem is to educate users.

Thanks for your comment
Martin

On Mon, Jun 05, 2006 at 02:58:32PM -0700, Chris De Young wrote:
> mkontakt@gmail.com wrote:
> > I have seen in the spec rfc3156 that a message should be signed and
> > then encrypted, but hypothetically if I send a message to someone I do
> > not like and sign it and then encrypt it he/she can forward it to
> > someone else pretending that the message was originally from myself.
>
> I assume you mean forward the decrypted version, with the signature
> intact, since the encrypted version would only be readable by the
> intended recipient.
>
> Yes, this could happen, but it doesn't seem like a very big problem.
> The deception doesn't work if anything in the message itself indicates
> who the intended recipient is ("Hey Mike, [...]").
>
> Signing after encryption exposes more information about the message,
> which I think is the main reason it's discouraged. The encrypted
> version is already tamper-proof, since any alteration will break the
> decryption.
>
> -C
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From z.himsel at gmail.com Tue Jun 6 16:09:56 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Tue Jun 6 16:08:54 2006
Subject: signatures
In-Reply-To: <44856911.8080900@joimail.com>
References: <44856911.8080900@joimail.com>
Message-ID: <44858CB4.3060309@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/6/2006 7:37 AM, John W. Moore III wrote:
> Todd Zullinger wrote:
>>> - gpg control packet Zach Himsel wrote:
>>>> I've always wondered how to get comments put under the
>>>> signature header... I've seen them on sigs before and would
>>>> like to have my public key address put there. Does anyone
>>>> know how to do this?
>
> If I am reading your Question correctly, You wish to add the
> 'Signature' which can be read *after* the message has been
> Decrypted. Using Thunderbird, go into Account Settings and there
> will be a Box in which to add your desired signature. This is done
> by 'Browsing' to a .txt File on your HD that contains the Signature
> you prefer.
>
> If you intend upon using multiple signatures based upon addressee,
> whimsy, Key used, etc. then you should simply add the Extension
> 'Signature Switch' to Thunderbird.
>
> JOHN 8-) Timestamp: Tuesday 06 Jun 2006, 07:37 --400 (Eastern
> Daylight Time) -- Abolish the IRS: http://www.FairTax.org
>

What I meant was to add a comment after the header for the OpenPGP signature of a file. For instance when you cleartext sign an email (like this one) there are comments under the "BEGIN PGP SIGNATURE" header. I've figured it out though is enigmail. In the preferences for enigmail where it asks for the GnuPG executable, you can have enigmail append command line options. I just added the option "--comment [my comment]" so any time it signs an email, it will add the comment.

> _______________________________________________ Gnupg-users mailing
> list Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
>
> -- Zach Himsel
>
> |_|o|_| |_|_|o| |o|o|o|
>
> OpenPGP Public Key: http://zach-himsel.is.dreaming.org/ OpenPGP
> Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: KeyID: 0xFD04A326
-----END PGP SIGNATURE-----

From vedaal at hush.com Tue Jun 6 16:51:20 2006
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Jun 6 16:50:15 2006
Subject: sign and encrypt
Message-ID: <20060606145121.206BADA835@mailserver7.hushmail.com>

mkontakt at gmail.com mkontakt at gmail.com wrote on Tue Jun 6 14:09:36 CEST 2006 :

> I can think of other solutions as s-e-s or
> signing the header of email messages in separate mime part,
> but it would consume cpu, as you would not be able to sign a message
> and simply encrypt it n-times with recipients keys.

there is a simpler way,
just add the following line to the end of your message, before signing:

"this signed and encrypted message,
is intended for, and being encrypted to, the following key(s):
(list user id's and fingerprints)"

this will be unquestioned by all the recipients you really intended to encrypt to,

*but*

it doesn't deal with a potentially more difficult situation :

proving you signed something,
to someone whom you would prefer it 'not' proved to ;-((

i.e.
if one of your recipients later has a disagreement with you,
and wants to harm you by 'leaking/publicly posting' this material,

then any message that you sign and encrypt,
can be posted as a verifiable free-standing clearsigned or armored-signed text

the only way around this is to develop a type of 'deniable signature'
(i.e. the person you sent it to, knows you really signed it,
but can't prove it to anyone else)

maybe, once the open-pgp workgroup is ready to start with new ideas
for the next rfc revision, there can be some agreement about this
signature type
(there have been several interesting proposals)

for now, one of the ways of doing this (in pgp)
is to use a split-key/shared-key system,

a new key is 'split' to 2 or more public keys,
and signing privileges are set to '1' share

(signing privileges [and decrypting privileges]
can be set for 1 share, all shares, or any number in between,
so that it is possible to require the co-operation of 'all' sharers
to sign or decrypt)

when signing privileges are set to 1,
then 'any' of the sharers 'could have' signed it,
while all of them know who 'really' signed it,
--the one who 'sent' it

(this is especially true when there are only 2 sharers,
since the receiver knows that the receiver 'didn't' sign it)

posting it as a free-standing clearsigned message,
or re-encrypting and sending it to someone else,
still leaves the true signer's identity unprovable

so, again :-)

feature request,
(please, please :-) )

'split key/shared key' gnupg capability ...

Thanks,

vedaal

From JPClizbe at comcast.net Tue Jun 6 21:56:50 2006
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Jun 6 21:56:24 2006
Subject: signature comments?
In-Reply-To: <44850462.5080701@gmail.com>
References: <44850462.5080701@gmail.com>
Message-ID: <4485DE02.3070307@comcast.net>

Zach Himsel wrote:
> I've always wondered how to get comments put under the signature
> header... I've seen them on sigs before and would like to have my
> public key address put there. Does anyone know how to do this?
>
> Thanks.

Hi Zach,

Just add the comments lines you want to gpg.conf

    comment "OpenPGP Public Key: http://zach-himsel.is.dreaming.org/"
    comment "OpenPGP Public Key ID: 0xFD04A326"

gpg.conf on windows systems is usually found in %APPDATA%\GnuPG which expands to C:\Documents and Settings\\Application Data\GnuPG

Create or edit the file with the text editor of your choice.

You may alternatively specify the Key ID and retrieval URL as headers in your email message. In Thunderbird, select Tools --> 'Account Settings'. Then the 'OpenPGP Security' tab for the email address you wish to configure. The OpenPGP header settings are at the bottom of the panel.

--
John P. Clizbe                      Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"
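
The `comment` lines from gpg.conf described in the message above end up as `Comment:` armor headers, and per RFC 4880 armor headers are part of the armor, not of the signed message, so no signature covers them. The sketch below is an added example (not from the thread or from GnuPG); the sample message, its placeholder base64 body and the function names are constructed for illustration.

```python
import base64

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample. The armor headers copy the ones shown in this thread; the
# base64 body is a placeholder, not a real signature packet.
_PACKET = base64.b64encode(b"placeholder signature packet").decode()
SAMPLE = "\n".join([
    BEGIN_MSG, "Hash: SHA1", "",
    "How does the option below work?",
    "- --passphrase-fd n",            # dash-escaped line, as seen in the thread
    BEGIN_SIG,
    "Version: GnuPG v1.4.3 (MingW32)",
    "Comment: KeyID: 0xFD04A326",
    "",
    _PACKET, "=AAAA",                 # placeholder CRC-24 line, not checked here
    END_SIG, "",
])
# The same message with only the Comment header changed (also constructed).
RELABELLED = SAMPLE.replace("Comment: KeyID: 0xFD04A326",
                            "Comment: KeyID: 0x00000000")


def _headers(lines, i, stop):
    """Read 'Key: value' armor headers from lines[i:stop] up to the blank line."""
    found = []
    while i < stop and lines[i].strip():
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError("malformed armor header: %r" % lines[i])
        found.append((key, value))
        i += 1
    return found, i + 1  # index of the first line after the blank separator


def parse_clearsigned(text):
    """Split a clearsigned message into signed text, signature packet, headers."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start)
        end = lines.index(END_SIG, sig)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None

    hash_headers, body_at = _headers(lines, start + 1, sig)
    signed = []
    for line in lines[body_at:sig]:
        if line.startswith("- "):      # undo dash-escaping
            line = line[2:]
        signed.append(line.rstrip(" \t"))  # trailing whitespace is not signed

    armor_headers, data_at = _headers(lines, sig + 1, end)
    b64 = "".join(l for l in lines[data_at:end] if not l.startswith("="))
    return {
        # Canonical form: CRLF between lines, none after the last one.
        "signed_text": "\r\n".join(signed),
        "signature_packet": base64.b64decode(b64, validate=True),
        "hash_headers": hash_headers,
        "armor_headers": armor_headers,   # Version:/Comment:, never signed
    }


def differs_only_in_armor_headers(a, b):
    """True when two messages carry the same signed text and signature packet
    but different Version:/Comment: armor headers."""
    pa, pb = parse_clearsigned(a), parse_clearsigned(b)
    return (pa["signed_text"] == pb["signed_text"]
            and pa["signature_packet"] == pb["signature_packet"]
            and pa["armor_headers"] != pb["armor_headers"])


if __name__ == "__main__":
    parsed = parse_clearsigned(SAMPLE)
    print("signed text      :", repr(parsed["signed_text"]))
    print("unsigned headers :", parsed["armor_headers"])
    print("same signature, different comment:",
          differs_only_in_armor_headers(SAMPLE, RELABELLED))
```

A key ID or URL in a `Comment:` line is therefore only a hint; take the signer's key from what `gpg --verify` reports.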

From webdevlasvegas at yahoo.com Tue Jun 6 21:59:52 2006
From: webdevlasvegas at yahoo.com (webdevlv)
Date: Tue Jun 6 21:58:44 2006
Subject: Cannot decrypt this file for the life of me
In-Reply-To: <44800C1C.4000709@raphael.poss.name>
References: <4670580.post@talk.nabble.com> <44800C1C.4000709@raphael.poss.name>
Message-ID: <4740054.post@talk.nabble.com>

This is exactly what I needed. A no frillz answer. Worked like a charm! Thank you!!!
--
View this message in context: http://www.nabble.com/Cannot-decrypt-this-file-for-the-life-of-me-t1719517.html#a4740054
Sent from the GnuPG - User forum at Nabble.com.

From z.himsel at gmail.com Wed Jun 7 03:13:27 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Jun 7 03:12:36 2006
Subject: gnupg-agent not working...
In-Reply-To:
References:
Message-ID: <44862837.5030102@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On 6/6/2006 2:20 AM, Laurent Jumet wrote:
>
> === Begin Windows Clipboard ===
> - --passphrase-fd n Read the passphrase from file descriptor n. If you use 0
> for n, the passphrase will be read from stdin. This can only be used if only
> one passphrase is supplied.
> - --passphrase-file file Read the passphrase from file file. This can only be
> used if only one passphrase is supplied. Obviously, a passphrase stored in
> a file is of questionable security if other users can read this file. Don't use
> this option if you can avoid it.
> - --passphrase string Use string as the passphrase. This can only be used if
> only one passphrase is supplied. Obviously, this is of very questionable
> security on a multi-user system. Don't use this option if you can avoid it.
> === End Windows Clipboard ===

How does the --passphrase-fd option work? How do I use that to store/autoenter my password?

- --
Zach Himsel

|_|o|_|
|_|_|o|
|o|o|o|

OpenPGP Public Key: http://zach-himsel.is.dreaming.org/
OpenPGP Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: KeyID: 0xFD04A326

-----END PGP SIGNATURE-----

From alphasigmax at gmail.com Wed Jun 7 03:30:26 2006
From: alphasigmax at gmail.com (Alphax)
Date: Wed Jun 7 03:31:07 2006
Subject: gnupg-agent not working...
In-Reply-To: <44862837.5030102@gmail.com>
References: <44862837.5030102@gmail.com>
Message-ID: <44862C32.3020603@gmail.com>

Zach Himsel wrote:
>> On 6/6/2006 2:20 AM, Laurent Jumet wrote:
>
>> === Begin Windows Clipboard ===
[fixed indenting]
>> --passphrase-fd n
>>     Read the passphrase from file descriptor n. If you use 0 for
>>     n, the passphrase will be read from stdin. This can only be
>>     used if only one passphrase is supplied.
>>
>> --passphrase-file file
>>     Read the passphrase from file file. This can only be used if
>>     only one passphrase is supplied. Obviously, a passphrase
>>     stored in a file is of questionable security if other users
>>     can read this file. Don't use this option if you can avoid
>>     it.
>>
>> --passphrase string
>>     Use string as the passphrase. This can only be used if only
>>     one passphrase is supplied. Obviously, this is of very questionable
>>     security on a multi-user system. Don't use this
>>     option if you can avoid it.
>> === End Windows Clipboard ===
>
> How does the --passphrase-fd option work? How do I use that to
> store/autoenter my password?
>

A file descriptor is something like a stream or pipe.
Applications which communicate with gpg use --passphrase-fd to give gpg the passphrase. If you use --passphrase-fd 0, it will read it from standard in. Apart from that... explains it in more detail.

You could of course use --passphrase-file , provided the file is only readable by yourself, but on a MinGW32 platform this is quite unlikely. That leaves --passphrase-string, which is still a security risk.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From z.himsel at gmail.com Wed Jun 7 03:40:07 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Jun 7 03:38:56 2006
Subject: gnupg-agent not working...
In-Reply-To: <44862C32.3020603@gmail.com>
References: <44862837.5030102@gmail.com> <44862C32.3020603@gmail.com>
Message-ID: <44862E77.4010000@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 6/6/2006 9:30 PM, Alphax wrote:
> Zach Himsel wrote:
>>> On 6/6/2006 2:20 AM, Laurent Jumet wrote:
>>> === Begin Windows Clipboard ===
> [fixed indenting]
>>> --passphrase-fd n
>>>     Read the passphrase from file descriptor n. If you use 0 for
>>>     n, the passphrase will be read from stdin. This can only be
>>>     used if only one passphrase is supplied.
>>>
>>> --passphrase-file file
>>>     Read the passphrase from file file. This can only be used if
>>>     only one passphrase is supplied. Obviously, a passphrase
>>>     stored in a file is of questionable security if other users
>>>     can read this file. Don't use this option if you can avoid
>>>     it.
>>>
>>> --passphrase string
>>>     Use string as the passphrase. This can only be used if only
>>>     one passphrase is supplied. Obviously, this is of very questionable
>>>     security on a multi-user system.
>>>     Don't use this
>>>     option if you can avoid it.
>>> === End Windows Clipboard ===
>> How does the --passphrase-fd option work? How do I use that to
>> store/autoenter my password?
>>
>
> A file descriptor is something like a stream or pipe. Applications which
> communicate with gpg use --passphrase-fd to give gpg the passphrase. If
> you use --passphrase-fd 0, it will read it from standard in. Apart from
> that... explains it in
> more detail.
>
> You could of course use --passphrase-file , provided the file is
> only readable by yourself, but on a MinGW32 platform this is quite
> unlikely. That leaves --passphrase-string, which is still a security risk.
>

Ok, cool. Thanks, I think I got the --passphrase to work (with the string after it)

- --
Zach Himsel

|_|o|_|
|_|_|o|
|o|o|o|

OpenPGP Public Key: http://zach-himsel.is.dreaming.org/
OpenPGP Public Key ID: 0xFD04A326
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: KeyID: 0xFD04A326

-----END PGP SIGNATURE-----

From mkontakt at gmail.com Mon Jun 5 13:48:30 2006
From: mkontakt at gmail.com (mkontakt)
Date: Wed Jun 7 10:43:20 2006
Subject: sign and encrypt
Message-ID:

I have seen in the spec rfc3156 that a message should be signed and then encrypted, but hypothetically if I send a message to someone I do not like and sign it and then encrypt it he/she can forward it to someone else pretending that the message was originally from myself. Is there anything I have missed in spec or in gnupg to forbid this?

Thanks in advance
Martin

From mb at g10code.com Sat Jun 3 00:52:22 2006
From: mb at g10code.com (Marcus Brinkmann)
Date: Wed Jun 7 10:43:48 2006
Subject: [Announce] Gpg4win 1.0.2 released
Message-ID: <87odxbf9w9.wl%marcus.brinkmann@ruhr-uni-bochum.de>

Hi!

We are pleased to announce the availability of Gpg4win, version 1.0.2.

The gpg4win project aims at updating the gpg4win Windows installation package with GnuPG encryption tool, associated applications and documentation on a regular basis. Especially the documentation (handbooks "Einsteiger" and "Durchblicker") are directly maintained as part of the gpg4win project.

It is an international project. Due to the origin of the project the German language is fully supported. As of now the handbooks are only available in German. People helping with translations are very welcome!

The main difference compared to all other similar approaches (mainly GnuPP, GnuPT, Windows Privacy Tools and GnuPG-Basics) is that the first thing developed was the *gpg4win-Builder*. This builder allows to easily create new gpg4win.exe installers with updated components. The builder runs on any decent Unix system, preferable Debian GNU/Linux. Almost all products are automatically cross-compiled for integration into the installer.

With this concept it is hoped to *prevent quick aging of the* *installer package*. This is due to easier updating and less dependency on single developers.

Noteworthy changes in version 1.0.2 (2006-05-30)
------------------------------------------------

* Fixed a bug in GPA which led to a non-working backup on some Windows systems.

* Updated Sylpheed-Claws to the latest stable version.

* Included components are:

    GnuPG:          1.4.3
    WinPT:          0.12.1 [*]
    GPA:            0.7.3
    GPGol:          0.9.10
    GPGee:          1.3.1
    Sylpheed-Claws: 2.2.0  [*]
    Einsteiger:     2.0.2  [*]
    Durchblicker:   2.0.2  [*]

  (Marked packages are updated since the last release)

For installation instructions, please visit http://www.gpg4win.org or read on.

Developers who want to *build an installer* need to get the following files from http://wald.intevation.org/projects/gpg4win/ :

    gpg4win-1.0.2.tar.bz2 (3.9M)
    gpg4win-1.0.2.tar.bz2.sig

The second file is a digital signature of the first file. Either check that this signature is fine or compare with the checksums given below. (see also http://www.gnupg.org/download/integrity_check.html)

The *ready to use installer* is available at:

    http://ftp.gpg4win.org/gpg4win-1.0.2.exe (6.2M)
    http://ftp.gpg4win.org/gpg4win-1.0.2.exe.sig

Or using the ftp protocol at:

    ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.2.exe (6.2M)
    ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.2.exe.sig

SHA1 and MD5 checksums for these files are given below.

If you don't need the German PDF manuals, you might alternatively download the "light" version of the installer:

    http://ftp.gpg4win.org/gpg4win-light-1.0.2.exe (4.6M)
    http://ftp.gpg4win.org/gpg4win-light-1.0.2.exe.sig

or using the ftp protocol at:

    ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.2.exe (4.6M)
    ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.2.exe.sig

A separate installer with the sources used to build the above installer is available at:

    ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.2.exe (41M)
    ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.2.exe.sig

Most people don't need this source installer; it is merely stored on that server to satisfy the conditions of the GPL. In general it is better to get the gpg4win builder tarball (see above) and follow the instructions in the README to build new installers; building the installer is not possible on Windows machines and works best on current Debian GNU/Linux systems (we use the mingw32 package from Sid).

SHA1 checksums are:

    8d4aa1799096da33c8e961f44e5b5ceff0fc6647  gpg4win-1.0.2.exe
    ed93fc55e3cb221f2b0e0b96c660fb7d87f490bb  gpg4win-light-1.0.2.exe
    1d82a8f54819d487f6078aab4343fefa24504aa4  gpg4win-src-1.0.2.exe
    caa3c502645ece898281ca2f47cff4ce81657d0c  gpg4win-1.0.2.tar.bz2

MD5 checksums are:

    ce25314e788c0434ead74cfe0662f6c5  gpg4win-1.0.2.exe
    9886cbb42200393be5f3e0d019ee31ba  gpg4win-light-1.0.2.exe
    c216828825d606dcdfe9e1b70cb3fcc7  gpg4win-src-1.0.2.exe
    20f0588c5777cbe7834d751175fe98e2  gpg4win-1.0.2.tar.bz2

We like to thank the authors of the included packages, the NSIS authors, all other contributors and first of all, those folks who stayed with us and tested the early releases of gpg4win.

Happy hacking,

Jan, Marcus, Timo and Werner

--
Marcus Brinkmann
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From jeekay+gnupg at gmail.com Fri Jun 2 18:37:35 2006
From: jeekay+gnupg at gmail.com (Jee Kay)
Date: Wed Jun 7 10:43:59 2006
Subject: Generating a new secret key on windows with gnupg 1.4.3
Message-ID:

Whenever I try to generate a new secret key on Windows with gnupg 1.4.3, I get the following output immediately following the second request for my passphrase:

    gpg: NOTE: you should run 'diskperf -y' to enable the disk statistics

A few seconds after that, a Windows error box pops up with this message:

    Microsoft Visual C++ Runtime Library
    Runtime Error!
    Program: z:\gnupg\gpg.exe
    This application has requested the Runtime to terminate it in an unusual way.
    Please contact the application's support team for more information.

Has anyone seen anything like this or know where to start debugging it? I don't know if it makes any difference, but I have HKLU\Software\GNU\gpgProgram set to z:\gnupg\gnupg.exe and HomeDir is set to z:\gnupg.

Please keep me in CC on any replies as I am not subscribed.

Thanks in advance,
Ras

From alex at bofh.net.pl Wed Jun 7 11:08:58 2006
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Wed Jun 7 11:08:24 2006
Subject: sign and encrypt
In-Reply-To: <20060605214101.GA8379@debian.mydomain.com>
References: <20060605214101.GA8379@debian.mydomain.com>
Message-ID: <20060607090858.GC2799@hell.pl>

On Mon, Jun 05, 2006 at 11:41:01PM +0200, mkontakt@gmail.com wrote:
> I have seen in the spec rfc3156 that a message should be signed and
> then encrypted, but hypothetically if I send a message to someone I do
> not like and sign it and then encrypt it he/she can forward it to
> someone else pretending that the message was originally from myself.
> Is there anything I have missed in spec or in gnupg to forbid this?

read about eyes only option in gpg

alex

From michaelstefan at gmx.de Wed Jun 7 11:26:16 2006
From: michaelstefan at gmx.de (michaelstefan)
Date: Wed Jun 7 11:27:18 2006
Subject: GnuPG doesn't work with all user accounts
Message-ID: <4748100.post@talk.nabble.com>

Hello,

I'm trying to send crypted Mails with PHP and GnuPG. I've installed GnuPG imported PublicKeys and encrypted mails. It all works fine. Now, I wanted to add a Public key and this doesn't work anymore. The command --list-keys gives me:

    gpg: Warning: using insecure memory!
    gpg: [don't know]: invalid packet (ctb=03)
    gpg: read_keyblock: read error: invalid packet
    gpg: enum_keyblocks(read) failed: invalid keyring

With user root or other users --list-keys works fine. Only as the User of my Webserver I get these errors. The strange thing is, that encryption with the PublicKey I already imported (some time ago) still works fine. I'm only not able to import new keys or --list-keys.

in my php file I use the following command:

    /opt/gnupg/bin/gpg -a --always-trust --batch --no-secmem-warning -e -u "wwwrun" -r "Peter.Bromsberg@bromsberger.de"

this works. Has anybody an idea?

many thanks
Michael Schmidt
--
View this message in context: http://www.nabble.com/GnuPG-doesn%27t-work-with-all-user-accounts-t1746752.html#a4748100
Sent from the GnuPG - User forum at Nabble.com.

From z.himsel at gmail.com Wed Jun 7 11:45:46 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Jun 7 11:45:02 2006
Subject: sign and encrypt
In-Reply-To: <20060607090858.GC2799@hell.pl>
References: <20060605214101.GA8379@debian.mydomain.com> <20060607090858.GC2799@hell.pl>
Message-ID: <4486A04A.2000102@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Janusz A. Urbanowicz wrote:
| On Mon, Jun 05, 2006 at 11:41:01PM +0200, mkontakt@gmail.com wrote:
|> I have seen in the spec rfc3156 that a message should be signed and
|> then encrypted, but hypothetically if I send a message to someone I do
|> not like and sign it and then encrypt it he/she can forward it to
|> someone else pretending that the message was originally from myself.
|> Is there anything I have missed in spec or in gnupg to forbid this?
|
| read about eyes only option in gpg
|
| alex
|

Eyes Only?

- --
Zach Himsel
  _  /========|==========================\
   \ ||_|o|_| | (") ASCII Ribbon Campaign|
   ))||_|_|o| |  X  Against HTML email   |
  (( ||o|o|o| | / \ and vCard Signatures |
  ##_|========|==========================|
  ## |OpenPGP Public Key ID: 0xFD04A326  |
  (( |http://zach-himsel.is.dreaming.org |
   ))\===================================/
  _/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: =====================================
Comment: Zach Himsel
Comment: ____________________________________
Comment: | _ ASCII Ribbon Campaign|Key ID: |
Comment: |( ) against HTML email |0xFD04A326|
Comment: | X and vCard signatures |__________|
Comment: |/ \ | zach-himsel.is.dreaming.org |
Comment: """"""""""""""""""""""""""""""""""""""

-----END PGP SIGNATURE-----

From shavital at mac.com Wed Jun 7 13:00:59 2006
From: shavital at mac.com (Charly Avital)
Date: Wed Jun 7 13:00:12 2006
Subject: sign and encrypt
In-Reply-To: <4486A04A.2000102@gmail.com>
References: <20060605214101.GA8379@debian.mydomain.com> <20060607090858.GC2799@hell.pl> <4486A04A.2000102@gmail.com>
Message-ID: <4486B1EB.2030409@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Zach Himsel wrote the following on 6/7/06 5:45 AM:
> Janusz A. Urbanowicz wrote:
>[...] |> Is there anything I have missed in spec or in gnupg to forbid this?
> |
> | read about eyes only option in gpg
> |
> | alex
>
> Eyes Only?

Aka 'Secure viewer'.

- From man gpg:

- --for-your-eyes-only
- --no-for-your-eyes-only
    Set the `for your eyes only' flag in the message.
    This causes GnuPG to refuse to save the file unless the --output
    option is given, and PGP to use the "secure viewer" with a
    Tempest-resistant font to display the message. This option
    overrides --set-filename. --no-for-your-eyes-only disables this
    option.

About Tempest:

Charly
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From johnmoore3rd at joimail.com Wed Jun 7 13:30:55 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Wed Jun 7 13:29:48 2006
Subject: sign and encrypt
In-Reply-To: <4486A04A.2000102@gmail.com>
References: <20060605214101.GA8379@debian.mydomain.com> <20060607090858.GC2799@hell.pl> <4486A04A.2000102@gmail.com>
Message-ID: <4486B8EF.2020108@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Zach Himsel wrote:
> - gpg control packet
> Janusz A. Urbanowicz wrote:
> | On Mon, Jun 05, 2006 at 11:41:01PM +0200, mkontakt@gmail.com wrote:
> |> I have seen in the spec rfc3156 that a message should be signed and
> |> then encrypted, but hypothetically if I send a message to someone I do
> |> not like and sign it and then encrypt it he/she can forward it to
> |> someone else pretending that the message was originally from myself.
> |> Is there anything I have missed in spec or in gnupg to forbid this?
> |
> | read about eyes only option in gpg

> Eyes Only?

for-your-eyes-only is an Option within GnuPG that enables the same properties as 'Secure Viewer' does in PGP.
One difference; the Tempest fonted viewing screen seen in PGP is unique to the PGP GUI.

The complete description may be found in the GnuPG Manual.

JOHN ;)
Timestamp: Wednesday 07 Jun 2006, 07:29 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn4151: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From hauser at acm.org Wed Jun 7 16:43:35 2006
From: hauser at acm.org (Ralf Hauser)
Date: Wed Jun 7 18:26:02 2006
Subject: how to authenticate an ldaps keyserver lookup
Message-ID: <006601c68a40$c2740040$2101a8c0@AcerRalf>

Hi,

A closed community would like to use gpg to retrieve the keys of other members. To keep the community closed and protect them from spam, they would like to query an ldap server through SSL with username password authentication.

While gpg appears to support "ldaps", I didn't see a way to communicate that username/password pair in a lookup like

    gpg --keyserver ldaps://somehost:636 --search micky

Also the --keyserver-options parameters do not appear to offer taking a password.

How can this be done with gpg?

Furthermore, when trying to do that with apache's ldap server, it did not like the SSL it got from my gpg (http://issues.apache.org/jira/browse/DIR-185).

Has anyone experienced the same? Any hints would be highly appreciated.

Regards
Ralf

P.S.: With http://sourceforge.net/projects/jxplorer both the password and the SSL problem do not occur, but I'd rather not ask the users of the community to install yet another security tool - hopefully gpg can do that!

From dshaw at jabberwocky.com Wed Jun 7 18:59:47 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jun 7 18:58:45 2006
Subject: how to authenticate an ldaps keyserver lookup
In-Reply-To: <006601c68a40$c2740040$2101a8c0@AcerRalf>
References: <006601c68a40$c2740040$2101a8c0@AcerRalf>
Message-ID: <20060607165947.GA15101@jabberwocky.com>

On Wed, Jun 07, 2006 at 04:43:35PM +0200, Ralf Hauser wrote:
> Hi,
>
> A closed community would like to use gpg to retrieve the keys of other members. To keep the community closed and protect them from spam, they would like to query an ldap server through SSL with username password authentication.
>
> While gpg appears to support "ldaps", I didn't see a way to communicate that username/password pair in a lookup like
>
> gpg --keyserver ldaps://somehost:636 --search micky
>
> Also the --keyserver-options parameters do not appear to offer taking a password.
>
> How can this be done with gpg?

First make sure you're using the latest version (1.4.3), then you can do:

    keyserver ldaps://somehost binddn=xxxx bindpw=xxxx

binddn is the LDAP DN to bind to, and bindpw is the password to use.

> Furthermore, when trying to do that with apache's ldap server, it did not like the SSL it got from my gpg (http://issues.apache.org/jira/browse/DIR-185).
>
> Has anyone experienced the same? Any hints would be highly appreciated.

Try adding "keyserver-options debug=1" and running it again to get some idea what GPG is seeing.

David

From dshaw at jabberwocky.com Wed Jun 7 19:08:02 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed Jun 7 19:06:54 2006
Subject: sign and encrypt
In-Reply-To: <4486B8EF.2020108@joimail.com>
References: <20060605214101.GA8379@debian.mydomain.com> <20060607090858.GC2799@hell.pl> <4486A04A.2000102@gmail.com> <4486B8EF.2020108@joimail.com>
Message-ID: <20060607170802.GB15101@jabberwocky.com>

On Wed, Jun 07, 2006 at 07:30:55AM -0400, John W. Moore III wrote:
> Zach Himsel wrote:
> > - gpg control packet
> > Janusz A. Urbanowicz wrote:
> > | On Mon, Jun 05, 2006 at 11:41:01PM +0200, mkontakt@gmail.com wrote:
> > |> I have seen in the spec rfc3156 that a message should be signed and
> > |> then encrypted, but hypothetically if I send a message to someone I do
> > |> not like and sign it and then encrypt it he/she can forward it to
> > |> someone else pretending that the message was originally from myself.
> > |> Is there anything I have missed in spec or in gnupg to forbid this?
> > |
> > | read about eyes only option in gpg
>
> > Eyes Only?
>
> for-your-eyes-only is an Option within GnuPG that enables the same
> properties as 'Secure Viewer' does in PGP. One difference; the Tempest
> fonted viewing screen seen in PGP is unique to the PGP GUI.
>
> The complete description may be found in the GnuPG Manual.

Note that eyes only does not prevent forwarding. It is an advisory flag only (i.e. "please don't forward this").

David

From unknown_kev_cat at hotmail.com Wed Jun 7 21:08:05 2006
From: unknown_kev_cat at hotmail.com (Joe Smith)
Date: Wed Jun 7 21:09:42 2006
Subject: sign and encrypt
References: <20060606145121.206BADA835__458.100174046372$1149609881$gmane$org@mailserver7.hushmail.com>
Message-ID:

wrote in message news:20060606145121.206BADA835__458.100174046372$1149609881$gmane$org@mailserver7.hushmail.com...
> it doesn't deal with a potentially more difficult situation :
>
> proving you signed something,
> to someone whom you would prefer it 'not' proved to ;-((

Encrypt and then sign does not have this problem, unless the other person is willing to sacrifice his/her private key. To avoid leaking information via the signature Encrypt-sign-encrypt could work.

From vedaal at hush.com Wed Jun 7 23:20:39 2006
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Jun 7 23:19:37 2006
Subject: sign and encrypt
Message-ID: <20060607212039.80F41DA826@mailserver8.hushmail.com>

Joe Smith unknown_kev_cat at hotmail.com
wrote on Wed Jun 7 21:08:05 CEST 2006 :

> Encrypt and then sign does not have this problem,
> unless the other person is willing to sacrifice
> his/her private key.
> To avoid leaking information via the signature
> Encrypt-sign-encrypt could work.

no

the receiver could simply post the message and the session keys,

it also doesn't protect against surreptitious forwarding,

the receiver can decrypt the outer layer,
and leave the inner encrypted layer, with the signature intact,
and re-encrypt to any other key and send it along

vedaal

From mkontakt at gmail.com Wed Jun 7 23:34:35 2006
From: mkontakt at gmail.com (mkontakt)
Date: Wed Jun 7 23:33:26 2006
Subject: gpgsm
Message-ID:

Sorry to bother, but are there any differences between gpg and gpgsm apps. The only difference I can see is the supported standards (OpenPGP, S/MIME). Should I see gpgsm as a supplement to gpg and pre-version for gpg2, which is the version with both standards implemented?

Thanks in advance
Martin

From widhalmt at unix.sbg.ac.at Thu Jun 8 11:22:09 2006
From: widhalmt at unix.sbg.ac.at (Thomas Widhalm)
Date: Thu Jun 8 11:21:57 2006
Subject: gpgsm
In-Reply-To:
References:
Message-ID: <4487EC41.9050701@unix.sbg.ac.at>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As far as I got from the documentation, gpgsm is no replacement but an extension for gpg (even when it may be run alone) for using S/MIME.

mkontakt wrote:
> Sorry to bother, but are there any differences between gpg and gpgsm
> apps. The only difference I can see is the supported standards
> (OpenPGP, S/MIME). Should I see gpgsm as a supplement to gpg and
> pre-version for gpg2, which is the version with both standards
> implemented?
>
> Thanks in advance
> Martin
>

- --
*****************************************************************
* Thomas Widhalm             Unix Administrator                 *
* University of Salzburg     ITServices (ITS)                   *
* Systems Management         Unix Systems                       *
* Hellbrunnerstr. 34         5020 Salzburg, Austria             *
* widhalmt@unix.sbg.ac.at    +43/662/8044-6774                  *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From z.himsel at gmail.com Fri Jun 9 02:58:58 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Fri Jun 9 02:57:51 2006
Subject: RSA vs DSA/ElGamal
Message-ID: <4488C7D2.2040105@gmail.com>

My private key was recently compromised (Which sucks, I know). I was in the process of generating a new keypair when I realized "Why do I use RSA? What's the difference".
Hence my question :)

If I *do* use DSA/ElGamal, what bitrate should I use? I know there are FAQs and documentations that say to use a certain bitrate, but I would like to know the reason behind that...

Thanks.

--
Zach Himsel
,=========|==========================.
| |_|o|_| | (`) ASCII Ribbon Campaign|
| |_|_|o| | X Against HTML email |
| |o|o|o| | / \ and vCard Signatures |
|=========|==========================|
| OpenPGP Public Key ID: 0x???????? |
| http://zach-himsel.is.dreaming.org |
`===================================='

From johnmoore3rd at joimail.com Fri Jun 9 05:45:24 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Jun 9 05:44:28 2006
Subject: RSA vs DSA/ElGamal
In-Reply-To: <4488C7D2.2040105@gmail.com>
References: <4488C7D2.2040105@gmail.com>
Message-ID: <4488EED4.8030109@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Zach Himsel wrote:
> My private key was recently compromised (Which sucks, I know). I was in
> the process of generating a new keypair when I realized "Why do I use
> RSA? What's the difference". Hence my question :)
>
> If I *do* use DSA/ElGamal, what bitrate should I use? I know there are
> FAQs and documentations that say to use a certain bitrate, but I would
> like to know the reason behind that...

My personal preference is for an RSA signing Key with an ElGamal encryption sub-Key. My reasons are twofold:

RSA Keys have *all* the hash functions available to them. Nothing truncated.

RSA Keys are more difficult to 'forge' signatures due to the built in "firewall", for lack of a better word. Much has been written on PGP-Basics regarding this ability within RSA Keys. Robert J. Hansen also explains this very well in his 'Un-Official PGP FAQ' which is accessible from my Homepage.

I use an ElGamal encryption sub-Key solely because I feel that bit-for-bit, ElGamal is the stronger. Others can & may differ.
The way to avail yourself of all the Options in Key Generation is simply to add the single word _expert_ to your gpg.conf File. This single, 1 word line in gpg.conf will also allow you to accomplish a lot of silly things. For instance, absurdly large Keys may be generated.

If by 'bitrate' (bit rate?) you are referring to the hash function, you are limited to a 160 bit Hash and I'd suggest RIPEMD160. If you are using a Compiled version of 1.4.4 and have decided to generate a DSA2 Key, then I'd specify SHA256 to obtain security & maximum verification compatibility.

JOHN ;)
Timestamp: Thursday 08 Jun 2006, 23:43 --400 (Eastern Daylight Time)

From johnmoore3rd at joimail.com Fri Jun 9 06:18:32 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Jun 9 06:17:34 2006
Subject: RSA vs DSA/ElGamal
In-Reply-To: <4488F4A7.7090908@gmail.com>
References: <4488C7D2.2040105@gmail.com> <4488EED4.8030109@joimail.com> <4488F4A7.7090908@gmail.com>
Message-ID: <4488F698.5020305@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Zach Himsel wrote:
> I created a RSA key that can sign and encrypt (only one key, no subkey).
> Is that ok? Or is that a security and/or performance weakness? Or is it
> better?

That's Fine!
There is *no* security weakness there; as long as the Key size is 2048 you should be in great shape.

Assuming you still have control over your 'compromised' Key you may wish to generate a Revocation Certificate for it and Import it into your Key and then send the Old/Original Key (now Revoked) to the Keyservers so no one will attempt to use it in the future.

Word of Caution: If you have any Files encrypted using the Old/Original Key; Decrypt them first.

JOHN ;)
Timestamp: Friday 09 Jun 2006, 00:18 --400 (Eastern Daylight Time)

From z.himsel at gmail.com Fri Jun 9 06:31:18 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Fri Jun 9 06:30:11 2006
Subject: RSA vs DSA/ElGamal
In-Reply-To: <4488F698.5020305@joimail.com>
References: <4488C7D2.2040105@gmail.com> <4488EED4.8030109@joimail.com> <4488F4A7.7090908@gmail.com> <4488F698.5020305@joimail.com>
Message-ID: <4488F996.6080003@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

John W. Moore III wrote:
> Zach Himsel wrote:
>
>>> I created a RSA key that can sign and encrypt (only one key, no subkey).
>>> Is that ok? Or is that a security and/or performance weakness? Or is it
>>> better?
>
> That's Fine! There is *no* security weakness there; as long as the Key
> size is 2048 you should be in great shape.
>
> Assuming you still have control over your 'compromised' Key you may wish
> to generate a Revocation Certificate for it and Import it into your Key
> and then send the Old/Original Key (now Revoked) to the Keyservers so no
> one will attempt to use it in the future.
>
> Word of Caution: If you have any Files encrypted using the Old/Original
> Key; Decrypt them first.
>
> JOHN ;)
> Timestamp: Friday 09 Jun 2006, 00:18 --400 (Eastern Daylight Time)

I'm way ahead of you :) I already sent out the revocation signature to the keyservers. I've already decrypted all the files that I can think of. I'm also keeping the floppy with the original (before it was revoked) secret key, and the revocation certificate in case I come across another file.

- --
Zach Himsel
,=========|==========================.
| |_|o|_| | (`) ASCII Ribbon Campaign|
| |_|_|o| | X Against HTML email |
| |o|o|o| | / \ and vCard Signatures |
|=========|==========================|
| OpenPGP Public Key ID: 0xD1093592 |
| http://zach-himsel.is.dreaming.org |
`===================================='

From rmyster at gmail.com Fri Jun 9 08:07:44 2006
From: rmyster at gmail.com (rmyster)
Date: Fri Jun 9 09:55:59 2006
Subject: sha2 utilities: Print or check SHA-2 digests
Message-ID: <1149833264.1828.18.camel@SuSE.site>

--------------------------------------------------------------------
From the coreutils documentation, it states:
"6.6 sha2 utilities: Print or check SHA-2 digests

The commands sha224sum, sha256sum, sha384sum and sha512sum compute checksums of various lengths (respectively 224, 256, 384 and 512 bits), collectively known as the SHA-2 hashes..."
---------------------------------------------------------------------

Coreutils is installed but there isn't any sha224sum, sha256sum, sha384sum or sha512sum commands available. Is sha2 utilities part of some other package?

TIA

From mlisten at hammernoch.net Fri Jun 9 12:01:07 2006
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri Jun 9 12:00:08 2006
Subject: RSA vs DSA/ElGamal
In-Reply-To: <4488F698.5020305@joimail.com>
References: <4488C7D2.2040105@gmail.com> <4488EED4.8030109@joimail.com> <4488F4A7.7090908@gmail.com> <4488F698.5020305@joimail.com>
Message-ID: <448946E3.2050100@hammernoch.net>

Hi,

On 09.06.2006 at 6:18, John W. Moore III wrote:

> Word of Caution: If you have any Files encrypted using the Old/Original
> Key; Decrypt them first.

Generally: Decryption works fine even with a revoked key. However, if there's only the slightest possibility that the private key is not solely under the owner's control, then encrypted files should be decrypted and then reencrypted with the new key. One should never ever delete a revoked key - there still might be a forgotten old backup encrypted to the old key!
Ludwig

From dshaw at jabberwocky.com Fri Jun 9 14:04:35 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jun 9 14:03:40 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <1149833264.1828.18.camel@SuSE.site>
References: <1149833264.1828.18.camel@SuSE.site>
Message-ID: <20060609120435.GB13312@jabberwocky.com>

On Fri, Jun 09, 2006 at 12:07:44AM -0600, rmyster wrote:
> --------------------------------------------------------------------
> From the coreutils documentation, it states:
> "6.6 sha2 utilities: Print or check SHA-2 digests
>
> The commands sha224sum, sha256sum, sha384sum and sha512sum compute
> checksums of various lengths (respectively 224, 256, 384 and 512 bits),
> collectively known as the SHA-2 hashes..."
> ---------------------------------------------------------------------
>
>
> Coreutils is installed but there isn't any sha224sum, sha256sum,
> sha384sum or sha512sum commands available. Is sha2 utilities part of
> some other package?

I'm not sure if I fully understand your question (coreutils has nothing to do with GnuPG), but GnuPG does have the SHA2 hashes:

  gpg --print-md sha256 (thefile)
  gpg --print-md sha384 (thefile)
  gpg --print-md sha512 (thefile)

The next version of GPG will add:

  gpg --print-md sha224 (thefile)

David

From snoken at tunedal.nu Fri Jun 9 16:04:52 2006
From: snoken at tunedal.nu (Snoken)
Date: Fri Jun 9 20:56:01 2006
Subject: PGP zip
Message-ID: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I cannot find any "gpg-zip"-program after installing GnuPG 1.4.3 for Windows.

The announce message tells:

"Added "gpg-zip", a program to create encrypted archives that can interoperate with PGP Zip."

Snoken

From dshaw at jabberwocky.com Fri Jun 9 21:07:57 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jun 9 21:06:54 2006
Subject: PGP zip
In-Reply-To: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
References: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
Message-ID: <20060609190757.GB15008@jabberwocky.com>

On Fri, Jun 09, 2006 at 04:04:52PM +0200, Snoken wrote:
> Hi,
> I cannot find any "gpg-zip"-program after installing GnuPG
> 1.4.3 for Windows.
>
> The announce message tells:
>
> "Added "gpg-zip", a program to create encrypted archives that can
> interoperate with PGP Zip."

It only exists in GnuPG for Unix-like systems (it's a shell script that calls GPG).

David

From johnmoore3rd at joimail.com Fri Jun 9 21:15:26 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Jun 9 21:14:31 2006
Subject: PGP zip
In-Reply-To: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
References: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
Message-ID: <4489C8CE.3090605@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Snoken wrote:
> Hi,
> I cannot find any "gpg-zip"-program after installing GnuPG
> 1.4.3 for Windows.
>
> The announce message tells:
>
> "Added "gpg-zip", a program to create encrypted archives that can
> interoperate with PGP Zip."

gpg.zip has nothing to do with M$ O/S's. It's there, but you'll never use/need it.
JOHN ;)
Timestamp: Friday 09 Jun 2006, 15:14 --400 (Eastern Daylight Time)

From tmz at pobox.com Fri Jun 9 21:58:07 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Fri Jun 9 22:03:12 2006
Subject: PGP zip
In-Reply-To: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
References: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu>
Message-ID: <20060609195807.GC32667@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Snoken wrote:
> Hi,
> I cannot find any "gpg-zip"-program after installing GnuPG
> 1.4.3 for Windows.
>
> The announce message tells:
>
> "Added "gpg-zip", a program to create encrypted archives that can
> interoperate with PGP Zip."

On my linux system, gpg-zip is a shell script. I'm guessing that it's not installed on windows because there isn't an sh compatible shell there. Perhaps if you were using cygwin you could get it to work, but I don't know.

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

From rmyster at gmail.com Fri Jun 9 23:57:59 2006
From: rmyster at gmail.com (rmyster)
Date: Fri Jun 9 23:58:49 2006
Subject: sha2 utilities: Print or check SHA-2 digests
Message-ID: <1149890279.22594.22.camel@SuSE.site>

On Fri, 9 Jun 2006 at 08:04:35 -0400, David Shaw wrote:

> > Coreutils is installed but there isn't any sha224sum, sha256sum,
> > sha384sum or sha512sum commands available. Is sha2 utilities part
> of some other package?
>
> I'm not sure if I fully understand your question (coreutils has
> nothing to do with GnuPG), but GnuPG does have the SHA2 hashes:
>
> gpg --print-md sha256 (thefile)
> gpg --print-md sha384 (thefile)
> gpg --print-md sha512 (thefile)
>
> The next version of GPG will add:
>
> gpg --print-md sha224 (thefile)
>
> David
>

The question was how to obtain these values with the commands listed in the coreutils documentation. Could point me to where you obtained these options since they aren't listed in the gpg docs(man gpg,info gpg, etc)?

In any event, thanks. I'll just create some scripts to alias yours to what I was trying to use from the coreutils manual.

From dshaw at jabberwocky.com Sat Jun 10 00:08:34 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jun 10 00:07:27 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <1149890279.22594.22.camel@SuSE.site>
References: <1149890279.22594.22.camel@SuSE.site>
Message-ID: <20060609220834.GC15107@jabberwocky.com>

On Fri, Jun 09, 2006 at 03:57:59PM -0600, rmyster wrote:
> On Fri, 9 Jun 2006 at 08:04:35 -0400, David Shaw wrote:
>
> > > Coreutils is installed but there isn't any sha224sum, sha256sum,
> > > sha384sum or sha512sum commands available. Is sha2 utilities part
> > of some other package?
> >
> > I'm not sure if I fully understand your question (coreutils has
> > nothing to do with GnuPG), but GnuPG does have the SHA2 hashes:
> >
> > gpg --print-md sha256 (thefile)
> > gpg --print-md sha384 (thefile)
> > gpg --print-md sha512 (thefile)
> >
> > The next version of GPG will add:
> >
> > gpg --print-md sha224 (thefile)
> >
> > David
> >
>
> The question was how to obtain these values with the commands listed in
> the coreutils documentation. Could point me to where you obtained these
> options since they aren't listed in the gpg docs(man gpg,info gpg,
> etc)?

Man page:

  --print-md algo [files]
  --print-mds [files]
      Print message digest of algorithm ALGO for all given files or stdin. With the second form (or a deprecated "*" as algo) digests for all available algorithms are printed.

David

From tmz at pobox.com Sat Jun 10 00:40:11 2006
From: tmz at pobox.com (Todd Zullinger)
Date: Sat Jun 10 00:39:29 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <20060609220834.GC15107@jabberwocky.com>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com>
Message-ID: <20060609224011.GA21350@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Shaw wrote:
> Man page:
>
> --print-md algo [files]
> --print-mds [files]
> Print message digest of algorithm ALGO for all given
> files or stdin. With the second form (or a
> deprecated "*" as algo) digests for all available
> algorithms are printed.

Would it be slightly more consistent to use hash instead of algo here? And/or to note somewhere that the list of available hash algorithms is the same as what's printed by gpg --version on the Hash: line?

I imagine that with a slight amount of autofoo the same list that's printed by the --version option could be added to the man page here as well.
- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
It is easier to fight for one's principles than to live up to them.
-- Alfred Adler

From rmyster at gmail.com Sat Jun 10 00:35:43 2006
From: rmyster at gmail.com (rmyster)
Date: Sat Jun 10 01:41:19 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <20060609220834.GC15107@jabberwocky.com>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com>
Message-ID: <1149892544.25239.13.camel@SuSE.site>

On Fri, 2006-06-09 at 18:08 -0400, David Shaw wrote:
> >
> > The question was how to obtain these values with the commands listed in
> > the coreutils documentation. Could point me to where you obtained these
> > options since they aren't listed in the gpg docs(man gpg,info gpg,
> > etc)?
>
> Man page:
>
> --print-md algo [files]
> --print-mds [files]
> Print message digest of algorithm ALGO for all given files or
> stdin. With the second form (or a deprecated "*" as algo)
> digests for all available algorithms are printed.
>
> David
>

Oh.......I never would have made the connection. I can see what it refers to now but when I read it, the algorithm "ALGO" was one I had never heard of. Realistically, I wouldn't have caught it even if it was written as "--print-md [files]"

Thanks again!
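Earlier in this thread rmyster says he will script David Shaw's `gpg --print-md` commands to stand in for the missing sha256sum-style tools; the following sketch of such a wrapper is an added example, not code posted by anyone on the list. The function names (`raw_digest`, `normalize_digest`, `digest_len`, `sha2_sum`, `sha2_check`) are hypothetical, and it assumes gpg prints only the grouped upper-case hex digest when it reads from stdin.

```shell
#!/bin/sh
# Added example: sha256sum-style helpers on top of `gpg --print-md`.
# All function names here are hypothetical.

# Raw gpg digest of stdin for algorithm $1. Reading stdin means gpg prints
# only the hex groups, with no "filename:" prefix to strip.
raw_digest() {
    gpg --print-md "$1"
}

# gpg prints upper-case hex in space-separated groups and wraps long digests
# over several lines; collapse that to one lower-case hex string.
normalize_digest() {
    tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Hex length of each digest, used to catch truncated or unexpected output.
digest_len() {
    case "$1" in
        sha256) echo 64 ;;
        sha384) echo 96 ;;
        sha512) echo 128 ;;
        *) return 1 ;;
    esac
}

# sha2_sum ALGO FILE: print "<hex>  FILE", the coreutils checksum-line layout.
sha2_sum() {
    want=$(digest_len "$1") || { echo "unsupported algorithm: $1" >&2; return 2; }
    [ -r "$2" ] || { echo "cannot read: $2" >&2; return 2; }
    hex=$(raw_digest "$1" < "$2" | normalize_digest)
    # A gpg failure shows up here as empty, short or non-hex output.
    case "$hex" in
        ''|*[!0-9a-f]*) echo "unexpected gpg output for $2" >&2; return 2 ;;
    esac
    [ "${#hex}" -eq "$want" ] || { echo "wrong digest length for $2" >&2; return 2; }
    printf '%s  %s\n' "$hex" "$2"
}

# sha2_check ALGO LIST: verify every "<hex>  <file>" line in LIST.
# Returns 0 only if all listed files match their recorded digest.
sha2_check() {
    check_algo=$1
    check_failed=0
    while read -r expected name; do
        [ -n "$expected" ] || continue
        name=${name#\*}    # drop the coreutils binary-mode marker, if any
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        actual=$(sha2_sum "$check_algo" "$name" 2>/dev/null | cut -d' ' -f1)
        if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED"
            check_failed=1
        fi
    done < "$2"
    return "$check_failed"
}
```

`sha2_sum sha256 file > file.sha256` records a digest and `sha2_check sha256 file.sha256` verifies it later; a missing file or a failed gpg run is reported as FAILED rather than silently skipped.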
From alphasigmax at gmail.com Sat Jun 10 06:42:11 2006
From: alphasigmax at gmail.com (Alphax)
Date: Sat Jun 10 06:43:54 2006
Subject: PGP zip
In-Reply-To: <20060609195807.GC32667@psilocybe.teonanacatl.org>
References: <7.0.1.0.2.20060609160125.03483bb0@radvis.nu> <20060609195807.GC32667@psilocybe.teonanacatl.org>
Message-ID: <448A4DA3.4080208@gmail.com>

Todd Zullinger wrote:
> Snoken wrote:
>> Hi,
>> I cannot find any "gpg-zip"-program after installing GnuPG
>> 1.4.3 for Windows.
>
>> The announce message tells:
>
>> "Added "gpg-zip", a program to create encrypted archives that can
>> interoperate with PGP Zip."
>
> On my linux system, gpg-zip is a shell script. I'm guessing that it's
> not installed on windows because there isn't an sh compatible shell
> there. Perhaps if you were using cygwin you could get it to work, but
> I don't know.
>

Minimum requirement is MSYS, which is a small set of the Cygwin tools. Never used gpg-zip myself though.

--
Alphax
Death to all fanatics! Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From mkontakt at gmail.com Sat Jun 10 10:15:35 2006
From: mkontakt at gmail.com (mkontakt)
Date: Sat Jun 10 10:14:29 2006
Subject: GnuPG internals
Message-ID:

I have found on the Internet that Mr. Koch gave a speech about gnupg internals and I would be very interested if any documents exist about this presentation or in any other doc about gnupg internals. I know that the source code is the best internal docs but I need a very quick overview.

Thanks in advance and best regards Martin.
From qed at tiscali.it Sat Jun 10 11:27:11 2006
From: qed at tiscali.it (Qed)
Date: Sat Jun 10 12:01:32 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <1149892544.25239.13.camel@SuSE.site>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com> <1149892544.25239.13.camel@SuSE.site>
Message-ID: <448A906F.7030804@tiscali.it>

On 06/10/2006 12:35 AM, rmyster wrote:
>> --print-md algo [files]
>> --print-mds [files]
>> Print message digest of algorithm ALGO for all given files or
>> stdin. With the second form (or a deprecated "*" as algo)
>> digests for all available algorithms are printed.
>
> Oh.......I never would have made the connection. I can see what it
> refers to now but when I read it, the algorithm "ALGO" was one I had
> never heard of. Realistically, I wouldn't have caught it even if it was
> written as "--print-md [files]"

Ever heard of the funny story about the user calling helpdesk because cannot find the "any key" on his keyboard? ;-)

--
Q.E.D.
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!

From johanw at vulcan.xs4all.nl Sat Jun 10 13:15:33 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Sat Jun 10 13:18:59 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <20060609220834.GC15107@jabberwocky.com>
Message-ID: <200606101115.k5ABFXdu004538@vulcan.xs4all.nl>

David Shaw wrote:

> --print-mds [files]
> Print message digest of algorithm ALGO for all given files or
> stdin. With the second form (or a deprecated "*" as algo)
> digests for all available algorithms are printed.

Why is * deprecated anyway? Seems useful to me if you don't know the hash used and want to check quick. The chance of a file being hashed with hash 1 being tampered with so that it produces the same hash in hash algo B seems pretty small to me.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Sat Jun 10 14:16:01 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jun 10 14:15:00 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <200606101115.k5ABFXdu004538@vulcan.xs4all.nl>
References: <20060609220834.GC15107@jabberwocky.com> <200606101115.k5ABFXdu004538@vulcan.xs4all.nl>
Message-ID: <20060610121601.GB15370@jabberwocky.com>

On Sat, Jun 10, 2006 at 01:15:33PM +0200, Johan Wevers wrote:
> David Shaw wrote:
>
> > --print-mds [files]
> > Print message digest of algorithm ALGO for all given files or
> > stdin. With the second form (or a deprecated "*" as algo)
> > digests for all available algorithms are printed.
>
> Why is * deprecated anyway? Seems useful to me if you don't know the hash
> used and want to check quick. The chance of a file being hashed with hash 1
> being tampered with so that it produces the same hash in hash algo B seems
> pretty small to me.

"--print-md * file" is deprecated in favor of "--print-mds". The functionality is still there. Just the name is different.

David

From rmyster at gmail.com Sat Jun 10 15:03:40 2006
From: rmyster at gmail.com (rmyster)
Date: Sat Jun 10 15:04:24 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <448A906F.7030804@tiscali.it>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com> <1149892544.25239.13.camel@SuSE.site> <448A906F.7030804@tiscali.it>
Message-ID: <1149944620.29178.19.camel@SuSE.site>

On Sat, 2006-06-10 at 11:27 +0200, Qed wrote:
> >> --print-md algo [files]
> >> --print-mds [files]
> >> Print message digest of algorithm ALGO for all given files or
> >> stdin. With the second form (or a deprecated "*" as algo)
> >> digests for all available algorithms are printed.
> >
> > Oh.......I never would have made the connection. I can see what it
> > refers to now but when I read it, the algorithm "ALGO" was one I had
> > never heard of. Realistically, I wouldn't have caught it even if it was
> > written as "--print-md [files]"
> Ever heard of the funny story about the user calling helpdesk because
> cannot find the "any key" on his keyboard? ;-)

Yes, and supposedly it's causing problems for support departments. On the other hand, if you're looking for the command to calculate sha256 and sha512 hashes, what are the odds you will be targeting words like "ALGO"? "HASH" maybe, but "algo"? I'd be curious as to how many users even know that gpg can do sha256 and sha512 hashes based on what is written in the docs. MD5SUM and SHA1SUM are spelled out as clear as day in contrast to the ones I was trying to use. I had been using other applications to get the values.

Still, does anyone know what the coreutils docs are referring to when it implies that sha512 hashes can be obtained with a command called "sha512sum" in the same manner of usage as md5sum and sha1sum? (i.e "sha512sum file")

From qed at tiscali.it Sat Jun 10 17:32:19 2006
From: qed at tiscali.it (Qed)
Date: Sat Jun 10 17:58:32 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <1149944620.29178.19.camel@SuSE.site>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com> <1149892544.25239.13.camel@SuSE.site> <448A906F.7030804@tiscali.it> <1149944620.29178.19.camel@SuSE.site>
Message-ID: <448AE603.9010601@tiscali.it>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 06/10/2006 03:03 PM, rmyster wrote:
> Yes, and supposedly it's causing problems for support departments. On
> the other hand, if you're looking for the command to calculate sha256
> and sha512 hashes, what are the odds you will be targeting words like
> "ALGO"? "HASH" maybe, but "algo"? I'd be curious as to how many users
> even know that gpg can do sha256 and sha512 hashes based on what is
> written in the docs.

I think that we can categorize this task under "Advanced Features", how many un-skilled users need to compute sha2 digests of files? How many of them understand the term "command-line"? How many of them search in documentation before posting to Usenet/ML?

> MD5SUM and SHA1SUM are spelled out as clear as day
> in contrast to the ones I was trying to use. I had been using other
> applications to get the values.

Finding out the right syntax is different from having it under your own eyes and not seeing it.

> Still, does anyone know what the coreutils docs are referring to when it
> implies that sha512 hashes can be obtained with a command called
> "sha512sum" in the same manner of usage as md5sum and sha1sum?
> (i.e "sha512sum file")

Maybe you could try to tell us what version of coreutils do you have installed and what OS are you using, we don't have a magic ball to ask.
Two of your headers:
> X-Mailer: Evolution 2.6.0
> Message-Id: <1149944620.29178.19.camel@SuSE.site>
so I suppose you are using SuSE Linux, version 10.1 includes Evolution 2.6.0. Incidentally I am using the same version of this nice distribution, I have coreutils-5.93 here and there is no trace of sha2 support in documentation.

However you should have noticed that this is not a linux mailing list.

- --
Q.E.D.
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!

From rmyster at gmail.com Sat Jun 10 18:40:54 2006
From: rmyster at gmail.com (rmyster)
Date: Sat Jun 10 18:41:40 2006
Subject: sha2 utilities: Print or check SHA-2 digests
In-Reply-To: <448AE603.9010601@tiscali.it>
References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com> <1149892544.25239.13.camel@SuSE.site> <448A906F.7030804@tiscali.it> <1149944620.29178.19.camel@SuSE.site> <448AE603.9010601@tiscali.it>
Message-ID: <1149957654.15748.11.camel@SuSE.site>

>
> > Still, does anyone know what the coreutils docs are referring to when it
> > implies that sha512 hashes can be obtained with a command called
> > "sha512sum" in the same manner of usage as md5sum and sha1sum?
> > (i.e "sha512sum file")
> Maybe you could try to tell us what version of coreutils do you have
> installed and what OS are you using, we don't have a magic ball to ask.
> Two of your headers:
> > X-Mailer: Evolution 2.6.0
> > Message-Id: <1149944620.29178.19.camel@SuSE.site>
> so I suppose you are using SuSE Linux, version 10.1 includes Evolution
> 2.6.0. Incidentally I am using the same version of this nice
> distribution, I have coreutils-5.93 here and there is no trace of sha2
> support in documentation.
>
> However you should have noticed that this is not a linux mailing list.
> - --

Yes, suse 10.1 with coreutils-5.93-20. In the info manual, sha2 is mentioned under section 6.6 (sha2 utilities) and all it says is "The usage and options of these commands are precisely the same as for `md5sum'."

While this isn't a linux mailing list, md5sum is part of gnupg. The closest other choice was the coreutils bug lists and this didn't seem like a bug related question. I'll take your hint and drop the topic.
From tmz at pobox.com Sat Jun 10 19:02:49 2006 From: tmz at pobox.com (Todd Zullinger) Date: Sat Jun 10 19:08:28 2006 Subject: sha2 utilities: Print or check SHA-2 digests In-Reply-To: <1149957654.15748.11.camel@SuSE.site> References: <1149890279.22594.22.camel@SuSE.site> <20060609220834.GC15107@jabberwocky.com> <1149892544.25239.13.camel@SuSE.site> <448A906F.7030804@tiscali.it> <1149944620.29178.19.camel@SuSE.site> <448AE603.9010601@tiscali.it> <1149957654.15748.11.camel@SuSE.site> Message-ID: <20060610170249.GB30289@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 rmyster wrote: > Yes, suse 10.1 with coreutils-5.93-20. In the info manual, sha2 is > mentioned under section 6.6 (sha2 utilities) and all it says is "The > usage and options of these commands are precisely the same as for > `md5sum'." > > While this isn't a linux mailing list, md5sum is part of gnupg. No, it's not. md5sum is part of the coreutils package. You're using suse, which is an rpm based distro, so if I may extend the slightly off-topic posts a little, here's a handy way for you to find out what package a file belongs to: $ rpm -qf /usr/bin/md5sum On my FC5 system this returns coreutils-5.93-7.2. > The closest other choice was the coreutils bug lists and this didn't > seem like a bug related question. How not? If the docs state an application is available and it's not it's a bug - either in the docs or in the packaging. In any case, I took a blind leap of faith and searched for the string sha2 on the coreutils mailing list and the very first item returned[1] was titled: Re: Not finding sha256sum It's a documentation bug in coreutils. Total time spent, 30 secs. 
:)

[1] http://lists.gnu.org/archive/html/bug-coreutils/2005-12/msg00170.html

- --
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
A diplomat is a person who can tell you to go to Hell in such a way that you actually look forward to the trip.
    -- Anonymous

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkSK+zkmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1pfBwCfQpESyyiX4VaoB3PxkUfu6tmgzHYAoMtHAQz9
86lV+58Vw46GWqxG5S0s
=BkqK
-----END PGP SIGNATURE-----

From kloecker at kde.org Sun Jun 11 02:46:45 2006
From: kloecker at kde.org (Ingo =?utf-8?q?Kl=C3=B6cker?=)
Date: Sun Jun 11 04:26:06 2006
Subject: GnuPG asks for confirmation...
In-Reply-To: <20060604055428.GA2817@psilocybe.teonanacatl.org>
References: <200606032219.40359@erwin.ingo-kloecker.de> <20060604055428.GA2817@psilocybe.teonanacatl.org>
Message-ID: <200606110246.46333@erwin.ingo-kloecker.de>

On Sunday 04 June 2006 07:54, Todd Zullinger wrote:
> Ingo Klöcker wrote:
> > On Saturday 03 June 2006 04:57, engage wrote:
> >> On Thursday 01 June 2006 08:59 pm, Todd Zullinger wrote:
> >>>engage wrote:
> >>>> Why is someone sending an encrypted message to this list?
> >>>
> >>>It's not encrypted. It's just signed and armored.
> >>>
> >>>Doesn't your mail client automatically display this for you?
> >>
> >> No. I keep getting prompted for my passphrase for this message.
> >> Kmail.
> >
> > My KMail (1.9.x) shows the message without asking for a
> > passphrase. And I'm not aware of changes in this part of the code
> > which would explain the different behavior. Strange.
>
> Ingo, are you using the gpg-agent?

Sure.

Okay, that might explain the different behavior. In any case, KMail isn't fully functional without gpg-agent, e.g. you can't decrypt OpenPGP/MIME messages. So using KMail without gpg-agent is not recommended.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060611/b297a762/attachment.pgp

From mkontakt at gmail.com Sun Jun 11 19:07:04 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Sun Jun 11 19:05:46 2006
Subject: Modules in GnuPG
In-Reply-To: <20060606120936.GA11033@debian.mydomain.com>
References: <20060605214101.GA8379@debian.mydomain.com> <4484A908.7000008@chud.net> <20060606120936.GA11033@debian.mydomain.com>
Message-ID: <20060611170704.GA13439@debian.mydomain.com>

Can I say about gnupg that it is modular? If yes, does a map of the modules exist?

Thanks in advance
Martin

From oskar at rbgi.net Sun Jun 11 18:48:25 2006
From: oskar at rbgi.net (Oskar L.)
Date: Sun Jun 11 20:25:55 2006
Subject: Exporting keys as seperate files
In-Reply-To: <930e1e99569fea23ae3a3472204110b5@www.pythagoras.no-ip.org>
References: <930e1e99569fea23ae3a3472204110b5@www.pythagoras.no-ip.org>
Message-ID: <1120.213.169.2.90.1150044505.squirrel@mail.rbgi.net>

Hello,

I'd like to export all public keys in my keyring to separate ASCII-armored files, using the name from the user ID as the filename, and adding ".asc" as the extension. If a key has multiple user IDs, then the name from the newest one should be used. Is there a shell script that can do this?

Oskar

From jasonwc at brandeis.edu Sun Jun 11 22:46:37 2006
From: jasonwc at brandeis.edu (Jason Wittlin-Cohen)
Date: Mon Jun 12 00:26:07 2006
Subject: gnupg 1.4.3 uses SHA1 when preferred Digest is SHA2
Message-ID: <448C812D.5030606@brandeis.edu>

I was playing around with the gnupg command line options and I noticed that whenever I signed or encrypted and signed a file, GPG would use SHA1 rather than SHA256, which is the preferred digest for my primary key.
I confirmed that SHA256 was the preferred digest by using "gpg --edit-key 2228BC8F" and then did "showpref" which outputted the relevant line:

"Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1"

Yet, when I encrypt and sign a file with "gpg -esv blah.txt" I see:

"gpg: RSA/SHA1 signature from: "2228BC8F Jason Wittlin-Cohen "

When I manually specify "gpg -esv --digest-algo SHA256 blah.txt" I see:

"gpg: RSA/SHA256 signature from: "2228BC8F Jason Wittlin-Cohen "

I can also manually specify SHA384 or SHA512 and Enigmail will use SHA256,384, or 512 as well, without complaints.

Any idea why GPG isn't using my preferred digest unless I manually specify it? It does use my preferred cipher (AES-256).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 542 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20060611/5ef3739a/signature.pgp

From z.himsel at gmail.com Mon Jun 12 00:28:28 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Mon Jun 12 00:27:16 2006
Subject: Enigmail Problem???
Message-ID: <448C990C.4020906@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I posted this on the Thunderbird Forums. I thought that it might have something to do with Enigmail/GnuPG... I thought I might get an opinion from another perspective. What do you guys think?

> Sometimes (maybe 2/5 times) Thunderbird will crash when I start
> typing an address into the "To:"/"cc:"/bcc"/etc. entry box to get the
> autocomplete list of contacts. This happens if I:
>
> -write a new message
> -reply/reply-to-all to a message
> -forward a message
>
> But again, this only happens sometimes; it seems to be random also.
> When the dialog comes up (in Windows XP) that says "Thunderbird is
> experiencing an error and needs to close..." I look in the details,
> and it says the module name (after thunderbird.exe) is
> "xpcom_core.dll". I've checked the TB directory and xpcom_core.dll
> *is* there.
> I thought it might be corrupted, so I searched the
> internet and downloaded another copy. I replaced it (backing up the
> old one) and it seemed to help. But about 10 minutes ago, it happened
> again.
>
> I really don't know why this is happening. The only thing I can
> think of is the Enigmail extension (which has caused problems before)
> but it is essential to my emails, so I can't afford to uninstall it.
>
> Versions and extensions:
>
> TB: 1.5.0.4 (build 20060516)
>
> -Enigmail 0.94.0
> -MinimizeToTray 0.0.1 (build 2006030906+)
> -SwitchProxy Tool 1.4
>
> Installed after crashes (so they logically shouldn't have anything
> to do with it)
> -Lightning 0.1 (build) 2006031011
> -AboutConfig 0.6

- --
Zach Himsel (DJ Zeru )
,=========|==========================.
| |_|o|_| | (`) ASCII Ribbon Campaign|
| |_|_|o| |  X  Against HTML email   |
| |o|o|o| | / \ and vCard Signatures |
|=========|==========================|
| OpenPGP Public Key ID:  0xD1093592 |
| http://zach-himsel.is.dreaming.org |
`===================================='
(if this above looks garbled, view it using a monospace font (i.e.
courier)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: =====================================
Comment: Zach Himsel
Comment: DJ Zeru
Comment: OpenPGP Public Key: 0xD1093592
Comment: zach-himsel.is.dreaming.org

iQEVAwUBRIyZDJHoJdzRCTWSAQo0EQf/bOqjRfxGdM0Tf39bzsyz0zrl6KEAf8gl
4gnQ6oybI0QFbxdkS84OvZWt2VXJpD+eurHwyjxy0gCk2FSvJzcGdp4BdyNAarx3
NlCRQ10ZLbhRjfoW5O4QwSAlcbFUCzXyf/mmqKB1zozgIWR1ezIERZ04Wmv3fwth
TCzNNoMsDxVEDSbRVjeqDga0EcM/IwFKPyDRZRWpnCbrxsponW4FxHivrqfgiybO
GHq2wEzxG0zO/G1/V+FS4V0sn36gt1xv9qxVkihyL1YuJbIouCf/ra0N3SQTMjIE
UOE9cUT1l0MVD4XJQKQs7OYCbyVn2lY/d+iZ8X4AGQfl5NViJB6ViA==
=8VTY
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Mon Jun 12 02:36:46 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Jun 12 02:35:44 2006
Subject: gnupg 1.4.3 uses SHA1 when preferred Digest is SHA2
In-Reply-To: <448C812D.5030606@brandeis.edu>
References: <448C812D.5030606@brandeis.edu>
Message-ID: <20060612003646.GF15370@jabberwocky.com>

On Sun, Jun 11, 2006 at 09:46:37PM +0100, Jason Wittlin-Cohen wrote:
> I was playing around with the gnupg command line options and I noticed
> that whenever I signed or encrypted and signed a file, GPG would use
> SHA1 rather than SHA256, which is the preferred digest for my primary key.
>
> I confirmed that SHA256 was the preferred digest by using "gpg
> --edit-key 2228BC8F" and then did "showpref" which outputted the
> relevant line:
>
> "Digest: SHA256, SHA384, SHA512, RIPEMD160, SHA1"
>
> Yet, when I encrypt and sign a file with "gpg -esv blah.txt" I see:
>
> "gpg: RSA/SHA1 signature from: "2228BC8F Jason Wittlin-Cohen
> "
>
> When I manually specify "gpg -esv --digest-algo SHA256 blah.txt" I see:
>
> "gpg: RSA/SHA256 signature from: "2228BC8F Jason Wittlin-Cohen
> "
>
> I can also manually specify SHA384 or SHA512 and Enigmail will use
> SHA256,384, or 512 as well, without complaints.
>
> Any idea why GPG isn't using my preferred digest unless I manually
> specify it?
> It does use my preferred cipher (AES-256).

The misunderstanding here is that "showpref" sets preferred algorithms for outgoing messages. It doesn't. The preferences on the key are used on messages being sent *to* your key.

If you want to set preferences for outgoing messages, stick something like:

   personal-digest-preferences sha256 sha384 sha512

in your gpg.conf.

David

From tomt at lottah.com Mon Jun 12 04:42:56 2006
From: tomt at lottah.com (Tom Thekathyil)
Date: Mon Jun 12 06:26:17 2006
Subject: Corrupting files
Message-ID: <1150080176.1422.1.camel@localhost.localdomain>

A wishes to send message to B.

A encrypts message using B's key. Opens encrypted message and corrupts the file by altering one or more characters/adding redundant lines of code, e.g. changes case of first occurrence of 'T' in the code. Saves file and sends to B.

B will get an error message when trying to decrypt message. However B knows that the first occurrence of 'T' needs case conversion and edits file. The edited file is now capable of being decrypted.

Since no one apart from A & B knows how the encrypted file has been corrupted, this seems to be a method of increasing security.

Question: Is there in theory any way of breaking the corrupted encryption through brute force?

Regards, tt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20060612/18e71700/attachment.pgp

From atom at smasher.org Mon Jun 12 07:04:57 2006
From: atom at smasher.org (Atom Smasher)
Date: Mon Jun 12 08:55:56 2006
Subject: Corrupting files
In-Reply-To: <1150080176.1422.1.camel@localhost.localdomain>
References: <1150080176.1422.1.camel@localhost.localdomain>
Message-ID: <20060612050501.27892.qmail@smasher.org>

On Mon, 12 Jun 2006, Tom Thekathyil wrote:

> A wishes to send message to B.
>
> A encrypts message using B's key.
> Opens encrypted message and corrupts
> the file by altering one or more characters/adding redundant lines of
> code, e.g. changes case of first occurrence of 'T' in the code. Saves
> file and sends to B.
>
> B will get an error message when trying to decrypt message. However B
> knows that the first occurrence of 'T' needs case conversion and edits
> file. The edited file is now capable of being decrypted.
>
> Since no one apart from A & B knows how the encrypted file has been
> corrupted, this seems to be a method of increasing security.
>
> Question: Is there in theory any way of breaking the corrupted
> encryption through brute force?
=========================

why not pipe the encrypted output of gpg through a captain midnight secret decoder ring? because it doesn't add any real security.

i can't give an authoritative answer on the security of this, but i can say this...

bear in mind that a pgp encrypted message consists of one or more packets containing "header" information, such as the encrypted session key, symmetric algorithm, compression algorithm etc. there will be one of these packets for each recipient the message is encrypted to. following the header packets, are the [symmetrically] encrypted data packet(s) which, AFAIK, don't have any inherent structure.

the data in the header packets is fairly well structured... using a text editor, it would be easy to make a change towards the beginning of the armored message that would be very easy to discover and correct. that would result in no real added security.

assuming that the decrypted data (plain-text) is structured in some way, a change to the armored message would corrupt all data after the change is made (the session key would have to be recovered to get this far).
if an attacker has recovered the session key, and the decrypted data starts off having a certain structure and then turns to garbage, an attacker should be able to figure out what part of the armored message is corrupt, and fix it with trial and error.

so, if this were to add any security at all, the first step would have to be editing part of the armored file that corresponds to the beginning of the encrypted data packets.

again, i can't say that this *would* add any security... but clearly there are several ways to do it that would *not* add any real security.

btw, what's the threat model where this is advantageous?

--
...atom

________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"HEY! HO! LET'S GO!"
    -- The Ramones

From r.post at sara.nl Mon Jun 12 08:36:54 2006
From: r.post at sara.nl (Remco Post)
Date: Mon Jun 12 10:26:08 2006
Subject: Corrupting files
In-Reply-To: <1150080176.1422.1.camel@localhost.localdomain>
References: <1150080176.1422.1.camel@localhost.localdomain>
Message-ID: <448D0B86.5020006@sara.nl>

Tom Thekathyil wrote:
> A wishes to send message to B.
>

In theory, any encrypted message is like completely random.

> Question: Is there in theory any way of breaking the corrupted
> encryption through brute force?
>

Brute force... trying every possible key on a message until the decrypted message makes sense. Since in theory the corrupted message could be the result of encrypting the message with a different key, brute force may yield a different key, but in theory, this added encryption does not add any security.

Now, is brute force feasible, no, not against any of the strong algorithms.... I don't see why one would bother, not in this way.
> Regards, tt
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten    http://www.sara.nl
High Performance Computing    Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From mkontakt at gmail.com Mon Jun 12 10:59:16 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Mon Jun 12 10:57:51 2006
Subject: GnuPG modules
Message-ID: <20060612085916.GA15873@debian.mydomain.com>

Dear all,

I have found a very nice picture of project Agypten (I am missing gnupg). This made me think about gnupg modular approach. So, I would like to ask you for revision of my thoughts.

Gnupg is a modular application composed of a crypto module based on libcrypt (independent development), a compression module, a key management module, a communication module (managing HKP, etc.). This model is easy to be extended in any of the arrays of this model. For instance adding new crypto alg. without disturbing other parts of the app (apart of utilization of this new feature). Above all, Gnupg is used as a background by gpgME, which should be used as the preferred way of communication with the app by another program.

Have I forgotten anything?

Thanks in advance for your comments.
Best regards
Martin

From kloecker at kde.org Mon Jun 12 10:39:47 2006
From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=)
Date: Mon Jun 12 12:26:02 2006
Subject: Corrupting files
In-Reply-To: <1150080176.1422.1.camel@localhost.localdomain>
References: <1150080176.1422.1.camel@localhost.localdomain>
Message-ID: <200606121039.48692@helena.mathA.rwth-aachen.de>

On Monday, 12 June 2006 04:42, Tom Thekathyil wrote:
> A wishes to send message to B.
>
> A encrypts message using B's key. Opens encrypted message and
> corrupts the file by altering one or more characters/adding redundant
> lines of code, e.g. changes case of first occurrence of 'T' in the
> code. Saves file and sends to B.
>
> B will get an error message when trying to decrypt message. However B
> knows that the first occurrence of 'T' needs case conversion and
> edits file. The edited file is now capable of being decrypted.

Think again. A encrypts the message and let's say the result is 'ttttT'. A changes this to 'ttttt'. B changes it "back" to 'Ttttt'. Hmm, doesn't work. But applying ROT-13 would work. :-)

> Since no one apart from A & B knows how the encrypted file has been
> corrupted, this seems to be a method of increasing security.

No. This is (false) security through obscurity. Anyone who is able to break the used encryption will have no problems also breaking your bogus attempt to increase security.

> Question: Is there in theory any way of breaking the corrupted
> encryption through brute force?

Through brute force anything can be broken. The whole point of the encryption methods that are used by us is that a brute force attack is not feasible.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060612/b7b064d8/attachment-0001.pgp

From zvrba at globalnet.hr Mon Jun 12 12:50:50 2006
From: zvrba at globalnet.hr (zvrba@globalnet.hr)
Date: Mon Jun 12 13:05:01 2006
Subject: Corrupting files
In-Reply-To: <448D0B86.5020006@sara.nl>
References: <1150080176.1422.1.camel@localhost.localdomain> <448D0B86.5020006@sara.nl>
Message-ID: <20060612105050.GA5996@zax.ifi.uio.no>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Mon, Jun 12, 2006 at 08:36:54AM +0200, Remco Post wrote:
>
> Brute force... trying every possible key on a message until the
>
Brute force both in the key length and the size of the alphabet.

>
> decrypted message makes sense. Since in theory the corrupted message
> could be the result of encrypting the message with a different key,
> brute force may yield a different key, but in theory, this added
> encryption does not add any security.
>
I wouldn't agree with this reasoning. If a single character is changed, this might correspond to encryption with a different key. But all the other blocks are still encrypted with the _same_ key. Brute-forcing the key of the corrupted block won't help in decrypting the rest of the message.

Then again, I might be wrong :)

Best regards,
Zeljko.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEjUcKFtofFpCIfhMRA+ZEAJwJBduW0byyJLW7FN+6GGJ/i5aybQCeO7b0
oVy2wol3sYgR6GFrtBrdQOQ=
=0QCO
-----END PGP SIGNATURE-----

From alex at bofh.net.pl Mon Jun 12 14:20:56 2006
From: alex at bofh.net.pl (Janusz A. Urbanowicz)
Date: Mon Jun 12 14:48:41 2006
Subject: Exporting keys as seperate files
In-Reply-To: <1120.213.169.2.90.1150044505.squirrel@mail.rbgi.net>
References: <930e1e99569fea23ae3a3472204110b5@www.pythagoras.no-ip.org> <1120.213.169.2.90.1150044505.squirrel@mail.rbgi.net>
Message-ID: <20060612122055.GM22113@hell.pl>

On Sun, Jun 11, 2006 at 07:48:25PM +0300, Oskar L.
wrote:
> Hello,
>
> I'd like to export all public keys in my keyring to separate ASCII-armored
> files, using the name from the user ID as the filename, and adding ".asc"
> as the extension. If a key has multiple user IDs, then the name from the
> newest one should be used. Is there a shell script that can do this?

I once posted similar script to gnupg-devel:

http://lists.gnupg.org/pipermail/gnupg-devel/2002-March/018217.html

But it splits to files named as key-ids, not user ids.

Alex

From utternoncesense at gmail.com Mon Jun 12 18:02:04 2006
From: utternoncesense at gmail.com (utternoncesense@gmail.com)
Date: Mon Jun 12 18:00:52 2006
Subject: Corrupting files
In-Reply-To: <20060612105050.GA5996@zax.ifi.uio.no>
References: <1150080176.1422.1.camel@localhost.localdomain> <448D0B86.5020006@sara.nl> <20060612105050.GA5996@zax.ifi.uio.no>
Message-ID: <2614f0720606120902h4e122522m3424601b58de96ba@mail.gmail.com>

If your modus operandi includes exchanging secret information outside of normal channels (e.g., "change the case of the nth letter") you would be better off exchanging more secure information than a single change like that.

For example - a second set of public keys. Encrypt your document twice, first with your friend's "private" public key, then with his public-public key.

Or exchange the passphrase to a symmetrically encrypted file, then encrypt the symmetrically encrypted file with his public key.

Hell, try one-time pads.

From tomt at lottah.com Mon Jun 12 22:15:48 2006
From: tomt at lottah.com (Tom Thekathyil)
Date: Mon Jun 12 22:11:31 2006
Subject: Corrupting files
In-Reply-To: <448CF068.3030308@sixdemonbag.org>
References: <1150080176.1422.1.camel@localhost.localdomain> <448CF068.3030308@sixdemonbag.org>
Message-ID: <1150143348.1453.7.camel@localhost.localdomain>

Hi Robert,

Thanks for your response: that was for a trivial case :)

Now let's try a curveball.
We substitute lines 9 to 12 for the equivalent _somewhere else_ in the code, so it won't be a simple transform. This is based on a rule that a message sent on the 12th day of June would have certain properties, so no memorizing is required.

8 JuNi0jiIA6
9 nS1MSGrUoLv0VInSrfTKpEJtHCN7aksVxIOuiYgJySp6nWM0o8zpVL
10 1g5g8ipqHD45e5cDQOB2bRxqPLF+oUPHE0daaGtzUiccUGlKmuikOPjGlZKpqHQx
11 zVkrE/uEQil6UJMM/lhGXLI+pg4FzleotlWz0Dhc2lLqjqMHGTzt7uxcR6IFsqJT
12 HNkl21JswgxN0DlZaWLhBQeoAKKFbZWpZz4kbN9vYjTsqGhsMnNplH
13 GZvEnQ2oGy
14 qGlhUpW75BKVXgp2SWVqIkWJkws5VUofMQrblF19Pma1rKiK4GXUBK20k36sOj5y

Let's consider another scenario where lines 9 to 12 are meaningless code inserted into the message. B has the rule to dispose of it but no one else would know the location and length of corruption.

My gut feeling is that the human element throws a spanner into the algorithm.

Regards, Tom

(Haven't had time to consider the other responses, but many thanks - lots to learn here :) )

On Sun, 2006-06-11 at 23:41 -0500, Robert J. Hansen wrote:
> > Since no one apart from A & B knows how the encrypted file has been
> > corrupted, this seems to be a method of increasing security.
>
> There are some serious problems you'd have to hurdle. Let's assume
> they're all hurdled, though, and that it works pretty much as you'd
> expect. If we make that assumption, then we can talk about this scheme
> in the best-case scenario.
>
> A reasonably long text message might be 3000 characters long.
> Transposing the case of one of these letters gives us 3000 permutations.
> Two gives us roughly nine million. Three gives us about 25 billion.
> It's doubtful that you'd want to transpose more than three letters, due
> to the difficulty of someone remembering "was I supposed to transpose
> letters 1442, 1991 and 2047, or 1442, 1991 and 2074?"
>
> Log-2 of 25 billion is about 35. You've just added a factor of 2^35
> difficulty to breaking the message... but that's an _addition_, not a
> multiplication.
> You're going to recover enough plaintext at the
> beginning of the message to make it clear when you have the right key or
> not.
>
> If you're going to posit the existence of an adversary who can do 2^128
> work to break your key, do you really think you're gaining anything by
> _adding_ 2^35 work? 2^128 + 2^35 is so close to 2^128 as makes
> absolutely no difference whatsoever.
>
> > Question: Is there in theory any way of breaking the corrupted
> > encryption through brute force?
>
> Yes. As shown above, the additional work factor you're introducing is
> trivial compared to the work in recovering the key in the first place.
> --

From kloecker at kde.org Mon Jun 12 23:55:54 2006
From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=)
Date: Tue Jun 13 01:25:53 2006
Subject: Corrupting files
In-Reply-To: <1150143348.1453.7.camel@localhost.localdomain>
References: <1150080176.1422.1.camel@localhost.localdomain> <448CF068.3030308@sixdemonbag.org> <1150143348.1453.7.camel@localhost.localdomain>
Message-ID: <200606122355.57622@erwin.ingo-kloecker.de>

On Monday 12 June 2006 22:15, Tom Thekathyil wrote:
> Hi Robert,
>
> Thanks for your response: that was for a trivial case :)
>
> Now let's try a curveball. We substitute lines 9 to 12 for the
> equivalent _somewhere else_ in the code, so it won't be a simple
> transform. This is based on a rule that a message sent on the 12th
> day of June would have certain properties, so no memorizing is
> required.

Memorizing the rule and, more importantly, keeping the rule secret is required.
>
> 8 JuNi0jiIA6
> 9 nS1MSGrUoLv0VInSrfTKpEJtHCN7aksVxIOuiYgJySp6nWM0o8zpVL
> 10 1g5g8ipqHD45e5cDQOB2bRxqPLF+oUPHE0daaGtzUiccUGlKmuikOPjGlZKpqHQx
> 11 zVkrE/uEQil6UJMM/lhGXLI+pg4FzleotlWz0Dhc2lLqjqMHGTzt7uxcR6IFsqJT
> 12 HNkl21JswgxN0DlZaWLhBQeoAKKFbZWpZz4kbN9vYjTsqGhsMnNplH
> 13 GZvEnQ2oGy
> 14 qGlhUpW75BKVXgp2SWVqIkWJkws5VUofMQrblF19Pma1rKiK4GXUBK20k36sOj5y
>
> Let's consider another scenario where lines 9 to 12 are meaningless
> code inserted into the message. B has the rule to dispose of it but
> no one else would know the location and length of corruption.
>
> My gut feeling is that the human element throws a spanner into the
> algorithm.

No, it doesn't. You are still believing in security-by-obscurity meaning that your additional "encryption" only works as long as you and the recipient are the only ones who know the secret rule.

Anyway, why do you actually think that what you want to do would make any sense? If the encryption algorithm you use is too weak so that additional "encryption" methods are necessary then you probably shouldn't use this encryption algorithm in the first place. And if the encryption algorithm you use is strong enough (e.g. AES) then you gain nothing by additional "encryption" methods unless those additional "encryption" methods are an even stronger encryption algorithm than the first one (but then why apply the first one).

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060612/5f627314/attachment.pgp

From samuel at Update.UU.SE Tue Jun 13 09:02:26 2006
From: samuel at Update.UU.SE (Samuel ]slund)
Date: Tue Jun 13 09:54:20 2006
Subject: Corrupting files
In-Reply-To: <200606122355.57622@erwin.ingo-kloecker.de>
References: <1150080176.1422.1.camel@localhost.localdomain> <448CF068.3030308@sixdemonbag.org> <1150143348.1453.7.camel@localhost.localdomain> <200606122355.57622@erwin.ingo-kloecker.de>
Message-ID: <20060613070226.GA1332@Update.UU.SE>

On Mon, Jun 12, 2006 at 11:55:54PM +0200, Ingo Klöcker wrote:
> No, it doesn't. You are still believing in security-by-obscurity meaning
> that your additional "encryption" only works as long as you and the
> recipient are the only ones who know the secret rule.

Please Ingo, _all_ encryption is based on "security-by-obscurity" if an attacker finds the secret key _any_ encryption system is toast.

> Anyway, why do you actually think that what you want to do would make
> any sense? If the encryption algorithm you use is too weak so that
> additional "encryption" methods are necessary then you probably
> shouldn't use this encryption algorithm in the first place. And if the
> encryption algorithm you use is strong enough (e.g. AES) then you gain
> nothing by additional "encryption" methods unless those additional
> "encryption" methods are an even stronger encryption algorithm than the
> first one (but then why apply the first one).

I can think of some possible scenarios; if an attacker has automated the attacks, especially with attacks tailored for each known algorithm, then making the message not conform to known algorithms and structure should break the automation. Another could be, how would an attacker tell the difference between a random intercepted file that has been corrupted in transit and one with an additional human decryption step, e.g.
during the window between key compromise and revocation. In this case we are dealing with humans that do not necessarily have huge amounts of resources and patience.

I'd be impressed by any people communicating that actually had the patience to keep up this kind of scheme, since any communication needs manual intervention.

//Samuel

From kloecker at kde.org Tue Jun 13 10:59:57 2006
From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=)
Date: Tue Jun 13 10:59:01 2006
Subject: Corrupting files
In-Reply-To: <20060613070226.GA1332@Update.UU.SE>
References: <1150080176.1422.1.camel@localhost.localdomain> <200606122355.57622@erwin.ingo-kloecker.de> <20060613070226.GA1332@Update.UU.SE>
Message-ID: <200606131100.02753@helena.mathA.rwth-aachen.de>

On Tuesday, 13 June 2006 09:02, Samuel ]slund wrote:
> On Mon, Jun 12, 2006 at 11:55:54PM +0200, Ingo Klöcker wrote:
> > No, it doesn't. You are still believing in security-by-obscurity
> > meaning that your additional "encryption" only works as long as you
> > and the recipient are the only ones who know the secret rule.
>
> Please Ingo, _all_ encryption is based on "security-by-obscurity" if
> an attacker finds the secret key _any_ encryption system is toast.

You know very well that "security by obscurity" refers to keeping the encryption algorithm secret.

> > Anyway, why do you actually think that what you want to do would
> > make any sense? If the encryption algorithm you use is too weak so
> > that additional "encryption" methods are necessary then you
> > probably shouldn't use this encryption algorithm in the first
> > place. And if the encryption algorithm you use is strong enough
> > (e.g. AES) then you gain nothing by additional "encryption" methods
> > unless those additional "encryption" methods are an even stronger
> > encryption algorithm than the first one (but then why apply the
> > first one).
>
> I can think of some possible scenarios; if an attacker has
> automated the attacks, especially with attacks tailored for each
> known algorithm, then making the message not conform to known
> algorithms and structure should break the automation.

I don't see why such a scenario would make any sense. If the automated attack would have any chance of success then the used encryption algorithm was too weak. Otherwise it doesn't matter whether the automation works for the message or not.

> Another could
> be, how would an attacker tell the difference between a random
> intercepted file that has been corrupted in transit and one with an
> additional human decryption step, e.g. during the window between key
> compromise and revocation. In this case we are dealing with humans
> that do not necessarily have huge amounts of resources and
> patience.

Maybe you have a point. Still using a self-created obfuscation scheme doesn't feel like a really good solution for this threat model.

> I'd be impressed by any people communicating that actually had the
> patience to keep up this kind of scheme, since any communication
> needs manual intervention.

Sure. But as others have said earlier there are better ways to use a secure channel than to agree on such a stupid additional obfuscation step. If anything, then use a second symmetric encryption step for this special two-way-only communication.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20060613/476501d5/attachment.pgp

From home at tristanwilliams.com Tue Jun 13 15:01:27 2006
From: home at tristanwilliams.com (Tristan Williams)
Date: Tue Jun 13 17:56:18 2006
Subject: OpenPGP smartcard restore
Message-ID: <20060613130126.GA1054@g3.spring.org>

I am experimenting with the OpenPGP smartcard.
I have two OpenPGP smart cards (smartA and smartB) and I want to verify that I can restore my on-card generated private key should I lose the master card (smartA). I only want to verify that I can do it - not discuss the merits of on-card vs. off-card key generation.

I start with an empty ~/.gnupg

For smartA I have

(1) an on-card generated key
(2) the backup file created ~/.gnupg/sk_X.gpg at key generation
(3) a backup of ~/.gnupg/secring.gpg when the
(4) a file with the exported associated public key
(5) a test file encrypted with above public key which decrypts with smartA
(6) the pass phrase used at key generation
(7) second OpenPGP smartcard (smartB)

I then imagine that I have lost my card (smartA), my computer hard disk has died and I have to restore to a fresh new gpg environment (i.e. no ~/.gnupg) and smartB

I then issue these commands

gpg --list-keys
    which creates ~/.gnupg and various files within it.

gpg --import public_key.asc
    using (4) from my backups

gpg --list-keys
    shows that the public key has been imported

I then copy my backup secring.gpg to ~/.gnugpg

gpg --edit-key KEYID
    shows that the secret key is present

gpg --list-secret-keys
    shows that the secret key is linked to card-no smartA

gpg --edit-key KEYID
    toggle
    bkuptocard sk_X.gpg

    choose the (1) the signature
    replace existing key yes
    enter pass phrase
    save changes yes

Now

gpg --list-keys
    shows the key still linked to card-no smartA and not smartB

any action needing the private key using smartB results in gpg requesting that you put in smartA (which is lost...)

Has anyone actually managed a functional OpenPGP card restore with on-card key generation? And if so how please!
Tristan Williams From zvrba at globalnet.hr Tue Jun 13 18:07:57 2006 From: zvrba at globalnet.hr (zvrba@globalnet.hr) Date: Tue Jun 13 18:23:32 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613130126.GA1054@g3.spring.org> References: <20060613130126.GA1054@g3.spring.org> Message-ID: <20060613160757.GA5544@zax.ifi.uio.no> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote: > I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart > cards (smartA and smartB) and I want to verify that I can restore my > on-card generated private key should I loose the master card > (smartA). I only want to verify that I can do it - not discuss the > merits of on-card vs. off-card key generation. > > I start with an empty ~/.gnupg > > For smartA I have > > (1) an on-card generated key > You can stop here. In order to use card B you need to transfer the PRIVATE key from card A to card B. It is _impossible_ to export the private key under any circumstances (minus backdoors/implementation bugs in the smart- card software). Period. If you want to have the same private key on several physical cards, your only option is off-card generation, with import of the key afterwards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEjuLdFtofFpCIfhMRA76IAJwPcBSIb0J2F07FMIwBxE/FGXso/QCcC8xq mBs0HDxYJudS0YWpz6O9XEA= =e9hh -----END PGP SIGNATURE----- From ml at mareichelt.de Tue Jun 13 18:55:17 2006 From: ml at mareichelt.de (markus reichelt) Date: Tue Jun 13 18:54:21 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613160757.GA5544@zax.ifi.uio.no> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> Message-ID: <20060613165517.GD26554@tatooine.rebelbase.local> * zvrba@globalnet.hr wrote: > If you want to have the same private key on several physical cards, > your only option is off-card generation, with import of the key > afterwards. 
I'm not a smartcard user (somehow the concept hasn't been able to convince me ... yet), but what you write really sounds rather strange. Essentially you're saying: no backup of a private key generated on/via a smartcard cannot be exported. Because if it could be exported, importing the key(s) in question just works. However, and I'm saying this quite frankly, if that is true (gurus may jump in any time :-), that really should one prevent from using smartcards at all. There just has to be a backup option in any given system, or else it's plain Russian roulette for its user(s). -- left blank, right bald -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060613/e60106b4/attachment.pgp From ml at mareichelt.de Tue Jun 13 19:03:42 2006 From: ml at mareichelt.de (markus reichelt) Date: Tue Jun 13 19:02:31 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613165517.GD26554@tatooine.rebelbase.local> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> <20060613165517.GD26554@tatooine.rebelbase.local> Message-ID: <20060613170342.GE26554@tatooine.rebelbase.local> * markus reichelt wrote: > Essentially you're saying: no backup of a private key generated > on/via a smartcard cannot be exported. Because if it could be > exported, importing the key(s) in question just works. Sorry, that was heat-induced and shall read of course as follows: Essentially you're saying: a private key generated on/via a smartcard cannot be exported, so no backup of the private key in question is possible. Because if the private key(s) could be exported, import of the key(s) in question just works without problems. The rest of my message still stands though. Bottom line, what's the use of importing to smartcards when no export from smartcards is possible? 
In other words: Why is the export of plain smartcard private keys prohibited in the first place? Additionally, why is importing of off-card generated private keys allowed then? Where's the difference? -- left blank, right bald winter wanted, NOW! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060613/31df36a1/attachment.pgp From ewrobinson at fedex.com Tue Jun 13 17:37:07 2006 From: ewrobinson at fedex.com (Eric Robinson) Date: Tue Jun 13 19:25:48 2006 Subject: False Decrypt Error... Message-ID: Is anyone familiar with the following error? Standard Error: gpg: WARNING: unsafe permissions on homedir "/opt/fxnet/gpg"gpg: WARNING: using insecure memory!gpg: please see http://www.gnupg.org/faq.html for more informationgpg: encrypted with 1024-bit ELG-E key, ID 07B01208, created 2004-07-14 "entsys (FedExNet GPG Key) "gpg: [don't know]: invalid packet (ctb=2f)gpg: WARNING: message was not integrity protected My tech guy says it has nothing to do with the 'WARNING: using insecure memory!' message, but it is the 'WARNING: message was not integrity protected' message....i have checked the FAQ's and found some info on the insecure memory that he says isn't the issue... The file actually DOES decrypt correctly but it's failing in our system because of the above. Ant help would be greatly appreciated Thanks, Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- (If you can read this, Thank a Teacher, If you can read this in English, Thank a Soldier.) From dshaw at jabberwocky.com Tue Jun 13 19:52:08 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jun 13 19:51:04 2006 Subject: False Decrypt Error... 
In-Reply-To: References: Message-ID: <20060613175208.GA25111@jabberwocky.com>

On Tue, Jun 13, 2006 at 10:37:07AM -0500, Eric Robinson wrote:
> Is anyone familiar with the following error?
>
> Standard Error: gpg: WARNING: unsafe permissions on homedir
> "/opt/fxnet/gpg"gpg: WARNING: using insecure memory!gpg: please see
> http://www.gnupg.org/faq.html for more informationgpg: encrypted with
> 1024-bit ELG-E key, ID 07B01208, created 2004-07-14 "entsys (FedExNet
> GPG Key) "gpg: [don't know]: invalid packet (ctb=2f)gpg: WARNING:
> message was not integrity protected
>
> My tech guy says it has nothing to do with the 'WARNING: using insecure
> memory!' message, but it is the 'WARNING: message was not integrity
> protected' message....i have checked the FAQ's and found some info on
> the insecure memory that he says isn't the issue...

You've got a bunch of warnings here. Let's take them one at a time:

> gpg: WARNING: unsafe permissions on homedir "/opt/fxnet/gpg"

Just what it says: the directory /opt/fxnet/gpg is writable by someone other than you. It's a good idea for you to fix it, but it isn't the cause of your problem.

> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information

GPG tries to lock a small amount of memory so you can't accidentally swap a passphrase out to disk. Depending on how you are using GPG, this may not be significant to you. Either way, it's not the cause of your problem.

> gpg: WARNING: message was not integrity protected

This means that there is no integrity protection packet on the message. There is a very difficult attack against the old PGP message format that the integrity protected format combats. This isn't the cause of your problem either.

> gpg: [don't know]: invalid packet (ctb=2f)

THIS is your problem. GPG found garbage in the message that could not be parsed. Since you say the message was decrypted correctly before the garbage was found, it's likely the garbage is at the end.
Is this an armored (i.e. "--- BEGIN PGP MESSAGE ---") message or binary (not printable ASCII)? David From home at tristanwilliams.com Tue Jun 13 19:46:48 2006 From: home at tristanwilliams.com (Tristan Williams) Date: Tue Jun 13 19:51:48 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613160757.GA5544@zax.ifi.uio.no> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> Message-ID: <20060613174647.GA1750@g3.spring.org> On 13Jun06 18:07, zvrba@globalnet.hr wrote: > On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote: > > I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart > > cards (smartA and smartB) and I want to verify that I can restore my > > on-card generated private key should I loose the master card > > (smartA). I only want to verify that I can do it - not discuss the > > merits of on-card vs. off-card key generation. > > > > I start with an empty ~/.gnupg > > > > For smartA I have > > > > (1) an on-card generated key > > > You can stop here. In order to use card B you need to transfer the PRIVATE > key from card A to card B. It is _impossible_ to export the private key > under any circumstances (minus backdoors/implementation bugs in the smart- > card software). Period. If you want to have the same private key on several > physical cards, your only option is off-card generation, with import of the > key afterwards. > > Then it makes me wonder what is the purpose of the off card backup file sk_X.gpg created when the original private key was created via the on-card method? I can appreciate there might be reasons for not permitting export of the private key from the card but I did expect that restoring a private key using the backup file made at key creation time would be possible. It looks like I was wrong in that thought. 
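The `invalid packet (ctb=2f)` failure that David Shaw attributes above to garbage after the last packet can be located before decryption by walking the OpenPGP packet framing, since the first octet of every packet must have bit 7 set. The following is an added example, not code from GnuPG or from any poster in this thread; it assumes a binary (non-armored) message, the function names are hypothetical, and the sample bytes are constructed.

```python
"""Walk OpenPGP packet framing and report where well-formed packets stop."""
import struct


def _new_length(data, pos):
    """Decode one new-format length header: (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True  # partial body chunk


def walk_packets(data):
    """Return (packets, stop_offset, reason) for a binary OpenPGP message.

    packets is a list of (offset, tag, body_length). stop_offset equals
    len(data) when the framing consumed the input exactly.
    """
    packets, pos = [], 0
    try:
        while pos < len(data):
            start, ctb = pos, data[pos]
            if not ctb & 0x80:  # bit 7 clear: not a packet header
                return packets, start, "invalid packet (ctb=%02x)" % ctb
            pos += 1
            if ctb & 0x40:  # new-format header
                tag, body = ctb & 0x3F, 0
                while True:
                    length, pos, partial = _new_length(data, pos)
                    body += length
                    pos += length
                    if not partial:
                        break
            else:  # old-format header
                tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
                if ltype == 3:  # indeterminate length: body runs to EOF
                    packets.append((start, tag, len(data) - pos))
                    return packets, len(data), "indeterminate length"
                size = (1, 2, 4)[ltype]
                body = int.from_bytes(data[pos:pos + size], "big")
                pos += size + body
            if pos > len(data):
                return packets, start, "truncated packet"
            packets.append((start, tag, body))
    except (IndexError, struct.error):
        return packets, start, "truncated packet header"
    return packets, pos, "ok"


def trailing_garbage(data):
    """Offset of the first byte after the last well-formed packet, or None."""
    _, stop, reason = walk_packets(data)
    return stop if reason.startswith("invalid packet") else None


def sample_message():
    """Constructed sample (dummy bodies, not real ciphertext)."""
    pkesk = bytes([0xC1, 10]) + bytes(10)        # new format, tag 1, 10 bytes
    sed = bytes([0xA5, 0x00, 0x14]) + bytes(20)  # old format, tag 9, 20 bytes
    return pkesk + sed


if __name__ == "__main__":
    # Constructed trailing bytes; 0x2f matches the ctb value in the error text.
    damaged = sample_message() + bytes([0x2F, 0x20, 0x20])
    packets, stop, reason = walk_packets(damaged)
    for offset, tag, length in packets:
        print("offset %d: tag %d, body %d bytes" % (offset, tag, length))
    print("stopped at offset %d: %s" % (stop, reason))
    print("bytes after last packet:", damaged[stop:].hex())
```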
From alifbaa at gmail.com Tue Jun 13 19:37:00 2006 From: alifbaa at gmail.com (alifbaa) Date: Tue Jun 13 19:54:02 2006 Subject: mime and pgp.asc Message-ID: <4851086.post@talk.nabble.com> I am currently using GPG 1.4.3 on my mac powerbook G4 OSX 10.4.6 I hope that this is the right forum to post this question, but when i send an email with attachment and encrypt and sign it, it converts the message into two attachments, one that says "mime-attachment" and one that says "pgp.asc". I don't want this. I want it to encrypt and sign it and it have an encrypted message at the top and an encrypted attachment at the bottom. I am currently sending these emails with the two attachments to a coworker with a PC that uses PGP and he cannot decrypt my emails. Any help would be greatly appreciated. -- View this message in context: http://www.nabble.com/mime-and-pgp.asc-t1781584.html#a4851086 Sent from the GnuPG - User forum at Nabble.com. From zvrba at globalnet.hr Tue Jun 13 19:41:44 2006 From: zvrba at globalnet.hr (zvrba@globalnet.hr) Date: Tue Jun 13 19:57:13 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613170342.GE26554@tatooine.rebelbase.local> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> <20060613165517.GD26554@tatooine.rebelbase.local> <20060613170342.GE26554@tatooine.rebelbase.local> Message-ID: <20060613174144.GD5544@zax.ifi.uio.no> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Tue, Jun 13, 2006 at 07:03:42PM +0200, markus reichelt wrote: > > Sorry, that was heat-induced and shall read of course as follows: > No need to apologize :) > > Essentially you're saying: a private key generated on/via a smartcard > cannot be exported, so no backup of the private key in question is > possible. Because if the private key(s) could be exported, import of > the key(s) in question just works without problems. > Exactly. If you want a smart-card that allows both export and import, then you don't have a problem. 
But this defeats the point of having a smart-card (a virus can wait until you authorize yourself to the card and unnoticed copy your private key to the attacker, for example).

>
> Bottom line, what's the use of importing to smartcards when no export
>

"Importing" means that you have an off-card key backup. If you don't have an off-card key backup (to import to another smart-card in case of theft or HW failure of the 1st card), *and* you've used that smart-card for decryption purposes... well, tough luck!

>
> from smartcards is possible? In other words: Why is the export of
> plain smartcard private keys prohibited in the first place?
>

Security. This is the point of having a smart-card. Not even the owner of the smart card knows the private key. You are _entitled_ to use it to perform private key operations (if you know the PIN), but you don't know the key itself. For example, some digital signature laws require such level of security (FIPS level 2 or better).

>
> Additionally, why is importing of off-card generated private keys
> allowed then? Where's the difference?
>

Backup. The difference being that importing an off-card generated private key may be "stolen" (either in transit to the smart card or from the disk) and thus doesn't provide the level of security required for some purposes (eg. non-repudiation digital signature).

IMHO, it's no great damage if you lose your signing key. Losing your decryption key is admittedly a problem that people think about usually only when it's too late.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEjvjYFtofFpCIfhMRA3QRAJwMS5FFIFs3F70pEVu2qPaQRc85ZACeJOwS tFCOWI5EscGStcPmu9e/dik= =8lVR -----END PGP SIGNATURE----- From zvrba at globalnet.hr Tue Jun 13 19:47:58 2006 From: zvrba at globalnet.hr (zvrba@globalnet.hr) Date: Tue Jun 13 20:03:24 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613165517.GD26554@tatooine.rebelbase.local> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> <20060613165517.GD26554@tatooine.rebelbase.local> Message-ID: <20060613174758.GE5544@zax.ifi.uio.no> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Tue, Jun 13, 2006 at 06:55:17PM +0200, markus reichelt wrote: > > I'm not a smartcard user (somehow the concept hasn't been able to > convince me ... yet), but what you write really sounds rather > strange. Essentially you're saying: no backup of a private key > generated on/via a smartcard cannot be exported. Because if it could > be exported, importing the key(s) in question just works. > Modulo more advanced cryptographic modules (not smart-cards!) which allow export of a wrapped (=encrypted) key to the file or another smart-card. The mechanisms are complicated; you can look for example at http://www.ncipher.com for an example of such device. They are both impractical (large and non-portable) and expensive (in the range of few thousand EUR). On the other hand, there are card-management systems (CMS) which generate private keys in *their own* cryptographic module and import it securely (over encrypted channel) into the smart-card; CMS saves the backup of the key in its own database aside (again, protected by some "master key" stored safely in the cryptographic module). Look at http://www.globalplatform.org/ for concrete mechanisms. Granted, the simplistic usage of smart-cards for encryption is a great opportunity to shoot oneself in the foot. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEjvpOFtofFpCIfhMRA3+pAJ92s9yd6gti+PzvaUF+uh/Wb30R5wCfboSo 3LfSNs5XliN4NTNMendtxW8= =kmTr -----END PGP SIGNATURE----- From tmz at pobox.com Tue Jun 13 20:19:38 2006 From: tmz at pobox.com (Todd Zullinger) Date: Tue Jun 13 20:30:42 2006 Subject: mime and pgp.asc In-Reply-To: <4851086.post@talk.nabble.com> References: <4851086.post@talk.nabble.com> Message-ID: <20060613181938.GE12965@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 alifbaa wrote: > I am currently using GPG 1.4.3 on my mac powerbook G4 OSX 10.4.6 I hope that > this is the right forum to post this question, but when i send an email with > attachment and encrypt and sign it, it converts the message into two > attachments, one that says "mime-attachment" and one that says "pgp.asc". I > don't want this. I want it to encrypt and sign it and it have an encrypted > message at the top and an encrypted attachment at the bottom. I am > currently sending these emails with the two attachments to a coworker with a > PC that uses PGP and he cannot decrypt my emails. Any help would be greatly > appreciated. It sounds like you are sending mail using the PGP/MIME format and your coworker's mail client can't handle that. What mail clients are you and your recipient using? What version of PGP is your coworker using? Knowing that, someone here may be able to let you know what, if any, settings scan be changed on either system to enable you to communicate. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== What it means to take rights seriously is that one will honor them even when there is a significant social cost in doing so. -- Ronald Dworkin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. 
iG0EARECAC0FAkSPAbomGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1rvIwCgtnOK0D6MSVwgGnopoaUHjSNLcd0AnArkRlBC 5ZazzBt0RhUjd9qLY4w5 =VR9o -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Jun 13 20:47:17 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jun 13 20:46:18 2006 Subject: False Decrypt Error... In-Reply-To: References: <20060613175208.GA25111@jabberwocky.com> Message-ID: <20060613184717.GC25111@jabberwocky.com> On Tue, Jun 13, 2006 at 01:40:51PM -0500, Eric Robinson wrote: > Hello David, > Thanks so much for responding... > > We have switched from PGP to GPG and we have some of our customers are still using PGP, > > ?PGP??N???? ? is the first part of the message. > > What you said below is suspicous, I did notice a null value 00, hex > 20 20, at the end of the file, I stripped it out and resubmitted it > and it processed fine. > > I will go on that assumption for now and edit these files that come > in and fail. If that's the case I'll get our development team > towrite a program to strip these out automatically before > decryption. Take a look at how you're transferring the files around. It's a very common problem where people use FTP in ascii mode to copy the files around and end up with them mangled. David From kloecker at kde.org Tue Jun 13 19:37:31 2006 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Tue Jun 13 20:55:49 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613170342.GE26554@tatooine.rebelbase.local> References: <20060613130126.GA1054@g3.spring.org> <20060613165517.GD26554@tatooine.rebelbase.local> <20060613170342.GE26554@tatooine.rebelbase.local> Message-ID: <200606131937.40422@erwin.ingo-kloecker.de> On Tuesday 13 June 2006 19:03, markus reichelt wrote: > * markus reichelt wrote: > > Essentially you're saying: no backup of a private key generated > > on/via a smartcard cannot be exported. Because if it could be > > exported, importing the key(s) in question just works. 
> > Sorry, that was heat-induced and shall read of course as follows: > > Essentially you're saying: a private key generated on/via a smartcard > cannot be exported, so no backup of the private key in question is > possible. Because if the private key(s) could be exported, import of > the key(s) in question just works without problems. > > The rest of my message still stands though. > > Bottom line, what's the use of importing to smartcards when no export > from smartcards is possible? Obviously, to be able to import keys which were generated off-card. Because some people don't seem to be able to sleep without a backup of the private key. > In other words: Why is the export of > plain smartcard private keys prohibited in the first place? Is that a trick question? Short answer: Security. Longer answer: It's prohibited because if nobody can export the private key from the smartcard then nobody can steal the private key without your knowledge. You would surely notice that your smartcard is missing but you might never know that some trojan horse has stolen your private key. > Additionally, why is importing of off-card generated private keys > allowed then? See above. Other use case: My key is signed by many people. If I couldn't import my key to a smartcard (well, I think I can't because it's no RSA key, but let's pretend for the moment that it were an importable key), then I'd have to regather all those signatures again for my new on-card generated key. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20060613/98564fe9/attachment.pgp From zvrba at globalnet.hr Tue Jun 13 20:53:19 2006 From: zvrba at globalnet.hr (zvrba@globalnet.hr) Date: Tue Jun 13 21:08:42 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613174647.GA1750@g3.spring.org> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> <20060613174647.GA1750@g3.spring.org> Message-ID: <20060613185319.GH5544@zax.ifi.uio.no> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Tue, Jun 13, 2006 at 06:46:48PM +0100, Tristan Williams wrote: > > Then it makes me wonder what is the purpose of the off card backup > file sk_X.gpg created when the original private key was created via > the on-card method? > Huh, according to the OpenPGP card specification v1.1, the GENERATE KEY command returns only the public part of the key. If the backup file really contains the private key, then the key is _not_ generated on the card, even though you believe that it is. Look for yourself here: http://g10code.com/docs/openpgp-card-1.1.pdf in section 7.2.11 at page 38. Have you checked what is inside the "backup" file? Of course, I might be wrong, but publicly available sources seem to tell that I'm right. 
I tried to dig into the gnupg source to see what is really happening, but it's too large :/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEjwmfFtofFpCIfhMRA+O8AJwNTSdBzCBGPmJX6Sh6XqzJejTYLACdEfVI PdagoBhaeMOdwjq1AfYR0D4= =0vOZ -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Jun 13 21:18:48 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jun 13 21:17:38 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613174647.GA1750@g3.spring.org> References: <20060613130126.GA1054@g3.spring.org> <20060613160757.GA5544@zax.ifi.uio.no> <20060613174647.GA1750@g3.spring.org> Message-ID: <20060613191848.GD25111@jabberwocky.com> On Tue, Jun 13, 2006 at 06:46:48PM +0100, Tristan Williams wrote: > On 13Jun06 18:07, zvrba@globalnet.hr wrote: > > On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote: > > > I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart > > > cards (smartA and smartB) and I want to verify that I can restore my > > > on-card generated private key should I loose the master card > > > (smartA). I only want to verify that I can do it - not discuss the > > > merits of on-card vs. off-card key generation. > > > > > > I start with an empty ~/.gnupg > > > > > > For smartA I have > > > > > > (1) an on-card generated key > > > > > You can stop here. In order to use card B you need to transfer the PRIVATE > > key from card A to card B. It is _impossible_ to export the private key > > under any circumstances (minus backdoors/implementation bugs in the smart- > > card software). Period. If you want to have the same private key on several > > physical cards, your only option is off-card generation, with import of the > > key afterwards. > > > > > > Then it makes me wonder what is the purpose of the off card backup > file sk_X.gpg created when the original private key was created via > the on-card method? 
I can appreciate there might be reasons for not > permitting export of the private key from the card but I did expect > that restoring a private key using the backup file made at key > creation time would be possible. It looks like I was wrong in that > thought. There is a little misunderstanding here. When you generate a card key with off-card backup, the key is not generated via the on-card method. The key is generated like any other key, and then uploaded to the card (and saved to the backup file). The card does not allow reading a secret key off the card, so if you really generated it on-card, there would be no way of making the backup file. David From dshaw at jabberwocky.com Tue Jun 13 21:37:37 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jun 13 21:36:29 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613130126.GA1054@g3.spring.org> References: <20060613130126.GA1054@g3.spring.org> Message-ID: <20060613193737.GE25111@jabberwocky.com> On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote: > I am experimenting with the OpenPGP smartcard. I have two OpenPGP smart > cards (smartA and smartB) and I want to verify that I can restore my > on-card generated private key should I loose the master card > (smartA). I only want to verify that I can do it - not discuss the > merits of on-card vs. off-card key generation. > > I start with an empty ~/.gnupg > > For smartA I have > > (1) an on-card generated key > (2) the backup file created ~/.gnupg/sk_X.gpg at key generation > (3) a backup of ~/.gnupg/secring.gpg when the > (4) a file with the exported associated public key > (5) a test file encrypted with above public key which decrypts with smartA > (6) the pass phrase used at key generation > (7) second OpenPGP smartcard (smartB) > > I then I imagine that I have lost my card (smartA), my computer hard disk has > died and I have to restore to a fresh new gpg environment (i.e. 
no > ~/.gnupg) and smartB > > I then issues these commands > > gpg --list-keys > which creates ~/.gnupg and various files within it. > > gpg --import public_key.asc > using (4) from my backups > > gpg --list-keys > shows that the public key has been imported > > I then copy my backup secring.gpg to ~/.gnugpg > > gpg --edit-key KEYID > shows that the secret key is present > > gpg --list-secret-keys > shows that the secret key is linked to card-no smartA > > gpg --edit-key KEYID > toggle > bkuptocard sk_X.gpg > > choose the (1) the signature > replace existing key yes > enter pass phrase > save changes yes > > Now > > gpg --list-keys > shows the key still linked to card-no smartA and not smartB > > any action needing the private key using smartB results in gpg > requesting that you put in smartA (which is lost...) Try this: do everything you did above, but at the end, delete the secret key stub: gpg --delete-secret-keys KEYID (or gpg --edit-key, toggle, and delkey if you're doing just a subkey). And now recreate the stub: gpg --card-edit I don't have my card with me so I can't test this, but it should do what you want. David From home at tristanwilliams.com Tue Jun 13 22:17:39 2006 From: home at tristanwilliams.com (Tristan Williams) Date: Tue Jun 13 22:17:52 2006 Subject: OpenPGP smartcard restore In-Reply-To: <20060613193737.GE25111@jabberwocky.com> References: <20060613130126.GA1054@g3.spring.org> <20060613193737.GE25111@jabberwocky.com> Message-ID: <102A3547-EEF6-4B47-8507-938215601ED5@tristanwilliams.com> On 13 Jun 2006, at 20:37, David Shaw wrote: > On Tue, Jun 13, 2006 at 02:01:27PM +0100, Tristan Williams wrote: >> I am experimenting with the OpenPGP smartcard. I have two OpenPGP >> smart >> cards (smartA and smartB) and I want to verify that I can restore my >> on-card generated private key should I loose the master card >> (smartA). I only want to verify that I can do it - not discuss the >> merits of on-card vs. off-card key generation. 
>> >> I start with an empty ~/.gnupg >> >> For smartA I have >> >> (1) an on-card generated key >> (2) the backup file created ~/.gnupg/sk_X.gpg at key generation >> (3) a backup of ~/.gnupg/secring.gpg when the >> (4) a file with the exported associated public key >> (5) a test file encrypted with above public key which decrypts >> with smartA >> (6) the pass phrase used at key generation >> (7) second OpenPGP smartcard (smartB) >> >> I then I imagine that I have lost my card (smartA), my computer >> hard disk has >> died and I have to restore to a fresh new gpg environment (i.e. no >> ~/.gnupg) and smartB >> >> I then issues these commands >> >> gpg --list-keys >> which creates ~/.gnupg and various files within it. >> >> gpg --import public_key.asc >> using (4) from my backups >> >> gpg --list-keys >> shows that the public key has been imported >> >> I then copy my backup secring.gpg to ~/.gnugpg >> >> gpg --edit-key KEYID >> shows that the secret key is present >> >> gpg --list-secret-keys >> shows that the secret key is linked to card-no smartA >> >> gpg --edit-key KEYID >> toggle >> bkuptocard sk_X.gpg >> >> choose the (1) the signature >> replace existing key yes >> enter pass phrase >> save changes yes >> >> Now >> >> gpg --list-keys >> shows the key still linked to card-no smartA and not smartB >> >> any action needing the private key using smartB results in gpg >> requesting that you put in smartA (which is lost...) > > Try this: do everything you did above, but at the end, delete the > secret key stub: > > gpg --delete-secret-keys KEYID > > (or gpg --edit-key, toggle, and delkey if you're doing just a subkey). > > And now recreate the stub: > > gpg --card-edit > > I don't have my card with me so I can't test this, but it should do > what you want. > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users It works as you suggested. 
gpg is now happy with smartB (and longer asks for smartA). The file I encrypted with the public key is decrypted correctly. gpg now references smartB not smartA when listing keys. So what is in sk_X.gpg if it is not a standalone importable secret key? Thanks and regards, Tristan Williams From dshaw at jabberwocky.com Tue Jun 13 22:49:52 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jun 13 22:48:48 2006 Subject: OpenPGP smartcard restore In-Reply-To: <102A3547-EEF6-4B47-8507-938215601ED5@tristanwilliams.com> References: <20060613130126.GA1054@g3.spring.org> <20060613193737.GE25111@jabberwocky.com> <102A3547-EEF6-4B47-8507-938215601ED5@tristanwilliams.com> Message-ID: <20060613204952.GF25111@jabberwocky.com> On Tue, Jun 13, 2006 at 09:17:39PM +0100, Tristan Williams wrote: > It works as you suggested. > > gpg is now happy with smartB (and longer asks for smartA). The file > I encrypted with the public key is decrypted correctly. > gpg now references smartB not smartA when listing keys. > > So what is in sk_X.gpg if it is not a standalone importable secret key? It is a standalone importable secret key, just as you thought. David From ewrobinson at fedex.com Tue Jun 13 20:51:03 2006 From: ewrobinson at fedex.com (Eric Robinson) Date: Tue Jun 13 23:31:15 2006 Subject: False Decrypt Error... In-Reply-To: <20060613184717.GC25111@jabberwocky.com> Message-ID: Ok, will do, in this case they send 10 files each day and maybe 1 a week errors out like this... Thanks again, Eric ------------------------------------- Eric Robinson Business Application Advisor FedEx Corporate Services Internet Engineering & EC Integration 901.263.5749 ------------------------------------- -----Original Message----- From: David Shaw [mailto:dshaw@jabberwocky.com] Sent: Tuesday, June 13, 2006 1:47 PM To: Eric Robinson Cc: gnupg-users@gnupg.org Subject: Re: False Decrypt Error... 
On Tue, Jun 13, 2006 at 01:40:51PM -0500, Eric Robinson wrote:
> Hello David,
> Thanks so much for responding...
>
> We have switched from PGP to GPG and we have some of our customers are
> still using PGP,
>
> ?PGP??N???? ? is the first part of the message.
>
> What you said below is suspicious, I did notice a null value 00, hex 20
> 20, at the end of the file, I stripped it out and resubmitted it and
> it processed fine.
>
> I will go on that assumption for now and edit these files that come in
> and fail. If that's the case I'll get our development team to write a
> program to strip these out automatically before decryption.

Take a look at how you're transferring the files around. It's a very common problem where people use FTP in ascii mode to copy the files around and end up with them mangled.

David

From johanw at vulcan.xs4all.nl Wed Jun 14 01:30:52 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Jun 14 01:43:01 2006
Subject: Corrupting files
In-Reply-To: <20060612050501.27892.qmail@smasher.org>
Message-ID: <200606132330.k5DNUqUs021674@vulcan.xs4all.nl>

Atom Smasher wrote:

>btw, what's the threat model where this is advantageous?

I can imagine it might be used for plausible deniability: if some law enforcement agency would force you to decrypt the message, you could claim you can't and you didn't read it anyway because it's corrupted.

Of course, this might be automated in a hacked copy of gpg instead of hand-editing a file. Also safer since it leaves no intermediate evidence around on your harddisk. Of course it would be better to store the changed source code somewhere safe.

Might work against police drones, employers, etc. The NSA is unlikely to be fooled by such a scheme.

--
ir. J.C.A.
Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From ewrobinson at fedex.com Tue Jun 13 20:40:51 2006
From: ewrobinson at fedex.com (Eric Robinson)
Date: Wed Jun 14 06:39:12 2006
Subject: False Decrypt Error...
In-Reply-To: <20060613175208.GA25111@jabberwocky.com>
Message-ID:

Hello David,
Thanks so much for responding...

We have switched from PGP to GPG and we have some of our customers are still using PGP,

?PGP??N???? ? is the first part of the message.

What you said below is suspicious, I did notice a null value 00, hex 20 20, at the end of the file, I stripped it out and resubmitted it and it processed fine.

I will go on that assumption for now and edit these files that come in and fail. If that's the case I'll get our development team to write a program to strip these out automatically before decryption.

Thanks for your time in this.

Eric
-------------------------------------
Eric Robinson
Business Application Advisor
FedEx Corporate Services
Internet Engineering & EC Integration
901.263.5749
-------------------------------------

-----Original Message-----
From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw
Sent: Tuesday, June 13, 2006 12:52 PM
To: gnupg-users@gnupg.org
Subject: Re: False Decrypt Error...

On Tue, Jun 13, 2006 at 10:37:07AM -0500, Eric Robinson wrote:
> Is anyone familiar with the following error?
>
> Standard Error: gpg: WARNING: unsafe permissions on homedir
> "/opt/fxnet/gpg"gpg: WARNING: using insecure memory!gpg: please see
> http://www.gnupg.org/faq.html for more informationgpg: encrypted with
> 1024-bit ELG-E key, ID 07B01208, created 2004-07-14 "entsys (FedExNet
> GPG Key) "gpg: [don't know]: invalid packet (ctb=2f)gpg: WARNING:
> message was not integrity protected
>
> My tech guy says it has nothing to do with the 'WARNING: using
> insecure memory!'
message, but it is the 'WARNING: message was not
> integrity protected' message....i have checked the FAQ's and found
> some info on the insecure memory that he says isn't the issue...

You've got a bunch of warnings here. Let's take them one at a time:

> gpg: WARNING: unsafe permissions on homedir "/opt/fxnet/gpg"

Just what it says: the directory /opt/fxnet/gpg is writable by someone other than you. It's a good idea for you to fix it, but it isn't the cause of your problem.

> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information

GPG tries to lock a small amount of memory so you can't accidentally swap a passphrase out to disk. Depending on how you are using GPG, this may not be significant to you. Either way, it's not the cause of your problem.

> gpg: WARNING: message was not integrity protected

This means that there is no integrity protection packet on the message. There is a very difficult attack against the old PGP message format that the integrity protected format combats. This isn't the cause of your problem either.

> gpg: [don't know]: invalid packet (ctb=2f)

THIS is your problem. GPG found garbage in the message that could not be parsed. Since you say the message was decrypted correctly before the garbage was found, it's likely the garbage is at the end.

Is this an armored (i.e. "--- BEGIN PGP MESSAGE ---") message or binary (not printable ASCII)?

David

From alphasigmax at gmail.com Wed Jun 14 09:25:19 2006
From: alphasigmax at gmail.com (Alphax)
Date: Wed Jun 14 09:26:18 2006
Subject: False Decrypt Error...
In-Reply-To:
References:
Message-ID: <448FB9DF.8060908@gmail.com>

Eric Robinson wrote:
> Hello David, Thanks so much for responding...
>
> We have switched from PGP to GPG and we have some of our customers
> are still using PGP,
>
> ?PGP??N???? ?
is the first part of the message.
>

Ask your customers to make sure their messages are ASCII-armored - not sure how to set this with the PGP GUI versions, but for the command line version the manual says:

> To produce a ciphertext file in ASCII radix-64 format,
> just add the -a option when encrypting or signing a
> message or extracting a key:
> pgp -sea textfile her_userid
> pgp -kxa userid keyfile [keyring]

HTH,
--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From home at tristanwilliams.com Wed Jun 14 11:07:27 2006
From: home at tristanwilliams.com (Tristan Williams)
Date: Wed Jun 14 11:12:26 2006
Subject: OpenPGP smartcard restore
In-Reply-To: <20060613204952.GF25111@jabberwocky.com>
References: <20060613130126.GA1054@g3.spring.org> <20060613193737.GE25111@jabberwocky.com> <102A3547-EEF6-4B47-8507-938215601ED5@tristanwilliams.com> <20060613204952.GF25111@jabberwocky.com>
Message-ID: <20060614090727.GA522@g3.spring.org>

On 13Jun06 16:49, David Shaw wrote:
> On Tue, Jun 13, 2006 at 09:17:39PM +0100, Tristan Williams wrote:
>
> > It works as you suggested.
> >
> > gpg is now happy with smartB (and no longer asks for smartA). The file
> > I encrypted with the public key is decrypted correctly.
> > gpg now references smartB not smartA when listing keys.
> >
> > So what is in sk_X.gpg if it is not a standalone importable secret key?
>
> It is a standalone importable secret key, just as you thought.
>
> David

On closer inspection it appears that only the encryption key gets transferred to the new card (smartB) using the above. So I can decrypt but not sign.

Tristan

From ralfhauser at gmx.ch Thu Jun 15 07:14:57 2006
From: ralfhauser at gmx.ch (Ralf Hauser)
Date: Thu Jun 15 09:26:30 2006
Subject: how to authenticate an ldaps keyserver lookup
In-Reply-To: <20060607165947.GA15101@jabberwocky.com>
Message-ID: <002e01c6903a$a4d20cd0$2201a8c0@AcerRalf>

David,

Thanks - your hint on v1.4.3 solved the bind problem.
>
> Furthermore, when trying to do that with apache's ldap server, it did
> not like the SSL it got from my gpg
> (http://issues.apache.org/jira/browse/DIR-185).
>
> Try adding "keyserver-options debug=1" and running it again to get
> some idea what GPG is seeing.
Since I didn't find a 1.4.3 version for Linux or windows with TLS support enabled, I am doing my other experiments with cygwin 1.4.2 version (without the bind).

The "unknown_ca" error (reported in the above issue tracker 185) I saw on the server (directory.apache.org) side apparently was issued by the gpg client.

For other ldapclients such as EQ or command-line ldapsearch, we solved that by creating a ~/.ldaprc file and either adding the server key with
TLS_CACERT /path/to/cacert.pem
or reducing the protection by adding
TLS_REQCERT never

Unfortunately, with gpg, this did not help. Putting the same into /etc/ldap/ldap.conf as per http://marc.theaimsgroup.com/?l=gnupg-users&m=109095590410758&w=2 didn't do it either.

So my log now is:
Ralf Hauser@Acer_Ralf:/etc/ldap> gpg.1.4.2.1 --keyserver ldaps://localhost:2636 --keyserver-options 'binddn="dn=micky"' --keyserver-options "debug=5" --keyserver-options bindpw=mouse --search-keys Test
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "Test" from ldaps server localhost
gpgkeys: debug level 5
ldap_create
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:2636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:2636
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 0, err: 18, subject: /DC=com/DC=netcetera/emailAddress=vlatkogj@domain.com.mk, issuer: /DC=com/DC=netcetera/emailAddress=vlatkogj@domain.com.mk
TLS certificate verification: Error, self signed certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
gpgkeys: unable to retrieve LDAP base: Can't contact LDAP server
gpg: key "Test" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

Any hints would still be highly appreciated

Ralf

From ralfhauser at gmx.ch Thu Jun 15 12:14:22 2006
From: ralfhauser at gmx.ch (Ralf Hauser)
Date: Thu Jun 15 12:13:53 2006
Subject: searching for a key with gpg ldap
In-Reply-To: <20060607165947.GA15101@jabberwocky.com>
Message-ID: <007101c69064$7a016940$2101a8c0@AcerRalf>

Hi,

Leaving the TLS/SSL problem from the previous mail aside, with

gpg.1.4.3 --keyserver ldap://localhost:2389 --keyserver-options 'binddn="dn=micky"' --keyserver-options "debug=5" --keyserver-options bindpw=mouse --search-keys Test

on windows, a nice "bind" succeeds and the serverInfo is queried with success.

But then gpg presents:
filter : '(pgpdisabled=0)

all others (e.g. http://sourceforge.net/projects/jxplorer/), however ask for
filter: (pgpUserID=*test*)

Looking at the below 1.4.2. debug output, it appears that the first half of the query
"(&(pgpuserid=*Test*)(pgpdisabled=0))"

Never reaches my ldap server (directory.apache.org).

So, the questions are:
1) why doesn't gpg ask for the REAL SEARCH STRING ("pgpuserid=*Test*")?
2) what response might my ldap server give to "pgpdisabled=0" to satisfy gpg such that it might ask me also about "*Test*" in a following query.
Unsuccessful attempts are:
- an empty result causes the gpg client to terminate the search
- returning an arbitrary key causes it to present that one and then stop search too
- listing all keys irrespective of whether they contain "Test" or not is against the policy of our server

Somehow "pgpdisabled=0" to me looks like "dear server, give me all keys you don't consider as disabled"?

On the gpg side, the output of v1.4.3.
is:
gpg: searching for "Test" from ldap server localhost
gpgkeys: not built with debugging support
search type is 0, and key is "Test"
gpg: key "Test" not found on keyserver

Any hints are highly appreciated!

Ralf

P.S.: Version 1.4.2 (cygwin) output is probably more helpful:
Gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "Test" from ldap server localhost
gpgkeys: debug level 5
ldap_create
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:2389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:2389
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_open_defconn: successful
ldap_send_server_request
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:13 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type search-entry msgid 1, original id 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:13 2006
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
* msgid 1, type 100
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type search-result msgid 1, original id 1
new result:
res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ldap_get_values
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 2
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 2
wait4msg continue, msgid 2, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:14 2006
** Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=2, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 2, all 1
ldap_read: message type search-result msgid 2, original id 2
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 2
new result: res_errno: 32, res_error: , res_matched:
read1msg: 0 new referrals
read1msg: mark request completed, id = 2
request 2 done
res_errno: 32, res_error: , res_matched:
ldap_free_request (origid 2, msgid 2)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_search
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 3
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:14 2006
** Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 3, all 1
ldap_read: message type search-entry msgid 3, original id 3
wait4msg continue, msgid 3, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:14 2006
** Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
* msgid 3, type 100
ldap_chkResponseList for msgid=3, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 3, all 1
ldap_read: message type search-result msgid 3, original id 3
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 3
request 3 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 3 type 101:
ldap_parse_result
ldap_get_values
ldap_msgfree
ldap_msgfree
ldap_search
put_filter: "(&(pgpuserid=*Test*)(pgpdisabled=0))"
put_filter: AND
put_filter_list "(pgpuserid=*Test*)(pgpdisabled=0)"
put_filter: "(pgpuserid=*Test*)"
put_filter: simple
put_simple_filter: "pgpuserid=*Test*"
put_substring_filter "pgpuserid=*Test*"
put_filter: "(pgpdisabled=0)"
put_filter: simple
put_simple_filter: "pgpdisabled=0"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 4
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 4
wait4msg continue, msgid 4, all 1
** Connections:
* host: localhost port: 2389 (default)
refcnt: 2 status: Connected
last used: Thu Jun 15 07:41:14 2006
** Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=4, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 4, all 1
ldap_read: message type search-result msgid 4, original id 4
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 4
request 4 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 4, msgid 4)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
gpg: key "Test" not found on keyserver

From dshaw at jabberwocky.com Thu Jun 15 14:03:23 2006
From: dshaw at jabberwocky.com ('David Shaw')
Date: Thu Jun 15 14:02:22 2006
Subject: how to authenticate an ldaps keyserver lookup
In-Reply-To: <002e01c6903a$a4d20cd0$2201a8c0@AcerRalf>
References: <20060607165947.GA15101@jabberwocky.com> <002e01c6903a$a4d20cd0$2201a8c0@AcerRalf>
Message-ID: <20060615120323.GA28184@jabberwocky.com>

On Thu, Jun 15, 2006 at 07:14:57AM +0200, Ralf Hauser wrote:
> David,
>
> Thanks - your hint on v1.4.3 solved the bind problem.
> >
> > Furthermore, when trying to do that with apache's ldap server, it did
> > not like the SSL it got from my gpg
> > (http://issues.apache.org/jira/browse/DIR-185).
> >
> > Try adding "keyserver-options debug=1" and running it again to get
> > some idea what GPG is seeing.
> Since I didn't find a 1.4.3 version for Linux or windows with TLS support enabled, I am doing my other experiments with cygwin 1.4.2 version (without the bind).
>
> The "unknown_ca" error (reported in the above issue tracker 185) I saw on the server (directory.apache.org) side apparently was issued by the gpg client.
>
> For other ldapclients such as EQ or command-line ldapsearch, we solved that by creating a ~/.ldaprc file and either adding the server key with
> TLS_CACERT /path/to/cacert.pem

keyserver-options ca-cert-file=/path/to/cacert.pem

> or reducing the protection by adding
> TLS_REQCERT never

keyserver-options no-check-cert

Again, though, these are 1.4.3 features. They won't work on your 1.4.2.

David

From dshaw at jabberwocky.com Thu Jun 15 14:12:52 2006
From: dshaw at jabberwocky.com ('David Shaw')
Date: Thu Jun 15 14:11:49 2006
Subject: searching for a key with gpg ldap
In-Reply-To: <007101c69064$7a016940$2101a8c0@AcerRalf>
References: <20060607165947.GA15101@jabberwocky.com> <007101c69064$7a016940$2101a8c0@AcerRalf>
Message-ID: <20060615121252.GB28184@jabberwocky.com>

On Thu, Jun 15, 2006 at 12:14:22PM +0200, Ralf Hauser wrote:
> Hi,
>
> Leaving the TLS/SSL problem from the previous mail aside, with
>
> gpg.1.4.3 --keyserver ldap://localhost:2389 --keyserver-options 'binddn="dn=micky"' --keyserver-options "debug=5" --keyserver-options bindpw=mouse --search-keys Test
>
> on windows, a nice "bind" succeeds and the serverInfo is queried with success.
>
> But then gpg presents:
> filter : '(pgpdisabled=0)
>
> all others (e.g. http://sourceforge.net/projects/jxplorer/), however ask for
> filter: (pgpUserID=*test*)
>
> Looking at the below 1.4.2. debug output, it appears that the first half of the query
> "(&(pgpuserid=*Test*)(pgpdisabled=0))"
>
> Never reaches my ldap server (directory.apache.org).

This is a misunderstanding of what the logs are saying. The LDAP library is doing a logical AND between (pgpuserid=*Test*) and (pgpdisabled=0). You just don't have any records that have pgpDisabled being equal to 0.

The pgpDisabled field is part of the PGP LDAP schema. Are you using this schema? If not, you're likely to hit many other compatibility problems like this.

> Somehow "pgpdisabled=0" to me looks like "dear server, give me all
> keys you don't consider as disabled"?

Yes. That's exactly what it means. If you want to include all (even disabled) keys, then use:

keyserver-options include-disabled

David

From ashok.musuvathy at gs.com Fri Jun 16 11:52:39 2006
From: ashok.musuvathy at gs.com (Ash M)
Date: Fri Jun 16 12:02:20 2006
Subject: PGP to GnuPG
Message-ID: <4897782.post@talk.nabble.com>

Hi,

I am working on a project to convert PGP keys to GnuPG.
Most of the keys created recently have successfully been migrated but I am unable to migrate the ones created using PGP Version: 4.0 Business Edition.

The error I get is: ( gpg version 1.4.2 )
$ gpg --import pubkey.pub.asc
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: key 390CA571: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg: w/o user IDs: 1

Following is the output from pgp for the same key:
$ pgp -kvv 0x390CA571
Looking for user ID "0x390CA571".
Type bits keyID Date User ID
RSA 1024 0x390CA571 2003/09/24 KKK
sig 0xCC7AB923 MFF user
1 matching key found.

I have heard that there are compatibility issues between GnuPG and older versions of PGP but is there any way of getting around this ?
Any help would be well appreciated.

Thanks
Ash
--
View this message in context: http://www.nabble.com/PGP-to-GnuPG-t1797288.html#a4897782
Sent from the GnuPG - User forum at Nabble.com.

From alphasigmax at gmail.com Fri Jun 16 12:44:01 2006
From: alphasigmax at gmail.com (Alphax)
Date: Fri Jun 16 12:45:04 2006
Subject: PGP to GnuPG
In-Reply-To: <4897782.post@talk.nabble.com>
References: <4897782.post@talk.nabble.com>
Message-ID: <44928B71.6090900@gmail.com>

Ash M wrote:
> Hi,
>
> I am working on a project to convert PGP keys to GnuPG.
> Most of the keys created recently have successfully been migrated but I am
> unable to migrate the ones created using PGP Version: 4.0 Business Edition.
>
> The error I get is: ( gpg version 1.4.2 )
> $ gpg --import pubkey.pub.asc
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: key 390CA571: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg: w/o user IDs: 1
>
> Following is the output from pgp for the same key:
> $ pgp -kvv 0x390CA571
> Looking for user ID "0x390CA571".
> Type bits keyID Date User ID
> RSA 1024 0x390CA571 2003/09/24 KKK
> sig 0xCC7AB923 MFF user
> 1 matching key found.
>
> I have heard that there are compatibility issues between GnuPG and older
> versions of PGP but is there any way of getting around this ?
> Any help would be well appreciated.
>

If you still have the secret key, you can have the key sign itself and then this error will not occur. Otherwise, you can use the option in GnuPG --allow-non-selfsigned-uid to import the key, and then have it sign itself.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From ashok.musuvathy at gs.com Fri Jun 16 14:56:08 2006
From: ashok.musuvathy at gs.com (Musuvathy, Ashok)
Date: Fri Jun 16 16:56:02 2006
Subject: PGP to GnuPG
In-Reply-To: <44928B71.6090900@gmail.com>
Message-ID: <92DF157A152AFE499293DCDBCF81A10D011ECD1B@gsmblnp01es.firmwide.corp.gs.com>

Thanks,

I do have the secret keys, could you provide me the pgp command for self-signing ?
Should I do this using pgp -ke for each one of them ? ( Have around 50 such keys to be migrated )

Gpg is able to load the key with "--allow-non-selfsigned-uid" but is unable to use the key for encryption - I guess this will be fixed once I self sign the key and load into gpg ring.

Rgds
Ashok

-----Original Message-----
From: Alphax [mailto:alphasigmax@gmail.com]
Sent: Friday, June 16, 2006 11:44 AM
To: Musuvathy, Ashok
Cc: gnupg-users@gnupg.org
Subject: Re: PGP to GnuPG

Ash M wrote:
> Hi,
>
> I am working on a project to convert PGP keys to GnuPG.
> Most of the keys created recently have successfully been migrated but I am
> unable to migrate the ones created using PGP Version: 4.0 Business Edition.
>
> The error I get is: ( gpg version 1.4.2 )
> $ gpg --import pubkey.pub.asc
> gpg: WARNING: using insecure memory!
> gpg: please see http://www.gnupg.org/faq.html for more information
> gpg: key 390CA571: no valid user IDs
> gpg: this may be caused by a missing self-signature
> gpg: Total number processed: 1
> gpg: w/o user IDs: 1
>
> Following is the output from pgp for the same key:
> $ pgp -kvv 0x390CA571
> Looking for user ID "0x390CA571".
> Type bits keyID Date User ID
> RSA 1024 0x390CA571 2003/09/24 KKK
> sig 0xCC7AB923 MFF user
> 1 matching key found.
>
> I have heard that there are compatibility issues between GnuPG and older
> versions of PGP but is there any way of getting around this ?
> Any help would be well appreciated.
>

If you still have the secret key, you can have the key sign itself and then this error will not occur. Otherwise, you can use the option in GnuPG --allow-non-selfsigned-uid to import the key, and then have it sign itself.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From j.lysdal at gmail.com Sat Jun 17 16:27:38 2006
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Sat Jun 17 17:25:56 2006
Subject: personal-cipher/digest-preferences
Message-ID: <4494115A.4050005@gmail.com>

If i understand the gpg.man correctly..

The "--personal-cipher-preferences" does only have an effect when encrypting to more than one recipient, (besides from symmetrical encryption algo selection)

and

the "--personal-digest-preferences" only when encrypting and signing to more than one recipient. Am I right?

What does it mean to "factor in their own preferred algorithms when algorithms are chosen via recipient key preferences."

Does it mean that, when i encrypt to a key that has, lets say AES TWOFISH, and i use --personal-cipher-preferences TWOFISH AES, is the message TWOFISH encrypted andgb

Is there any place i can read in detail how this works?

- Jorgen
j.lysdal(at)gmail.com / 0x01331B97

From johnmoore3rd at joimail.com Sat Jun 17 17:57:23 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Sat Jun 17 17:56:15 2006
Subject: personal-cipher/digest-preferences
In-Reply-To: <4494115A.4050005@gmail.com>
References: <4494115A.4050005@gmail.com>
Message-ID: <44942663.6090905@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jørgen Lysdal wrote:
> If i understand the gpg.man correctly..
>
> The "--personal-cipher-preferences" does only have an effect when
> encrypting to more than one recipient, (besides from symmetrical
> encryption algo selection)
>
> and
>
> the "--personal-digest-preferences" only when encrypting and signing
> to more than one recipient. Am I right?
>
> What does it mean to "factor in their own preferred algorithms when
> algorithms are chosen via recipient key preferences."
>
> Does it mean that, when i encrypt to a key that has, lets say AES
> TWOFISH, and i use --personal-cipher-preferences TWOFISH AES, is the
> message TWOFISH encrypted andgb

Well, Yes & No. Your personal-preferences are just that. These are the ciphers & digests you prefer using. When Encrypting to *one* other Key or Many, GnuPG will compare Your preferences to the ones the recipient(s) have indicated on their Key are theirs. GnuPG will then accommodate all Recipient(s).

In your example the message would be Encrypted using Twofish. This is because you are doing the Encrypting and this is what You *prefer* and the recipient has shown that s/he can handle Twofish. Should they click 'Reply' and email you back, it would be Encrypted using AES since they are originating the Encryption and that's their preference and you have indicated you find AES acceptable.

In the case of multiple recipients/Keys, GnuPG will determine the common denominator. This is why in large Group Encryption environments you will most likely see SHA1 used as the Hash. It's "common" to every engine.
In encryption you will generally find 3DES used as the cipher for the same reason.

JOHN ;)
Timestamp: Saturday 17 Jun 2006, 11:56 --400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-svn4159: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Sat Jun 17 18:09:06 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Jun 17 18:07:56 2006
Subject: personal-cipher/digest-preferences
In-Reply-To: <4494115A.4050005@gmail.com>
References: <4494115A.4050005@gmail.com>
Message-ID: <20060617160906.GC13280@jabberwocky.com>

On Sat, Jun 17, 2006 at 04:27:38PM +0200, Jørgen Lysdal wrote:
> If i understand the gpg.man correctly..
>
> The "--personal-cipher-preferences" does only have an effect when
> encrypting to more than one recipient, (besides from symmetrical
> encryption algo selection)

Not exactly. It even takes effect when you're encrypting to one recipient. Let's say that recipient asked for CAST5 and you don't have CAST5 in your personal-cipher-preferences. In that case, GPG will keep looking for a better match.

> the "--personal-digest-preferences" only when encrypting and signing
> to more than one recipient. Am I right?

Same as above.

> What does it mean to "factor in their own preferred algorithms when
> algorithms are chosen via recipient key preferences."
>
> Does it mean that, when I encrypt to a key that has, let's say AES
> TWOFISH, and I use --personal-cipher-preferences TWOFISH AES, is the
> message TWOFISH encrypted andgb

Yes.

David

From michael at vorlon.ping.de Sat Jun 17 23:11:58 2006
From: michael at vorlon.ping.de (Michael Bienia)
Date: Sat Jun 17 23:11:00 2006
Subject: Problem with decrypting a mail with an openpgp card
In-Reply-To: <20060605164956.GA14389@vorlon.ping.de>
References: <20060605164956.GA14389@vorlon.ping.de>
Message-ID: <20060617211158.GB20239@vorlon.ping.de>

On 2006-06-05 18:49:56 +0200, Michael Bienia wrote:
> Hello,
>
> I've once again a problem with decrypting a mail with my openpgp card.
> The used subkey is my encryption key so it should work theoretically.
> The output of gnupg (with gnupg-agent) is:
> ,----
> | gpg: armor header: Version: GnuPG v1.4.1 (GNU/Linux)
> | gpg: public key is AF58F2B4
> | gpg: using subkey AF58F2B4 instead of primary key 968BD587
> | gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.131
> | gpg: using subkey AF58F2B4 instead of primary key 968BD587
> | gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
> | "Michael Bienia "
> | gpg: public key decryption failed: general error
> | gpg: decryption failed: secret key not available
> `----
>
> I can successfully decrypt another mail (from someone else) which is
> also encrypted to the same subkey (he also used gnupg 1.4.1).
>
> gnupg and gnupg-agent are current versions from the svn (revision 4151).
>
> Has someone an explanation?

Has really nobody an explanation for this?

Michael

From mkontakt at gmail.com Sun Jun 18 12:50:41 2006
From: mkontakt at gmail.com (mkontakt@gmail.com)
Date: Sun Jun 18 12:49:34 2006
Subject: Need help -gpgsm.
Message-ID: <20060618105041.GA1346@debian.mydomain.com>

I have successfully created a cert.p12 and when I tried to import the
cert I got this:

gpgsm --call-protect-tool --p12-import --store cert.p12
gpg-protect-tool: gpg-agent is not available in this session
gpg-protect-tool: error while asking for the passphrase: Invalid digest algorithm

What am I doing wrong?
Thanks in advance
Martin

gpg-agent is running.

gpg-agent -v --daemon
gpg-agent[1384]: listening on socket `/tmp/gpg-OhIK0y/S.gpg-agent'
GPG_AGENT_INFO=/tmp/gpg-OhIK0y/S.gpg-agent:1385:1; export GPG_AGENT_INFO;

From home at tristanwilliams.com Sun Jun 18 14:18:03 2006
From: home at tristanwilliams.com (Tristan Williams)
Date: Sun Jun 18 14:23:52 2006
Subject: OpenPGP smartcard and Private DO 1
Message-ID: <20060618121803.GA2370@g3.spring.org>

Hi,

Is there any available software to write/read to the Private DO
on the OpenPGPcard?

Grateful for any pointers.

Kind regards

Tristan Williams

From a24061 at yahoo.com Sun Jun 18 22:20:07 2006
From: a24061 at yahoo.com (Adam Funk)
Date: Sun Jun 18 22:19:10 2006
Subject: (UK-specific) consultation about RIPA
Message-ID:

Consultation on the Investigation of Protected Electronic Information
under RIPA

The Home Office has issued a consultation on a revised draft statutory
code of practice on investigation of protected electronic data, which
relates to the exercise and performance of the powers and duties that
will arise from the implementation of Part III of the Regulation of
Investigatory Powers Act 2000.

Part III of the Regulation of Investigatory Powers Act 2000
established powers to impose a requirement upon a person to put
protected electronic information into an intelligible form or to
disclose a key which will enable the data to be put into an
intelligible form.

The Government has kept under review the need to implement the
provisions in Part III.
Over the last two to three years, investigators have begun
encountering encrypted and protected data with increasing frequency.
This, and the rapidly growing availability of encryption products
including the advent of encryption products as integrated security
features in standard operating systems, has led the Government to
judge that it is now timely to implement the provisions of Part III.

Please ensure you read the consultation document which can be found at
http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/

From jharris at widomaker.com Sun Jun 18 22:57:05 2006
From: jharris at widomaker.com (Jason Harris)
Date: Sun Jun 18 22:56:26 2006
Subject: new (2006-06-11) keyanalyze results (+sigcheck)
Message-ID: <20060618205704.GA3024@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2006-06-11/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From mattwestm at gmail.com Sat Jun 17 22:15:04 2006
From: mattwestm at gmail.com (Matthew West)
Date: Mon Jun 19 10:52:09 2006
Subject: Moving to another computer
Message-ID: <449462C8.60609@gmail.com>

Hi, I have all of my gnupg information set up on this current machine.
How would I transfer my information to another computer. Is it fine to
use the same information on both computers?

Thank you,
Matt

From wk at gnupg.org Mon Jun 19 17:28:47 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Jun 19 17:31:05 2006
Subject: GnuPG internals
In-Reply-To: <20060606110737.GA10897@debian.mydomain.com> (mkontakt@gmail.com's message of "Tue, 6 Jun 2006 13:07:37 +0200")
References: <20060606110737.GA10897@debian.mydomain.com>
Message-ID: <87mzc9yxjk.fsf@wheatstone.g10code.de>

On Tue, 6 Jun 2006 13:07, mkontakt@gmail.com said:

> I have found on the Internet that Mr. Koch gave a speech about gnupg
> internals and I would be very interested if any documents exist about
> this presentation or in any other doc about gnupg internals. I know that

There are just a few slides. I can't remember whether they are online
and well, they are not very useful by themselves.

Salam-Shalom,

   Werner

From wk at gnupg.org Mon Jun 19 17:31:23 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Jun 19 17:35:59 2006
Subject: gpgsm
In-Reply-To: <4487EC41.9050701@unix.sbg.ac.at> (Thomas Widhalm's message of "Thu, 08 Jun 2006 11:22:09 +0200")
References: <4487EC41.9050701@unix.sbg.ac.at>
Message-ID: <87irmxyxf8.fsf@wheatstone.g10code.de>

On Thu, 8 Jun 2006 11:22, Thomas Widhalm said:

> As far as I got from the documentation, gpgsm is no replacement but an
> extension for gpg (even when it may be run alone) for using S/MIME.

Correct. The forthcoming gpg support in gnupg 1.9 will be identical
to gpg 1.4.x from a user's POV.

Shalom-Salam,

   Werner

From wk at gnupg.org Mon Jun 19 17:39:45 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Jun 19 17:40:54 2006
Subject: OpenPGP smartcard and Private DO 1
In-Reply-To: <20060618121803.GA2370@g3.spring.org> (Tristan Williams's message of "Sun, 18 Jun 2006 13:18:03 +0100")
References: <20060618121803.GA2370@g3.spring.org>
Message-ID: <87ejxlyx1a.fsf@wheatstone.g10code.de>

On Sun, 18 Jun 2006 14:18, Tristan Williams said:

> Is there any available software to write/read to the Private DO
> on the OpenPGPcard?

  gpg --card-edit

  admin
  privatedo 1

Enter the value or use

  privatedo 1 (Adam Funk's message of "Sun, 18 Jun 2006 21:20:07 +0100")
References:
Message-ID: <877j3dywuk.fsf@wheatstone.g10code.de>

On Sun, 18 Jun 2006 22:20, Adam Funk said:

> Part III of the Regulation of Investigatory Powers Act 2000
> established powers to impose a requirement upon a person to put
> protected electronic information into an intelligible form or to
> disclose a key which will enable the data to be put into an

GnuPG features the --show-session-key/--override-session-key options
to at least avoid revealing a private key. I am not sure whether this
is still sufficient.

Shalom-Salam,

   Werner

From alphasigmax at gmail.com Tue Jun 20 05:42:00 2006
From: alphasigmax at gmail.com (Alphax)
Date: Tue Jun 20 05:43:07 2006
Subject: Moving to another computer
In-Reply-To: <449462C8.60609@gmail.com>
References: <449462C8.60609@gmail.com>
Message-ID: <44976E88.5050105@gmail.com>

Matthew West wrote:
> Hi, I have all of my gnupg information set up on this current machine.
> How would I transfer my information to another computer. Is it fine to
> use the same information on both computers?

Copy ~/.gnupg/* to your other computer; specifically, trustdb.gpg,
secring.gpg, pubring.gpg, gpg.conf.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From vladimir at doisan.com Tue Jun 20 01:10:34 2006
From: vladimir at doisan.com (Vladimir Doisan)
Date: Tue Jun 20 07:55:56 2006
Subject: Moving to another computer
In-Reply-To: <449462C8.60609@gmail.com>
References: <449462C8.60609@gmail.com>
Message-ID: <44972EEA.7060103@doisan.com>

It will be fine, all you have to do is to import your keys into gpg

[code]gpg --import key_file.asc[/code]

Matthew West wrote:
> Hi, I have all of my gnupg information set up on this current
> machine. How would I transfer my information to another computer.
> Is it fine to use the same information on both computers? Thank
> you, Matt
>
> _______________________________________________ Gnupg-users mailing
> list Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

From home at tristanwilliams.com Tue Jun 20 08:42:09 2006
From: home at tristanwilliams.com (Tristan Williams)
Date: Tue Jun 20 08:47:50 2006
Subject: OpenPGP smartcard and Private DO 1
In-Reply-To: <87ejxlyx1a.fsf@wheatstone.g10code.de>
References: <20060618121803.GA2370@g3.spring.org> <87ejxlyx1a.fsf@wheatstone.g10code.de>
Message-ID: <20060620064208.GA7729@g3.spring.org>

On 19Jun06 17:39, Werner Koch wrote:
> On Sun, 18 Jun 2006 14:18, Tristan Williams said:
>
> > Is there any available software to write/read to the Private DO
> > on the OpenPGPcard?
>
>
> gpg --card-edit
>
> admin
> privatedo 1
>
> Enter the value or use
>
> privatedo 1
> to read the value from file foo. As of now it is an undocumented
> feature but it is unlikely that it will change.
>
>
> Salam-Shalom,
>
> Werner
>

Thank you

Kind regards

Tristan Williams

From alphasigmax at gmail.com Tue Jun 20 09:51:54 2006
From: alphasigmax at gmail.com (Alphax)
Date: Tue Jun 20 09:52:59 2006
Subject: Moving to another computer
In-Reply-To: <6D3004B6-364C-4CB9-AACA-2365E31DDD5C@sixdemonbag.org>
References: <449462C8.60609@gmail.com> <44976E88.5050105@gmail.com> <6D3004B6-364C-4CB9-AACA-2365E31DDD5C@sixdemonbag.org>
Message-ID: <4497A91A.7020202@gmail.com>

Robert J. Hansen wrote:
>> Matthew West wrote:
>>> Hi, I have all of my gnupg information set up on this current machine.
>>> How would I transfer my information to another computer. Is it fine to
>>> use the same information on both computers?
>
>> Copy ~/.gnupg/* to your other computer; specifically, trustdb.gpg,
>> secring.gpg, pubring.gpg, gpg.conf.
>
> Please don't follow this advice.
>
> Copying your entire .gnupg/ directory will also copy random_seed. You
> don't want random_seed to be shared between two computers. That could
> potentially result in a session key not being a one-time thing. If two
> computers share a random seed file, the chances of their random
> sequences being not-at-all-random increases.
>
> By all means, copy *.gpg and gpg.conf. Leave random_seed alone. You'll
> be happier that way.
>

*thunk*

Yeah, I should have thought of that... that's what comes of posting just
before lunch.

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From g5LdQh at ouragan.e7even.com Wed Jun 21 09:00:43 2006
From: g5LdQh at ouragan.e7even.com (Andrew Bunting)
Date: Wed Jun 21 10:55:49 2006
Subject: (UK-specific) consultation about RIPA
In-Reply-To:
References:
Message-ID: <20060621070043.GA682@virgil.zype.net>

On Sun, Jun 18, 2006 at 09:20:07PM +0100, Adam Funk wrote:
> Part III of the Regulation of Investigatory Powers Act 2000
> established powers to impose a requirement upon a person to put
> protected electronic information into an intelligible form or to
> disclose a key which will enable the data to be put into an
> intelligible form.

Interestingly there is a provision for a secrecy requirement, which
makes it an offence for the recipient of a notice to disclose to
others that he has been ordered to reveal a key or plaintext data.
This is intended to allow covert investigators to obtain a key and
continue to monitor traffic. However...

  ``Automatic tipping-off
    ---------------------
    Where a disclosure occurs contrary to a secrecy requirement it is
    a defence for a person to show that the disclosure was automatic
    and effected entirely by the operational software designed to
    indicate that a key to protect information ceases to be secure
    and they could not reasonably have prevented that taking place,
    whether after being given the notice or becoming aware of its
    contents.''
                                            ( para 10.15 pg 52 )

In other words, if the software had a tripwire function that
notified other nominated individuals when a private key was
exported then the subject of the notice may not necessarily go
to jail for ``tipping-off''.

--
Andrew Bunting

From wk at gnupg.org Wed Jun 21 19:17:25 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Jun 21 19:21:22 2006
Subject: (UK-specific) consultation about RIPA
In-Reply-To: <20060621070043.GA682@virgil.zype.net> (Andrew Bunting's message of "Wed, 21 Jun 2006 08:00:43 +0100")
References: <20060621070043.GA682@virgil.zype.net>
Message-ID: <87wtbatom2.fsf@wheatstone.g10code.de>

On Wed, 21 Jun 2006 09:00, Andrew Bunting said:

> In other words, if the software had a tripwire function that
> notified other nominated individuals when a private key was
> exported then the subject of the notice may not necessarily go
> to jail for ``tipping-off''.

You mean a "gpg --export-secret-key" should record this in the public
key and automatically upload it to keyservers? I am not sure whether
this or RIPA is more of a privacy intrusion. It is probably easier to
retire (sub)keys after some random time and state this in a policy
document.

Shalom-Salam,

   Werner

From johnmoore3rd at joimail.com Wed Jun 21 21:54:52 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Wed Jun 21 21:53:46 2006
Subject: (UK-specific) consultation about RIPA
In-Reply-To: <87wtbatom2.fsf@wheatstone.g10code.de>
References: <20060621070043.GA682@virgil.zype.net> <87wtbatom2.fsf@wheatstone.g10code.de>
Message-ID: <4499A40C.6010406@joimail.com>

Werner Koch wrote:
> On Wed, 21 Jun 2006 09:00, Andrew Bunting said:
>
>> In other words, if the software had a tripwire function that
>> notified other nominated individuals when a private key was
>> exported then the subject of the notice may not necessarily go
>> to jail for ``tipping-off''.
>
> You mean a "gpg --export-secret-key" should record this in the public
> key and automatically upload it to keyservers? I am not sure whether
> this or RIPA is more of a privacy intrusion. It is probably easier to
> retire (sub)keys after some random time and state this in a policy
> document.

Welcome back from your UK vacation...my query is more along the lines
of what should/can be added to gpg.conf to perhaps automatically
protect the secret Key from being surrendered? In order to be able to
provide the Session Key *only* what can be automatically introduced
into GnuPG encryption 'each & every' time?

If it isn't possible to do this via gpg.conf, can it be done via
Enigmail "Additional Parameters"?

TIA!

JOHN ;)
Timestamp: Wednesday 21 Jun 2006, 15:54 --400 (Eastern Daylight Time)

--
Programming is like sex: if you make a mistake, you have to support it
for the rest of your life. --(unknown)

From jhoneycutt at gmail.com Wed Jun 21 20:59:01 2006
From: jhoneycutt at gmail.com (Jon Honeycutt)
Date: Wed Jun 21 22:55:51 2006
Subject: Lib requires libgpg-error-0.dll
Message-ID:

This may address the wrong persons; if so, I apologize.

I am building a DLL under Windows (mingw) that requires libgcrypt,
libgpg-error. I build libgpg-error with both static and shared library
support, then I use the linker options

  -lgcrypt -lgpg-error

The output DLL, when loaded by my application, works OK, but only if
it has access to "libgpg-error-0.dll." I'd like to not require another
DLL be present, but rather statically link it into my own DLL. I have
tried:

  -lgcrypt -lgpg-error -lgpg-error.dll

for there is a gpg-error.dll.a, but this has no effect. Is there a
proper way to link this code into my DLL such that I don't need also
to rely on libgpg-error-0.dll?

Thanks very much,
Jon Honeycutt
jhoneycutt@gmail.com

From alphasigmax at gmail.com Thu Jun 22 09:11:32 2006
From: alphasigmax at gmail.com (Alphax)
Date: Thu Jun 22 09:12:46 2006
Subject: Interesting error message on import
Message-ID: <449A42A4.2030400@gmail.com>

On importing a large number of keys from a keyring backup, I saw the
message "gpg: assuming bad signature from key 0xE0BB4BCD due to an
unknown critical bit" about a dozen times. Can anyone explain what this
means, whether this is the correct behaviour, and if I should be worried
about it?

--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From kim at haverblad.se Thu Jun 22 10:10:57 2006
From: kim at haverblad.se (Kim Haverblad)
Date: Thu Jun 22 12:30:13 2006
Subject: Startup problem with WinPT (missing keys after couple of weeks).
Message-ID: <449A5091.7070205@haverblad.se>

Now for a while and usually on a system (running Win XP Pro SP2) that
has been in use for a couple of weeks WinPT suddenly starts up and
claims the following "The keycache was not initialized or is empty.
Please check your PGP config (keyrings, pathes...)" and I'm then asked
to identify and locate the keyrings.

So when checking the directory where the keyring is located I found
that the pubring.gpg has been copied to pubring.bak and pubring.gpg is
now empty?! What went wrong here?

From twoaday at gmx.net Thu Jun 22 18:42:48 2006
From: twoaday at gmx.net (Timo Schulz)
Date: Thu Jun 22 18:41:36 2006
Subject: Startup problem with WinPT (missing keys after couple of weeks).
In-Reply-To: <449A5091.7070205@haverblad.se>
References: <449A5091.7070205@haverblad.se>
Message-ID: <20060622164248.GA1179@daredevil.joesixpack.net>

On Thu Jun 22 2006; 10:10, Kim Haverblad wrote:

> located I found that the pubring.gpg has been copied to pubring.bak and
> pubring.gpg is now empty?! What went wrong here?

The WinPT program never opens any keyring in write-mode. For the
backup, just the pubring.gpg will be copied to pubring-bak-%d.gpg.
And this means, the pubring.bak was not even created by WinPT,
because this extension is never used.

Maybe any other program had access to the keyrings?

Timo

From dshaw at jabberwocky.com Thu Jun 22 21:02:18 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Jun 22 21:01:06 2006
Subject: Interesting error message on import
In-Reply-To: <449A42A4.2030400@gmail.com>
References: <449A42A4.2030400@gmail.com>
Message-ID: <20060622190218.GA18613@jabberwocky.com>

On Thu, Jun 22, 2006 at 04:41:32PM +0930, Alphax wrote:
> On importing a large number of keys from a keyring backup, I saw the
> message "gpg: assuming bad signature from key 0xE0BB4BCD due to an
> unknown critical bit" about a dozen times. Can anyone explain what this
> means, whether this is the correct behaviour, and if I should be worried
> about it?

It means that the signature has a subpacket on it that GPG doesn't
know about, but yet it is also tagged as critical. In that case, GPG
can't really "understand" the signature (as it doesn't know what the
subpacket means).

David

From gentoowally at gmail.com Thu Jun 22 22:41:00 2006
From: gentoowally at gmail.com (Gentoo-Wally)
Date: Fri Jun 23 00:25:53 2006
Subject: Quick --sign question
Message-ID:

If you sign a file using --sign

gpg --output doc.sig --sign doc

the docs say....

http://www.gnupg.org/gph/en/manual.html#AEN136

"The document is compressed before being signed, and the output is in
binary format."

This means that the output file doc.sig is compressed and signed.
This does _NOT_ mean it is encrypted...correct? --sign does not sign
and encrypt, right?

Also, what is the compression method?

Thx,
Wally

From dshaw at jabberwocky.com Fri Jun 23 02:18:02 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jun 23 02:17:23 2006
Subject: Quick --sign question
In-Reply-To:
References:
Message-ID: <20060623001802.GA19464@jabberwocky.com>

On Thu, Jun 22, 2006 at 04:41:00PM -0400, Gentoo-Wally wrote:
> If you sign a file using --sign
>
> gpg --output doc.sig --sign doc
>
> the docs say....
>
> http://www.gnupg.org/gph/en/manual.html#AEN136
>
> "The document is compressed before being signed, and the output is in
> binary format."
>
> This means that the output file doc.sig is compressed and signed.
> This does _NOT_ mean it is encrypted...correct?

Correct.

> --sign does not sign and encrypt, right?

Right. You do '--sign --encrypt' to sign and encrypt.

> Also, what is the compression method?

It depends on your configuration, but by default it's the ZIP
algorithm.

David

From gonzalo.bermudez at hotpop.com Fri Jun 23 03:38:09 2006
From: gonzalo.bermudez at hotpop.com (Gonzalo Bermúdez)
Date: Fri Jun 23 03:37:28 2006
Subject: Quick --sign question
In-Reply-To:
References:
Message-ID: <20060622223809.6ce9f3d7@gonzalo>

On Thu, 22 Jun 2006 16:41:00 -0400 Gentoo-Wally wrote:

> If you sign a file using --sign
>
> gpg --output doc.sig --sign doc
>
> the docs say....
>
> http://www.gnupg.org/gph/en/manual.html#AEN136
>
> "The document is compressed before being signed, and the output is in
> binary format."
>
> This means that the output file doc.sig is compressed and signed.
> This does _NOT_ mean it is encrypted...correct? --sign does not sign
> and encrypt, right?

That is correct. In order to encrypt you should use --encrypt or
--symmetric.

>
> Also, what is the compression method?
>

The compression methods available can be seen with gpg --version:

Compression: Uncompressed, ZIP, ZLIB, BZIP2

and the one actually used depends on the key's preferences and your gpg
capabilities if I'm not mistaken.

> Thx,
> Wally

--
Saludos
Gonzalo

From hhhobbit7 at netscape.net Fri Jun 23 08:05:42 2006
From: hhhobbit7 at netscape.net (Henry Hertz Hobbit)
Date: Fri Jun 23 08:05:07 2006
Subject: Moving to another computer
Message-ID: <237B342D.59990F13.0307202B@netscape.net>

>Robert J. Hansen wrote:
>>> Matthew West wrote:
>>>> Hi, I have all of my gnupg information set up on this current machine.
>>>> How would I transfer my information to another computer. Is it fine to
>>>> use the same information on both computers?
>>
>>> Copy ~/.gnupg/* to your other computer; specifically, trustdb.gpg,
>>> secring.gpg, pubring.gpg, gpg.conf.
>>
>> Please don't follow this advice.
>>
>> Copying your entire .gnupg/ directory will also copy random_seed. You
>> don't want random_seed to be shared between two computers. That could
>> potentially result in a session key not being a one-time thing. If two
>> computers share a random seed file, the chances of their random
>> sequences being not-at-all-random increases.
>>
>> By all means, copy *.gpg and gpg.conf. Leave random_seed alone. You'll
>> be happier that way.
>>
>
>*thunk*
>
>Yeah, I should have thought of that... that's what comes of posting just
>before lunch.

Hmm, that is better than after lunch since I am digesting it. The
best time is 11:48 PM (now) when my mind is racing along. Depending
on if you have bzip2 in your tar command:

Option 1 (you have bzip2 integrated in tar command):
----------------------------------------------------
$ cd
$ tar -cjvf gnupg.tbz --exclude random_seed ./.gnupg
# copy gnupg.tbz to your new home folder on the new machine and type:
$ cd
$ tar -xjvf gnupg.tbz

Option 2 (you have gzip, but it is NOT integrated into tar):
------------------------------------------------------------
$ cd
$ tar -cvf gnupg.tar --exclude random_seed ./.gnupg
$ gzip -9 gnupg.tar
# copy gnupg.tar.gz file to your home folder ...
$ gzip -dc gnupg.tar.gz | tar -xvf -

Option 3 (no compression - OUCH!):
----------------------------------
$ cd
$ tar -cvf gnupg.tar --exclude random_seed ./.gnupg
# copy gnupg.tar file to your home folder ...
$ tar -xvf gnupg.tar

Of course, you COULD use zip but on 'nix machines I think you are
going to find gzip or bzip2 long before you have zip and unzip on
your machine.
It will create your random_seed file the first time
you run it. Just make sure your umask is 077.

Your key is your key is your key. It belongs to YOU, not a machine.
I have mine in five places but I do NOT just leave the secring.gpg
file around. When working on a shared machine I copy it into place
when I need to use it and delete when I log off (still carrying my
copy of secring.gpg with me on removable storage).

HHH

From j.lysdal at gmail.com Fri Jun 23 17:56:21 2006
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Fri Jun 23 18:49:36 2006
Subject: personal-cipher/digest-preferences
In-Reply-To: <44942663.6090905@joimail.com>
References: <4494115A.4050005@gmail.com> <44942663.6090905@joimail.com>
Message-ID: <449C0F25.6070609@gmail.com>

Thanks for your help, guys.. :)

However, I have a small problem.

I don't want to interfere with any selection process
by having a personal-cipher/digest-preferences in my options
file.

I have a RSA and a DSA key. When I'm using the RSA key I want to use
SHA256, and RIPEMD160 for my DSA key, when I use clearsign.

Is there anything I can put in my options file that will make
gpg use SHA256 for my RSA and RIPEMD160 for my DSA without
having the personal-digest-preferences thing in my options file?

This is really important to me because when I clearsign something,
I don't have a recipient as a target and I want to use an algorithm
of my choice. For encrypt and sign, I want an algorithm of the
recipient's choice.

---
Jorgen Lysdal / 0x01331B97
j.lysdal(at)gmail.com

From listbox at sjoerger.net Fri Jun 23 19:42:29 2006
From: listbox at sjoerger.net (Steven Joerger)
Date: Fri Jun 23 21:25:51 2006
Subject: Moving to another computer
In-Reply-To: <237B342D.59990F13.0307202B@netscape.net>
References: <237B342D.59990F13.0307202B@netscape.net>
Message-ID: <449C2805.2040209@sjoerger.net>

> Option 3 (no compression - OUCH!):
> ----------------------------------
> $ cd
> $ tar -cvf gnupg.tar --exclude random_seed ./.gnupg
> # copy gnupg.tar file to your home folder ...
> $ tar -xvf gnupg.tar

Just out of curiosity, is there something wrong with not compressing the
archive?

Steve

From johnmoore3rd at joimail.com Fri Jun 23 22:48:20 2006
From: johnmoore3rd at joimail.com (John W. Moore III)
Date: Fri Jun 23 22:47:16 2006
Subject: personal-cipher/digest-preferences
In-Reply-To: <449C0F25.6070609@gmail.com>
References: <4494115A.4050005@gmail.com> <44942663.6090905@joimail.com> <449C0F25.6070609@gmail.com>
Message-ID: <449C5394.6010404@joimail.com>

Jørgen Lysdal wrote:

> Is there anything I can put in my options file that will make
> gpg use SHA256 for my RSA and RIPEMD160 for my DSA without
> having the personal-digest-preferences thing in my options file?
>
> This is really important to me because when I clearsign something,
> I don't have a recipient as a target and I want to use an algorithm
> of my choice. For encrypt and sign, I want an algorithm of the
> recipient's choice.

Easiest method would be to ignore the gpg.conf/Options File and, using
Enigmail, Open the Preferences > PGP/MIME tab and select the Digest
algorithm from the drop down box.

HTH

JOHN ;)
Timestamp: Friday 23 Jun 2006, 16:47 --400 (Eastern Daylight Time)

From dshaw at jabberwocky.com Fri Jun 23 22:54:04 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Jun 23 22:53:10 2006
Subject: personal-cipher/digest-preferences
In-Reply-To: <449C0F25.6070609@gmail.com>
References: <449C0F25.6070609@gmail.com>
Message-ID: <20060623205404.GA23471@jabberwocky.com>

On Fri, Jun 23, 2006 at 05:56:21PM +0200, Jørgen Lysdal wrote:
> Thanks for your help, guys.. :)
>
> However, I have a small problem.
>
> I don't want to interfere with any selection process
> by having a personal-cipher/digest-preferences in my options
> file.
>
> I have a RSA and a DSA key. When I'm using the RSA key I want to use
> SHA256, and RIPEMD160 for my DSA key, when I use clearsign.
> > Is there anything i can put in my options file that will make > gpg use SHA256 for my RSA and RIPEMD160 for my DSA without > having the personal-digest-preferences thing in my options file? You can do this outside of GPG if you like, but within GPG, no. > This is really important to me because i when i clearsign something, > i dont have a recipient as a target and i want to use an algorithm > of my choice. For encrypt and sign, i want and algorithm of the > recipient choice. Why? You are the person making the signature here. It's your choice what algorithm to use. The recipient only gets to say "these are the algorithms I will accept". Not "this is the algorithm I want you to use". Outside of DSA2, GPG will always select an algorithm that is usable by everyone. If all else fails, it's going to be SHA-1. David From utternoncesense at gmail.com Sat Jun 24 02:29:37 2006 From: utternoncesense at gmail.com (utternoncesense@gmail.com) Date: Sat Jun 24 02:28:23 2006 Subject: Encrypting with Private Key Message-ID: <2614f0720606231729w55bc0a63i3aab8e1340793c33@mail.gmail.com> Does GPG enable me to encrypt a file with my private key? Obviously it encrypts hashes with my private key for signatures, I'd like to do it for a file. And yes, I realize that this provides absolutely no security, and yes, I know I could more efficiently prove a file came from myself by just encrypting the hash/signing the message. So it's mostly an academic question, but I'm curious because I didn't see the option on the man page. From bob.henson at galen.org.uk Sat Jun 24 17:58:05 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Sat Jun 24 19:25:52 2006 Subject: Keyring Directory Message-ID: <449D610D.10300@galen.org.uk> Would someone kindly confirm the gpg.conf line for setting the keyring directory elsewhere than the standard one, please. 
As far as I can see, the --homedir command sets the directory for the executable files, but I'm not sure what to set to move the keyrings to another path to the standard (Win XP) path of ...../application data/gnupg. Maybe it's an environment variable needs setting? Regards, Bob From alphasigmax at gmail.com Sun Jun 25 04:24:16 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Jun 25 04:25:21 2006 Subject: Keyring Directory In-Reply-To: <449D610D.10300@galen.org.uk> References: <449D610D.10300@galen.org.uk> Message-ID: <449DF3D0.5000300@gmail.com> Bob Henson wrote: > Would someone kindly confirm the gpg.conf line for setting the keyring > directory elsewhere than the standard one, please. As far as I can see, > the --homedir command sets the directory for the executable files, but > I'm not sure what to set to move the keyrings to another path to the > standard (Win XP) path of ...../application data/gnupg. Maybe it's an > environment variable needs setting? > From the manpage: --homedir directory Set the name of the home directory to directory If this option is not used it defaults to "~/.gnupg". It does not make sense to use this in a options file. This also overrides the environment variable $GNUPGHOME. However, the "best" fix on Windows is in the registry: [HKEY_CURRENT_USER\Software\GNU\GnuPG] "HomeDir"="C:\\Documents and Settings\\Username\\Application Data\\GnuPG" "OptFile"="C:\\Documents and Settings\\Username\\Application Data\\GnuPG\\gpg.conf" -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g
From jbloss at tampabay.rr.com Sun Jun 25 05:18:03 2006 From: jbloss at tampabay.rr.com (Jeffrey F. Bloss) Date: Sun Jun 25 06:56:03 2006 Subject: Keyring Directory In-Reply-To: <449DF3D0.5000300@gmail.com> References: <449D610D.10300@galen.org.uk> <449DF3D0.5000300@gmail.com> Message-ID: <20060624231803.71751af0@localhost.localdomain> Bob Henson wrote: > Would someone kindly confirm the gpg.conf line for setting the > keyring directory elsewhere than the standard one, please. As far > as I can see, the --homedir command sets the directory for the > executable files, but I'm not sure what to set to move the keyrings > to another path to the standard (Win XP) path of ...../application > data/gnupg. Maybe it's an environment variable needs setting? Sorry for the out of sequence reply, just joined the list. :) I think what you want is actually a series of entries in your options file. This works under Linux with a thumb drive, maybe you can get it to work under Windows(?) by just changing the paths to the keyrings. # Begin - Set keyrings to flash drive no-default-keyring keyring /mnt/cruiser/.gnupg/pubring.gpg secret-keyring /mnt/cruiser/.gnupg/secring.gpg # End. -- Hand Crafted on Sat. Jun 24, 2006 at 23:02 Outside of a dog, a book is a man's best friend. Inside of a dog, it's too dark to read. -- Groucho Marx
From alphasigmax at gmail.com Sun Jun 25 11:14:43 2006 From: alphasigmax at gmail.com (Alphax) Date: Sun Jun 25 11:15:48 2006 Subject: Keyring Directory In-Reply-To: <20060624231803.71751af0@localhost.localdomain> References: <449D610D.10300@galen.org.uk> <449DF3D0.5000300@gmail.com> <20060624231803.71751af0@localhost.localdomain> Message-ID: <449E5403.5010105@gmail.com> Jeffrey F. Bloss wrote: > Bob Henson wrote: > >> Would someone kindly confirm the gpg.conf line for setting the >> keyring directory elsewhere than the standard one, please. As far >> as I can see, the --homedir command sets the directory for the >> executable files, but I'm not sure what to set to move the keyrings >> to another path to the standard (Win XP) path of ...../application >> data/gnupg. Maybe it's an environment variable needs setting? > > > > Sorry for the out of sequence reply, just joined the list. :) > > I think what you want is actually a series of entries in your options > file. This works under Linux with a thumb drive, maybe you can get it to > work under Windows(?) by just changing the paths to the keyrings. > > # Begin - Set keyrings to flash drive > no-default-keyring > keyring /mnt/cruiser/.gnupg/pubring.gpg > secret-keyring /mnt/cruiser/.gnupg/secring.gpg > # End.
> > Yes, that will work with gpg.conf on Windows too: # disable default pubring.gpg and secring.gpg no-default-keyring # # set the public keyring to use keyring c:\documents and settings\username\application data\gnupg\some-other-pubring.gpg # # set the keyring to import keys into primary-keyring c:\documents and settings\username\application data\gnupg\some-keyring-to-import-to.gpg # # set the secret keyring to use secret-keyring c:\documents and settings\username\application data\gnupg\some-other-secring.gpg # # set the trustdb to use trustdb-name c:\documents and settings\username\application data\gnupg\some-other-trustdb.gpg Note that on Windows paths are case insensitive, and unlike in the registry, backslashes do not need to be escaped and paths with spaces in them do not need to be quoted :) -- Alphax Death to all fanatics! Down with categorical imperative! OpenPGP key: http://tinyurl.com/lvq4g From bob.henson at galen.org.uk Sun Jun 25 12:18:38 2006 From: bob.henson at galen.org.uk (Bob Henson) Date: Sun Jun 25 12:17:35 2006 Subject: Keyring Directory In-Reply-To: <449DF3D0.5000300@gmail.com> References: <449D610D.10300@galen.org.uk> <449DF3D0.5000300@gmail.com> Message-ID: <449E62FE.6050806@galen.org.uk> Alphax wrote > However, the "best" fix on Windows is in the registry: > > [HKEY_CURRENT_USER\Software\GNU\GnuPG] > "HomeDir"="C:\\Documents and Settings\\Username\\Application Data\\GnuPG" > "OptFile"="C:\\Documents and Settings\\Username\\Application > Data\\GnuPG\\gpg.conf" That worked just fine - all that was necessary was to change the homedir entry.
I had a minor problem in that I was trying to set the path to a Truecrypt volume which kept moving drive numbers; however once I found how to set the Truecrypt volume to the same, fixed, drive letter all was well. Regards, Bob From j.lysdal at gmail.com Sun Jun 25 14:20:43 2006 From: j.lysdal at gmail.com (Jørgen Lysdal) Date: Sun Jun 25 14:19:39 2006 Subject: personal-cipher/digest-preferences In-Reply-To: <20060623205404.GA23471@jabberwocky.com> References: <449C0F25.6070609@gmail.com> <20060623205404.GA23471@jabberwocky.com> Message-ID: <9afe34fe0606250520l5467af51t63aae58c96253e41@mail.gmail.com> 2006/6/23, David Shaw : > Why? You are the person making the signature here. It's your choice > what algorithm to use. The recipient only gets to say "these are the > algorithms I will accept". Not "this is the algorithm I want you to > use". Outside of DSA2, GPG will always select an algorithm that is > usable by everyone. If all else fails, it's going to be SHA-1. Because in my case, it is the recipient that wants to verify my Identity, not the other way around. But i get your point.
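David Shaw's reply in the personal-cipher/digest-preferences thread says the per-key digest choice can be made outside of GPG. The sketch below is an added example, not code from any list participant or from GnuPG: it reads the signing key's algorithm from `gpg --with-colons --list-keys` output and passes the matching `--digest-algo` when clearsigning. The function names, the policy table and the sample listing (constructed key IDs) are assumptions, and it assumes the primary key is the one that signs.

```python
#!/usr/bin/env python3
"""Choose the clearsign digest from the signing key's algorithm, outside gpg."""
import subprocess
import sys

# OpenPGP public-key algorithm numbers as printed in field 4 of a pub record.
ALGO_NAMES = {"1": "RSA", "17": "DSA"}

# The policy asked for in the thread: SHA256 with RSA, RIPEMD160 with DSA.
DIGEST_POLICY = {"RSA": "SHA256", "DSA": "RIPEMD160"}

# Constructed sample of `gpg --with-colons --list-keys` output (not real keys).
SAMPLE_LISTING = """\
tru::1:1151000000:0:3:1:5
pub:u:2048:1:1111AAAA2222BBBB:2005-03-01:::u:Example RSA <rsa@example.org>::scESC:
sub:u:2048:1:3333CCCC4444DDDD:2005-03-01::::::e:
pub:u:1024:17:5555EEEE6666FFFF:2004-07-15:::u:Example DSA <dsa@example.org>::scESC:
sub:u:2048:16:7777AAAA8888BBBB:2004-07-15::::::e:
"""


def primary_key_algos(listing):
    """Map each primary key's long key ID to its algorithm name."""
    keys = {}
    for line in listing.splitlines():
        fields = line.split(":")
        # Only pub records are considered; subkeys are ignored (assumption:
        # the primary key is the signing key).
        if fields[0] != "pub" or len(fields) < 5:
            continue
        keys[fields[4].upper()] = ALGO_NAMES.get(fields[3], "algo-" + fields[3])
    return keys


def find_key(key_id, keys):
    """Resolve a short or long key ID (with or without 0x) to one long ID."""
    wanted = key_id.upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if not wanted:
        raise LookupError("empty key ID")
    matches = [long_id for long_id in keys if long_id.endswith(wanted)]
    if len(matches) != 1:
        raise LookupError("%d keys match %r" % (len(matches), key_id))
    return matches[0]


def clearsign_argv(key_id, listing, path):
    """Build the gpg command line for clearsigning path with key_id."""
    keys = primary_key_algos(listing)
    long_id = find_key(key_id, keys)
    argv = ["gpg", "--local-user", long_id]
    digest = DIGEST_POLICY.get(keys[long_id])
    if digest:
        argv += ["--digest-algo", digest]
    # With no policy entry, gpg's own digest selection applies.
    # "--" ends option parsing so a file name starting with "-" stays a file.
    return argv + ["--clearsign", "--", path]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        key, target = sys.argv[1], sys.argv[2]
        out = subprocess.run(["gpg", "--with-colons", "--list-keys", key],
                             capture_output=True, text=True, check=True).stdout
        subprocess.run(clearsign_argv(key, out, target), check=True)
    else:
        # No arguments: show the command for the constructed listing only.
        print(clearsign_argv("6666FFFF", SAMPLE_LISTING, "notes.txt"))
```

Called with a key ID and a file name it signs for real; with no arguments it only prints the command it would run for the constructed listing.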
From wk at gnupg.org Sun Jun 25 15:43:25 2006 From: wk at gnupg.org (Werner Koch) Date: Sun Jun 25 16:40:47 2006 Subject: [Announce] GnuPG 1.4.4 released (security bug fix) Message-ID: <87psgxic5e.fsf@wheatstone.g10code.de> Skipped content of type multipart/signed _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From shavital at mac.com Sun Jun 25 17:10:23 2006 From: shavital at mac.com (Charly Avital) Date: Sun Jun 25 17:09:18 2006 Subject: [Announce] GnuPG 1.4.4 released (security bug fix) In-Reply-To: <87psgxic5e.fsf@wheatstone.g10code.de> References: <87psgxic5e.fsf@wheatstone.g10code.de> Message-ID: <449EA75F.1020204@mac.com> Compiled from source with idea.c, under MacOS 10.4.6, configured for Darwin (powerpc-apple-darwin8.6.0) Thanks to the GnuPG Team. Charly Werner Koch wrote the following on 6/25/06 9:43 AM: > Hello! > > We are pleased to announce the availability of a new stable GnuPG > release: Version 1.4.4 [...] > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word or answering questions on the mailing > lists.
> > > Happy Hacking, > > > The GnuPG Team (David, Werner and the other contributors) > Gnupg-announce mailing list > Gnupg-announce@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-announce From patrick at mozilla-enigmail.org Sun Jun 25 17:31:57 2006 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Sun Jun 25 17:29:06 2006 Subject: Enigmail Problem??? In-Reply-To: <448C990C.4020906__45101.3983962641$1150067986$gmane$org@gmail.com> References: <448C990C.4020906__45101.3983962641$1150067986$gmane$org@gmail.com> Message-ID: I don't think it's related to Enigmail since it does not add/modify/remove any code of the addressing widgets. -Patrick > I posted this on the Thunderbird Forums. I thought that it might have > something to do with Enigmail/GnuPG... I thought I might get an > opinion from another perspective. What do you guys think? > > > >> Sometimes (maybe 2/5 times) Thunderbird will crash when I start >> typing an address into the "To:"/"cc:"/"bcc"/etc. entry box to get the >> autocomplete list of contacts. This happens if I: > >> -write a new message >> -reply/reply-to-all to a message >> -forward a message > >> But again, this only happens sometimes; it seems to be random also. >> When the dialog comes up (in Windows XP) that says "Thunderbird is >> experiencing an error and needs to close..."
I look in the details, >> and it says the module name (after thunderbird.exe) is >> "xpcom_core.dll". I've checked the TB directory and xpcom_core.dll >> *is* there. I thought it might be corrupted, so I searched the >> internet and downloaded another copy. I replaced it (backing up the >> old one) and it seemed to help. But about 10 minutes ago, it happened >> again. > >> I really don't know why this is happening. The only thing I can >> think of is the Enigmail extension (which has caused problems before) >> but it is essential to my emails, so I can't afford to uninstall it. > >> Versions and extensions: > >> TB: 1.5.0.4 (build 20060516) > >> -Enigmail 0.94.0 >> -MinimizeToTray 0.0.1 (build 2006030906+) >> -SwitchProxy Tool 1.4 > >> Installed after crashes (so they logically shouldn't have anything >> to do with it) >> -Lightning 0.1 (build) 2006031011 >> -AboutConfig 0.6 > > From dshaw at jabberwocky.com Sun Jun 25 18:24:05 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jun 25 18:22:50 2006 Subject: Reminder about GPG 1.4.4 and the new DSA Message-ID: <20060625162405.GD23744@jabberwocky.com> Hi folks, GnuPG 1.4.4 was released today, and it contains a new feature (--enable-dsa2) that needs a bit of explanation.
For many years, the DSA signing algorithm has been limited in two ways: first, you could not create a key larger than 1024 bits, and second, the key could only use a 160-bit hash, which in practice meant either SHA-1 or RIPEMD/160. Recently, the long awaited update to DSA was released by NIST. Most people have been calling it DSA2, though the official name has not changed. DSA2 allows for much larger keys and can work with almost any hash. The last release of GnuPG (1.4.3) contained limited support for DSA2 so it could at least verify (most) DSA2 signatures. Today's release of GnuPG (1.4.4) contains full support for DSA2. You can now generate DSA2 keys and you can issue DSA2 signatures. However, (and here's the problem): no other OpenPGP programs can currently use (all of) DSA2. No doubt that over the coming months and years, other OpenPGP programs will add support for DSA2, but this does not exist today. If you want to experiment with DSA2, that's fine, but fair warning: until other OpenPGP programs add DSA2 support, using DSA2 means isolating yourself to a GPG 1.4.3 or 1.4.4 world. David From sean at rima.ws Mon Jun 26 02:02:42 2006 From: sean at rima.ws (Sean Rima) Date: Mon Jun 26 04:02:32 2006 Subject: Using dirmngr with Claws Message-ID: <20060626010242.4c23f78e@bsod.rima.ws> Hi Folks I am trying to setup claws to use smime and the only part that I do not understand is how to setup dirmngr so that I can use my thawte keys. Is there a guide or walk through that I can use Sean -- Strange Things happen under the midnight sun When men and dogs go hunting for gold
From wk at gnupg.org Mon Jun 26 09:01:18 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jun 26 09:06:12 2006 Subject: Using dirmngr with Claws In-Reply-To: <20060626010242.4c23f78e@bsod.rima.ws> (Sean Rima's message of "Mon, 26 Jun 2006 01:02:42 +0100") References: <20060626010242.4c23f78e@bsod.rima.ws> Message-ID: <87d5cwieo1.fsf@wheatstone.g10code.de> On Mon, 26 Jun 2006 02:02, Sean Rima said: > I am trying to setup claws to use smime and the only part that I do not > understand is how to setup dirmngr so that I can use my thawte keys. There are some problems with the current dirmngr. I am working on it. My suggestion is that you add disable-crl-checks to your gpgsm.conf. I didn't know that Claws already supports S/MIME using gnupg. > Is there a guide or walk through that I can use info dirmngr as well as info gnupg might give some hints. Shalom-Salam, Werner From sean at rima.ws Mon Jun 26 11:10:57 2006 From: sean at rima.ws (Sean Rima) Date: Mon Jun 26 11:10:23 2006 Subject: Using dirmngr with Claws In-Reply-To: <20060626010242.4c23f78e@bsod.rima.ws> References: <20060626010242.4c23f78e@bsod.rima.ws> Message-ID: <20060626101057.33c89e83@bsod.rima.ws> On Mon, 26 Jun 2006 01:02:42 +0100 Sean Rima wrote: > Hi Folks > > I am trying to setup claws to use smime and the only part that I do > not understand is how to setup dirmngr so that I can use my thawte > keys. Is there a guide or walk through that I can use > > Sean > With Werner's help I made progress but there is one last one that I cannot get past.
I created a debug and get this: posix-io.c:135: closing fd 21 wait.c:160: setting fd 21 (item=0x90cea70) done posix-io.c:329: gpgme:select on [ r23 ] posix-io.c:375: select OK [ r23 ] posix-io.c:329: gpgme:select on [ r23 ] posix-io.c:375: select OK [ r23 ] posix-io.c:72: fd 22: about to read 1002 bytes posix-io.c:79: fd 22: got 0 bytes engine-gpgsm.c:702: fd 23: error from assuan (-1) getting status line : Invalid crypto engine posix-io.c:135: closing fd 23 wait.c:160: setting fd 23 (item=0x90ceab0) done Not sure why I am getting an invalid crypto engine -- Strange Things happen under the midnight sun When men and dogs go hunting for gold From wk at gnupg.org Mon Jun 26 16:00:09 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jun 26 16:16:33 2006 Subject: [Announce] Gpg4win 1.0.3 released (security fix) Message-ID: <873bdsf252.fsf@wheatstone.g10code.de> Hi! We are pleased to announce the availability of Gpg4win, version 1.0.3. * This version contains security fixes for the GnuPG and Sylpheed-Claws components. *Updating to this version is strongly recommended*. * Please also make sure to subscribe to the new gpg4win announcement mailing list. We might stop in the future to cross post announcements to the general GnuPG announcement list. See: http://lists.wald.intevation.org/mailman/listinfo/gpg4win-announce About Gpg4win ------------- The Gpg4win project aims at updating the Gpg4win Windows installation package with GnuPG encryption tool, associated applications and documentation on a regular basis. Especially the documentation (handbooks "Einsteiger" and "Durchblicker") are directly maintained as part of the gpg4win project. It is an international project. Due to the origin of the project the German language is fully supported.
As of now the handbooks are only available in German. People helping with translations are very welcome! The main difference compared to all other similar approaches (mainly GnuPP, GnuPT, Windows Privacy Tools and GnuPG-Basics) is that the first thing developed was the *gpg4win-Builder*. This builder allows to easily create new gpg4win.exe installers with updated components. The builder runs on any decent Unix system, preferably Debian GNU/Linux. Almost all products are automatically cross-compiled for integration into the installer. With this concept it is hoped to *prevent quick aging of the installer package*. This is due to easier updating and less dependency on single developers. Noteworthy changes in version 1.0.3 (2006-06-26) ------------------------------------------------ * Fixed a security related bug in GnuPG (CVE-2006-3082). * Updated Sylpheed-Claws due to security problems. * Included components are: GnuPG: 1.4.4 [*] WinPT: 0.12.3 [*] GPA: 0.7.3 GPGol: 0.9.10 GPGee: 1.3.1 Sylpheed-Claws: 2.3.1 [*] Einsteiger: 2.0.2 Durchblicker: 2.0.2 (Marked packages are updated since the last release) Installation ------------ For installation instructions, please visit http://www.gpg4win.org or read on. Developers who want to *build an installer* need to get the following files from http://wald.intevation.org/projects/gpg4win/ : gpg4win-1.0.3.tar.bz2 (3.9M) gpg4win-1.0.3.tar.bz2.sig The second file is a digital signature of the first file. Either check that this signature is fine or compare with the checksums given below. (see also http://www.gnupg.org/download/integrity_check.html) The *ready to use installer* is available at: http://ftp.gpg4win.org/gpg4win-1.0.3.exe (6.2M) http://ftp.gpg4win.org/gpg4win-1.0.3.exe.sig Or using the ftp protocol at: ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.3.exe (6.2M) ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.3.exe.sig SHA1 and MD5 checksums for these files are given below.
If you don't need the German PDF manuals, you might alternatively download the "light" version of the installer: http://ftp.gpg4win.org/gpg4win-light-1.0.3.exe (4.6M) http://ftp.gpg4win.org/gpg4win-light-1.0.3.exe.sig or using the ftp protocol at: ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.3.exe (4.6M) ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.0.3.exe.sig A separate installer with the the sources used to build the above installer is available at: ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.3.exe (41M) ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.0.3.exe.sig Most people don't need this source installer; it is merely stored on that server to satisfy the conditions of the GPL. In general it is better to get the gpg4win builder tarball (see above) and follow the instructions in the README to build new installers; building the installer is not possible on Windows machines and works best on current Debian GNU/Linux systems (we use the mingw32 package from Sid). SHA1 checksums are: fb010c9d4ee9e4d51b2b43034562f39eb6b88cbf gpg4win-1.0.3.exe bdb1065aaa8f72fcd13158712f2b479586d3d677 gpg4win-light-1.0.3.exe fa5e30e95227edda40f53dfc424239de06f0980a gpg4win-src-1.0.3.exe 7f0877dbde8e20e0b50288fefe4f77f1574bc50b gpg4win-1.0.3.tar.bz2 MD5 checksums are: 543343e59df88354627e018e0d3052ce gpg4win-1.0.3.exe c5ea9009beb27e16f955cc83ca5573ef gpg4win-light-1.0.3.exe 0d247c343c5623cb459b5debdadd30f7 gpg4win-src-1.0.3.exe 6ed1496b1edacfc7d7416e4155e3fe9e gpg4win-1.0.3.tar.bz2 We like to thank the authors of the included packages, the NSIS authors, all other contributors and first of all, those folks who stayed with us and tested the early releases of gpg4win. Happy hacking, Jan, Marcus, Timo and Werner -- Werner Koch The GnuPG Experts http://g10code.com Join the Fellowship and protect your Freedom! 
http://www.fsfe.org From j.lysdal at gmail.com Mon Jun 26 19:45:34 2006 From: j.lysdal at gmail.com (Jørgen Lysdal) Date: Mon Jun 26 19:44:17 2006 Subject: "valid from" date? Message-ID: <44A01D3E.2030804@gmail.com> I've used PGP for some time, and it allows me to set a "valid from" date on my subkeys.. Is this also possible on GPG, or can i only select the expiration date? If two encryption subkeys are valid in the same period of time, how does gpg select which one to use? --- Jorgen Lysdal / 0x01331B97 j.lysdal(at)gmail.com From wk at gnupg.org Mon Jun 26 21:17:52 2006 From: wk at gnupg.org (Werner Koch) Date: Mon Jun 26 21:21:09 2006 Subject: Using dirmngr with Claws In-Reply-To: <20060626101057.33c89e83@bsod.rima.ws> (Sean Rima's message of "Mon, 26 Jun 2006 10:10:57 +0100") References: <20060626010242.4c23f78e@bsod.rima.ws> <20060626101057.33c89e83@bsod.rima.ws> Message-ID: <87sllrenfj.fsf@wheatstone.g10code.de> On Mon, 26 Jun 2006 11:10, Sean Rima said: > engine-gpgsm.c:702: fd 23: error from assuan (-1) getting status line : Invalid crypto engine > posix-io.c:135: closing fd 23 > wait.c:160: setting fd 23 (item=0x90ceab0) done Running claws with GPGME_DEBUG=5:/tmp/mygpgme.log set, will log the communication between gpgme and the backend engine. This should reveal the problem. Shalom-Salam, Werner From johanw at vulcan.xs4all.nl Mon Jun 26 22:52:43 2006 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jun 26 22:56:43 2006 Subject: [Announce] GnuPG 1.4.4 released (security bug fix) In-Reply-To: <87psgxic5e.fsf@wheatstone.g10code.de> Message-ID: <200606262052.k5QKqhaI011871@vulcan.xs4all.nl> Werner Koch wrote: >We are pleased to announce the availability of a new stable GnuPG >release: Version 1.4.4 Compiles and runs OK on Slackware Linux 10.0.
However, I noticed that the win32 binary doesn't show information in WinPT anymore (it does work OK with it). Instead, I get an error message about stdout. Is it compiled with a different compiler than 1.4.3? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From SeidlS at schneider.com Mon Jun 26 23:18:34 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Mon Jun 26 23:17:38 2006 Subject: Trust Issue Message-ID: Can someone explain to me what would have occurred within gpg to cause the following error: gpg: Warning: using insecure memory! gpg: using secondary key 11111111 instead of primary key 11111111 Could not find a valid trust path to the key. Let's see whether we can assign some missing owner trust values. No path leading to one of our keys found. 1024g/11111111 2001-06-11 "XXXXXXXXXXXXXX" Fingerprint: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa It is NOT certain that the key belongs to its owner. If you *really* know what you are doing, you may answer the next question with yes Use this key anyway? The process using this key was working fine last Wednesday, but quit working last Thursday. There were no changes (imports, edits, or deletes) to the key ring or the trustDB during that time. I have googled for the errors and have a work around in place (added --always-trust to the options file), but am curious what would have caused this issue, and what needs to be done to resolve? Please note, this is using an older version of gnupg (possibly 1.0.6) on AIX. Thanks Scott Seidl Electronic Communication Services seidls@schneider.com Tel) 920-592-2163 This document, and any attachments therein, contains proprietary and confidential information that may not be disclosed without the prior written permission of Schneider National, Inc. and its subsidiaries.
Unauthorized use or misuse of this information and its contents is strictly prohibited. Schneider National, Inc. vigorously protects its rights. From dshaw at jabberwocky.com Mon Jun 26 23:27:04 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jun 26 23:25:51 2006 Subject: Trust Issue In-Reply-To: References: Message-ID: <20060626212704.GA12940@jabberwocky.com> On Mon, Jun 26, 2006 at 04:18:34PM -0500, SeidlS@schneider.com wrote: > > Can someone explain to me what would have occurred within gpg to cause the > following error: > > gpg: Warning: using insecure memory! > gpg: using secondary key 11111111 instead of primary key 11111111 > Could not find a valid trust path to the key. Let's see whether we > can assign some missing owner trust values. > > No path leading to one of our keys found. > > 1024g/11111111 2001-06-11 "XXXXXXXXXXXXXX" > Fingerprint: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa > > It is NOT certain that the key belongs to its owner. > If you *really* know what you are doing, you may answer > the next question with yes > > Use this key anyway? > > The process using this key was working fine last Wednesday, but quit > working last Thursday. There were no changes (imports, edits, or deletes) > to the key ring or the trustDB during that time. > > I have googled for the errors and have a work around in place (added > --always-trust to the options file), but am curious what would have caused > this issue, and what needs to be done to resolve? Most likely, a signature somewhere in the trust chain expired. Expired signatures do not carry trust. 
David From wk at gnupg.org Tue Jun 27 09:48:09 2006 From: wk at gnupg.org (Werner Koch) Date: Tue Jun 27 09:51:13 2006 Subject: [Announce] GnuPG 1.4.4 released (security bug fix) In-Reply-To: <200606262052.k5QKqhaI011871@vulcan.xs4all.nl> (Johan Wevers's message of "Mon, 26 Jun 2006 22:52:43 +0200 (MET DST)") References: <200606262052.k5QKqhaI011871@vulcan.xs4all.nl> Message-ID: <87irmnca4m.fsf@wheatstone.g10code.de> On Mon, 26 Jun 2006 22:52, Johan Wevers said: > However, I noticed that the win32 binary doesn't show information in WinPT > anymore (it does work OK with it). Instead, I het an error message about > stdout. Is it compiled with a different compiler than 1.4.3? The problem is due to a failsafe function we added to make sure that stdin, stdout and stderr are open. This is actually not required under Windows but it went unnoticed until now. I am currently looking at it to decide what to do. Shalom-Salam, Werner From SeidlS at schneider.com Tue Jun 27 18:12:16 2006 From: SeidlS at schneider.com (SeidlS@schneider.com) Date: Tue Jun 27 18:14:24 2006 Subject: Trust Issue In-Reply-To: <20060626212704.GA12940@jabberwocky.com> Message-ID: One of the options we tried to resolve this was to remove the key from the key ring (--delete-key), re-import it, and then re-sign it. We continued to get the same error after completing those steps. Shouldn't this have removed any expired signatures? Also, another user ID has the same key in the keyring, and isn't having any issues. Our key is setup to expire every year, and last year we added a new subkey with a new expiration date. So the key we use for signing does have one subkey that is expired, and one that will expire in September. Is this contributing to the problem we are currently having? 
Thanks Scott Seidl Electronic Communication Services seidls@schneider.com Tel) 920-592-2163 David Shaw Sent by: gnupg-users-bounces@gnupg.org 06/26/2006 04:27 PM To: gnupg-users@gnupg.org cc: Subject: Re: Trust Issue On Mon, Jun 26, 2006 at 04:18:34PM -0500, SeidlS@schneider.com wrote: > > Can someone explain to me what would have occurred within gpg to cause the > following error: > > gpg: Warning: using insecure memory! > gpg: using secondary key 11111111 instead of primary key 11111111 > Could not find a valid trust path to the key. Let's see whether we > can assign some missing owner trust values. > > No path leading to one of our keys found. > > 1024g/11111111 2001-06-11 "XXXXXXXXXXXXXX" > Fingerprint: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa > aaaa > > It is NOT certain that the key belongs to its owner. > If you *really* know what you are doing, you may answer > the next question with yes > > Use this key anyway? > > The process using this key was working fine last Wednesday, but quit > working last Thursday. There were no changes (imports, edits, or deletes) > to the key ring or the trustDB during that time. > > I have googled for the errors and have a work around in place (added > --always-trust to the options file), but am curious what would have caused > this issue, and what needs to be done to resolve? Most likely, a signature somewhere in the trust chain expired. Expired signatures do not carry trust.
David

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From jkaye at celerasystems.com Tue Jun 27 18:02:16 2006
From: jkaye at celerasystems.com (jkaye)
Date: Tue Jun 27 19:55:49 2006
Subject: Corrupt file issue?
In-Reply-To: <20060612050501.27892.qmail@smasher.org>
Message-ID: <02c401c69a03$12fdcc40$4ac811ac@celerasystems.com>

Hello all,

I've had some success solving problems here before thanks to the kindness of many of you and thought I would give this another try.

We've got an intermittent issue (about once a week) where a daily process that generates a text file, encrypts it and transfers it by FTP will sometimes create a file that the recipient cannot decrypt. If I run the process again, it will produce an encrypted file which is a few bytes smaller than the original file. This new file can be decrypted by the recipient without a problem.

Has anyone else encountered a similar issue?

Here's the command I use to perform the (signed) encryption:

gpg -r -e

Any assistance would be greatly appreciated.

Thanks,

- Jack

Jack Kaye
Senior Business Analyst
Celera Systems LLC

(262) 834-0080 x204

From dshaw at jabberwocky.com Tue Jun 27 20:08:14 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Jun 27 20:07:00 2006
Subject: Corrupt file issue?
In-Reply-To: <02c401c69a03$12fdcc40$4ac811ac@celerasystems.com>
References: <20060612050501.27892.qmail@smasher.org> <02c401c69a03$12fdcc40$4ac811ac@celerasystems.com>
Message-ID: <20060627180813.GB30992@jabberwocky.com>

On Tue, Jun 27, 2006 at 11:02:16AM -0500, jkaye wrote:
> Hello all,
>
> I've had some success solving problems here before thanks to the
> kindness of many of you and thought I would give this another try.
>
> We've got an intermittent issue (about once a week) where a daily
> process that generates a text file, encrypts it and transfers it by
> FTP will sometimes create a file that the recipient cannot decrypt.
> If I run the process again, it will produce an encrypted file which
> is a few bytes smaller than the original file. This new file can
> be decrypted by the recipient without a problem.

You're sending the file by ascii FTP. That will corrupt binary data. You need to transfer with binary FTP. There are far too many FTP clients out there for me to tell you how to set your particular client to binary, but check the manual.

David

From r.post at sara.nl Tue Jun 27 20:14:22 2006
From: r.post at sara.nl (Remco Post)
Date: Tue Jun 27 20:13:40 2006
Subject: Corrupt file issue?
In-Reply-To: <02c401c69a03$12fdcc40$4ac811ac@celerasystems.com>
References: <02c401c69a03$12fdcc40$4ac811ac@celerasystems.com>
Message-ID: <44A1757E.2080200@sara.nl>

jkaye wrote:
> Hello all,
>
> I've had some success solving problems here before thanks to the
> kindness of many of you and thought I would give this another try.
>
> We've got an intermittent issue (about once a week) where a daily
> process that generates a text file, encrypts it and transfers it by
> FTP will sometimes create a file that the recipient cannot decrypt.
> If I run the process again, it will produce an encrypted file which
> is a few bytes smaller than the original file. This new file can
> be decrypted by the recipient without a problem.
>
> Has anyone else encountered a similar issue?
>
> Here's the command I use to perform the (signed) encryption:
>
> gpg -r -e
>
> Any assistance would be greatly appreciated.
>

things that come to mind:

1- binary safe ftp?
2- ascii armor gpg, add -a to your gpg options

> Thanks,
>
> - Jack
>
> Jack Kaye
> Senior Business Analyst
> Celera Systems LLC
>
> (262) 834-0080 x204
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten    http://www.sara.nl
High Performance Computing    Tel. +31 20 592 3000    Fax.
+31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From sean at rima.ws Wed Jun 28 07:10:21 2006
From: sean at rima.ws (Sean Rima)
Date: Wed Jun 28 07:09:41 2006
Subject: Using dirmngr with Claws
In-Reply-To: <20060626101057.33c89e83@bsod.rima.ws>
References: <20060626010242.4c23f78e@bsod.rima.ws> <20060626101057.33c89e83@bsod.rima.ws>
Message-ID: <20060628061021.4471ae6d@bsod.rima.ws>

On Mon, 26 Jun 2006 10:10:57 +0100
Sean Rima wrote:

> On Mon, 26 Jun 2006 01:02:42 +0100
> Sean Rima wrote:
>
> > Hi Folks
> >
> > I am trying to set up claws to use smime and the only part that I do
> > not understand is how to set up dirmngr so that I can use my thawte
> > keys. Is there a guide or walk through that I can use
> >
> > Sean
> >
>
> With Werner's help I made progress but there is one last one that I
> cannot get past. I created a debug and get this:
>
> posix-io.c:135: closing fd 21
> wait.c:160: setting fd 21 (item=0x90cea70) done
> posix-io.c:329: gpgme:select on [ r23 ]
> posix-io.c:375: select OK [ r23 ]
> posix-io.c:329: gpgme:select on [ r23 ]
> posix-io.c:375: select OK [ r23 ]
> posix-io.c:72: fd 22: about to read 1002 bytes
> posix-io.c:79: fd 22: got 0 bytes
> engine-gpgsm.c:702: fd 23: error from assuan (-1) getting status
> line : Invalid crypto engine posix-io.c:135: closing fd 23
> wait.c:160: setting fd 23 (item=0x90ceab0) done
>
>
> Not sure why I am getting an invalid crypto engine
>

Ok, it was a bit strange but the problem was that I was checking the sig on my sent mails which claws doesn't seem to do, but on incoming mails it is working perfectly.
So I am happy :)

Sean

--
Strange Things happen under the midnight sun
When men and dogs go hunting for gold

From wk at gnupg.org Wed Jun 28 19:54:36 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Jun 28 19:56:16 2006
Subject: "valid from" date?
In-Reply-To: <44A01D3E.2030804@gmail.com> (Jørgen Lysdal's message of "Mon, 26 Jun 2006 19:45:34 +0200")
References: <44A01D3E.2030804@gmail.com>
Message-ID: <877j314143.fsf@wheatstone.g10code.de>

On Mon, 26 Jun 2006 19:45, Jørgen Lysdal said:

> I've used PGP for some time, and it allows me to set a "valid from"
> date on my subkeys..
>
> Is this also possible on GPG, or can I only select the expiration
> date?

It is not possible to set a valid from date. Actually there is no valid from date but just the creation time of the key. When selecting a key, GnuPG ignores those created in the future.

If you want to hack support for it, check out make_timestamp().

I can see no reason for using a valid from key. Simply create it when you need it.

> If two encryption subkeys are valid in the same period of time, how does
> gpg select which one to use?

The latest key which fits the requirements (preference, algorithms etc.) is used. Keys created in the future are ignored for this purpose.

Shalom-Salam,

   Werner

From j.lysdal at gmail.com Wed Jun 28 21:49:03 2006
From: j.lysdal at gmail.com (Jørgen Lysdal)
Date: Wed Jun 28 21:47:46 2006
Subject: "valid from" date?
In-Reply-To: <877j314143.fsf@wheatstone.g10code.de>
References: <44A01D3E.2030804@gmail.com> <877j314143.fsf@wheatstone.g10code.de>
Message-ID: <9afe34fe0606281249t12298fc6k66758e9284dc261d@mail.gmail.com>

2006/6/28, Werner Koch :
> It is not possible to set a valid from date.
> Actually there is no
> valid from date but just the creation time of the key.

My key made with PGP shows this:

sub 4096R/10BFF302 created: 2006-04-06 expires: 2008-04-06 usage: E
sub 4096R/B3DF6DC0 created: 2008-04-06 expires: never usage: E

So GPG will see the valid period on the second subkey as 2008-04-06 to never, and not use it before 2008-04-06?

> When
> selecting a key, GnuPG ignores those created in the future.

Uhm.. I don't think I'm getting this right...

> If you want to hack support for it, check out make_timestamp().

Can this enable me to set created dates like, in 2010 if I want?

> I can see no reason for using a valid from key. Simply create it when
> you need it.

For me, creating a key is a one-time-thing, why not add some subs from the start, so I don't have to mess with it later?

> The latest key which fits the requirements (preference, algorithms
> etc.)

Aren't these algo settings stored with each uid? Or do I mix things together?

Thanks for your help.

- Jorgen Ch. Lysdal

From og at pre-secure.de Thu Jun 29 16:02:55 2006
From: og at pre-secure.de (Olaf Gellert)
Date: Thu Jun 29 18:55:54 2006
Subject: "valid from" date?
In-Reply-To: <9afe34fe0606281249t12298fc6k66758e9284dc261d@mail.gmail.com>
References: <44A01D3E.2030804@gmail.com> <877j314143.fsf@wheatstone.g10code.de> <9afe34fe0606281249t12298fc6k66758e9284dc261d@mail.gmail.com>
Message-ID: <44A3DD8F.3090702@pre-secure.de>

Jørgen Lysdal wrote:
> 2006/6/28, Werner Koch :
>> I can see no reason for using a valid from key. Simply create it when
>> you need it.

I can imagine that it makes sense for a key with no subkeys. You can already collect signatures before you actually use the key. In the case of subkeys that seems to be not necessary.

> For me, creating a key is a one-time-thing, why not add some subs from
> the start, so I don't have to mess with it later?

Well, producing cryptographic material years ahead does not really sound like a very good idea.
The used algorithms may have already proven to be insecure by the time the key gets valid. And advances in hardware technology and cryptographic attacks may enable an attacker to spend plenty of time on hacking your key in advance. These issues might render the key useless before the "start from" date is actually reached. So it's the usual trade off between convenience and security...

Cheers,
  Olaf

--
Dipl.Inform. Olaf Gellert    PRESECURE (R)
Senior Researcher,    Consulting GmbH
Phone: (+49) 0700 / PRESECURE    og@pre-secure.de

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet

From gonzalo.bermudez at fibertel.com.ar Fri Jun 23 00:44:16 2006
From: gonzalo.bermudez at fibertel.com.ar (Gonzalo Bermúdez)
Date: Wed Jul 5 11:37:36 2006
Subject: Quick --sign question
In-Reply-To:
References:
Message-ID: <20060622194416.457019f5@gonzalo>

On Thu, 22 Jun 2006 16:41:00 -0400 Gentoo-Wally wrote:

> If you sign a file using --sign
>
> gpg --output doc.sig --sign doc
>
> the docs say....
>
> http://www.gnupg.org/gph/en/manual.html#AEN136
>
> "The document is compressed before being signed, and the output is in
> binary format."
>
> This means that the output file doc.sig is compressed and signed.
> This does _NOT_ mean it is encrypted...correct? --sign does not sign
> and encrypt, right?

That is correct. In order to encrypt you should use --encrypt or --symmetric.

>
> Also, what is the compression method?

The compression methods available can be seen with gpg --version:

Compression: Uncompressed, ZIP, ZLIB, BZIP2

and the one actually used depends on the key's preferences and your gpg capabilities if I'm not mistaken.

--
Regards
Gonzalo
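Added example (not part of the message above and not GnuPG code): a small Python packet walker showing why output from --sign is compressed but readable by anyone without a key. The sample input is constructed, with zero-filled placeholder signature packets, and all function names are illustrative.

```python
import bz2
import zlib

ENCRYPTED_TAGS = {1, 3, 9, 18}  # session-key and encrypted-data packets (RFC 4880)
DECOMPRESS = {0: bytes, 1: lambda d: zlib.decompress(d, -15),  # none, ZIP (raw DEFLATE)
              2: zlib.decompress, 3: bz2.decompress}           # ZLIB, BZIP2

def read_header(buf, pos):
    """Return (tag, body_start, body_end) for the packet header at pos."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor first)")
    if ctb & 0x40:  # new-format header: tag in the low six bits
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, pos + 2 + first
        if first < 224:
            return tag, pos + 3, pos + 3 + ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, pos + 6 + int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    # old-format header; length type 3 means the body runs to the end of the input
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    start = pos + 1 + (0 if ltype == 3 else 1 << ltype)
    end = len(buf) if ltype == 3 else start + int.from_bytes(buf[pos + 1:start], "big")
    return tag, start, end

def walk(buf):
    """Yield (tag, body) for every packet, descending into compressed data."""
    pos = 0
    while pos < len(buf):
        tag, start, end = read_header(buf, pos)
        yield tag, buf[start:end]
        if tag == 8:  # first body octet names the compression algorithm
            yield from walk(DECOMPRESS[buf[start]](buf[start + 1:end]))
        pos = end

def readable_without_key(buf):
    """Return the literal data if no packet encrypts it, else None."""
    packets = list(walk(buf))
    encrypted = any(tag in ENCRYPTED_TAGS for tag, _ in packets)
    return None if encrypted else next((b[6 + b[1]:] for t, b in packets if t == 11), None)

def constructed_sign_output(text):
    """Constructed stand-in for `gpg --sign` output; signature bodies are zero-filled."""
    lit = b"b" + bytes([3]) + b"doc" + bytes(4) + text  # format, name length, name, date, data
    inner = (bytes([0x90, 13]) + bytes(13) + bytes([0xAC, len(lit)]) + lit
             + bytes([0x88, 8]) + bytes(8))  # one-pass sig, literal data, signature
    z = zlib.compressobj(9, zlib.DEFLATED, -15)  # compression algorithm 1 = raw DEFLATE
    return bytes([0xA3, 1]) + z.compress(inner) + z.flush()
```

Run against a real binary doc.sig, `readable_without_key` returns the document text; run against output of --encrypt it returns None because the first packets carry an encryption tag.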
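Added example, not written by any poster in the "Corrupt file issue?" thread above: a simplified Python model of an ASCII-type FTP transfer, showing binary output being altered while armored text (the -a suggestion) survives, with a SHA-256 comparison as the check. The line-end model, payloads and armor-like wrapper are constructed assumptions; real clients and servers differ in detail.

```python
import base64
import hashlib

CRLF, LF = b"\r\n", b"\n"

def ascii_transfer(data, sender_eol, receiver_eol):
    """Model an ASCII-type transfer: local line ends become CRLF on the wire,
    then the receiver rewrites CRLF to its own line end."""
    wire = data if sender_eol == CRLF else data.replace(sender_eol, CRLF)
    return wire if receiver_eol == CRLF else wire.replace(CRLF, receiver_eol)

def armor(data, eol):
    """Armor-like text (constructed): base64 in 64-character lines.
    Real OpenPGP armor from `gpg -a` also carries headers and a CRC-24."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN SAMPLE-----", *lines, b"-----END SAMPLE-----"]) + eol

def dearmor(text):
    """Recover the payload; any line-end convention is accepted."""
    return base64.b64decode(b"".join(text.splitlines()[1:-1]))

def survives(data, sender_eol, receiver_eol, armored):
    """True if the receiver's payload has the same SHA-256 as the sender's."""
    sent = armor(data, sender_eol) if armored else data
    got = ascii_transfer(sent, sender_eol, receiver_eol)
    recovered = dearmor(got) if armored else got
    return hashlib.sha256(recovered).digest() == hashlib.sha256(data).digest()

# Constructed stand-ins for binary gpg output (not real ciphertext).
NO_CRLF_PAIR = bytes(range(256))                  # lone 0x0A, but no 0x0D 0x0A pair
WITH_CRLF_PAIR = bytes(range(256)) + b"\r\n\x9f"  # contains one 0x0D 0x0A pair

def results():
    """Outcome per scenario (CRLF host to LF host, or the reverse)."""
    return {
        "crlf->lf raw, no pair": survives(NO_CRLF_PAIR, CRLF, LF, False),
        "crlf->lf raw, with pair": survives(WITH_CRLF_PAIR, CRLF, LF, False),
        "lf->crlf raw": survives(NO_CRLF_PAIR, LF, CRLF, False),
        "crlf->lf armored": survives(WITH_CRLF_PAIR, CRLF, LF, True),
        "lf->crlf armored": survives(NO_CRLF_PAIR, LF, CRLF, True),
    }
```

In this model a raw file sent from a CRLF host to an LF host is damaged only when the byte pair 0x0D 0x0A happens to occur in it, so some files pass and others do not; a binary-type transfer or armored output removes that dependence on content.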