From wk at gnupg.org Wed Nov 1 00:22:22 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 1 00:25:05 2006
Subject: Logo contest closed
Message-ID: <873b94t6j5.fsf@wheatstone.g10code.de>

Hi,

we have received 28 submissions to the logo contest. It is now up to the folks listed as GnuPG authors in AUTHORS to decide. I will mail them later the day.

If you are interested in the submissions, please check out http://logo-contest.gnupg.org .

Note: If you submitted a logo and your name does not appear in the list, please let me know. I had to fish quite some submissions out of my spam folder so there is a slight chance that one got lost.

Salam-Shalom,

Werner

From wk at gnupg.org Wed Nov 1 11:59:02 2006
From: wk at gnupg.org (Werner Koch)
Date: Wed Nov 1 12:01:53 2006
Subject: Logo contest closed
In-Reply-To: <873b94t6j5.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed\, 01 Nov 2006 00\:22\:22 +0100")
References: <873b94t6j5.fsf@wheatstone.g10code.de>
Message-ID: <8764dzwhzd.fsf@wheatstone.g10code.de>

On Wed, 1 Nov 2006 00:22, Werner Koch said:

> If you are interested in the submissions, please check out
> http://logo-contest.gnupg.org .

I have added two more logos which reached me a bit too late due to greylisting.

Salam-Shalom,

Werner

From randy at randyburns.us Wed Nov 1 15:00:24 2006
From: randy at randyburns.us (Randy Burns)
Date: Wed Nov 1 16:54:59 2006
Subject: Logo contest closed
In-Reply-To: <8764dzwhzd.fsf@wheatstone.g10code.de>
Message-ID: <20061101140024.74110.qmail@web50906.mail.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I'm not a contest judge, but if I were a judge, this contest would be over after seeing the Robbie Tingey submission. Win or not, that's a great one. Good job!

Randy

> On Wed, 1 Nov 2006 00:22, Werner Koch said:
>
> > If you are interested in the submissions, please check out
> > http://logo-contest.gnupg.org .
>
> I have added two more logos which reached me a bit too late due
> to greylisting.
>
>
> Salam-Shalom,
>
> Werner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52
Comment: Public Keys at http://geocities.com/burns98
-----END PGP SIGNATURE-----

From michael.kallas at web.de Wed Nov 1 18:18:08 2006
From: michael.kallas at web.de (Michael Kallas)
Date: Wed Nov 1 18:16:52 2006
Subject: deleting signatures from uids
In-Reply-To: <20061031135804.GV31897@localhost.localdomain>
References: <20061031135804.GV31897@localhost.localdomain>
Message-ID: <4548D6D0.1030707@web.de>

Hi,

Stijn Hoop wrote:
> On the keyservers, there are therefore lots of signatures on my key
> from others that a) are really not useful anymore or b) that I have
> never even met (how did those get there!). Fortunately it looks like
> I can delete those signatures locally with --edit-key and then using
> 'delsig'. However I cannot get the keyservers to accept the new key
> without the useless signatures; they only seem to add new ones (as
> is evident from the multiple self-signatures now present).

This works as designed, as far as I know. Else an attacker might be able to remove signatures from your key.

Best wishes
Michael

--
Nobody can save your freedom but YOU - become a fellow of the FSF Europe!
http://www.fsfe.org/en

From johanw at vulcan.xs4all.nl Wed Nov 1 19:23:52 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Nov 1 19:20:29 2006
Subject: deleting signatures from uids
In-Reply-To: <20061031135804.GV31897@localhost.localdomain>
Message-ID: <200611011823.kA1INq7c008409@vulcan.xs4all.nl>

Stijn Hoop wrote:

>'delsig'. However I cannot get the keyservers to accept the new key
>without the useless signatures; they only seem to add new ones (as
>is evident from the multiple self-signatures now present).

Yes, keyservers will merge new signatures with the key but will not delete signatures. Don't try, others have gone that path before and didn't succeed.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From randy at randyburns.us Wed Nov 1 20:03:19 2006
From: randy at randyburns.us (Randy Burns)
Date: Wed Nov 1 20:01:51 2006
Subject: deleting signatures from uids
In-Reply-To: <20061031135804.GV31897@localhost.localdomain>
Message-ID: <20061101190320.28361.qmail@web50901.mail.yahoo.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- --- Stijn Hoop wrote:
[snip]
> Am I running into a limitation of the public key
> server architecture?

Yes. Just publish it yourself on a free website.
I've done it myself about the simplest way available here:

geocities (dot) com / burns98

All the best,

Randy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32) - GPGshell v3.52
Comment: Public Keys at http://geocities.com/burns98
-----END PGP SIGNATURE-----

From smolinski at de.ibm.com Wed Nov 1 21:30:29 2006
From: smolinski at de.ibm.com (Holger Smolinski)
Date: Wed Nov 1 21:26:10 2006
Subject: Holger Smolinski/Germany/IBM is on a cource until 10/23
Message-ID:

I will be out of the office starting 01.11.2006 and will not return until 02.11.2006.

There is a public holiday in Germany, and I will respond when I will have returned.

From DuWayne.Mahlen at lacek.com Wed Nov 1 23:09:35 2006
From: DuWayne.Mahlen at lacek.com (DuWayne.Mahlen@lacek.com)
Date: Thu Nov 2 00:25:10 2006
Subject: Windows GnuPG implementation for the enterprise
Message-ID:

Hello all,

I was told this is where to announce a new way to implement GnuPG in a Windows environment. As the transmission of PII has been scrutinized, we along with many other groups have had to require the encryption of all data in and out. As more users and novice users join the encryption front, my staff and I had been presented with the almost daunting task of user training and key management, not to mention the potential proprietary solution costs. After an extensive fruitless search, I decided to write a user friendly Windows frontend designed around a specific GnuPG install, integrated with Windows domain groups. I've dubbed it eGPG and released it to the world for free at www.egpg.org.

Thank you for your time and my thanks to the GnuPG team.

Thanks,

DuWayne Mahlen
IT Manager
The Lacek Group
Office: +1-612-596-3550
E-mail: duwayne.mahlen@lacek.com

Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Please advise immediately if you or your employer does not consent to email or messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of the sender's company shall be understood as neither given nor endorsed by it.

From rmeden at yahoo.com Thu Nov 2 05:43:19 2006
From: rmeden at yahoo.com (Robert Eden)
Date: Thu Nov 2 05:42:05 2006
Subject: Summary: Windows GUI recommendation for USB disk
Message-ID: <20061102044319.93842.qmail@web52104.mail.yahoo.com>

Thanks to everyone for their suggestions.

I was looking for a simple exe-only tool I could put on a USB disk to make it very easy for Windows users to encrypt files with a symmetric key.

Quite a few folks suggested GPGshell. It was a good choice, but had one problem... when it encrypts files it follows the GPG pattern of putting the new file in the same location of the old. If I used that, I'd be afraid users would copy the files to the USB drive and encrypt it there. Even if they deleted the file, it would have to be followed by an erase tool, which needs to be installed.... too much trouble. It also did more than symmetric keys, which may confuse my users..

I also learned that 7-zip now supports hard encryption. A *great* idea. We already use 7-zip internally, and that was actually my problem with it. If folk were already used to using 7-zip, I bet they wouldn't bother to check the "encrypt" button.

So, I ended up writing my own tool with wxGlade and WxPerl.
I didn't know such a GUI tool existed for Perl! I've been programming perl for years... I did one TK project, and really didn't want to go down that path... wxGlade and wxPerl made it pretty painless, once I learned the tools. I'm sure I'll make use of it again.

My tool prompts the user for a pass-phrase (twice), places some simple restrictions on the pass-phrase (10 characters, 3 words), and opens up a dialog box. The user then drags files/directories using explorer to the dialog box, which lists the files and starts gpg to encrypt them. (runs two encryption threads at once). Files are stored in the same directory as the executable.

If someone wants a copy let me know and I'll look into releasing it.

Robert

----- Original Message ----
From: Robert Eden
To: gnupg-users@gnupg.org
Sent: Monday, October 23, 2006 2:02:32 PM
Subject: Windows GUI recommendation for USB disk

I'd like to place a static windows GUI executable on a USB disk to encourage folks to encrypt data while using snail-mail. I don't want windows shell extensions as that would require an installer (WinPT). I'm thinking just a single EXE that provides a simple GUI and supports symmetric keys...

I don't know if GPA does this, I've been having trouble getting it to compile on my cygwin install. (The README talks about a pre-built binary, but it doesn't exist)

Any recommendations?

Robert

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From qed at tiscali.it Thu Nov 2 13:52:27 2006
From: qed at tiscali.it (Qed)
Date: Thu Nov 2 13:50:31 2006
Subject: deleting signatures from uids
In-Reply-To: <20061031135804.GV31897@localhost.localdomain>
References: <20061031135804.GV31897@localhost.localdomain>
Message-ID: <4549EA0B.6050808@tiscali.it>

On 10/31/2006 02:58 PM, Stijn Hoop wrote:
[..snip..]
> In a way I can see why; removing signatures from uids seems like it
> should require a passphrase, however it doesn't work that way. I've
> also read that it's nearly impossible to remove a key from the
> keyservers, however that's also not what I want to do, just update it.
>
> Am I running into a limitation of the public key server
> architecture? If so I guess I'll have to live with the crufty
> signatures, but if not, what am I doing wrong?

This is not a limitation, it's a feature :-) and this is also the reason why you should not play with PGP on keyservers, the result will be often another abandoned key.

--
Q.E.D.
War is Peace
Freedom is Slavery
Ignorance is Strength
ICQ UIN: 301825501
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!

From blueness at gmx.net Thu Nov 2 15:27:48 2006
From: blueness at gmx.net (Mica Mijatovic)
Date: Thu Nov 2 15:34:04 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <20061102044319.93842.qmail@web52104.mail.yahoo.com>
References: <20061102044319.93842.qmail@web52104.mail.yahoo.com>
Message-ID: <1262022374.20061102152748@gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA224

Was Wed, 1 Nov 2006, at 20:43:19 -0800 (PST), when Robert Eden wrote:

> My tool prompts the user for a pass-phrase (twice), places some
> simple restrictions on the pass-phrase (10 characters, 3 words), and
> opens up a dialog box. The user then drags files/directories using
> explorer to the dialog box, which lists the files and starts gpg to
> encrypt them. (runs two encryption threads at once). Files are stored
> in the same directory as the executable.

> If someone wants a copy let me know and I'll look into releasing it.

I'd like to see it and try out, Robert.

- --
Mica
~~~
For personal mail please use my address as it is *exactly* given in my "From" field, otherwise it will not reach me.
~~~
GPG keys/docs/software at:
http://blueness.port5.com/pgpkeys/
http://tronogi.tripod.com/pgp/pgpkeys/

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From hhhobbit at securemecca.net Thu Nov 2 18:49:20 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu Nov 2 18:47:33 2006
Subject: Logo contest closed
In-Reply-To: <0MKq2p-1GfUS318tk-0007LC@mx.perfora.net>
References: <0MKq2p-1GfUS318tk-0007LC@mx.perfora.net>
Message-ID: <1162489761.17510.52.camel@sirius.brigham.net>

On Wed, 2006-11-01 at 06:00 -0800, randy@randyburns wrote:

> I'm not a contest judge, but if I were a judge, this contest
> would be over after seeing the Robbie Tingey submission. Win or
> not, that's a great one. Good job!

I am glad you picked so quickly. I am also not a judge and I am glad I am not a judge. That is because I have narrowed it to these with very great difficulty. I still have some concerns with how hard it would be to make T-Shirts or other memorabilia with some of them. Artists also need to know that a reversal of a black <-> white or color shift should be a possibility for a logo on dark media (I really do prefer black t-shirts in the winter - they are warmer).

Submission 6: Thomas Wittek:
----------------------------
The first is classic and elegant, and it may even be possible to reverse color it for black t-shirts (hey it gets cold in some parts of the world and I am cold right now).

Submission 9: Daniel Huber:
---------------------------
By all means the first - classic and elegant, but some concerns about the key colors on t-shirts, etc.

Submission 14: Christian Javier ALVAREZ de Toledo:
--------------------------------------------------
I think it is possible by making the black letters and horns white and the white P (key) black, to put it on a dark / black background. I also like the small thumbnails.

Submission 18: Tri Seprian Damayanto:
-------------------------------------
I especially liked the elegant simplicity of the third sketch of the Gnu. Again, with a black to white reversal, it can go on a dark background.

Submission 19: Andrey Alekseev & Sergey Lukyanov:
-------------------------------------------------
Drop dead gorgeous but it is copyrighted already! Where is the Gnu Copyright? The reproducibility on pages may not come off as well as what is showing on the page. I think the richness of colors would be impossible on a T-Shirt. It doesn't stop me from liking it. Keep how hard it is to do a print of it on various media in mind judges. We aren't working with a Microsoft budget.

Submission 29: Arnfinn Sarau:
------------------------------
THE FIRST! But do it with just "Gnu-Privacy-Guard" or with "Gnu-Privacy-Guard OpenPGP compliant" or even omit that altogether if that is okay with Arnfinn. You could also use a lighter blue in the PG on dark backgrounds like black t-shirts. This one is not only easily done in various ways, but the four (that is a dark brown sliver between the light gold / dark gold) color design is easy to work with and looks beautiful.

That doesn't mean the others aren't good, but a Logo should be simple, easily put on various media including t-shirts, etc. You have five nanoseconds (what the attention span of humans has been reduced to now) before people don't see it any more. I would like to express thanks to all of the submissions and the work the people did. Thanks for all of the fine efforts!

Judges, remember that the logo will exist for a long time, so pick well. I gave what I liked in numerical, not preference order.
It is after all the judges' preferences that count. I just hope I gave them some helpful pointers. Consider it like the vote of one of the audience members in a game contest. You still have to make the final decision.

HHH

From wk at gnupg.org Thu Nov 2 19:12:30 2006
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 2 19:14:37 2006
Subject: Logo contest closed
In-Reply-To: <8764dzwhzd.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed\, 01 Nov 2006 11\:59\:02 +0100")
References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de>
Message-ID: <87r6wlra41.fsf@wheatstone.g10code.de>

Hi!

I have been reminded of another logo in my spam filters. It was received on Monday; thus in time. It is now at http://logog-contest.gnupg.org/subm-31.html .

Shalom-Salam,

Werner

From jmoore3rd at bellsouth.net Thu Nov 2 20:59:53 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu Nov 2 20:58:39 2006
Subject: deleting signatures from uids
In-Reply-To: <4549EA0B.6050808@tiscali.it>
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808@tiscali.it>
Message-ID: <454A4E39.7020008@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Qed wrote:

> This is not a limitation, it's a feature :-) and this is also the reason
> why you should not play with PGP on keyservers, the result will be often
> another abandoned key.

Best alternative: Revoke UID and then reload Key to Keyservers. This will then indicate once the 'Gossip Sharing' is complete that the UID is no longer any good.
:-/

JOHN ;)
Timestamp: Thursday 02 Nov 2006, 14:59 --500 (Eastern Standard Time)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6-svn4315: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From pdunbar at boothnewspapers.com Thu Nov 2 20:03:56 2006
From: pdunbar at boothnewspapers.com (Patrick R. Dunbar)
Date: Thu Nov 2 20:59:45 2006
Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document
Message-ID: <454A411C.2010204@boothnewspapers.com>

I am required to encrypt a document using the --cipher-algo AES switch using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6. The company that is receiving this file requires that the file be encrypted with the --openpgp switch. I have run --edit-key showpref on the receiving key and it shows that AES is a usable cipher.

My question: does the --openpgp switch interfere with the --cipher-algo AES switch?

Also is there any way to check if a gpg encrypted file is encrypted using AES?

Thanks in advance for any replies.

Pat Dunbar

From henkdebruijn at wanadoo.nl Thu Nov 2 20:31:49 2006
From: henkdebruijn at wanadoo.nl (Henk M.
de Bruijn)
Date: Thu Nov 2 21:13:04 2006
Subject: Logo contest closed
In-Reply-To: <87r6wlra41.fsf@wheatstone.g10code.de>
References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de>
Message-ID: <671680680.20061102203149@wanadoo.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 02 Nov 2006 19:12:30 +0100GMT (2-11-2006, 19:12 +0200, where I live), Werner Koch wrote:

WK> I have been reminded of another logo in my spam filters. It was
WK> received on Monday; thus in time. It is now at
WK> http://logog-contest.gnupg.org/subm-31.html .

You typed a "g" too much ;-)

http://logo-contest.gnupg.org/subm-31.html .

- --
Henk
______________________________________________________________________
The Bat! Natural E-Mail System version 3.86.03 ALPHA (beta) Pro on Windows XP SP2
Request-PGP: http://www.biglumber.com/x/web?qs=0x6C9F6CE78C32408B
Gossamer Spider Web of Trust http://www.gswot.org
A progressive and innovative Web of Trust

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6-svn4315HdB-dynamic-IDEA-Tiger192 (Cygwin/MingW32)
-----END PGP SIGNATURE-----

From hawke at hawkesnest.net Thu Nov 2 21:39:45 2006
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu Nov 2 21:39:38 2006
Subject: deleting signatures from uids
In-Reply-To: <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it>
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it>
Message-ID:

Qed wrote:
> This is not a limitation, it's a feature :-) and this is also the
reason
> why you should not play with PGP on keyservers, the result will be often
> another abandoned key.

Is there any reason that the keyserver needs to continue to redistribute expired, revoked, or otherwise invalid (e.g. superseded) signatures?

I can't think of any. I can kind of see why you might want to show the full history of a key, but does it really need to be distributed out to everyone?

If this is a security risk, surely the keyserver options "import-clean-sigs" and "import-clean-uids" are also, are they not?

-Alex Mauer "hawke"

From me at psmay.com Thu Nov 2 21:52:28 2006
From: me at psmay.com (Peter S. May)
Date: Thu Nov 2 21:58:31 2006
Subject: deleting signatures from uids
In-Reply-To:
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it>
Message-ID: <454A5A8C.8010007@psmay.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Mauer wrote:
> Is there any reason that the keyserver needs to continue to redistribute
> expired, revoked, or otherwise invalid (e.g. superseded) signatures?
>
> I can't think of any.

I would think that it's important for keyservers to widely distribute the revocation certificates of revoked signatures. If the keyservers simply omitted revoked signatures from search results, how would a client know that this uid was revoked? Stripping data that isn't particularly useful is a job better left to the client.

Word
--
PSM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From jmoore3rd at bellsouth.net Thu Nov 2 22:24:07 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu Nov 2 22:23:05 2006
Subject: Logo contest closed
In-Reply-To: <671680680.20061102203149@wanadoo.nl>
References: <873b94t6j5.fsf@wheatstone.g10code.de> <8764dzwhzd.fsf@wheatstone.g10code.de> <87r6wlra41.fsf@wheatstone.g10code.de> <671680680.20061102203149@wanadoo.nl>
Message-ID: <454A61F7.4050001@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

NOT a Judge...But a very avid, discerning User.

Since every submission has been made in .png Format I have saved my Favorites. Those individuals using senderface.xpi within their T-Bird installs will be able to see some of my selections based upon the email address they Open the Header on.

Now, I would like to make one Comment: this based upon the fact that many submissions were made with Comments about their suitability for T-Shirts and other Printed Media.

Worldwide, there are a great many lithography presses using the 5 color method. Please keep in mind that this method of printing is going to be the 'least' expensive for the foreseeable future.

Additionally; I, too, would love to have 2 XXL T-Shirts advocating GnuPG. Just provide breast pockets for Mountain Dew & cigs since this is required for future development! ;)

I would also prefer the Final Selection be made available in .jpeg format for use on those Sites that will only accept this format for Upload.

'Nuff Said! Curious users may request my Reply direct and I'll do so with my preferred selections displayed in the senderface box.

JOHN :-D
Timestamp: Thursday 02 Nov 2006, 16:22 --500 (Eastern Standard Time)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6-svn4315: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: My Homepage: http://tinyurl.com/yzhbhx
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From hawke at hawkesnest.net Thu Nov 2 22:46:02 2006
From: hawke at hawkesnest.net (Alex L. Mauer)
Date: Thu Nov 2 22:44:56 2006
Subject: deleting signatures from uids
In-Reply-To: <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com>
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com>
Message-ID:

Peter S. May wrote:

> I would think that it's important for keyservers to widely distribute
> the revocation certificates of revoked signatures.

Agreed. But it's not important to distribute signatures that have been revoked.

> If the keyservers
> simply omitted revoked signatures from search results, how would a
> client know that this uid was revoked?

Because the server could, and presumably would, still distribute revocation signatures, but not the signatures they revoke.

> Stripping data that isn't
> particularly useful is a job better left to the client.

I disagree. Downloading the data only to discard it is a waste of time and bandwidth.

-Alex Mauer "hawke"

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient flesh-eating beetles.

OpenPGP key id: 51192FF2 @ subkeys.pgp.net

From rjh at sixdemonbag.org Thu Nov 2 22:50:47 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu Nov 2 22:49:08 2006
Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document
In-Reply-To: <454A411C.2010204@boothnewspapers.com>
References: <454A411C.2010204@boothnewspapers.com>
Message-ID: <454A6837.2050806@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Patrick R. Dunbar wrote:
> My question: does the --openpgp switch interfere with the --cipher-algo
> AES switch?

No.

> Also is there any way to check if a gpg encrypted file is encrypted
> using AES?

Add "-vvvv" to the command-line and you'll get a ton of useful output. E.g.:

rjhansen:~ rjh$ gpg -vvvv foo.gpg
gpg: using character set `US-ASCII'
:pubkey enc packet: version 3, algo 1, keyid 97B2C95A0569E3E6
        data: [2048 bits]
gpg: public key is 0569E3E6
gpg: using subkey 0569E3E6 instead of primary key FEAF8109

You need a passphrase to unlock the secret key for
user: "Robert J.
Hansen"
gpg: using subkey 0569E3E6 instead of primary key FEAF8109
2048-bit RSA key, ID 0569E3E6, created 2005-02-22 (main key ID FEAF8109)

gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: 311
gpg: encrypted with 2048-bit RSA key, ID 0569E3E6, created 2005-02-22
      "Robert J. Hansen"
gpg: AES encrypted data
:compressed packet: algo=1
:literal data packet:
        mode b (62), created 1162504119, name="rand.cc",
        raw data: 472 bytes
gpg: original file name='rand.cc'
gpg: decryption okay
gpg: WARNING: message was not integrity protected

... Looks just fine to me. :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From me at psmay.com Thu Nov 2 23:01:12 2006
From: me at psmay.com (Peter S. May)
Date: Thu Nov 2 22:59:29 2006
Subject: deleting signatures from uids
In-Reply-To:
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com>
Message-ID: <454A6AA8.4030206@psmay.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex L. Mauer wrote:
> Peter S. May wrote:
>
>> I would think that it's important for keyservers to widely distribute
>> the revocation certificates of revoked signatures.
>
> Agreed. But it's not important to distribute signatures that have been
> revoked.
>
>> If the keyservers
>> simply omitted revoked signatures from search results, how would a
>> client know that this uid was revoked?
>
> Because the server could, and presumably would, still distribute
> revocation signatures, but not the signatures they revoke.

Yeah. Posted before thinking. The revocations are still good without the uids themselves.

>> Stripping data that isn't
>> particularly useful is a job better left to the client.
>
> I disagree. Downloading the data only to discard it is a waste of time
> and bandwidth.

Again, such is true for the uids themselves. But revocations for uids that the client doesn't have might or might not be considered superfluous. Perhaps we find a revocation for a uid we don't have yet on one keyserver and discard it, then find that uid still available on another keyserver, not yet revoked. I have no idea how that's handled. None whatsoever.

Tired
PSM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From jmoore3rd at bellsouth.net Thu Nov 2 23:13:16 2006
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Thu Nov 2 23:11:49 2006
Subject: deleting signatures from uids
In-Reply-To: <454A6AA8.4030206@psmay.com>
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it> <454A5A8C.8010007__18987.6263998032$1162501427$gmane$org@psmay.com> <454A6AA8.4030206@psmay.com>
Message-ID: <454A6D7C.9010308@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Peter S. May wrote:

> Again, such is true for the uids themselves. But revocations for uids
> that the client doesn't have might or might not be considered
> superfluous. Perhaps we find a revocation for a uid we don't have yet
> on one keyserver and discard it, then find that uid still available on
> another keyserver, not yet revoked. I have no idea how that's handled.
> None whatsoever.

OK...More Interesting still.
I Revoke a UID and provide a 'Reason' (which GnuPG allows)

My Reason: Changed ISP (in my Case the Truth; joimail.com to
bellsouth.net)

Now I Upload to the Keyservers; what happens to the Signatures on my
former UID? I still do not know. Based upon what I have read/been
told....no worries. I signed both New UIDs. And most of the Sigs were
on my Generic UID. Therefore > Trust should follow with the signing of
the new UID by a Good sig from the Generic UID.

I kinda feel that this is where the GSWoT Sig on my New email address
counts for something.

JOHN ;)
Timestamp: Thursday 02 Nov 2006, 17:13 --500 (Eastern Standard Time)

From hhhobbit at securemecca.net Thu Nov 2 23:56:49 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu Nov 2 23:55:03 2006
Subject: Gnupg-users Digest, Vol 38, Issue 2
In-Reply-To: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net>
References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net>
Message-ID: <1162508209.20169.26.camel@sirius.brigham.net>

On Thu, 2006-11-02 at 19:12 +0100, Werner Koch wrote:
> I have been reminded of another logo in my spam filters. It was
> received on Monday; thus in time. It is now at
> http://logog-contest.gnupg.org/subm-31.html .

I think you meant (provided for those who use only the mouse):

http://logo-contest.gnupg.org/subm-31.html

HHH

From hhhobbit at securemecca.net Thu Nov 2 23:58:25 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Thu Nov 2 23:56:29 2006
Subject: Summary: Windows GUI recommendation for USB disk
Message-ID: <1162508305.20169.28.camel@sirius.brigham.net>

Robert Eden wrote:
> Thanks to everyone for their suggestions.
>
> I was looking for a simple exe-only tool I could put on a USB
> disk to make it very easy for Windows users to encrypt files
> with a symmetric key.
>
> Quite a few folks suggested GPGshell. It was a good choice, but
> had one problem... when it encrypts files it follows the GPG
> pattern of putting the new file in the same location of the old.
> If I used that, I'd be afraid users would copy the files to the
> USB drive and encrypt it there. Even if they deleted the file,
> it would have to be followed by an erase tool, which needs to be
> installed.... too much trouble. It also did more than symmetric
> keys, which may confuse my users..
>
> I also learned that 7-zip now supports hard encryption. A
> *great* idea. We already use 7-zip internally, and that was
> actually my problem with it. If folk were already used to using
> 7-zip, I bet they wouldn't bother to check the "encrypt" button.
>
> So, I ended up writing my own tool in with wxGlade and WxPerl.
> I didn't know such a GUI tool existed for Perl! I've been
> programing perl for years... I did one TK project, and really
> didn't want to go down that path... wxGlade and wxPerl made it
> pretty painless, once I learned the tools. I'm sure I'll make
> use of it again.
>
> My tool prompts the user for a pass-phrase (twice), places some
> simple restrictions on the pass-phrase (10 characters, 3 words),
> and opens up a dialog box. The user then drags directories /
> files using explorer to the dialog box, which lists the files
> and starts gpg to encrypt them.
(runs two encryption threads at
> once). Files are stored in the same directory as the executable.
>
> If someone wants a copy let me know and I'll look into releasing
> it.

I will take more than the copy. Do you have any more pointers on
wxGlade and wxPerl? I have some projects that aren't even affiliated
with encryption that would be very useful to have. Send any pointers
on wxPerl to me off-group. If you want to support it over 2-3 years
(or longer), by all means release it!

7-zip, like most zip programs encryption doesn't even come close
to the level of protection that you are getting with GnuPG. Even
if you are using the lowest level cipher GnuPG provides, it is a
quantum leap over the zip programs enciphering. Quoting from
the man page for zip (roughly comparable to 7-zip and probably
uses the exact same code for enciphering):

    (And where security is truly important, use strong
    encryption such as Pretty Good Privacy instead of the
    relatively weak encryption provided by standard zipfile
    utilities.)

I think this would be a VERY useful tool to have. Your first
alteration may be the choice of cipher to use and perhaps a settable
default cipher. Most people don't set their default cipher in
gpg.conf.

HHH

From hhhobbit at securemecca.net Fri Nov 3 01:10:11 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Fri Nov 3 01:08:41 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net>
References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net>
Message-ID: <1162512611.20169.79.camel@sirius.brigham.net>

On Thu, 2006-11-02 at 16:26 -0500, Patrick R. Dunbar wrote:
> I am required to encrypt a document using the --cipher-algo AES switch
> using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6.
> The company that is receiving this file requires that the file be
> encrypted with the --openpgp switch.
> I have run --edit-key showpref on the receiving key and it shows that
> AES is a usable cipher.
>
> My question: does the --openpgp switch interfere with the --cipher-algo
> AES switch?
> Also is there any way to check if a gpg encrypted file is encrypted
> using AES?
>
> Thanks in advance for any replies.

The --openpgp should not cause any problems for you. For all of
the following, I used the exact same file to encrypt and the same
password and only changed the encipher program. I give the first
six bytes of each file for each cipher method:

    3DES:      8C 0D 04 02 03 02
    CAST5:     8C 0D 04 03 03 02
    BLOWFISH:  8C 0D 04 04 03 02
    AES:       8C 0D 04 07 03 02
    AES192:    8C 0D 04 08 03 02
    AES256:    8C 0D 04 09 03 02
    TWOFISH:   8C 0D 04 0A 03 02

It looks like byte four is your key, and 0x07 is what indicates an
AES enciphered file. But if you are using AES192 it would be 0x08,
and AES256 would be 0x09. Tell me if I got it wrong people! The
reason why is rather than the "file" program saying "data", it could
tell from the first three bytes that the file is an OpenPGP (only
GnuPG?) file with a symmetric cipher (the 03 02 in bytes 5-6?), and
the fourth byte can tell us which cipher it is. I ordered them in
ascending order NUMERICALLY, not in choice of cipher, but they are
roughly in order for that as well (with TWOFISH somewhere in among
those AES ciphers, not necessarily better than any of them).

Does that do it for you? I could send you the program to do it, but
it would have to be compiled on Solaris 8 which is all I have
available to me. This really does need to be integrated into all of
the vendors "file" program on all of the nixes. I wouldn't worry too
much about AES. Both PGP and GnuPG and a lot of other programs will
handle it if that is REALLY what you are asking. I think it is what
you are asking. I decided to turn on the fire hose 8^). Hey, you
asked for it and "file" didn't provide it! I would use C, but you
could use PERL and do it yourself.

HHH

From hhhobbit at securemecca.net Fri Nov 3 04:15:44 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Fri Nov 3 04:14:05 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <1162512611.20169.79.camel@sirius.brigham.net>
References: <0MKpmJ-1Gfk5500cq-0006bf@mx.perfora.net>
        <1162512611.20169.79.camel@sirius.brigham.net>
Message-ID: <1162523744.20169.113.camel@sirius.brigham.net>

On Thu, 2006-11-02 at 17:10 -0700, Henry Hertz Hobbit wrote:
> On Thu, 2006-11-02 at 16:26 -0500, Patrick R. Dunbar
> wrote:
> >
> > I am required to encrypt a document using the --cipher-algo AES switch
> > using gpg on a Solaris 10 system using gpg (GnuPG) 1.2.6.
> > The company that is receiving this file requires that the file be
> > encrypted with the --openpgp switch.
> > I have run --edit-key showpref on the receiving key and it shows that
> > AES is a usable cipher.
> >
> > My question: does the --openpgp switch interfere with the --cipher-algo
> > AES switch?
> > Also is there any way to check if a gpg encrypted file is encrypted
> > using AES?
> >
> > Thanks in advance for any replies.
>
> The --openpgp should not cause any problems for you.

And here is the program to check for the file type. It is ARDENTLY
hoped that the "file" programmers get all of it squared away (I may
have something wrong) so this program can disappear.

/*********************************************************************** \
 *
 *  File:    cfile.c
 *  Date:    Thu Nov 2 18:50:53 MST 2006
 *  Author:  Henry Hertz Hobbit
 *  Contact: hhhobbit at securemecca.com
 *
 *  This program checks whether a file is an OpenPGP (GnuPG only?)
 *  file that was encrypted with a symmetric cipher, and shows
 *  what cipher was used to encrypt it.
 *
 *  If somebody can show me how I am wrong in the header or in any
 *  of the byte values for the encryption, please steer me in the
 *  appropriate way. Here was what I found:
 *
 *      3DES:      8C 0D 04 02 03 02
 *      CAST5:     8C 0D 04 03 03 02
 *      BLOWFISH:  8C 0D 04 04 03 02
 *      AES:       8C 0D 04 07 03 02
 *      AES192:    8C 0D 04 08 03 02
 *      AES256:    8C 0D 04 09 03 02
 *      TWOFISH:   8C 0D 04 0A 03 02
 *
 *
 *  It is Gnu licensed and it is HOPED that the various versions
 *  of the file program will incorporate this information into
 *  them so that this program will no longer exist.
 *
\***********************************************************************/

#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MESSAGE_STRING 256
#define INBLOCK_SIZE   16
#define KNOWN_CIPHERS  12
#define FILENAME       argv
/* room left in message[] for strncat, keeping one byte for the NUL */
#define ROOM (MESSAGE_STRING - strlen(message) - 1)

char message[MESSAGE_STRING];
unsigned char inBlock[INBLOCK_SIZE];

/* indexed by the cipher byte found at offset 3 of the file */
char cipherName[KNOWN_CIPHERS][12] =
{
    " unknown\n", " unknown\n", " 3DES\n", " CAST5\n",
    " BLOWFISH\n", " unknown\n", " unknown\n", " AES\n",
    " AES192\n", " AES256\n", " TWOFISH\n", " unknown\n"
};

unsigned char preamble[4] = { 0x8c, 0x0d, 0x04, 0x00 };
unsigned char lastTwo[4] = { 0x03, 0x02, 0x00, 0x00 };

int main(int argc, char *argv[])
{
    int flp;
    int inFd;
    int bytesRead;
    unsigned char *lastTwoPtr;
    unsigned char *cipherTypePtr;
    unsigned char tmp;
    int cipherType;

    if (argc < 2)
    {
        puts("usage: cfile [file_spec ..]");
        exit(0);
    }
    lastTwoPtr = (inBlock + 4);
    cipherTypePtr = (inBlock + 3);
    for (flp = 1; flp < argc; flp++)
    {
        if ((inFd = open(FILENAME[flp], O_RDONLY)) == -1)
        {
            fprintf(stderr, "could not open file %s...skipping\n",
                    FILENAME[flp]);
            continue;
        }
        bytesRead = read(inFd, inBlock, (size_t)INBLOCK_SIZE);
        close(inFd);
        /* strncpy does not terminate a truncated copy, so do it here */
        strncpy(message, FILENAME[flp], MESSAGE_STRING - 1);
        message[MESSAGE_STRING - 1] = '\0';
        /* strncat's count is the space left, not the buffer size */
        if (bytesRead < 6)
        {
            if (bytesRead > 0)
            {
                strncat(message, ": data\n", ROOM);
            }
            else
            {
                strncat(message, ": empty file\n", ROOM);
            }
        }
        else
        {
            if ((memcmp(inBlock, preamble, (size_t)3) == 0) &&
                (memcmp(lastTwoPtr, lastTwo, (size_t)2) == 0))
            {
                strncat(message, ": OpenPGP symmetric cipher = ", ROOM);
                tmp = *cipherTypePtr;
                cipherType = (int)tmp;
                if (cipherType < KNOWN_CIPHERS)
                {
                    strncat(message, cipherName[cipherType], ROOM);
                }
                else
                {
                    strncat(message, cipherName[0], ROOM);
                }
            }
            else /* not an OpenPGP symmetric cipher file */
            {
                strncat(message, ": (unknown - use file command)\n", ROOM);
            }
        }
        fputs(message, stdout);
    } /* end of file loop */
    exit(0);
}

If anybody that has PGP or any other symmetric cipher program could
do the following, I would appreciate it.

1. Create a folder named PGP_SymCiphers
2. Create a file named test.txt with the following line in it:
       password = simple (or pick your own)
       Encrypted with = { YOUR Encryption Program Name }
3. backup the file if necessary to baktest.txt
4. Repeatedly encrypt test.txt with every cipher, but change the
   extension to the cipher name, e.g. test.3des for the 3DES
   encrypted file.
5. zip the folder and send it to me.

I could care less what a RFC page says - THEY FREQUENTLY LIE! The
acid test is what is actually in the file.

HHH

From me at psmay.com Fri Nov 3 04:56:53 2006
From: me at psmay.com (Peter S. May)
Date: Fri Nov 3 04:59:58 2006
Subject: Question about use of --cipher-algo AES & --openpgp when encrypting a document
In-Reply-To: <454A411C.2010204@boothnewspapers.com>
References: <454A411C.2010204@boothnewspapers.com>
Message-ID: <454ABE05.9070803@psmay.com>

Patrick R. Dunbar wrote:
> Also is there any way to check if a gpg encrypted file is encrypted
> using AES?

Henry had some interesting answers, and his program does work for many
cases, but it's slightly ad-hoc and there are many valid possibilities
it might not work for. You really need a program that knows how to read
the whole format. Last I checked, gpg does this nicely. ;-)

Try:

    gpg --list-packets --list-only enc.gpg

--list-packets describes what's in the file. --list-only prevents it
trying to decrypt just to look at what's inside; you don't need to
decrypt to find out the cipher algo.

Here's what the output looked like for something encrypted with CAST5:

:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
        salt aa0896216033e71c, count 96
gpg: CAST5 encrypted data
:encrypted data packet:
        length: unknown
gpg: encrypted with 1 passphrase

And with TWOFISH:

:symkey enc packet: version 4, cipher 10, s2k 3, hash 2
        salt 24fa7e952bcca00e, count 96
gpg: TWOFISH encrypted data
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: encrypted with 1 passphrase

And with AES:

:symkey enc packet: version 4, cipher 7, s2k 3, hash 2
        salt 9182cb227dcb6d3b, count 96
gpg: AES encrypted data
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: encrypted with 1 passphrase

The numbers after "cipher" (3 for CAST5, 10 for TWOFISH, 7 for AES-128)
correspond to whatever the most current variant of RFC 2440 is (bis 18,
http://www.ietf.org/internet-drafts/draft-ietf-openpgp-rfc2440bis-18.txt ,
is set to expire on the 11th of this month), or, more specifically,
GPG's interpretation thereof.

Hope that helps
PSM

From psmay at halfgeek.org Thu Nov 2 21:23:50 2006
From: psmay at halfgeek.org (Peter S. May)
Date: Fri Nov 3 11:07:50 2006
Subject: libgcrypt: I think I found a mistake in doc/gcrypt.info
Message-ID: <454A53D6.4080007@halfgeek.org>

Skipped content of type multipart/mixed
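
Peter S. May's reply above notes that fixed byte offsets only cover some files and that the cipher is best read by a program that understands the packet format. The block below is an added example, not code from the thread or from GnuPG: it parses the leading OpenPGP packet header in both old and new format and reports the cipher octet only for a version 4 symmetric-key encrypted session key packet. All function, constant and sample names are assumptions of this example, and the sample bytes are constructed from values quoted in the thread.

```c
/* Added example; every identifier is this example's own, not cfile.c's or GnuPG's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ERR_TRUNCATED = -1, ERR_NOT_OPENPGP = -2, ERR_NO_CLEAR_CIPHER = -3,
       ERR_MALFORMED = -4, ERR_UNSUPPORTED = -5 };

struct skesk { int version, cipher, s2k_type, hash; };

/* Constructed samples. The first is the AES header quoted in the thread
   (8C 0D 04 07 03 02) followed by the salt and count octet 0x60 (96) from
   the --list-packets output; the others are variations built for the test. */
const uint8_t SAMPLE_AES_OLD[] = { 0x8C, 0x0D, 0x04, 0x07, 0x03, 0x02,
    0x91, 0x82, 0xCB, 0x22, 0x7D, 0xCB, 0x6D, 0x3B, 0x60 };
const uint8_t SAMPLE_TWOFISH_NEW[] = { 0xC3, 0x0D, 0x04, 0x0A, 0x03, 0x02,
    0x24, 0xFA, 0x7E, 0x95, 0x2B, 0xCC, 0xA0, 0x0E, 0x60 };
const uint8_t SAMPLE_PUBKEY[]  = { 0x85, 0x01, 0x0C, 0x03 };  /* tag 1 header */
const uint8_t SAMPLE_BAD_LEN[] = { 0x8C, 0x04, 0x04, 0x07, 0x03, 0x02 };
const uint8_t SAMPLE_ZIP[]     = { 0x50, 0x4B, 0x03, 0x04 };  /* "PK" magic */

/* Read a big-endian length of `count` octets. */
static size_t be(const uint8_t *p, int count)
{
    size_t v = 0;
    while (count-- > 0) v = (v << 8) | *p++;
    return v;
}

/* Parse one packet header: returns its size in octets, or an error code. */
static int parse_header(const uint8_t *b, size_t n, int *tag, size_t *body_len)
{
    if (n < 2) return ERR_TRUNCATED;
    if (!(b[0] & 0x80)) return ERR_NOT_OPENPGP;    /* bit 7 is always set */
    if (b[0] & 0x40) {                             /* new-format header */
        *tag = b[0] & 0x3F;
        if (b[1] < 192) { *body_len = b[1]; return 2; }
        if (b[1] < 224) {
            if (n < 3) return ERR_TRUNCATED;
            *body_len = ((size_t)(b[1] - 192) << 8) + b[2] + 192;
            return 3;
        }
        if (b[1] != 255) return ERR_UNSUPPORTED;   /* partial body length */
        if (n < 6) return ERR_TRUNCATED;
        *body_len = be(b + 2, 4);
        return 6;
    }
    *tag = (b[0] >> 2) & 0x0F;                     /* old-format header */
    int len_octets = 1 << (b[0] & 0x03);           /* 1, 2, 4; 8 = indeterminate */
    if (len_octets == 8) return ERR_UNSUPPORTED;
    if (n < (size_t)len_octets + 1) return ERR_TRUNCATED;
    *body_len = be(b + 1, len_octets);
    return len_octets + 1;
}

/* Size of the string-to-key specifier for each defined S2K type. */
static int s2k_len(int type)
{
    return type == 0 ? 2 : type == 1 ? 10 : type == 3 ? 11 : -1;
}

/* Returns the cipher ID stored in clear in a leading v4 symmetric-key ESK
   packet (tag 3), or a negative error code. `out` may be NULL. */
int skesk_cipher(const uint8_t *b, size_t n, struct skesk *out)
{
    int tag = 0;
    size_t body_len = 0;
    int hdr = parse_header(b, n, &tag, &body_len);
    if (hdr < 0) return hdr;
    /* Tag 1 is a public-key ESK: the cipher ID travels inside the
       encrypted session key, so it cannot be read without the secret key. */
    if (tag == 1) return ERR_NO_CLEAR_CIPHER;
    if (tag != 3) return ERR_UNSUPPORTED;
    if (n - (size_t)hdr < 4) return ERR_TRUNCATED;
    const uint8_t *p = b + hdr;
    if (p[0] != 4) return ERR_UNSUPPORTED;
    int need = s2k_len(p[2]);
    /* Body = version + cipher + S2K specifier; 0x0D (13) fits S2K type 3. */
    if (need < 0 || body_len < (size_t)need + 2) return ERR_MALFORMED;
    if (out) {
        out->version = p[0]; out->cipher = p[1];
        out->s2k_type = p[2]; out->hash = p[3];
    }
    return p[1];
}

/* Names for the cipher IDs listed in the thread. */
const char *cipher_name(int id)
{
    static const char *const names[] = { NULL, NULL, "3DES", "CAST5", "BLOWFISH",
        NULL, NULL, "AES", "AES192", "AES256", "TWOFISH" };
    if (id < 0 || id > 10 || !names[id]) return "unknown";
    return names[id];
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        uint8_t buf[16];
        struct skesk s;
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        int r = skesk_cipher(buf, n, &s);
        if (r >= 0)
            printf("%s: cipher %d (%s), s2k %d, hash %d\n",
                   argv[i], r, cipher_name(r), s.s2k_type, s.hash);
        else
            printf("%s: no clear-text cipher ID (code %d)\n", argv[i], r);
    }
    return 0;
}
```
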

From malayter at gmail.com Fri Nov 3 15:53:21 2006
From: malayter at gmail.com (Ryan Malayter)
Date: Fri Nov 3 16:17:52 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <1162508305.20169.28.camel@sirius.brigham.net>
References: <1162508305.20169.28.camel@sirius.brigham.net>
Message-ID: <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>

On 11/2/06, Henry Hertz Hobbit wrote:
> 7-zip, like most zip programs encryption doesn't even come close
> to the level of protection that you are getting with GnuPG. Even
> if you are using the lowest level cipher GnuPG provides, it is a
> quantum leap over the zip programs enciphering. Quoting from
> the man page for zip (roughly comparable to 7-zip and probably
> uses the exact same code for enciphering):
>
> (And where security is truly important, use strong
> encryption such as Pretty Good Privacy instead of the
> relatively weak encryption provided by standard zipfile
> utilities.)
>

When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with
a passphrase-to-key function based on SHA-256. This is actually
stronger than most cipher preferences on OpenPGP keys. It is not the
same as the weak "winZip"-derived encryption.

Of course, these files can only be read by 7-zip, but it is free and
open source. (It also compresses a lot better than standard ZIP's
DEFLATE algorithm, if more slowly).

-- 
RPM
=========================
All problems can be solved by diplomacy, but violence and treachery
are equally effective, and more fun.
      -Anonymous

From wk at gnupg.org Fri Nov 3 16:29:18 2006
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 3 16:31:54 2006
Subject: libgcrypt: I think I found a mistake in doc/gcrypt.info
In-Reply-To: <454A53D6.4080007@halfgeek.org> (Peter S.
        May's message of "Thu\, 02 Nov 2006 15\:23\:50 -0500")
References: <454A53D6.4080007@halfgeek.org>
Message-ID: <87bqnok0q9.fsf@wheatstone.g10code.de>

On Thu, 2 Nov 2006 21:23, Peter S. May said:

> I think I spotted a little error in libgcrypt's doc/gcrypt.info. Context
> diff from 1.2.3 attached.

Thanks.

Salam-Shalom,

   Werner

From rjh at sixdemonbag.org Fri Nov 3 16:40:21 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri Nov 3 16:38:20 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>
References: <1162508305.20169.28.camel@sirius.brigham.net>
        <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>
Message-ID: <454B62E5.10101@sixdemonbag.org>

Ryan Malayter wrote:
> When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with
> a passphrase-to-key function based on SHA-256. This is actually
> stronger than most cipher preferences on OpenPGP keys.

This may be just my own personal quirk, but it seems misleading to me to
describe AES256 as "stronger" than, say, AES128. The threshold just to
break AES128 is so immense that it may as well be a brick wall;
describing AES256 as "stronger" just means the brick wall is, well,
still a brick wall. Once you reach a certain threshold point as far as
resistance to brute-force attacks, to really make something "stronger"
requires introducing resistance to other kinds of attacks.

E.g., I'd say that a 3DES hardware token guarded by a fireteam of armed
Marines is far stronger than an AES256 key stored on a PC running
unpatched Windows 95 on an always-on unfirewalled Internet connection,
despite the fact the AES256 key has about 144 bits more keyspace.

Let's just describe 7zip as using strong crypto, and leave it at that.
:)

From dave.smith at st.com Fri Nov 3 17:07:34 2006
From: dave.smith at st.com (David SMITH)
Date: Fri Nov 3 17:05:59 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <454B62E5.10101@sixdemonbag.org>
References: <1162508305.20169.28.camel@sirius.brigham.net>
        <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>
        <454B62E5.10101@sixdemonbag.org>
Message-ID: <20061103160734.GC12355@bristol.st.com>

On Fri, Nov 03, 2006 at 09:40:21AM -0600, Robert J. Hansen wrote:
> The threshold just to
> break AES128 is so immense that it may as well be a brick wall;

...at the moment.

One Xbox360 runs more FLOPS than the world's fastest supercomputer of
little more than a decade ago (a fact that I still find incredible).

Of course, encryption is more about integer performance than FLOPS, but I
suspect that integer performance has scaled in the same orders of magnitude.

-- 
David Smith        | Tel: +44 (0)1454 462380  Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380           GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith@st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith@ds-electronics.co.uk

From rjh at sixdemonbag.org Fri Nov 3 17:39:54 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri Nov 3 17:37:54 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <20061103160734.GC12355@bristol.st.com>
References: <1162508305.20169.28.camel@sirius.brigham.net>
        <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>
        <454B62E5.10101@sixdemonbag.org>
        <20061103160734.GC12355@bristol.st.com>
Message-ID: <454B70DA.1040103@sixdemonbag.org>

David SMITH wrote:
> ...at the moment.

Welcome to the Second Law of Thermodynamics! Enjoy your stay.

By the Second Law, every time a bit of information is erased you have to
pay the entropy tax of (kT * ln 2) J.
Let's assume that for each key you
try, you have to erase 1000 bits of information--this is wildly
optimistic, given how complex key schedules usually are, but it'll make
for nice numbers.

On average you'll have to brute-force 2**127 keys before you find the
proper 128-bit AES key.

    1000 = 10**3
    2**127 approx. eq. 10**38

    10**41 * (3 * 10**-21) = 3 * 10**20 J

A one-megaton nuclear weapon liberates approximately 10**15 J of energy.

    3 * 10**20 J divided by 10**15 J = 300,000 megatons

By comparison, the 1863 Krakatoa explosion liberated about 21,000 megatons.

If you're interested, we can also do a quantum-mechanical analysis of
the minimum time required to do this computation. It gets equally silly.

http://en.wikipedia.org/wiki/Rolf_Landauer
http://en.wikipedia.org/wiki/Margolus-Levitin_theorem

... It's true that quantum computers and reversible computing will both
reduce this number considerably. However, if you're going to talk about
science fiction--which is what large-scale quantum and reversible
computing is nowadays--then why not go whole-hog and posit the existence
of a psychic who's 100% effective in predicting keys?

From blueness at gmx.net Fri Nov 3 18:38:23 2006
From: blueness at gmx.net (Mica Mijatovic)
Date: Fri Nov 3 20:59:22 2006
Subject: Logo contest closed
In-Reply-To: <87r6wlra41.fsf@wheatstone.g10code.de>
References: <873b94t6j5.fsf@wheatstone.g10code.de>
        <8764dzwhzd.fsf@wheatstone.g10code.de>
        <87r6wlra41.fsf@wheatstone.g10code.de>
Message-ID: <1734938651.20061103183823@gmx.net>

Was Thu, 02 Nov 2006, at 19:12:30 +0100, when Werner Koch wrote:

> Hi!
> I have been reminded of another logo in my spam filters. It was
> received on Monday; thus in time. It is now at
> http://logog-contest.gnupg.org/subm-31.html .

This one attracted my attention most.

A bit pity, btw, that names of authors were revealed (both to the public
and the "jury") before the final selection is made.

-- 
Mica
~~~ For personal mail please use my address as it
is *exactly* given in my "From" field, otherwise
it will not reach me. ~~~
GPG keys/docs/software at:
http://blueness.port5.com/pgpkeys/
http://tronogi.tripod.com/pgp/pgpkeys/
Yes, this kid is a bit slow, but with respect to what the party it was,
I am happy that he doesn't bark.

From hhhobbit at securemecca.net Sat Nov 4 00:47:25 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Sat Nov 4 00:45:52 2006
Subject: Summary: Windows GUI recommendation for USB disk
In-Reply-To: <454B62E5.10101@sixdemonbag.org>
References: <1162508305.20169.28.camel@sirius.brigham.net>
        <5d7f07420611030653y1c7ec612n9ef98888b300641d@mail.gmail.com>
        <454B62E5.10101@sixdemonbag.org>
Message-ID: <1162597646.5017.135.camel@sirius.brigham.net>

On Fri, 2006-11-03 at 09:40 -0600, Robert J. Hansen wrote:
> Ryan Malayter wrote:
> > When encrypting to a *.7z file, 7-zip uses AES-256 in CBC mode, with
> > a passphrase-to-key function based on SHA-256. This is actually
> > stronger than most cipher preferences on OpenPGP keys.
>
> This may be just my own personal quirk, but it seems misleading to me to
> describe AES256 as "stronger" than, say, AES128. The threshold just to
> break AES128 is so immense that it may as well be a brick wall;
> describing AES256 as "stronger" just means the brick wall is, well,
> still a brick wall. Once you reach a certain threshold point as far as
> resistance to brute-force attacks, to really make something "stronger"
> requires introducing resistance to other kinds of attacks.
>
> E.g., I'd say that a 3DES hardware token guarded by a fireteam of armed
> Marines is far stronger than an AES256 key stored on a PC running
> unpatched Windows 95 on an always-on unfirewalled Internet connection,
> despite the fact the AES256 key has about 144 bits more keyspace.
>
> Let's just describe 7zip as using strong crypto, and leave it at that. :)

I already told Ryan that WinZip also has both AES128 and AES256. I
did a download of it yesterday and found that out for sure. I also
asked Ryan to do a test to find if WinZip <-> 7-Zip can share their
AES encrypted files.

You are absolutely correct in saying that they are both brick walls.
The weakness is not in the algorithm or even the number of bits you
use. I primarily use TWOFISH, but it is still that brick wall. It
just has different colored bricks. The weakness is normally in the
pass-phrase (password). Trying as hard as I can, I have had nothing
but grief in trying to train people in how to create them and have
finally understood it is going to be "pencil", no matter what for
some people. That is the limit of their memory and imagination.
Well, even the smart ones will resort to using "joshua"
(case-insensitive of course). Go look at War-Games if you don't know
where the pass-phrases came from.

I gave Ryan the humorous example of a fellow student who locked their
terminal at school while they went to the restroom. I told him I
could hack through his screen password. I did, and changed it to
another one. I had noticed him looking at the pictures of nature on
the wall and fixating on a green frog. I hacked in with only about
four attempts, then locked it again with a pass-phrase indicating the
hack. The strongest encryption in the world is useless without a
GOOD password or pass-phrase. It may be useless even then with a
keyboard logger. Kevin Mitnick didn't exploit weaknesses in systems
so much as exploiting the weaknesses in people.

This all kind of begs the question though.
I can't even get the files
to another security researcher (Mike Burgess) because the Symantec AV
scanner on Comcast's SMTP server barfs on a PLAIN zipped file right
now. It attaches my message (with the ZIP attachment) to a message
saying it can't scan the zip file. It will ALWAYS do that if I
encrypt the zip file (whether I use the salt-cipher or AES) that I
zip. But I can attach a normal zipped file and use GnuPG (OpenPGP)
encryption and it sails right on through. I can see my zip
attachments that are bounced in both Thunderbird and Evolution, but
Mike can't see them in Outlook (any pointers Outlook people?). If
the message doesn't make it the other side and that is what you
wanted to do in the first place the encryption is useless.

Systems depend on EACH AND EVERY ELEMENT that go into their creation.
Passwords and pass-phrases are what I will attack every time, not the
brute force of something even as lowly as CAST5 or 3DES. I GUARANTEE
that unless people are trained in how to create novel passwords and
pass-phrases AND *DO* IT, I WILL probably be successful. And I only
have a normal IQ. Don't go up against the geniuses like Mitnick,
Schneier and Werner and others. They will beat you every time.

HHH

From wk at gnupg.org Sun Nov 5 13:13:20 2006
From: wk at gnupg.org (Werner Koch)
Date: Sun Nov 5 13:17:08 2006
Subject: Logo contest closed
In-Reply-To: <1734938651.20061103183823@gmx.net> (Mica Mijatovic's message of "Fri\, 3 Nov 2006 18\:38\:23 +0100")
References: <873b94t6j5.fsf@wheatstone.g10code.de>
        <8764dzwhzd.fsf@wheatstone.g10code.de>
        <87r6wlra41.fsf@wheatstone.g10code.de>
        <1734938651.20061103183823@gmx.net>
Message-ID: <87bqnm8527.fsf@wheatstone.g10code.de>

On Fri, 3 Nov 2006 18:38, Mica Mijatovic said:

> A bit pity, btw, that names of authors were revealed (both to the public
> and the "jury") before the final selection is made.

I thought about this but cleaning the submissions from the names would
have been a lot of work.
I sincerely hope all will vote on the content
and not on the repudiation of the author.

Shalom-Salam,

   Werner

From maccrest at gmail.com Sun Nov 5 11:52:34 2006
From: maccrest at gmail.com (Crest da Zoltral)
Date: Sun Nov 5 13:54:56 2006
Subject: How to enable a block cipher or hash algorithm for a keypair?
Message-ID: <454DC272.7060606@gmail.com>

I searched any documentation I found on the net about how to edit keys,
but I didn't find a way to enable a different cipher or digest? With
`gpg --edit-key $key_id showpref` it's only possible to view the
preferences and `gpg --edit-key $key_id pref` seems only to print the
prefs in shorter harder to read form. So how can I enable Twofish and
SHA-512 (without overriding the preferences with --cipher-algo and
--digest-algo)?

From alphasigmax at gmail.com Sun Nov 5 14:36:59 2006
From: alphasigmax at gmail.com (Alphax)
Date: Sun Nov 5 14:35:57 2006
Subject: How to enable a block cipher or hash algorithm for a keypair?
In-Reply-To: <454DC272.7060606@gmail.com>
References: <454DC272.7060606@gmail.com>
Message-ID: <454DE8FB.4030107@gmail.com>

Crest da Zoltral wrote:
> I searched any documentation I found on the net about how to edit keys,
> but I didn't find a way to enable a different cipher or digest? With
> `gpg --edit-key $key_id showpref` it's only possible to view the
> preferences and `gpg --edit-key $key_id pref` seems only to print the
> prefs in shorter harder to read form. So how can I enable Twofish and
> SHA-512 (without overriding the preferences with --cipher-algo and
> --digest-algo)?

$ gpg --edit-key 0xDEADBEEF
Secret key is available

pub  2048R/0xDEADBEEF  created: 2006-01-01  expires: never  usage: SC
                       trust: ultimate      validity: ultimate
sub  2048g/0xCAFEBABE  created: 2006-01-01  expires: never  usage: E
[ultimate] (1). Person (comment)

Command> setpref h8 h10 h3 h2 s4 s9 s10 s8 s7 z3 z2 z1 mdc no-ks-modify
Set preference list to:
     Cipher: BLOWFISH, AES256, TWOFISH, AES192, AES, 3DES
     Digest: SHA256, SHA512, RIPEMD160, SHA1
     Compression: BZIP2, ZLIB, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N)

You need a passphrase to unlock the secret key for
user: "Person (comment) "
2048-bit RSA key, ID 0xDEADBEEF, created 2006-01-01

Enter passphrase:

Command> quit
Save changes? (y/N) y

HTH,
-- 
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g

From rjh at sixdemonbag.org Sun Nov 5 16:29:43 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun Nov 5 16:27:57 2006
Subject: How to enable a block cipher or hash algorithm for a keypair?
In-Reply-To: <454DC272.7060606@gmail.com>
References: <454DC272.7060606@gmail.com>
Message-ID: <454E0367.20600@sixdemonbag.org>

Crest da Zoltral wrote:
> I searched any documentation I found on the net about how to edit keys,
> but I didn't find a way to enable a different cipher or digest? With
> `gpg --edit-key $key_id showpref` it's only possible to view the
> preferences and `gpg --edit-key $key_id pref` seems only to print the
> prefs in shorter harder to read form. So how can I enable Twofish and
> SHA-512 (without overriding the preferences with --cipher-algo and
> --digest-algo)?

While Alphax gave you some good advice, it may also be unnecessary
advice or irrelevant advice.

You don't need to do anything, really, to enable a different cipher or
digest. They're all enabled. It isn't as if, should you receive
BLOWFISH-encrypted traffic, that you need to make sure your key is set
to read BLOWFISH.

The available algorithms--all of which are enabled--can be found just
by typing:

gpg --version

For instance, I get:

Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224

... If what you want is to start using a different algorithm, a better
idea than using --cipher-algo and --digest-algo is to use the algorithm
preferences. Try adding these two lines to gpg.conf:

personal-cipher-preferences TWOFISH AES256 AES192 AES128 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160

... Also, you may want to consider whether you really want to start
using SHA512. There's nothing wrong with it, but only very recent
versions of PGP understand it. If interoperability is a concern, you're
much better off with SHA256, which is understood by PGP 8.1 and later.
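Added example (not part of the thread and not GnuPG's own code): a small Python model that decodes a `setpref` string like the one in Alphax's transcript and shows which cipher a `personal-cipher-preferences` line like the one above yields once the recipient keys' preferences are taken into account. The selection rule is a simplification (first personal entry that every recipient key lists, with 3DES implied on every key as the OpenPGP specification requires); the second recipient and the key without preferences are constructed sample data, and treating AES128 as AES is an assumption.

```python
import re

# Algorithm numbers as assigned by the OpenPGP specification.
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
           9: "SHA384", 10: "SHA512", 11: "SHA224"}
COMPRESSION = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}
FEATURES = {"mdc": "MDC", "no-ks-modify": "Keyserver no-modify"}

# prefix letter -> (category, table, algorithm implied at the end of the list)
KINDS = {"s": ("cipher", CIPHERS, "3DES"),
         "h": ("digest", DIGESTS, "SHA1"),
         "z": ("compression", COMPRESSION, "Uncompressed")}

# Assumption of this sketch: AES128 is another spelling of AES (algorithm 7).
ALIASES = {"AES128": "AES"}


def parse_setpref(spec):
    """Decode a setpref argument string (s4, h8, z3, mdc, ...) into names."""
    prefs = {"cipher": [], "digest": [], "compression": [], "features": []}
    for token in spec.split():
        low = token.lower()
        if low in FEATURES:
            prefs["features"].append(FEATURES[low])
            continue
        match = re.fullmatch(r"([shz])(\d+)", low)
        if not match:
            raise ValueError(f"unrecognised preference token: {token!r}")
        kind, table, _ = KINDS[match.group(1)]
        algo_id = int(match.group(2))
        if algo_id not in table:
            raise ValueError(f"unknown {kind} algorithm id: {algo_id}")
        if table[algo_id] not in prefs[kind]:
            prefs[kind].append(table[algo_id])
    # The mandatory algorithm is tacitly last in every list that omits it.
    for kind, _, implicit in KINDS.values():
        if implicit not in prefs[kind]:
            prefs[kind].append(implicit)
    return prefs


def canonical_cipher(name):
    """Normalise a cipher name and reject names outside the table."""
    name = ALIASES.get(name.upper(), name.upper())
    if name not in CIPHERS.values():
        raise ValueError(f"unknown cipher name: {name!r}")
    return name


def choose_cipher(personal, recipient_lists):
    """Pick a cipher for one message.

    personal        -- the sender's personal-cipher-preferences value
    recipient_lists -- one list of cipher names per recipient key
    """
    if not recipient_lists:
        raise ValueError("at least one recipient key is required")
    lists = []
    for names in recipient_lists:
        names = [canonical_cipher(n) for n in names]
        if "3DES" not in names:
            names.append("3DES")
        lists.append(names)
    # Only algorithms listed by every recipient key may be used.
    common = set(lists[0]).intersection(*lists[1:])
    for name in personal.split():
        if canonical_cipher(name) in common:
            return canonical_cipher(name)
    # Nothing on the personal list is acceptable to everyone: fall back to
    # the first recipient's ordering (3DES guarantees a result).
    return next(n for n in lists[0] if n in common)


# The setpref string and the gpg.conf line quoted in the thread.
ALPHAX_SETPREF = "h8 h10 h3 h2 s4 s9 s10 s8 s7 z3 z2 z1 mdc no-ks-modify"
PERSONAL = "TWOFISH AES256 AES192 AES128 3DES"

if __name__ == "__main__":
    key_a = parse_setpref(ALPHAX_SETPREF)
    key_b = parse_setpref("s9 s7 s3")   # constructed second recipient
    key_c = parse_setpref("")           # constructed key with no preferences
    for kind in ("cipher", "digest", "compression", "features"):
        print(f"{kind}: {', '.join(key_a[kind])}")
    print("to A only:   ", choose_cipher(PERSONAL, [key_a["cipher"]]))
    print("to A and B:  ", choose_cipher(PERSONAL, [key_a["cipher"], key_b["cipher"]]))
    print("to A, B, C:  ", choose_cipher(
        PERSONAL, [key_a["cipher"], key_b["cipher"], key_c["cipher"]]))
```

The personal list only orders the sender's wishes; adding a recipient whose key lists fewer ciphers narrows the choice, down to 3DES when a key carries no preferences at all.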
From jdever at triad.rr.com Mon Nov 6 00:38:35 2006
From: jdever at triad.rr.com (Jim Dever)
Date: Mon Nov 6 02:35:23 2006
Subject: gpg error messag
Message-ID: <454E75FB.8070604@triad.rr.com>

Can anyone help me out with the meaning of this error message? Thanks!

=====
enigmail> C:\Program Files\GNU\GnuPG\gpg.exe --charset utf8 --no-version --batch --no-tty --status-fd 2 --verify
gpg: Signature made 10/10/06 01:02:23 using RSA key ID CA57AD7C
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
enigmail.js: Enigmail.decryptMessageEnd: Error in command execution
=====

--
Jim

From rjh at sixdemonbag.org Mon Nov 6 02:46:27 2006
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon Nov 6 02:44:27 2006
Subject: gpg error messag
In-Reply-To: <454E75FB.8070604@triad.rr.com>
References: <454E75FB.8070604@triad.rr.com>
Message-ID: <454E93F3.6080507@sixdemonbag.org>

Jim Dever wrote:
> Can anyone help me out with the meaning of this error message?

It will help us out considerably if you can tell us more about your
problem. What operating system are you using? What version of GnuPG
are you using? What hash algorithm does the message say it's using?
What program generated the message in question? What version of
Enigmail? What... etcetera?

From dshaw at jabberwocky.com Mon Nov 6 03:52:38 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Nov 6 03:50:49 2006
Subject: How to enable a block cipher or hash algorithm for a keypair?
In-Reply-To: <454E0367.20600@sixdemonbag.org>
References: <454DC272.7060606@gmail.com> <454E0367.20600@sixdemonbag.org>
Message-ID: <20061106025238.GA10246@jabberwocky.com>

On Sun, Nov 05, 2006 at 09:29:43AM -0600, Robert J. Hansen wrote:

> ... If what you want is to start using a different algorithm, a better
> idea than using --cipher-algo and --digest-algo is to use the algorithm
> preferences.
Try adding these two lines to gpg.conf: > > personal-cipher-preferences TWOFISH AES256 AES192 AES128 3DES > personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 Note, though, that neither of these will take effect unless the other keys participating in the encryption agree. You can only use an algorithm that is present in the preferences of all keys you are encrypting to. David From jdever at triad.rr.com Mon Nov 6 04:44:26 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 04:42:40 2006 Subject: gpg error messag In-Reply-To: <454E93F3.6080507@sixdemonbag.org> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> Message-ID: <454EAF9A.3080300@triad.rr.com> Robert J. Hansen wrote: > Jim Dever wrote: >> Can anyone help me out with the meaning of this error message? > > It will help us out considerably if you can tell us more about your > problem. What operating system are you using? What version of GnuPG > are you using? What hash algorithm does the message say it's using? > What program generated the message in question? What version of > Enigmail? What... etcetera? Ok... Using Windows XP Pro, Thunderbird 1.5.0.7 Enigmail 0.94.1.0, GnuPG 1.4.5. I'm trying to verify the signature on the automated email from the PGP Global directory keyserver. This is the only email that has ever shown this message. Here's the Enigmail Console output with a -vv added to it. Hash appears to be SHA1. Thanks. 
=====
enigmail> C:\Program Files\GNU\GnuPG\gpg.exe --charset utf8 --no-version -vv --batch --no-tty --status-fd 2 --verify
gpg: armor: BEGIN PGP SIGNED MESSAGE
gpg: armor header: Hash: SHA1
:packet 63: length 11
:literal data packet:
        mode t (74), created 0, name="",
        raw data: unknown length
gpg: original file name=''
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: PGP Universal 2.0.4
:signature packet: algo 1, keyid 9710B89BCA57AD7C
        version 3, created 1160456543, md5len 5, sigclass 01
        digest algo 8, begin of digest 0b 1a
        data: [2046 bits]
gpg: Signature made 10/10/06 01:02:23 using RSA key ID CA57AD7C
gpg: WARNING: signature digest conflict in message
gpg: Can't check signature: general error
enigmail.js: Enigmail.decryptMessageEnd: Error in command execution
=====

--
Jim
OpenPGP KeyID: 0x006921e
Keyserver: ldap://keyserver.pgp.com

From dshaw at jabberwocky.com Mon Nov 6 05:45:38 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Nov 6 05:43:40 2006
Subject: gpg error messag
In-Reply-To: <454EAF9A.3080300@triad.rr.com>
References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com>
Message-ID: <20061106044538.GC10246@jabberwocky.com>

On Sun, Nov 05, 2006 at 10:44:26PM -0500, Jim Dever wrote:
> Robert J. Hansen wrote:
> > Jim Dever wrote:
> >> Can anyone help me out with the meaning of this error message?
> >
> > It will help us out considerably if you can tell us more about your
> > problem. What operating system are you using? What version of GnuPG
> > are you using? What hash algorithm does the message say it's using?
> > What program generated the message in question? What version of
> > Enigmail? What... etcetera?
>
> Ok... Using Windows XP Pro, Thunderbird 1.5.0.7 Enigmail 0.94.1.0, GnuPG
> 1.4.5.
>
> I'm trying to verify the signature on the automated email from the PGP
> Global directory keyserver. This is the only email that has ever shown
> this message.
Here's the Enigmail Console output with a -vv added to
> it. Hash appears to be SHA1.

The program that generated this message has a problem. First it
announces that the signature hash is going to be SHA1:

> gpg: armor header: Hash: SHA1

Then it provides the signature:

> :signature packet: algo 1, keyid 9710B89BCA57AD7C
> version 3, created 1160456543, md5len 5, sigclass 01
> digest algo 8, begin of digest 0b 1a
> data: [2046 bits]

Digest algo 8 is SHA256, not SHA1.

You might be able to manipulate things into verifying the signature by
editing the file to change the SHA1 string to SHA256, but the real
problem is probably in whatever program generated the message.

David

From dshaw at jabberwocky.com Mon Nov 6 06:20:42 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Nov 6 06:19:02 2006
Subject: deleting signatures from uids
In-Reply-To:
References: <20061031135804.GV31897@localhost.localdomain> <4549EA0B.6050808__33980.4716445089$1162472273$gmane$org@tiscali.it>
Message-ID: <20061106052042.GB1685@jabberwocky.com>

On Thu, Nov 02, 2006 at 02:39:45PM -0600, Alex Mauer wrote:
> Qed wrote:
> > This is not a limitation, it's a feature :-) and this is also the reason
> > why you should not play with PGP on keyservers, the result will be often
> > another abandoned key.
>
> Is there any reason that the keyserver needs to continue to redistribute
> expired, revoked, or otherwise invalid (e.g. superseded) signatures?
>
> I can't think of any.
>
> I can kind of see why you might want to show the full history of a key,
> but does it really need to be distributed out to everyone?
>
> If this is a security risk, surely the keyserver options
> "import-clean-sigs" and "import-clean-uids" are also, are they not?

No. GnuPG has the ability to verify signatures, and so can correctly
do this. It's not as simple as just dropping all expired signatures.
You must distribute some signatures, even though they aren't usable
(for example, the last in a series of expired signatures).
Keyservers don't have any crypto support, so can't verify signatures, and so can't do any sort of signature cleaning safely. David From jdever at triad.rr.com Mon Nov 6 06:47:18 2006 From: jdever at triad.rr.com (Jim Dever) Date: Mon Nov 6 06:46:00 2006 Subject: gpg error messag In-Reply-To: <20061106044538.GC10246@jabberwocky.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> Message-ID: <454ECC66.1050501@triad.rr.com> David Shaw wrote: > > You might be able to manipulate things into verifying the signature by > editing the file to change the SHA1 string to SHA256, but the real > problem is probably in whatever program generated the message. Thanks! I thought that might be the problem although I didn't know how to determine what hash the message was actually using. What's ridiculous is that the message was produced by the PGP Global Directory keyserver. The message is PGP/MIME in HTML format and I don't even see a HASH string in the message source at all. Thanks for your help! -- Jim From patrick at mozilla-enigmail.org Mon Nov 6 11:19:18 2006 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Mon Nov 6 11:18:00 2006 Subject: gpg error messag In-Reply-To: <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> Message-ID: Jim Dever wrote: > David Shaw wrote: > > >> You might be able to manipulate things into verifying the signature by >> editing the file to change the SHA1 string to SHA256, but the real >> problem is probably in whatever program generated the message. > > Thanks! I thought that might be the problem although I didn't know how > to determine what hash the message was actually using. 
What's
> ridiculous is that the message was produced by the PGP Global Directory
> keyserver. The message is PGP/MIME in HTML format and I don't even see
> a HASH string in the message source at all.

The hash string should be in the message header, something like

Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";

I'm pretty sure that something is defined -- Enigmail will not try to
verify the message if no hash algorithm is provided.

-Patrick

From wk at gnupg.org Mon Nov 6 11:20:09 2006
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 6 11:22:47 2006
Subject: GnuPG 1.9.95 released
Message-ID: <87ac34op0m.fsf@wheatstone.g10code.de>

Hi,

I have just released version 1.9.95 of GnuPG. This one fixes some
build problems and is expected to be the last release before 2.0.0.

Thanks to Nilgün Belma Bugüner for providing the first complete
translation (tr).

Available at the usual place:

 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.95.tar.bz2 (3780k)
 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.95.tar.bz2.sig

or as a patch (without PO file updates):

 ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.9.94-1.9.95.diff.bz2 (10k)

Shalom-Salam,

   Werner

--
Werner Koch
The GnuPG Experts http://g10code.com
Join the Fellowship and protect your Freedom! http://www.fsfe.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20061106/ecc2f5eb/attachment.pgp From dshaw at jabberwocky.com Mon Nov 6 14:17:44 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 14:15:56 2006 Subject: gpg error messag In-Reply-To: References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> Message-ID: <20061106131744.GA3057@jabberwocky.com> On Mon, Nov 06, 2006 at 11:19:18AM +0100, Patrick Brunschwig wrote: > Jim Dever wrote: > > David Shaw wrote: > > > > > >> You might be able to manipulate things into verifying the signature by > >> editing the file to change the SHA1 string to SHA256, but the real > >> problem is probably in whatever program generated the message. > > > > Thanks! I thought that might be the problem although I didn't know how > > to determine what hash the message was actually using. What's > > ridiculous is that the message was produced by the PGP Global Directory > > keyserver. The message is PGP/MIME in HTML format and I don't even see > > a HASH string in the message source at all. > > The hash string should be in the message header, something like > Content-Type: multipart/signed; micalg=pgp-sha1; > protocol="application/pgp-signature"; > > I'm pretty sure that something is defined -- Enigmail will not try to > verify the message if no hash algorithm is provided. Ah, I recall this problem. I reported it to the PGP GD people quite a while ago, and I thought it had been fixed. The GD was generating a PGP/MIME micalg setting of pgp-sha1, but the actual signature was being made with SHA256. 
David

From jdever at triad.rr.com Mon Nov 6 18:05:44 2006
From: jdever at triad.rr.com (Jim Dever)
Date: Mon Nov 6 18:03:50 2006
Subject: gpg error messag
In-Reply-To: <20061106131744.GA3057@jabberwocky.com>
References: <454E75FB.8070604@triad.rr.com> <454E93F3.6080507@sixdemonbag.org> <454EAF9A.3080300@triad.rr.com> <20061106044538.GC10246@jabberwocky.com> <454ECC66.1050501__24672.3227356144$1162792290$gmane$org@triad.rr.com> <20061106131744.GA3057@jabberwocky.com>
Message-ID: <454F6B68.9060606@triad.rr.com>

David Shaw wrote:
> Ah, I recall this problem. I reported it to the PGP GD people quite a
> while ago, and I thought it had been fixed. The GD was generating a
> PGP/MIME micalg setting of pgp-sha1, but the actual signature was
> being made with SHA256.

Found it. That's exactly what's happening and obviously the problem
still hasn't been fixed (or else it raised its ugly head again).

=====
Content-type: multipart/signed;
 protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary=PGP_Universal_2F4EB16A_4F41CA65_EABA882D_FCFE19A6
=====

Thanks to you both!

--
Jim

From johanw at vulcan.xs4all.nl Mon Nov 6 19:39:07 2006
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon Nov 6 19:40:43 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <1162523744.20169.113.camel@sirius.brigham.net>
Message-ID: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl>

Henry Hertz Hobbit wrote:

>* 3DES: 8C 0D 04 02 03 02
>* CAST5: 8C 0D 04 03 03 02
>* BLOWFISH: 8C 0D 04 04 03 02
>* AES: 8C 0D 04 07 03 02
>* AES192: 8C 0D 04 08 03 02
>* AES256: 8C 0D 04 09 03 02
>* TWOFISH: 8C 0D 04 0A 03 02

I guess IDEA is 8C 0D 04 01 03 02.

--
ir. J.C.A.
Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Mon Nov 6 20:02:14 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Nov 6 20:00:24 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl>
References: <1162523744.20169.113.camel@sirius.brigham.net> <200611061839.kA6Id7xb011448@vulcan.xs4all.nl>
Message-ID: <20061106190214.GA5029@jabberwocky.com>

On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote:
> Henry Hertz Hobbit wrote:
>
> >* 3DES: 8C 0D 04 02 03 02
> >* CAST5: 8C 0D 04 03 03 02
> >* BLOWFISH: 8C 0D 04 04 03 02
> >* AES: 8C 0D 04 07 03 02
> >* AES192: 8C 0D 04 08 03 02
> >* AES256: 8C 0D 04 09 03 02
> >* TWOFISH: 8C 0D 04 0A 03 02
>
> I guess IDEA is 8C 0D 04 01 03 02.

This method for identifying ciphers is not reliable. There are many
ways for a file to be packed, and this method will do the wrong thing
for all but one of the ways.

David

From me at psmay.com Mon Nov 6 20:21:49 2006
From: me at psmay.com (Peter S. May)
Date: Mon Nov 6 20:20:16 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl>
References: <200611061839.kA6Id7xb011448@vulcan.xs4all.nl>
Message-ID: <454F8B4D.9090308@psmay.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johan Wevers wrote:
> Henry Hertz Hobbit wrote:
>
>> * 3DES: 8C 0D 04 02 03 02
>> * CAST5: 8C 0D 04 03 03 02
>> * BLOWFISH: 8C 0D 04 04 03 02
>> * AES: 8C 0D 04 07 03 02
>> * AES192: 8C 0D 04 08 03 02
>> * AES256: 8C 0D 04 09 03 02
>> * TWOFISH: 8C 0D 04 0A 03 02
>
> I guess IDEA is 8C 0D 04 01 03 02.
>

For various reasons (in particular, the flexibility of packet formats
in OpenPGP), you _must not_ expect the fourth byte of a message to
always represent the cipher algorithm; it can appear elsewhere.
If you need to know what cipher algorithm the message you have is in,
pipe it to

gpg --list-packets --list-only

If you just want the number, try this:

gpg --list-packets --list-only 2>&1 | \
perl -n -e '/^:symkey enc packet:.*?cipher (\d+)/ and print "$1\n"'

The number that results, if any, maps according to RFC 2440 or its most
current de facto variant. bis-18 () lists these ciphers:

   ID           Algorithm
   --           ---------
   0          - Plaintext or unencrypted data
   1          - IDEA [IDEA]
   2          - TripleDES (DES-EDE, [SCHNEIER] [HAC] - 168 bit key derived from 192)
   3          - CAST5 (128 bit key, as per RFC 2144)
   4          - Blowfish (128 bit key, 16 rounds) [BLOWFISH]
   5          - Reserved
   6          - Reserved
   7          - AES with 128-bit key [AES]
   8          - AES with 192-bit key
   9          - AES with 256-bit key
   10         - Twofish with 256-bit key [TWOFISH]
   100 to 110 - Private/Experimental algorithm.

If you'd rather have the name, try

gpg --list-packets --list-only 2>&1 | \
perl -n -e '/^gpg: (.*?) encrypted data$/ and print "$1\n"'

And note that this is not likely to work as expected on anything that
isn't symmetric-encrypted input.

Have fun
PSM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFT4tEei6R+3iF2vwRAuP6AJ4kvPtpt/3Ponzqr4JUdrNS6H5EpgCcCMS5
GC8pte0laTZU/EBDdO8t488=
=vug9
-----END PGP SIGNATURE-----

From brunij at earthlink.net Mon Nov 6 18:14:07 2006
From: brunij at earthlink.net (Joseph Bruni)
Date: Mon Nov 6 20:50:09 2006
Subject: keyserver
Message-ID: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net>

Hello,

I would like to set up a keyserver at my business for a small number of
users (c. 100). I've tried to build the latest versions of PKS, CKS,
and SKS, but these projects haven't been updated in a long time and no
longer build because of old library dependencies.

Does anyone on this list manage a keyserver and if so, what are you using?
Regards, Joe From dshaw at jabberwocky.com Mon Nov 6 21:14:51 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Nov 6 21:13:01 2006 Subject: keyserver In-Reply-To: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> Message-ID: <20061106201451.GB5029@jabberwocky.com> On Mon, Nov 06, 2006 at 10:14:07AM -0700, Joseph Bruni wrote: > Hello, > > I would like to set up a keyserver at my business for a small number > of users (c. 100). I've tried to build the latest versions of PKS, > CKS, and SKS, but these projects haven't been updated in a long time > and no longer build because of old library dependencies. > > Does anyone on this list manage a keyserver and if so, what are you > using? There are two good ways to run a keyserver. If you are planning on syncing your internal keyserver with the outside world, then SKS is for you. If you are having problems building it, ask on the SKS mailing list at http://lists.nongnu.org/mailman/listinfo/sks-devel If you are not planning to sync with the outside world, then may I suggest using LDAP? Many sites already have a LDAP server, and GnuPG will quite happily use it as a keyserver. The LDAP schema for OpenPGP keys is at http://asteria.noreply.org/~weasel/PGPKeyserverSchema.zip David From nealpd at bellsouth.net Mon Nov 6 21:39:33 2006 From: nealpd at bellsouth.net (nealpd@bellsouth.net) Date: Mon Nov 6 23:24:44 2006 Subject: pgp decryption Failed - 2 Message-ID: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net> We are using gnupg version 1.2.1. When our customer sends in an encrypted file we are unable to decrypt it because it keeps getting an error of "pgp decryption Failed - 2". The customer can then start completely over and encrypt the file again, send it through and it works fine then. The file always fails on the first couple of tries though. 
They have asked us to research and find out what the "pgp decryption
Failed - 2" error message means and I can find nothing in my
documentation to tell me what it is.

From brunij at earthlink.net Tue Nov 7 05:13:30 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Tue Nov 7 05:11:33 2006
Subject: keyserver
In-Reply-To: <20061106201451.GB5029@jabberwocky.com>
References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com>
Message-ID:

On Nov 6, 2006, at 1:14 PM, David Shaw wrote:

> If you are not planning to sync with the outside world, then may I
> suggest using LDAP?

I considered the use of LDAP since I just recently built an OpenLDAP
server for us to use for centralized user authentication and it would
fit right in. But, from what I understand about using LDAP as a
keyserver, one would lack the key-data merging capability since LDAP
servers don't know about OpenPGP-specific data.

When GnuPG submits key data to an LDAP server, does it perform merging
(read-modify-write) or does it just submit the local copy of the key,
overwriting the previous key?

I was able to get PKS to compile on Linux and it works. My problem was
initially with trying to build on OS X since the db2 configure script
is so old that it doesn't recognize Darwin. I pulled the pks-current
code which uses the DB4.1 database and got it working on Linux. But it
doesn't support some of the more recent OpenPGP features (attributes).
(I'm not sure that that is a show-stopper, though.)

I was intrigued by CKS but its dependency on the defunct RpSQL was a
show-stopper, and using PostgreSQL as a back-end is some serious
overkill for an access pattern that never changes.

SKS seems good but the use of yet another oddball language (ocaml) is
annoying and I ran into problems with it trying to compile on SuSE
Linux -- I'll bring those issues up on the SKS list if anyone there is
still participating.
I noticed, David, that your name is one of the contributors to the PKS
project. I was hoping that the GnuPG project might "adopt" the idea of
a keyserver and run with it, keeping it up to date. Has the idea of
public keyservers run out of steam?

Joe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20061106/222999f1/smime.bin

From brunij at earthlink.net Tue Nov 7 05:31:45 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Tue Nov 7 05:29:51 2006
Subject: pgp decryption Failed - 2
In-Reply-To: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net>
References: <20061106203933.CVNP7297.ibm58aec.bellsouth.net@mail.bellsouth.net>
Message-ID:

Do you get the same result when using the current version of GnuPG
(i.e. 1.4.5)?

Is the file sent ASCII armored?

When you say "sends" what is the method (FTP, email, etc.)?

If using FTP, is the transfer method text or binary?

Is one of the computers in question using Windows?

What is your customer using for encryption (PGP, GnuPG)?

You say that "they" asked you to research the error message. Who is
"they"? Are they receiving the error message when encrypting or are
you when decrypting? Or are they receiving an error message when you
encrypt a response file to them?

-Joe

On Nov 6, 2006, at 1:39 PM, wrote:

> We are using gnupg version 1.2.1. When our customer sends in an
> encrypted file we are unable to decrypt it because it keeps
> getting an
> error of "pgp decryption Failed - 2". The customer can then start
> completely over and encrypt the file again, send it through and it
> works fine then. The file always fails on the first couple of tries
> though. They have asked us to research and find out what the "pgp
> decryption Failed - 2" error message means and I can find nothing
> in my
> documentation to tell me what it is.
> > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20061106/bc701cd1/smime.bin From olaf.gellert at intrusion-lab.net Tue Nov 7 10:12:07 2006 From: olaf.gellert at intrusion-lab.net (Olaf Gellert) Date: Tue Nov 7 10:08:06 2006 Subject: keyserver In-Reply-To: References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> Message-ID: <45504DE7.4090106@intrusion-lab.net> Joseph Oreste Bruni wrote: > I considered the use of LDAP since I just recently built an OpenLDAP > server for us to use for centralized user authentication and it would > fit right in. But, from what I understand about using LDAP as a > keyserver, one would lack the key-data merging capability since LDAP > servers don't know about OpenPGP-specific data. Don't know. > I was able to get PKS to compile on Linux and it works. My problem was > initially with trying to build on OS X since the db2 configure script is > so old that it doesn't recognize Darwin. I pulled the pks-current code > which uses the DB4.1 database and got it working on Linux. But it > doesn't support some of the more recent OpenPGP features (attributes). > (I'm not sure that that is a show-stopper, though.) It is. PKS does not support multiple subkeys and some other features of modern keys. Actually nearly all keyserver administrators switched to SKS (it syncs fine and supports all recent keys). > SKS seems good but the use of yet another oddball language (ocaml) is > annoying and I ran into problems with it trying to compile on SuSE Linux > -- I'll bring those issues up on the SKS list if anyone there is still > participating. 
Should run on SuSE without too many problems (I have installed SKS on a SuSE system). Hopefully you have the correct version of the OCAML-Compiler etc. Just ask at the SKS mailing list, it is usually low traffic but very responsive. > I noticed, David, that your name is one of the contributers to the PKS > project. I was hoping that the GnuPG project might "adopt" the idea of a > keyserver and run with it, keeping it up to date. Has the idea of public > keyservers run out of steam? I guess not. There are some problems with recent public keyservers (which are not technical problems but legal problems, eg. privacy of the data (because keys actually cannot removed or blacklisted)), but this does not matter for a private key server. But a keyserver is something completely different than GnuPG, so the crypto gurus take care for GPG and some other gurus develop key servers. Maybe a key server that supports cryptography would need a team of both. Any takers? ;-) Cheers, Olaf -- Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET Senior Researcher, www.intrusion-lab.net PKI - and IDS - Services olaf.gellert@intrusion-lab.net From dshaw at jabberwocky.com Tue Nov 7 15:01:59 2006 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 7 15:00:34 2006 Subject: keyserver In-Reply-To: References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> Message-ID: <20061107140159.GC5584@jabberwocky.com> On Mon, Nov 06, 2006 at 09:13:30PM -0700, Joseph Oreste Bruni wrote: > > On Nov 6, 2006, at 1:14 PM, David Shaw wrote: > > >If you are not planning to sync with the outside world, then may I > >suggest using LDAP? > > > I considered the use of LDAP since I just recently built an OpenLDAP > server for us to use for centralized user authentication and it would > fit right in. 
But, from what I understand about using LDAP as a > keyserver, one would lack the key-data merging capability since LDAP > servers don't know about OpenPGP-specific data. > > When GnuPG submits key data to an LDAP server, does it perform > merging (read-modify-write) or does it just submit the local copy of > the key, overwriting the previous key? LDAP overwrites. SKS or PKS merges. It's an interesting question which behavior is better, but (as in many things) the answer comes down to the behavior that is "better" is the one that you like more. :) Personally, I think that LDAP is better for key populations that have a distinct boundary: a company, for example. In a company, key merging isn't really that useful or desirable, as generally there isn't much back-and-forth key signing. Rather, the company signs each key with the authoritative company key. Since you already have a running LDAP setup, it seems like an obvious solution to use it rather than have to maintain a whole second server (with backups, etc). LDAP has another side benefit if you choose to make it visible outside the company: people who use PGP will automatically find keys for your employees and encrypt their mail. When encrypting to user@example.com, PGP universal looks for ldap://keys.example.com and asks it for the user@example.com key. Put "auto-key-locate ldap" in your gpg.conf, and GnuPG will do the same. > I was able to get PKS to compile on Linux and it works. My problem > was initially with trying to build on OS X since the db2 configure > script is so old that it doesn't recognize Darwin. I pulled the pks- > current code which uses the DB4.1 database and got it working on > Linux. But it doesn't support some of the more recent OpenPGP > features (attributes). (I'm not sure that that is a show-stopper, > though.) I wouldn't use PKS at this point. It is unmaintained code, and has many known bugs. It is simply not an option any longer. 
> SKS seems good but the use of yet another oddball language (ocaml) is
> annoying and I ran into problems with it trying to compile on SuSE
> Linux -- I'll bring those issues up on the SKS list if anyone there
> is still participating.

SKS has a good user population on their list. They can very likely
help you.

> I noticed, David, that your name is one of the contributers to the
> PKS project. I was hoping that the GnuPG project might "adopt" the
> idea of a keyserver and run with it, keeping it up to date. Has the
> idea of public keyservers run out of steam?

My involvement with PKS was really that of desperation. PKS was the
main and only keyserver software for years, and worked great. As
OpenPGP grew, though, the keyserver wasn't really grown to match, and
so had serious key-mangling problems with the more modern OpenPGP
features. I couldn't persuade many people to stop running it and move
to SKS, so I got involved long enough to fix the worst of the bugs.
The current state of PKS is that it still doesn't work with modern
keys, but at least it doesn't destroy them any longer.

The SKS developer (Yaron Minsky) has done an excellent job with SKS,
and virtually all the public keyservers run SKS these days.

David

From hhhobbit at securemecca.net Tue Nov 7 17:04:35 2006
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Tue Nov 7 17:02:55 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net>
References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net>
Message-ID: <1162915475.4894.261.camel@sirius.brigham.net>

On Mon, 2006-11-06 at 14:02 -0500, David Shaw wrote:

> On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote:
> > Henry Hertz Hobbit wrote:
> >
> > >* 3DES: 8C 0D 04 02 03 02
> > >* CAST5: 8C 0D 04 03 03 02
> > >* BLOWFISH: 8C 0D 04 04 03 02
> > >* AES: 8C 0D 04 07 03 02
> > >* AES192: 8C 0D 04 08 03 02
> > >* AES256: 8C 0D 04 09 03 02
> > >* TWOFISH: 8C 0D 04 0A 03 02
> >
> > I guess IDEA is 8C 0D 04 01 03 02.
>
> This method for identifying ciphers is not reliable.
> There are many ways for a file to be packed, and this
> method will do the wrong thing for all but one of the
> ways.

I am from Missouri today, and I am stubborn mule. 8^)

First, please remember that we are talking about only symmetrically enciphered files without email etc. Just encrypting a file on the computer. That was what the person was doing, and they were not using the --armor (-a) option. You will of course NOT get the above first six bytes with the armor option since the very first character is not a valid ASCII text character.

Please specify at least one way (preferable to have two or three) where this is not the case for a symmetrically enciphered file that is written to the disk (not piped into email, etc.). I am not saying that you are wrong.
It is just that I have tried it quite a few ways and I always come up with the same first six bytes for any given cipher, including even some where GnuPG gives me messages like this

$ gpg -d < TOOMUCH.gpg > BACK
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
$ diff TOOMUCH BACK
$ rm BACK

If it is a file created with a non-GnuPG, but OpenPGP compliant program, please send me the file and the password. I don't have anything but GnuPG. I will be removing all keys but mine to run the test with. I will be looking for:

[1] gpg's message of what cipher was used to encrypt the file. It would be preferable to have the file that was encrypted with a symmetric cipher to contain only the phrase:

Hello World!

If I can't decrypt it, I would consider that to mean it is not OpenPGP compliant.

[2] The first six bytes of the file. I will compare that with what is in the chart.

Even if you do have an encrypted file that doesn't use these, is there anything wrong with the file command returning the answers given for the first six bytes of the file? I can't find any information that they are used for any other kind of file.

Peter S. May - Thanks for the PERL scripts.

HHH

From wk at gnupg.org Tue Nov 7 17:38:46 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 7 17:42:01 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net> (Henry Hertz Hobbit's message of "Tue\, 07 Nov 2006 09\:04\:35 -0700")
References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net>
Message-ID: <878xinmctl.fsf@wheatstone.g10code.de>

On Tue, 7 Nov 2006 17:04, hhhobbit@securemecca.net said:

> First, please remember that we are talking about only symmetrically
> enciphered files without email etc. Just encrypting a file on the

This doesn't matter. There are still several ways such a file may look.
It might work for you today but it may produce the wrong result with the next update or with another OpenPGP implementation. A script to detect the cipher algorithm needs to implement the standard and not merely use some heuristic. That is for what standards are.

Salam-Shalom,

Werner

From dshaw at jabberwocky.com Tue Nov 7 17:44:50 2006
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Nov 7 17:42:56 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net>
References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net>
Message-ID: <20061107164450.GC8338@jabberwocky.com>

On Tue, Nov 07, 2006 at 09:04:35AM -0700, Henry Hertz Hobbit wrote:
> On Mon, 2006-11-06 at 14:02 -0500, David Shaw wrote:
>
> > On Mon, Nov 06, 2006 at 07:39:07PM +0100, Johan Wevers wrote:
> > > Henry Hertz Hobbit wrote:
> > >
> > > >* 3DES: 8C 0D 04 02 03 02
> > > >* CAST5: 8C 0D 04 03 03 02
> > > >* BLOWFISH: 8C 0D 04 04 03 02
> > > >* AES: 8C 0D 04 07 03 02
> > > >* AES192: 8C 0D 04 08 03 02
> > > >* AES256: 8C 0D 04 09 03 02
> > > >* TWOFISH: 8C 0D 04 0A 03 02
> > >
> > > I guess IDEA is 8C 0D 04 01 03 02.
> >
> > This method for identifying ciphers is not reliable.
> > There are many ways for a file to be packed, and this
> > method will do the wrong thing for all but one of the
> > ways.
>
> I am from Missouri today, and I am stubborn mule. 8^)
>
> First, please remember that we are talking about only symmetrically
> enciphered files without email etc. Just encrypting a file on the
> computer. That was what the person was doing, and they were not
> using the --armor (-a) option. You will of course NOT get the
> above first six bytes with the armor option since the very first
> character is not a valid ASCII text character.
>
> Please specify at least one way (preferable to have two or three)
> where this is not the case for a symmetrically enciphered file
> that is written to the disk (not piped into email, etc.). I am
> not saying that you are wrong. It is just that I have tried it
> quite a few ways and I always come up with the same first six bytes
> for any given cipher, including even some where GnuPG gives me
> messages like this

I've attached two files that will both give you the wrong answer using the "first six bytes" methodology.

David

-------------- next part --------------
A non-text attachment was scrubbed...
Name: file2.gpg
Type: application/octet-stream
Size: 47 bytes
Desc: not available
Url : /pipermail/attachments/20061107/2b31b8ed/file2.obj

From emlynj at gmail.com Tue Nov 7 15:50:45 2006
From: emlynj at gmail.com (Emlyn Jones)
Date: Tue Nov 7 17:54:42 2006
Subject: Multiple Sym. Encrypted Packets
Message-ID:

Hello,
I've written some code to generate an encrypted message which I can successfully decrypt using gpg. Currently the packet stream contains one Public-Key Encrypted Session Key Packet and one Symmetrically Encrypted Data Packet and works perfectly. However, I would like to set up the packet stream to contain multiple pairs of these packets. When I try it gpg fails to correctly read the packet immediately following the SED packet (it finds an invalid packet). Am I making sense?
This works:
[PKESK][SED]
as does this:
[PKESK] [PKESK][SED]

This doesn't:
[PKESK][SED][PKESK][SED] (fails reading the second PKESK)

This will read the two PKESK packets and the first SED but not the final one:
[PKESK][PKESK][SED][SED]

I have two questions:
i)Should this be possible?
ii)Are there any tools (other than gpg -vvv) to help debug what gpg is finding in my packet stream?
iii)I'm pretty confident the size of the SED packet is specified correctly but do I need to make sure that the SED packet size is a multiple of the algorithm's block size?

Any pointers gratefully received.
Thanks,
Emlyn.

From me at psmay.com Tue Nov 7 18:26:14 2006
From: me at psmay.com (Peter S. May)
Date: Tue Nov 7 18:24:43 2006
Subject: Question abut use of --cipher-algo AES & --openpgp
In-Reply-To: <1162915475.4894.261.camel@sirius.brigham.net>
References: <0MKpyh-1GhAt80Ofz-00048g@mx.perfora.net> <1162915475.4894.261.camel@sirius.brigham.net>
Message-ID: <4550C1B6.80201@psmay.com>

Henry Hertz Hobbit wrote:
> Even if you do have an encrypted file that doesn't use these,
> is there anything wrong with the file command returning the
> answers given for the first six bytes of the file? I can't
> find any information that they are used for any other kind
> of file.

A trivial example: Your specified headers all take the form

8c 0d 04 XX ...

The first byte, 8c, or bin 10001100, represents an old-format packet, tag 3, length type 0 (one octet length). 0d is the length (13), 04 is the packet version (4), XX is the cipher algorithm, and the rest may vary. A 100% semantically identical packet could be formatted starting like this:

c3 ff 00 00 00 0d 04 XX ...

The point isn't that this is normal, but that it is _allowed_ and _could_ be normal in another implementation.

A related (and more real) problem with this heuristic check is that no part of the standard requires the tag-3 packet to be the first packet in the file.

Because of this, you really need to use a program that knows how to grok all of OpenPGP to do this sort of checking. It's really not that hard to design one after having read RFC 2440--I can think of a few ways I'd do it in Perl--but there's no point in writing a new program for checking the packets in a GnuPG-produced file when GnuPG already does the same thing.

My two more cents -- PSM

From me at psmay.com Tue Nov 7 18:45:18 2006
From: me at psmay.com (Peter S. May)
Date: Tue Nov 7 18:43:36 2006
Subject: Multiple Sym. Encrypted Packets
In-Reply-To:
References:
Message-ID: <4550C62E.8070809@psmay.com>

My thinking is that this isn't so much a problem with packet formats as general syntax. It sounds like you're trying to put two distinct OpenPGP messages into the same file.

The section "OpenPGP Messages" (10.3 in RFC2440-bis-18) in the spec defines the orders of packets that make sense. If you've taken a compiler design course or know how to use yacc/bison, it's straightforward to find that [PKESK][SED][PKESK][SED] and [PKESK][PKESK][SED][SED] are not syntactically valid.

If you want your stream to contain multiple OpenPGP messages, you'll have to figure out how to do it outside of OpenPGP proper.

Good fortune
PSM

Emlyn Jones wrote:
> Hello,
> I've written some code to generate an encrypted message which I can
> successfully decrypt using gpg. Currently the packet stream contains
> one Public-Key Encrypted Session Key Packet and one Symmetrically
> Encrypted Data Packet and works perfectly. However, I would like to
> set up the packet stream to contain multiple pairs of these packets.
> When I try it gpg fails to correctly read the packet immediately
> following the SED packet (it finds an invalid packet). Am I making
> sense?
> This works:
> [PKESK][SED]
> as does this:
> [PKESK] [PKESK][SED]
>
> This doesn't:
> [PKESK][SED][PKESK][SED] (fails reading the second PKESK)
>
> This will read the two PKESK packets and the first SED but not the final
> one:
> [PKESK][PKESK][SED][SED]
>
> I have two questions:
> i)Should this be possible?
> ii)Are there any tools (other than gpg -vvv) to help debug what gpg
> is finding in my packet stream?
> iii)I'm pretty confident the size of the SED packet is specified
> correctly but do I need to make sure that the SED packet size is a
> multiple of the algorithm's block size?
>
> Any pointers gratefully received.
> Thanks,
> Emlyn.

From wk at gnupg.org Tue Nov 7 18:47:56 2006
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 7 18:52:32 2006
Subject: Multiple Sym. Encrypted Packets
In-Reply-To: (Emlyn Jones's message of "Tue\, 7 Nov 2006 14\:50\:45 +0000")
References:
Message-ID: <87u01bkv1v.fsf@wheatstone.g10code.de>

On Tue, 7 Nov 2006 15:50, emlynj@gmail.com said:

> This doesn't:
> [PKESK][SED][PKESK][SED] (fails reading the second PKESK)

Right. This is because the semantics of two concatenated OpenPGP messages are not well defined.

> This will read the two PKESK packets and the first SED but not the final one:
> [PKESK][PKESK][SED][SED]

Indeed. GnuPG views this as [PKESK][PKESK][SED] and ignores the extra data at the end.

> i)Should this be possible?
> ii)Are there any tools (other than gpg -vvv) to help debug what gpg
> is finding in my packet stream?

Not really.

> iii)I'm pretty confident the size of the SED packet is specified
> correctly but do I need to make sure that the SED packet size is a
> multiple of the algorithm's block size?

PKESK = Public-Key Encrypted Session Key Packets (Tag 1)
SKESK = Symmetric-Key Encrypted Session Key Packets (Tag 3)
SED = Symmetrically Encrypted Data Packet (Tag 9 or 18)

Using just an SED is only allowed for PGP2 compatibility. It is better to use a random session key for the SED and encrypt that session key using a SKESK. Then you may use an arbitrary number and order of PKESK and SKESK:

[PKESK][SKESK][PKESK][PKESK][SKESK][SKESK][SED]

The actual content is encrypted in the SED and the other packets merely encrypt the random session used with the SED.

Shalom-Salam,

Werner

From z.himsel at gmail.com Wed Nov 8 04:31:53 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Nov 8 04:29:49 2006
Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard
Message-ID: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com>

I'm trying to make a shell script that would run in my that would read from the clipboard and encrypt/sign/decrypt/verify (probably have one script for each action, or pass an arg to the script to perform certain actions). How would I get gpg to read from the clipboard and then write the output back to that.

Note: I am using gpg-agent, so user input is not a problem.

--
Zach Himsel
OpenPGP Public Key: 0xD1093592
|_|0|_| ===========================
|_|_|0| () ASCII Ribbon Campaign: against
|0|0|0| /\ HTML mail & vCard signatures

From z.himsel at gmail.com Wed Nov 8 06:02:38 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Nov 8 06:01:04 2006
Subject: Fwd: Shell script to encrypt/decrypt/sign/verify from clibpoard
In-Reply-To: <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com>
References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com>
Message-ID: <8d5f78b30611072102l2c58e863v5c0258d76106db21@mail.gmail.com>

SORRY GUYS!! I forgot to hit "Reply-to-all" so it didn't send to the group, just to Adam Schreiber.

---------- Forwarded message ----------
From: Zach Himsel
Date: Nov 7, 2006 10:55 PM
Subject: Re: Shell script to encrypt/decrypt/sign/verify from clibpoard
To: Adam Schreiber

On 11/7/06, Adam Schreiber wrote:
> If you're using the GNOME Desktop, Seahorse includes a panel applet
> that does exactly that.
> http://gnome.org/projects/seahorse
>
> Adam Schreiber
>

I'm using KDE, sorry. But I do actually use KGPG, which is (I'm guessing) the KDE equivalent of Seahorse.
That is what I currently use to encrypt/sign/... my clipboard. But I have to go through 20 million steps in order to do that (copy input, click KGPG's Kicker icon, paste the input into KGPG's editor, click encrypt/sign/..., choose the key to encrypt it to (or my secret key for signing), copy the output to the clipboard, close the editor, paste the output to wherever I needed it). It becomes a pain in the ass to do *all the time*. I wanted to make a script to do all that in three steps (copy input, run script, paste output).

I realized that KDE's clipboard program, Klipper, supports "actions". I.e. if it receives a clipboard entry beginning with a particular reg-exp, it will execute a certain action, or something like that. I'm not sure, but I'm investigating it.

--
Zach Himsel
OpenPGP Public Key: 0xD1093592
|_|0|_| ===========================
|_|_|0| () ASCII Ribbon Campaign: against
|0|0|0| /\ HTML mail & vCard signatures

--
Zach Himsel
OpenPGP Public Key: 0xD1093592
|_|0|_| ===========================
|_|_|0| () ASCII Ribbon Campaign: against
|0|0|0| /\ HTML mail & vCard signatures

From z.himsel at gmail.com Wed Nov 8 06:19:35 2006
From: z.himsel at gmail.com (Zach Himsel)
Date: Wed Nov 8 06:17:52 2006
Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard
In-Reply-To:
<8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com>
References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com> <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com>
Message-ID: <8d5f78b30611072119x1b10bdfdi16803b8b3ada2c1f@mail.gmail.com>

On 11/7/06, Adam Schreiber wrote:
> That does sound complicated.

It is... and it gets worse after *every* email I encrypt (which is quite a few) :-)

> If you're in a programming mood, it might be interesting to see a QT
> implementation of Seahorse's libcryptui. Our DBus interface can be
> used in a desktop agnostic fashion.

I'm *always* in a programming mood! :) But unfortunately, I don't know QT. Right now, I'll get by. I think there was a program I heard about somewhere that enabled the clipboard to be read from the console.

OR.... Google could always code some kind of GnuPG encryption feature in their Gmail UI (which I am waiting for, and have suggested it to them many times).
I know about Freenigma, but it is too "proprietary"/one-sided (it doesn't let you import your keyrings, and it locks your account with a custom created key)

--
Zach Himsel
OpenPGP Public Key: 0xD1093592
|_|0|_| ===========================
|_|_|0| () ASCII Ribbon Campaign: against
|0|0|0| /\ HTML mail & vCard signatures

From brunij at earthlink.net Wed Nov 8 16:41:27 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Wed Nov 8 16:40:11 2006
Subject: keyserver
In-Reply-To: <20061107140159.GC5584@jabberwocky.com>
References: <2157265.1162833247825.JavaMail.root@elwamui-rubis.atl.sa.earthlink.net> <20061106201451.GB5029@jabberwocky.com> <20061107140159.GC5584@jabberwocky.com>
Message-ID: <28AC24D2-7D61-457B-803B-44D0AF2C2C82@earthlink.net>

On Nov 7, 2006, at 7:01 AM, David Shaw wrote:

> Personally, I think that LDAP is better for key populations that have
> a distinct boundary: a company, for example. In a company, key
> merging isn't really that useful or desirable, as generally there
> isn't much back-and-forth key signing. Rather, the company signs each
> key with the authoritative company key.
>
> Since you already have a running LDAP setup, it seems like an obvious
> solution to use it rather than have to maintain a whole second server
> (with backups, etc).
>
> LDAP has another side benefit if you choose to make it visible outside
> the company: people who use PGP will automatically find keys for your
> employees and encrypt their mail. When encrypting to
> user@example.com, PGP universal looks for ldap://keys.example.com and
> asks it for the user@example.com key. Put "auto-key-locate ldap" in
> your gpg.conf, and GnuPG will do the same.

I was able to get my LDAP server to work as a keyserver using the information found in the articles from earlier this year on this list but a few changes needed to be made to the layout and to the ACL. If I write up a how-to, would you be interested in hosting the page on the gnupg web site?

I was thinking: OpenLDAP supports external modules. Perhaps an approach to supporting signature merging in LDAP would be to write a module that could perform this activity. Just a thought. That might be taking the LDAP server beyond what an LDAP server should be though...

Joe

From adam.schreiber at gmail.com Wed Nov 8 05:49:58 2006
From: adam.schreiber at gmail.com (Adam Schreiber)
Date: Thu Nov 9 17:19:03 2006
Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard
In-Reply-To: <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com>
References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com> <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com> <8d5f78b30611071955o1b16ddcapb55e4f8ac1493b5d@mail.gmail.com>
Message-ID: <8298be230611072049l3fe8a08fxb2ecb3da4305ed86@mail.gmail.com>

On 11/7/06, Zach Himsel wrote:
> On 11/7/06, Adam Schreiber wrote:
> > If you're using the GNOME Desktop, Seahorse includes a panel applet
> > that does exactly that.
> > http://gnome.org/projects/seahorse
> >
> I'm using KDE, sorry. But I do actually use KGPG, which is (I'm
> guessing) the KDE equivalent of Seahorse. That is what I currently use
> to encrypt/sign/... my clipboard. But I have to go through 20 million
> steps in order to do that (copy input, click KGPG's Kicker icon, paste
> the input into KGPG's editor, click encrypt/sign/..., choose the key
> to encrypt it to (or my secret key for signing), copy the output to
> the clipboard, close the editor, paste the output to wherever I needed
> it). It becomes a pain in the ass to do *all the time*. I wanted to
> make a script to do all that in three steps (copy input, run script,
> paste output).

That does sound complicated.
The applet I wrote simply takes the clipboard, acts upon it and then places the result back in the clipboard used either ctrl-v or middle click.

If you're in a programming mood, it might be interesting to see a QT implementation of Seahorse's libcryptui. Our DBus interface can be used in a desktop agnostic fashion.

Cheers,

Adam

From adam.schreiber at gmail.com Wed Nov 8 04:45:54 2006
From: adam.schreiber at gmail.com (Adam Schreiber)
Date: Thu Nov 9 17:19:11 2006
Subject: Shell script to encrypt/decrypt/sign/verify from clibpoard
In-Reply-To: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com>
References: <8d5f78b30611071931i535adb3x60d55ae592459208@mail.gmail.com>
Message-ID: <8298be230611071945q11b50073ke8346d2b24bd76fb@mail.gmail.com>

On 11/7/06, Zach Himsel wrote:
> I'm trying to make a shell script that would run in my that
> would read from the clipboard and encrypt/sign/decrypt/verify
> (probably have one script for each action, or pass an arg to the
> script to perform certain actions). How would I get gpg to read from
> the clipboard and then write the output back to that.

If you're using the GNOME Desktop, Seahorse includes a panel applet that does exactly that.
http://gnome.org/projects/seahorse

Adam Schreiber

From yahya_alameddine at yahoo.com Thu Nov 9 02:05:32 2006
From: yahya_alameddine at yahoo.com (Yahya Alameddine)
Date: Thu Nov 9 17:19:16 2006
Subject: Gnupg Integrity check
Message-ID: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com>

Hello Guys

I am a new user to Gnupg and i am having problems checking the integrity of the thunderbird Enigmail extension "enigmail-0.94.1.2-tb15-win+lin+mac.xpi"

I have placed both the enigmail file (.xpi) and its signature file (.asc) provided by the official site in the same folder and i have used the following command:

"gpg --verify enigmail-0.94.1.2-tb15-win+lin+mac.xpi.asc "

It is returning the following result:

gpg: Signature made 11/06/06 10:43:05 using DSA key ID 9369CDF3
gpg: Can't check signature: public key not found

KNOWING THAT: I have placed the public key that i have copied from the site in the same folder under multiple names:

1-pubring.gpg
2-enigmail-0.94.1.2-tb15-win+lin+mac.xpi.gpg
3-pubring.asc

The integrity check gave me the finger, i have searched everywhere for an answer but it is the same unclear answers.

Please help

Thank you guys

From brunij at earthlink.net Thu Nov 9 17:51:18 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Thu Nov 9 17:49:09 2006
Subject: Gnupg Integrity check
In-Reply-To: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com>
References: <20061109010532.22310.qmail@web56310.mail.re3.yahoo.com>
Message-ID:

You need to import the key in order for gpg to use it. Use the "gpg --import" command. You will then need to sign the key so that gpg considers it "valid" using the "--sign-key" command or using the "sign" sub-command from inside the "--edit-key" menu.

On Nov 8, 2006, at 6:05 PM, Yahya Alameddine wrote:

> KNOWING THAT: I have placed the public key that i have copied from
> the site in the same folder under
>
> multiple names:
>
> 1-pubring.gpg
> 2-enigmail-0.94.1.2-tb15-win+lin+mac.xpi.gpg
> 3-pubring.asc
>
> The integrity check gave me the finger, i have searched everywhere
> for an answer but it is the same unclear answers.

From dmdm00 at yahoo.com Thu Nov 9 19:06:17 2006
From: dmdm00 at yahoo.com (axel muller)
Date: Thu Nov 9 20:25:04 2006
Subject: --edit-key command
Message-ID: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com>

what is the command in the edit-key section to add a missing uid to a key

for example i have been asked in this way:

Need add uid of send@... only has uid of config@...

a) so how to add uid of send?

Also would be nice for some unique shortname (8 characters or less)

at the moment my key has a 12 character name

b) how to change to a unique shortname of say "pelt"?

many thanks

From brunij at earthlink.net Thu Nov 9 20:33:02 2006
From: brunij at earthlink.net (Joseph Oreste Bruni)
Date: Thu Nov 9 20:30:55 2006
Subject: --edit-key command
In-Reply-To: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com>
References: <20061109180617.18657.qmail@web55408.mail.re4.yahoo.com>
Message-ID: <547ED771-2FC7-4233-ACD3-53A1036F0DD5@earthlink.net>

Typing "help" at the --edit-key prompt will display a list and explanation of the various commands available. In this case, the "adduid" command would be used.

Joe

On Nov 9, 2006, at 11:06 AM, axel