From vedaal at hush.com Thu Feb 1 17:30:50 2007 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 01 Feb 2007 11:30:50 -0500 Subject: explain nrsign & lsign? Message-ID: <20070201163148.3B39422840@mailserver9.hushmail.com> David Shaw dshaw at jabberwocky.com Wed Jan 31 22:19:33 CET 2007 wrote: > Indeed. It is also possible that the keyservers aren't being targeted >specifically as keyservers, but rather that people have links to >keyserver searches out there, and the spammers are just using a >crawler that happens to follow that link. fwiw, i have two e-mail addresses in my 'real name' (one at hushmail, and one at a private address) and have a key on the pgp global keyserver with the primary address as the private address, and the hushmail address as a secondary id, and have sent it to gpg keyservers as well have not received _any_ spam in the more than 2 years that the key has been uploaded, maybe because those e-mail addresses are not part of any mailing lists, are not on any webpages or usenet posts, and are used only for formal work-related correspondence, in contrast, have tons of spam at the vedaal address ;-( vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From randy at randyburns.us Thu Feb 1 18:43:52 2007 From: randy at randyburns.us (Randy Burns) Date: Thu, 1 Feb 2007 09:43:52 -0800 (PST) Subject: explain nrsign & lsign? In-Reply-To: <20070131211933.GD27765@jabberwocky.com> Message-ID: <17568.57261.qm@web50906.mail.yahoo.com> --- David Shaw wrote: > On Mon, Jan 29, 2007 at 05:20:20PM +0100, Werner Koch wrote: > > On Mon, 29 Jan 2007 16:22, dshaw at jabberwocky.com said: > > > > > etc. Nowadays, many spammers aren't using their own bandwidth or > CPU. > > > So why *not* hit the keyservers? It costs them essentially nothing. > > > > OTOH, addresses taken from the addressbook as available on the host > > (== zombie Windows PC) are much more effective than harvesting the web > > or kyeservers. These local addresses are more certain to actually be > > used and even better: the recipient of the spam knows the sender. > > Indeed. It is also possible that the keyservers aren't being targeted > specifically as keyservers, but rather that people have links to > keyserver searches out there, and the spammers are just using a > crawler that happens to follow that link. Some keyservers don't > obfuscate their search results. > > David > Something to think about when organizing a keysigning too. Avoid putting a participant list on a webpage. Just a keyring maybe. Randy From wk at gnupg.org Thu Feb 1 20:14:20 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 01 Feb 2007 20:14:20 +0100 Subject: New command line language parameter In-Reply-To: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> (Juan =?utf-8?Q?Marug=C3=A1n's?= message of "Tue\, 30 Jan 2007 10\:52\:26 +0100") References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> Message-ID: <87ps8tu1v7.fsf@wheatstone.g10code.de> On Tue, 30 Jan 2007 10:52, jmarugan at alumnos.upm.es said: > ---Begining of .bat file ---------------------------------- > @echo off > cls > echo Verifying... > %1\gpg.exe --homedir %2 --langfile %1\gnupg.nls\es.mo --verify %3 > ---End of .bat file --------------------------------------- You may already use ---Begining of .bat file ---------------------------------- @echo off cls echo Verifying... set LANG=%1 gpg.exe --homedir %2 --verify %3 ---End of .bat file --------------------------------------- If you just care about the language. For Spanish es_ES should be the right argument. I have not looked at the other isues but setting --homedir should be enough to go without the defaults from the registry. Shalom-Salam, Werner From schneecrash+gnupg-users at gmail.com Thu Feb 1 20:23:58 2007 From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users) Date: Thu, 1 Feb 2007 11:23:58 -0800 Subject: 'sensitive' designated revoker -- are the keyservers still aware? Message-ID: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com> if i've added a designated revoker to a key, WITH the 'sensitive' flag. am i correct that: (1) the 'sensitive' flag prevents the *export* of the add'l/designated revoker's key (2) the keyservers still learn/know that there IS a designated revoker, AND its KeyID/UID ? thanks. From dshaw at jabberwocky.com Thu Feb 1 21:04:27 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 1 Feb 2007 15:04:27 -0500 Subject: 'sensitive' designated revoker -- are the keyservers still aware? In-Reply-To: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com> References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com> Message-ID: <20070201200427.GC23780@jabberwocky.com> On Thu, Feb 01, 2007 at 11:23:58AM -0800, snowcrash+gnupg-users wrote: > if i've added a designated revoker to a key, WITH the 'sensitive' flag. > > am i correct that: > > (1) the 'sensitive' flag prevents the *export* of the add'l/designated > revoker's key > (2) the keyservers still learn/know that there IS a designated > revoker, AND its KeyID/UID Not exactly. When exporting a key that has a sensitive designated revoker set, the key is exported, but the designated revoker information is not included. Anyone looking at the key from the outside cannot tell the difference between this state, and no designated revoker set at all. However, if the designated revoker has in fact revoked the key, then the designated revoker information IS included, along with the revocation. The idea behind this is that the relationship between the designated revoker and the key owner is sensitive, and so we must not reveal the identity designated revoker until we absolutely must (i.e. when they actually revoke the key). Note that there is an option "export-sensitive-revkeys" which tells GPG to export the designated revoker information even if the key isn't revoked. This essentially pretends that the "sensitive" flag is not set. Under normal circumstances, you don't want to do this. David From schneecrash+gnupg-users at gmail.com Thu Feb 1 21:12:14 2007 From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users) Date: Thu, 1 Feb 2007 12:12:14 -0800 Subject: 'sensitive' designated revoker -- are the keyservers still aware? In-Reply-To: <20070201200427.GC23780@jabberwocky.com> References: <70f41ba20702011123h761d919bk1cd07773f0752dae@mail.gmail.com> <20070201200427.GC23780@jabberwocky.com> Message-ID: <70f41ba20702011212r5d05e880uab9c48edea46ec44@mail.gmail.com> > When exporting a key that has a sensitive designated > revoker set, the key is exported, but the designated revoker > information is not included. Anyone looking at the key from the > outside cannot tell the difference between this state, and no > designated revoker set at all. However, if the designated revoker has > in fact revoked the key, then the designated revoker information IS > included, along with the revocation. > > The idea behind this is that the relationship between the designated > revoker and the key owner is sensitive, and so we must not reveal the > identity designated revoker until we absolutely must (i.e. when they > actually revoke the key). that, actually, is what i was hoping to hear/learn. :-) thanks for the clarification! From vedaal at hush.com Thu Feb 1 21:21:02 2007 From: vedaal at hush.com (vedaal at hush.com) Date: Thu, 01 Feb 2007 15:21:02 -0500 Subject: 'sensitive' designated revoker -- are the keyservers still aware? Message-ID: <20070201202103.453D2DA834@mailserver7.hushmail.com> David Shaw dshaw at jabberwocky.com wrote on Thu Feb 1 21:04:27 CET 2007 >The idea behind this is that the relationship >between the designated revoker and the key owner is sensitive, > and so we must not reveal the identity designated revoker >until we absolutely must >(i.e. when they actually revoke the key). why must the identity be revealed at all, if the key-owner who designated the revoker doesn't want it to be? it doesn't add to the security to know who revoked it, (whoever it as, it was someone the 'key-owner' decided it should be) it only compromises the revoker and/or key owner, as the revoker may become a target to revoke the original key-owner's replacement key (n.b. not a big deal, just curious as to why it was done this way there is a very simple workaround for anyone uncomfortable with it: the designated revoker doesn't have to be a 'person', it just has to be another 'key' which can have a fictitious name, and given to the person who is trusted to do the revoking when necessary) vedaal Concerned about your privacy? Instantly send FREE secure email, no account required http://www.hushmail.com/send?l=480 Get the best prices on SSL certificates from Hushmail https://www.hushssl.com?l=485 From dshaw at jabberwocky.com Thu Feb 1 21:37:25 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 1 Feb 2007 15:37:25 -0500 Subject: 'sensitive' designated revoker -- are the keyservers still aware? In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com> References: <20070201202103.453D2DA834@mailserver7.hushmail.com> Message-ID: <20070201203725.GD23780@jabberwocky.com> On Thu, Feb 01, 2007 at 03:21:02PM -0500, vedaal at hush.com wrote: > David Shaw dshaw at jabberwocky.com wrote on > Thu Feb 1 21:04:27 CET 2007 > > >The idea behind this is that the relationship > >between the designated revoker and the key owner is sensitive, > > and so we must not reveal the identity designated revoker > >until we absolutely must > >(i.e. when they actually revoke the key). > > > why must the identity be revealed at all, > if the key-owner who designated the revoker doesn't want it to be? Any anonymous revoker could not do their job as we wouldn't know whether to ignore the revocation or not. For example, say you designated me as your revoker. If my identity is kept secret, even after I issued a revocation, how could someone coming across that revocation know that they should accept it? David From dshaw at jabberwocky.com Thu Feb 1 22:39:34 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 1 Feb 2007 16:39:34 -0500 Subject: explain nrsign & lsign? In-Reply-To: <17568.57261.qm@web50906.mail.yahoo.com> References: <20070131211933.GD27765@jabberwocky.com> <17568.57261.qm@web50906.mail.yahoo.com> Message-ID: <20070201213934.GE23780@jabberwocky.com> On Thu, Feb 01, 2007 at 09:43:52AM -0800, Randy Burns wrote: > > > OTOH, addresses taken from the addressbook as available on the host > > > (== zombie Windows PC) are much more effective than harvesting the web > > > or kyeservers. These local addresses are more certain to actually be > > > used and even better: the recipient of the spam knows the sender. > > > > Indeed. It is also possible that the keyservers aren't being targeted > > specifically as keyservers, but rather that people have links to > > keyserver searches out there, and the spammers are just using a > > crawler that happens to follow that link. Some keyservers don't > > obfuscate their search results. > > Something to think about when organizing a keysigning too. Avoid putting a > participant list on a webpage. Just a keyring maybe. Good point. I like the service that biglumber provides for keysignings. It nicely automates a lot of the bookkeeping, tracks the participant list, etc. It also makes the information spam-unfriendly. David From atom at smasher.org Thu Feb 1 23:14:22 2007 From: atom at smasher.org (Atom Smasher) Date: Thu, 1 Feb 2007 17:14:22 -0500 (EST) Subject: 'sensitive' designated revoker -- are the keyservers still aware? In-Reply-To: <20070201202103.453D2DA834@mailserver7.hushmail.com> References: <20070201202103.453D2DA834@mailserver7.hushmail.com> Message-ID: <20070201221423.96884.qmail@smasher.org> On Thu, 1 Feb 2007, vedaal at hush.com wrote: > why must the identity be revealed at all, if the key-owner who > designated the revoker doesn't want it to be? > > it doesn't add to the security to know who revoked it, (whoever it as, > it was someone the 'key-owner' decided it should be) it only compromises > the revoker and/or key owner, as the revoker may become a target to > revoke the original key-owner's replacement key ============================ if that's a concern... bob wants to designate alice as a revoker, but bob [or alice] doesn't want to reveal that alice is the desiganted revoker, even if his key is revoked. the solution is for bob to generate a revocation certificate, encrypt it to alice, and send it to alice with instructions about if/when to publish it. this basically serves the same purpose, but doesn't necessarily reveal that alice was the designated revoker. a variation could break the revocation certificate into shares, requiring any number of "secret revokers" to assemble the revocation certificate. -- ...atom ________________________ http://atom.smasher.org/ 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "They tell us that we live in a great free republic; that our institutions are democratic; that we are a free and self-governing people. That is too much, even for a joke. Wars throughout history have been waged for conquest and plunder. And that is war in a nutshell. The master class has always declared the wars; the subject class has always fought the battles." -- Eugene V. Debs, 1918 From wk at gnupg.org Fri Feb 2 10:14:16 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 02 Feb 2007 10:14:16 +0100 Subject: [Announce] Libgcrypt 1.2.4 released Message-ID: <87wt30syzb.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of Libgcrypt 1.2.4. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on the code used in GnuPG. This is a bug fix release solving a few minor issues. There are no new features. If you experience problems with an application using libgcrypt, you might want to update to this version. Noteworthy changes are: * Fixed a bug in the memory allocator which could have been the reason for some non-duplicable bugs. * Other minor bug fixes. Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source files and there digital signatures are: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2 (781k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.bz2.sig These files are bzip2 compressed. If you can't use the bunzip2 tool, gzip compressed versions of the files are also available: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz (990k) ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz.sig As an alternative a patch against version 1.2.3 is available as: ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.3-1.2.4.diff.bz2 (87k) SHA-1 checksums are: c72406c69d6ad9fb3fa1e9824b04566cf204093b libgcrypt-1.2.4.tar.bz2 d279e7a4464cccf0cc4e29c374a1e8325fc65b9a libgcrypt-1.2.4.tar.gz d4f5525fa26e92ade2914c6581435171f8b4fc44 libgcrypt-1.2.3-1.2.4.diff.bz2 For help on installing or developing with Libgcrypt you should send mail to the grcypt-devel mailing list. For details see http://www.gnupg.org/documentation/mailing-lists.html . Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [1], or by donating money. Commercial support contracts for Libgcrypt are available [2], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by gpg's principal author, is currently funding Libgcrypt development. We are always looking for interesting development projects. Happy hacking, Werner [1] As a GNU project copyright assignments to the FSF are required. [2] See the service directory at http://www.gnupg.org/service.html . -- Werner Koch The GnuPG Experts http://g10code.com Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20070202/6194bdae/attachment.pgp -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From wk at gnupg.org Fri Feb 2 10:36:55 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 02 Feb 2007 10:36:55 +0100 Subject: [Announce] GnuPG 2.0.2 released Message-ID: <87sldosxxk.fsf@wheatstone.g10code.de> Hello! We are pleased to announce the availability of a new stable GnuPG-2 release: Version 2.0.2 This is maintenance release to fix build problems found after the release of 2.0.1. There are also some minor enhancements. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help authenticating using Secure Shell and to provide a framework for public key cryptography. It includes an advanced key management facility and is compliant with the OpenPGP and S/MIME standards. GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.6) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support. GnuPG is distributed under the terms of the GNU General Public License (GPL). GnuPG-2 works best on GNU/Linux or *BSD systems. Getting the Software ==================== Please follow the instructions found at http://www.gnupg.org/download/ or read on: GnuPG 2.0.2 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at http://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On the mirrors you should find the following files in the *gnupg* directory: gnupg-2.0.2.tar.bz2 (3.8M) gnupg-2.0.2.tar.bz2.sig GnuPG source compressed using BZIP2 and OpenPGP signature. gnupg-2.0.1-2.0.2.diff.bz2 (53k) A patch file to upgrade a 2.0.1 GnuPG source. Note, that we don't distribute gzip compressed tarballs. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-2.0.2.tar.bz2 you would use this command: gpg --verify gnupg-2.0.2.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com or using a keyserver like gpg --recv-key 1CE0C630 The distribution key 1CE0C630 is signed by the well known key 5B0358A2. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-2.0.2.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-2.0.2.tar.bz2 and check that the output matches the first line from the following list: 1a3165c5b601f3244b8885143d02bea4210495e3 gnupg-2.0.2.tar.bz2 1d42f46ae2c0d00b56be34bcd95fff51b77163a6 gnupg-2.0.1-2.0.2.diff.bz2 What's New =========== * Fixed a serious and exploitable bug in processing encrypted packages. [CVE-2006-6235]. Note, that a patch was distributed along with the first report of that bug. * Added --passphrase-repeat to set the number of times GPG will prompt for a new passphrase to be repeated. This is useful to help memorize a new passphrase. The default is 1 repetition. * Using a PIN pad does now also work for the signing key. * A warning is displayed by gpg-agent if a new passphrase is too short. New option --min-passphrase-len defaults to 8. * The status code BEGIN_SIGNING now shows the used hash algorithms. Internationalization ==================== GnuPG comes with support for 27 languages. Due to a lot of new and changed strings most translations are not entirely complete. The Swedish, Turkish, German and Russian translations should be complete. Documentation ============= We are currently working on an installation guide to explain in more detail how to configure the new features. As of now the chapters on gpg-agent and gpgsm include brief information on how to set up the whole thing. Please watch the GnuPG website for updates of the documentation. In the meantime you may search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advise on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available. KDE's KMail is the most prominent user of GnuPG. In fact it has been developed along with the Kmail folks. Mutt users might want to use the configure option "--enable-gpgme" and "set use_crypt_gpgme" in ~/.muttrc to make use of GnuPG-2 to enable S/MIME in addition to a reworked OpenPGP support. Support ======= Improving GnuPG is costly, but you can help! We are looking for organizations that find GnuPG useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or by donating money. Commercial support contracts for GnuPG are available, and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company owned and headed by GnuPG's principal author, is currently funding GnuPG development. We are always looking for interesting development projects. A service directory is available at: http://www.gnupg.org/service.html Thanks ====== We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word or answering questions on the mailing lists. Happy Hacking, The GnuPG Team (David, Marcus, Werner and all other contributors) -- Werner Koch The GnuPG Experts http://g10code.com Join the Fellowship and protect your Freedom! http://www.fsfe.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20070202/8925fbd8/attachment-0001.pgp -------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From r.post at sara.nl Fri Feb 2 11:15:00 2007 From: r.post at sara.nl (Remco Post) Date: Fri, 02 Feb 2007 11:15:00 +0100 Subject: smartcard and ssh Message-ID: <45C30F24.2030708@sara.nl> Hi All, just recently I've installed ubuntu 6.10 on my desktop. This comes with gpg-agent 1.9.21. I've set the agent with ssh support, and it quite nicely manages my ssh dsa key, but for some reason ssh-add -l does not show my smartcard rsa key while gpg --card-status does work (as does signing e-mail with my smartcard). Anybody any hint on what might be wrong? -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From wk at gnupg.org Fri Feb 2 13:23:40 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 02 Feb 2007 13:23:40 +0100 Subject: smartcard and ssh In-Reply-To: <45C30F24.2030708@sara.nl> (Remco Post's message of "Fri\, 02 Feb 2007 11\:15\:00 +0100") References: <45C30F24.2030708@sara.nl> Message-ID: <87k5z0px2r.fsf@wheatstone.g10code.de> On Fri, 2 Feb 2007 11:15, r.post at sara.nl said: > I've set the agent with ssh support, and it quite nicely manages my ssh > dsa key, but for some reason ssh-add -l does not show my smartcard rsa > key while gpg --card-status does work (as does signing e-mail with my > smartcard). Do you have scdaemon installed? If so, you should put verbose debug 1024 debug 2048 log-file /home/foo/scdaemon.log into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make sure that it really got killed. Then do an "ssh-add -l" again and watch the log file. Note, that gpg-agent starts scdaemon and restarts it if has crashed. Shalom-Salam, Werner From shavital at mac.com Fri Feb 2 13:33:29 2007 From: shavital at mac.com (Charly Avital) Date: Fri, 02 Feb 2007 07:33:29 -0500 Subject: [Announce] GnuPG 2.0.2 released In-Reply-To: <87sldosxxk.fsf@wheatstone.g10code.de> References: <87sldosxxk.fsf@wheatstone.g10code.de> Message-ID: <45C32F99.5090408@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote the following on 2/2/07 4:36 AM: | Hello! | | We are pleased to announce the availability of a new stable GnuPG-2 | release: Version 2.0.2 [...] | Thanks | ====== | | We have to thank all the people who helped with this release, be it | testing, coding, translating, suggesting, auditing, administering the | servers, spreading the word or answering questions on the mailing | lists. | | | Happy Hacking, | | The GnuPG Team (David, Marcus, Werner and all other contributors) GnuPG v2.0.2 has been configured as follows: ~ Platform: Darwin (powerpc-apple-darwin8.8.0) ~ OpenPGP: yes ~ S/MIME: yes ~ Agent: yes ~ Smartcard: yes ~ Protect tool: (default) ~ Default agent: (default) ~ Default pinentry: (default) ~ Default scdaemon: (default) ~ Default dirmngr: (default) ~ PKITS based tests: no All seems to be working fine. Shall try later (much later) for Mac Inter Core Duo. Thank you David, Marcus, Werner, all other contributors and Ben Donnachie. Charly KeyOnCard at: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRcMvayRJoUyU/RYhAQJqBwP5AYLO5bufqRhkCALlRAu3LMQ8bYrYUpRl pxM7SPzEeONGPpgzP1nxXmteANifPiivqYAogF0tjPa8loDM8MsNDiacj/KoEYIn Jflh4/JerRpUc3tJU6lev+hiLaYzQYKVI/yCo0PzUf5faosKO17AraHsIj+yejLo +ZSYOOsmHtU= =z0Ll -----END PGP SIGNATURE----- From r.post at sara.nl Fri Feb 2 14:00:23 2007 From: r.post at sara.nl (Remco Post) Date: Fri, 02 Feb 2007 14:00:23 +0100 Subject: smartcard and ssh In-Reply-To: <87k5z0px2r.fsf@wheatstone.g10code.de> References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> Message-ID: <45C335E7.8060102@sara.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Fri, 2 Feb 2007 11:15, r.post at sara.nl said: > >> I've set the agent with ssh support, and it quite nicely manages my ssh >> dsa key, but for some reason ssh-add -l does not show my smartcard rsa >> key while gpg --card-status does work (as does signing e-mail with my >> smartcard). > > Do you have scdaemon installed? If so, you should put > mope, I didn't. I tried installing it (as part of the gpgsm package) but the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :( > verbose > debug 1024 > debug 2048 > log-file /home/foo/scdaemon.log > > into the ~/.gnupg/scdaemon.conf and kill the scdaemon process. Make > sure that it really got killed. Then do an "ssh-add -l" again and > watch the log file. > The log-file: 2007-02-02 13:41:20 scdaemon[5733] can't run PC/SC access module `/usr/lib/gnupg/pcsc-wrapper': No such file or directory scdaemon[5733.0x8096340] DBG: -> ERR 100663404 Card error scdaemon[5733.0x8096340] DBG: <- RESTART scdaemon[5733.0x8096340] DBG: -> OK > Note, that gpg-agent starts scdaemon and restarts it if has crashed. > > > > Shalom-Salam, > > Werner > - -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRcM14irZkcVehrp5AQK+4wP/du5tH3w55xUIvpBirr4HbbAw3XWPUTgx Ni5zwYqM1NEr5G9E+Dx81VaNXSiqcabtaZC9sG9iuqUCqGMA8t2N3jv9m4TZ/avi fCWdTuB4RH1QEfgYKZdKzNDpmmInlAuai8/2CVone5mdz1t9G5vpc2uMb28NRwTS PgBg5Oysf9I= =aYNG -----END PGP SIGNATURE----- From sravan at atc.tcs.com Fri Feb 2 13:33:11 2007 From: sravan at atc.tcs.com (Sravan) Date: Fri, 02 Feb 2007 18:03:11 +0530 Subject: doubt in clear text signing Message-ID: <45C32F87.8020403@atc.tcs.com> Dear All, I have a question related to clear signing. As per the standard(rfc 2440), a signature of type 'Canonical text document' should be generated after removing any trailing spaces and making the line endings as '\r \n'. Is this the case with clear text signatures generated by gpg? Also, when i generate a signature(actually, i am signing and encrypting) for some data that doesn't contain a newline at the end, gpg inserts one at the end. Will this last new line considered a part of the signed data? Regards, Sravan From wk at gnupg.org Fri Feb 2 14:51:02 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 02 Feb 2007 14:51:02 +0100 Subject: doubt in clear text signing In-Reply-To: <45C32F87.8020403@atc.tcs.com> (sravan@atc.tcs.com's message of "Fri\, 02 Feb 2007 18\:03\:11 +0530") References: <45C32F87.8020403@atc.tcs.com> Message-ID: <8764akoegp.fsf@wheatstone.g10code.de> On Fri, 2 Feb 2007 13:33, sravan at atc.tcs.com said: > I have a question related to clear signing. As per the standard(rfc > 2440), a signature of type 'Canonical text document' should be generated > after removing any trailing spaces and making the line endings as '\r > \n'. Is this the case with clear text signatures generated by gpg? Yes, we don't include trailing ASCII spaces, tabs, CR and the LF when calculating the hast of a clear signed message. The constant string of a CR and a LF is then hashed. Note, that this is different from regular signatures created in textmode - the story behind them is more complicate. > Also, when i generate a signature(actually, i am signing and encrypting) > for some data that doesn't contain a newline at the end, gpg inserts one > at the end. > Will this last new line considered a part of the signed data? No the last line feed is not part of the signature. See the code in g10/textfilter.c. To avoid interpretation problems gpg always ends alinefeed to a message which does not end in one. A clear signed message is intended for human consumption and should not be used if you need to be sure that the verbatim text gets signed. Salam-Shalom, Werner From wk at gnupg.org Fri Feb 2 21:44:38 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 02 Feb 2007 21:44:38 +0100 Subject: smartcard and ssh In-Reply-To: <45C335E7.8060102@sara.nl> (Remco Post's message of "Fri\, 02 Feb 2007 14\:00\:23 +0100") References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> Message-ID: <87veikjnm1.fsf@wheatstone.g10code.de> On Fri, 2 Feb 2007 14:00, r.post at sara.nl said: > mope, I didn't. I tried installing it (as part of the gpgsm package) but > the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :( If you have an USB reader, try using the internal ccid-driver. You need to stop the pcscd first. You may test it with the plain gpg - it will also use the ccid-driver (--debug-ccid-driver helps to detect problems). Make sure that the usbfs is loaded and that the permissions are correct . The smart card howto at www.gnupg.org should be helpful. Shalom-Salam, Werner From alon.barlev at gmail.com Fri Feb 2 22:54:52 2007 From: alon.barlev at gmail.com (Alon Bar-Lev) Date: Fri, 2 Feb 2007 23:54:52 +0200 Subject: smartcard and ssh In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de> References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> Message-ID: <9e0cf0bf0702021354j3afb4ba3x1b41a35ad9824833@mail.gmail.com> On 2/2/07, Werner Koch wrote: > On Fri, 2 Feb 2007 14:00, r.post at sara.nl said: > > > mope, I didn't. I tried installing it (as part of the gpgsm package) but > > the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :( > > If you have an USB reader, try using the internal ccid-driver. You > need to stop the pcscd first. You may test it with the plain gpg - it > will also use the ccid-driver (--debug-ccid-driver helps to detect > problems). Make sure that the usbfs is loaded and that the > permissions are correct . The smart card howto at www.gnupg.org > should be helpful. Or if your smartcard supports PKCS#11 interface you can use the gnupg-pkcs11-scd from http://gnupg-pkcs11.sourceforge.net and OpenSSH PKCS#11 from http://alon.barlev.googlepages.com/openssh-pkcs11, this way you can use your smartcard with many application at the same time without stopping any interface or making the card locked by one of them. Best Regards, Alon Bar-Lev. From marcus.brinkmann at ruhr-uni-bochum.de Sat Feb 3 16:42:40 2007 From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: Sat, 03 Feb 2007 16:42:40 +0100 Subject: [Announce] GPGME 1.1.3 released Message-ID: <878xff5jtb.wl%marcus.brinkmann@ruhr-uni-bochum.de> Hi, We are pleased to announce version 1.1.3 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 897 KB/690 KB compressed) ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2 The following files are also available: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.3.tar.bz2.sig ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.1.2-1.1.3.diff.gz It should soon appear on the mirrors listed at: http://www.gnupg.org/mirrors.html Bug reports and requests for assistance should be sent to: gnupg-devel at gnupg.org The sha1sum checksums for this distibution are bf88701162d09a1bfacf72594fc32f374144158c gpgme-1.1.2-1.1.3.diff.gz e416854cb41a2e8b92a148ed17d2f2b97eeeba4a gpgme-1.1.3.tar.bz2 c41ca6df0b32281135ed95623dd5f8c0789b5671 gpgme-1.1.3.tar.bz2.sig 98ed8563da4870e3dd2d922e96983bf6a3e7cfb1 gpgme-1.1.3.tar.gz 303f46a7dfcf3581d2e6bad984d909e4f9359af1 gpgme-1.1.3.tar.gz.sig Noteworthy changes in version 1.1.3 (2007-01-29) ------------------------------------------------ * Fixed a memory leak in gpgme_data_release_and_get_mem. * Fixed a bug in Windows command line quoting. Marcus Brinkmann mb at g10code.de -- g10 Code GmbH http://g10code.com AmtsGer. Wuppertal HRB 14459 H?ttenstr. 61 Gesch?ftsf?hrung Werner Koch D-40699 Erkrath -=- The GnuPG Experts -=- USt-Id DE215605608 _______________________________________________ Gnupg-announce mailing list Gnupg-announce at gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From j.lysdal at gmail.com Sun Feb 4 21:49:43 2007 From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=) Date: Sun, 04 Feb 2007 21:49:43 +0100 Subject: openpgp card Message-ID: <45C646E7.9060403@gmail.com> On the back of my openpgp card, it says that it has "Private data storage" What is this storage? and can i use it to store anything? -- J?rgen Ch. Lysdal -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 368 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070204/a2c73021/attachment-0001.pgp From wk at gnupg.org Sun Feb 4 22:08:10 2007 From: wk at gnupg.org (Werner Koch) Date: Sun, 04 Feb 2007 22:08:10 +0100 Subject: openpgp card In-Reply-To: <45C646E7.9060403@gmail.com> (=?utf-8?Q?J=C3=B8rgen?= Lysdal's message of "Sun\, 04 Feb 2007 21\:49\:43 +0100") References: <45C646E7.9060403@gmail.com> Message-ID: <87sldltyv9.fsf@wheatstone.g10code.de> On Sun, 4 Feb 2007 21:49, j.lysdal at gmail.com said: > On the back of my openpgp card, it says that it has > "Private data storage" What is this storage? and can i use > it to store anything? While in the gpg --card-edit menu, optionally enter "admin" and then "privatedo" to change the 4 private DO fields. See the specs for the required permissions of the read/write the fields. Shalom-Salam, Werner From j.lysdal at gmail.com Sun Feb 4 23:19:35 2007 From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=) Date: Sun, 04 Feb 2007 23:19:35 +0100 Subject: openpgp card In-Reply-To: <87sldltyv9.fsf@wheatstone.g10code.de> References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de> Message-ID: <45C65BF7.8050208@gmail.com> Werner Koch skrev: > While in the gpg --card-edit menu, optionally enter "admin" and then > "privatedo" to change the 4 private DO fields. See the specs for the > required permissions of the read/write the fields. Thanks for the hint. What i was interested in was if i could upload a file to the card and then retrieve it later. It appears i cant do that, anyway, i need at least 1600 bytes storage. -- J?rgen Ch. Lysdal -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 368 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070204/69ab9c41/attachment.pgp From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 03:08:54 2007 From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin) Date: Sun, 04 Feb 2007 20:08:54 -0600 Subject: GPG fails to verify clamav Message-ID: <45C691B6.60202@yahoo.com.au> I downloaded clamav 0.90rc3 from http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125 I want to verify the integrity of the downloaded file. When I do gpg --keyserver random.sks.keyserver.penguin.de --verify clamav-0.90rc3.tar.gz.sig it fails, saying this: > gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B > gpg: Can't check signature: public key not found Ren? Berber, in message , says that my GPG installation is broken. Can anyone tell me how I can fix it? Thanks in advance. P.S. I also tried using the protocol name in front of the keyserver address (hkp://). It didn't work. -- Send instant messages to your online friends http://au.messenger.yahoo.com From tmz at pobox.com Mon Feb 5 06:19:44 2007 From: tmz at pobox.com (Todd Zullinger) Date: Mon, 5 Feb 2007 00:19:44 -0500 Subject: GPG fails to verify clamav In-Reply-To: <45C691B6.60202@yahoo.com.au> References: <45C691B6.60202@yahoo.com.au> Message-ID: <20070205051944.GE2362@psilocybe.teonanacatl.org> Roy Carin wrote: > I downloaded clamav 0.90rc3 from > http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125 > > I want to verify the integrity of the downloaded file. When I do > > gpg --keyserver random.sks.keyserver.penguin.de --verify > clamav-0.90rc3.tar.gz.sig > > it fails, saying this: > >> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B >> gpg: Can't check signature: public key not found > > Ren? Berber, in message > > , says that my GPG installation is broken. > > Can anyone tell me how I can fix it? I think that the problem may be that you don't have the key on your keyring already and you don't have the auto-key-retrieve keyserver option enabled (it's not enabled by default). You can either enable that option or import the key before verifying the signature (via a keyserver webpage or using gpg --recv-key 985A444B). -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ====================================================================== What a terrible thing to have lost one's mind. Or not to have a mind at all. How true that is. -- Dan Quayle, speaking to the United Negro College Fund -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available Url : /pipermail/attachments/20070205/7ddee2b5/attachment.pgp From dshaw at jabberwocky.com Mon Feb 5 06:12:26 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 5 Feb 2007 00:12:26 -0500 Subject: GPG fails to verify clamav In-Reply-To: <45C691B6.60202@yahoo.com.au> References: <45C691B6.60202@yahoo.com.au> Message-ID: <20070205051226.GD6299@jabberwocky.com> On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote: > I downloaded clamav 0.90rc3 from > http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125 > > I want to verify the integrity of the downloaded file. When I do > > gpg --keyserver random.sks.keyserver.penguin.de --verify > clamav-0.90rc3.tar.gz.sig > > it fails, saying this: > > > gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B > > gpg: Can't check signature: public key not found Download the key 985A444B: gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B Then do the verify. David From r.post at sara.nl Mon Feb 5 10:37:19 2007 From: r.post at sara.nl (Remco Post) Date: Mon, 05 Feb 2007 10:37:19 +0100 Subject: smartcard and ssh In-Reply-To: <87veikjnm1.fsf@wheatstone.g10code.de> References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> Message-ID: <45C6FACF.3060400@sara.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Fri, 2 Feb 2007 14:00, r.post at sara.nl said: > >> mope, I didn't. I tried installing it (as part of the gpgsm package) but >> the /usr/lib/gnupg/pcsc-wrapper seems to be missing in the package :( > > If you have an USB reader, try using the internal ccid-driver. You > need to stop the pcscd first. You may test it with the plain gpg - it > will also use the ccid-driver (--debug-ccid-driver helps to detect > problems). Make sure that the usbfs is loaded and that the > permissions are correct . The smart card howto at www.gnupg.org > should be helpful. > hmmm, more problems. I've decided that the ubuntu packages are broken. I'll try again in a new release or when I gain some more patience ;-) Normal gpg operations work, it's just the ssh-compatebility and only for the smartcard, well, I gues I can do another few months without, just like the past few years when I suffered a windows desktop ;-) > > Shalom-Salam, > > Werner > - -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRcb6yirZkcVehrp5AQKrsgQAmmPinNNA0LUJZbEnI7ioOGZfwD6/7OsP o31ffvu7bsyuXDFbrtA/UD6gZt4xCPe3N3W/4ygQgwbkFGWgedrV9muIqtmbvexL kGzt0p0RiIxXJHZ1El1XBfiV6z0gqNEVBvAZd5AYlK+dyLE6S6IC8tfVVlcwSdLS WjqtcD+d2zE= =j0XP -----END PGP SIGNATURE----- From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:52:16 2007 From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin) Date: Mon, 05 Feb 2007 11:52:16 -0600 Subject: GPG fails to verify clamav In-Reply-To: <20070205051226.GD6299@jabberwocky.com> References: <45C691B6.60202@yahoo.com.au> <20070205051226.GD6299@jabberwocky.com> Message-ID: <45C76ED0.5070801@yahoo.com.au> On 02/04/2007 11:12 PM, David Shaw wrote: > On Sun, Feb 04, 2007 at 08:08:54PM -0600, Roy Carin wrote: >> I downloaded clamav 0.90rc3 from >> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125 >> >> I want to verify the integrity of the downloaded file. When I do >> >> gpg --keyserver random.sks.keyserver.penguin.de --verify >> clamav-0.90rc3.tar.gz.sig >> >> it fails, saying this: >> >>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B >>> gpg: Can't check signature: public key not found > > Download the key 985A444B: > > gpg --keyserver random.sks.keyserver.penguin.de --recv-keys 985A444B > > Then do the verify. > > David > Thanks. The first couple of times it didn't work. Netstat said SYN_SENT for 62.94.26.10 port 11371 but didn't connect. The third time was the charm :-) -- Send instant messages to your online friends http://au.messenger.yahoo.com From roy_carin_mail-vtrcl at yahoo.com.au Mon Feb 5 18:53:03 2007 From: roy_carin_mail-vtrcl at yahoo.com.au (Roy Carin) Date: Mon, 05 Feb 2007 11:53:03 -0600 Subject: GPG fails to verify clamav In-Reply-To: <20070205051944.GE2362@psilocybe.teonanacatl.org> References: <45C691B6.60202@yahoo.com.au> <20070205051944.GE2362@psilocybe.teonanacatl.org> Message-ID: <45C76EFF.4060601@yahoo.com.au> On 02/04/2007 11:19 PM, Todd Zullinger wrote: > Roy Carin wrote: >> I downloaded clamav 0.90rc3 from >> http://sourceforge.net/project/showfiles.php?group_id=86638&package_id=90197&release_id=483125 >> >> I want to verify the integrity of the downloaded file. When I do >> >> gpg --keyserver random.sks.keyserver.penguin.de --verify >> clamav-0.90rc3.tar.gz.sig >> >> it fails, saying this: >> >>> gpg: Signature made Wed Jan 31 18:04:35 2007 CST using DSA key ID 985A444B >>> gpg: Can't check signature: public key not found >> Ren? Berber, in message >> >> , says that my GPG installation is broken. >> >> Can anyone tell me how I can fix it? > > I think that the problem may be that you don't have the key on your > keyring already and you don't have the auto-key-retrieve keyserver > option enabled (it's not enabled by default). You can either enable > that option or import the key before verifying the signature (via a > keyserver webpage or using gpg --recv-key 985A444B). > Thanks. Done. -- Send instant messages to your online friends http://au.messenger.yahoo.com From benjamin at py-soft.co.uk Tue Feb 6 01:14:28 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Tue, 06 Feb 2007 00:14:28 +0000 Subject: openpgp card In-Reply-To: <45C65BF7.8050208@gmail.com> References: <45C646E7.9060403@gmail.com> <87sldltyv9.fsf@wheatstone.g10code.de> <45C65BF7.8050208@gmail.com> Message-ID: <45C7C864.2020900@py-soft.co.uk> J?rgen Lysdal wrote: > Thanks for the hint. What i was interested in was if i could upload a > file to the card and then retrieve it later. That's one of the aims of the project for the "open implementation of the openpgp smart card standard", see http://www.py-soft.co.uk/wiki/index.php/Openpgp Ben From groups at sowa.cc Sat Feb 3 15:14:50 2007 From: groups at sowa.cc (Thomas Sowa) Date: Sat, 3 Feb 2007 15:14:50 +0100 Subject: gpg.conf missing Message-ID: <1170512090.45c498da17ea1@webmail.in-berlin.de> Hi, i just created my .gnupg file --> gpg --gen-key All is good, but the gpg.conf is missing. It's already the 2run, the first created the file but it was empty. Why, and how do I get this file to modify it? Thanks, Tom From wk at gnupg.org Tue Feb 6 10:24:02 2007 From: wk at gnupg.org (Werner Koch) Date: Tue, 06 Feb 2007 10:24:02 +0100 Subject: New command line language parameter In-Reply-To: <200702051357.l15DvWds001544@edison.ccupm.upm.es> (Juan =?utf-8?Q?Marug=C3=A1n's?= message of "Mon\, 05 Feb 2007 14\:57\:32 +0100") References: <200701300956.l0U9u38R019043@edison.ccupm.upm.es> <87ps8tu1v7.fsf@wheatstone.g10code.de> <200702012226.l11MQ0RF008768@edison.ccupm.upm.es> <87abzxt0jb.fsf@wheatstone.g10code.de> <200702051357.l15DvWds001544@edison.ccupm.upm.es> Message-ID: <878xfboczx.fsf@wheatstone.g10code.de> On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said: > I tried the SET LANG=xx and as far as i read in the GPG documentation > and mailing list's posts, this is only for POSIX systems, not for > windows, at least in windows doesn't work in all the ways i tried. You are right. It works for GPA but not for GPG because with gpg we use a simplified version of gettext. This is easy to fix. > I'm afraid the only way to use a language file in windows is the > registry or a new command line parameter. No. A command line option won't work because how would you then print a localized message like "invalid option" or diagnostics printed even before any option has been parsed. Shalom-Salam, Werner From m-iizuka at cp.jp.nec.com Tue Feb 6 10:14:41 2007 From: m-iizuka at cp.jp.nec.com (Mitsuho Iizuka) Date: Tue, 06 Feb 2007 18:14:41 +0900 (JST) Subject: No Public Key Problem Message-ID: <20070206.181441.74753944.m-iizuka@cp.jp.nec.com> Getting errors as follows, I can't sign by myself with gpgsm of gnupg2.0.1 on Fedora Core 5 Linux. Could you give some hint ? gpgsm: can't sign using `': No public key [GNUPG:] INV_RECP 1 command line are as follows. % ./gpgsm --detach-sign --include-certs 3 --status-fd 2 --local-user '' --output smime.p7s mew5430s-F I tried 2 other user specifying way, such as, m-iizuka at ... and ''. Those results gave almost same error. Only m-iizuka.cp.jp.nec.com gave me valid sign. My certification is as follows(~/.gnupg/keyring.kbx). % gpgsm -kv : Serial number: XXXXXXX Issuer: /CN=NEC Group Certification Authority SMIME/OU=Class 2 CA - OnSite Individual Subscriber/OU=Terms of use at https:\x2f\x2fwww.verisign.co.jp\x2fRPA (c)99/OU=VeriSign Trust Network/O=NEC Corporation Subject: /CN=Mitsuho Iizuka (061221 m-iizuka.cp.jp.nec.com)/OU=www.verisign.com\x2frepository\x2fCPS Incorp. by Ref.,LIAB.LTD(c)96/OU=NEC Group Certification Authority SMIME/O=NEC Corporation/EMail=m-iizuka at cp.jp.nec.com : According to keydb.c at around 1035 line, I don't think there is a method to specify myself with my e-mail address on the above my certicication. How can I specify myself with gpgsm2.0.1 ? Thanks in advance Regards, // Mitsuho Iizuka From info at webinfo.de Tue Feb 6 13:35:00 2007 From: info at webinfo.de (=?iso-8859-15?Q?Bj=F6rn_Mayer?=) Date: Tue, 06 Feb 2007 13:35:00 +0100 Subject: JADE-S, secure communication with DF? Message-ID: Hi folks, supposed all features of JADE-S are activated - is it possible to encrypt and sign messages adressed to the DF like DFService.register requests? Best regards, Bjorn From JPClizbe at tx.rr.com Tue Feb 6 21:13:30 2007 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 06 Feb 2007 14:13:30 -0600 Subject: gpg.conf missing In-Reply-To: <1170512090.45c498da17ea1@webmail.in-berlin.de> References: <1170512090.45c498da17ea1@webmail.in-berlin.de> Message-ID: <45C8E16A.1020407@tx.rr.com> Thomas Sowa wrote: > Hi, > > i just created my .gnupg file --> gpg --gen-key > > All is good, but the gpg.conf is missing. It's already the 2run, the first > created the file but it was empty. > > Why, and how do I get this file to modify it? gpg.conf is just a text file. You may create it with any editor of your choice. It is for you to use to specify common options to gpg. For example: default-recipient-self default-cert-check-level 3 keyserver pool.sks-keyservers.net keyserver-options auto-key-retrieve include-revoked include-subkeys -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 663 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070206/6cccb4ff/attachment.pgp From hawke at hawkesnest.net Wed Feb 7 23:47:11 2007 From: hawke at hawkesnest.net (Alex Mauer) Date: Wed, 07 Feb 2007 16:47:11 -0600 Subject: smartcard and ssh In-Reply-To: <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl> References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl> Message-ID: Remco Post wrote: > > hmmm, more problems. I've decided that the ubuntu packages are broken. > I'll try again in a new release or when I gain some more patience ;-) Have you looked for and/or reported the bugs you found? It works for me pretty much "out of the box" with ubuntu/feisty, less so with earlier releases. Here are the problems I found and what I had to do to fix them: * gnupg was trying to use pcsc-wrapper at the wrong location (see bug #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ). It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the scd is looking for it. This can be solved either by copying the file, or with a symlink. This seems to have been fixed in feisty. * Another was that the ssh-agent support is not enabled out of the box. This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and adding "--enable-ssh-support" in the appropriate place (around line 17). *The final thing I needed to do was to install the package libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so, linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create that symlink yourself. This also appears to have been fixed in feisty, though you do still need libpcsclite1 (and pcscd). -Alex Mauer "hawke" From hawke at hawkesnest.net Wed Feb 7 23:47:26 2007 From: hawke at hawkesnest.net (Alex Mauer) Date: Wed, 07 Feb 2007 16:47:26 -0600 Subject: OpenPGP card and secret keys Message-ID: I seem to be having some trouble with my openpgp card: gnupg knows I have secret keys on an openpgp card: $ gpg --list-secret-keys /home/amauer/.gnupg/secring.gpg ------------------------------- sec# 1024D/51192FF2 2002-03-22 ssb> 1024R/4A1C1224 2005-06-27 (output has been modified showing only what I think are relevant lines) but then when I try to sign a file, gpg ignores these keys: $ gpg --clearsign test.txt gpg: secret key parts are not available gpg: no default secret key: general error gpg: test.txt: clearsign failed: general error Even if I specify the signing subkey from the card, it doesn't work: $ gpg --clearsign -u '0x4a1c1224' test.txt gpg: secret key parts are not available gpg: skipped "0x4a1c1224": general error gpg: test.txt: clearsign failed: general error If I force that subkey, it works: $ gpg --clearsign -u '0x4a1c1224!' test.txt $ (gpg agent popped up a pinentry dialog, and I was able to enter the PIN on the pinpad) What am I doing wrong? -Alex Mauer "hawke" From wk at gnupg.org Thu Feb 8 06:43:50 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 08 Feb 2007 06:43:50 +0100 Subject: OpenPGP card and secret keys In-Reply-To: (Alex Mauer's message of "Wed\, 07 Feb 2007 16\:47\:26 -0600") References: Message-ID: <87odo5td9l.fsf@wheatstone.g10code.de> On Wed, 7 Feb 2007 23:47, hawke at hawkesnest.net said: > If I force that subkey, it works: > $ gpg --clearsign -u '0x4a1c1224!' test.txt Okay, so it is not a communication problem with teh card. Please run gpg --debug 64 --clearsign test.txt To see why gpg tries to use the primary key. Salam-Shalom, Werner From r.post at sara.nl Thu Feb 8 09:21:41 2007 From: r.post at sara.nl (Remco Post) Date: Thu, 08 Feb 2007 09:21:41 +0100 Subject: smartcard and ssh In-Reply-To: References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl> Message-ID: <45CADD95.3030007@sara.nl> Alex Mauer wrote: > Remco Post wrote: >> hmmm, more problems. I've decided that the ubuntu packages are broken. >> I'll try again in a new release or when I gain some more patience ;-) > > Have you looked for and/or reported the bugs you found? > > It works for me pretty much "out of the box" with ubuntu/feisty, less so > with earlier releases. > > Here are the problems I found and what I had to do to fix them: > > * gnupg was trying to use pcsc-wrapper at the wrong location (see bug > #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ). > It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the > scd is looking for it. This can be solved either by copying the file, > or with a symlink. This seems to have been fixed in feisty. > ok, that's a nice one.... > * Another was that the ssh-agent support is not enabled out of the box. > This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and > adding "--enable-ssh-support" in the appropriate place (around line 17). > I've made a gpg-agent.conf file to the same effect. > *The final thing I needed to do was to install the package > libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so, > linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create > that symlink yourself. This also appears to have been fixed in feisty, > though you do still need libpcsclite1 (and pcscd). > since normal gpg operations (signing) do work, this doesn't seem to be a problem for me. > -Alex Mauer "hawke" > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams From r.post at sara.nl Thu Feb 8 10:47:13 2007 From: r.post at sara.nl (Remco Post) Date: Thu, 08 Feb 2007 10:47:13 +0100 Subject: smartcard and ssh In-Reply-To: References: <45C30F24.2030708@sara.nl> <87k5z0px2r.fsf@wheatstone.g10code.de> <45C335E7.8060102@sara.nl> <87veikjnm1.fsf@wheatstone.g10code.de> <45C6FACF.3060400__12348.8685269423$1170668386$gmane$org@sara.nl> Message-ID: <45CAF1A1.6020203@sara.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Mauer wrote: > Remco Post wrote: >> hmmm, more problems. I've decided that the ubuntu packages are broken. >> I'll try again in a new release or when I gain some more patience ;-) > > Have you looked for and/or reported the bugs you found? > > It works for me pretty much "out of the box" with ubuntu/feisty, less so > with earlier releases. > > Here are the problems I found and what I had to do to fix them: > > * gnupg was trying to use pcsc-wrapper at the wrong location (see bug > #68047, https://bugs.launchpad.net/ubuntu/+source/gnupg2/+bug/68047 ). > It is installed in /usr/lib/gnupg2 rather than /usr/lib/gnupg where the > scd is looking for it. This can be solved either by copying the file, > or with a symlink. This seems to have been fixed in feisty. > ok, installing gnupg2 and symlinking this file as well as the libpcslite helped, thanks a lot! > * Another was that the ssh-agent support is not enabled out of the box. > This may be enabled by editing /etc/X11/Xsession.d/90gpg-agent and > adding "--enable-ssh-support" in the appropriate place (around line 17). > > *The final thing I needed to do was to install the package > libpcsclite-dev. This installs the symlink /usr/lib/libpcsclite.so, > linked to /usr/lib/libpcslite.so.1.0.0. Or of course, you could create > that symlink yourself. This also appears to have been fixed in feisty, > though you do still need libpcsclite1 (and pcscd). > > -Alex Mauer "hawke" > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Met vriendelijke groeten, Remco Post SARA - Reken- en Netwerkdiensten http://www.sara.nl High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167 PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC "I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iQCVAwUBRcrxnCrZkcVehrp5AQKo2wP9GNeFlAKXH1J6xCml/tCoap16xxqn8lEp JZ99bwap7GpChuX0qEfHZT6KDK5GuVlJgJ8HzkOmERy/lXIw423bR/M1sWJH/DI2 NTeYiGZ0etS9yDGn6fGfHnLZLpN9djbEYTHCehNz7futl+oYFZxygzP6i8jPFsq3 PxqQf3E3rU4= =GUgP -----END PGP SIGNATURE----- From ber at webschuur.com Thu Feb 8 13:03:05 2007 From: ber at webschuur.com (=?iso-8859-1?q?B=E8r_Kessels?=) Date: Thu, 8 Feb 2007 13:03:05 +0100 Subject: Keyrings for websites Message-ID: <200702081303.09540.ber@webschuur.com> Hello, With the current growth of online services that talk to eachother (the web2.0) I thought it a good idea to think about a way to determine "trust" between the sites. If my site shares its spam tokens, comments, search results, tags and pictures (etc) with a cloud of sites, it could be a good idea to establish a trust-ring. I therefore thought it an interesting idea to make keys not just for people, but for a website. That way I can sign public keys from other sites and give them a trust weight. That way one can establish a web of trust between sites. A good way to make sure spammers don't get inbetween your comments, for example. By allowing so called trackbacks from trusted sites only, one can reduce the amount of spam greatly. By sending my tags to trusted sites only, I can make sure that not some malafide "content thief" runs off with my valuable content, yet still share it. It is still an idea. And no code is made yet. But I am heavy into Drupal (been full time developer for it for over 4 years), and I can introduce this concept there, then hope it takes off into wordpress, plone and other Open Source, or Closed source CMses. All I need is some general idea wether or not this will a) work at all and b) is possible with gnupg, and c) if it would not 'threaten' gnug too much. thanks for reading, B?r -- Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal hosting: www.sympal.nl -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20070208/7d647a3f/attachment.pgp From jbruni at mac.com Thu Feb 8 15:36:37 2007 From: jbruni at mac.com (Joseph Oreste Bruni) Date: Thu, 8 Feb 2007 07:36:37 -0700 Subject: Keyrings for websites In-Reply-To: <200702081303.09540.ber@webschuur.com> References: <200702081303.09540.ber@webschuur.com> Message-ID: You might want to check out "Domain Keys" which is used to authenticate email sessions between MTA's. Also, peer-to-peer authentication can be accomplished via X.509 certificates and SSL. Joe On Feb 8, 2007, at 5:03 AM, B?r Kessels wrote: > Hello, > > With the current growth of online services that talk to eachother > (the web2.0) > I thought it a good idea to think about a way to determine "trust" > between > the sites. > ... > B?r > -- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2508 bytes Desc: not available Url : /pipermail/attachments/20070208/4d8a1abb/attachment.bin From markybob at gmail.com Thu Feb 8 10:59:26 2007 From: markybob at gmail.com (Mark Pinto) Date: Thu, 8 Feb 2007 04:59:26 -0500 Subject: gen-key non-interactively Message-ID: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> I'm wanting to pass all of the information that gpg needs to create a key (key size, type, expiration, userid, etc) initially and not have gpg keep pausing to ask the user. I've read the man page, read gpg --help, googled, and I still cant figure out how to pass those things to gpg while using --gen-key. Any help would be *greatly* appreciated. Thank you, Mark Pinto From schneecrash+gnupg-users at gmail.com Thu Feb 8 16:44:02 2007 From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users) Date: Thu, 8 Feb 2007 07:44:02 -0800 Subject: gen-key non-interactively In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> Message-ID: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com> here's an "expect"-based function i use in a bash script for just such purpose, # function: "DO_GENKEY_SESSION" # auto-execute a GPG --gen-key session # usage: # DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT # gen-key dialog options (SELECTION): # Please select what kind of key you want: # (1) DSA and Elgamal (default) # (2) DSA (sign only) # (3) DSA (set your own capabilities) # (5) RSA (sign only) # (7) RSA (set your own capabilities) DO_GENKEY_SESSION () { echo "START: $COMMENT" VAR=$($EXPECT -c " spawn $GPG $GPG_RING_OPTS --expert --cert-notation $NOTATION --gen-key set timeout -1 stty -echo expect \"Your selection? \" exp_send \"$1\n\" expect -re \"(What keysize do you want\?).*\\\$\[0-9\]*\\\$ \" exp_send \"$BITS\n\" expect \"Key is valid for? (0) \" exp_send \"0\n\" expect \"Is this correct? (y/N) \" exp_send \"y\n\" expect \"Real name: \" exp_send \"$NAME_REAL\n\" expect \"Email address: \" exp_send \"$EMAIL\n\" expect \"Comment: \" exp_send \"$SIG_COMMENT\n\" expect \"(O)kay/(Q)uit? \" exp_send \"O\n\" expect \"Enter passphrase: \" exp_send \"$PASS\n\" expect \"Repeat passphrase: \" exp_send \"$PASS\n\" expect exp_continue -continue_timer ") echo " DONE" } of course, you define/pass/replace the various vars as you need/like ... hth! From dshaw at jabberwocky.com Thu Feb 8 17:08:36 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 8 Feb 2007 11:08:36 -0500 Subject: gen-key non-interactively In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> Message-ID: <20070208160836.GA22488@jabberwocky.com> On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote: > I'm wanting to pass all of the information that gpg needs to create a > key (key size, type, expiration, userid, etc) initially and not have > gpg keep pausing to ask the user. I've read the man page, read gpg > --help, googled, and I still cant figure out how to pass those things > to gpg while using --gen-key. Any help would be *greatly* > appreciated. Make a file that looks like this: %echo Generating a standard key Key-Type: DSA Key-Length: 1024 Subkey-Type: ELG-E Subkey-Length: 1024 Name-Real: Joe Tester Name-Email: joe at foo.bar Passphrase: abc %pubring foo.pub %secring foo.sec # Do a commit here, so that we can later print "done" :-) %commit %echo done Then do: gpg --batch --gen-key /path/to/the/file/above End result will be a public key in foo.pub and secret key in foo.sec. See the DETAILS file (in the doc directory) for the various things you can do. David From wk at gnupg.org Thu Feb 8 17:13:13 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 08 Feb 2007 17:13:13 +0100 Subject: gen-key non-interactively In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> (Mark Pinto's message of "Thu\, 8 Feb 2007 04\:59\:26 -0500") References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> Message-ID: <871wl0pqzq.fsf@wheatstone.g10code.de> On Thu, 8 Feb 2007 10:59, markybob at gmail.com said: > I'm wanting to pass all of the information that gpg needs to create a > key (key size, type, expiration, userid, etc) initially and not have > gpg keep pausing to ask the user. I've read the man page, read gpg > --help, googled, and I still cant figure out how to pass those things > to gpg while using --gen-key. Any help would be *greatly* Check out the the file DETAILS. It should explain everything. I have copied the section below. Shalom-Salam, Werner Unattended key generation ========================= This feature allows unattended generation of keys controlled by a parameter file. To use this feature, you use --gen-key together with --batch and feed the parameters either from stdin or from a file given on the commandline. The format of this file is as follows: o Text only, line length is limited to about 1000 chars. o You must use UTF-8 encoding to specify non-ascii characters. o Empty lines are ignored. o Leading and trailing spaces are ignored. o A hash sign as the first non white space character indicates a comment line. o Control statements are indicated by a leading percent sign, the arguments are separated by white space from the keyword. o Parameters are specified by a keyword, followed by a colon. Arguments are separated by white space. o The first parameter must be "Key-Type", control statements may be placed anywhere. o Key generation takes place when either the end of the parameter file is reached, the next "Key-Type" parameter is encountered or at the control statement "%commit" o Control statements: %echo Print . %dry-run Suppress actual key generation (useful for syntax checking). %commit Perform the key generation. An implicit commit is done at the next "Key-Type" parameter. %pubring %secring Do not write the key to the default or commandline given keyring but to . This must be given before the first commit to take place, duplicate specification of the same filename is ignored, the last filename before a commit is used. The filename is used until a new filename is used (at commit points) and all keys are written to that file. If a new filename is given, this file is created (and overwrites an existing one). Both control statements must be given. o The order of the parameters does not matter except for "Key-Type" which must be the first parameter. The parameters are only for the generated keyblock and parameters from previous key generations are not used. Some syntactically checks may be performed. The currently defined parameters are: Key-Type: | Starts a new parameter block by giving the type of the primary key. The algorithm must be capable of signing. This is a required parameter. Key-Length: Length of the key in bits. Default is 1024. Key-Usage: Space or comma delimited list of key usage, allowed values are "encrypt", "sign", and "auth". This is used to generate the key flags. Please make sure that the algorithm is capable of this usage. Note that OpenPGP requires that all primary keys are capable of certification, so no matter what usage is given here, the "cert" flag will be on. If no Key-Usage is specified, all the allowed usages for that particular algorithm are used. Subkey-Type: | This generates a secondary key. Currently only one subkey can be handled. Subkey-Length: Length of the subkey in bits. Default is 1024. Subkey-Usage: Similar to Key-Usage. Passphrase: If you want to specify a passphrase for the secret key, enter it here. Default is not to use any passphrase. Name-Real: Name-Comment: Name-Email: The 3 parts of a key. Remember to use UTF-8 here. If you don't give any of them, no user ID is created. Expire-Date: |([d|w|m|y]) Set the expiration date for the key (and the subkey). It may either be entered in ISO date format (2000-08-15) or as number of days, weeks, month or years. Without a letter days are assumed. Preferences: Set the cipher, hash, and compression preference values for this key. This expects the same type of string as "setpref" in the --edit menu. Revoker: : [sensitive] Add a designated revoker to the generated key. Algo is the public key algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.) Fpr is the fingerprint of the designated revoker. The optional "sensitive" flag marks the designated revoker as sensitive information. Only v4 keys may be designated revokers. Handle: This is an optional parameter only used with the status lines KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100 characters and should not contain spaces. It is useful for batch key generation to associate a key parameter block with a status line. Keyserver: This is an optional parameter that specifies the preferred keyserver URL for the key. Here is an example: $ cat >foo < ssb 1024g/8F70E2C0 2000-03-09 From ber at webschuur.com Thu Feb 8 17:32:30 2007 From: ber at webschuur.com (=?utf-8?q?B=C3=A8r_Kessels?=) Date: Thu, 8 Feb 2007 17:32:30 +0100 Subject: Keyrings for websites In-Reply-To: References: <200702081303.09540.ber@webschuur.com> Message-ID: <200702081732.31135.ber@webschuur.com> Hello, Op donderdag 8 februari 2007 15:36, schreef Joseph Oreste Bruni: > You might want to check out "Domain Keys" which is used to ? > authenticate email sessions between MTA's. > > Also, peer-to-peer authentication can be accomplished via X.509 ? > certificates and SSL. Ye, I am aware of the X.509 to authenticate servers. Also I know my way around in the SSL "stuff". This, however, is a different thing then what I want to achieve. I am not so much interested in secure connections, nor in authentication, between peers. What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com ultimately. Since you trust me, you can trust Bar.com too'. That way one can allow sign-ins from other trusted sites, trackbacs etc. Thanks for the feedback, though. B?r -- Drupal, Ruby on Rails and Joomla! development: webschuur.com | Drupal hosting: www.sympal.nl -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20070208/ff852ca0/attachment-0001.pgp From anon-bounces at deuxpi.ca Thu Feb 8 14:43:46 2007 From: anon-bounces at deuxpi.ca (Anonyma) Date: Thu, 8 Feb 2007 08:43:46 -0500 (EST) Subject: making a passphrase by doubling a password and tweaking the end Message-ID: (This is as much about ssh as gpg, but I figure there should be some passphrase expertise here.) Suppose my shell password is "SapNilph4" (I just got that from APG), is it stupid to make a passphrase for an ssh or gpg key by doubling it and changing the end, for example "SapNilph4SapNilph3"? Or am I really wasting potential entropy this way? thanks From dshaw at jabberwocky.com Thu Feb 8 17:10:02 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 8 Feb 2007 11:10:02 -0500 Subject: gen-key non-interactively In-Reply-To: <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com> References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com> Message-ID: <20070208161002.GB22488@jabberwocky.com> On Thu, Feb 08, 2007 at 07:44:02AM -0800, snowcrash+gnupg-users wrote: > here's an "expect"-based function i use in a bash script for just such purpose, > > # function: "DO_GENKEY_SESSION" > # auto-execute a GPG --gen-key session > # usage: > # DO_GENKEY_SESSION (SELECTION) $NOTATION $COMMENT > # gen-key dialog options (SELECTION): > # Please select what kind of key you want: > # (1) DSA and Elgamal (default) > # (2) DSA (sign only) > # (3) DSA (set your own capabilities) > # (5) RSA (sign only) > # (7) RSA (set your own capabilities) > DO_GENKEY_SESSION () { > echo "START: $COMMENT" > VAR=$($EXPECT -c " I strongly advise against using expect to generate keys. Your expect script will break when we change the text that GPG displays. If you want to generate keys unattended, then use the --batch --gen-key interface. David From rjh at sixdemonbag.org Thu Feb 8 18:07:58 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 11:07:58 -0600 Subject: making a passphrase by doubling a password and tweaking the end In-Reply-To: References: Message-ID: <3555FBDB-5298-4E4A-B5DD-D57B1FEFEA3D@sixdemonbag.org> > Suppose my shell password is "SapNilph4" (I just got that from APG), > is it stupid to make a passphrase for an ssh or gpg key by doubling it > and changing the end, for example "SapNilph4SapNilph3"? Or am I > really wasting potential entropy this way? Stupid? No. May not be especially wise, though. GnuPG passphrases, like root login passwords, are very high-value secrets. You should plan for them to be compromised at some point. If your root login gets compromised and your GnuPG passphrase is derivable from your root login, then you've got two high-value secrets compromised. Vice- versa is the same way. So while no, you're not wasting entropy, this may not be wise due to how it complicates your failsafe plans. From schneecrash+gnupg-users at gmail.com Thu Feb 8 18:14:19 2007 From: schneecrash+gnupg-users at gmail.com (snowcrash+gnupg-users) Date: Thu, 8 Feb 2007 09:14:19 -0800 Subject: gen-key non-interactively In-Reply-To: <20070208161002.GB22488@jabberwocky.com> References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <70f41ba20702080744s1d71f49bs8e27e749feff96a4@mail.gmail.com> <20070208161002.GB22488@jabberwocky.com> Message-ID: <70f41ba20702080914s6927c25bq910476c36ef997bd@mail.gmail.com> > I strongly advise against using expect to generate keys. Your expect > script will break when we change the text that GPG displays. If you > want to generate keys unattended, then use the --batch --gen-key > interface. i clearly understand that, and will manage my script(s) accordingly. thanks. :-) fwiw, the snippet i attached is a part of a larger, expect-based script i use to roll-out gpg "key packages" to new employees. as 'batch' support is only, currently provided (afaict ...) for gen-key, i simply use expect (even though i think it's a major pita!) to be consistent across all my other script functions. atm, there's no other convenient full-autommation option that i'm aware of; and, again, yes, i know it's 'upgrade fragile'. thanks. From hawke at hawkesnest.net Thu Feb 8 18:22:02 2007 From: hawke at hawkesnest.net (Alex Mauer) Date: Thu, 08 Feb 2007 11:22:02 -0600 Subject: OpenPGP card and secret keys In-Reply-To: <87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de> References: <87odo5td9l.fsf__10151.5237045989$1170913958$gmane$org@wheatstone.g10code.de> Message-ID: Werner Koch wrote: > Okay, so it is not a communication problem with teh card. Please run > > gpg --debug 64 --clearsign test.txt > > To see why gpg tries to use the primary key. aha! it does not. It's trying to use a different subkey instead. Surely missing secret key parts would be cause to reject that subkey as a candidate for use, and just because secret parts are missing for one subkey doesn't mean they're missing for all subkeys, right? $ gpg --debug 64 --clearsign test.txt gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=0) gpg: DBG: using key 51192FF2 gpg: DBG: finish_lookup: checking key 51192FF2 (all)(req_usage=1) gpg: DBG: checking subkey 4A1C1224 gpg: DBG: subkey looks fine gpg: DBG: checking subkey F4878DDE gpg: DBG: usage does not match: want=1 have=2 gpg: DBG: checking subkey 9A37EEFF gpg: DBG: subkey looks fine gpg: DBG: using key 9A37EEFF gpg: DBG: cache_user_id: already in cache gpg: secret key parts are not available gpg: no default secret key: general error gpg: test.txt: clearsign failed: general error secmem usage: 1408/3488 bytes in 2/15 blocks of pool 3488/32768 From roam at ringlet.net Thu Feb 8 16:51:03 2007 From: roam at ringlet.net (Peter Pentchev) Date: Thu, 8 Feb 2007 17:51:03 +0200 Subject: gen-key non-interactively In-Reply-To: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> Message-ID: <20070208155103.GB1621@straylight.m.ringlet.net> On Thu, Feb 08, 2007 at 04:59:26AM -0500, Mark Pinto wrote: > I'm wanting to pass all of the information that gpg needs to create a > key (key size, type, expiration, userid, etc) initially and not have > gpg keep pausing to ask the user. I've read the man page, read gpg > --help, googled, and I still cant figure out how to pass those things > to gpg while using --gen-key. Any help would be *greatly* > appreciated. If you are trying to do this as part of a bigger program, you might want to check out the gpgme and libgcrypt libraries. Otherwise, the gnupg manual page mentions an experimental method for using --gen-key non-interactively, which is described in the DETAILS file in the doc/ subdirectory of the gnupg source archive. Thus, you need to download the gnupg source (either 1.4.x or 2.0.x, depending on which version you're using anyway), read the doc/DETAILS file, and see if the method described there works for you. I just tried it with GnuPG 1.4.6, and it worked just fine here. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20070208/0a3372dc/attachment.pgp From roam at ringlet.net Thu Feb 8 16:01:30 2007 From: roam at ringlet.net (Peter Pentchev) Date: Thu, 8 Feb 2007 17:01:30 +0200 Subject: Keyrings for websites In-Reply-To: <200702081303.09540.ber@webschuur.com> References: <200702081303.09540.ber@webschuur.com> Message-ID: <20070208150130.GA1621@straylight.m.ringlet.net> On Thu, Feb 08, 2007 at 01:03:05PM +0100, B?r Kessels wrote: > Hello, > > With the current growth of online services that talk to eachother (the > web2.0) I thought it a good idea to think about a way to determine > "trust" between the sites. > > If my site shares its spam tokens, comments, search results, tags and > pictures (etc) with a cloud of sites, it could be a good idea to > establish a trust-ring. > > I therefore thought it an interesting idea to make keys not just for > people, but for a website. That way I can sign public keys from other > sites and give them a trust weight. [snip] > > It is still an idea. And no code is made yet. But I am heavy into > Drupal (been full time developer for it for over 4 years), and I can > introduce this concept there, then hope it takes off into wordpress, > plone and other Open Source, or Closed source CMses. > > All I need is some general idea wether or not this will a) work at all > and b) is possible with gnupg, and c) if it would not 'threaten' gnug > too much. It ought to be both possible and trivial. ISTR several discussions on this mailing list, where people mentioned using PGP keys (or rather, uid's) with only names, no e-mail addresses. You could either use such keys with the hostname (or the full path to the web application) placed directly in the "name" part of the user ID, or develop some kind of machine-readable encoding to represent a host name, application path, application name, or any level of detail you feel comfortable with, and then place those in the "name" or the "comment" part of the key's user ID. After that, proceed as usual - sign the user-ID with the key itself (GnuPG should do that as part of the key generation anyway), sign it with your own key, and send the public key to the others. They should generate keys for their web apps too, sign them with their own (developers') keys, and send them to you. Then each of you establishes his own trustdb, places trust in (some of) the developers' keys, and off you go. G'luck, Peter -- Peter Pentchev roam at ringlet.net roam at cnsys.bg roam at FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20070208/72ecdc95/attachment.pgp From alex at bofh.net.pl Thu Feb 8 17:49:11 2007 From: alex at bofh.net.pl (Janusz A. Urbanowicz) Date: Thu, 8 Feb 2007 17:49:11 +0100 Subject: Keyrings for websites In-Reply-To: <200702081732.31135.ber@webschuur.com> References: <200702081303.09540.ber@webschuur.com> <200702081732.31135.ber@webschuur.com> Message-ID: <20070208164911.GG11476@hell.pl> On Thu, Feb 08, 2007 at 05:32:30PM +0100, B??r Kessels wrote: > Hello, > > Op donderdag 8 februari 2007 15:36, schreef Joseph Oreste Bruni: > > You might want to check out "Domain Keys" which is used to ? > > authenticate email sessions between MTA's. > > > > Also, peer-to-peer authentication can be accomplished via X.509 ? > > certificates and SSL. > > Ye, I am aware of the X.509 to authenticate servers. Also I know my way around > in the SSL "stuff". This, however, is a different thing then what I want to > achieve. I am not so much interested in secure connections, nor in > authentication, between peers. > > What I want, is a way to say 'look, I am Foo.com, and I trust Bar.com > ultimately. Since you trust me, you can trust Bar.com too'. That way one can > allow sign-ins from other trusted sites, trackbacs etc. > > Thanks for the feedback, though. Check out OpenID, although it is not cryptography based (AFAIK). Alex -- JID: alex at hell.pl PGP: 0x46399138 od zwracania uwagi na detale s? lekarze, adwokaci, programi?ci i zegarmistrze -- Czerski From hawke at hawkesnest.net Thu Feb 8 20:10:00 2007 From: hawke at hawkesnest.net (Alex Mauer) Date: Thu, 08 Feb 2007 13:10:00 -0600 Subject: Keyrings for websites In-Reply-To: <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net> References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net> Message-ID: Peter Pentchev wrote: > using PGP keys (or rather, uid's) with only names, no e-mail addresses. > You could either use such keys with the hostname (or the full path to > the web application) placed directly in the "name" part of the user ID, > or develop some kind of machine-readable encoding to represent a host > name, application path, application name, or any level of detail you > feel comfortable with, and then place those in the "name" or the > "comment" part of the key's user ID. After that, proceed as usual - This sort of overloading of the name/comment/email fields bothers me. I wish that UIDs were more of a key/value system (one key/value pair per IUID), e.g. name=William Surrey, email=bill at home.example.org, email=william.surrey at business.example.com, comment=Billy's key, alias=Bill; or name=Example's awesome wiki!, hostname=www.example.org, application=mediawiki (for the purpose given above). I'm thinking something equivalent to what vorbis comments are for ogg vorbis audio files. See http://xiph.org/vorbis/doc/v-comment.html Of course, I doubt that the OpenPGP spec allows for this sort of extensibility in the comments, or if it does that anyone's willing to implement it (or it would have been done by now). But it sure would be great if it were to happen. From newsgroups at thomas-huehn.de Thu Feb 8 20:24:37 2007 From: newsgroups at thomas-huehn.de (=?iso-8859-1?Q?Thomas_H=FChn?=) Date: Thu, 08 Feb 2007 20:24:37 +0100 Subject: Keyrings for websites References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net> Message-ID: <87d54kpi4q.fsf@mid.thomas-huehn.de> Alex Mauer writes: > This sort of overloading of the name/comment/email fields bothers me. I > wish that UIDs were more of a key/value system (one key/value pair per As far as I understand it there are no such fields. User ID is freeform, just a string. So feel free to put in "Key: Value" or whatever you'd like to. Thomas From wk at gnupg.org Thu Feb 8 20:28:55 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 08 Feb 2007 20:28:55 +0100 Subject: gen-key non-interactively In-Reply-To: <20070208155103.GB1621@straylight.m.ringlet.net> (Peter Pentchev's message of "Thu\, 8 Feb 2007 17\:51\:03 +0200") References: <62eb359a0702080159y45480389ycfbc59b44918da87@mail.gmail.com> <20070208155103.GB1621@straylight.m.ringlet.net> Message-ID: <87veicla88.fsf@wheatstone.g10code.de> On Thu, 8 Feb 2007 16:51, roam at ringlet.net said: > Otherwise, the gnupg manual page mentions an experimental method for BTW, I forgot to remove the "experimental" tag. That is a stable feature and useful for production. Salam-Shalom, Werner From wk at gnupg.org Thu Feb 8 20:44:00 2007 From: wk at gnupg.org (Werner Koch) Date: Thu, 08 Feb 2007 20:44:00 +0100 Subject: Keyrings for websites In-Reply-To: (Alex Mauer's message of "Thu\, 08 Feb 2007 13\:10\:00 -0600") References: <200702081303.09540.ber@webschuur.com> <20070208150130.GA1621__4230.98337273604$1170958920$gmane$org@straylight.m.ringlet.net> Message-ID: <87d54kl9j3.fsf@wheatstone.g10code.de> On Thu, 8 Feb 2007 20:10, hawke at hawkesnest.net said: > wish that UIDs were more of a key/value system (one key/value pair per You may use notations for this. They are however stored with the self-signature, so some care needs to be taken. If you need something simialr to the user ID, use the User Attribute Packet (Tag 17). It is currently only used for the photo ID but it may be extended. From the latest OpenPGP I-D: The User Attribute packet is a variation of the User ID packet. It is capable of storing more types of data than the User ID packet which is limited to text. Like the User ID packet, a User Attribute packet may be certified by the key owner ("self-signed") or any other key owner who cares to certify it. Except as noted, a User Attribute packet may be used anywhere that a User ID packet may be used. While User Attribute packets are not a required part of the OpenPGP standard, implementations SHOULD provide at least enough compatibility to properly handle a certification signature on the User Attribute packet. A simple way to do this is by treating the User Attribute packet as a User ID packet with opaque contents, but an implementation may use any method desired. The User Attribute packet is made up of one or more attribute subpackets. Each subpacket consists of a subpacket header and a body. The header consists of: - the subpacket length (1, 2, or 5 octets) - the subpacket type (1 octet) and is followed by the subpacket specific data. The only currently defined subpacket type is 1, signifying an image. An implementation SHOULD ignore any subpacket of a type that it does not recognize. Subpacket types 100 through 110 are reserved for private or experimental use. Salam-Shalom, Werner From j.lysdal at gmail.com Thu Feb 8 21:24:17 2007 From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=) Date: Thu, 08 Feb 2007 21:24:17 +0100 Subject: GnuPG on MS Vista Message-ID: <45CB86F1.7000607@gmail.com> Hi, it appears to be impossible to connect to any keyservers through gpg on my newly installed Vista box. I have disabled UAC and im running as admin, so that should not be the cause of any problems. Whenever i try to get something from a keyserver i get: gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/ gpg: no valid OpenPGP data found. gpg: Total number processed: 0 All the keyservers i have tried works well when using their web interface. Does anyone know how to solve this problem? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 368 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070208/2f93c123/attachment.pgp From hhhobbit at securemecca.net Thu Feb 8 21:37:29 2007 From: hhhobbit at securemecca.net (Henry Hertz Hobbit) Date: Thu, 08 Feb 2007 13:37:29 -0700 Subject: New command line language parameter In-Reply-To: References: Message-ID: <45CB8A09.7090004@securemecca.net> Werner Koch said: > On Mon, 5 Feb 2007 14:57, jmarugan at alumnos.upm.es said: > > >>I tried the SET LANG=xx and as far as i read in the GPG documentation >>and mailing list's posts, this is only for POSIX systems, not for >>windows, at least in windows doesn't work in all the ways i tried. > > > You are right. It works for GPA but not for GPG because with gpg we > use a simplified version of gettext. This is easy to fix. > > >>I'm afraid the only way to use a language file in windows is the >>registry or a new command line parameter. > > > No. A command line option won't work because how would you then print > a localized message like "invalid option" or diagnostics printed even > before any option has been parsed. Now be patient here for a moment. All of the following IS related to running GnuPG on Windows! To lead it all off, if you are running as an Administrator user all the time on Windows you are doing the equivalent of RUNNING AS root ALL THE TIME ON A UNIX SYSTEM! The present Windows GnuPG 1.4.X installs assume people do this. Most of them probably do run their Windows system this way, but that doesn't make it the only way, and I believe it is NOT THE RIGHT WAY! Microsoft isn't helping them do it properly either. NOW HAVING SAID WHAT I JUST SAID, IF YOU ARE *NOT* A MICROSOFT WINDOWS USER DELETE THIS MESSAGE AND MOVE ON! TRUST ME! You are wasting your time reading unless you use Microsoft Windows either ALL or a substantial amount of the time. You will just get confused until you understand how Microsoft Windows works. Even a lot of full-time Microsoft Windows users don't know how it works. I should know. I help them all the time and am apalled at how little they know about a system they have used for years. Some of them I have given up on them EVER understanding their systems. Where is the URL on setting these language settings in the HKCU registry keys? I am getting ready to put a lot of this stuff up on web pages. I already have a ZIP file with SOME of what is needed in it. I will have a web page or a set of web pages that will be devoted strictly to GnuPG (1.4.x) on Windows. I WILL provide REG files for what some people think in this forum are strange situations. I suppose this could be one of them. I posted an actual REG file in this forum and somebody didn't even see the REG4 at the top of it and said I should provide the actual REG file. I DID provide the actual REG file! All they had to do was to copy and paste, AND THEN ALTER SOME VARIABLES. You cannot use ENVIRONMENT variables in a REG file since they are part of the registry anyway. But this forum is NOT the right place to do it. What I posted was partially wrong anyway. It had the HKLM entries which I will either let the install do, or provide an HKLM.reg file. What is needed for most people are the HKCU keys for each Windows user that is running as a restricted user. You can fix the code if you want to Werner, but the proper way for a lot of this stuff on Windows is to put it into the registry. Even the ENVIRONMENT variables are stored in, you guessed it - THE REGISTRY! They are in the HKLM hive for the ones in the lower everybody panel and in the HKCU area for the ones in the uppger panel if you use the Control Panel method to look at the environment variables. There are several other things going along with this like the fact that without using higher order registry editing tools (not regedit) you can't normally dive into anybody else's HKCU hive. You normally only see your own (the one belonging to who you logged in as). Reading and adding or modifying somebody else's HKCU entries is possible but I consider that more esoteric than just providing somebody with a REG file and telling them to modify it. I am looking at writing a program that will actually create the REG file for them (yes, overkill, but it saves people from typing mistakes). What is being provided in the GnuPG install is only suitable for idiots who run as an Administrator, all the time with only one account on the system and that one is an Administrator account (you need at least one). They can keep their account as an Administrator and install the Drop My Rights program (which I give to everybody because that is usually more than they can do even if I provide them *.lnk files to paste onto the desktop and in the Start folders which even then they seem to muck up): http://tinyurl.com/3u46a That is unsuitable because likely or not somebody is going to message the default browser which is running in admin space and can thus modify the HKLM keys and all the files in the %WinDir% folder and all sub-folders. Even if the browser is messaged into running with lower privileges via DropMyRights.exe, a RealPlayer or Windows Media Player is messaged into running as the logged in user. Windows dows NOT fork off the App like Unix systems do. Nevertheless, that is what I used for years on Administrator accounts for my logon type administrator accounts. There IS a better Windows way of doing it - the LUA method. I recommend this way of doing it in home situations: http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx That is a MUCH better way of doing it in home or other situations where you control access to the computer. You are now protecting your HKLM keys and your %WinDir% folder. That is the reason I was arguing for putting the iconv.dll file over in the %WinDir% folder. Now you CAN do an attrib +s on the file where it is at but I have no guarantees that will keep it safe. You should do an attrib +s on all your files in the %ProgramFiles% area anyway, unless you don't consider GnuPG a security product. I just happen to believe it is a security product. But it is only ONE piece of securing Windows systems. One of the things that has occurred to me is to ask the question "can I make GnuPG say a signed message is okay whether it is or not?" By that I mean, can I by changing just the message strings of GnuPG make all signed messages show up as okay? If you don't think that if GnuPG takes off like mad on Windows and that you don't have that situation covered that it won't happen, you better think again. I spend a LOT of time finding out how people subvert Windows systems. That is because it is done so much. That is probably more of a flame against Windows users who run their systems in a stupid manner than a slam against Microsoft, although Microsoft doesn't help very much. They need to look very seriously at making it possible for users to login as restricted users and still have anti-virus programs do their updating, firewalls to lock the network connections when they walk away, etc. That is OUTSIDE THE SCOPE OF THIS NEWSGROUP. Doing a proper install of GnuPG on Windows IS a part of this newsgroup. If any of you have information of running GnuPG in a Windows environment with some other way of doing it other than as always one user with an Administrator account ship it to me. And do NOT ask me to install CygWin. If I want to run a Nix I shift to running Fedora Core Linux which I use over 85% of the time. That does NOT mean I am not a very knowledgeable Windows user. I am VERY good at understanding it. On the other hand if you want to flame me and say I am stupid, or that I need lessons in writing, or that all I am doing is spamming like a University Computer Science Professor recently said I was doing (I believe he was the department chair), then HIT THE DELETE BUTTON instead. But please stop being arrogant unless you really know more about Windows than I do. If you have information for setting up GnuPG for WINDOWS users that run their systems as safely as possible (GnuPG is only one piece of that puzzle), then send it to me. But do it out of group please. I don't think it is of much general interest. >From now on I will just write a simple - check this page out and paste the the URL in it, mostly OUT of newsgroup in private email messages. Thanks HHH From dshaw at jabberwocky.com Thu Feb 8 21:45:32 2007 From: dshaw at jabberwocky.com (David Shaw) Date: Thu, 8 Feb 2007 15:45:32 -0500 Subject: GnuPG on MS Vista In-Reply-To: <45CB86F1.7000607@gmail.com> References: <45CB86F1.7000607@gmail.com> Message-ID: <20070208204532.GA23127@jabberwocky.com> On Thu, Feb 08, 2007 at 09:24:17PM +0100, J?rgen Lysdal wrote: > Hi, it appears to be impossible to connect to any keyservers > through gpg on my newly installed Vista box. I have disabled > UAC and im running as admin, so that should not be the cause > of any problems. > > Whenever i try to get something from a keyserver i get: > > gpg: refreshing 1 key from hkp://pgpkeys.pca.dfn.de > gpg: requesting key xxxxxxxx from hkp server pgpkeys.pca.dfn.de > gpgkeys: no key data found for hkp://pgpkeys.pca.dfn.de/ > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > > All the keyservers i have tried works well when using their > web interface. Does anyone know how to solve this problem? Can you do the request, but add --debug 1024 --keyserver-options "use-temp-files keep-temp-files" There will be a line that says something like "DBG: Using temp file such-and-such". Send me the tempin.txt and tempout.txt file. David From rjh at sixdemonbag.org Thu Feb 8 21:58:16 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 14:58:16 -0600 Subject: GnuPG on MS Vista In-Reply-To: <20070208204532.GA23127@jabberwocky.com> References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There will be a line that says something like "DBG: Using temp file > such-and-such". Send me the tempin.txt and tempout.txt file. David-- Vista has radically changed the process of compiling code for the platform. Neither MinGW nor Cygwin GCC work under Vista without substantial kludges and workarounds; Microsoft recommends against VS.NET and VS2003; VS2005 is only supported with the latest service pack and some known issues. GnuPG will not build with VS2005 without some major overhauls to the build environment. While I know that generally the Windows build system involves Linux and a cross-compiler for Win32, it's very possible behind-the-scenes changes in Vista will lead to breakage. It may be worth considering telling people that Vista is an unsupported OS for GnuPG 1.4.x. (goes back to hacking CMake and VS2005's command-line compiler) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFy47oAAoJELcA9IL+r4EJeqAH/0Vdb98seQf6gtE8HQLoilgz l/FaqsxYT1yoq+2rbUcrGyMfBXkeXZMgK31DbEEIapdGSNtwgts0KuIlI7d2y542 IVfe1orchdUtbCJYDAimKufsOlAAl9bqz0gFKvR9VXW+S/YKBMvMjwzxlmSXjZsp 6FkJhPsVDkWWVYinUu8IYHYRp4FdxSQIz5Y4+m2X1SKwLQTTSukGj1QF9x7XTewT ZO75khQLDT5tbQZM0hvCM90jCWhQb7viw9N1NVsI6RkjOwvv3qRFeavHme/6KDlB th884fOga/7K0GNmTqNFdkvV2FK8GDf7LNkeXkNZiQBrd5srKAve7VmdSmkfXkg= =Zs3+ -----END PGP SIGNATURE----- From j.lysdal at gmail.com Thu Feb 8 22:09:41 2007 From: j.lysdal at gmail.com (=?ISO-8859-1?Q?J=F8rgen_Lysdal?=) Date: Thu, 08 Feb 2007 22:09:41 +0100 Subject: GnuPG on MS Vista In-Reply-To: References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> Message-ID: <45CB9195.40304@gmail.com> Robert J. Hansen skrev: > It may be worth considering > telling people that Vista is an unsupported OS for GnuPG 1.4.x. But will it be supported in any near future? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 368 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20070208/afa35aa0/attachment.pgp From rjh at sixdemonbag.org Thu Feb 8 23:02:10 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:02:10 -0600 Subject: GnuPG on MS Vista In-Reply-To: <45CB9195.40304@gmail.com> References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> <45CB9195.40304@gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > But will it be supported in any near future? That's up to the GnuPG developers, and whether they have any Vista boxes available to do regression testing on. They may have already tested it against Vista; I don't know. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFy53iAAoJELcA9IL+r4EJQaAH/1lDIIFrnuHMIKidli6PDD0q +lDHObUHNlAaYOwQinui+O4lyZT2NohRW/ADmtZCw3/qb3H9yhfslQJGuM+8Fqs/ WEjQIbVnVajK6mW5XRE2935YObq8pQKejpcvNS7Bf9sIvj/rQTy9gIzdPYQw/pdM aBpwzTAVyITFWVPZLnokHgudBMZ4d+kuWB9SKrQ84hpAdTUPbmuRlK1Mq7yttMAX osXMOUWhwcP8v0O2NIGgfGwSQrVtezMbdGH10Ezs8DqtKq5mTnSp7BOkWjMpBZsm UMR13AqN8OqPUxeuLHmyzWxdJ8lm8D7of3rMVEtvteGCOqhvgs588j6DNUNub9s= =yLXD -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Feb 8 23:37:05 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:37:05 -0600 Subject: New command line language parameter In-Reply-To: <45CB8A09.7090004@securemecca.net> References: <45CB8A09.7090004@securemecca.net> Message-ID: <55C09D1F-B0D1-49DF-89E8-922BE1CEC491@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > The present Windows GnuPG 1.4.X installs assume people [run > as Administrator]. The installer requires Administrator rights to install to the program files directory, just like every other Win32 program that wants to install there. Once installed, GnuPG does not require Administrator rights to run. > All they had to do was to copy and paste, AND THEN ALTER > SOME VARIABLES. This is unwise from a security perspective. Messing up a registry file can have terrible consequences. If you're advocating that people make edits to a registry file without understanding the registry, what they're looking at, what they're changing, etcetera, then disaster is waiting in the wings. Regular users should not edit the Windows registry. Ever. > There are several other things going along with this like the fact > that > without using higher order registry editing tools (not regedit) you > can't normally dive into anybody else's HKCU hive. This is by design; it's an important security mechanism. Alice shouldn't be allowed to inspect or modify Bob's registry entries. Only the Administrator should have access to everyone's registry entries. Please consider the implications of advocating that people bypass a security mechanism so they can install a piece of security software. It doesn't make much sense. > What is being provided in the GnuPG install is only suitable for > idiots who run as an Administrator, all the time with only one > account on the system and that one is an Administrator account... Please do not insult regular users by calling them idiots. The GnuPG installer is suitable for many kinds of Windows users. Speaking for myself, I administer a small XP network with several users, all of whom have GnuPG available to them. Their user accounts don't have Administrator privileges. The installer worked just fine for us. > One of the things that has occurred to me is to ask the question > "can I make GnuPG say a signed message is okay whether it is or > not?" By that I mean, can I by changing just the message strings > of GnuPG make all signed messages show up as okay? Sure. But if you install it as Administrator, then you need Administrator privileges to modify the file. If a malicious attacker has Administrator access to your Windows box, then it's a game-over condition anyway and there's nothing GnuPG can do to fix this. > If you don't think that if GnuPG takes off like mad on Windows According to the Enigmail folks, their number of Windows downloads are routinely an order of magnitude larger than their number of UNIX downloads. This strongly suggests more people run GnuPG on Windows than run GnuPG on UNIX. > That is probably more of a flame against Windows users who run their > systems in a stupid manner than a slam against Microsoft, although > Microsoft doesn't help very much. Again, we don't need to insult either users or corporations as being "stupid". > If any of you have information of running GnuPG in a Windows > environment with some other way of doing it other than as always > one user with an Administrator account ship it to me. Get the zip archive, uncompress it to some directory you own, add that directory to your own personal PATH. > On the other hand if you want to flame me and say I am stupid, > or that I need lessons in writing, or that all I am doing is > spamming like a University Computer Science Professor recently > said I was doing (I believe he was the department chair), I'm not a professor. I'm a pre-comps Ph.D. candidate in computer science. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFy6YRAAoJELcA9IL+r4EJw1MH/0pbmIf7FiLrt1Q7b7g/udTF Urg+DxdhmjujowJLg1qIcD6ntmkiItCjp2ww3zff8/We12faktxt72gyXoV+Qgw+ 1gLa1EqATXrLVKxighkg/Yw0PT1yGGHnqFvbnTBT48N5sD8RRjxhu71yD5JzuQCJ mQS8RF2xGArb0qJTCns0QGsPyD5S83+IE4rMVO6Uc16dpAJmFNdEVlKGcnd2EFU3 aiJ5Mv0tJScPyjP7aGVbCN8nx1eHgwfj8KKK/ExdjkyTaj3ZqMyi8F9zjD2oT28y etHbI2/ifMZlFEvk9FtWwP+Vx/p08F2vMFpP0G4F4iIZnVRJBWKIjbzpyyWx3KY= =iaCr -----END PGP SIGNATURE----- From sjlopezb at hackindex.com Thu Feb 8 22:21:00 2007 From: sjlopezb at hackindex.com (=?ISO-8859-15?Q?Santiago_Jos=E9_L=F3pez_Borraz=E1s?=) Date: Thu, 08 Feb 2007 22:21:00 +0100 Subject: A question... Message-ID: <45CB943C.5010109@foo.hackindex.es> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi: I ask a question: How the two lines are removed that appears above all of the signed of messages? There is some human way to tell him al GnuPG to that show not those two lines of BEGIN PGP MESSAGE? TIA. - -- Slds de Santiago Jos? L?pez Borraz?s. Admin de hackindex.com/.es Conocimientos avanzados en seguridad inform?tica. Conocimientos avanzados en redes. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQIVAwUBRcuUO7uF9/q6J55WAQpemhAAopGfH/12MM15MGw8QVDt+607rSiXOLFr 7EWz+TjCLrykZRnCpejq5Bpi6Px9po4YqMyXHJUnHIGuGxlBBCKIXCuohzqlCmJY Gq8DcY+MXAszqMmpIeLYxYkhRivCJnx7vN+S6AxAvb6wtsChZ53DJDT7fhRpSCHQ ENEMQqN+AXue7AHA8mO285v3Ago5MccbxiQ9vR+B4y3+5kosaYJFqThlNfPV8Qws UT/fyfgHQ8nZbQrVlXyLF0Elq32M2sTfecSnL22ZeRfTGpqH2UIZnt00Yo5HJTo4 KRSa+MjlSTTBJfinb/n2yL5aGmxjArdiY/558l+jYIt2dbxpF1t5alXADcBsysJY ZMIcrJLx9A2OB1wr0QOf2KdaI0iKZGLXiR/hEBo6nMue857uB4TdZt0QV76EKsRY k6vRTwofk4CZyhy78ceNf3iCoSDRrMCgQzZpvalBCT5hBGEbwEQaxD+4dsmteFv7 5wEXMcTDSWNHaNoiyGuZZuNRgvkCgsczu1KiTN1MBp8/0bBZ3zNym/bWnZdDkDpp ojoc53ISZwoKji3cxNPuuktcJQBQ7fFrNlJr5GpY+Ssa1hzCZmc3pUIjae6pJB3H y1Cgj4JilKVoltfrrArk0kGyY+SiqaiUt5MnISUl9lXYUD/upq3vJadyQettdP45 /G0iFEGRVys= =LvJD -----END PGP SIGNATURE----- From rjh at sixdemonbag.org Thu Feb 8 23:56:35 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 8 Feb 2007 16:56:35 -0600 Subject: A question... In-Reply-To: <45CB943C.5010109@foo.hackindex.es> References: <45CB943C.5010109@foo.hackindex.es> Message-ID: <7AF6DCD9-005C-457A-A1D2-DE2D304F46E9@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There is some human way to tell him al GnuPG to that show not those > two > lines of BEGIN PGP MESSAGE? Those two lines are required by OpenPGP and must be present in any clearsigned message. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (Darwin) iQEcBAEBCAAGBQJFy6qjAAoJELcA9IL+r4EJ7AgH/2gsEbgOv+mcKDk85YykKIiY NXnn6dajCXg5/cF4MM3Fsnwu/9Ox6cSLUVDCPZKejZsCMEiNLMOrcjh2N/kGt6mw OWL7Xoy7gOdKJI56aFDbQlTu2/xtI702tu+uabPZt8HHoE6Wd+LOhNjeCagl4mk+ lIoOl5BxMfCr658gwv3Z9fVblGL3W4DnrqDMyx/uPJP24y2HqwbY950bN6ONpX6X mganwtJd1Jy/KRuu0628bY14Jxs1DjPQF2zBxnDtTsYx+EJSXgwusnD3N10w6pzX r/OmGWqjDua2b727cnPLTKvnPBXxzFX7QWGucFbFjeu4DJQep5nb9ZXneP4UKHA= =On13 -----END PGP SIGNATURE----- From laurent.jumet at skynet.be Fri Feb 9 01:03:56 2007 From: laurent.jumet at skynet.be (Laurent Jumet) Date: Fri, 09 Feb 2007 01:03:56 +0100 Subject: A question... In-Reply-To: <45CB943C.5010109@foo.hackindex.es> Message-ID: Hello Santiago ! Santiago Jos? L?pez Borraz?s wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > How the two lines are removed that appears above all of the signed of > messages? > There is some human way to tell him al GnuPG to that show not those two > lines of BEGIN PGP MESSAGE? No, there is no human, and inclusive no God, that could remove the two first lines of a PGP message. -- Laurent Jumet KeyID: 0xCFAF704C From rjh at sixdemonbag.org Fri Feb 9 07:18:19 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 9 Feb 2007 00:18:19 -0600 Subject: Random numbers Message-ID: <4B919F51-BAC3-476B-B890-26A1578EF5F0@sixdemonbag.org> While this may be off-topic, sometimes the community needs a good laugh, and today's XKCD provides a good laugh about random numbers. :) http://www.xkcd.net From wk at gnupg.org Fri Feb 9 10:25:36 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 10:25:36 +0100 Subject: GnuPG on MS Vista In-Reply-To: (Robert J. Hansen's message of "Thu\, 8 Feb 2007 16\:02\:10 -0600") References: <45CB86F1.7000607@gmail.com> <20070208204532.GA23127@jabberwocky.com> <45CB9195.40304@gmail.com> Message-ID: <87veibisxb.fsf@wheatstone.g10code.de> On Thu, 8 Feb 2007 23:02, rjh at sixdemonbag.org said: > That's up to the GnuPG developers, and whether they have any Vista > boxes available to do regression testing on. They may have already No, I don't have decent hardware to install Vista on it. I plan to do so but it may take sometime. A points which needs some investigation is the entropy gatherer - this is very system specific code and we need to check whether it will still deliver enough entropy. Shalom-Salam, Werner From antonio.bleile at seac02.it Fri Feb 9 11:11:41 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 11:11:41 +0100 Subject: Newbie question Message-ID: <45CBFFE900039C45@> (added by postmaster@aa001msb.fastweb.it) Hi all, I have a question concerning an "unusual" way of using gnuPG... I don't want to encrypt emails, I just want to encrypt binary data and deliver that over the internet. Consider the following scenario: I have a program that gets deliverd to various clients. The program is a viewer for 3d models. The viewer can load and display various types of input formats (e.g. CAD models). It can also load models directly from a URL. Now we'd like to put some cool models on our web page but we don't want people to disassemble the file and thus getting to the mathematic definition of a CAD model (people giving you a CAD model of e.g. a brandnew car are very concerned about their data!!!). So I thought to protect the data with public/private key encryption. We encrypt the data with a private key and put the result on our server. Our viewer contains the public key for decryption. You might say that it's easy to get to the data anyway, you just have to dump the memory of the program after the data has been decypted.... But that requires some higher "criminal energy", and I think I can live with the risk... - So actually, my question is: Does this approach make any sense for you crypto-gurus out there? (Please forgive me my ignorance, I have just a vague memory of my cryptography lessons...). - Does libcrypt do the job? - The CAD data may contain a fixed header, so an atacker knowing the header might use this info to easily get the private key? Thank you and kind regards, Toni From antonio.bleile at seac02.it Fri Feb 9 11:36:35 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 11:36:35 +0100 Subject: Newbie question In-Reply-To: <45CC4D3E.907@radde.name> Message-ID: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it) Hi Sven, > Hi! > > Private/Public key does not buy you much in this case if all > you want is to obfuscate the file contents. > Just use some AES implementation with the same symmetric key > on the server and the client. > > Despite you seem to be aware of it, let me stress again: > It cannot possibly be secure if the decryption key is stored > alongside with the enrcypted data (which is why I chose the > word "obfuscate" above). Mh... That means I've missed something really fundamental... When you send an encrypted mail you send the encrypted data and the receiver at some point has both, the public key and your encrypted mail. Else, how should he read your mail? Am I totally wrong? Bye, Toni From wk at gnupg.org Fri Feb 9 11:54:27 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 11:54:27 +0100 Subject: Newbie question In-Reply-To: <45CBFFE900041DDE@> (added by postmaster@aa001msb.fastweb.it) (Antonio Bleile's message of "Fri\, 9 Feb 2007 11\:36\:35 +0100") References: <45CBFFE900041DDE@> Message-ID: <87veibfvoc.fsf@wheatstone.g10code.de> On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said: > Mh... That means I've missed something really fundamental... > When you send an encrypted mail you send the encrypted > data and the receiver at some point has both, the public > key and your encrypted mail. Else, how should he read your > mail? Am I totally wrong? It is the way around. You use the *public* key to *en*crypt to the recipient. The recipent uses his *private* key to *de*crypt. Of course you could include a private key in a viewer software so that anyone can encrypt files for use by this viewer. I think that is what you had in mind. Salam-Shalom, Werner From antonio.bleile at seac02.it Fri Feb 9 12:01:45 2007 From: antonio.bleile at seac02.it (Antonio Bleile) Date: Fri, 9 Feb 2007 12:01:45 +0100 Subject: Newbie question In-Reply-To: <87veibfvoc.fsf@wheatstone.g10code.de> Message-ID: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it) Hi, > On Fri, 9 Feb 2007 11:36, antonio.bleile at seac02.it said: > > > Mh... That means I've missed something really fundamental... > > When you send an encrypted mail you send the encrypted data and the > > receiver at some point has both, the public key and your encrypted > > mail. Else, how should he read your mail? Am I totally wrong? > > It is the way around. You use the *public* key to *en*crypt > to the recipient. The recipent uses his *private* key to *de*crypt. > > Of course you could include a private key in a viewer > software so that anyone can encrypt files for use by this > viewer. I think that is what you had in mind. Exactly. I interchanged the terms. Weird. Shouldn't public be "public"??? Thank you for clearing this up. There are the other two questions still open ;) : - Does libcrypt do the job? I guess so... - The CAD data may contain a fixed header, so an atacker knowing the header might use this info to easily get the private key? Thank's and Salam, Toni From hans.ekbrand at gmail.com Fri Feb 9 11:53:22 2007 From: hans.ekbrand at gmail.com (Hans Ekbrand) Date: Fri, 9 Feb 2007 11:53:22 +0100 Subject: Newbie question In-Reply-To: <45CBFFE900041DDE@> References: <45CC4D3E.907@radde.name> <45CBFFE900041DDE@> Message-ID: <20070209105322.GG28831@localhost.localdomain> On Fri, Feb 09, 2007 at 11:36:35AM +0100, Antonio Bleile wrote: > Hi Sven, > > > Hi! > > > > Private/Public key does not buy you much in this case if all > > you want is to obfuscate the file contents. > > Just use some AES implementation with the same symmetric key > > on the server and the client. > > > > Despite you seem to be aware of it, let me stress again: > > It cannot possibly be secure if the decryption key is stored > > alongside with the enrcypted data (which is why I chose the > > word "obfuscate" above). > > Mh... That means I've missed something really fundamental... > When you send an encrypted mail you send the encrypted > data and the receiver at some point has both, the public > key and your encrypted mail. The receiver has the *private* key. The sender encrypts with the *public* key. -- Hans Ekbrand (http://sociologi.cjb.net) Q. What is that strange attachment in this mail? A. My digital signature, see www.gnupg.org for info on how you could use it to ensure that this mail is from me and has not been altered on the way to you. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: Digital signature Url : /pipermail/attachments/20070209/e5418791/attachment.pgp From wk at gnupg.org Fri Feb 9 14:56:58 2007 From: wk at gnupg.org (Werner Koch) Date: Fri, 09 Feb 2007 14:56:58 +0100 Subject: Newbie question In-Reply-To: <45CC027200049718@> (added by postmaster@aa002msb.fastweb.it) (Antonio Bleile's message of "Fri\, 9 Feb 2007 12\:01\:45 +0100") References: <45CC027200049718@> Message-ID: <87ps8je8np.fsf@wheatstone.g10code.de> On Fri, 9 Feb 2007 12:01, antonio.bleile at seac02.it said: > - Does libcrypt do the job? I guess so... No. Libgcrypt provides basic building blocks but has no support for any specific protocol. > - The CAD data may contain a fixed header, so an atacker knowing > the header might use this info to easily get the private key? It all depends on the protocol used. Getting the protocol right is not easy and thus the best advise I can give is to use an established protocol like OpenPGP or CMS (pkcs#7) For your application I would simply use a different file suffix or a special MIME type and pipe the data through gpg while reading. Salam-Shalom, Werner From jharris at widomaker.com Sat Feb 10 00:41:51 2007 From: jharris at widomaker.com (Jason Harris) Date: Fri, 9 Feb 2007 18:41:51 -0500 Subject: new (2007-02-04) keyanalyze results (+sigcheck) Message-ID: <20070209234151.GA33946@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2007-02-04/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: b3d0aacd19c088a661a19e37d74d7e1996fccb15 14459760 preprocess.keys c946effa31b83959f501dbfe95109d38cab85a69 8480415 othersets.txt b072ddbaceabe9eaa3a4256e7a4aaf10d0a6f6e0 3477622 msd-sorted.txt ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html fccd1b1cf5e7c6611e7950a2a7d741aff08f9153 2278 keyring_stats 397cd852840bb462638ca7096800399f828b7c47 1368288 msd-sorted.txt.bz2 e0ced60c9562daa3032abe7551a26a7a5afce36b 26 other.txt e86c800743a8ab0a16952ebeb6de2e355e27d87f 1839751 othersets.txt.bz2 82ce02825d887ff48aed71efa4ba82b0a7e59957 5880850 preprocess.keys.bz2 3c86a21d7d6e444e43a15f98bc92f8bbf50e0593 14725 status.txt d4973bf6a1f33319d91cd4e7c1f5f6c46214a81f 194595 top1000table.html a23e213fb8c0a2a6064100d392b337127824fdf4 29780 top1000table.html.gz dae7b4ddf0d5d71940632bffb9cdbfe9a54cd80d 9782 top50table.html e26e21e89dc47cbe4a79f8bf775c7eb0edb24341 2529 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 313 bytes Desc: not available Url : /pipermail/attachments/20070209/65be30bf/attachment.pgp From greg at reaume.name Sat Feb 10 01:09:02 2007 From: greg at reaume.name (Greg Reaume) Date: Fri, 09 Feb 2007 19:09:02 -0500 Su