From jbruni at mac.com  Fri Jun  1 20:01:02 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Fri, 1 Jun 2007 11:01:02 -0700
Subject: setting expiration dates
Message-ID: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>

When creating a new subkey, I'm given the option of setting an  
expiration. The prompt allows me to specify a duration for the new  
subkey.

Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0)

Is it possible to set an explicit date (e.g. 31 Dec) rather than a  
duration? I suppose I could compute the number of days, but that's  
annoying.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070601/7ed2fada/attachment.bin 

From dshaw at jabberwocky.com  Fri Jun  1 20:31:26 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 1 Jun 2007 14:31:26 -0400
Subject: setting expiration dates
In-Reply-To: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
Message-ID: <20070601183126.GC8685@jabberwocky.com>

On Fri, Jun 01, 2007 at 11:01:02AM -0700, Joseph Oreste Bruni wrote:
> When creating a new subkey, I'm given the option of setting an expiration. 
> The prompt allows me to specify a duration for the new subkey.
>
> Please specify how long the key should be valid.
>          0 = key does not expire
>       <n>  = key expires in n days
>       <n>w = key expires in n weeks
>       <n>m = key expires in n months
>       <n>y = key expires in n years
> Key is valid for? (0)
>
> Is it possible to set an explicit date (e.g. 31 Dec) rather than a 
> duration? I suppose I could compute the number of days, but that's 
> annoying.

Yes, it is possible.  At the prompt, enter the date in YYYY-MM-DD
format.

David


From jbruni at mac.com  Fri Jun  1 22:01:34 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Fri, 1 Jun 2007 13:01:34 -0700
Subject: setting expiration dates
In-Reply-To: <20070601183126.GC8685@jabberwocky.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
Message-ID: <A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com>


On Jun 1, 2007, at 11:31 AM, David Shaw wrote:

> On Fri, Jun 01, 2007 at 11:01:02AM -0700, Joseph Oreste Bruni wrote:
>> When creating a new subkey, I'm given the option of setting an  
>> expiration.
>> The prompt allows me to specify a duration for the new subkey.
>>
>> Please specify how long the key should be valid.
>>          0 = key does not expire
>>       <n>  = key expires in n days
>>       <n>w = key expires in n weeks
>>       <n>m = key expires in n months
>>       <n>y = key expires in n years
>> Key is valid for? (0)
>>
>> Is it possible to set an explicit date (e.g. 31 Dec) rather than a
>> duration? I suppose I could compute the number of days, but that's
>> annoying.
>
> Yes, it is possible.  At the prompt, enter the date in YYYY-MM-DD
> format.
>
> David


Awesome. Would you consider updating the prompt reflecting that  
capability?

Thanks for the tip.
Joe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070601/f331ff29/attachment-0001.bin 

From jbruni at mac.com  Sat Jun  2 03:16:09 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Fri, 1 Jun 2007 18:16:09 -0700
Subject: setting expiration dates
In-Reply-To: <20070601183126.GC8685@jabberwocky.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
Message-ID: <E44ABB5E-4DDC-419B-BE8C-737F67BACA20@mac.com>


On Jun 1, 2007, at 11:31 AM, David Shaw wrote:

> On Fri, Jun 01, 2007 at 11:01:02AM -0700, Joseph Oreste Bruni wrote:
>> When creating a new subkey, I'm given the option of setting an  
>> expiration.
>> The prompt allows me to specify a duration for the new subkey.
>>
>> Please specify how long the key should be valid.
>>          0 = key does not expire
>>       <n>  = key expires in n days
>>       <n>w = key expires in n weeks
>>       <n>m = key expires in n months
>>       <n>y = key expires in n years
>> Key is valid for? (0)
>>
>> Is it possible to set an explicit date (e.g. 31 Dec) rather than a
>> duration? I suppose I could compute the number of days, but that's
>> annoying.
>
> Yes, it is possible.  At the prompt, enter the date in YYYY-MM-DD
> format.
>

I have another question about key expirations. Suppose I have a key  
that was originally created without an expiration, and I distribute  
that key. Later, I add an expiration date to the original key. Does  
the new expiration have any effect if someone has my key without the  
expiration? In other words, is the expiration date considered a  
discretionary control or a mandatory control?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070601/7040fe23/attachment.bin 

From dshaw at jabberwocky.com  Sat Jun  2 04:20:04 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 1 Jun 2007 22:20:04 -0400
Subject: setting expiration dates
In-Reply-To: <E44ABB5E-4DDC-419B-BE8C-737F67BACA20@mac.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
	<E44ABB5E-4DDC-419B-BE8C-737F67BACA20@mac.com>
Message-ID: <20070602022004.GA10179@jabberwocky.com>

On Fri, Jun 01, 2007 at 06:16:09PM -0700, Joseph Oreste Bruni wrote:

> I have another question about key expirations. Suppose I have a key
> that was originally created without an expiration, and I distribute
> that key.  Later, I add an expiration date to the original key. Does
> the new expiration have any effect if someone has my key without the
> expiration? In other words, is the expiration date considered a
> discretionary control or a mandatory control?

The expiration does not apply to someone who has the key without the
expiration.  It's not really a question of mandatory or discretionary,
but just an out-of-date key.  If and when they update their copy of
your key, they will get the expiration.

David


From henry.bremridge at xobie.com  Sat Jun  2 17:42:33 2007
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Sat, 2 Jun 2007 16:42:33 +0100
Subject: SmartCards and Debian Lenny
Message-ID: <200706021544.l52Fi2fZ027318@rs26.luxsci.com>


Last night my system was updated

cron-apt: Setting up libccid (1.3.0-1) ...
cron-apt: Installing new version of config file /etc/reader.conf.d/libccidtwin ...
cron-apt: Installing new version of config file /etc/libccid_Info.plist ...
cron-apt: Installing new version of config file /etc/udev/pcscd_ccid.rules ...
cron-apt: Restarting PCSC Lite resource manager: pcscd.

Since then on trying to access my smart card (SCR335) I get the following

$ gpg --card-status
winscard_msg.c:97:SHMClientSetupSession() Error: connect to client socket: No such file or directory
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error


I have removed and added all the files specified in http://www.fsfe.org/en/card/howto/card_reader_howto_udev and in particular
-   libpcsclite-dev
-   libpcsclite1
-   pcscd

Can anyone suggest any solutions?


--
Henry
Sat Jun  2 16:42:19 BST 2007


From henry.bremridge at xobie.com  Sat Jun  2 19:49:12 2007
From: henry.bremridge at xobie.com (Henry Bremridge)
Date: Sat, 2 Jun 2007 18:49:12 +0100
Subject: SmartCards and Debian Lenny
In-Reply-To: <200706021544.l52Fi2fZ027318@rs26.luxsci.com>
References: <200706021544.l52Fi2fZ027318@rs26.luxsci.com>
Message-ID: <200706021750.l52Ho2Tr000395@rs26.luxsci.com>

On Sat, Jun 02, 2007 at 04:42:33PM +0100, Henry Bremridge wrote:
 

Many apologies: the solution as highlighted in my syslog was to delete
/var/run/pcscd.pid


--
Henry
Sat Jun  2 18:48:49 BST 2007
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070602/7e421a5b/attachment.pgp 

From jharris at widomaker.com  Sun Jun  3 23:25:43 2007
From: jharris at widomaker.com (Jason Harris)
Date: Sun, 3 Jun 2007 17:25:43 -0400
Subject: new (2007-05-27) keyanalyze results (+sigcheck)
Message-ID: <20070603212543.GA4324@wilma.widomaker.com>


New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2007-05-27/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

6484659effbda4ce7a1da75569a09c1d5d4bce92        14829318        preprocess.keys
2e93f9a98200260202983ac16ce0613ea772010e        8623499 othersets.txt
e4956d5b215f4d9dd77f0f972f5abcff1265e310        3552252 msd-sorted.txt

f38aeff391fc2b8ed07f6d62620992fbea1fe9fb        2278    keyring_stats
f37b6a7973cec8e39a13b2d8ae7a6f79f1af64bc        1397141 msd-sorted.txt.bz2
15c97abcbcd6b13e82a8d95330d0a5d08a303b7d        26      other.txt
f742c2f21896b4e07d9fede9e1c4ded8fe3cd88b        1873083 othersets.txt.bz2
92568db2c700760127a373ed2fc98adfeb7edbf1        6047516 preprocess.keys.bz2
9ba4d9b29ecf8c424fbd8c054621c70171e2d1d0        15205   status.txt
6bbb0681e9d48b08777635234ab15b83207b5ec8        194432  top1000table.html
ca90144b3158b5789011e0741687286c10c2921e        29612   top1000table.html.gz
543753bdb2fee73548f6b8e3a2bc993159894621        9763    top50table.html
846209e98a82e5003577bdea5643041fc9219f09        2529    D3/D39DA0E3

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 313 bytes
Desc: not available
Url : /pipermail/attachments/20070603/94560957/attachment.pgp 

From sunblaster5 at gmail.com  Mon Jun  4 00:40:55 2007
From: sunblaster5 at gmail.com (rocko)
Date: Sun, 03 Jun 2007 15:40:55 -0700
Subject: Can't generate new keys
Message-ID: <1180910455.5793.3.camel@starshatter>

When i try to make a new key i get the following error:
gpg: no writable public keyring found: eof
Key generation failed: eof
I'm using Ubuntu 7.04 and logged on as regular user.
I've generated a key before but i used: sudo gpg --gen-key
that works fine.
I just can't seem to do it as regular user.
Do i have to be root to gen a new key pair?



From tmz at pobox.com  Mon Jun  4 01:36:55 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 3 Jun 2007 19:36:55 -0400
Subject: Can't generate new keys
In-Reply-To: <1180910455.5793.3.camel@starshatter>
References: <1180910455.5793.3.camel@starshatter>
Message-ID: <20070603233655.GE5027@psilocybe.teonanacatl.org>

rocko wrote:
> When i try to make a new key i get the following error:
> gpg: no writable public keyring found: eof
> Key generation failed: eof
> I'm using Ubuntu 7.04 and logged on as regular user.
> I've generated a key before but i used: sudo gpg --gen-key
> that works fine.
> I just can't seem to do it as regular user.

I'd guess that the ownership/permissions on your ~/.gnupg dir and/or
keyring files are not correct.  Check that you own the directory and
the files in ~/.gnupg using "ls -la ~/.gnupg" (as a regular user).  It
should look something like this:

$ ls -la .gnupg/
total 88K
drwx------  2 user user 4.0K Apr  3 15:18 .
drwx------ 43 user user 4.0K Jun  3 20:34 ..
-rw-------  1 user user 9.0K Dec  8 15:51 gpg.conf
-rw-------  1 user user  11K Dec  8 16:02 pubring.gpg
-rw-------  1 user user 9.7K Dec  8 15:56 pubring.gpg~
-rw-------  1 user user  600 Dec  8 15:57 random_seed
-rw-------  1 user user 1.3K Dec  8 15:52 secring.gpg
-rw-------  1 user user 1.3K Dec  8 15:56 trustdb.gpg

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Subtlety is the art of saying what you think and getting out of the
way before it is understood.
    -- Anonymous

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : /pipermail/attachments/20070603/62081cc4/attachment.pgp 

From breen.mullins at gmail.com  Mon Jun  4 02:23:16 2007
From: breen.mullins at gmail.com (Breen Mullins)
Date: Sun, 3 Jun 2007 17:23:16 -0700
Subject: Can't generate new keys
In-Reply-To: <1180910455.5793.3.camel@starshatter>
References: <1180910455.5793.3.camel@starshatter>
Message-ID: <20070604002316.GB29299@Breens-Computer.local>

* rocko <sunblaster5 at gmail.com> [2007-06-03 15:40 -0700]:

>I just can't seem to do it as regular user.
>Do i have to be root to gen a new key pair?

You shouldn't have to be. What are the permissions on 
~/.gnupg ?

Breen
-- 
Breen Mullins
Menlo Park, California


From tmz at pobox.com  Mon Jun  4 03:00:35 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Sun, 3 Jun 2007 21:00:35 -0400
Subject: Can't generate new keys
In-Reply-To: <1180919328.5793.6.camel@starshatter>
References: <1180910455.5793.3.camel@starshatter>
	<20070603233655.GE5027@psilocybe.teonanacatl.org>
	<1180919328.5793.6.camel@starshatter>
Message-ID: <20070604010035.GF5027@psilocybe.teonanacatl.org>

rocko wrote:
> Your right it seems my permissions are wrong:
> acidblue at starshatter:~$ ls -la .gnupg/
> total 40
> drwx------  2 acidblue acidblue 4096 2007-06-03 15:42 .
> drwxr-xr-x 72 acidblue acidblue 4096 2007-06-03 17:59 ..
> -rw-------  1 acidblue acidblue   28 2007-05-19 11:47 gpg.conf
> -rw-------  1 root     root     4203 2007-05-19 11:54 pubring.gpg
> -rw-------  1 root     root     4203 2007-05-19 11:54 pubring.gpg~
> -rw-------  1 acidblue acidblue  600 2007-06-03 15:36 random_seed
> -rw-------  1 root     root     1313 2007-05-19 11:54 secring.gpg
> -rw-------  1 root     root     1280 2007-05-19 11:54 trustdb.gpg
> 
> How do i change this?
> Can i simply 'sudo chmod' the files 
> or do i have to reinstall gpg?

chown is what you want.  Something like this should do the trick:

$ sudo chown -R acidblue. ~/.gnupg

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the world didn't suck, we'd all fall off.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : /pipermail/attachments/20070603/83dafe82/attachment-0001.pgp 

From rjh at sixdemonbag.org  Mon Jun  4 04:12:50 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 3 Jun 2007 22:12:50 -0400
Subject: Can't generate new keys
In-Reply-To: <20070603233655.GE5027@psilocybe.teonanacatl.org>
References: <1180910455.5793.3.camel@starshatter>
	<20070603233655.GE5027@psilocybe.teonanacatl.org>
Message-ID: <6CACFA41-9104-45AD-861B-F1DB50CA21FC@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I'd guess that the ownership/permissions on your ~/.gnupg dir and/or
> keyring files are not correct.  Check that you own the directory and

Additionally, the command 'chown -R my_user_name:my_user_name .gnupg'  
can do magic to fix these problems.

- --
Robert J. Hansen <rjh at sixdemonbag.org>

"Most people are never thought about after they're gone.  'I wonder
where Rob got the plutonium?' is better than most get." -- Phil Munson



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iFYEAREIAAYFAkZjdSIACgkQf2XByo0Cu7MNsQDbBigv89TAx/EOOzU3T1I43Cw9
0sSNO6NXZdTwpQDeLbT/1dK/D5+YJ8Eck0U1bp1Jcw/odNOWfyB804kBHAQBAQgA
BgUCRmN1IgAKCRC3APSC/q+BCesRB/4+a/B1Zr+B8rpDylI5EaMBhgg6s1HrIHoc
pxiHx4Qo47Ef2JL/tNOT8HUCCwYqCgvRWeL5BpmivvWMcSRKbRnSQR/xeFk0hDK3
p1o/UpCW6HD5DKpm8AR0EPfdnLV7UcD6DOE7akR6K3Oc7DDaX02pKzZ8z/hYN+WW
XEvE/e1M1C9JKmmJfE6ao+FLrwHDnKvG0L/meUPXtIUFsa7tIb2m7C9gbINY6k/j
ieRYScqN0NDXSUMZiCzzPSrCh/nBxLxFtnw0EPDKt9S324NlTbbZDV4LyzVElFFQ
MnZUung9ciGmVnoakiNfDSEEErlByAZsJ9v8xCxKZrL5qNpAWhBP
=dpXF
-----END PGP SIGNATURE-----


From sunblaster5 at gmail.com  Mon Jun  4 05:49:20 2007
From: sunblaster5 at gmail.com (rocko)
Date: Sun, 03 Jun 2007 20:49:20 -0700
Subject: Can't generate new keys
In-Reply-To: <20070604010035.GF5027@psilocybe.teonanacatl.org>
References: <1180910455.5793.3.camel@starshatter>
	<20070603233655.GE5027@psilocybe.teonanacatl.org>
	<1180919328.5793.6.camel@starshatter>
	<20070604010035.GF5027@psilocybe.teonanacatl.org>
Message-ID: <1180928960.27953.1.camel@starshatter>

'chown -R user' worked!
thanks everyone

On Sun, 2007-06-03 at 21:00 -0400, Todd Zullinger wrote:
> rocko wrote:
> > Your right it seems my permissions are wrong:
> > acidblue at starshatter:~$ ls -la .gnupg/
> > total 40
> > drwx------  2 acidblue acidblue 4096 2007-06-03 15:42 .
> > drwxr-xr-x 72 acidblue acidblue 4096 2007-06-03 17:59 ..
> > -rw-------  1 acidblue acidblue   28 2007-05-19 11:47 gpg.conf
> > -rw-------  1 root     root     4203 2007-05-19 11:54 pubring.gpg
> > -rw-------  1 root     root     4203 2007-05-19 11:54 pubring.gpg~
> > -rw-------  1 acidblue acidblue  600 2007-06-03 15:36 random_seed
> > -rw-------  1 root     root     1313 2007-05-19 11:54 secring.gpg
> > -rw-------  1 root     root     1280 2007-05-19 11:54 trustdb.gpg
> > 
> > How do i change this?
> > Can i simply 'sudo chmod' the files 
> > or do i have to reinstall gpg?
> 
> chown is what you want.  Something like this should do the trick:
> 
> $ sudo chown -R acidblue. ~/.gnupg
> 



From daneshwar.mishra at wipro.com  Mon Jun  4 08:49:06 2007
From: daneshwar.mishra at wipro.com (daneshwar.mishra at wipro.com)
Date: Mon, 4 Jun 2007 12:19:06 +0530
Subject: PLEASE UNSUSCRIBE ME
In-Reply-To: <C1BBF34889A04C4C8ACEE5C7CC753FDF02C2E5AE@PNE-HJN-MBX01.wipro.com>
Message-ID: <C1BBF34889A04C4C8ACEE5C7CC753FDF02D0355C@PNE-HJN-MBX01.wipro.com>


 


Thanks & Regards,
 
Danesh Mishra
 
 

-----Original Message-----
From: gnupg-users-bounces at gnupg.org
[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of
daneshwar.mishra at wipro.com
Sent: Friday, May 18, 2007 2:52 PM
To: vesely at tana.it; gnupg-users at gnupg.org
Subject: RE: Secure text editor?


Hi all,
 
 We are planning to use GPG tool in our application which is JAVA Based.
 Could you please let me know that, how can i use GPG encryption and
decryption using JAVA.
   
 
 
below is criteria on which i have to evaluate GPG
 
Evaluate GPG tool -- 
 
i.Invoking this tool from Java. If this is not supported some other tool
ii.Storage of keys/certificated in keystore iii.Using the
keys/certificates for encryption & decryption.
Note: Encryption and decryption will be of a given file name at any
location.
Means I gon't want to pass input as string but a file name.
I have already gone through GNUPG.java file which does e/d of passed
string.
I am looking for some API which I can directly use.
iv.Encrypt and decrypt for compressed as well as other files like text,
pdf, excel etc.

 
   any help will be appritiable.
 
 
regards,
Danesh 

-----Original Message-----
From: gnupg-users-bounces at gnupg.org
[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of Alessandro Vesely
Sent: Friday, May 18, 2007 12:58 PM
To: gnupg
Subject: Re: Secure text editor?

Ryan Malayter wrote:
> On 5/17/07, Alessandro Vesely <vesely at tana.it> wrote:
>> Not quite. That may happen as an undocumented side effect on some (or

>> all) OS versions, and is not what the function is meant to do.
> 
> The documentation clearly states:
> "These pages are guaranteed not to be written to the pagefile while 
> they are locked."

Ooops, I hadn't noticed that. Yes, then VirtualAlloc and VirtualLock can
be used to avoid leaving traces of sensitive data on the swap file in
the way you described (i.e. lock before fill and sweep before
unlock.)

I still think that's not the kind of task that the function has been
designed for. The authorization constrain you mentioned and other
possible side effect tend to make it unpractical for naive usage.

However, a background console app that allocates a few memory pages for
storing sensitive data (e.g. a gpg agent?) should use it to increase
data security.


_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


The information contained in this electronic message and any attachments
to this message are intended for the exclusive use of the addressee(s)
and may contain proprietary, confidential or privileged information. If
you are not the intended recipient, you should not disseminate,
distribute or copy this e-mail. Please notify the sender immediately and
destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient
should check this email and any attachments for the presence of viruses.
The company accepts no liability for any damage caused by any virus
transmitted by this email.
 
www.wipro.com

_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
 
www.wipro.com


From wk at gnupg.org  Mon Jun  4 10:42:19 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 04 Jun 2007 10:42:19 +0200
Subject: setting expiration dates
In-Reply-To: <A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com> (Joseph Oreste
	Bruni's message of "Fri, 1 Jun 2007 13:01:34 -0700")
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
	<A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com>
Message-ID: <87hcpoxg9g.fsf@wheatstone.g10code.de>

On Fri,  1 Jun 2007 22:01, jbruni at mac.com said:

> Awesome. Would you consider updating the prompt reflecting that
> capability?

Enter a question mark at the prompt to see a help text.


Shalom-Salam,

   Werner




From shavital at mac.com  Mon Jun  4 11:19:48 2007
From: shavital at mac.com (Charly Avital)
Date: Mon, 04 Jun 2007 12:19:48 +0300
Subject: PLEASE UNSUSCRIBE ME
In-Reply-To: <C1BBF34889A04C4C8ACEE5C7CC753FDF02D0355C@PNE-HJN-MBX01.wipro.com>
References: <C1BBF34889A04C4C8ACEE5C7CC753FDF02D0355C@PNE-HJN-MBX01.wipro.com>
Message-ID: <4663D934.1030902@mac.com>

daneshwar.mishra at wipro.com wrote the following on 6/4/07 9:49 AM:
>  
> 
> 
> Thanks & Regards,
>  
> Danesh Mishra

To unsubscribe, please open
<http://lists.gnupg.org/mailman/listinfo/gnupg-users>

Scroll down to:

To unsubscribe from Gnupg-users, get a password reminder, or change your
subscription options enter your subscription email address:
  If you leave the field blank, you will be prompted for your email address

Regards,


From hs2412 at gmail.com  Mon Jun  4 17:26:23 2007
From: hs2412 at gmail.com (hs2412 at gmail.com)
Date: Mon, 04 Jun 2007 20:56:23 +0530
Subject: Question about check command
Message-ID: <1180970783.12442.1193338545@webmail.messagingengine.com>

Hi All

When I run the check command in edit-key mode, it shows me something
like

sig!
or sig!1
or sig!3

What does this mean? 

Regards
Hardeep
Hardeep Singh
h.singh at seeingwithc.org
OpenPGP KeyID: 0x39B8B23B Key: http://tinyurl.com/yghqcg



From pubmb01 at skynet.be  Mon Jun  4 18:09:29 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Mon, 4 Jun 2007 18:09:29 +0200
Subject: decrypt and secret key location
Message-ID: <200706041809.29624.pubmb01@skynet.be>

Hello,
I received an encrypted file called 'test.asc' (recipient is correct, 
hereafter it is truncated) but trying to decrypt it I 
have following error :

gpg --decrypt test.asc
gpg: encrypted with 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11
      "Bruno Costacurta <bruno at __nospam_here__org>"
gpg: decryption failed: secret key not available

Is it only key location?
If so, how / where can I indicate my private key location ?
If not, what type of problem ?

Many thanks for help,
Bruno Costacurta

-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070604/d4a20b78/attachment.pgp 

From michael at vorlon.ping.de  Mon Jun  4 19:00:05 2007
From: michael at vorlon.ping.de (Michael Bienia)
Date: Mon, 4 Jun 2007 19:00:05 +0200
Subject: Problem decrypting a mail with an OpenPGP card
Message-ID: <20070604170005.GA8633@vorlon.ping.de>

Hello,

I've got three mails (from the same person) with my signed key (one for
each uid). I can decrypt two of the three mails but not the third:

$ gpg broken-gpg.mail 
gpg: sending command `SCD PKDECRYPT' to agent failed: ec=6.131
gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
      "Michael Bienia <michael at vorlon.ping.de>"
gpg: public key decryption failed: general error
gpg: decryption failed: secret key not available

$ gpg2 broken-gpg.mail 
gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
      "Michael Bienia <michael at vorlon.ping.de>"
gpg: public key decryption failed: Conditions of use not satisfied
gpg: decryption failed: No secret key

gpg is version 1.4.6, gpg2 is version 2.0.4 and I'm running Ubuntu
feisty. I'm using the gpg-agent but I've also tried without the agent
but it failed also.

What could be the problem?

Here is the output for one of the working mails:

$ gpg2 -vv good-gpg.mail 
gpg: armor: BEGIN PGP MESSAGE
Version: GnuPG v1.4.6 (GNU/Linux)
:pubkey enc packet: version 3, algo 1, keyid FB50DDA4AF58F2B4
        data: [1024 bits]
gpg: armor header: 
gpg: public key is AF58F2B4
gpg: using subkey AF58F2B4 instead of primary key 968BD587
gpg: public key encrypted data: good DEK
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: using subkey AF58F2B4 instead of primary key 968BD587
gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
      "Michael Bienia <michael at vorlon.ping.de>"
gpg: AES256 encrypted data
:compressed packet: algo=3
:literal data packet:
        mode b (62), created 1180971809, name="",
        raw data: unknown length
gpg: original file name=''
gpg: good-gpg.mail: unknown suffix

and here for the non-working mail:

$ gpg2 -vv broken-gpg.mail 
gpg: armor: BEGIN PGP MESSAGE
Version: GnuPG v1.4.6 (GNU/Linux)
:pubkey enc packet: version 3, algo 1, keyid FB50DDA4AF58F2B4
        data: [1013 bits]
gpg: armor header: 
gpg: public key is AF58F2B4
gpg: using subkey AF58F2B4 instead of primary key 968BD587
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: using subkey AF58F2B4 instead of primary key 968BD587
gpg: encrypted with 1024-bit RSA key, ID AF58F2B4, created 2006-03-13
      "Michael Bienia <michael at vorlon.ping.de>"
gpg: public key decryption failed: Conditions of use not satisfied
gpg: decryption failed: No secret key


Michael


From bahamut at digital-signal.net  Mon Jun  4 21:38:30 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Mon, 04 Jun 2007 14:38:30 -0500
Subject: [Fwd: Re: decrypt and secret key location]
Message-ID: <46646A36.4050402@digital-signal.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Bruno Costacurta wrote:
> Hello, I received an encrypted file called 'test.asc' (recipient is
> correct, hereafter it is truncated) but trying to decrypt it I have
> following error :
>
> gpg --decrypt test.asc gpg: encrypted with 2048-bit ELG-E key, ID
> 0CC897B5, created 2006-06-11 "Bruno Costacurta
> <bruno at __nospam_here__org>" gpg: decryption failed: secret key not
> available
>
> Is it only key location? If so, how / where can I indicate my
> private key location ? If not, what type of problem ?
Your secret key should be in ~./gnupg/secring.gpg. If you ran GPG from
the command line and don't have homedir explicitly overwritten, that's
where it is created when you generate a new key pair.

If you run gpg --help, what does it say is the home directory?
If you run gpg -K, are any keys listed?
If you run gpg --list-keys, is your public key listed?



[forgot to change the address again :p]
- --
Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.0 | Enigmail 0.95.0 | GPG
1.4.7
Key ID: 0x60A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iQEVAwUBRmRqNviOA0Bgp4/LAQN2kwf+PyPszDM1wFNhn+GrPB4fWTUn8FIlFEQH
nrtjbSoUOoKLbWzkrWqJqit7XZ2W6xfJMhZYSeaunLGyRPQ9bm1RgJlgUCfuR8kM
I1qwT5bCmDY6QcVuM0aw869DyJQJT6HdUI7fiBQeIOmPpujBJeT5+oi/jihaA34P
+j5ZLitgHLhycyQLy5Ryw1iaxmwMFLNZRGlwsLATHgO2j8BFxYQYuiXbV1Hcx5Cc
VJ4bGXrD/Frd7syMWGN3iG5MsRHnnGDfzhwJ6w0z6XQyg4rG4ClKas2gOQHnc8GK
lzjSYtDu/e3KtNlEq0jQxgmXTWvuuY6H5r+h5j9nt+1RdY4OCxYi8Q==
=2Yn8
-----END PGP SIGNATURE-----



From pubmb01 at skynet.be  Mon Jun  4 22:41:06 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Mon, 4 Jun 2007 22:41:06 +0200
Subject: [Fwd: Re: decrypt and secret key location]
In-Reply-To: <46646A36.4050402@digital-signal.net>
References: <46646A36.4050402@digital-signal.net>
Message-ID: <200706042241.06517.pubmb01@skynet.be>

On Monday 04 June 2007 21:38, Andrew Berg wrote:
> Bruno Costacurta wrote:
> > Hello, I received an encrypted file called 'test.asc' (recipient is
> > correct, hereafter it is truncated) but trying to decrypt it I have
> > following error :
> >
> > gpg --decrypt test.asc gpg: encrypted with 2048-bit ELG-E key, ID
> > 0CC897B5, created 2006-06-11 "Bruno Costacurta
> > <bruno at __nospam_here__org>" gpg: decryption failed: secret key not
> > available
> >
> > Is it only key location? If so, how / where can I indicate my
> > private key location ? If not, what type of problem ?
>
> Your secret key should be in ~./gnupg/secring.gpg. If you ran GPG from
> the command line and don't have homedir explicitly overwritten, that's
> where it is created when you generate a new key pair.
>
> If you run gpg --help, what does it say is the home directory?
> If you run gpg -K, are any keys listed?
> If you run gpg --list-keys, is your public key listed?
>
>
>
Thanks for your attention.
However my GPG setup looks fine:

/home/bruno: gpg -K
/home/bruno/.gnupg/secring.gpg
------------------------------
sec   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at __nospam_here__org>
uid                  Bruno Costacurta <pubmb01 at skynet.be>

/home/bruno: gpg --list-keys 0x2e604d51
pub   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at __nospam_here__org>
uid                  Bruno Costacurta <cob1 at biz.tiscali.be>
uid                  Bruno Costacurta <contract at __nospam_here__org>
uid                  Bruno Costacurta <pubmb01 at skynet.be>
sub   2048g/0CC897B5 2006-06-11


Thanks for any clue.
Bye,
Bruno Costacurta


From jbruni at mac.com  Tue Jun  5 00:17:21 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Mon, 4 Jun 2007 15:17:21 -0700
Subject: setting expiration dates
In-Reply-To: <87hcpoxg9g.fsf@wheatstone.g10code.de>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
	<A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com>
	<87hcpoxg9g.fsf@wheatstone.g10code.de>
Message-ID: <A48988D0-A339-42E8-9EBA-3389998C21FF@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


On Jun 4, 2007, at 1:42 AM, Werner Koch wrote:

> On Fri,  1 Jun 2007 22:01, jbruni at mac.com said:
>
>> Awesome. Would you consider updating the prompt reflecting that
>> capability?
>
> Enter a question mark at the prompt to see a help text.


This is interesting: After changing my encryption subkey's expiration  
by a few days (from 2008-02-07 to 2008-01-01), I tried to upload the  
updated key to the PGP Global Directory (http://keyserver.pgp.com).  
It complained that my key had expired, but it hasn't. Submitting the  
key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't  
have a problem. My key ID is CD5518C7 if you want to look at it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iQEVAwUBRmSPcVGV1jrNVRjHAQhiUQf/dZ8K+X/7XnmOooDRfiDaEzTixUk5PQMb
23omFxrzwF7spckQILuxapGPh55RAKL9NlCXfRIRR+HJOLbTNjLeEfPDIgU3IWHr
x3jd4lC7lqbcbNRHisF1K4bF1GUzSg0cOHRI8oqgx6OWa3pIGhR0VGvuF7AJq/XY
rXvkwbL+U4BBiIHwR92dZmUpATvAs8twBdRv7/0BP2pZBhCubL19kIuUiMJPJMfK
CcnD1VVSUMOce2PhTMzhBCZBb33rkw73aokTFxoJulA29ZST/aR2wcC5od8GbTJO
05RVrPDko2DOE8gdL6WCoWkAfFpbRRbhPGYDOmkn7SHTbsvFe4wFqg==
=/BQI
-----END PGP SIGNATURE-----


From hhhobbit at securemecca.net  Tue Jun  5 02:59:24 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Mon, 04 Jun 2007 18:59:24 -0600
Subject: gpg and cron
In-Reply-To: <mailman.4149.1180728147.22484.gnupg-users@gnupg.org>
References: <mailman.4149.1180728147.22484.gnupg-users@gnupg.org>
Message-ID: <4664B56C.6010605@securemecca.net>

Peter S. May wrote:

> 
> Arsha Bertie wrote:
>> i have been trying to run a script which encrypts and transfers files
>> between 2 branches, i am using gpg for encryption, i have written a bash
>> script and the script is working perfectly fine, but when i run it off a
>> cron it doesnt want to work. 
> 
> Are you also testing the command manually as root?  If not, you'll
> probably want to run the task from your own user instead (you can edit
> your own user's cron tasks by doing "crontab -e").
> 
>> 30 * * * * root /backup/encrypt.sh > /tmp/ab.log
>> ~
>>
>>
>> Thr log file /tmp/ab.log is created after the cron executes but it is an
> 
> If you're trying to get the errors, you need to redirect stderr (i.e.
> "2>"), not stdout (i.e., ">").  Try:
> 
> /backup/encrypt.sh 2> /tmp/ab.log
> 
> Good fortune
> PSM

I am sorry I didn't see this earlier.  I would have answered it
individually.  cron frequently gives your shell script a very
abbreviated PATH since almost nothing is sourced.  In fact it is
so abbreviated that on some systems it is only /bin and /usr/bin.
It varies depending on the system you are on and which shell you
are using. First try a testgpgpath.sh script via cron:

#!/bin/bash

SAVEHISTSIZE=${HISTSIZE}
HISTSIZE=0
export HISTSIZE

rm -f /tmp/cron.log
touch /tmp/cron.kog
echo default cron PATH is >> /tmp/cron.log 2>&1
echo $PATH >>  /tmp/cron.log 2>&1
echo >> /tmp/cron.log 2>&1

# just make sure the gpg version you are using is in the PATH first
PATH=/usr/local/bin:${PATH}:/usr/local/sbin ; export PATH
echo enhanced cron PATH is >> /tmp/cron.log 2>&1
echo $PATH >>  /tmp/cron.log 2>&1
echo >> /tmp/cron.log 2>&1

echo GPG version >> /tmp/cron.log 2>&1
gpg --version >> /tmp/cron.log 2>&1

HISTSIZE=${SAVEHISTSIZE}
export HISTSIZE

exit

The BASH you have may or may not do the history in the way I
mentioned but you probably don't want a history of the encryption
taking place even if you are encrypting to secret key and thus
don't need a password (the history MAY not be advisable, but the
password NOT being in the script IS advisable).

You can get a good idea of what to put where with a:

$ echo $PATH

Rather than adding as I did above, I SET the path in the script
so I know exactly what I have.  I also frequently specify the
path of the shell (in case you forget to give the file the
proper perms):

30 * * * * /bin/sh < /backup/encrypt.sh > /tmp/ab.log 2>&1

I don't know what the "root" is doing there.  If you want it to be
run by root, then login as root and do a "crontab -e" to enter the
information (be sure to set EDITOR to the editor of your choice).
Are you sure you want this done every 30 minutes? It seems like
something you would want done every 24 hours, and if that was done
at 3:30 every morning the line would be:

30 3 * * * /bin/sh < /backup/encrypt.sh > /tmp/ab.log 2>&1
0,15,30,45 * * * * /bin/sh < /backup/testgpgpath.sh > \
	/tmp/testgpgpath.log 2>&1

Don't forget to remove the testgpgpath.  The other thing is that
root usually doesn't have keys, but just copying the ones you
want to /root/.gnupg makes that possible.

HHH


From ivalladt at punkass.com  Tue Jun  5 10:04:13 2007
From: ivalladt at punkass.com (Ismael Valladolid Torres)
Date: Tue, 05 Jun 2007 10:04:13 +0200
Subject: decrypt and secret key location
In-Reply-To: <200706041809.29624.pubmb01@skynet.be>
References: <200706041809.29624.pubmb01@skynet.be>
Message-ID: <20070605080413.GC3712@punkass.com>

Bruno Costacurta escribe:
> If so, how / where can I indicate my private key location ?

Of course so it seems. Where's your private key located?

Cordially, Ismael
-- 
Ismael Valladolid Torres  m. +34679156321
La media hostia           j. ivalladt at gmail.com

http://lamediahostia.blogspot.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070605/ef804218/attachment.pgp 

From claude at poliakoff.org  Sun Jun  3 09:05:56 2007
From: claude at poliakoff.org (Claude Poliakoff, MD FACS)
Date: Sun, 03 Jun 2007 00:05:56 -0700
Subject: initial GnuPG install?
Message-ID: <46626854.30004@poliakoff.org>

Your posted instructions were quite clear. I checked for prior instances 
of gpg.exe and found none. downloaded and installed the Windows XP 
binary, tried entering gpg.exe in a DOS cmd window, and command not 
recognized, so off to Control Panel>System>advanced tab & added    
;C:\Program Files\GNU\GnuPG    with no improvement. So checked again for 
instance of gpg.exe in search of entire system, again finding no 
instance thereof. Help appreciated as I am very intrigued by the 
prospect of pluggin in OpenPGP for both authentication and encryption.

Thanks in advance.
Claude


From pubmb01 at skynet.be  Tue Jun  5 11:16:08 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Tue, 5 Jun 2007 11:16:08 +0200
Subject: decrypt and secret key location
In-Reply-To: <20070605080413.GC3712@punkass.com>
References: <200706041809.29624.pubmb01@skynet.be>
	<20070605080413.GC3712@punkass.com>
Message-ID: <200706051116.08316.pubmb01@skynet.be>

On Tuesday 05 June 2007 10:04:13 Ismael Valladolid Torres wrote:
> Bruno Costacurta escribe:
> > If so, how / where can I indicate my private key location ?
>
> Of course so it seems. Where's your private key located?
>
> Cordially, Ismael


Thanks for attention.
Private key is located in ~/.gnupg (as reflected hereafter) which is the 
standard location.

gpg -K
/home/bruno/.gnupg/secring.gpg
------------------------------
sec   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at _anti_spam_here.org>
uid                  pubmb01 <pubmb01 at skynet.be>
uid                  Bruno Costacurta <contract at _anti_spam_here.org>

 /home/bruno: gpg --list-secret-keys 0x2e604D51
sec   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at _anti_spam_here.org>
uid                  Bruno Costacurta <contract at _anti_spam_here.org>
uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
uid                  Bruno Costacurta <pubmb01 at skynet.be>


Thanks for any clue or idea.
Bye,
Bruno

-- 
PGP key ID: 0x2e604d51
Key : http://www._anti_spam_here.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070605/4292410d/attachment.pgp 

From stefan at mail.swiftos.de  Tue Jun  5 10:20:30 2007
From: stefan at mail.swiftos.de (Stefan Grote)
Date: Tue, 05 Jun 2007 10:20:30 +0200
Subject: Unerwartetes IPC Kommando
Message-ID: <46651CCE.8050006@mail.swiftos.de>

Hallo *,

ich habe gpg agent mit Smartcard und Openssh Support installiert, und 
moechte nun mich via SSH an einem entfernten Rechner anmelden, dabei 
soll der Key von der Smartcard genutzt werden.

Hier meine config Files:

.gnupg/gpg-agent.conf

pinentry-programm /usr/bin/pinentry-qt
enable-ssh-support
scdaemon-program /usr/bin/scdaemon

default cache-ttl-ssh 7200
default-cache-ttl        7200
max-cache-ttl-ssh       7200
max-cache-ttl              7200
default-cache-ttl         200

allow-preset-passphrase
no-grab


.gnupg/scdaemon.conf

verbose
debug 2048
log-file /home/stefan/scdaemon.log


ssh-add -l und ssh-add -L geben den Korrekten Fingerprint und Public Key 
der Karte aus,
versuche ich nun mich via SSH anzumelden bekomme ich folgende 
Fehlermeldung:

Agent admitted failure to sign using the key.

aus fruheren postings wei? ich das dies meist etwas mit dem Pinentry bzw 
mit dem PIN callback.


tail -f scdaemon.log:

scdaemon[2171] DBG: asking for PIN 'PIN'
scdaemon[2171] PIN callback returned error:  Unerwartetes IPC Kommando
scdaemon[2171] operation auth result: Unerwartetes IPC Kommando
scdaemon[2171] app_auth_sign failed: Unterwartetes IPC Kommando


Das Pinentry Programm erscheint auch nicht. Wenn ich pinentry <getpin> 
eingebe erscheint es allerdings.

Jemand eine idee woran das liegen kann?

Danke!

Stefan


From bahamut at digital-signal.net  Wed Jun  6 14:56:44 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Wed, 06 Jun 2007 07:56:44 -0500
Subject: initial GnuPG install?
In-Reply-To: <46626854.30004@poliakoff.org>
References: <46626854.30004@poliakoff.org>
Message-ID: <4666AF0C.1030608@digital-signal.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Claude Poliakoff, MD FACS wrote:
> downloaded and installed the Windows XP binary, tried entering
> gpg.exe in a DOS cmd window, and command not recognized, so off to
> Control Panel>System>advanced tab & added ;C:\Program
> Files\GNU\GnuPG    with no improvement. So checked again for
> instance of gpg.exe in search of entire system, again finding no
> instance thereof.
So you ran the installer, but no copy of gpg.exe was on the drive
afterward. Is that correct?

- --
Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.0 | Enigmail 0.95.0 | GPG
1.4.7
Key ID: 0x60A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iQEVAwUBRmavC/iOA0Bgp4/LAQNXnAgAzAUuGMbcCA+gb8Wqkbo+/MPFDt4dHbmo
7ev+5CPzzXDKjNeVfR8nuRHv2oaj1s27bNh0BWDklkIFwiUWK+tPzimNjMdaoO1Q
wB3i+JUPHFJ9QMwVWB9oRcKTLkar+ardQLeA690fkj47JL+OHjWcNzc9ONxFi8On
hRuXepRVYb1TRlWD4F09T3KW2MoV+En1OJPdnXHjbbGdvssY9L0AdmwRZdulQmSU
+VjR3iXp1PHyBJ2vj1S+OyyX64zczCg7ygHMfv0h6P7Iem9soqnpBAOqMsKRdxnI
cHcO8QSIvuNGua7EO9O8A9+GjnVTu/xIltU0PoPPvN5qnVG9XxLXOg==
=h3gi
-----END PGP SIGNATURE-----



From bahamut at digital-signal.net  Wed Jun  6 16:09:18 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Wed, 06 Jun 2007 09:09:18 -0500
Subject: decrypt and secret key location
In-Reply-To: <200706061504.43712.pubmb01@skynet.be>
References: <200706041809.29624.pubmb01@skynet.be>
	<200706042208.26422.pubmb01@skynet.be>
	<4666AD2B.9030306@digital-signal.net>
	<200706061504.43712.pubmb01@skynet.be>
Message-ID: <4666C00E.5070708@digital-signal.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Bruno Costacurta wrote:
> I received an email from you with an ecrypted message. When I tried
> to decrypt :
>
> gpg -v -v --decrypt test01.asc gpg: armor: BEGIN PGP MESSAGE gpg:
> armor header: Charset: UTF-8 gpg: armor header: Version: GnuPG
> v1.4.7 (MingW32) gpg: armor header: Comment: Using GnuPG with
> Mozilla - http://enigmail.mozdev.org :pubkey enc packet: version 3,
> algo 16, keyid 42531C9A0CC897B5 data: [2048 bits] data: [2047 bits]
>  gpg: public key is 0CC897B5 :pubkey enc packet: version 3, algo 1,
> keyid BBC3C45BBBC5C9CF data: [2046 bits] gpg: public key is
> BBC5C9CF :encrypted data packet: length: unknown mdc_method: 2 gpg:
> using subkey BBC5C9CF instead of primary key 60A78FCB gpg:
> encrypted with 2048-bit RSA key, ID BBC5C9CF, created 2007-04-20
> "Andrew Berg <bahamut at digital-signal.net>" gpg: using subkey
> 0CC897B5 instead of primary key 2E604D51 gpg: encrypted with
> 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11 "Bruno
> Costacurta <bruno at costacurta.org>" gpg: decryption failed: secret
> key not available
>
>
> So I'm still having the problem about my secret key not
> available...
Looks like a subkey problem. I used the public key I got from a
keyserver, which verifies that signed message.
The lines that say it's using a subkey instead of the primary key seem
to be the problem. Unfortunately, I know almost nothing about subkeys.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iQEVAwUBRmbADfiOA0Bgp4/LAQN/QQf+IGqq1rs+aLBe+Xy4ZjbD4Za2wjnMGeoB
D9akrHJw+Tf7J/m+cqIYFrG/9lhm9Jf6sAdQRSYiUmuQ7qMl1fdaBkhnjrvOPw1o
NUWp2SBay0HPZGC9eCU36Lj+/wtuQZN9OR/2Y9YvEL92r/t9oT0poYtE0DSvxH4U
Md9orLNgBHwbi8N1Yp5jD2P6CtlkRKkLEDSg4QEh4f5LOP6GZRc90046ceJ4a+UH
xZviIsf5Zk8XdcJBb5xjVVOpGPvwftCZ2+D7QrFUu7a0rjNpjCVnlrmOe3w/+E4x
dQ8aAgL0V4DTkTS2ZSMtmH2f2A8xK9bZoaoymtTpTwuWCJIhgAOeHQ==
=kIIj
-----END PGP SIGNATURE-----



From pubmb01 at skynet.be  Wed Jun  6 16:23:58 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Wed, 6 Jun 2007 16:23:58 +0200
Subject: decrypt : primary key or subkey ?
Message-ID: <200706061623.59065.pubmb01@skynet.be>

Hello,
I'm not able to decrpyt message as I received hereafter message about using 
subkey instead of primary key. 

Is this correct ? Could it be the problem relies on the usage of this subkey ?
If yes, how to manage my keyring regarding this 
subkey (which is obviously used for en/decrypting not for signing) to be able 
to decrypt ?

gpg -v -v --decrypt msg.asc
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
:pubkey enc packet: version 3, algo 16, keyid 42531C9A0CC897B5
        data: [2048 bits]
        data: [2048 bits]
gpg: public key is 0CC897B5
:encrypted data packet:
        length: unknown
        mdc_method: 2
gpg: using subkey 0CC897B5 instead of primary key 2E604D51
gpg: encrypted with 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11
      "Bruno Costacurta <bruno at costacurta.org>"
gpg: decryption failed: secret key not available

Bye,
Bruno

-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070606/12d93be6/attachment.pgp 

From dave.smith at st.com  Wed Jun  6 16:48:45 2007
From: dave.smith at st.com (David SMITH)
Date: Wed, 6 Jun 2007 15:48:45 +0100
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706061623.59065.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
Message-ID: <20070606144845.GH10506@bristol.st.com>

On Wed, Jun 06, 2007 at 04:23:58PM +0200, Bruno Costacurta wrote:
> Hello,
> I'm not able to decrpyt message as I received hereafter message about using 
> subkey instead of primary key. 
> 
> Is this correct ? Could it be the problem relies on the usage of this subkey ?
> If yes, how to manage my keyring regarding this 
> subkey (which is obviously used for en/decrypting not for signing) to be able 
> to decrypt ?

IME it is normal to get this message when using subkeys.

If you do 'gpg --list-keys --verbose', does it list the subkey 0CC897B5?
What about when you do 'gpg --list-secret-keys'?


-- 
David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380          GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk


From hhhobbit at securemecca.net  Wed Jun  6 17:20:48 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Wed, 06 Jun 2007 09:20:48 -0600
Subject: initial GnuPG install? 
In-Reply-To: <mailman.4449.1181138794.22484.gnupg-users@gnupg.org>
References: <mailman.4449.1181138794.22484.gnupg-users@gnupg.org>
Message-ID: <4666D0D0.9020301@securemecca.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Andrew Berg <bahamut at digital-signal.net> wrote:
>
> Claude Poliakoff, MD FACS wrote:
>> downloaded and installed the Windows XP binary, tried entering
>> gpg.exe in a DOS cmd window, and command not recognized, so off
>> to Control Panel -> System -> advanced tab & added
>> ;C:\Program Files\GNU\GnuPG  with no improvement. So checked
>> again for instance of gpg.exe in search of entire system, again
>> finding no instance thereof.
> So you ran the installer, but no copy of gpg.exe was on the
> drive afterward. Is that correct?

Yes, in which case nothing got installed. BUT type the following
in case you have both 2003 Server installed first and XP second
(or some other dual Microsoft OS arrangement) on the same machine:

C:\> set

Search for your %SystemDrive% variable in XP and make sure it is
C:, since in the scenario I just gave, your %SystemDrive% for the
XP OS will be E: (one CD/DVD drive) or F: (two CD/DVD drives).
A good installer actually uses the %ProgramFiles% environment
variable to do a proper install.  Don't feel bad if that is what
you did - I do it frequently myself.  You get used to C: be the
%SystemDrive%.  Another way you can end up with there not being
a C: %SystemDrive% is a reinstall of an OS.

The other thing is that after you made the change to the %Path%
environment variable, did you close the Command Prompt and open
a new one up?  The change doesn't take affect until you do that
on XP or 2003 Server.  With W2K you actually have to log out and
log back in to get the new path.  The output of the "set" command
should reflect the addition in the %Path% list.

HHH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZtDQr3QZv1upb6wRClxQAKCBdzRc4xdxyA5rZwKOUzZAZL/tjwCdEjME
dQAhGQOzd5kt4upJ/DbVKYc=
=ev/r
-----END PGP SIGNATURE-----


From pubmb01 at skynet.be  Wed Jun  6 17:14:18 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Wed, 6 Jun 2007 17:14:18 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <20070606144845.GH10506@bristol.st.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<20070606144845.GH10506@bristol.st.com>
Message-ID: <200706061714.18438.pubmb01@skynet.be>

On Wednesday 06 June 2007 16:48:45 David SMITH wrote:
> On Wed, Jun 06, 2007 at 04:23:58PM +0200, Bruno Costacurta wrote:
> > Hello,
> > I'm not able to decrpyt message as I received hereafter message about
> > using subkey instead of primary key.
> >
> > Is this correct ? Could it be the problem relies on the usage of this
> > subkey ? If yes, how to manage my keyring regarding this
> > subkey (which is obviously used for en/decrypting not for signing) to be
> > able to decrypt ?
>
> IME it is normal to get this message when using subkeys.
>
> If you do 'gpg --list-keys --verbose', does it list the subkey 0CC897B5?
> What about when you do 'gpg --list-secret-keys'?


It seems the problem is here...

gpg --list-secret-keys -v  0x2E604D51
gpg: using PGP trust model
gpg: no secret subkey for public subkey 0CC897B5 - ignoring
sec   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at costacurta.org>
uid                  Bruno Costacurta <contract at costacurta.org>
uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
uid                  Bruno Costacurta <pubmb01 at skynet.be>

So I simply do not have a secret for my subkey.
How can I add one ?
Thanks for your attention.

Bye,
Bruno

-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070606/8f2cb312/attachment.pgp 

From dave.smith at st.com  Wed Jun  6 18:01:21 2007
From: dave.smith at st.com (David SMITH)
Date: Wed, 6 Jun 2007 17:01:21 +0100
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706061714.18438.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
	<20070606144845.GH10506@bristol.st.com>
	<200706061714.18438.pubmb01@skynet.be>
Message-ID: <20070606160121.GI10506@bristol.st.com>

On Wed, Jun 06, 2007 at 05:14:18PM +0200, Bruno Costacurta wrote:
> gpg --list-secret-keys -v  0x2E604D51
> gpg: using PGP trust model
> gpg: no secret subkey for public subkey 0CC897B5 - ignoring
> sec   1024D/2E604D51 2006-06-11
> uid                  Bruno Costacurta <bruno at costacurta.org>
> uid                  Bruno Costacurta <contract at costacurta.org>
> uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
> uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
> uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
> uid                  Bruno Costacurta <pubmb01 at skynet.be>
> 
> So I simply do not have a secret for my subkey.
> How can I add one ?

You can't "add" a secret key to a public one - otherwise, there wouldn't
be much point to public key cryptography...

You will have generated a secret key when you generated the public key -
they're generated together.  Somehow you've managed to lose the secret
key.  You need to look around in the places where you generated/stored
the key to see if you can find it.  If you can't find it, then I'm
afraid that you're stuffed - you won't be able to decrypt your encrypted
information (short of brute-force cracking it).

Sorry for being the bearer of bad news...

-- 
David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380          GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk


From pubmb01 at skynet.be  Wed Jun  6 18:53:48 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Wed, 6 Jun 2007 18:53:48 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <20070606160121.GI10506@bristol.st.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706061714.18438.pubmb01@skynet.be>
	<20070606160121.GI10506@bristol.st.com>
Message-ID: <200706061853.56601.pubmb01@skynet.be>

On Wednesday 06 June 2007 18:01, David SMITH wrote:
> On Wed, Jun 06, 2007 at 05:14:18PM +0200, Bruno Costacurta wrote:
> > gpg --list-secret-keys -v  0x2E604D51
> > gpg: using PGP trust model
> > gpg: no secret subkey for public subkey 0CC897B5 - ignoring
> > sec   1024D/2E604D51 2006-06-11
> > uid                  Bruno Costacurta <bruno at costacurta.org>
> > uid                  Bruno Costacurta <contract at costacurta.org>
> > uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
> > uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
> > uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
> > uid                  Bruno Costacurta <pubmb01 at skynet.be>
> >
> > So I simply do not have a secret for my subkey.
> > How can I add one ?
>
> You can't "add" a secret key to a public one - otherwise, there wouldn't
> be much point to public key cryptography...
>
> You will have generated a secret key when you generated the public key -
> they're generated together.  Somehow you've managed to lose the secret
> key.  You need to look around in the places where you generated/stored
> the key to see if you can find it.  If you can't find it, then I'm
> afraid that you're stuffed - you won't be able to decrypt your encrypted
> information (short of brute-force cracking it).
>
> Sorry for being the bearer of bad news...

Sorry but indeed I have the secret key for 0x2E604D51 and it's valid (I just 
installed my gpg keyrings on a new computer and use it for signing).
The 0CC897B5 is a subkey and was created automatically with 0x2E604D5 creation 
and never ask specific password.

Bye,
Bruno

--
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED ?1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070606/fdd62d82/attachment.pgp 

From shavital at mac.com  Wed Jun  6 18:56:20 2007
From: shavital at mac.com (Charly Avital)
Date: Wed, 06 Jun 2007 19:56:20 +0300
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706061623.59065.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
Message-ID: <4666E734.8020305@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Bruno Costacurta wrote the following on 6/6/07 5:23 PM:
> Hello,
> I'm not able to decrpyt message as I received hereafter message about using 
> subkey instead of primary key. 

This is your public key, as I have just downloaded it from the servers:
- ----------
pub  1024D/2E604D51  created: 2006-06-11  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/0CC897B5  created: 2006-06-11  expires: never       usage: E
[ unknown] (1). Bruno Costacurta <bruno at costacurta.org>
[ revoked] (2)  pubmb01 <pubmb01 at skynet.be>
[ revoked] (3)  pubmb02 <pubmb02 at skynet.be>
[ revoked] (4)  Bruno Costacurta <cob1 at biz.tiscali.be>
[ unknown] (5)  Bruno Costacurta <pubmb01 at skynet.be>
[ unknown] (6)  Bruno Costacurta <contract at costacurta.org>
- ----------
> 
> Is this correct ? Could it be the problem relies on the usage of this subkey ?
> If yes, how to manage my keyring regarding this 
> subkey (which is obviously used for en/decrypting not for signing) to be able 
> to decrypt ?

As you can see, your primary key 1024D/2E604D51 is used for SC (Sign,
Certify).
The subkey 2048g/0CC897B5 is used for E encrypting *to you*. Not for
decrypting.

For decrypting you use your secret key (copy/paste of your own
prompt/output):
/home/bruno: gpg --list-secret-keys 0x2e604D51
sec   1024D/2E604D51 2006-06-11

The message "...using subkey...instead of primary key..." is exactly as
it should be, as pointed out by dave.smith at st.com in this forum.

The secret key required for decryption is reported to be where it should be.

The problem might be with the encryption process used by the sender of
that message.

> 
> gpg -v -v --decrypt msg.asc
> gpg: armor: BEGIN PGP MESSAGE
> gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
> :pubkey enc packet: version 3, algo 16, keyid 42531C9A0CC897B5
>         data: [2048 bits]
>         data: [2048 bits]
> gpg: public key is 0CC897B5
> :encrypted data packet:
>         length: unknown

I am not sure this 'length: unknown' is as it should be. I have carried
out a few tests with encrypted messages, and there is always a value
after 'length: ..... As I pointed out above, *maybe* there is some
problem with the encryption process used by the sender of the message
you have not been able to decrypt.

>         mdc_method: 2
> gpg: using subkey 0CC897B5 instead of primary key 2E604D51
> gpg: encrypted with 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11
>       "Bruno Costacurta <bruno at costacurta.org>"
> gpg: decryption failed: secret key not available

I am sending you, separately, a encrypted test message, please let me
know if you can decrypt it.

Charly
MacOS 10.4.9 - MacBook Intel C2Duo - GnuPG 1.4.7 - GPG2 2.0.4
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRmbnCM3GMi2FW4PvAQhdAQgAg/qYzSf1pUlKt93QFArARWB3gW/BEsGT
2INSNIKbbYpeUGXMo19F5PMTFm1kxasxKUPt6GlKQKuS79qgZccqo2MHKMDRJlRi
LBvhKo73rXBOmFPXWNEAgjyMzMV2+UdO2JJSMTLKEaGihxhvx6QjnWk/p0NXTw+M
Ag1/gM++saMS6KozXortRJMzQnv14LNsG7S6tbIk7PZ76nOk2LGzwPyGPZxej5CI
FVG98pC2te8CH34ZyWO/EpZjnIMo0bGCKU6XCm71MYRkIw8ZXJTuJHqki9xQk2Oz
WiHgE/2Lms45IbtXKPro+sVbBzfJ4VII8T1K/t6AVBUmAB35ANaLwQ==
=loXj
-----END PGP SIGNATURE-----


From hhhobbit at securemecca.net  Thu Jun  7 03:57:44 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Wed, 06 Jun 2007 19:57:44 -0600
Subject: setting expiration dates
In-Reply-To: <mailman.4449.1181138794.22484.gnupg-users@gnupg.org>
References: <mailman.4449.1181138794.22484.gnupg-users@gnupg.org>
Message-ID: <46676618.60200@securemecca.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Joseph Oreste Bruni wrote:

> This is interesting: After changing my encryption subkey's expiration  
> by a few days (from 2008-02-07 to 2008-01-01), I tried to upload the  
> updated key to the PGP Global Directory (http://keyserver.pgp.com).  
> It complained that my key had expired, but it hasn't. Submitting the  
> key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't  
> have a problem. My key ID is CD5518C7 if you want to look at it.

I think PGP Global Directory is complaining that the pub key
your sub key is attached to is expired. If it is working by allowing
people to encrypt to you, maybe these are those new changes WK said
have been made. Here is the key I got from PGP Global Directory for
your KEYID after I imported it:

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]
sub   2048R/EEA4EC97 2007-01-31 [expires: 2008-01-31]

Well, the email addresses were changed by moe, but you get the
idea.  Your pub key IS expired!  Assuming you still have the same
email address you used when you gave them (PGP) the key, you can
just have them remove your key with the following page:

http://keyserver.pgp.com/vkd/GetRemoveKeyScreen.event

PGP Global Directory doesn't work like the other key servers by
giving you the ability to delete your keys (breaks WOT, but ...).
Having just said the foregoing, here is how your key came down
from pgp.mit.edu (HKP):

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]

Hmm, where is the sub key? And here is how it comes down from
the Penguin (X-HKP) in Germany:

pub   2048R/CD5518C7 2005-02-17
uid       Joseph Oreste Bruni <jbruni_FRAT_mac_com>
uid       Joseph Oreste Bruni <brunij_GNAT_earthlink_net>
uid       Joseph Oreste Bruni <joe.bruni_ATBAT_bestwestern_com>
uid       Joseph Oreste Bruni <brunij_NOSPACE_bestwestern_com>
uid       [jpeg image of size 1173]
sub   2048R/EEA4EC97 2007-01-31 [expires: 2008-01-01]

Please do the following as a test for me with the key you
have now (a # indicates a comment):

$ gpg --edit-key CD5518C7
Command> expire
# change the expire date of your pub key to match your
# sub key or at least so it is NOT expired
$ gpg --keyserver hkp://pgp.mit.edu --send-keys CD5518C7
$ gpg --keyserver x-hkp://random.sks.keyserver.penguin.de \
  --send-keys CD5518C7

If desired, after you have deleted your key from the PGP
Global Directory, you can also submit it to them again. Let
me know if you do any of this and I will do the tests again.
Next time I will be FAR shorter in my reply (will just show
any changes from what I have here depending on what you have
done).

You will have to ask the others if having a pub key that is
expired on the key servers is a good idea or even if it is
possible - I don't think it is possible but don't know for
sure.  I was able to sign your key but have NO idea what that
means.  What good does it do to sign an expired key?  My
OPINION is to either say goodbye to the pub key and all the
sub-keys, or keep them ALL freshened up on their expire
date so people know that the key is still good. I normally
interpret a pub key that is expired as having an implicit
meaning that it is no longer used and the person has replaced
that key with a newer key.  So if I intend to keep using a key,
I change the expire dates for the pub key and all sub-keys at
least one month before any of them expire for the desired period
I want to keep them - lots of options to consider, like revoking
your present sub-key and adding a new sub-key, when the expire
date for each key is, etc.  Then I upload my pub key to at least
two keyservers again if if was on the keyservers.

No reply from you means you don't want me to do the tests
and didn't make any changes. If you do the changes, let me
know when you have done it with a Bcc: to me.  I only read
the Digest. Sometimes it goes days before I get a new
bundle of messages.  Sometimes I don't seem to get them at
all, but maybe they fell through the cracks.

HHH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGZ2YYr3QZv1upb6wRCjMSAJ9A/qWNgeQofviDpKpEAat0pMZWLwCgst9+
0U8xKtWRX2r/1Ch+FhAjFho=
=9OYY
-----END PGP SIGNATURE-----


From dshaw at jabberwocky.com  Thu Jun  7 04:20:39 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 6 Jun 2007 22:20:39 -0400
Subject: setting expiration dates
In-Reply-To: <A48988D0-A339-42E8-9EBA-3389998C21FF@mac.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
	<A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com>
	<87hcpoxg9g.fsf@wheatstone.g10code.de>
	<A48988D0-A339-42E8-9EBA-3389998C21FF@mac.com>
Message-ID: <20070607022039.GB16676@jabberwocky.com>

On Mon, Jun 04, 2007 at 03:17:21PM -0700, Joseph Oreste Bruni wrote:
> 
> On Jun 4, 2007, at 1:42 AM, Werner Koch wrote:
> 
> > On Fri,  1 Jun 2007 22:01, jbruni at mac.com said:
> >
> >> Awesome. Would you consider updating the prompt reflecting that
> >> capability?
> >
> > Enter a question mark at the prompt to see a help text.
> 
> 
> This is interesting: After changing my encryption subkey's expiration  
> by a few days (from 2008-02-07 to 2008-01-01), I tried to upload the  
> updated key to the PGP Global Directory (http://keyserver.pgp.com).  
> It complained that my key had expired, but it hasn't. Submitting the  
> key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't  
> have a problem. My key ID is CD5518C7 if you want to look at it.

Your key looks fine to me.  Possibly the GD was complaining that you
have two expired subkeys, though this should not matter as you also
have an unexpired one.

Perhaps try deleting the expired subkeys before submitting the key to
the GD.  If that works, you might submit a bug report on the GD, since
an expired subkey should not prevent uploading the whole key.

David


From jbruni at mac.com  Thu Jun  7 06:17:31 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Wed, 6 Jun 2007 21:17:31 -0700
Subject: setting expiration dates
In-Reply-To: <20070607022039.GB16676@jabberwocky.com>
References: <83C02188-51D6-44E4-9F5E-59CC25125396@mac.com>
	<20070601183126.GC8685@jabberwocky.com>
	<A1595EF1-C6C2-4649-8B8A-BFF5D52B5377@mac.com>
	<87hcpoxg9g.fsf@wheatstone.g10code.de>
	<A48988D0-A339-42E8-9EBA-3389998C21FF@mac.com>
	<20070607022039.GB16676@jabberwocky.com>
Message-ID: <29DE25BB-D9B1-4EAB-999C-09704C133EF4@mac.com>


On Jun 6, 2007, at 7:20 PM, David Shaw wrote:

> On Mon, Jun 04, 2007 at 03:17:21PM -0700, Joseph Oreste Bruni wrote:
>>
>> This is interesting: After changing my encryption subkey's expiration
>> by a few days (from 2008-01-31 to 2008-01-01), I tried to upload the
>> updated key to the PGP Global Directory (http://keyserver.pgp.com).
>> It complained that my key had expired, but it hasn't. Submitting the
>> key to the SKS key servers (hkp://pool.sks-keyservers.net) didn't
>> have a problem. My key ID is CD5518C7 if you want to look at it.
>
> Your key looks fine to me.  Possibly the GD was complaining that you
> have two expired subkeys, though this should not matter as you also
> have an unexpired one.
>
> Perhaps try deleting the expired subkeys before submitting the key to
> the GD.  If that works, you might submit a bug report on the GD, since
> an expired subkey should not prevent uploading the whole key.
>
> David


The key as you see it in GD has expirations on all three subkey; two  
expired, but one currently unexpired. The change I performed was to  
move the expiration of the third subkey (EEA4EC97) to 2008-01-01. It  
is this changed key that was rejected by GD. Would it be helpful to  
send you the key as it currently exists in my keyring (which was  
rejected) for comparison with what was previous acceptable? Also, the  
expiration date on the subkey as it exists in GD was set at the time  
the subkey was created, whereas the expiration on the subkey in my  
keyring was changed post creation. Would that make a difference in  
the representation? I'm not familiar enough with the details of the  
spec. to know if this even makes sense.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070606/a98ed1dc/attachment.bin 

From pubmb01 at skynet.be  Thu Jun  7 08:44:51 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Thu, 7 Jun 2007 08:44:51 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <4666E734.8020305@mac.com>
References: <200706061623.59065.pubmb01@skynet.be> <4666E734.8020305@mac.com>
Message-ID: <200706070844.58702.pubmb01@skynet.be>

On Wednesday 06 June 2007 18:56:20 Charly Avital wrote:
> Bruno Costacurta wrote the following on 6/6/07 5:23 PM:
> > Hello,
> > I'm not able to decrpyt message as I received hereafter message about
> > using subkey instead of primary key.
>
> This is your public key, as I have just downloaded it from the servers:
> ----------
> pub  1024D/2E604D51  created: 2006-06-11  expires: never       usage: SC
>                      trust: unknown       validity: unknown
> sub  2048g/0CC897B5  created: 2006-06-11  expires: never       usage: E
> [ unknown] (1). Bruno Costacurta <bruno at costacurta.org>
> [ revoked] (2)  pubmb01 <pubmb01 at skynet.be>
> [ revoked] (3)  pubmb02 <pubmb02 at skynet.be>
> [ revoked] (4)  Bruno Costacurta <cob1 at biz.tiscali.be>
> [ unknown] (5)  Bruno Costacurta <pubmb01 at skynet.be>
> [ unknown] (6)  Bruno Costacurta <contract at costacurta.org>
> ----------
>
> > Is this correct ? Could it be the problem relies on the usage of this
> > subkey ? If yes, how to manage my keyring regarding this
> > subkey (which is obviously used for en/decrypting not for signing) to be
> > able to decrypt ?
>
> As you can see, your primary key 1024D/2E604D51 is used for SC (Sign,
> Certify).
> The subkey 2048g/0CC897B5 is used for E encrypting *to you*. Not for
> decrypting.
>
> For decrypting you use your secret key (copy/paste of your own
> prompt/output):
> /home/bruno: gpg --list-secret-keys 0x2e604D51
> sec   1024D/2E604D51 2006-06-11
>
> The message "...using subkey...instead of primary key..." is exactly as
> it should be, as pointed out by dave.smith at st.com in this forum.
>
> The secret key required for decryption is reported to be where it should
> be.
>
> The problem might be with the encryption process used by the sender of
> that message.
>
> > gpg -v -v --decrypt msg.asc
> > gpg: armor: BEGIN PGP MESSAGE
> > gpg: armor header: Version: GnuPG v1.4.6 (GNU/Linux)
> >
> > :pubkey enc packet: version 3, algo 16, keyid 42531C9A0CC897B5
> >
> >         data: [2048 bits]
> >         data: [2048 bits]
> > gpg: public key is 0CC897B5
> >
> > :encrypted data packet:
> >
> >         length: unknown
>
> I am not sure this 'length: unknown' is as it should be. I have carried
> out a few tests with encrypted messages, and there is always a value
> after 'length: ..... As I pointed out above, *maybe* there is some
> problem with the encryption process used by the sender of the message
> you have not been able to decrypt.
>
> >         mdc_method: 2
> > gpg: using subkey 0CC897B5 instead of primary key 2E604D51
> > gpg: encrypted with 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11
> >       "Bruno Costacurta <bruno at costacurta.org>"
> > gpg: decryption failed: secret key not available
>
> I am sending you, separately, a encrypted test message, please let me
> know if you can decrypt it.
Hello Charly,
thanks for your attention and help

Unfortunately I cannot decrypt your test message : 
gpg --decrypt charly.asc
gpg: encrypted with 2048-bit ELG-E key, ID CE3A0945, created 2002-02-11
      "Charly Avital (GnuPG) <shavital at mac.com>"
gpg: encrypted with 2048-bit ELG-E key, ID 0CC897B5, created 2006-06-11
      "Bruno Costacurta <bruno at costacurta.org>"
gpg: decryption failed: secret key not available

Is there a way to modify subkey attributes, eg.  adding decryption 
capabilities. If not, can I'll create a new subket with correct attributes. 

Considering I (probably) already lost (mean: cannot decypt) received encrypted 
message but will be able to use future messages encrypted with the new 
correct subkey.

Bye,
Bruno

>
> Charly
> MacOS 10.4.9 - MacBook Intel C2Duo - GnuPG 1.4.7 - GPG2 2.0.4
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070607/275fd59e/attachment.pgp 

From dave.smith at st.com  Thu Jun  7 10:27:08 2007
From: dave.smith at st.com (David SMITH)
Date: Thu, 7 Jun 2007 09:27:08 +0100
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706061853.56601.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706061714.18438.pubmb01@skynet.be>
	<20070606160121.GI10506@bristol.st.com>
	<200706061853.56601.pubmb01@skynet.be>
Message-ID: <20070607082708.GJ10506@bristol.st.com>

On Wed, Jun 06, 2007 at 06:53:48PM +0200, Bruno Costacurta wrote:
> Sorry but indeed I have the secret key for 0x2E604D51 and it's valid (I just 
> installed my gpg keyrings on a new computer and use it for signing).
> The 0CC897B5 is a subkey and was created automatically with 0x2E604D5 creation 
> and never ask specific password.

No, you should have a subkey for both 0x2E604D51 /and/ 0x0CC897B5.

Here are the details of my keys:

bris0085(23)% gpg --list-keys --verbose
/home/damia/users/dsmith/.gnupg/pubring.gpg
-------------------------------------------
pub   1024D/F13192F2 2002-02-12
uid                  David Smith (STMicroelectronics) <Dave.Smith at st.com>
uid                  David Smith (Home) <David.Smith at ds-electronics.co.uk>
sub   1024g/FA5EA4A2 2002-02-12 [expired: 2002-08-11]
sub   1024g/BE299CC1 2002-07-20 [expired: 2003-01-16]
sub   1024g/C8D6DAB9 2003-01-18 [expired: 2003-07-17]
sub   1024g/B643FF36 2003-11-09 [expired: 2004-05-07]
sub   1024g/80454033 2004-05-17 [expired: 2004-11-13]
sub   1024g/F5FE6DF8 2004-12-07 [expired: 2005-06-05]
sub   1024g/0DD8A13F 2005-09-05 [expired: 2006-03-04]
sub   1024g/9249F278 2006-06-20 [expired: 2006-12-17]
sub   1024g/3712DE29 2006-12-22 [expired: 2006-12-24]
sub   4096g/42F250C4 2007-01-13 [expires: 2007-07-12]

bris0085(22)% gpg --list-secret-keys
/home/damia/users/dsmith/.gnupg/secring.gpg
-------------------------------------------
sec   1024D/F13192F2 2002-02-12
uid                  David Smith (Home) <David.Smith at ds-electronics.co.uk>
uid                  David Smith (STMicroelectronics) <Dave.Smith at st.com>
ssb   1024g/FA5EA4A2 2002-02-12
ssb   1024g/BE299CC1 2002-07-20
ssb   1024g/C8D6DAB9 2003-01-18
ssb   1024g/B643FF36 2003-11-09
ssb   1024g/80454033 2004-05-17
ssb   1024g/F5FE6DF8 2004-12-07
ssb   1024g/0DD8A13F 2005-09-05
ssb   1024g/9249F278 2006-06-20

Note that my main (signing) key has both public (pub) and secret (sec)
parts, and each of my subkeys have public (sub) and secret (ssb) parts.

Compare this with yours:

% gpg --list-secret-keys -v  0x2E604D51
gpg: no secret subkey for public subkey 0CC897B5 - ignoring
sec   1024D/2E604D51 2006-06-11
uid                  Bruno Costacurta <bruno at costacurta.org>
uid                  Bruno Costacurta <contract at costacurta.org>
uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
uid                  Bruno Costacurta <pubmb01 at skynet.be>


You seem to have managed to lose the secret part of your subkey, either
through a bug or data corruption, or through human error.

Unless you can find the secret part of your subkey again, the public
part is worthless, and should be revoked by publishing a revocation
certificate.  This does, of course, assume that you generated a
revocation certificate before you lost the secret part....

-- 
David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380          GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk


From pubmb01 at skynet.be  Thu Jun  7 12:31:19 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Thu, 7 Jun 2007 12:31:19 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <20070607082708.GJ10506@bristol.st.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706061853.56601.pubmb01@skynet.be>
	<20070607082708.GJ10506@bristol.st.com>
Message-ID: <200706071231.19630.pubmb01@skynet.be>

On Thursday 07 June 2007 10:27:08 David SMITH wrote:
> On Wed, Jun 06, 2007 at 06:53:48PM +0200, Bruno Costacurta wrote:
> > Sorry but indeed I have the secret key for 0x2E604D51 and it's valid (I
> > just installed my gpg keyrings on a new computer and use it for signing).
> > The 0CC897B5 is a subkey and was created automatically with 0x2E604D5
> > creation and never ask specific password.
>
> No, you should have a subkey for both 0x2E604D51 /and/ 0x0CC897B5.
>
> Here are the details of my keys:
>
> bris0085(23)% gpg --list-keys --verbose
> /home/damia/users/dsmith/.gnupg/pubring.gpg
> -------------------------------------------
> pub   1024D/F13192F2 2002-02-12
> uid                  David Smith (STMicroelectronics) <Dave.Smith at st.com>
> uid                  David Smith (Home) <David.Smith at ds-electronics.co.uk>
> sub   1024g/FA5EA4A2 2002-02-12 [expired: 2002-08-11]
> sub   1024g/BE299CC1 2002-07-20 [expired: 2003-01-16]
> sub   1024g/C8D6DAB9 2003-01-18 [expired: 2003-07-17]
> sub   1024g/B643FF36 2003-11-09 [expired: 2004-05-07]
> sub   1024g/80454033 2004-05-17 [expired: 2004-11-13]
> sub   1024g/F5FE6DF8 2004-12-07 [expired: 2005-06-05]
> sub   1024g/0DD8A13F 2005-09-05 [expired: 2006-03-04]
> sub   1024g/9249F278 2006-06-20 [expired: 2006-12-17]
> sub   1024g/3712DE29 2006-12-22 [expired: 2006-12-24]
> sub   4096g/42F250C4 2007-01-13 [expires: 2007-07-12]
>
> bris0085(22)% gpg --list-secret-keys
> /home/damia/users/dsmith/.gnupg/secring.gpg
> -------------------------------------------
> sec   1024D/F13192F2 2002-02-12
> uid                  David Smith (Home) <David.Smith at ds-electronics.co.uk>
> uid                  David Smith (STMicroelectronics) <Dave.Smith at st.com>
> ssb   1024g/FA5EA4A2 2002-02-12
> ssb   1024g/BE299CC1 2002-07-20
> ssb   1024g/C8D6DAB9 2003-01-18
> ssb   1024g/B643FF36 2003-11-09
> ssb   1024g/80454033 2004-05-17
> ssb   1024g/F5FE6DF8 2004-12-07
> ssb   1024g/0DD8A13F 2005-09-05
> ssb   1024g/9249F278 2006-06-20
>
> Note that my main (signing) key has both public (pub) and secret (sec)
> parts, and each of my subkeys have public (sub) and secret (ssb) parts.
>
> Compare this with yours:
>
> % gpg --list-secret-keys -v  0x2E604D51
> gpg: no secret subkey for public subkey 0CC897B5 - ignoring
> sec   1024D/2E604D51 2006-06-11
> uid                  Bruno Costacurta <bruno at costacurta.org>
> uid                  Bruno Costacurta <contract at costacurta.org>
> uid       [ revoked] pubmb01 <pubmb01 at skynet.be>
> uid       [ revoked] Bruno Costacurta <cob1 at biz.tiscali.be>
> uid       [ revoked] pubmb02 <pubmb02 at skynet.be>
> uid                  Bruno Costacurta <pubmb01 at skynet.be>
>
>
> You seem to have managed to lose the secret part of your subkey, either
> through a bug or data corruption, or through human error.
>
> Unless you can find the secret part of your subkey again, the public
> part is worthless, and should be revoked by publishing a revocation
> certificate.  This does, of course, assume that you generated a
> revocation certificate before you lost the secret part....

Hello David,

(note: I'm able to revoke this subkey (done but not sent to keyserver yet)).

The problem is that subkey comes alone and automatically when keypair is 
generated (and related keyring created).
During creation there is only one password required which is linked to the 
primary key. My secret key and related password are OK.

Where in this process is the secret part (and related password) of subkey 
specified ?
How to specify correct attributes for subkey like encrypt & decrypt ?

Bye,
Bruno

-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070607/c8116dc6/attachment-0001.pgp 

From dave.smith at st.com  Thu Jun  7 16:00:49 2007
From: dave.smith at st.com (David SMITH)
Date: Thu, 7 Jun 2007 15:00:49 +0100
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706071231.19630.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706061853.56601.pubmb01@skynet.be>
	<20070607082708.GJ10506@bristol.st.com>
	<200706071231.19630.pubmb01@skynet.be>
Message-ID: <20070607140049.GL10506@bristol.st.com>

On Thu, Jun 07, 2007 at 12:31:19PM +0200, Bruno Costacurta wrote:
> Hello David,
> 
> (note: I'm able to revoke this subkey (done but not sent to keyserver yet)).

Do you mean that you have already generated the revocation certificate
previously, or that you have just generated one now?

> The problem is that subkey comes alone and automatically when keypair is 
> generated (and related keyring created).
> During creation there is only one password required which is linked to the 
> primary key. My secret key and related password are OK.

You only have one passphrase to protect the primary key; this passphrase
automatically protects all of its subkeys.

(Actually, I think that the passphrase protects the keyring file rather
than the key, but ICBW).  The fact that you don't have a separate
passphrase for your subkey is normal and not a problem.

> Where in this process is the secret part (and related password) of subkey 
> specified ?

As I mentioned, you don't have a separate password.

Public and secret parts are always generated together; they cannot be
generated separately.

> How to specify correct attributes for subkey like encrypt & decrypt ?

Public parts are always used for encryption, and private parts are
always used for decryption.  There is an exception to this, where some
keys are used for signing, but I am ignoring this since you are talking
about keys generated for en/decryption.

There is no point in generating a key for encryption but not decryption -
they are always generated as a pair - public for encryption, and secret
for decryption.  If you think about it, any other scheme is nonsensical.
For example, encrypting with the secret key would mean that anyone could
decrypt the encrypted message (since the public key is, well, public).

The secret key can't be generated from the public key, for obvious
reasons.

Somehow I think you've lost the secret part of the subkey.

-- 
David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380          GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk


From shavital at mac.com  Thu Jun  7 17:32:08 2007
From: shavital at mac.com (Charly Avital)
Date: Thu, 07 Jun 2007 18:32:08 +0300
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706071231.19630.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706061853.56601.pubmb01@skynet.be>
	<20070607082708.GJ10506@bristol.st.com>
	<200706071231.19630.pubmb01@skynet.be>
Message-ID: <466824F8.7090500@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Bruno Costacurta wrote the following on 6/7/07 1:31 PM:
[...]

> 
> Hello David,
> 
> (note: I'm able to revoke this subkey (done but not sent to keyserver yet)).
> 
>[...]

Bruno,

I have just downloaded (again) your key now, and it looks like:

pub  1024D/2E604D51  created: 2006-06-11  expires: never       usage: SC
                     trust: unknown       validity: unknown
This key was revoked on 2007-06-07 by DSA key 2E604D51 Bruno Costacurta
<bruno at costacurta.org>
sub  2048g/0CC897B5  created: 2006-06-11  revoked: 2007-06-07  usage: E
[ unknown] (1). Bruno Costacurta <bruno at costacurta.org>
[ revoked] (2)  pubmb01 <pubmb01 at skynet.be>
[ revoked] (3)  pubmb02 <pubmb02 at skynet.be>
[ revoked] (4)  Bruno Costacurta <cob1 at biz.tiscali.be>
[ unknown] (5)  Bruno Costacurta <pubmb01 at skynet.be>
[ unknown] (6)  Bruno Costacurta <contract at costacurta.org>

It would seem that you have revoked both the primary key and the subkey.

I *believe*, but I am not sure, that you could have revoked *only* the
subkey, and generated a new subkey in its stead. That would have kept
your primary key "alive", with a new subkey, hopefully valid for
encryption to you.

I might be wrong, but I believe that in the present situation,
generating a new E subkey will not resuscitate your primary key.

I hope you get more definite opinions from other forum subscribers.

Regards,
Charly





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (Darwin)
Comment: GnuPG for Privacy
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEVAwUBRmgk9M3GMi2FW4PvAQhXJAgAsIzxvD3mn3+kxKUUQsGqkLdGBi19lIhW
cWORBVMiIbG2XfRGcErIKdrsJ8yz3VNOWCdv7jPLCbCRJcow6HQcD+h+Rh1zdDtZ
Hs7RstoLGP4+7rCCPkFtCmiIHA1VC/vN7PZ+6HKbMzxqbHAKIUnmkoFvPvod1fkB
a6fgZbNcD/Yimz0cLognDRem9wBV/zPCcuutlgqIO7faCzrcMsub/Uz+OGwzsIi5
elGvcQm/c2Vx46C85IUzm8V1goE4RGSc5CDmwOHhOLkd76Oim/kS1Xwk0u6LmbOI
6E1C4aHb7ikL7YLkTKpDcn5exwNnKFWVbzhagahW7dB9RmcnMB0XeA==
=FXjD
-----END PGP SIGNATURE-----


From khellman at mcprogramming.com  Fri Jun  8 09:41:38 2007
From: khellman at mcprogramming.com (Keith Hellman)
Date: Fri, 8 Jun 2007 01:41:38 -0600
Subject: Verifying Signatures in a Script
Message-ID: <20070608074137.GA27256@localhost.localdomain>

I would like a script to verify that I've signed a document.  Verifying
a signature is easy with gnupg, but I can't find a switch that requires 
the signature be that of a particular public key.

As it is, a document signed by someone else (whose public key I have)
would slip through my script if I just use the exit code.  My best
solution so far is to detect the identity printed out by gpg on stderr
--- but this seems a fragile solution.

I'd like to be able to say:
  $ gpg --verify-specific-user khellman at mcprogramming.com 
          --verify signedoc.gpg

Does this functionality exist? Did I miss something in the docs? Is
there a workaround?

TIA
-- 
Keith Hellman                             #include <disclaimer.h>
khellman at mcprogramming.com                from disclaimer import standard
khellman at mines.edu
                                   -*-                                    
                    public key @ pgp.mit.edu B5354B76                     
    Y!M: mcprogramming                           AIM/ICQ: 485403897       
                     gtalk: jabber at mcprogramming.com                      
                                   -*-                                    

"In any project that is multi-threaded, most bugs will come from threading
issues.  This is regardless of programming language -- it's a deep, as yet
ununderstood property of threads."

-- Guido van Rossum
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070608/b704c175/attachment.pgp 

From james at freecharity.org.uk  Fri Jun  8 16:52:10 2007
From: james at freecharity.org.uk (James Davis)
Date: Fri, 08 Jun 2007 15:52:10 +0100
Subject: Importing backed up card generated key
Message-ID: <46696D1A.6050609@freecharity.org.uk>

I've just generated a key pair using my smartcard and asked it to make a
backup which it did. I'm doing a practice restore to see how the
procedure works and I'm a little stuck. I can import my new public key
onto my keyring but when I try to import the secret key it fails to do
so and I get the following output.

$ gpg --import james.davis at ja.net-20070608-secret.gpg
gpg: key D7DDFF42: no user ID
gpg: Total number processed: 1
gpg:       secret keys read: 1
$

What should I be doing? :-)

James

-- 
http://www.freecharity.org.uk/ - Free IT services for charities
http://www.freecharity.org.uk/wiki/ - The VCSWiki


From dan_yt555 at yahoo.com  Sun Jun 10 19:33:47 2007
From: dan_yt555 at yahoo.com (Dan T.)
Date: Sun, 10 Jun 2007 10:33:47 -0700 (PDT)
Subject: Verifying Signatures in a Script
In-Reply-To: <20070608074137.GA27256@localhost.localdomain>
Message-ID: <455059.34542.qm@web63102.mail.re1.yahoo.com>

--- Keith Hellman <khellman at mcprogramming.com> wrote:

> I would like a script to verify that I've signed a
document. 
> Verifying a signature is easy with gnupg, but I
can't find a switch
> that requires the signature be that of a particular
public key.
> 
> As it is, a document signed by someone else (whose
public key I
> have) would slip through my script if I just use the
exit code.  My
> best solution so far is to detect the identity
printed out by gpg
> on stderr --- but this seems a fragile solution.
> 
> I'd like to be able to say: $ gpg
--verify-specific-user
> khellman at mcprogramming.com --verify signedoc.gpg
> 
> Does this functionality exist? Did I miss something
in the docs? Is
> there a workaround?


Keith,

Look into the --status-fd output, I think the VALIDSIG
value is what you want.

I hope this help.

Dan




 
____________________________________________________________________________________
Looking for earth-friendly autos? 
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
http://autos.yahoo.com/green_center/


From hs2412 at gmail.com  Mon Jun 11 18:51:16 2007
From: hs2412 at gmail.com (Hardeep Singh)
Date: Mon, 11 Jun 2007 22:21:16 +0530
Subject: PGP software pirated
In-Reply-To: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
Message-ID: <d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>

Hi All

Someone gave me a PGP signed message that unlocks the paid version of
PGP. Just to be sure it worked, I tried it and then uninstalled the
software (I dont use pirated stuff, GPG is much better for me).
However, does this mean that someone was able to find the private key
for the key PGP uses to sign licenses? If that could be found, then
probably our keys can also be cracked. While I personally find this
impossible, I want to know how the hackers were able to  give me a
signed message? Is it possible they tweaked PGP to use their private
key instead of PGPs and hence PGP is not really broken?

Regards
Hardeep Singh


From hs2412 at gmail.com  Mon Jun 11 18:54:23 2007
From: hs2412 at gmail.com (Hardeep Singh)
Date: Mon, 11 Jun 2007 22:24:23 +0530
Subject: Revoke and expire
Message-ID: <d7a3cfdf0706110954h1e9e4452y8b78ebd3fa143e08@mail.gmail.com>

Hi

When a key is revoked using the revocation certificate, does it have
the same effect as reaching the expiry date of the key? In other words
if I set a key to no expire but generate a revocation certificate, it
is equally safe?

Regards
Hardeep


From khellman at mcprogramming.com  Mon Jun 11 18:56:38 2007
From: khellman at mcprogramming.com (Keith Hellman)
Date: Mon, 11 Jun 2007 10:56:38 -0600
Subject: Verifying Signatures in a Script
In-Reply-To: <455059.34542.qm@web63102.mail.re1.yahoo.com>
References: <20070608074137.GA27256@localhost.localdomain>
	<455059.34542.qm@web63102.mail.re1.yahoo.com>
Message-ID: <20070611165638.GB4294@localhost.localdomain>

On Sun, Jun 10, 2007 at 10:33:47AM -0700, Dan T. wrote:
> Look into the --status-fd output, I think the VALIDSIG
> value is what you want.
> 
> I hope this help.
> 
> Dan
> 

Just as a follow-up, I pursued Sven's idea and simply created a
specialized directory:
  $ mkdir .my_signature
Exported my public key to its location
  $ gpg --home ~/.my_signature --import <(gpg --export <my_key_identifier>)
(or something like that...)

And now I simply invoke gpg (or gpgv) from within my script as
  if gpg --home ~/.my_signature --verify ${FILE} ; then ...

Works like a charm, it also has a benefit of easily managing the
signatures I want my script to accept, without cluttering up my 
script will silly whose-signed-this-thing logic.  I just import or
remove the appropriate public keys from ./my_signature's database.

Cheers.
-- 
Keith Hellman                             #include <disclaimer.h>
khellman at mcprogramming.com                from disclaimer import standard
khellman at mines.edu
                                   -*-                                    
                    public key @ pgp.mit.edu B5354B76                     
    Y!M: mcprogramming                           AIM/ICQ: 485403897       
                     gtalk: jabber at mcprogramming.com                      
                                   -*-                                    

Experience is a harsh teacher.  She gives the test before you learn the
lesson.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070611/cd7fbdea/attachment.pgp 

From rjh at sixdemonbag.org  Mon Jun 11 19:11:08 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Jun 2007 12:11:08 -0500
Subject: Revoke and expire
In-Reply-To: <d7a3cfdf0706110954h1e9e4452y8b78ebd3fa143e08@mail.gmail.com>
References: <d7a3cfdf0706110954h1e9e4452y8b78ebd3fa143e08@mail.gmail.com>
Message-ID: <099E6B17-D2AC-49BB-8F43-A4E520817E89@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> When a key is revoked using the revocation certificate, does it have
> the same effect as reaching the expiry date of the key? In other words
> if I set a key to no expire but generate a revocation certificate, it
> is equally safe?

It depends on what you mean by "same effect".  You can't encrypt a  
message to an expired key, precisely because it's expired.  You can't  
encrypt a message to a revoked key, precisely because it's revoked.

If by "same effect" you mean "both keys are equally unusable", then  
yeah.  Same effect.

If by "same effect" you mean "they work the same way", then no.   
Different.  With one, GnuPG simply sees that the key has expired.   
You can unexpire the key just by resetting your computer's clock.   
With the other, GnuPG sees the key has been revoked, and unrevoking  
it is kind of problematic.

- --
Robert J. Hansen <rjh at sixdemonbag.org>

"Most people are never thought about after they're gone.  'I wonder
where Rob got the plutonium?' is better than most get." -- Phil Munson



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iFYEAREIAAYFAkZtgiwACgkQf2XByo0Cu7PQdgDfYSHgpicOUcseTUVpWEFLp6aS
hRaYL23H5181vADeP+aK/WkQFsFq401z3AJLwyIqN2KOn9cfxdnaeokBHAQBAQgA
BgUCRm2CLAAKCRC3APSC/q+BCT//B/9QYb9SN30BABc/HZOzr5M702l8KT/Y1i7g
2wmHMWo6tYFO9XOdkbVApDFLHDYzK5UzphajUwkuY2rNk0Lk4/lBW725igOTIbl0
Utc2VvHd3+Ltbzli9Tpj6VjHrsV+gc1vLjF8B60A8kj9zHy88+QOUmZXFEI+r/y/
721zF2qSf60xXRCkugn1/sttzX2fV6fi5E4S/n62n/VrkbFjUloGF2wmT5VO9dXm
bmLkSHU23Z2qWNa0JUcrfc+UYT2kDSIVRO5LkvCAG/v0ViSg7GASEze+AaGrnU/3
WZnUWZumeuFoyHxoptvXALrbWRudXn2TM6hv8Cz1jndjXyILwGFN
=nlgN
-----END PGP SIGNATURE-----


From dshaw at jabberwocky.com  Mon Jun 11 19:26:16 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Jun 2007 13:26:16 -0400
Subject: Revoke and expire
In-Reply-To: <d7a3cfdf0706110954h1e9e4452y8b78ebd3fa143e08@mail.gmail.com>
References: <d7a3cfdf0706110954h1e9e4452y8b78ebd3fa143e08@mail.gmail.com>
Message-ID: <20070611172616.GA9020@jabberwocky.com>

On Mon, Jun 11, 2007 at 10:24:23PM +0530, Hardeep Singh wrote:
> Hi
> 
> When a key is revoked using the revocation certificate, does it have
> the same effect as reaching the expiry date of the key? In other words
> if I set a key to no expire but generate a revocation certificate, it
> is equally safe?

They're similar, but different.  A key that has reached its expiration
date is not usable, but a new expiration date can be put on it that
makes the key usable again.  A key that has been revoked cannot be
easily un-revoked.

Note that I'm talking about whole keys here.  It is possible to
un-revoke a revoked user ID on a key.

David


From rjh at sixdemonbag.org  Mon Jun 11 19:08:31 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 11 Jun 2007 12:08:31 -0500
Subject: PGP software pirated
In-Reply-To: <d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
	<d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
Message-ID: <DC3C4459-6462-4474-8ADB-266ECF9EC886@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> However, does this mean that someone was able to find the private key
> for the key PGP uses to sign licenses?

All license enforcement mechanisms are fundamentally DRM  
technologies.  DRM uses encryption algorithms, but DRM is not an  
encryption algorithm.

Pretty much all computer security authorities agree that DRM is a  
shell game.  Not only doesn't it work, but it can't work.  There are  
some very strong arguments supporting this proposition.

Don't worry about encrypted messages.  There's very little chance  
that someone has figured out how to break the crypto going into an  
OpenPGP-encrypted message.  All that's happened is a DRM system has  
been circumvented... again.

> I want to know how the hackers were able to  give me a
> signed message?

Due to the provisions of the Digital Millennium Copyright Act, this  
is a very dangerous question for any U.S. citizen to answer.  An  
overzealous federal prosecutor could easily claim that an in-depth  
technical explanation amounts to trafficking in circumvention devices.

If other people want to answer you, they certainly can.  However, I'm  
not.

- --
Robert J. Hansen <rjh at sixdemonbag.org>

"Most people are never thought about after they're gone.  'I wonder
where Rob got the plutonium?' is better than most get." -- Phil Munson



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iFYEAREIAAYFAkZtgY8ACgkQf2XByo0Cu7M8wADeJAAahSg4kDj3a/uLh0h87KD3
lW0Sw7jMW2PhEADeNgQxkFSyTfNGnLRglgzvFKQf8I2Pg9YXSgK6YokBHAQBAQgA
BgUCRm2BjwAKCRC3APSC/q+BCTYkCAC7wD1IhLuFCnoiZdwMOwrOl+tkIGRka4Li
b3uzpKhsXIf/dan1wQcettdM3Yvy5V8B+Bpv4SzYD8Y1wPbfwaLiQ0ygqjZ6JTTF
HG2Kr1IldOo3sULGSiN/PVMbutHWbMGfvm/WRiuDG4BMudovu3LSXNGpk/bbCjgy
eDsAzgMru+3TIXnykP4kbP9HeGwXDrQbFKt4mSJUaceKwPc1ZOdgxJTgT0afoh5x
Mbbl7fyD8aPQIvW7XZruS9jiwL7pwcZB1+k7geVx0ay8xeU6KbyfifvZXCfarQGW
v9s8pM6nie+ZbbrFQL+H8QQmtFZsdSrH0GwoND0rlLqRhuN0BdbI
=rA5x
-----END PGP SIGNATURE-----


From dshaw at jabberwocky.com  Mon Jun 11 19:39:59 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 11 Jun 2007 13:39:59 -0400
Subject: PGP software pirated
In-Reply-To: <d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
	<d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
Message-ID: <20070611173959.GB9020@jabberwocky.com>

On Mon, Jun 11, 2007 at 10:21:16PM +0530, Hardeep Singh wrote:
> Hi All
> 
> Someone gave me a PGP signed message that unlocks the paid version of
> PGP. Just to be sure it worked, I tried it and then uninstalled the
> software (I dont use pirated stuff, GPG is much better for me).
> However, does this mean that someone was able to find the private key
> for the key PGP uses to sign licenses? If that could be found, then
> probably our keys can also be cracked. While I personally find this
> impossible, I want to know how the hackers were able to  give me a
> signed message? Is it possible they tweaked PGP to use their private
> key instead of PGPs and hence PGP is not really broken?

I suspect what you got was either someone elses license file, or
possibly something that patches the PGP code itself to bypass the need
for licensing.

Even if the PGP license key was somehow compromised (which I highly
doubt), it does not follow that "probably our keys can also be
cracked".

David


From hs2412 at gmail.com  Tue Jun 12 17:27:05 2007
From: hs2412 at gmail.com (Hardeep Singh)
Date: Tue, 12 Jun 2007 20:57:05 +0530
Subject: PGP software pirated
In-Reply-To: <20070611173959.GB9020@jabberwocky.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
	<d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
	<20070611173959.GB9020@jabberwocky.com>
Message-ID: <d7a3cfdf0706120827s7282d1em446433fe2c5ed555@mail.gmail.com>

> Even if the PGP license key was somehow compromised (which I highly
> doubt), it does not follow that "probably our keys can also be
> cracked".


Why not?


From rjh at sixdemonbag.org  Tue Jun 12 19:16:08 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 12 Jun 2007 12:16:08 -0500
Subject: PGP software pirated
In-Reply-To: <d7a3cfdf0706120827s7282d1em446433fe2c5ed555@mail.gmail.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>	<d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>	<20070611173959.GB9020@jabberwocky.com>
	<d7a3cfdf0706120827s7282d1em446433fe2c5ed555@mail.gmail.com>
Message-ID: <466ED4D8.5060904@sixdemonbag.org>

Hardeep Singh wrote:
>> Even if the PGP license key was somehow compromised (which I highly
>> doubt), it does not follow that "probably our keys can also be
>> cracked".
> 
> Why not?

Because DRM is not the same as encryption.  It's like saying "just
because you saw a car break down doesn't mean there's a fundamental
problem with the wheels that we all use every day."

DRM uses encryption, but DRM has a _lot_ more going on under the hood.
It's far more likely that, _if_ the PGP license key was compromised,
that it was compromised by an insider who knew it, that it was
deliberately leaked, that it was... etc., etc.  Breaking the crypto
involved is literally the last thing on the list to consider.


From jbruni at mac.com  Wed Jun 13 03:33:46 2007
From: jbruni at mac.com (Joseph Oreste Bruni)
Date: Tue, 12 Jun 2007 18:33:46 -0700
Subject: PGP software pirated
In-Reply-To: <d7a3cfdf0706120827s7282d1em446433fe2c5ed555@mail.gmail.com>
References: <d7a3cfdf0706092214q45ec7b47m85c03c202ceba549@mail.gmail.com>
	<d7a3cfdf0706110951n1c0a611doec92871798225881@mail.gmail.com>
	<20070611173959.GB9020@jabberwocky.com>
	<d7a3cfdf0706120827s7282d1em446433fe2c5ed555@mail.gmail.com>
Message-ID: <5B3F959D-2ED0-4698-8416-72DEE9CC6FF0@mac.com>


On Jun 12, 2007, at 8:27 AM, Hardeep Singh wrote:

>> Even if the PGP license key was somehow compromised (which I highly
>> doubt), it does not follow that "probably our keys can also be
>> cracked".
>
>
> Why not?
>

Breaking PGP's license key doesn't not in any way imply that my  
private key has been compromised.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2508 bytes
Desc: not available
Url : /pipermail/attachments/20070612/ab8bc8aa/attachment.bin 

From pubmb01 at skynet.be  Wed Jun 13 17:15:47 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Wed, 13 Jun 2007 17:15:47 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <466824F8.7090500@mac.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706071231.19630.pubmb01@skynet.be> <466824F8.7090500@mac.com>
Message-ID: <200706131715.47908.pubmb01@skynet.be>

On Thursday 07 June 2007 17:32:08 Charly Avital wrote:
> Bruno Costacurta wrote the following on 6/7/07 1:31 PM:
> [...]
>
> > Hello David,
> >
> > (note: I'm able to revoke this subkey (done but not sent to keyserver
> > yet)).
> >
> >[...]
>
> Bruno,
>
> I have just downloaded (again) your key now, and it looks like:
>
> pub  1024D/2E604D51  created: 2006-06-11  expires: never       usage: SC
>                      trust: unknown       validity: unknown
> This key was revoked on 2007-06-07 by DSA key 2E604D51 Bruno Costacurta
> <bruno at costacurta.org>
> sub  2048g/0CC897B5  created: 2006-06-11  revoked: 2007-06-07  usage: E
> [ unknown] (1). Bruno Costacurta <bruno at costacurta.org>
> [ revoked] (2)  pubmb01 <pubmb01 at skynet.be>
> [ revoked] (3)  pubmb02 <pubmb02 at skynet.be>
> [ revoked] (4)  Bruno Costacurta <cob1 at biz.tiscali.be>
> [ unknown] (5)  Bruno Costacurta <pubmb01 at skynet.be>
> [ unknown] (6)  Bruno Costacurta <contract at costacurta.org>
>
> It would seem that you have revoked both the primary key and the subkey.
>
> I *believe*, but I am not sure, that you could have revoked *only* the
> subkey, and generated a new subkey in its stead. That would have kept
> your primary key "alive", with a new subkey, hopefully valid for
> encryption to you.
>
> I might be wrong, but I believe that in the present situation,
> generating a new E subkey will not resuscitate your primary key.
>

(sorry for delays. I was off and abroad).

Correct. But at least the revoked key will not be used anymore for future 
encryption I cannot decrypt. And future sender will use a valid encryption / 
decyption setup.


> I hope you get more definite opinions from other forum subscribers.
>
> Regards,
> Charly
>
>
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070613/368d6687/attachment-0001.pgp 

From pubmb01 at skynet.be  Wed Jun 13 17:18:54 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Wed, 13 Jun 2007 17:18:54 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <20070607140049.GL10506@bristol.st.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706071231.19630.pubmb01@skynet.be>
	<20070607140049.GL10506@bristol.st.com>
Message-ID: <200706131718.54944.pubmb01@skynet.be>

On Thursday 07 June 2007 16:00:49 David SMITH wrote:
> On Thu, Jun 07, 2007 at 12:31:19PM +0200, Bruno Costacurta wrote:
> > Hello David,
> >
> > (note: I'm able to revoke this subkey (done but not sent to keyserver
> > yet)).
>
> Do you mean that you have already generated the revocation certificate
> previously, or that you have just generated one now?

(sorry for delays. I was off and abroad).

I simply revoked the subkey Elgamal and sent update to keyserver.
Looks like now this is reflected and so I do not (currently) have any key for 
encryption. This what I intended to do as I was not able to decrypt.
Later I'll created a new subkey and update it the same way (after verification 
of correct encrypt/decrypt behaviour).

I think that the problem came few months ago : as I changed computer I 
exported secret key only,  but not secret-subkey. And so I installed the 
keyring but without secret part of my subkey on my current computer. 

Question: An export-secret should be followed by a export-secret-subkey ?
Correct ?

>
> > The problem is that subkey comes alone and automatically when keypair is
> > generated (and related keyring created).
> > During creation there is only one password required which is linked to
> > the primary key. My secret key and related password are OK.
>
> You only have one passphrase to protect the primary key; this passphrase
> automatically protects all of its subkeys.
>
> (Actually, I think that the passphrase protects the keyring file rather
> than the key, but ICBW).  The fact that you don't have a separate
> passphrase for your subkey is normal and not a problem.
>
> > Where in this process is the secret part (and related password) of subkey
> > specified ?
>
> As I mentioned, you don't have a separate password.
>
> Public and secret parts are always generated together; they cannot be
> generated separately.

>
> > How to specify correct attributes for subkey like encrypt & decrypt ?
>
> Public parts are always used for encryption, and private parts are
> always used for decryption.  There is an exception to this, where some
> keys are used for signing, but I am ignoring this since you are talking
> about keys generated for en/decryption.
>
> There is no point in generating a key for encryption but not decryption -
> they are always generated as a pair - public for encryption, and secret
> for decryption.  If you think about it, any other scheme is nonsensical.
> For example, encrypting with the secret key would mean that anyone could
> decrypt the encrypted message (since the public key is, well, public).
>
> The secret key can't be generated from the public key, for obvious
> reasons.
>
> Somehow I think you've lost the secret part of the subkey.



-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070613/7911ad51/attachment-0001.pgp 

From dshaw at jabberwocky.com  Wed Jun 13 18:04:08 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 13 Jun 2007 12:04:08 -0400
Subject: decrypt : primary key or subkey ?
In-Reply-To: <200706131718.54944.pubmb01@skynet.be>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706071231.19630.pubmb01@skynet.be>
	<20070607140049.GL10506@bristol.st.com>
	<200706131718.54944.pubmb01@skynet.be>
Message-ID: <20070613160408.GA27488@jabberwocky.com>

On Wed, Jun 13, 2007 at 05:18:54PM +0200, Bruno Costacurta wrote:

> I think that the problem came few months ago : as I changed computer
> I exported secret key only, but not secret-subkey. And so I
> installed the keyring but without secret part of my subkey on my
> current computer.
> 
> Question: An export-secret should be followed by a
> export-secret-subkey ?  Correct ?

No. --export-secret exports the whole secret key, including subkeys.
--export-secret-subkeys exports ONLY the subkeys, and is likely not
what you want.

David


From hhhobbit at securemecca.net  Wed Jun 13 22:02:14 2007
From: hhhobbit at securemecca.net (Henry Hertz Hobbit)
Date: Wed, 13 Jun 2007 14:02:14 -0600
Subject: Revoke and expire
In-Reply-To: <mailman.4562.1181747856.22484.gnupg-users@gnupg.org>
References: <mailman.4562.1181747856.22484.gnupg-users@gnupg.org>
Message-ID: <46704D46.4090503@securemecca.net>

gnupg-users-request at gnupg.org wrote:
David Shaw <dshaw at jabberwocky.com> wrote:

> On Mon, Jun 11, 2007 at 10:24:23PM +0530, Hardeep Singh wrote:
>> Hi
>>
>> When a key is revoked using the revocation certificate, does it have
>> the same effect as reaching the expiry date of the key? In other words
>> if I set a key to no expire but generate a revocation certificate, it
>> is equally safe?
> 
> They're similar, but different.  A key that has reached its expiration
> date is not usable, but a new expiration date can be put on it that
> makes the key usable again.  A key that has been revoked cannot be
> easily un-revoked.
> 
> Note that I'm talking about whole keys here.  It is possible to
> un-revoke a revoked user ID on a key.

How do you unrevoke a key, especially if it is on the keyservers?
I can think of making a backup of the key, revoking it and then
sending the revocation to the keyservers, then unpacking the non-
revoked folder, extending the date, and squirreling that away in
some safe deposit box just in case I need it some time in the future.
Once you are pretty sure you will never need it again you can destroy
the backup.  But that means it is only unrevoked for myself. Was
that what you meant?

But more to the point, what would most people prefer for somebody
else to do when they no longer intend to use a key, especially if
it is on the keyservers - allow it to expire or revoke it with
some message like "key deprecated"?  This is more along the line
of human usability and preferences, not technical.  I am assuming
from what has been said that most people want the key revoked,
rather than just allowing it to elapse and expire like Johannes
Ullrich does. Any opinions?

HHH
-- 
Why hack in when you can drive in on Hwys. 80, 110, 194, 220, 443, 993,
994 & 995?


From dshaw at jabberwocky.com  Wed Jun 13 22:38:25 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 13 Jun 2007 16:38:25 -0400
Subject: Revoke and expire
In-Reply-To: <46704D46.4090503@securemecca.net>
References: <mailman.4562.1181747856.22484.gnupg-users@gnupg.org>
	<46704D46.4090503@securemecca.net>
Message-ID: <20070613203825.GA28035@jabberwocky.com>

On Wed, Jun 13, 2007 at 02:02:14PM -0600, Henry Hertz Hobbit wrote:
> gnupg-users-request at gnupg.org wrote:
> David Shaw <dshaw at jabberwocky.com> wrote:
> 
> > On Mon, Jun 11, 2007 at 10:24:23PM +0530, Hardeep Singh wrote:
> >> Hi
> >>
> >> When a key is revoked using the revocation certificate, does it have
> >> the same effect as reaching the expiry date of the key? In other words
> >> if I set a key to no expire but generate a revocation certificate, it
> >> is equally safe?
> > 
> > They're similar, but different.  A key that has reached its expiration
> > date is not usable, but a new expiration date can be put on it that
> > makes the key usable again.  A key that has been revoked cannot be
> > easily un-revoked.
> > 
> > Note that I'm talking about whole keys here.  It is possible to
> > un-revoke a revoked user ID on a key.
> 
> How do you unrevoke a key, especially if it is on the keyservers?
> I can think of making a backup of the key, revoking it and then
> sending the revocation to the keyservers, then unpacking the non-
> revoked folder, extending the date, and squirreling that away in
> some safe deposit box just in case I need it some time in the future.
> Once you are pretty sure you will never need it again you can destroy
> the backup.  But that means it is only unrevoked for myself. Was
> that what you meant?

Essentially, yes, though there are simpler ways to do it.  Save a
revoked key to a file and run 'gpgsplit' on it.  Delete the revocation
packet.  Join the parts back together again, and poof: you have a
unrevoked key.

The catch, of course, is that the key on the keyservers is still
revoked.  You can send out this "non-revoked" key, but as soon as
someone refreshes from a keyserver, it'll become revoked again.

There are a few interesting attacks around this sort of packet
tampering.  Say that Alice got a copy of Bob's private key and his
passphrase.  Bob finds this out, and immediately revokes his key and
sends the revocation to a keyserver.  Later, Charlie wants to
communicate with Bob, and Alice "helpfully" gives him a copy of Bob's
un-revoked public key, knowing that she can read anything encrypted to
it.  This doesn't work in practice, as Bob will presumably notice that
Charlie is using a revoked key.  (GPG will actually warn Bob when
decrypting Charlie's message) Still, Alice could get one message that
way...

> But more to the point, what would most people prefer for somebody
> else to do when they no longer intend to use a key, especially if
> it is on the keyservers - allow it to expire or revoke it with
> some message like "key deprecated"?  This is more along the line
> of human usability and preferences, not technical.  I am assuming
> from what has been said that most people want the key revoked,
> rather than just allowing it to elapse and expire like Johannes
> Ullrich does. Any opinions?

I have a different opinion for full keys (for which I mildly favor
revocation because it's an explicit step that means "this key is dead,
full stop") and subkeys, which I'd just let expire.

It's not really a big deal though - either way, the key and/or subkey
isn't usable.

David


From rjh at sixdemonbag.org  Wed Jun 13 22:43:18 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 13 Jun 2007 15:43:18 -0500
Subject: Revoke and expire
In-Reply-To: <46704D46.4090503@securemecca.net>
References: <mailman.4562.1181747856.22484.gnupg-users@gnupg.org>
	<46704D46.4090503@securemecca.net>
Message-ID: <B84CF273-D37C-44CA-9150-144DBBA2E9BC@sixdemonbag.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> How do you unrevoke a key, especially if it is on the keyservers?

You don't.

Data can only be added to keys on the keyservers.  It can't be  
removed.  This is a deliberate design decision on the part of the  
keyservers, and helps to prevent certain kinds of attacks.

However, given that revocations typically happen by adding a  
revocation signature, by removing the revocation signature from your  
own local copy of the key you should be able to make the key usable  
again.

- --
Robert J. Hansen <rjh at sixdemonbag.org>

"Most people are never thought about after they're gone.  'I wonder
where Rob got the plutonium?' is better than most get." -- Phil Munson



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iFYEAREIAAYFAkZwVuYACgkQf2XByo0Cu7NYhADfVZh2PGLikec9+BShXp7ymgrl
2Mm949xhkgFh1ADeM+u2GHMzCfyGXQJkSS1OwEHNiCODrIZ8DGB3JYkBHAQBAQgA
BgUCRnBW5gAKCRC3APSC/q+BCbxwCAC9CchWGx1zXslM/UKnf7mQPAmN+CkWU/js
nh7k3ecfYPNq/sZ3jCtdBgFbTNexirZfdcVa5OATD6WMRjfI8LmOAA1N3cOtzY6v
rLezmITdYSdkuG90sR9pitNDjWVOB21nCwrW69l3fgwP2qNBgEv4bZSqtFxGVdvE
xI/vHRnEGXdBdyU8qwziCT5oxb1KR7szi56E2zcBdCw7+azgIkvCvfZbmo+W66L9
/85AReBM8kDByk0CaHNdJBSB/051Eta/ZtVUuC2BkDcum+828EtLRQCCFXqkSAzJ
HVZ6ARjUKeQDwa7kngVb4yUNKOk24e2pv1MKygLrVvUi9KdUlbAE
=UHqG
-----END PGP SIGNATURE-----


From pubmb01 at skynet.be  Thu Jun 14 08:39:03 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Thu, 14 Jun 2007 08:39:03 +0200
Subject: decrypt : primary key or subkey ?
In-Reply-To: <20070613160408.GA27488@jabberwocky.com>
References: <200706061623.59065.pubmb01@skynet.be>
	<200706131718.54944.pubmb01@skynet.be>
	<20070613160408.GA27488@jabberwocky.com>
Message-ID: <200706140839.03436.pubmb01@skynet.be>

On Wednesday 13 June 2007 18:04:08 David Shaw wrote:
> On Wed, Jun 13, 2007 at 05:18:54PM +0200, Bruno Costacurta wrote:
> > I think that the problem came few months ago : as I changed computer
> > I exported secret key only, but not secret-subkey. And so I
> > installed the keyring but without secret part of my subkey on my
> > current computer.
> >
> > Question: An export-secret should be followed by a
> > export-secret-subkey ?  Correct ?
>
> No. --export-secret exports the whole secret key, including subkeys.
> --export-secret-subkeys exports ONLY the subkeys, and is likely not
> what you want.
>
> David

Humm...so I can definitely not explain why my subkey was unable to decrypt  
message as secret key was not found. Remind: signature validation works fine.
Anyway this not-working key is now revoked...
...and now what is the best way to create / add a new subkey with encryption / 
decryption capabilities (under Linux) ?

Thanks.
Bruno

>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users



-- 
PGP key ID: 0x2e604d51
Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--


From pubmb01 at skynet.be  Thu Jun 14 13:11:40 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Thu, 14 Jun 2007 13:11:40 +0200
Subject: Can someone test my encryption subkey ?
Message-ID: <200706141311.48067.pubmb01@skynet.be>

Hello, 

could you please email me an encrypted message for test ?

PGP key ID: 0x2e604d51
Keyserver hkp://subkeys.pgp.net

Many thanks.

Bye,
Bruno
-- 
PGP key ID: 0x2e604d51
Keyserver hkp://subkeys.pgp.net
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070614/004e6f2b/attachment.pgp 

From guillaume.yziquel at free.fr  Thu Jun 14 13:00:56 2007
From: guillaume.yziquel at free.fr (Guillaume Yziquel)
Date: Thu, 14 Jun 2007 13:00:56 +0200
Subject: Regenerating keys on a cryptocard.
Message-ID: <46711FE8.5070409@free.fr>

Hello,

I've got a cryptocard, and I wish to regenerate keys on it. I've already
got a few keys on it, that I wish to discard. Here's part of the output
of what I did:

> yziquel at seldon:~$ gpg --card-edit
> 
> Version ..........: 1.1
> Manufacturer .....: PPC Card Systems
> Name of cardholder: Guillaume Yziquel
> Signature PIN ....: forced
> 
> Command> admin
> Admin commands are allowed
> 
> Command> generate
> Make off-card backup of encryption key? (Y/n) Y
> 
> gpg: NOTE: keys are already stored on the card!
> 
> Replace existing keys? (y/N) y
> gpg: sending command `SCD SETATTR' to agent failed: ec=6.32769
> gpg: error clearing forced signature PIN flag: general error
> 
> Command>

I do not really get the meaning of this message.

Any help would be highly appreciated.

Sincerely yours,

Guillaume Yziquel.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 370 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20070614/9eafabdb/attachment.pgp 

From pubmb01 at skynet.be  Fri Jun 15 11:35:19 2007
From: pubmb01 at skynet.be (Bruno Costacurta)
Date: Fri, 15 Jun 2007 11:35:19 +0200
Subject: 'export-secret-subkeys' between 2 computers
Message-ID: <200706151135.19984.pubmb01@skynet.be>

Hello to all,

I work on two computer and, as I created a new subkey on the first (test on 
this new key are OK) I'm trying to export this new secret subkey to the 
second computer (keyring and main secret key already present on it) 

'gpg --export-secret-subkey > myfile' on computer A
'gpg --import myfile' on B

However subkjey doesn't appear on B and indeed I cannot decrypt on 
B (but works on A) as secret is not found.
(sorry do not have more log yet as currently present on A)

Are my commands correct ?
Or is there something specific to do to update / exported secret subkey 
between two computers ?

Thanks.
Bye,
Bruno

-- 
PGP key ID: 0x2e604d51
Key server: hkp://subkeys.pgp.net
Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20070615/0bbc574d/attachment.pgp 

From snoken at tunedal.nu  Sat Jun 16 10:58:55 2007
From: snoken at tunedal.nu (Snoken)
Date: Sat, 16 Jun 2007 10:58:55 +0200
Subject: RSA 1024 ridiculous
Message-ID: <200706160932.l5G9W0QT001130@www11.aname.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I just read the latest CRYPTO-GRAM, June 15, 2007, by Bruce Schneier.
He writes:

"We have a new factoring record:  307 digits (1023 bits).  It's a
special number -- 2^1039 - 1 -- but the techniques can be
generalized.  Expect regular 1024-bit numbers to be factored soon.  I
hope RSA application users would have moved away from 1024-bit
security years ago, but for those who haven't yet: wake up.
http://www.physorg.com/news98962171.html "

I suppose this means that 1024 bit RSA-keys are ridiculous and the
Open PGP Card is a joke. And what about all web sites protected by
SSL with a 1024-bit RSA-certificate?
Snoken

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - GPGrelay v0.959

iD8DBQFGc65EWisObvnr8tQRAi0rAJ9jIiFPcG+vojmX874gdNQog5MNfwCdFanW
aF6loNTtu/DC85G4qoyUni8=
=zURT
-----END PGP SIGNATURE-----


From brian at briansmith.org  Sat Jun 16 17:05:20 2007
From: brian at briansmith.org (Brian Smith)
Date: Sat, 16 Jun 2007 22:05:20 +0700
Subject: RSA 1024 ridiculous
In-Reply-To: <200706160932.l5G9W0QT001130@www11.aname.net>
References: <200706160932.l5G9W0QT001130@www11.aname.net>
Message-ID: <000001c7b027$cc874a20$5e01a8c0@Junk>

Snoken wrote:
> I suppose this means that 1024 bit RSA-keys are ridiculous 
> and the Open PGP Card is a joke. And what about all web sites 
> protected by SSL with a 1024-bit RSA-certificate?

This seems to be more-or-less on schedule:
http://en.wikipedia.org/wiki/Key_size#Asymmetric_algorithm_key_lengths

IF you have a life-long digital secret that you want to protect from
people with hundreds of millions of dollars to spend, and you insist on
using RSA public key encryption to protect it during transit over the
internet, then you need to use RSA 15,360 (not a typo) + AES 256 + hope.
But, I think RSA 3072 + AES 128 should be good enough to get you a
waterboarding ticket; even RSA 1024 + 3DES would result in spyware or a
key logger on your client machine to prevent them from having to fill up
the bucket.

Regarding HTTPS: If you go to any SSL certificate vendor, you will see
them talking only about "256 bit SSL" and they usually have no
recommendations at all regarding the RSA key length. The certificate
vendors treat HTTPS as a marketing feature and not a security feature.
As a result, the RSA 1024 + AES 256 is the most common combination I see
when I'm browsing with Firefox.

I cannot find it in the specs right now, but I think that even the
latest S/MIME and PGP/MIME specs only require implementations to support
RSA keys sizes up to 2048 bits. I have used 4096 bit keys for (Thawte
Freemail) S/MIME certificates in Thunderbird and Outlook 2003 without
problems.

Regards,
Brian



From r.post at sara.nl  Sat Jun 16 15:49:35 2007
From: r.post at sara.nl (Remco Post)
Date: Sat, 16 Jun 2007 15:49:35 +0200
Subject: RSA 1024 ridiculous
In-Reply-To: <200706160932.l5G9W0QT001130@www11.aname.net>
References: <200706160932.l5G9W0QT001130@www11.aname.net>
Message-ID: <4673EA6F.7000607@sara.nl>

Snoken wrote:
> Hi,
> I just read the latest CRYPTO-GRAM, June 15, 2007, by Bruce Schneier.
> He writes:
> 
> "We have a new factoring record:  307 digits (1023 bits).  It's a
> special number -- 2^1039 - 1 -- but the techniques can be
> generalized.  Expect regular 1024-bit numbers to be factored soon.  I
> hope RSA application users would have moved away from 1024-bit
> security years ago, but for those who haven't yet: wake up.
> http://www.physorg.com/news98962171.html "
> 
> I suppose this means that 1024 bit RSA-keys are ridiculous and the
> Open PGP Card is a joke. And what about all web sites protected by
> SSL with a 1024-bit RSA-certificate?

As I read the article, last time it took 9 years to generalize the
method used for the special number to any number. Now, my key is valid
for one year, and I expect messages protected by that key to be a secret
for maybe a year longer, that means that at the current rate I'll be
able to use my card for at least 5 more years end maybe longer.

And then still, it takes 11 months on a huge cluster of computers to
factor out my key, or to compare, all of the compute power available in
this country for a substantial amount of time.

I guess you're right, if the nsa is after you, you need stronger keys.
If it's just anybody else, I'd say you'll be safe fo