From hs2412 at gmail.com Sat Nov 1 09:26:09 2008
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sat, 1 Nov 2008 13:56:09 +0530
Subject: Use of gen-random
In-Reply-To: <490B40EA.7010503@optusnet.com.au>
References: <490B40EA.7010503@optusnet.com.au>
Message-ID:

I am sure people have still not explained at a level you would understand. Hence I am having a go.

In physical terms entropy means the amount of disorder. Example, take a square box and add some white marbles to it. Then add some black marbles. At this time all white marbles lie at the lower levels whereas black marbles are at higher levels. Which means there is order, and entropy is less. Shake the box. Now entropy has increased.

In the same way, when you work on the PC, entropy generating processes keep recording random data. For example each person has a different typing speed/habit. This is used as one basis for entropy. Another way is disk access.

When a process asks for random data, it's given out of the pool. The story forward is well explained in the other replies.

Hardeep Singh
http://blog.Hardeep.name

On Fri, Oct 31, 2008 at 11:01 PM, Michael wrote:
> Hi all, I was trying out one of the options of gpg, as it arose during
> a discussion on the group.
>
> gpg --gen-random [012] n
>
> does what I would reasonably expect: generates 'n' random bits of data
> using one of three methods. However, on reading up the option in the man
> page it mentions the possibility of "removing entropy from your system".
>
> Actually, from the man page:
>
> --gen-random 0|1|2
> Emit _____ random bytes of the given quality level. If
> count is not given or zero, an endless sequence of
> random bytes will be emitted. PLEASE, don't use this
> command unless you know what you are doing; it may
> remove precious entropy from the system!
>
>
> Now I'll admit openly I don't always know /exactly/ what I am doing,
> but am prepared to make mistakes to learn.
> At first I thought perhaps
> the documentation writers were having a bit of a joke a la many unix
> man pages have a geeky sense of humour. But on reflection I realise
> that they are being serious here.
>
> So I am curious, how might I _lose_ entropy by _generating_ random
> numbers? What do each of the three methods do?
>
> So I experiment, and generate a small number (20 bits) of random
> numbers at the command line as per
> gpg --gen-random 0 20
> and it outputs what looks like gibberish to me. I won't copy the
> actual output simply because anyone can do this experiment for
> themselves to see the sort of output you get.
>
> But when I use the 2 method, I get an error/warning about running
> diskperf in order to generate disk statistics. Well, I don't have
> diskperf on my windows system (though there may well be a win version, I
> don't know). What I am concerned about is why it might want disk
> statistics and have I "lost precious entropy" from my system?
>
> Let me say, I'm partly humorous here; if I understand roughly what is
> happening, then the danger is to not set a specific number of bits and
> hence run the risk of gen-random simply emitting random data until it
> eventually somehow 'overflows the available randomness' inherent in my
> system. But simply outputting 20 random bits wouldn't risk doing that, so
> my little experiment is fairly safe. Since it doesn't go much into the
> details in the man page about what the methods are, and what the risk
> actually is (it may be highly technical and hence beyond the scope of a
> manual) it seems appropriate to ask in this forum, since it came up.
>
> Although my background is technical, and I can understand mathematical
> expressions, I don't read source code for breakfast and am really more
> curious about the engineering details of what is going on rather than a
> mathematical description. Where does gpg "gather" its randomness, and
> just how much is available in a simple system such as mine?
>
> And just finally, may I take the opportunity to say how much I enjoy
> the various discussions in this group, generally the quality of the
> questions and the help has consistently been excellent.
>
> Cheers for now,
> Michael Kortvelyesy.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From hs2412 at gmail.com Sat Nov 1 09:26:52 2008
From: hs2412 at gmail.com (Hardeep Singh)
Date: Sat, 1 Nov 2008 13:56:52 +0530
Subject: Encrypt / Decrypt Scripts
In-Reply-To: <4AA17D53AB8846B785966F216AB18C16@PCSALTORR>
References: <57aa0910810271752s616971f2o9f146f6aee2866d7@mail.gmail.com> <4AA17D53AB8846B785966F216AB18C16@PCSALTORR>
Message-ID:

so you were on Windows :-) you didn't mention it and I assumed *nix.

Hardeep Singh
http://blog.Hardeep.name

On Wed, Oct 29, 2008 at 9:19 AM, Saltorr wrote:
> Thanks Hardeep,
>
> I think I found a very simple solution.... if the Command ends successfully
> then the ERRORLEVEL will be ZERO (0)
>
>
> REM Encrypt
>
> gpg --batch --encrypt-files -r "KEY" *.zip
>
>
> echo.ERROR LEVEL: %ERRORLEVEL%
>
> IF %ERRORLEVEL% ==0 GOTO ZERO
> IF %ERRORLEVEL% ==2 GOTO TWO
> IF %ERRORLEVEL% ==1 GOTO ONE
>
> GOTO END
>
> :ZERO
> ECHO ENCRYPTION_OKAY !!!!!
> del *.zip
> GOTO END
>
> :TWO
> ECHO PROCESS FAIL
> SEND MAIL
> GOTO END
>
> :ONE
> ECHO PROCESS FAIL
> SEND MAIL
>
> :END
>
> Regards,
> Salvador Torres C.
>
>
> --------------------------------------------------
> From: "Hardeep Singh"
> Sent: Tuesday, October 28, 2008 5:50 AM
> To: "Salvador Torres"
> Cc:
> Subject: Re: Encrypt / Decrypt Scripts
>
>> This may be of help, although it doesn't apply directly:
>>
>> http://blog.hardeep.name/computer/20080904/auto-gpg/
>>
>> Hardeep Singh
>> http://blog.Hardeep.name
>>
>>
>>
>> 2008/10/28 Salvador Torres :
>>>
>>> Hi,
>>> I'm trying to run some Scripts to Encrypt and Decrypt files
>>> automatically..
>>>
>>> now the questions are:
>>>
>>> How can I delete the *.ZIP files after this command is executed without
>>> errors ?
>>>
>>> gpg --batch --encrypt-files -r "KEY" c:\test2\*.zip
>>>
>>> Same case here:
>>>
>>> How can I delete the *.gpg files after this command is executed without
>>> errors and Successfully?
>>>
>>> gpg --passphrase-fd 0 --batch --decrypt-files *.gpg
>>
>>> Thanks,
>>> SalTorr
>>>
>

From ramon.loureiro at upf.edu Sat Nov 1 12:26:08 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Sat, 01 Nov 2008 12:26:08 +0100
Subject: receive my signed keys
Message-ID: <490C3CD0.9010804@upf.edu>

hi
Imagine that I lose my pubring...
Is it possible to ask a keyserver for all the public keys I have signed

gpg --receive-keys-sgned-by 0x80C7D647 ?????

cheers

--
Ramon Loureiro
GPG BE8E 5136 6A32 B5EF 0105 0DFB C559 2ACB 80C7 D647
Thawte Notary
Gossamer Web of Trust http://www.gswot.org

From petersonmaxx at googlemail.com Sat Nov 1 11:55:04 2008
From: petersonmaxx at googlemail.com (M. Peterson)
Date: Sat, 1 Nov 2008 11:55:04 +0100
Subject: GnuPG with Qt Gui for an email client
Message-ID:

Hello

we develop an email client based on c++/ Qt gui and want to ask, if there is some Qt gui for GnuPG: Or if someone has experience in implementing the GnuPG library for an email client or with Qt gui.

Thanks for some hints.

Regards
Max

From jmoore3rd at bellsouth.net Sat Nov 1 12:57:11 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 01 Nov 2008 07:57:11 -0400
Subject: receive my signed keys
In-Reply-To: <490C3CD0.9010804@upf.edu>
References: <490C3CD0.9010804@upf.edu>
Message-ID: <490C4417.7080908@bellsouth.net>

Ramon Loureiro wrote:
> Imagine that I lose my pubring...
> Is it possible to ask a keyserver for all the public keys I have signed

Short Answer = NO

Assuming that You have 'Signed' Keys and returned them to the Key Owner then there is no guarantee that they have 'shared' Your endorsement with the 'Servers'. :(

Look in Your GnuPG Directory and _always_ back-up 'trustdb.gpg' so that Your assigned Trust will always be available.

JOHN ;)
Timestamp: Saturday 01 Nov 2008, 07:56 --400 (Eastern Daylight Time)

From dshaw at jabberwocky.com Sat Nov 1 14:17:44 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 1 Nov 2008 09:17:44 -0400
Subject: receive my signed keys
In-Reply-To: <490C3CD0.9010804@upf.edu>
References: <490C3CD0.9010804@upf.edu>
Message-ID: <68107DE6-B4A1-41C7-AD51-3B181FD2BDD4@jabberwocky.com>

On Nov 1, 2008, at 7:26 AM, Ramon Loureiro wrote:

> hi
> Imagine that I lose my pubring...
> Is it possible to ask a keyserver for all the public keys I have signed
>
> gpg --receive-keys-sgned-by 0x80C7D647 ?????

For most keyservers, there is no way to ask such a question (it actually is possible in the LDAP keyserver, but the LDAP servers - intentionally - aren't synchronized with the rest of the pool).

You can do it yourself though: go to Wotsap and search on your own key in the "Key Statistics" section. This will give you a list of all keys signed by your key. Then fetch those keys from any handy keyserver.

This only works, of course, if the key that you signed is on the keyservers in the first place. If it isn't, then it won't appear in the list and won't be fetchable from the keyservers anyway.

David

From saltorr07 at gmail.com Sat Nov 1 16:57:04 2008
From: saltorr07 at gmail.com (Saltorr)
Date: Sat, 1 Nov 2008 08:57:04 -0700
Subject: Encrypt / Decrypt Scripts
References: <57aa0910810271752s616971f2o9f146f6aee2866d7@mail.gmail.com> <4AA17D53AB8846B785966F216AB18C16@PCSALTORR>
Message-ID: <4D0D6BEC4F4D48FA9094B8F33F4E2BDA@PCSALTORR>

That's true :) .. Thanks.

ST

--------------------------------------------------
From: "Hardeep Singh"
Sent: Saturday, November 01, 2008 1:26 AM
To: "Saltorr"
Cc:
Subject: Re: Encrypt / Decrypt Scripts

> so you were on Windows :-) you didn't mention it and I assumed *nix.
> Hardeep Singh
> http://blog.Hardeep.name
>
>
>
> On Wed, Oct 29, 2008 at 9:19 AM, Saltorr wrote:
>> Thanks Hardeep,
>>
>> I think I found a very simple solution.... if the Command ends
>> successfully
>> then the ERRORLEVEL will be ZERO (0)
>>
>>
>> REM Encrypt
>>
>> gpg --batch --encrypt-files -r "KEY" *.zip
>>
>>
>> echo.ERROR LEVEL: %ERRORLEVEL%
>>
>> IF %ERRORLEVEL% ==0 GOTO ZERO
>> IF %ERRORLEVEL% ==2 GOTO TWO
>> IF %ERRORLEVEL% ==1 GOTO ONE
>>
>> GOTO END
>>
>> :ZERO
>> ECHO ENCRYPTION_OKAY !!!!!
>> del *.zip
>> GOTO END
>>
>> :TWO
>> ECHO PROCESS FAIL
>> SEND MAIL
>> GOTO END
>>
>> :ONE
>> ECHO PROCESS FAIL
>> SEND MAIL
>>
>> :END
>>
>> Regards,
>> Salvador Torres C.
>>
>>
>> --------------------------------------------------
>> From: "Hardeep Singh"
>> Sent: Tuesday, October 28, 2008 5:50 AM
>> To: "Salvador Torres"
>> Cc:
>> Subject: Re: Encrypt / Decrypt Scripts
>>
>>> This may be of help, although it doesn't apply directly:
>>>
>>> http://blog.hardeep.name/computer/20080904/auto-gpg/
>>>
>>> Hardeep Singh
>>> http://blog.Hardeep.name
>>>
>>>
>>>
>>> 2008/10/28 Salvador Torres :
>>>>
>>>> Hi,
>>>> I'm trying to run some Scripts to Encrypt and Decrypt files
>>>> automatically..
>>>>
>>>> now the questions are:
>>>>
>>>> How can I delete the *.ZIP files after this command is executed without
>>>> errors ?
>>>>
>>>> gpg --batch --encrypt-files -r "KEY" c:\test2\*.zip
>>>>
>>>> Same case here:
>>>>
>>>> How can I delete the *.gpg files after this command is executed without
>>>> errors and Successfully?
>>>>
>>>> gpg --passphrase-fd 0 --batch --decrypt-files *.gpg
>>>
>>>> Thanks,
>>>> SalTorr
>>>>
>>

From ramon.loureiro at upf.edu Sat Nov 1 22:57:49 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Sat, 01 Nov 2008 22:57:49 +0100
Subject: receive my signed keys
In-Reply-To: <68107DE6-B4A1-41C7-AD51-3B181FD2BDD4@jabberwocky.com>
References: <490C3CD0.9010804@upf.edu> <68107DE6-B4A1-41C7-AD51-3B181FD2BDD4@jabberwocky.com>
Message-ID: <490CD0DD.2060804@upf.edu>

David Shaw wrote:
> On Nov 1, 2008, at 7:26 AM, Ramon Loureiro wrote:
>
>> hi Imagine that I lose my pubring... Is it possible to ask a
>> keyserver for all the public keys I have signed
>>
>> gpg --receive-keys-sgned-by 0x80C7D647 ?????
>
> For most keyservers, there is no way to ask such a question (it
> actually is possible in the LDAP keyserver, but the LDAP servers -
> intentionally - aren't synchronized with the rest of the pool).
>
> You can do it yourself though: go to Wotsap and search on your own
> key in the "Key Statistics" section. This will give you a list of
> all keys signed by your key. Then fetch those keys from any handy
> keyserver.
>

Very cool application!

> This only works, of course, if the key that you signed is on the
> keyservers in the first place. If it isn't, then it won't appear
> in the list and won't be fetchable from the keyservers anyway.

I wonder why the keyserver he/they use (http://wwwkeys.ch.pgp.net:11371/pks/) is not synced with the others (I found a very old version of my key...)

--
Ramon Loureiro
GPG BE8E 5136 6A32 B5EF 0105 0DFB C559 2ACB 80C7 D647
Thawte Notary
Gossamer Web of Trust http://www.gswot.org

From kevhilton at gmail.com Mon Nov 3 03:55:26 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 2 Nov 2008 20:55:26 -0600
Subject: Anyone know what became of the Gaim-E Project?
Message-ID: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com>

Just wondering if anyone was familiar with the Gaim-E project? Supposedly this was a plugin for the former IM client Gaim - now known as Pidgin -- that provided for encrypted IM communication using GnuPG.

http://sourceforge.net/projects/gaim-e/

Interesting concept, however looks as if the project was abandoned.

--
Kevin Hilton

From rjh at sixdemonbag.org Mon Nov 3 04:33:02 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 02 Nov 2008 22:33:02 -0500
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com>
Message-ID: <1225683182.14456.4.camel@chronicles>

> Interesting concept, however looks as if the project was abandoned.

It died due to lack of interest, mostly. Some IM protocols require short message blocks; OpenPGP messages are usually quite long.
Thus, Gaim-E was never able to support as many protocols as Gaim/Pidgin itself could.

A different project, OTR, provides confidential instant messaging. I have some minor quibbles with it, but all in all, OTR seems to be the best thing going for IM confidentiality.

From faramir.cl at gmail.com Mon Nov 3 04:49:57 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 03 Nov 2008 00:49:57 -0300
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <1225683182.14456.4.camel@chronicles>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225683182.14456.4.camel@chronicles>
Message-ID: <490E74E5.4090707@gmail.com>

Robert J. Hansen wrote:
>> Interesting concept, however looks as if the project was abandoned.
>
> It died due to lack of interest, mostly. Some IM protocols require
> short message blocks; OpenPGP messages are usually quite long. Thus,
> Gaim-E was never able to support as many protocols as Gaim/Pidgin itself
> could.
>
> A different project, OTR, provides confidential instant messaging. I
> have some minor quibbles with it, but all in all, OTR seems to be the
> best thing going for IM confidentiality.

Also, there is a plugin named Pidgin-Encryption http://pidgin-encrypt.sourceforge.net/

I don't know which one is better, but at least, there are things to provide encryption...

Best Regards

From jmoore3rd at bellsouth.net Mon Nov 3 05:09:42 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 02 Nov 2008 23:09:42 -0500
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <1225683182.14456.4.camel@chronicles>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225683182.14456.4.camel@chronicles>
Message-ID: <490E7986.9080408@bellsouth.net>

Robert J. Hansen wrote:
>> Interesting concept, however looks as if the project was abandoned.
>
> It died due to lack of interest, mostly. Some IM protocols require
> short message blocks; OpenPGP messages are usually quite long. Thus,
> Gaim-E was never able to support as many protocols as Gaim/Pidgin itself
> could.
>
> A different project, OTR, provides confidential instant messaging. I
> have some minor quibbles with it, but all in all, OTR seems to be the
> best thing going for IM confidentiality.

There is also a Plug-In for Pidgin called RSA Encryption that provides seamless IM Encryption as well.

JOHN ;)
Timestamp: Sunday 02 Nov 2008, 23:09 --500 (Eastern Standard Time)

From elmer.espinosa at gmail.com Mon Nov 3 04:02:15 2008
From: elmer.espinosa at gmail.com (Elmer Espinosa)
Date: Mon, 3 Nov 2008 11:02:15 +0800
Subject: Checksum
Message-ID: <78f71be20811021902k2fa569d1ucc4c2428007451f4@mail.gmail.com>

Hi to all,

I am a little bit confused what is checksum in encryption and decryption.

Thanks,
Aylmer

From Moritz.Schulte at rub.de Sun Nov 2 14:31:11 2008
From: Moritz.Schulte at rub.de (Moritz Schulte)
Date: 2 Nov 2008 14:31:11 +0100
Subject: Poldi and kdesu
In-Reply-To: <49083CB3.8030504@gmx.de>
References: <49083CB3.8030504@gmx.de>
Message-ID: <490DAB9F.8090406@rub.de>

Hi,

> But there is a problem with kdesu. It only works when the PIN of my card
> is already cached.

I cannot really see right now, what's wrong in respect to kdesu. But it needs to be debugged of course. Please add to your poldi.conf file something like:

# Specify the log file:
log-file /home/moritz/logs/poldi.txt
# Enable debugging messages
debug

And send me (private mail) the relevant debugging messages. (Note that poldi.conf is not a per-user configuration file stored beneath ~/.gnupg but a system configuration file stored wherever your SYSCONFDIR is located (e.g.
/usr/local/etc/poldi/poldi.conf...)).

Furthermore you could do the same for scdaemon/gpg-agent:

In my ~/.gnupg/gpg-agent.conf and in my ~/.gnupg/scdaemon.conf I have:

verbose
debug-all
log-file /home/moritz/logs/gpg-agent # or .../logs/scdaemon

Make sure that the logs do not contain any sensitive information, e.g. the PIN in scdaemon logs (I think that can happen...).

thanks,
mo

From kevhilton at gmail.com Mon Nov 3 13:37:29 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Mon, 3 Nov 2008 06:37:29 -0600
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com>
Message-ID: <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com>

As others have mentioned there is another pidgin encryption technique: http://pidgin-encrypt.sourceforge.net/ . This project also seems to have stalled if I'm looking at the release dates as an appropriate indication.

The OTR website specifically addresses this plugin with the following:

"How is this different from the pidgin-encryption plugin?

The pidgin-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past pidgin-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!"

This explanation doesn't make a lot of sense to me.
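
The forward-secrecy property described in the OTR FAQ passage quoted above, as an added example that is not part of the original thread: one recorded message encrypted to a long-lived key, and one encrypted under a key agreed from throwaway key pairs. The Diffie-Hellman parameters, the SHA-256 keystream and all function names are toy assumptions made for this sketch; a real protocol also authenticates the ephemeral exchange, which is left out here.

```python
import hashlib
import secrets

# Toy parameters (assumption for this example): classic Diffie-Hellman modulo
# the prime 2**255 - 19 with base 2. Not a vetted group; illustration only.
P = 2**255 - 19
G = 2
MESSAGE = b"meet at noon"  # constructed sample plaintext


def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(own_priv, peer_pub):
    """Hash the DH shared secret into a 32-byte symmetric key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher (SHA-256 in counter mode); encrypt == decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def send_to_long_term_key(recipient_pub, plaintext):
    """Model 1: every message is encrypted to the recipient's long-lived key.

    Returns what an eavesdropper can record from the wire.
    """
    eph_priv, eph_pub = keypair()
    key = derive_key(eph_priv, recipient_pub)
    return {"sender_pub": eph_pub, "ciphertext": xor_stream(key, plaintext)}


def ephemeral_session(plaintext):
    """Model 2: both sides use throwaway key pairs for this session only.

    The private halves and the session key are never stored; they are gone
    when this function returns. Returns what an eavesdropper can record.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = derive_key(a_priv, b_pub)
    assert key == derive_key(b_priv, a_pub)  # both ends agree on the key
    return {"a_pub": a_pub, "b_pub": b_pub,
            "ciphertext": xor_stream(key, plaintext)}


def demo():
    """Record both kinds of traffic, then compromise the long-term key."""
    long_priv, long_pub = keypair()  # the key that lives on the user's disk
    recorded_static = send_to_long_term_key(long_pub, MESSAGE)
    recorded_eph = ephemeral_session(MESSAGE)

    # Later: the machine is compromised and long_priv is read from disk.
    key = derive_key(long_priv, recorded_static["sender_pub"])
    static_recovered = xor_stream(key, recorded_static["ciphertext"]) == MESSAGE

    # The same stolen key combined with either recorded ephemeral public
    # value does not reproduce the session key of the second model.
    eph_recovered = any(
        xor_stream(derive_key(long_priv, pub), recorded_eph["ciphertext"]) == MESSAGE
        for pub in (recorded_eph["a_pub"], recorded_eph["b_pub"])
    )
    return static_recovered, eph_recovered


if __name__ == "__main__":
    print(demo())
```

The first model is retroactively readable once the stored private key leaks; in the second, the stolen long-term key is of no use against recorded traffic because the values needed to rebuild the session key were discarded.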

From gordian.klein at gmx.de Mon Nov 3 16:10:47 2008
From: gordian.klein at gmx.de (Gordian Klein)
Date: Mon, 03 Nov 2008 16:10:47 +0100
Subject: Poldi and kdesu
In-Reply-To: <490DAB9F.8090406@rub.de>
References: <49083CB3.8030504@gmx.de> <490DAB9F.8090406@rub.de>
Message-ID: <490F1477.3020302@gmx.de>

Hello again,

I'm very happy to tell you that I found the Problem :-)
It seems that kdesu is looking for a ':' at the end of the Password Prompt.
In pam_poldi the prompt is '||Please enter the PIN' (inside getpin-cb.c).
This didn't work.
But when I put a ':' at the end so that the prompt now is '||Please enter the PIN:' kdesu just works fine.
I don't know if this is a bug in kdesu or pam_poldi.

Nevertheless I have found another problem concerning scdaemon:
When I'm logged in to my linux as normal user with scdaemon running and then do a
sudo somecmd
I get an scdaemon error:
(scdaemon log:)

2008-11-03 16:04:59 scdaemon[7575] Handhabungsroutine für fd -1 gestartet
2008-11-03 16:04:59 scdaemon[7575] PC/SC OPEN failed: sharing violation
scdaemon[7575.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[7575.0] DBG: <- SERIALNO
2008-11-03 16:04:59 scdaemon[7575] no supported card application found: Allgemeiner Fehler
scdaemon[7575.0] DBG: -> ERR 100663297 Allgemeiner Fehler
scdaemon[7575.0] DBG: <- SERIALNO
2008-11-03 16:04:59 scdaemon[7575] no supported card application found: Allgemeiner Fehler
scdaemon[7575.0] DBG: -> ERR 100663297 Allgemeiner Fehler
scdaemon[7575.0] DBG: <- RESTART
scdaemon[7575.0] DBG: -> OK
scdaemon[7575.0] DBG: <- BYE
scdaemon[7575.0] DBG: -> OK closing connection
2008-11-03 16:04:59 scdaemon[7575] Handhabungsroutine für den fd -1 beendet
2008-11-03 16:05:01 scdaemon[7575] scdaemon (GnuPG) 2.0.9 angehalten

I guess the problem is the line "PC/SC OPEN failed: sharing violation".
What can I do here?

If I kill all scdaemons and do a sudo it works fine.

Thank you!
Regards,
Gordian Klein

From rjh at sixdemonbag.org Mon Nov 3 16:12:43 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 03 Nov 2008 07:12:43 -0800
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com>
Message-ID: <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net>

> The pidgin-encryption plugin provides encryption and
> authentication, but not deniability or perfect forward secrecy. If an
> attacker or a virus gets access to your machine, all of your past
> pidgin-encryption conversations are retroactively compromised.
> Further, since all of the messages are digitally signed, there is
> difficult-to-deny proof that you said what you did: not what we want
> for a supposedly private conversation!"

This is increasingly off-topic from GnuPG; let's bring this thread to a close pretty soon.

I don't buy OTR's hype, which is basically what you're quoting here. What they're saying is simple: if an attacker eavesdrops on your secured communications and gets copies of them, then if the attacker is able to compromise your box, the attacker can get your GnuPG key and use it to decrypt previously sent Gaim-E traffic.

I also don't buy the argument that an OpenPGP signature is difficult to deny. Or, perhaps, the problem is that I _do_ buy the argument. Signature semantics are the most pernicious part of OpenPGP, if you ask me.
I can count on my hands the number of people I know whom I think have a good grip on signature semantics.

A correct signature from a valid key belonging to a trusted party means the reader can feel confident the message is in the same state as the signer saw it. That's all. Nothing else.

Imagine that Alice sends Bob a very short note. "I love you." Bob, who wants to gloat about his romantic victory to his archrival Charlie, forwards Alice's message on to Charlie... but Bob's mailer appends a signature to the message. Now Charlie has a signed message from Bob in which Bob appears to swear his love for Charlie. Major embarrassment ensues because everybody thinks the signature is proof that Bob wrote the message, when he actually didn't.

The absence of a signature is also not proof of anything other than the absence of a signature. Imagine that I'm concerned about people forging my messages, so I make it a point to sign everything. A malicious undergrad, upset over the grade I gave, decides to ruin my reputation anyway by posting vitriolic, hate-filled messages to a white supremacist mailing list using my name. When the Dean summons me to explain my actions, I say "... but that's not me! I sign everything! I have a years-long history of signing everything!" The Dean, who is a smart mathematician, will say "ah, but perhaps you deliberately left your signature off these messages so you could deny them later if they surfaced. You understand that we have to open an investigation into you, Rob, correct?"

So my objection to OTR's characterization of OpenPGP signatures as "difficult-to-deny proof" is that it's simply not so. The public misconceptions around signatures are so vast that I seriously doubt the utility of signatures. Most people don't understand them and don't especially want to, either.

From kevhilton at gmail.com Mon Nov 3 16:58:41 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Mon, 3 Nov 2008 09:58:41 -0600
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com> <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net>
Message-ID: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com>

I'm going to try to steer this back onto a relevant topic

Robert I love your "off the cuff feelings" about things. It's when you are at your best.

Question: What value do signatures serve then however other than to provide data authentication but not sender authentication? How can you be sure in any case that if you get an unsigned transmission, that the data is secure, was altered, or that a signature was just mistakenly not appended?

As a counter argument -- if the private key was stolen and a message signed using the stolen signature, it really doesn't act to prove sender authenticity either -- but I guess it does serve to prove data authenticity. So in the best case scenario if the private keys are kept truly private and secure, the signature mechanism works as designed. In unideal circumstances however, this "trust" mechanism falls apart however. Seems like somewhat of a quandary?

From gordian.klein at gmx.de Mon Nov 3 17:54:09 2008
From: gordian.klein at gmx.de (Gordian Klein)
Date: Mon, 03 Nov 2008 17:54:09 +0100
Subject: Poldi and kdesu
In-Reply-To: <490F1477.3020302@gmx.de>
References: <49083CB3.8030504@gmx.de> <490DAB9F.8090406@rub.de> <490F1477.3020302@gmx.de>
Message-ID: <490F2CB1.9060404@gmx.de>

Hello again,

just in case someone wants to see the (poor) changes I made I'm sending a diff to the current head of the pam_poldi trunk. (revision 150 I think)
It includes the new ':' signs and two new options:
--quiet (works only for localdb authentication)
--timeout x (x is an integer) (time to wait for a card, 0 means infinite)

Regards,
Gordian Klein

Gordian Klein wrote:
> Hello again,
>
> I'm very happy to tell you that I found the Problem :-)
> It seems that kdesu is looking for a ':' at the end of the Password Prompt.
> In pam_poldi the prompt is '||Please enter the PIN' (inside getpin-cb.c).
> This didn't work.
> But when I put a ':' at the end so that the prompt now is '||Please
> enter the PIN:' kdesu just works fine.
> I don't know if this is a bug in kdesu or pam_poldi.
>
> Nevertheless i have found another problem concerning scdaemon:
> When im logged in to my linux as normal user with scdaemon running and
> then do a
> sudo somecmd
> i get an scdaemon error:
> (scdamon log:)
>
> 2008-11-03 16:04:59 scdaemon[7575] Handhabungsroutine für fd -1 gestartet
> 2008-11-03 16:04:59 scdaemon[7575] PC/SC OPEN failed: sharing violation
> scdaemon[7575.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
> scdaemon[7575.0] DBG: <- SERIALNO
> 2008-11-03 16:04:59 scdaemon[7575] no supported card application found:
> Allgemeiner Fehler
> scdaemon[7575.0] DBG: -> ERR 100663297 Allgemeiner Fehler
> scdaemon[7575.0] DBG: <- SERIALNO
> 2008-11-03 16:04:59 scdaemon[7575] no supported card application found:
> Allgemeiner Fehler
> scdaemon[7575.0] DBG: -> ERR 100663297 Allgemeiner Fehler
> scdaemon[7575.0] DBG: <- RESTART
> scdaemon[7575.0] DBG: -> OK
> scdaemon[7575.0] DBG: <- BYE
> scdaemon[7575.0] DBG: -> OK closing connection
> 2008-11-03 16:04:59 scdaemon[7575] Handhabungsroutine für den fd -1 beendet
> 2008-11-03 16:05:01 scdaemon[7575] scdaemon (GnuPG) 2.0.9 angehalten
>
> i guess the problem is the line "PC/SC OPEN failed: sharing violation".
> What can i do here?
>
> If i kill all scdaemons and do a sudo it works fine.
>
> Thank you!
> Regards,
> Gordian Klein
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: quietmode-timeout-kdesufix.dif Type: video/dv Size: 5828 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: quietmode-timeout-kdesufix.dif.sig Type: application/pgp-signature Size: 158 bytes Desc: not available URL: From david at miradoiro.com Mon Nov 3 17:23:32 2008 From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=) Date: Mon, 3 Nov 2008 17:23:32 +0100 Subject: Anyone know what became of the Gaim-E Project? References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><1225682203.14456.3.camel@chronicles><96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com><96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com><20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> Message-ID: <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> As far as I'm concerned signature semantics are indeed a bit problematic, not the least reason being that it isn't really the user who signs, but a piece of software, ideally by the agency of the user, but in actuality this is in itself hard to verify. I think an idea is that digital signatures should rather be regarded as seals, like in the ancient days when documents were authenticated that way. The reason I think this is a better metaphor is it follows more closely the reality of digital signing: it authentifies that the document passed through the hands of the seal-holder, but was not necessarily authored by them; it gives a clear feel of what happens when you lose your privkey (same as when you lose a seal, anyone can seal with it); and it detaches the idea of signing (which often implies active consent) from sealing (which is more like a mechanical act), which is good because a digital seal can end up there by accident (for instance if someone does not compromise your keys but compromises your mail client, they might be able to get you to send something with your seal). 
Where I have a difference is in the I love you example. Clearly you could send the unsealed data (plaintext, whatever) to someone else and end up in trouble, but the reasonable thing to do would be to send the document sealed by the original sender, as you received it, same as when you forward an e-mail the headers are on top indicating it does not come from you, so the example is, I think, a bit contrived and inapplicable. --David. From rjh at sixdemonbag.org Mon Nov 3 18:34:50 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 3 Nov 2008 12:34:50 -0500 Subject: Anyone know what became of the Gaim-E Project? In-Reply-To: <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><1225682203.14456.3.camel@chronicles><96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com><96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com><20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> Message-ID: <793EDA5F-DAF6-4256-91B8-7CD3514B72DE@sixdemonbag.org> > Where I have a difference is in the I love you example. Clearly you > could send the unsealed data (plaintext, whatever) to someone else > and end up in trouble, but the reasonable thing to do would be to > send the document sealed by the original sender, as you received it, > same as when you forward an e-mail the headers are on top indicating > it does not come from you, so the example is, I think, a bit > contrived and inapplicable. To turn the "I love you" example into an attack, consider this: Alice sends Bob a message saying "Remember, you need to deliver the product at midnight." Bob, who doesn't want responsibility for delivering the product, cuts-and-pastes Alice's message and sends it on to Charlie, forging it as being from Alice. 
Charlie receives a message that seems to be from Alice, has a meaningful message, and has a valid signature from a trusted key. Charlie delivers the product at midnight. The next day Alice sees the product was delivered, and sends Bob a message saying "thank you for delivering the product, the check is in the mail." Presto, Bob gets paid for Charlie's work. Yes, attacks like these have been spotted in the wild. Schneier's blog covered one of them recently, an outfit that used attacks like these in connection with long distance trucking companies. Fascinating work, really. From kloecker at kde.org Mon Nov 3 21:08:29 2008 From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Mon, 03 Nov 2008 21:08:29 +0100 Subject: Anyone know what became of the Gaim-E Project? In-Reply-To: <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> Message-ID: <200811032108.36699@thufir.ingo-kloecker.de> On Monday 03 November 2008, David Pic?n ?lvarez wrote: > As far as I'm concerned signature semantics are indeed a bit > problematic, not the least reason being that it isn't really the user > who signs, but a piece of software, ideally by the agency of the > user, but in actuality this is in itself hard to verify. I think an > idea is that digital signatures should rather be regarded as seals, > like in the ancient days when documents were authenticated that way. 
> The reason I think this is a better metaphor is it follows more
> closely the reality of digital signing: it authentifies that the
> document passed through the hands of the seal-holder, but was not
> necessarily authored by them; it gives a clear feel of what happens
> when you lose your privkey (same as when you lose a seal, anyone can
> seal with it); and it detaches the idea of signing (which often
> implies active consent) from sealing (which is more like a mechanical
> act), which is good because a digital seal can end up there by
> accident (for instance if someone does not compromise your keys but
> compromises your mail client, they might be able to get you to send
> something with your seal).

There's a slight problem with the seal analogy. The seal has to be broken before one can read the letter and once the seal has been broken it does no longer prove anything. This can even be a good thing because it would have prevented the "Remember, you need to deliver the product at midnight." attack described by Robert (unless Bob would have forwarded the sealed letter to Charlie without having read it).

Regards,
Ingo

From david at miradoiro.com Mon Nov 3 22:23:08 2008
From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=)
Date: Mon, 3 Nov 2008 22:23:08 +0100
Subject: Anyone know what became of the Gaim-E Project?
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com><4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <200811032108.36699@thufir.ingo-kloecker.de>
Message-ID:

From: "Ingo Klöcker"

"There's a slight problem with the seal analogy. The seal has to be broken before one can read the letter and once the seal has been broken it does no longer prove anything."

I was referring to seals as in http://en.wikipedia.org/wiki/Seal_(device) and not in the sense of closing a letter with glue. The kind of seals you stamp on the letter (or other documents like laws) itself. It's true that these seals could also be used to impress over a closed envelope and assure confidentiality, so that once opened they could not be used to verify again. That would be the equivalent of opaque signing, where you encrypt first and sign later. --David. From david at miradoiro.com Mon Nov 3 22:08:03 2008 From: david at miradoiro.com (=?iso-8859-1?Q?David_Pic=F3n_=C1lvarez?=) Date: Mon, 3 Nov 2008 22:08:03 +0100 Subject: Anyone know what became of the Gaim-E Project? References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><1225682203.14456.3.camel@chronicles><96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com><96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com><20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <793EDA5F-DAF6-4256-91B8-7CD3514B72DE@sixdemonbag.org> Message-ID: <2B2A38E5454946449B89AB585F41F205@Nautilus> From: "Robert J. Hansen" > To turn the "I love you" example into an attack, consider this: Alice > sends Bob a message saying "Remember, you need to deliver the product at > midnight." Bob, who doesn't want responsibility for delivering the > product, cuts-and-pastes Alice's message and sends it on to Charlie, > forging it as being from Alice. Charlie receives a message that seems to > be from Alice, has a meaningful message, and has a valid signature from a > trusted key. Charlie delivers the product at midnight. The next day > Alice sees the product was delivered, and sends Bob a message saying > "thank you for delivering the product, the check is in the mail." Fair enough, but I think all these examples rely on faulty or insufficient metadata. 
For instance if the from, to, cc, bcc and subject headers were included in the sealing, things like this would not happen. (Not sure exactly what headers pgp-mime does include much less s/mime). --David. From dshaw at jabberwocky.com Mon Nov 3 22:47:01 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 3 Nov 2008 16:47:01 -0500 Subject: Signature semantics (was Re: Anyone know what became of the Gaim-E Project?) In-Reply-To: <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> References: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> Message-ID: <20081103214701.GD17229@jabberwocky.com> On Mon, Nov 03, 2008 at 05:23:32PM +0100, David Pic?n ?lvarez wrote: > As far as I'm concerned signature semantics are indeed a bit problematic, > not the least reason being that it isn't really the user who signs, but a > piece of software, ideally by the agency of the user, but in actuality > this is in itself hard to verify. I think an idea is that digital > signatures should rather be regarded as seals, like in the ancient days > when documents were authenticated that way. The reason I think this is a > better metaphor is it follows more closely the reality of digital > signing: it authentifies that the document passed through the hands of > the seal-holder, but was not necessarily authored by them; it gives a > clear feel of what happens when you lose your privkey (same as when you > lose a seal, anyone can seal with it); and it detaches the idea of > signing (which often implies active consent) from sealing (which is more > like a mechanical act), which is good because a digital seal can end up > there by accident (for instance if someone does not compromise your keys > but compromises your mail client, they might be able to get you to send > something with your seal). OpenPGP (properly) does not get very involved in the meaning of a signature. 
Regular signatures, in fact, are defined in RFC-4880 as "This means the signer owns it, created it, or certifies that it has not been modified." which is fairly wide open to whatever meaning anyone wants to apply to it (that's a feature, not a bug).

> Where I have a difference is in the I love you example. Clearly you could
> send the unsealed data (plaintext, whatever) to someone else and end up
> in trouble, but the reasonable thing to do would be to send the document
> sealed by the original sender, as you received it, same as when you
> forward an e-mail the headers are on top indicating it does not come from
> you, so the example is, I think, a bit contrived and inapplicable.

The problem with a seal or a signature is that it doesn't say anything about the intended recipient of the message. It's very easy for someone to forward the message elsewhere as a man-in-the-middle.

An example using OpenPGP in particular: Alice sends Baker the signed "I love you" message. Baker then forwards it to his rival Charlie. Charlie sees a signed message from Alice, without any indication that he is not the real recipient, and proceeds to make a fool of himself.

Encryption doesn't help this situation as (in most cryptosystems), the encryption is a wrapper around the signature.

So Alice creates this:

  "I love you"

and signs it:

  Alice_sign( "I love you" )

now encrypts it to Baker:

  Encrypt_Baker( Alice_sign( "I love you" ) )

Baker gets it, and decrypts it:

  Alice_sign( "I love you" )

Then encrypts it again to Charlie:

  Encrypt_Charlie( Alice_sign( "I love you" ) )

One lesson that can be learned from this is that the signed portion of a message should contain sufficient context so that the message cannot be repurposed in this fashion.

Also, Alice should know better than to trust Baker. The cad.

David

From rjh at sixdemonbag.org Mon Nov 3 22:50:06 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 3 Nov 2008 16:50:06 -0500
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <2B2A38E5454946449B89AB585F41F205@Nautilus> References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><1225682203.14456.3.camel@chronicles><96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com><96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com><20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <793EDA5F-DAF6-4256-91B8-7CD3514B72DE@sixdemonbag.org> <2B2A38E5454946449B89AB585F41F205@Nautilus> Message-ID: > Fair enough, but I think all these examples rely on faulty or > insufficient metadata. For instance if the from, to, cc, bcc and > subject headers were included in the sealing, things like this would > not happen. (Not sure exactly what headers pgp-mime does include > much less s/mime). How is Alice supposed to know what metadata is necessary? Alice isn't omniscient. Even if Alice puts in metadata A, B and C, Bob will just use an attack that relies on the non-presence of metadata D. From dshaw at jabberwocky.com Mon Nov 3 23:04:56 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 3 Nov 2008 17:04:56 -0500 Subject: Seals (was Re: Anyone know what became of the Gaim-E Project?) In-Reply-To: References: <200811032108.36699@thufir.ingo-kloecker.de> Message-ID: <20081103220456.GE17229@jabberwocky.com> On Mon, Nov 03, 2008 at 10:23:08PM +0100, David Pic?n ?lvarez wrote: > From: "Ingo Kl?cker" > "There's a slight problem with the seal analogy. The seal has to be > broken before one can read the letter and once the seal has been broken > it does no longer prove anything." > > I was referring to seals as in http://en.wikipedia.org/wiki/Seal_(device) > and not in the sense of closing a letter with glue. The kind of seals you > stamp on the letter (or other documents like laws) itself. 
It's true that > these seals could also be used to impress over a closed envelope and > assure confidentiality, so that once opened they could not be used to > verify again. That would be the equivalent of opaque signing, where you > encrypt first and sign later. Rather offtopic, but I read an interesting paper on seals a while back (I'm afraid I don't recall where offhand). Seals never really assured confidentiality. A person who wanted to open a letter would just make a mold of the seal, melt it free, read the letter and then re-make the seal using the mold. The countermeasure was to use multiple colors in the seal so that melting it free would mix up the colors so the new seal wouldn't look right. The catch was that you'd have to send a drawing of how the first seal looked using a different communications channel so the recipient could compare... David From rjh at sixdemonbag.org Tue Nov 4 00:38:08 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 3 Nov 2008 18:38:08 -0500 Subject: Signature semantics (was Re: Anyone know what became of the Gaim-E Project?) In-Reply-To: <20081103214701.GD17229@jabberwocky.com> References: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <20081103214701.GD17229@jabberwocky.com> Message-ID: <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org> > which is fairly wide open to whatever meaning > anyone wants to apply to it (that's a feature, not a bug). Right, and this much doesn't bother me. It's when people start ascribing meaning to bad signatures, or the nonexistence of signatures, that I begin to get frustrated. A bad signature doesn't mean the message was tampered with -- the alteration could have been in the signature and not the message itself, just to name one possibility. The flaw isn't in OpenPGP, but rather in the popular conception (or, in this case, misconception) of it. 
From dshaw at jabberwocky.com Tue Nov 4 06:32:19 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 4 Nov 2008 00:32:19 -0500 Subject: Anyone know what became of the Gaim-E Project? In-Reply-To: <2B2A38E5454946449B89AB585F41F205@Nautilus> References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com><1225682203.14456.3.camel@chronicles><96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com><96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com><20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <793EDA5F-DAF6-4256-91B8-7CD3514B72DE@sixdemonbag.org> <2B2A38E5454946449B89AB585F41F205@Nautilus> Message-ID: <369A3FB6-CEC4-41B3-92BF-60B4122A2168@jabberwocky.com> On Nov 3, 2008, at 4:08 PM, David Pic?n ?lvarez wrote: > From: "Robert J. Hansen" >> To turn the "I love you" example into an attack, consider this: >> Alice sends Bob a message saying "Remember, you need to deliver the >> product at midnight." Bob, who doesn't want responsibility for >> delivering the product, cuts-and-pastes Alice's message and sends >> it on to Charlie, forging it as being from Alice. Charlie receives >> a message that seems to be from Alice, has a meaningful message, >> and has a valid signature from a trusted key. Charlie delivers >> the product at midnight. The next day Alice sees the product was >> delivered, and sends Bob a message saying "thank you for >> delivering the product, the check is in the mail." > > Fair enough, but I think all these examples rely on faulty or > insufficient metadata. For instance if the from, to, cc, bcc and > subject headers were included in the sealing, things like this would > not happen. (Not sure exactly what headers pgp-mime does include > much less s/mime). Both PGP/MIME and S/MIME are built over MIME, and have the same metadata protection. Specifically, none of the mail headers are included. 
This is not a flaw - it's just not how MIME handles this sort of thing (with some headers covered, and some not). If you want to protect a message, you protect the entire thing as a message/rfc822 object which is completely covered. Think of it as treating the message you are protecting as an attachment to another message.

David

From kloecker at kde.org Tue Nov 4 11:25:54 2008
From: kloecker at kde.org (Ingo =?iso-8859-1?q?Kl=F6cker?=)
Date: Tue, 04 Nov 2008 11:25:54 +0100
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To:
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <2B2A38E5454946449B89AB585F41F205@Nautilus>
Message-ID: <200811041125.59371@thufir.ingo-kloecker.de>

On Monday 03 November 2008, Robert J. Hansen wrote:
> > Fair enough, but I think all these examples rely on faulty or
> > insufficient metadata. For instance if the from, to, cc, bcc and
> > subject headers were included in the sealing, things like this
> > would not happen. (Not sure exactly what headers pgp-mime does
> > include much less s/mime).
>
> How is Alice supposed to know what metadata is necessary? Alice
> isn't omniscient. Even if Alice puts in metadata A, B and C, Bob
> will just use an attack that relies on the non-presence of metadata
> D.

It's not Alice, but Charlie who needs to know what metadata he needs to trust that the message was meant for him. If this metadata is not present he should ignore the message or ask Alice for confirmation. Alice might have made the attack possible, but it's Charlie who has fallen for the attack. He's to blame, not Alice.

Regards,
Ingo

From gordian.klein at gmx.de Tue Nov 4 13:49:54 2008
From: gordian.klein at gmx.de (Gordian Klein)
Date: Tue, 04 Nov 2008 13:49:54 +0100
Subject: Poldi and kdesu
In-Reply-To: <490F1477.3020302@gmx.de>
References: <49083CB3.8030504@gmx.de> <490DAB9F.8090406@rub.de> <490F1477.3020302@gmx.de>
Message-ID: <491044F2.5040901@gmx.de>

Hello again,

sudo works now.

> i guess the problem is the line "PC/SC OPEN failed: sharing violation".
> What can i do here?
>
> If i kill all scdaemons and do a sudo it works fine.
>

The problem was that the env variable GPG_AGENT_INFO was not set for root. So pam_poldi tries to start a new scdaemon instead of querying gpg-agent for the current one. I don't know why, but the second scdaemon has no access to the openpgp card.

So in /etc/sudoers i added GPG_AGENT_INFO to the env_keep line. Now pam_poldi finds gpg-agent and therewith the currently running scdaemon and so sudo works.

Is adding GPG_AGENT_INFO to env_keep a security risk?

Regards,
Gordian Klein

From a24061 at ducksburg.com Tue Nov 4 14:53:07 2008
From: a24061 at ducksburg.com (Adam Funk)
Date: Tue, 4 Nov 2008 13:53:07 +0000
Subject: Seals
References: <200811032108.36699@thufir.ingo-kloecker.de> <20081103220456.GE17229__47541.5242407054$1225752935$gmane$org@jabberwocky.com>
Message-ID: <3n06u5-8mr.ln1@news.ducksburg.com>

On 2008-11-03, David Shaw wrote:
> Rather offtopic, but I read an interesting paper on seals a while back
> (I'm afraid I don't recall where offhand). Seals never really assured
> confidentiality.
A person who wanted to open a letter would just make > a mold of the seal, melt it free, read the letter and then re-make the > seal using the mold. > > The countermeasure was to use multiple colors in the seal so that > melting it free would mix up the colors so the new seal wouldn't look > right. The catch was that you'd have to send a drawing of how the > first seal looked using a different communications channel so the > recipient could compare... Hey, that sounds like a key distribution problem! From rjh at sixdemonbag.org Tue Nov 4 15:18:22 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Tue, 4 Nov 2008 09:18:22 -0500 Subject: Seals In-Reply-To: <3n06u5-8mr.ln1@news.ducksburg.com> References: <200811032108.36699@thufir.ingo-kloecker.de> <20081103220456.GE17229__47541.5242407054$1225752935$gmane$org@jabberwocky.com> <3n06u5-8mr.ln1@news.ducksburg.com> Message-ID: > Hey, that sounds like a key distribution problem! It is, quite literally. The scheme can be thought of as a message authentication code (MAC), with a shared key that has to be negotiated ahead of time; and just like with a MAC, anyone who has the secret key is capable of forging the message. From dshaw at jabberwocky.com Tue Nov 4 17:18:03 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 4 Nov 2008 11:18:03 -0500 Subject: Seals In-Reply-To: <3n06u5-8mr.ln1@news.ducksburg.com> References: <200811032108.36699@thufir.ingo-kloecker.de> <20081103220456.GE17229__47541.5242407054$1225752935$gmane$org@jabberwocky.com> <3n06u5-8mr.ln1@news.ducksburg.com> Message-ID: <20081104161803.GC19913@jabberwocky.com> On Tue, Nov 04, 2008 at 01:53:07PM +0000, Adam Funk wrote: > On 2008-11-03, David Shaw wrote: > > > Rather offtopic, but I read an interesting paper on seals a while back > > (I'm afraid I don't recall where offhand). Seals never really assured > > confidentiality. 
A person who wanted to open a letter would just make > > a mold of the seal, melt it free, read the letter and then re-make the > > seal using the mold. > > > > The countermeasure was to use multiple colors in the seal so that > > melting it free would mix up the colors so the new seal wouldn't look > > right. The catch was that you'd have to send a drawing of how the > > first seal looked using a different communications channel so the > > recipient could compare... > > Hey, that sounds like a key distribution problem! Yep. If you read about the history of crypto and message/information security in general it's striking how things haven't really changed all that much. We do it faster/better/safer to be sure, but there are a lot of fundamental concepts that have been around for hundreds or even thousands of years. David From vedaal at hush.com Tue Nov 4 17:19:17 2008 From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 04 Nov 2008 11:19:17 -0500 Subject: Signature semantics Message-ID: <20081104161917.CB7C11A0039@smtp.hushmail.com> >Date: Mon, 3 Nov 2008 16:47:01 -0500 >From: David Shaw >Subject: Signature semantics (was Re: Anyone know what became of >the > Gaim-E Project?) >To: gnupg-users at gnupg.org >Message-ID: <20081103214701.GD17229 at jabberwocky.com> >One lesson that can be learned from this is that the signed >portion of >a message should contain sufficient context so that the message >cannot be repurposed in this fashion. one of the ways to protect Alice (or any unwary sender) is to have a feature to do exactly that, that if a message is sent signed and encrypted, to have gnupg prompt the following: gpg: you have chosen to sign and encrypt your message gpg: would you like to have gnupg add a line to the plaintext before the signature, saying "this message is encrypted to " ? y/n gpg: you have chosen n gpg: your signed and encrypted message can separated and re- encrypted to another key with its signature intact gpg: really choose n ? 
y/n

this way, if Alice started her message with, " Hi Baker!" she can ignore the option, but if she were unaware of it, she could opt for adding the line, and the re-encryption attack would be defeated by having the original recipient verified by the signature

yes, i know it's a 'change to the plaintext' but it's a change where the user is asked for permission beforehand, and can always choose to deny gnupg to do so

not meant to be an 'open-pgp feature request' just a 'courtesy gnupg request'

(no reason that gnupg can't be 'better' than what open-pgp' requires, as long as gnupg is 'compatible')

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From rjh at sixdemonbag.org Tue Nov 4 17:28:28 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 4 Nov 2008 11:28:28 -0500
Subject: Signature semantics
In-Reply-To: <20081104161917.CB7C11A0039@smtp.hushmail.com>
References: <20081104161917.CB7C11A0039@smtp.hushmail.com>
Message-ID:

> (no reason that gnupg can't be 'better' than what open-pgp'
> requires, as long as gnupg is 'compatible')

Idiot-proofing is a very bad idea. Systems cannot be made idiot-proof, since we're constantly developing higher and better grades of idiots. Systems can be made user-friendly; they cannot be made idiot-proof.

(As an example of what suggestions like this lead to in practice, look at Vista's User Access Control. HCI studies have shown UAC does not provide better security. UAC is designed to give users a last chance opportunity to prevent programs from running with elevated privileges, but it does not actually do this. UAC was not designed to train users to blindly click "Yes" without thinking at all about what they're doing, but that's what it actually does.)

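Added example, not part of any message in this thread: a Python sketch of the re-encryption problem David Shaw walks through as Encrypt_Charlie( Alice_sign( "I love you" ) ), and of the recipient-side check that a signed recipient line makes possible. The signing key is toy textbook RSA constructed from two Mersenne primes, the Envelope class only stands in for public-key encryption, and the "To:" line and every function name are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy textbook-RSA key for "Alice", constructed for this demo from two
# Mersenne primes. Unpadded and far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Alice's signature over exactly these bytes."""
    return pow(_digest(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    """Check a signature against Alice's public key (N, E)."""
    return pow(sig, E, N) == _digest(data)


@dataclass(frozen=True)
class Signed:
    body: bytes   # the only bytes the signature covers
    sig: int


@dataclass(frozen=True)
class Envelope:
    recipient: str   # stand-in for "encrypted to this person's public key"
    inner: Signed


def alice_sign(text: str, bind_to: str = "") -> Signed:
    """Sign text; if bind_to is given, put a To: line inside the signed bytes."""
    body = (f"To: {bind_to}\n\n{text}" if bind_to else text).encode()
    return Signed(body, sign(body))


def encrypt_to(recipient: str, signed: Signed) -> Envelope:
    # The wrapper goes around the signature and is not covered by it.
    return Envelope(recipient, signed)


def decrypt(reader: str, env: Envelope) -> Signed:
    if reader != env.recipient:
        raise PermissionError(f"{reader} cannot open this envelope")
    return env.inner


def naive_accept(reader: str, env: Envelope) -> bool:
    """Accept anything that carries a valid signature from Alice."""
    s = decrypt(reader, env)
    return verify(s.body, s.sig)


def strict_accept(reader: str, env: Envelope) -> str:
    """Also require that the signed bytes name the reader as recipient."""
    s = decrypt(reader, env)
    if not verify(s.body, s.sig):
        return "bad signature"
    header, sep, _ = s.body.partition(b"\n\n")
    if not sep or not header.startswith(b"To: "):
        return "no signed recipient"
    if header[4:].decode() != reader:
        return "signed for someone else"
    return "ok"


def forward_via_baker(bind: bool) -> Envelope:
    """Alice -> Baker, then Baker re-wraps the untouched signed part for Charlie."""
    to_baker = encrypt_to("Baker", alice_sign("I love you", "Baker" if bind else ""))
    return encrypt_to("Charlie", decrypt("Baker", to_baker))


def retarget(env: Envelope) -> Envelope:
    """Edit the signed To: line; the old signature no longer matches."""
    edited = env.inner.body.replace(b"To: Baker", b"To: Charlie")
    return Envelope(env.recipient, Signed(edited, env.inner.sig))


if __name__ == "__main__":
    for bind in (False, True):
        env = forward_via_baker(bind)
        print(f"bind={bind}: naive={naive_accept('Charlie', env)}, "
              f"strict={strict_accept('Charlie', env)}")
    print("retargeted:", strict_accept("Charlie", retarget(forward_via_baker(True))))
```

The signature-only check passes in both runs, because the signature never covered the recipient; only a reader who looks for his own name inside the signed bytes can tell the forwarded copy from one meant for him.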
From dshaw at jabberwocky.com Tue Nov 4 17:58:49 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 4 Nov 2008 11:58:49 -0500
Subject: Signature semantics
In-Reply-To: <20081104161917.CB7C11A0039@smtp.hushmail.com>
References: <20081104161917.CB7C11A0039@smtp.hushmail.com>
Message-ID: <20081104165849.GD19913@jabberwocky.com>

On Tue, Nov 04, 2008 at 11:19:17AM -0500, vedaal at hush.com wrote:
> >One lesson that can be learned from this is that the signed
> >portion of
> >a message should contain sufficient context so that the message
> >cannot be repurposed in this fashion.
>
>
> one of the ways to protect Alice (or any unwary sender)
> is to have a feature to do exactly that,
>
> that if a message is sent signed and encrypted,
> to have gnupg prompt the following:
>
> gpg: you have chosen to sign and encrypt your message
> gpg: would you like to have gnupg add a line to the plaintext
> before the signature, saying "this message is encrypted to
> " ? y/n
> gpg: you have chosen n
> gpg: your signed and encrypted message can separated and re-
> encrypted to another key with its signature intact
> gpg: really choose n ? y/n

It is not the place of GPG to modify the plaintext. If it is needed, that's the job of a mail program or other program that uses GPG. GPG should just provide necessary primitives to solve this, and it does:

  gpg --sig-notation "whatever@example.com=I encrypted this to Baker!" --sign --encrypt blah.txt

The notation will be hashed into the signature and cannot be removed without invalidating the signature.

All that said, doing this isn't a cure-all. Alice (the signer here) may not want her intended target to be public.

David

From dshaw at jabberwocky.com Tue Nov 4 18:04:19 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 4 Nov 2008 12:04:19 -0500
Subject: Signature semantics (was Re: Anyone know what became of the Gaim-E Project?)
In-Reply-To: <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org>
References: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <20081103214701.GD17229@jabberwocky.com> <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org>
Message-ID: <20081104170419.GE19913@jabberwocky.com>

On Mon, Nov 03, 2008 at 06:38:08PM -0500, Robert J. Hansen wrote:
>> which is fairly wide open to whatever meaning
>> anyone wants to apply to it (that's a feature, not a bug).
>
> Right, and this much doesn't bother me. It's when people start
> ascribing meaning to bad signatures, or the nonexistence of signatures,
> that I begin to get frustrated. A bad signature doesn't mean the message
> was tampered with -- the alteration could have been in the signature and
> not the message itself, just to name one possibility.

Indeed. The alteration also may or may not be malicious. The most common alteration I've ever seen are mail programs that break the signature via word-wrap or the like. (Hence the frequent "Does my signature verify now?" message chains on some crypto mailing lists).

David

From jmoore3rd at bellsouth.net Tue Nov 4 18:41:50 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 04 Nov 2008 12:41:50 -0500
Subject: Signature semantics
In-Reply-To:
References: <20081104161917.CB7C11A0039@smtp.hushmail.com>
Message-ID: <4910895E.1080805@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert J. Hansen wrote:
> (As an example of what suggestions like this lead to in practice, look
> at Vista's User Access Control. HCI studies have shown UAC does not
> provide better security. UAC is designed to give users a last chance
> opportunity to prevent programs from running with elevated privileges,
> but it does not actually do this. UAC was not designed to train users
> to blindly click "Yes" without thinking at all about what they're doing,
> but that's what it actually does.)

Actually, what has occurred is disabling UAC is the most common & popular 'tweak' to Vista. In fact, UAC is rated such a High Annoyance that it has been made "more User friendly" in Windows 7.

- From My perusal of early Windows 7 Alpha reviews the 'Newest' M$ offering appears to be Vista re-released with 2 years of Vista hacks incorporated into the default Settings code.

This goes back to Robert's statement that the Developer Goal is to make successful Applications 'User Friendly' rather than 'Idiot Proof'.

JOHN ;)
Timestamp: Tuesday 04 Nov 2008, 12:41 --500 (Eastern Standard Time)

From vedaal at hush.com Tue Nov 4 19:18:23 2008
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 04 Nov 2008 13:18:23 -0500
Subject: Signature semantics
Message-ID: <20081104181823.78AC91A0039@smtp.hushmail.com>

David Shaw dshaw at jabberwocky.com
wrote on Tue Nov 4 17:58:49 CET 2008 :

> It is not the place of GPG to modify the plaintext.

ok

>GPG should just provide necessary primitives to solve this,
>and it does:

>gpg --sig-notation
>"whatever at example.com=I encrypted this to Baker!"
>--sign --encrypt blah.txt

>The notation will be hashed into the signature and cannot be removed
>without invalidating the signature.

ok,
works nicely,
but needs a user to be reminded to do it ;-)

how about a friendly gnupg reminder prompt:

gpg: you have chosen to sign with 'u' and encrypt to 'r'
gpg: would you like to add a sig-notation "encrypted-to-keyname-r" y/n

>All that said, doing this isn't a cure-all. Alice (the signer here)
>may not want her intended target to be public.

then, in that case,
(where Alice chooses 'n' to the above well-meaning prompt)

how about this as a feature;

when gnupg decrypts and verifies,
if there is a delay of more than 1 minute between signing and encrypting,
then gnupg gives the following 'alert':

gpg: message is signed and encrypted
gpg: signature made at time x, encryption made at time y
gpg: duration between signing and encrypting: time z
gpg: please verify with sender, also check time of e-mail sending

now, even if the attacker goes through the trouble of altering his computer time-clock to the time of the signature and then encrypts, there will still be an unmistakable 'suspicious' delay in the e-mail sending

vedaal

any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link

From rjh at sixdemonbag.org Tue Nov 4 19:43:33 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 4 Nov 2008 13:43:33 -0500
Subject: Signature semantics
In-Reply-To: <20081104181823.78AC91A0039@smtp.hushmail.com>
References: <20081104181823.78AC91A0039@smtp.hushmail.com>
Message-ID:

> but needs a user to be reminded to do it ;-)

Again, this is idiot-proofing, not making GnuPG user-friendly. If you want to do this, GnuPG will let you do this. It is not GnuPG's responsibility to hold your hand along the way.

This is a proposal which would be better suited to an email plugin like Enigmail.
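
The receiving side of the `--sig-notation` approach discussed in the messages above, as an added example that is not part of any message in this thread: it reads the machine-readable status lines gpg writes with `--status-fd` and accepts a message only when the signature is good, the key is validated, and the signed notation names the expected recipient. The notation name is the one from the thread, assuming the archive's " at " stands for "@"; the status lines, key IDs, fingerprint, the "Charlie" recipient and the function names are constructed for the illustration.

```python
# Added example. Status lines, key IDs and the fingerprint are constructed.
from dataclasses import dataclass, field
from urllib.parse import unquote

PREFIX = "[GNUPG:] "
# gpg reports the signing key's validity with a TRUST_* line after a good signature.
VALIDATED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
NOTATION = "whatever@example.com"   # name used in the thread (assumed "@" form)


@dataclass
class SigReport:
    outcome: str = "NONE"           # GOODSIG, BADSIG, ERRSIG or NONE
    key_validated: bool = False
    notations: dict = field(default_factory=dict)


def parse_status(text):
    """Collect the signature outcome, key validity and signed notations."""
    report = SigReport()
    name = None
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, _, rest = line[len(PREFIX):].partition(" ")
        if keyword in ("GOODSIG", "BADSIG", "ERRSIG"):
            if report.outcome != "NONE":
                raise ValueError("several signatures: assess each one separately")
            report.outcome = keyword
        elif keyword in VALIDATED:
            report.key_validated = True
        elif keyword == "NOTATION_NAME":
            name = unquote(rest)
            report.notations[name] = ""
        elif keyword == "NOTATION_DATA" and name is not None:
            # Values are %XX-escaped and may be split over several lines.
            report.notations[name] += unquote(rest)
    return report


def assess(text, expected_note):
    """Return (accept, reason) for one verification run."""
    report = parse_status(text)
    if report.outcome != "GOODSIG":
        # Absent, bad and uncheckable signatures give the same assurance: none.
        return (False, "no-assurance")
    if not report.key_validated:
        return (False, "key-not-validated")
    if report.notations.get(NOTATION) != expected_note:
        # Signed for someone else, or no recipient stated: possible re-encryption.
        return (False, "recipient-not-confirmed")
    # Whether the key's owner is someone you trust remains a human decision.
    return (True, "good-signature-valid-key-named-recipient")


FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint
SIGNED_FOR_BAKER = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice (constructed) <alice@example.com>",
    "[GNUPG:] NOTATION_NAME whatever@example.com",
    "[GNUPG:] NOTATION_DATA I%20encrypted%20this%20to%20Baker!",
    "[GNUPG:] VALIDSIG " + FPR + " 2008-11-04 1225815529 0 4 0 17 2 00 " + FPR,
    "[GNUPG:] TRUST_FULLY",
])
# What a recipient sees when the signing key is not on any keyring.
KEY_NOT_AVAILABLE = "\n".join([
    "[GNUPG:] ERRSIG 1111222233334444 17 2 00 1225815529 9",
    "[GNUPG:] NO_PUBKEY 1111222233334444",
])
UNVALIDATED_KEY = SIGNED_FOR_BAKER.replace("TRUST_FULLY", "TRUST_UNDEFINED")

if __name__ == "__main__":
    cases = [
        ("Baker reads it", SIGNED_FOR_BAKER, "I encrypted this to Baker!"),
        ("re-encrypted to Charlie", SIGNED_FOR_BAKER, "I encrypted this to Charlie!"),
        ("key not available", KEY_NOT_AVAILABLE, "I encrypted this to Baker!"),
        ("unvalidated key", UNVALIDATED_KEY, "I encrypted this to Baker!"),
    ]
    for label, status, note in cases:
        print(label, assess(status, note))
```
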

From dshaw at jabberwocky.com Tue Nov 4 20:42:56 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 4 Nov 2008 14:42:56 -0500
Subject: Signature semantics
In-Reply-To: <20081104181823.78AC91A0039@smtp.hushmail.com>
References: <20081104181823.78AC91A0039@smtp.hushmail.com>
Message-ID: <20081104194256.GF19913@jabberwocky.com>

On Tue, Nov 04, 2008 at 01:18:23PM -0500, vedaal at hush.com wrote:
> David Shaw dshaw at jabberwocky.com
> wrote on Tue Nov 4 17:58:49 CET 2008 :
>
> > It is not the place of GPG to modify the plaintext.
>
> ok
>
> >GPG should just provide necessary primitives to solve this,
> >and it does:
>
> >gpg --sig-notation
> >"whatever at example.com=I encrypted this to Baker!"
> >--sign --encrypt blah.txt
>
> >The notation will be hashed into the signature and cannot be removed
> >without invalidating the signature.
>
> ok,
> works nicely,
> but needs a user to be reminded to do it ;-)

Not really GPG's job. Just like it isn't GPG's job to remind a user to encrypt in the first place. I'm all for making the tools that GPG makes available more capable of handling this case, but an interactive prompt isn't the way.

> when gnupg decrypts and verifies,
> if there is a delay of more than 1 minute between signing and
> encrypting,
> then gnupg gives the following 'alert':
>
> gpg: message is signed and encrypted
> gpg: signature made at time x, encryption made at time y
> gpg: duration between signing and encrypting: time z
> gpg: please verify with sender, also check time of e-mail sending

Also not really GPG's job, but it's not possible in any event. OpenPGP does not timestamp encryptions. There are only two timestamps in an encrypted and signed message and they are the stamp of the original file, and the stamp of the signature. Decrypting and re-encrypting doesn't change them.

> now, even if the attacker goes through the trouble of altering his
> computer time-clock to the time of the signature and then encrypts,
> there will still be an unmistakable 'suspicious' delay in the e-mail sending

Not at all. The attacker controls his own clock, so it would just look like a regular SMTP retransmit. They happen hundreds of times a day on any reasonably large mail server.

David

From rjh at sixdemonbag.org Tue Nov 4 21:15:00 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 04 Nov 2008 15:15:00 -0500
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com> <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com>
Message-ID: <1225829700.7687.18.camel@chronicles>

On Mon, 2008-11-03 at 09:58 -0600, Kevin Hilton wrote:
> What value do signatures serve then however other than to provide data
> authentication but not sender authentication?

YASD (Yet Another Subtle Distinction).

Signatures make it possible for the sender to be authenticated. However, the sender still has to take concrete steps so the recipient can enjoy sender authentication. I like to put small personal details in my signed messages; if I talk about "hey, I really enjoyed lunch the other day" and the recipient didn't have lunch with me, that's a clear sign some kind of sender games have been played. That's an example of what I'm talking about here.

> How can you be sure in
> any case that if you get an unsigned transmission, that the data is
> secure, was altered, or that a signature was just mistakingly not
> appended?

You can't. A bad signature conveys the exact same information as an absent signature.
Maybe the message was tampered with; maybe it wasn't; maybe it was tampered with innocently; maybe it wasn't; maybe... etc.

The only information a bad signature conveys is that someone -- perhaps the original sender, and perhaps someone else -- attempted to do a signature operation. The informational content of that fact is pretty much zero.

> So in the best case scenario if the private keys are kept truly
> private and secure, the signature mechanism works as designed. In
> unideal circumstances however, this "trust" mechanism falls apart
> however. Seems like somewhat of a quandary?

Yep.

Like I said, I generally don't buy digital signatures. When used correctly by people who understand the subtleties of what they can and cannot do, digital signatures can be very useful. The rest of the time I think they're a distraction.

A few years ago over on PGP-Basics, one list member was adamant that signatures should be used for _everything_, regardless of whether the recipients had validated your key, met you, or formed any opinion on whether you were trustworthy. Speaking the Sweet Voice of Reason did not dissuade this person, so John Moore, John Clizbe and I did a small experiment.

I created a keypair, removed the passphrase from it, and shared it with John and John. We did not upload it to the keyservers. We then used this keypair to sign all of our traffic to the list... all three of us, using the exact same key.

It was months before anyone noticed. Few people cared that our messages kept on getting flagged as "no key available" and the key wasn't on the keyserver. What people cared about was that it was signed, and as long as it was signed, that was enough.

Now, remember, PGP-Basics is a pretty clueful group. It's very newbie friendly, but there are a lot of people there who have years of experience using OpenPGP. If they didn't notice the subterfuge, what chance does a normal user have?

For all I know, someone on this mailing list could be repeating that experiment right now. If so, I'm totally blind to it. This just goes to show that I'm no more observant than anyone else.

...

So yeah. I am not a believer in the usefulness of digital signatures. They're very useful when you have:

  * a correct signature
  * from a validated key
  * belonging to someone you trust

If any of those three conditions fail, I think digital signatures are pretty much useless. Given how specific and exacting the "useful" conditions are, I think the only conclusion to draw is that in the general case digital signatures are magic crypto fairy dust. Sprinkle a little on and you're safe from identity theft, message fraud and other tampering! Pay no attention to the man behind the curtain!

From reynt0 at cs.albany.edu Tue Nov 4 21:43:48 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 4 Nov 2008 15:43:48 -0500 (EST)
Subject: keyboard sniffing - old topic, more info
In-Reply-To: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com> <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com>
Message-ID:

Some months ago the topic arose of sniffability of keyboard sounds, about which I gave a little information. I now see that some researchers in der Schweiz recently did sniffing of keyboard EMF radiations which might be of interest here (http://lasecwww.epfl.ch/keyboard/ (note the lab name includes crypto, "Security and Cryptography Laboratory")). They mention success from some distance away, including through walls.

Further giving urls, I gave no cites before about sniffing of keyboard sounds, so here are some :-) :

from 2004:
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1301311
(need a login to download full article, but can websearch it)

And followups/derivatives (maybe need a login to download full):

from 2005:
http://portal.acm.org/citation.cfm?id=1102120.1102169

from 2006:
http://portal.acm.org/citation.cfm?id=1180405.1180436

HTH

From reynt0 at cs.albany.edu Tue Nov 4 22:15:22 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 4 Nov 2008 16:15:22 -0500 (EST)
Subject: Signature semantics
In-Reply-To: <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org>
References: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <20081103214701.GD17229@jabberwocky.com> <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org>
Message-ID:

On Mon, 3 Nov 2008, Robert J. Hansen wrote:
. . .
> Right, and this much doesn't bother me. It's when people start ascribing
> meaning to bad signatures, or the nonexistence of signatures, that I begin to
> get frustrated. A bad signature doesn't mean the message was tampered with
> -- the alteration could have been in the signature and not the message
> itself, just to name one possibility.
. . .

In a single word, be "prudent".

From reynt0 at cs.albany.edu Tue Nov 4 22:21:53 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 4 Nov 2008 16:21:53 -0500 (EST)
Subject: Signature semantics
In-Reply-To:
References: <20081104161917.CB7C11A0039@smtp.hushmail.com>
Message-ID:

On Tue, 4 Nov 2008, Robert J. Hansen wrote:
. . .
> Idiot-proofing is a very bad idea. Systems cannot be made idiot-proof, since
> we're constantly developing higher and better grades of idiots. Systems can
> be made user-friendly; they cannot be made idiot-proof.
. . .

Hmmmm, so the problem is ..... It's hard to be smart enough to understand idiots well enough to predict them?
*<;*}

From reynt0 at cs.albany.edu Tue Nov 4 23:06:19 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 4 Nov 2008 17:06:19 -0500 (EST)
Subject: Signature semantics
In-Reply-To: <20081104181823.78AC91A0039@smtp.hushmail.com>
References: <20081104181823.78AC91A0039@smtp.hushmail.com>
Message-ID:

On Tue, 4 Nov 2008 vedaal at hush.com wrote:
. . .
> then, in that case,
. . .
> how about this as a feature;
. . .

FWIW, as others in this thread have suggested without being explicit, the KISS (Keep It Simple Stupid) idea may be better than an aim to have something like a popup wizard which responds to every little thing that by the (non-idiot :-} ) programmer's guess might in some situation or other be a problem for some idiot (or some innocent). Elegant software design is the real skill of, in a reasonable amount of time, figuring out how to finesse the whole use, not just the presentation, right?

From reynt0 at cs.albany.edu Tue Nov 4 23:11:02 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Tue, 4 Nov 2008 17:11:02 -0500 (EST)
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To: <1225829700.7687.18.camel@chronicles>
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com> <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <1225829700.7687.18.camel@chronicles>
Message-ID:

On Tue, 4 Nov 2008, Robert J. Hansen wrote:
. . .
> signatures. They're very useful when you have:
>
> * a correct signature
> * from a validated key
> * belonging to someone you trust
>
> If any of those three conditions fail, I think digital signatures are
> pretty much useless.
> Given how specific and exacting the "useful"
> conditions are, I think the only conclusion to draw is that in the
> general case digital signatures are magic crypto fairy dust. Sprinkle a
> little on and you're safe from identity theft, message fraud and other
> tampering! Pay no attention to the man behind the curtain!

You could say, if when evaluating signed content you find any of these failing, it's a clue to be even more prudent. That is, a strategy of teaching the prudence skill, and then adding: what are activators to be alert for? Ie, in this environment, crypto signatures give some activators, and are definitely better than nothing. Like in the animal kingdom, rustling sounds from the grass over there is an activator for the deer to be more prudent. :-)

From rjh at sixdemonbag.org Tue Nov 4 23:34:35 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 04 Nov 2008 17:34:35 -0500
Subject: Anyone know what became of the Gaim-E Project?
In-Reply-To:
References: <96c450350811021855s3192bfd3iec9ae5dc0ea2f774@mail.gmail.com> <1225682203.14456.3.camel@chronicles> <96c450350811022108g2150979eo391c97f5508a460@mail.gmail.com> <96c450350811030437naf7146el1edfe2ac11fa0cc5@mail.gmail.com> <20081103071243.ar29enctw8sk80c4@shards.monkeyblade.net> <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <1225829700.7687.18.camel@chronicles>
Message-ID: <1225838075.7687.65.camel@chronicles>

> You could say, if when evaluating signed content you find any
> of these failing, it's a clue to be even more prudent. That
> is, a strategy of teaching the prudence skill, and then adding:
> what are activators to be alert for?

This presupposes that (a) there exist a significant number of people who are qualified to teach, and (b) there exists a large number of people who want to learn.

I don't agree with either presupposition.
OpenPGP does not do what many (most, it seems) of its users think it does; and many (most, it seems) users are just fine with that state of ignorance.

You guys who are willing to put in the work, change your minds, think critically? You guys are angels. Don't ever change. I just wish you weren't in the minority.

(The preceding is applicable to a lot of life, and not just OpenPGP.)

From faramir.cl at gmail.com Wed Nov 5 00:33:43 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 04 Nov 2008 20:33:43 -0300
Subject: Signature semantics
In-Reply-To:
References: <20081104181823.78AC91A0039@smtp.hushmail.com>
Message-ID: <4910DBD7.5050903@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

reynt0 wrote:

> FWIW, as others in this thread have suggested without
> being explicit, the KISS (Keep It Simple Stupid) idea may be better than

I have an idea... maybe not a good idea, but, what about adding some message to the installation wizard? Something like: "remember gpg can improve the security, but only if it is used properly. Please check the quick start guide so see some examples of what can do signatures for you, and most important, what they can't do for you. Do you want to open the quick start guide now? [yes/no]". I suppose the message would have to be done in a non-scary way, but also, something that raise the user's curiosity about how use signatures properly (and probably some advices about keeping the private key secure too).

Best Regards

From dshaw at jabberwocky.com Wed Nov 5 15:29:27 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 5 Nov 2008 09:29:27 -0500
Subject: Signature semantics
In-Reply-To: <4910DBD7.5050903@gmail.com>
References: <20081104181823.78AC91A0039@smtp.hushmail.com> <4910DBD7.5050903@gmail.com>
Message-ID: <6EDE8AB5-BD44-4A95-959D-C1196389D499@jabberwocky.com>

On Nov 4, 2008, at 6:33 PM, Faramir wrote:

>> FWIW, as others in this thread have suggested without
>> being explicit, the KISS (Keep It Simple Stupid) idea may be better than
>
> I have an idea... maybe not a good idea, but, what about adding some
> message to the installation wizard? Something like: "remember gpg can
> improve the security, but only if it is used properly. Please check the
> quick start guide so see some examples of what can do signatures for
> you, and most important, what they can't do for you. Do you want to open
> the quick start guide now? [yes/no]". I suppose the message would have
> to be done in a non-scary way, but also, something that raise the user's
> curiosity about how use signatures properly (and probably some advices
> about keeping the private key secure too).

I'm always in favor of documentation. I wouldn't restrict it to notes about signatures though - a general quick start guide (there are several out there that can be used or adapted) would be very handy to ship in the installer.

David

From hamilric at us.ibm.com Wed Nov 5 15:05:44 2008
From: hamilric at us.ibm.com (Richard Hamilton)
Date: Wed, 5 Nov 2008 08:05:44 -0600
Subject: Problems with gpg-agent
Message-ID:

Running gnupg 2.0.7 on AIX 5.3 using pinentry-curses 0.7.3, batch operations work all day long but interactive gpg operations do not. The problem looks a lot like the tty problem described in multiple posts but I can't see the problem in this configuration.

The gpg-agent is running:

$ echo $GPG_AGENT_INFO
/tmp/gpg-evdBeO/S.gpg-agent:1314974:1
$ ps -ef | grep 1314974
pgp 1314974 1 0 18:48:00 - 0:00 gpg-agent --daemon

The tty device is set:

$ echo $GPG_TTY
/dev/pts/4

The agent configuration is:

pinentry-program /opt/TWWfsw/bin/pinentry
no-grab
default-cache-ttl 1800
ignore-cache-for-signing

Tried several options in the agent configuration. In the gpg.conf have the option use-agent.

I cannot get interactive operations to work. An example (with agent debug set to guru):

/apps/gisbt/programs $ gpg --edit-key 0xDDC90A19

pub 1024R/DDC90A19 created: 2005-06-07 expires: never usage: SCEA
trust: never validity: unknown
[ unknown] (1). CCEGASECPTEST

Command> sign

pub 1024R/DDC90A19 created: 2005-06-07 expires: never usage: SCEA
trust: never validity: unknown
Primary key fingerprint: B4 E2 C2 AC 6E 8B 00 0E 8E 55 A2 F5 71 72 71 50

CCEGASECPTEST

Are you sure that you want to sign this key with your
key "WILLIAMS " (3CDC9091)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "WILLIAMS "
1024-bit DSA key, ID 3CDC9091, created 2002-11-13

gpg-agent[2203674]: handler 0x2001ffe8 for fd 6 started
gpg-agent[2203674.6] DBG: -> OK Pleased to meet you
gpg-agent[2203674.6] DBG: <- RESET
gpg-agent[2203674.6] DBG: -> OK
gpg-agent[2203674.6] DBG: <- OPTION ttyname=/dev/pts/4
gpg-agent[2203674.6] DBG: -> OK
gpg-agent[2203674.6] DBG: <- OPTION ttytype=xterm
gpg-agent[2203674.6] DBG: -> OK
gpg-agent[2203674.6] DBG: <- OPTION lc-ctype=en_US
gpg-agent[2203674.6] DBG: -> OK
gpg-agent[2203674.6] DBG: <- OPTION lc-messages=en_US
gpg-agent[2203674.6] DBG: -> OK
gpg-agent[2203674.6] DBG: <- GET_PASSPHRASE --data -- 1B20B1BCE6CA7A6CD354C7A42F2149A73CDC9091 X X You+need+a+passphrase+to+unlock+the+secret+key+for+user:%0A"WILLIAMS+"%0A1024-bit+DSA+key,+ID+3CDC9091,+created+2002-11-13%0A
gpg-agent[2203674]: DBG: agent_get_cache `1B20B1BCE6CA7A6CD354C7A42F2149A73CDC9091'...
gpg-agent[2203674]: DBG: ... miss
gpg-agent[2203674]: starting a new PIN Entry
gpg-agent[2203674]: DBG: connection to PIN entry established
gpg-agent[2203674]: command get_passphrase failed: Operation cancelled
gpg-agent[2203674.6] DBG: -> ERR 67108963 ec=4.99
gpg: cancelled by user
gpg: signing failed: General error

Command>

Any insights would be appreciated.

From lists at michel-messerschmidt.de Wed Nov 5 22:22:04 2008
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Wed, 5 Nov 2008 22:22:04 +0100
Subject: Signature semantics
In-Reply-To: <20081104170419.GE19913@jabberwocky.com>
References: <96c450350811030758o36e93c65qbcd832c05934360@mail.gmail.com> <4BF6B4595FC845E28CC5E484C94F902D@Nautilus> <20081103214701.GD17229@jabberwocky.com> <82E20871-B265-43DE-9EA3-109AB89219ED@sixdemonbag.org> <20081104170419.GE19913@jabberwocky.com>
Message-ID: <20081105212203.GB4954@koshi.matrix>

On Tue, Nov 04, 2008 at 12:04:19PM -0500, David Shaw wrote:
> Indeed. The alteration also may or may not be malicious. The most
> common alteration I've ever seen are mail programs that break the
> signature via word-wrap or the like. (Hence the frequent "Does my
> signature verify now?" message chains on some crypto mailing lists).

The most common signature invalidation I've seen is the addition of corporate disclaimers to every outgoing and incoming message on the server :(

Michel

From reynt0 at cs.albany.edu Thu Nov 6 20:09:43 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Thu, 6 Nov 2008 14:09:43 -0500 (EST)
Subject: Signature semantics
In-Reply-To: <6EDE8AB5-BD44-4A95-959D-C1196389D499@jabberwocky.com>
References: <20081104181823.78AC91A0039@smtp.hushmail.com> <4910DBD7.5050903@gmail.com> <6EDE8AB5-BD44-4A95-959D-C1196389D499@jabberwocky.com>
Message-ID:

On Wed, 5 Nov 2008, David Shaw wrote:
. . .
> I'm always in favor of documentation. I wouldn't restrict it to notes about
> signatures though - a general quick start guide (there are several out there
> that can be used or adapted) would be very handy to ship in the installer.

If someone really knowledgeable gets something like that going, I'll volunteer to read it critically ( ie like an idiot :-) ), and just proofread it too. A good way to learn.

From hidekis at gmail.com Fri Nov 7 08:21:21 2008
From: hidekis at gmail.com (Hideki Saito)
Date: Thu, 06 Nov 2008 23:21:21 -0800
Subject: Making GnuPG ISO/IEC 19790 compliant
Message-ID: <4913EC71.8030207@gmail.com>

Just read on IPA (which is Information Technology Promotion Agency in Japan) is now calling for proposal for making GnuPG ISO/IEC 19790 compliant.

http://www.ipa.go.jp/software/open/ossc/2008/gpg/koubo2.html

Looks like what they are doing is "design bidding." Wonder how this will go...

From John at Mozilla-Enigmail.org Fri Nov 7 19:30:38 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 07 Nov 2008 12:30:38 -0600
Subject: Making GnuPG ISO/IEC 19790 compliant
In-Reply-To: <4913EC71.8030207@gmail.com>
References: <4913EC71.8030207@gmail.com>
Message-ID: <4914894E.3040006@Mozilla-Enigmail.org>

Hideki Saito wrote:
> Just read on IPA (which is Information Technology Promotion Agency in Japan)
> is now calling for proposal for making GnuPG ISO/IEC 19790 compliant.
>
> http://www.ipa.go.jp/software/open/ossc/2008/gpg/koubo2.html
>
> Looks like what they are doing is "design bidding." Wonder how this will
> go...

Have a link in English?

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From hidekis at gmail.com Fri Nov 7 20:21:33 2008
From: hidekis at gmail.com (Hideki Saito)
Date: Fri, 07 Nov 2008 11:21:33 -0800
Subject: Making GnuPG ISO/IEC 19790 compliant
In-Reply-To: <4914894E.3040006@Mozilla-Enigmail.org>
References: <4913EC71.8030207@gmail.com> <4914894E.3040006@Mozilla-Enigmail.org>
Message-ID: <4914953D.1050507@gmail.com>

I did look for one, but no...

> Hideki Saito wrote:
>
>> Just read on IPA (which is Information Technology Promotion Agency in Japan)
>> is now calling for proposal for making GnuPG ISO/IEC 19790 compliant.
>>
>> http://www.ipa.go.jp/software/open/ossc/2008/gpg/koubo2.html
>>
>> Looks like what they are doing is "design bidding." Wonder how this will
>> go...
>>
>
> Have a link in English?
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From ml at mareichelt.de Fri Nov 7 22:54:13 2008
From: ml at mareichelt.de (markus reichelt)
Date: Fri, 07 Nov 2008 22:54:13 +0100
Subject: Making GnuPG ISO/IEC 19790 compliant
In-Reply-To: <4914953D.1050507@gmail.com>
References: <4913EC71.8030207@gmail.com> <4914894E.3040006@Mozilla-Enigmail.org> <4914953D.1050507@gmail.com>
Message-ID: <20081107215413.GA4485@tatooine.rebelbase.local>

* Hideki Saito wrote:

> I did look for one, but no...

you could give it your best shot :)

--
left blank, right bald

From hidekis at gmail.com Sat Nov 8 01:27:57 2008
From: hidekis at gmail.com (Hideki Saito)
Date: Fri, 07 Nov 2008 16:27:57 -0800
Subject: Making GnuPG ISO/IEC 19790 compliant
In-Reply-To: <20081107215413.GA4485@tatooine.rebelbase.local>
References: <4913EC71.8030207@gmail.com> <4914894E.3040006@Mozilla-Enigmail.org> <4914953D.1050507@gmail.com> <20081107215413.GA4485@tatooine.rebelbase.local>
Message-ID: <4914DD0D.8080208@gmail.com>

I will translate it, if enough people are interested knowing what it all about...

> * Hideki Saito wrote:
>
>> I did look for one, but no...
>
> you could give it your best shot :)

From akindejujt at yahoo.co.uk Sun Nov 9 04:03:10 2008
From: akindejujt at yahoo.co.uk (Taiwo Akindeju)
Date: Sun, 9 Nov 2008 03:03:10 +0000 (GMT)
Subject: Recursive Directory encryption for Windows - gpgwindir
Message-ID: <617209.82570.qm@web26005.mail.ukl.yahoo.com>

Hi,

I have been using the gpg for a while and have developed a recursive directory encryption for windows environment. You download this at http://www21.brinkster.com/taiwoakindeju/gpgwindir.htm

Regards to all
Akindeju

From lorenl at north-winds.org Sun Nov 9 12:56:42 2008
From: lorenl at north-winds.org (Loren M. Lang)
Date: Sun, 09 Nov 2008 03:56:42 -0800
Subject: Resign existing key with higher trust
Message-ID: <1226231802.28761.5.camel@ruth.aloha.tallye.com>

I cross-signed two of my keys without specifying a certification level, but now I want to change the certification level to positive since both are mine and on the same key chain, but GnuPG doesn't let me saying I've already signed them. I have no need to revoke the existing signatures, I just want to increase the certification level and generate new signatures.

--
Loren M. Lang
lorenl at north-winds.org
http://www.north-winds.org/

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From dshaw at jabberwocky.com Sun Nov 9 16:30:16 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 9 Nov 2008 10:30:16 -0500
Subject: Resign existing key with higher trust
In-Reply-To: <1226231802.28761.5.camel@ruth.aloha.tallye.com>
References: <1226231802.28761.5.camel@ruth.aloha.tallye.com>
Message-ID: <1B8DC720-C00A-4A9D-9F5A-CA3224E78104@jabberwocky.com>

On Nov 9, 2008, at 6:56 AM, Loren M. Lang wrote:

> I cross-signed two of my keys without specifying a certification level,
> but now I want to change the certification level to positive since both
> are mine and on the same key chain, but GnuPG doesn't let me saying I've
> already signed them. I have no need to revoke the existing signatures,
> I just want to increase the certification level and generate new
> signatures.

You have a few options here. If you haven't sent the key to a keyserver (i.e. nobody but you has the signature in question), then just use "delsig" to delete the signature. Then sign it again however you like.

If you have already distributed the key with the signature in question, the usual way to handle this is to revoke the old signature (revsig) and then sign again. I'm not sure why you object to that - it gives you exactly what you want.

If you really want to sign it again without deleting or revoking the original signature, then you can re-sign it by adding --expert to your command line. GPG will tell you you've already signed the user ID, but then offer to sign it again anyway. Note that the end result of this would be two signatures from you on the particular user ID.

David

From jmoore3rd at bellsouth.net Sun Nov 9 17:45:12 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 09 Nov 2008 11:45:12 -0500
Subject: Resign existing key with higher trust
In-Reply-To: <1B8DC720-C00A-4A9D-9F5A-CA3224E78104@jabberwocky.com>
References: <1226231802.28761.5.camel@ruth.aloha.tallye.com> <1B8DC720-C00A-4A9D-9F5A-CA3224E78104@jabberwocky.com>
Message-ID: <49171398.6080207@bellsouth.net>

David Shaw wrote:

> If you really want to sign it again without deleting or revoking the
> original signature, then you can re-sign it by adding --expert to your
> command line. GPG will tell you you've already signed the user ID, but
> then offer to sign it again anyway. Note that the end result of this
> would be two signatures from you on the particular user ID.

Note that if You opt for this last mentioned method then You can run the 'clean' command on the Key and GnuPG will strip the 'lower ranking' signature from it. Of course, if it is already uploaded to Keyservers then 'refreshing' Your Key from there will again display 2 Sigs unless You also use --import-clean.

JOHN ;)
Timestamp: Sunday 09 Nov 2008, 11:44 --500 (Eastern Standard Time)

From carloswill at gmail.com Mon Nov 10 22:43:44 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Mon, 10 Nov 2008 16:43:44 -0500
Subject: Unable To Export My Public Key
Message-ID:

It appears I can't export my key for some reason and was wondering if there is another method?

tunafush:~# gpg --keyserver x-hkp://pool.sks-keyservers.net --send-key 0xFC7B6AB7
gpg: sending key FC7B6AB7 to hkp server pool.sks-keyservers.net
?: pool.sks-keyservers.net: Connection refused
gpgkeys: HTTP post error 7: couldn't connect: Connection refused
gpg: keyserver internal error
gpg: keyserver send failed: keyserver error

From shavital at mac.com Tue Nov 11 07:34:14 2008
From: shavital at mac.com (Charly Avital)
Date: Tue, 11 Nov 2008 01:34:14 -0500
Subject: Unable To Export My Public Key
In-Reply-To:
References:
Message-ID: <49192766.5070507@mac.com>

Carlos Williams wrote the following on 11/10/08 4:43 PM:
> It appears I can't export my key for some reason and was wondering if
> there is another method?
>
> tunafush:~# gpg --keyserver x-hkp://pool.sks-keyservers.net --send-key
> 0xFC7B6AB7
> gpg: sending key FC7B6AB7 to hkp server pool.sks-keyservers.net
> ?: pool.sks-keyservers.net: Connection refused
> gpgkeys: HTTP post error 7: couldn't connect: Connection refused
> gpg: keyserver internal error
> gpg: keyserver send failed: keyserver error

I believe the method you are using is correct, I have tested it (with my own key ID) and had no problems. I am running MacOS 10.5.5, and the CLI was sent through Terminal.

I have searched with keywords 'HTTP post error', and it seems that when the verb POST is used to access HTTP, the access request is denied. Is it possible that your system, for some reason, is using the verb POST when trying to access the server's site?

For all it is worth.

Charly
MacOS 10.5.5 - MacBook Intel C2Duo "Aluminum Late 2008"- GnuPG 1.4.9 - GPG2 2.0.9 - Thunderbird 2.0.0.17 (20080914)- Enigmail 0.96a (20080706-1537)- Apple's Mail+GPGMail d54

From intelp.sh at gmail.com Tue Nov 11 14:40:36 2008
From: intelp.sh at gmail.com (huang shinfu)
Date: Tue, 11 Nov 2008 21:40:36 +0800
Subject: [GPGME] Decrypt doc. for auto-input Passphrase
Message-ID: <9d272d1a0811110540r67686902i7a6c9564dfd5dc46@mail.gmail.com>

Dear all:

I use "GPGME" to develop my program. I want to decrypt a doc., but I do not want to key in my passphrase in a "GUI". I hope I can save my passphrase, then use it to auto-decrypt my doc. I can't find any function call for it.

In detail: I need the privacy key to decrypt the doc., but I want to have a system that can auto-input the passphrase to call the privacy key to do it, not key in the passphrase by myself.

regards,
intelp.SH

From carloswill at gmail.com Tue Nov 11 16:35:51 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Tue, 11 Nov 2008 10:35:51 -0500
Subject: GnuPG and PGP Compatibility
Message-ID:

I am looking to see if I can export my GnuPG public key I created on my Linux machine here at work and exchange this with 15 users in the office who are using a licensed copy of PGP Desktop 9.9. All their 15 public keys were generated by the PGP software and I wanted to export my public key from GPG and exchange it with the 15 users using PGP. Is this possible for digital encryption and signatures between the two products? Will there be any issues or incompatibility?

Thanks for any info and or help!

From dshaw at jabberwocky.com Tue Nov 11 18:06:13 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 11 Nov 2008 12:06:13 -0500
Subject: GnuPG and PGP Compatibility
In-Reply-To:
References:
Message-ID:

On Nov 11, 2008, at 10:35 AM, Carlos Williams wrote:

> I am looking to see if I can export my GnuPG public key I created on
> my Linux machine here at work and exchange this with 15 users in the
> office who are using a licensed copy of PGP Desktop 9.9. All their 15
> public keys were generated by the PGP software and I wanted to export
> my public key from GPG and exchange it with the 15 users using PGP. Is
> this possible for digital encryption and signatures between the two
> products? Will there be any issues or incompatibility?

Go right ahead. Both PGP and GnuPG follow the same OpenPGP standard.

David

From rookcifer at gmail.com Mon Nov 10 03:41:20 2008
From: rookcifer at gmail.com (chr0n0)
Date: Sun, 9 Nov 2008 18:41:20 -0800 (PST)
Subject: GPG.conf Cipher Preference
Message-ID: <20413592.post@talk.nabble.com>

I am trying to get gpg to encrypt files with a certain cipher preference. I am using Gentoo Linux, btw.

I have my gpg.conf set-up like so:

default-preference-list S10 S9 S8 S4 S2 S7 S3 H10 H9 H8 H11 H3 H2 H1
personal-cipher-preferences S10 S9 S8 S4 S2 S7 S3
personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
personal-compress-preferences Z3 Z1 Z2

I am using a DSA2 (3072 bit) pub key along with an Elgamal sub-key (4096).

My problem: Whenever I encrypt a file it always uses 3DES. I have noticed that I can change the order of 3DES and CAST5 and it will encrypt with whichever comes first. However, it totally ignores TWOFISH, AES(all of them) and BLOWFISH, even if they come in front of 3DES and CAST5. I have already checked and I have all of the above algorithms compiled into my kernel.

Now, if I add:

cipher-algo TWOFISH

it WILL use TWOFISH to encrypt files. So, my question is, if I use this flag to always make it encrypt with TWOFISH, will that allow me to communicate with those who are not using TWOFISH on their machine? Can I add more than one cipher to the "--cipher-algo" flag?

What is the difference in "cipher-preferences" and "cipher-algo?" I take it that cipher-algo only allows one cipher, thus my question.

Thanks in advance.

--
View this message in context: http://www.nabble.com/GPG.conf-Cipher-Preference-tp20413592p20413592.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From rookcifer at gmail.com Mon Nov 10 03:48:49 2008
From: rookcifer at gmail.com (chr0n0)
Date: Sun, 9 Nov 2008 18:48:49 -0800 (PST)
Subject: GPG.conf Cipher Preference
In-Reply-To: <20413592.post@talk.nabble.com>
References: <20413592.post@talk.nabble.com>
Message-ID: <20413639.post@talk.nabble.com>

Hmmm. I figured it out just after I posted this. It's odd. I went and uncommented the "cipher-algo" flag, then suddenly it started encrypting in the order I had them set in the cipher-preferences flag. It wasn't doing this before. It was only after I added cipher-algo and then removed it that it worked.

From faramir.cl at gmail.com Tue Nov 11 18:34:36 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 11 Nov 2008 14:34:36 -0300
Subject: GPG.conf Cipher Preference
In-Reply-To: <20413592.post@talk.nabble.com>
References: <20413592.post@talk.nabble.com>
Message-ID: <4919C22C.5000404@gmail.com>

Hello!

> What is the difference in "cipher-preferences" and "cipher-algo?" I take it
> that cipher-algo only allows one cipher, thus my question.

*If I am not wrong*, the preferences list would select the "most preferred" algo in _your list_ that can be decrypted by the recipient (disregarding the recipient's preferences, but respecting his/her capabilities -there is no point in sending a message that can't be decrypted).

However, the cipher-algo command _forces_ the use of the chosen algo... no matter if the intended recipient can actually decrypt the message... So (again, if I am not wrong about this), if you chose to force camellia algo, probably most GPG users won't be able to decrypt the message...

Best Regards

From rjh at sixdemonbag.org Tue Nov 11 18:40:20 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 11 Nov 2008 12:40:20 -0500
Subject: GPG.conf Cipher Preference
In-Reply-To: <4919C22C.5000404@gmail.com>
References: <20413592.post@talk.nabble.com> <4919C22C.5000404@gmail.com>
Message-ID: <4919C384.7020007@sixdemonbag.org>

Faramir wrote:
> *If I am not wrong*, the preferences list would select the "most
> preferred" algo in _your list_ that can be decrypted by the recipient

It can be succinctly described this way:

default-cipher-preferences is a feature. cipher-algo is a misfeature. Virtually everyone wants default-cipher-preferences.

From jmoore3rd at bellsouth.net Tue Nov 11 18:50:54 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 11 Nov 2008 12:50:54 -0500
Subject: GPG.conf Cipher Preference
In-Reply-To: <4919C384.7020007@sixdemonbag.org>
References: <20413592.post@talk.nabble.com> <4919C22C.5000404@gmail.com> <4919C384.7020007@sixdemonbag.org>
Message-ID: <4919C5FE.2070903@bellsouth.net>

Robert J. Hansen wrote:

> It can be succinctly described this way:
>
> default-cipher-preferences is a feature. cipher-algo is a misfeature.
> Virtually everyone wants default-cipher-preferences.

Actually, the GnuPG Manual refers to this 'feature' as:

Foolish/Unrecommended things One _can_ do but WHY?

I paraphrased and freely admit that I do several of these things. I also accept that I am 'foolish' & 'unrecommended' by most Mothers.
:-D

JOHN ;)
Timestamp: Tuesday 11 Nov 2008, 12:50 --500 (Eastern Standard Time)

From kevhilton at gmail.com Mon Nov 17 03:11:20 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 16 Nov 2008 20:11:20 -0600
Subject: Question regarding s2k algorithms
Message-ID: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com>

Just wondering specifically is the option

s2k-digest-algo

Does this option specifically refer to one particular digest algorithm or a list of algorithms. I'm just thinking there may be a problem with a few different scenarios if this refers to only one algorithm if for example the SHA256 algorithm is used.

1. Symmetric Encryption -- Using symmetric encryption to specifically password protect a file, the chosen password is salted and hashed with the algorithm specified with the s2k-digest-algo. I would assume however if this file along with the password was distributed, that the recipient's gpg version would need to specifically have to have the SHA256 enabled in their build or a problem would result.

2. Asymmetric Encryption -- Am I wrong to assume, but isn't the session key salted and hashed in the same manner? Again, wouldn't the recipient need the specific hashes installed.

s2k-cipher-algo

If you are using a "stock" gpg.conf file, and say for example this variable is set to Camellia, or IDEA.
If you use this "stock" gpg.conf file with another gpg version that doesn't have these ciphers compiled in -- What results? A default back to CAST5? What if you change this parameter after keys are already stored on the keyring? Will this confuse things?

And lastly what specifically is the purpose of the -for-your-eyes-only flag? Is this option currently still in use, or only included for backwards compatibility purposes.

--
Kevin Hilton

From dshaw at jabberwocky.com Mon Nov 17 03:29:59 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 16 Nov 2008 21:29:59 -0500
Subject: Question regarding s2k algorithms
In-Reply-To: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com>
References: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com>
Message-ID: <3FBF5EA1-2489-4A47-B10E-5F00E4B39C76@jabberwocky.com>

On Nov 16, 2008, at 9:11 PM, Kevin Hilton wrote:

> Just wondering specifically is the option
> s2k-digest-algo
>
> Does this option specifically refer to one particular digest algorithm
> or a list of algorithms. I'm just thinking there may be a problem
> with a few different scenarios if this refers to only one algorithm if
> for example the SHA256 algorithm is used.

> 1. Symmetric Encryption -- Using symmetric encryption to specifically
> password protect a file, the chosen password is salted and hashed with
> the algorithm specified with the s2k-digest-algo. I would assume
> however if this file along with the password was distributed, that the
> recipient's gpg version would need to specifically have to have the
> SHA256 enabled in their build or a problem would result.

Yes. This is the same issue with picking a symmetric cipher that your recipient doesn't have. When you're encrypting using --symmetric it's your responsibility to pick algorithms that your recipient can handle.

> 2. Asymmetric Encryption -- Am I wrong to assume, but isn't the session
> key salted and hashed in the same manner?
> Again, wouldn't the
> recipient need the specific hashes installed.

No. "S2K" means "String to Key". There is no string to key conversion in the session key. s2k-digest-algo only applies to your local secret protection in this case, so there is no issue with asymmetric encryption.

> s2k-cipher-algo
>
> If you are using a "stock" gpg.conf file, and say for example this
> variable is set to Camellia, or IDEA. If you use this "stock"
> gpg.conf file with another gpg version that doesn't have these ciphers
> compiled in -- What results? A default back to CAST5? What if you
> change this parameter after keys are already stored on the keyring?
> Will this confuse things?

I can't quite parse a question here. Use the cipher for what? Symmetric? Asymmetric? You need to state what you're trying to do. Be specific.

> And lastly what specifically is the purpose of the -for-your-eyes-only
> flag? Is this option currently still in use, or only included for
> backwards compatibility purposes.

It tags the data as "for your eyes only", which can be interpreted in different ways by different clients. GnuPG in particular won't display it to the screen, but will save it to a file. Note that this feature is more of a "please don't display this file", than a "this cannot be displayed". It's just a hint.

David

From rjh at sixdemonbag.org Mon Nov 17 03:32:44 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 16 Nov 2008 21:32:44 -0500
Subject: Question regarding s2k algorithms
In-Reply-To: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com>
References: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com>
Message-ID: <4920D7CC.5010305@sixdemonbag.org>

Kevin Hilton wrote:
> I would assume however if this file along with the password was
> distributed, that the recipient's gpg version would need to
> specifically have to have the SHA256 enabled in their build or a
> problem would result.

Potentially.
This is why we tell people not to muck about with the defaults. If there's an actual critical need to alter the s2k, then fine, tweak it: otherwise, leave it with the defaults and don't muck about with it.

By default, GnuPG will use SHA1 for this task. All OpenPGP applications are guaranteed to support SHA1, so it's a nonissue. Further, the recent attacks against SHA1 are irrelevant in this particular crypto domain. For this purpose, SHA1 is still as strong as it's ever been.

> 2. Asymmetric Encryption -- Am I wrong to assume, but isn't the
> session key salted and hashed in the same manner? Again, wouldn't
> the recipient need the specific hashes installed.

No. A random session key is generated. There's no need to hash random data; in fact, you can argue that hashing random data will probably decrease its randomness.

> If you are using a "stock" gpg.conf file, and say for example this
> variable is set to Camellia, or IDEA.

Contradiction. The stock gpg.conf file does not set this option. If a user is going to muck about with the defaults, then they're responsible for the consequences of that mucking. You may wish to clarify what you mean.

> If you use this "stock" gpg.conf file with another gpg version that
> doesn't have these ciphers compiled in -- What results? A default
> back to CAST5?

Beats me. GnuPG tends to bail out if there's an invalid option in the gpg.conf file. I don't know if that's the case for this option, but that's what's happened to me in the past.

> What if you change this parameter after keys are already stored on
> the keyring? Will this confuse things?

No.

> And lastly what specifically is the purpose of the
> -for-your-eyes-only flag? Is this option currently still in use, or
> only included for backwards compatibility purposes.

The specific purpose is to be compatible with a PGP 2.6 'feature' which was really just marketing hype. As the GnuPG manpage says, this option does not actually do what people want it to do.
That said, I am absolutely certain if the GnuPG developers were to remove it there would be a hue and cry.

From kevhilton at gmail.com Mon Nov 17 03:47:44 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Sun, 16 Nov 2008 20:47:44 -0600
Subject: Question regarding s2k algorithms
In-Reply-To: <4920D7CC.5010305@sixdemonbag.org>
References: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com> <4920D7CC.5010305@sixdemonbag.org>
Message-ID: <96c450350811161847m1a73193o3d25cdec009509e5@mail.gmail.com>

Ok so let me ask things in a different way

Is the s2k-cipher-algo used in any other methods other than for protection of the keyring? Seems odd to me that CAST5 is the default -- however I'm sure this is specified according to one of the RFCs.

There is no current security implication for using the SHA1 hash for password hashing when using symmetric encryption? I'm only asking this in regards to selecting hash algorithms, because there seems to be a little hedging on the tried and true statement "Use the defaults" when it comes to the selection of hash algorithms. The intention of the last statement is not to rehash the old discussion of which hash algorithm to use -- really it is not!!

From rjh at sixdemonbag.org Mon Nov 17 05:07:47 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 16 Nov 2008 23:07:47 -0500
Subject: Question regarding s2k algorithms
In-Reply-To: <96c450350811161847m1a73193o3d25cdec009509e5@mail.gmail.com>
References: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com> <4920D7CC.5010305@sixdemonbag.org> <96c450350811161847m1a73193o3d25cdec009509e5@mail.gmail.com>
Message-ID: <4920EE13.702@sixdemonbag.org>

Kevin Hilton wrote:
> Is the s2k-cipher-algo used in any other methods other than for
> protection of the keyring? Seems odd to me that CAST5 is the default
> -- however I'm sure this is specified according to one of the RFCs.

Dunno; this is one of the parts of GnuPG I've never mucked with, so I can't talk intelligently about it.

However, regarding your observation that CAST5 is a weird choice, many non-PGP people would agree with you. Like most of OpenPGP's weirdnesses, this is done to make backwards compatibility with PGP 5 and 6 easier.

> There is no current security implication for using the SHA1 hash for
> password hashing when using symmetric encryption?

None.

Well... potentially. A largely theoretical attack has been demonstrated against SHA1 when used for message authentication purposes; it is possible this research will spur on attacks against SHA1 when used for password hashing purposes. However, I don't find it to be very likely. If it were to happen, then /wow/, would it be news.

> I'm only asking this in regards to selecting hash algorithms, because
> there seems to be a little hedging on the tried and true statement
> "Use the defaults" when it comes to the selection of hash algorithms.

I can't talk about the community's hedging in general; I can only talk about my own.

Algorithms get used in a lot of very different ways. Hash algorithms get used to provide password hashing and message authentication. It is possible for an algorithm to be broken for one purpose and still useful for another. For instance, although I consider MD5 to be horribly broken for most cryptographic purposes, I still use it to create one-time passwords. The attacks against MD5 focus on MD5 as it is used in one problem domain; MD5 in other domains is still quite useful.

The same thing is happening to SHA1. SHA1 for purposes of signatures is not looking very good. SHA1 for other purposes is still perfectly fine.

However -- good luck explaining this to people. It's one of those infamous "subtle distinctions" I talk about incessantly. Most people don't want to spend the time and energy it takes to be a competent cryptographic engineer. They just want an answer.
For these people, "SHA1 is still secure but is not looking good in the long-term; migrate to something else; SHA256 looks pretty good" is the advice I give people.

And even then, with the subtleties reduced that far, it never fails that people misconstrue what I say to be "SHA1 is broken! We must use SHA256 for everything!". It's kind of frustrating.

From dshaw at jabberwocky.com Mon Nov 17 05:24:13 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 16 Nov 2008 23:24:13 -0500
Subject: Question regarding s2k algorithms
In-Reply-To: <96c450350811161847m1a73193o3d25cdec009509e5@mail.gmail.com>
References: <96c450350811161811s397ac160gcb54a19f9972d961@mail.gmail.com> <4920D7CC.5010305@sixdemonbag.org> <96c450350811161847m1a73193o3d25cdec009509e5@mail.gmail.com>
Message-ID: <4AD28896-EC2B-48DB-B4F9-1A4DC5696418@jabberwocky.com>

On Nov 16, 2008, at 9:47 PM, Kevin Hilton wrote:

> Ok so let me ask things in a different way
>
> Is the s2k-cipher-algo used in any other methods other than for
> protection of the keyring? Seems odd to me that CAST5 is the default
> -- however I'm sure this is specified according to one of the RFCs.

The RFC says nothing about it. CAST5 was chosen to maximize compatibility with older versions of PGP, but not be as slow as 3DES. If you specify --openpgp, it becomes 3DES.

It is used whenever a key needs to be encrypted/decrypted with a passphrase. The huge majority of the time that is protecting secret keys. The other spot where this is needed is a little obscure: creating a message with both passphrase *and* public key encryption. That is, some recipients use their secret keys to decrypt, and some recipients use a passphrase. In this case, the s2k-cipher-algo is used to encrypt the session key to the passphrase recipients (and like all symmetric encryption, it's up to you to make sure those recipients can decrypt it).

> There is no current security implication for using the SHA1 hash for
> password hashing when using symmetric encryption?
> I'm only asking
> this in regards to selecting hash algorithms, because there seems to
> be a little hedging on the tried and true statement "Use the defaults"
> when it comes to the selection of hash algorithms. The intention of
> the last statement is not to rehash the old discussion of which hash
> algorithm to use -- really it is not!!

Don't like SHA1? That's fine, and we give you the ability to change it to something else, but then you become responsible for not shooting yourself in the foot. :)

Use the defaults. Really. If we felt that overall there was a better algorithm to use than the current default, we'd make that algorithm into the new default.

David

From dmkennedy at gmail.com Mon Nov 17 17:46:30 2008
From: dmkennedy at gmail.com (David Kennedy)
Date: Mon, 17 Nov 2008 11:46:30 -0500
Subject: appending to gpg file?
Message-ID: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>

hello..

I am trying to append new data to a gpg log file I'd like to keep running.

Let's say I run

echo "line1" | gpg -z 0 -r test@test.com -e > testfile

is there a way to append to testfile and reparse/unencrypt later?

Concatenating to the file doesn't help:

echo "line2" | gpg -z 0 -r test@test.com -e >> testfile

Is there a clean way to go about this from the command line? Another packaging option (hopefully something with minimal overhead)?

Thanks!
Dave Kennedy

From dshaw at jabberwocky.com Mon Nov 17 19:07:59 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 17 Nov 2008 13:07:59 -0500
Subject: appending to gpg file?
In-Reply-To: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
Message-ID: <20081117180759.GA4532@jabberwocky.com>

On Mon, Nov 17, 2008 at 11:46:30AM -0500, David Kennedy wrote:
> hello..
>
> I am trying to append new data to a gpg log file I'd like to keep running.
>
> Let's say I run
>
> echo "line1" | gpg -z 0 -r test@test.com -e > testfile
>
> is there a way to append to testfile and reparse/unencrypt later?
>
> Concatenating to the file doesn't help:
>
> echo "line2" | gpg -z 0 -r test@test.com -e >> testfile
>
> Is there a clean way to go about this from the command line? Another
> packaging option (hopefully something with minimal overhead)?

Not really. You can do this as a running append (i.e. keep a file descriptor open to your gpg process and keep pushing data at it), which would create one large file. You can't do it with '>>' as that creates multiple OpenPGP messages in a single file, which is not required to be supported by an OpenPGP client.

David

From dmkennedy at gmail.com Mon Nov 17 19:16:05 2008
From: dmkennedy at gmail.com (David Kennedy)
Date: Mon, 17 Nov 2008 13:16:05 -0500
Subject: appending to gpg file?
In-Reply-To: <20081117180759.GA4532@jabberwocky.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com> <20081117180759.GA4532@jabberwocky.com>
Message-ID: <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>

Is there a safe ascii delimiter I could use between messages in one file, then? Maybe insert a delimited 'line break' of sorts, parse out individual gpg messages, and decrypt each piece?

Thanks for the brainstorm..

On Mon, Nov 17, 2008 at 1:07 PM, David Shaw wrote:

>
> Not really. You can do this as a running append (i.e. keep a file
> descriptor open to your gpg process and keep pushing data at it),
> which would create one large file. You can't do it with '>>' as that
> creates multiple OpenPGP messages in a single file, which is not
> required to be supported by an OpenPGP client.
>
> David
>
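
The per-record layout raised in this thread (one ASCII-armored OpenPGP message per log event, split apart again before each piece is decrypted), as an added example that is not part of any poster's message. It assumes the writer produces armored output, uses the armor boundary lines and CRC-24 defined in RFC 4880 section 6, and all function names and payload bytes are constructed for illustration (the payloads are not real gpg ciphertext).

```python
import base64
import binascii

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """CRC-24 checksum of ASCII armor as specified in RFC 4880, section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Wrap bytes in message armor. Used here only to build constructed samples."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + check, END]) + "\n"


def check_block(block_lines):
    """Classify a complete BEGIN..END block: ok, bad-crc, no-crc or bad-base64."""
    body = block_lines[1:-1]
    # Armor headers such as "Version:" end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    data_lines, checksum = [], None
    for line in body:
        if line.startswith("=") and len(line) == 5:
            checksum = line[1:]          # "=" plus 4 base64 chars = 24-bit CRC
        else:
            data_lines.append(line)
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
        if checksum is None:
            return "no-crc"
        expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
    except (binascii.Error, ValueError):
        return "bad-base64"
    return "ok" if crc24(payload) == expected else "bad-crc"


def split_records(text):
    """Split a log of concatenated armored messages into (status, block) pairs.

    A record cut short by a dead writer is reported as "truncated" and does not
    prevent later records from being recovered.
    """
    # A writer that died mid-line leaves no newline before the next BEGIN.
    text = text.replace(BEGIN, "\n" + BEGIN)
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            if current is not None:
                records.append(("truncated", "\n".join(current)))
            current = [line]
        elif current is not None:
            current.append(line)
            if line == END:
                records.append((check_block(current), "\n".join(current) + "\n"))
                current = None
    if current is not None:
        records.append(("truncated", "\n".join(current)))
    return records


def build_sample_log():
    """Constructed log: good record, interrupted record, good record, damaged record."""
    first = armor(b"constructed record one")
    second = armor(bytes(range(90)))
    interrupted = second[: len(second) // 2]      # writer killed mid-record
    lines = first.split("\n")
    lines[2] = ("B" if lines[2][0] != "B" else "C") + lines[2][1:]
    damaged = "\n".join(lines)                    # one base64 character altered
    return first + interrupted + second + damaged


if __name__ == "__main__":
    for status, block in split_records(build_sample_log()):
        print(status, len(block))
```

Only blocks reported as "ok" are worth handing to gpg for decryption, one block per invocation; the armor checksum catches truncation and accidental damage, it is not a cryptographic integrity check.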

From lopaki at gmail.com Mon Nov 17 19:41:02 2008
From: lopaki at gmail.com (Scott Lambdin)
Date: Mon, 17 Nov 2008 13:41:02 -0500
Subject: appending to gpg file?
In-Reply-To: <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com> <20081117180759.GA4532@jabberwocky.com> <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
Message-ID: <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>

Yes: "Sponge Bob Squarepants" is guaranteed to not occur in encrypted file.

2008/11/17 David Kennedy

> Is there a safe ascii delimiter I could use between messages in one file,
> then? Maybe insert a delimited 'line break' of sorts, parse out individual
> gpg messages, and decrypt each piece?
>
> Thanks for the brainstorm..
>
> On Mon, Nov 17, 2008 at 1:07 PM, David Shaw wrote:
>
>>
>> Not really. You can do this as a running append (i.e. keep a file
>> descriptor open to your gpg process and keep pushing data at it),
>> which would create one large file. You can't do it with '>>' as that
>> creates multiple OpenPGP messages in a single file, which is not
>> required to be supported by an OpenPGP client.
>>
>> David
>>
>

--
There's a box?

From rjh at sixdemonbag.org Mon Nov 17 20:26:07 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 17 Nov 2008 14:26:07 -0500
Subject: appending to gpg file?
In-Reply-To: <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
 <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>
Message-ID: <4921C54F.3050200@sixdemonbag.org>

Scott Lambdin wrote:
> Yes: "Sponge Bob Squarepants" is guaranteed to not occur in encrypted
> file.

First, it's not: those characters are all valid Base64.

Second, these sorts of responses are not exactly helpful.

For the original poster, David Kennedy:

Explaining to us what it is you're trying to achieve, goal-wise, will
allow us to point out ways you can do it, either with GnuPG or with some
other solution. Otherwise, we're kind of fumbling in the dark here.

From lorenl at north-winds.org Mon Nov 17 20:35:29 2008
From: lorenl at north-winds.org (Loren M. Lang)
Date: Mon, 17 Nov 2008 11:35:29 -0800
Subject: Trust Signatures
Message-ID: <1226950529.7802.10.camel@ruth.aloha.tallye.com>

Was the GnuPG users mailing list down for a while? There appears to be
a gap in my Inbox and none of my messages sent during that time have
shown up. It's been 4 days so I'm resending it.

I'm having trouble understanding trust signatures in OpenPGP so I decided
to run an experiment. I created a new private key for me in a fresh
GNUPGHOME followed by private keys for Alice, Bobbie, Charlie, and
Mallory in a separate GNUPGHOME. I had Alice sign Bobbie's public key
who signed Charlie's who signed Mallory's. I then imported Alice,
Bobbie, Charlie, and Mallory's public keys into my GNUPGHOME. All their
keys showed up as unknown trust and unknown validity as expected. I
then signed Alice's public key. All signatures so far have been trust
signatures with a depth of 4 and full trust with no domain specified.
At this point Alice's key shows up as fully trusted and fully valid as
expected.
Bobbie's key became automatically fully valid without me
setting an ownertrust on Alice, but Bobbie's trust is marked as unknown.
Charlie's key is unknown trust with undefined validity. As I understand
trust signatures, all keys up to Mallory should be valid, what am I
missing?

--
Loren M. Lang
lorenl at north-winds.org
http://www.north-winds.org/

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From dmkennedy at gmail.com Mon Nov 17 20:41:50 2008
From: dmkennedy at gmail.com (David Kennedy)
Date: Mon, 17 Nov 2008 14:41:50 -0500
Subject: appending to gpg file?
In-Reply-To: <4921C54F.3050200@sixdemonbag.org>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
 <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>
 <4921C54F.3050200@sixdemonbag.org>
Message-ID: <9c3169680811171141l362948dm74987c9520ad9294@mail.gmail.com>

Thanks for the help!

I'm using an app to pipe events (text strings) through an instance of gpg to
a file. This works great for me now, in an ideal environment.

Two issues:
1) The problem occurs if/when the app breaks, breaking the pipe and killing
my stream. GPG terminates, and the resulting file is unreadable (I get an
error decrypting it after entering in the passphrase). So, the whole log is
no good.

2) Then, what if I'd like to start the app again, and stream back to the same
file?

My thought is to individually encrypt each "line" in the output file as its
own gpg encrypted package. No dependencies on other individual "lines" not
being corrupt, as long as some sort of delimiter is in place.

Thanks,
Dave

On Mon, Nov 17, 2008 at 2:26 PM, Robert J.
Hansen wrote:

> Scott Lambdin wrote:
> > Yes: "Sponge Bob Squarepants" is guaranteed to not occur in encrypted
> > file.
>
> First, it's not: those characters are all valid Base64.
>
> Second, these sorts of responses are not exactly helpful.
>
>
> For the original poster, David Kennedy:
>
> Explaining to us what it is you're trying to achieve, goal-wise, will
> allow us to point out ways you can do it, either with GnuPG or with some
> other solution. Otherwise, we're kind of fumbling in the dark here.

From lorenl at north-winds.org Mon Nov 17 20:29:21 2008
From: lorenl at north-winds.org (Loren M. Lang)
Date: Mon, 17 Nov 2008 11:29:21 -0800
Subject: appending to gpg file?
In-Reply-To: <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
Message-ID: <1226950161.7802.7.camel@ruth.aloha.tallye.com>

On Mon, 2008-11-17 at 13:16 -0500, David Kennedy wrote:
> Is there a safe ascii delimiter I could use between messages in one
> file, then? Maybe insert a delimited 'line break' of sorts, parse out
> individual gpg messages, and decrypt each piece?

I'd recommend just ascii-armoring it. That will cleanly separate out
the messages and be easy to parse back in. Use the -a option to gpg.

>
> Thanks for the brainstorm..
>
> On Mon, Nov 17, 2008 at 1:07 PM, David Shaw wrote:
>
> > Not really. You can do this as a running append (i.e. keep a file
> > descriptor open to your gpg process and keep pushing data at it),
> > which would create one large file.
> > You can't do it with '>>' as that
> > creates multiple OpenPGP messages in a single file, which is not
> > required to be supported by an OpenPGP client.
> >
> > David

--
Loren M. Lang
lorenl at north-winds.org
http://www.north-winds.org/

Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From dshaw at jabberwocky.com Mon Nov 17 21:01:58 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 17 Nov 2008 15:01:58 -0500
Subject: appending to gpg file?
In-Reply-To: <9c3169680811171141l362948dm74987c9520ad9294@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
 <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>
 <4921C54F.3050200@sixdemonbag.org>
 <9c3169680811171141l362948dm74987c9520ad9294@mail.gmail.com>
Message-ID: <20081117200158.GB4532@jabberwocky.com>

On Mon, Nov 17, 2008 at 02:41:50PM -0500, David Kennedy wrote:
> Thanks for the help!
>
> I'm using an app to pipe events (text strings) through an instance of gpg to
> a file. This works great for me now, in an ideal environment.
>
> Two issues:
> 1) The problem occurs if/when the app breaks, breaking the pipe and killing
> my stream. GPG terminates, and the resulting file is unreadable (I get an
> error decrypting it after entering in the passphrase). So, the whole log is
> no good.
>
> 2) Then, what if I'd like to start the app again, and stream back to the same
> file?
>
> My thought is to individually encrypt each "line" in the output file as its
> own gpg encrypted package. No dependencies on other individual "lines" not
> being corrupt, as long as some sort of delimiter is in place.

(please don't top-post)

Do this:

echo "my log line" | gpg --armor >> my_log_file.txt

(Use whatever gpg options you like. The important bit is that you
have --armor in there)

You will end up with a log file that looks like this:

-----BEGIN PGP MESSAGE-----
(Lots of base64 stuff)
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
(Lots of base64 stuff)
-----END PGP MESSAGE-----
-----BEGIN PGP MESSAGE-----
(Lots of base64 stuff)
-----END PGP MESSAGE-----

and so on. To decrypt, split up the file so that each BEGIN/END pair
is in its own file, and decrypt that.

Note this is a pretty space-inefficient way to store things, but it
does answer your question of how to do it. There might be a better
way to solve the original problem, but I'm not sure what that is from
your email.

David

From dshaw at jabberwocky.com Mon Nov 17 21:18:34 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 17 Nov 2008 15:18:34 -0500
Subject: Trust Signatures
In-Reply-To: <1226950529.7802.10.camel@ruth.aloha.tallye.com>
References: <1226950529.7802.10.camel@ruth.aloha.tallye.com>
Message-ID: <20081117201833.GC4532@jabberwocky.com>

On Mon, Nov 17, 2008 at 11:35:29AM -0800, Loren M. Lang wrote:

> I'm having trouble understanding trust signatures in OpenPGP so I decided
> to run an experiment. I created a new private key for me in a fresh
> GNUPGHOME followed by private keys for Alice, Bobbie, Charlie, and
> Mallory in a separate GNUPGHOME. I had Alice sign Bobbie's public key
> who signed Charlie's who signed Mallory's. I then imported Alice,
> Bobbie, Charlie, and Mallory's public keys into my GNUPGHOME. All their
> keys showed up as unknown trust and unknown validity as expected.
> I then signed Alice's public key. All signatures so far have been trust
> signatures with a depth of 4 and full trust with no domain specified.
> At this point Alice's key shows up as fully trusted and fully valid as
> expected. Bobbie's key became automatically fully valid without me
> setting an ownertrust on Alice, but Bobbie's trust is marked as unknown.
> Charlie's key is unknown trust with undefined validity. As I understand
> trust signatures, all keys up to Mallory should be valid, what am I
> missing?

You do understand correctly. This is a known bug in GnuPG, and will
be fixed for the next version. If you have the ability to, I'd love
if you would try the patch at:

http://lists.gnupg.org/pipermail/gnupg-users/2008-June/033814.html

David

From ragnar12 at gmx.de Tue Nov 18 08:51:44 2008
From: ragnar12 at gmx.de (ragnar12 at gmx.de)
Date: Tue, 18 Nov 2008 08:51:44 +0100
Subject: Fetch smartcard key from disk
Message-ID: <20081118075144.322650@gmx.net>

Hi,

I'm a new user of the GnuPG Smartcard, and everything is working fine at my home :-)

Now, I have the problem at my working place to fetch the public smartcard key from a webserver, because of the proxy settings at my office.

So, I wonder if it is possible to fetch a public smartcard key from the harddisk/stick, e.g. set the url to "file://C:\smartkey.asc"

Or, asking more generally, which protocols are supported by the "fetch" method?

Thanks in advance,
Burkhard

From aheinlein at gmx.com Tue Nov 18 09:52:49 2008
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Tue, 18 Nov 2008 09:52:49 +0100
Subject: appending to gpg file?
In-Reply-To: <20081117200158.GB4532@jabberwocky.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
 <529e76830811171041n483742bagfe41bf8385238bb5@mail.gmail.com>
 <4921C54F.3050200@sixdemonbag.org>
 <9c3169680811171141l362948dm74987c9520ad9294@mail.gmail.com>
 <20081117200158.GB4532@jabberwocky.com>
Message-ID: <49228261.3080207@gmx.com>

David Shaw wrote:
> On Mon, Nov 17, 2008 at 02:41:50PM -0500, David Kennedy wrote:
>
>> Thanks for the help!
>>
>> I'm using an app to pipe events (text strings) through an instance of gpg to
>> a file. This works great for me now, in an ideal environment.
>>
>> Two issues:
>> 1) The problem occurs if/when the app breaks, breaking the pipe and killing
>> my stream. GPG terminates, and the resulting file is unreadable (I get an
>> error decrypting it after entering in the passphrase). So, the whole log is
>> no good.
>>
>> 2) Then, what if I'd like to start the app again, and stream back to the same
>> file?
>>
>> My thought is to individually encrypt each "line" in the output file as its
>> own gpg encrypted package. No dependencies on other individual "lines" not
>> being corrupt, as long as some sort of delimiter is in place.
>>
>
> (please don't top-post)
>
> Do this:
>
> echo "my log line" | gpg --armor >> my_log_file.txt
>
> (Use whatever gpg options you like. The important bit is that you
> have --armor in there)
>
> You will end up with a log file that looks like this:
>
> -----BEGIN PGP MESSAGE-----
> (Lots of base64 stuff)
> -----END PGP MESSAGE-----
> -----BEGIN PGP MESSAGE-----
> (Lots of base64 stuff)
> -----END PGP MESSAGE-----
> -----BEGIN PGP MESSAGE-----
> (Lots of base64 stuff)
> -----END PGP MESSAGE-----
>
> and so on. To decrypt, split up the file so that each BEGIN/END pair
> is in its own file, and decrypt that.
>
> Note this is a pretty space-inefficient way to store things, but it
> does answer your question of how to do it. There might be a better
> way to solve the original problem, but I'm not sure what that is from
> your email.
>

From what he wrote, this looks like it could be solved better with
filesystem encryption like eCryptfs or encrypted
loopback/dm_crypt/TrueCrypt/etc. That would imply, however, that access
to the file/volume can be restricted securely as long as it's open.

Bye,
Andreas

From lorenl at alzatex.com Mon Nov 17 20:28:06 2008
From: lorenl at alzatex.com (Loren M. Lang)
Date: Mon, 17 Nov 2008 11:28:06 -0800
Subject: appending to gpg file?
In-Reply-To: <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
References: <9c3169680811170846m127fc069ifc8628137b28e40c@mail.gmail.com>
 <20081117180759.GA4532@jabberwocky.com>
 <9c3169680811171016o360ad9edxa1844516f9aa49a8@mail.gmail.com>
Message-ID: <1226950086.7802.4.camel@ruth.aloha.tallye.com>

On Mon, 2008-11-17 at 13:16 -0500, David Kennedy wrote:
> Is there a safe ascii delimiter I could use between messages in one
> file, then? Maybe insert a delimited 'line break' of sorts, parse out
> individual gpg messages, and decrypt each piece?

I'd recommend just ascii-armoring it. That will cleanly separate out
the messages and be easy to parse back in. Use the -a option to gpg.

>
> Thanks for the brainstorm..
>
> On Mon, Nov 17, 2008 at 1:07 PM, David Shaw wrote:
>
> > Not really. You can do this as a running append (i.e. keep a file
> > descriptor open to your gpg process and keep pushing data at it),
> > which would create one large file. You can't do it with '>>' as that
> > creates multiple OpenPGP messages in a single file, which is not
> > required to be supported by an OpenPGP client.
> >
> > David

--
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From lorenl at alzatex.com Mon Nov 17 20:15:37 2008
From: lorenl at alzatex.com (Loren M. Lang)
Date: Mon, 17 Nov 2008 11:15:37 -0800
Subject: Trust Signatures
Message-ID: <1226949337.7802.1.camel@ruth.aloha.tallye.com>

Was the GnuPG users mailing list down for a while? There appears to be
a gap in my Inbox and none of my messages sent during that time have
shown up. It's been 4 days so I'm resending it.

I'm having trouble understanding trust signatures in OpenPGP so I decided
to run an experiment. I created a new private key for me in a fresh
GNUPGHOME followed by private keys for Alice, Bobbie, Charlie, and
Mallory in a separate GNUPGHOME. I had Alice sign Bobbie's public key
who signed Charlie's who signed Mallory's. I then imported Alice,
Bobbie, Charlie, and Mallory's public keys into my GNUPGHOME. All their
keys showed up as unknown trust and unknown validity as expected. I
then signed Alice's public key. All signatures so far have been trust
signatures with a depth of 4 and full trust with no domain specified.
At this point Alice's key shows up as fully trusted and fully valid as
expected. Bobbie's key became automatically fully valid without me
setting an ownertrust on Alice, but Bobbie's trust is marked as unknown.
Charlie's key is unknown trust with undefined validity.
As I understand trust signatures, all keys up to Mallory should be valid,
what am I missing?

--
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A 3FA4 DCEE BB39 7654 DE5B

From carloswill at gmail.com Tue Nov 18 14:17:11 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Tue, 18 Nov 2008 08:17:11 -0500
Subject: Key Format For Exchange
Message-ID:

Myself and office mate just installed GnuPG on our Linux machines and
generated a key:

========================================

carloswill at tunafish:~$ gpg --list-keys
/home/carloswill/.gnupg/pubring.gpg
----------------------------------
pub 1024D/7351884D 2008-11-14
uid Carlos Williams
sub 2048g/49148CB4 2008-11-14

========================================

My question is what is the proper way to export this to a file for
both of us so we can import this to our keyrings? When I check the
How-To page:

http://www.gnupg.org/gph/en/manual.html#AEN84

I see they're importing a *.gpg file. I was told from another site
that I can export my public key as .asc so I am really confused what
the correct way is to export my public key so my co-worker can import
it. Can anyone please pull me out of the dark?

Thanks!
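
For the "appending to gpg file?" thread above: an added example, not code from the thread or from GnuPG, of the split-then-decrypt step David Shaw describes for a log built with `gpg --armor >> my_log_file.txt`. It splits on BEGIN/END pairs, sets aside a block cut short by a crashed writer (the failure David Kennedy reports), and checks each block's armor CRC-24 before it is handed to `gpg --decrypt`; the function names and the sample log are constructed for illustration.

```python
import base64
import binascii
import subprocess

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """CRC-24 of the OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def check_block(block: str) -> str:
    """Return "ok", "bad-base64" or "bad-crc" for one complete BEGIN/END block."""
    inner = [line.strip() for line in block.splitlines()][1:-1]
    if "" in inner:                      # armor headers end at the first blank line
        inner = inner[inner.index("") + 1:]
    data = "".join(ln for ln in inner if ln and not ln.startswith("="))
    sums = [ln[1:] for ln in inner if ln.startswith("=")]
    try:
        payload = base64.b64decode(data, validate=True)
        if not sums:                     # the checksum line is optional in armor
            return "ok"
        expected = int.from_bytes(base64.b64decode(sums[-1], validate=True), "big")
    except binascii.Error:
        return "bad-base64"
    return "ok" if crc24(payload) == expected else "bad-crc"


def split_armored(text: str):
    """Yield (status, block) for every BEGIN marker in an append-only log.

    Searching the whole text, not line by line, also finds a BEGIN that
    follows a half-written line left behind by a killed writer.
    """
    pos = text.find(BEGIN)
    while pos != -1:
        nxt = text.find(BEGIN, pos + len(BEGIN))
        end = text.find(END, pos)
        if end == -1 or (nxt != -1 and end > nxt):
            yield "truncated", text[pos:nxt if nxt != -1 else len(text)]
        else:
            block = text[pos:end + len(END)] + "\n"
            yield check_block(block), block
        pos = nxt


def usable_blocks(text: str):
    """Blocks that are complete and pass the armor checksum."""
    return [block for status, block in split_armored(text) if status == "ok"]


def decrypt_block(block: str) -> bytes:
    """Hand one intact block to gpg; key access is left to gpg and its agent."""
    done = subprocess.run(["gpg", "--batch", "--decrypt"],
                          input=block.encode(), capture_output=True, check=True)
    return done.stdout


def armor(payload: bytes) -> str:
    """Wrap bytes in message armor; used only to construct the sample log."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + check, END]) + "\n"


def sample_log() -> str:
    """Constructed log; the payloads are stand-in bytes, not real OpenPGP packets."""
    first = armor(b"constructed ciphertext for log line 1")
    cut = armor(b"constructed ciphertext for log line 2" * 4)
    cut = cut[:len(cut) // 2]            # writer killed in the middle of an append
    third = armor(b"constructed ciphertext for log line 3")
    lines = armor(b"constructed ciphertext for log line 4").split("\n")
    lines[2] = "B" + lines[2][1:]        # one damaged character in the data
    return first + cut + third + "\n".join(lines)


if __name__ == "__main__":
    for status, block in split_armored(sample_log()):
        print(status, len(block), "bytes")
```

Only the blocks returned by `usable_blocks` are worth passing to `decrypt_block`; the armor checksum catches accidental damage only, so integrity against tampering still depends on what gpg itself verifies.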

From dshaw at jabberwocky.com Tue Nov 18 15:01:24 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 18 Nov 2008 09:01:24 -0500
Subject: Key Format For Exchange
In-Reply-To:
References:
Message-ID: <8BECC1A2-5CA9-4578-B6CF-799BEFD0ABD2@jabberwocky.com>

On Nov 18, 2008, at 8:17 AM, Carlos Williams wrote:

> Myself and office mate just installed GnuPG on our Linux machines and
> generated a key:
>
> ========================================
>
> carloswill at tunafish:~$ gpg --list-keys
> /home/carloswill/.gnupg/pubring.gpg
> ----------------------------------
> pub 1024D/7351884D 2008-11-14
> uid Carlos Williams
> sub 2048g/49148CB4 2008-11-14
>
> ========================================
>
> My question is what is the proper way to export this to a file for
> both of us so we can import this to our keyrings?

You do:
gpg --export 7351884D > carlos-key.gpg

He does:
gpg --import carlos-key.gpg

David

From dshaw at jabberwocky.com Tue Nov 18 15:13:54 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 18 Nov 2008 09:13:54 -0500
Subject: Fetch smartcard key from disk
In-Reply-To: <20081118075144.322650@gmx.net>
References: <20081118075144.322650@gmx.net>
Message-ID: <4C4060C9-2F12-4591-80BB-4C87252F719B@jabberwocky.com>

On Nov 18, 2008, at 2:51 AM, ragnar12 at gmx.de wrote:

> Hi,
>
> I'm a new user of the GnuPG Smartcard, and everything is working
> fine at my home :-)
>
> Now, I have the problem at my working place to fetch the public
> smartcard key from a webserver, because of the proxy settings at my
> office.
>
> So, I wonder if it is possible to fetch a public smartcard key from the
> harddisk/stick, e.g. set the url to "file://C:\smartkey.asc"
>
> Or, asking more generally, which protocols are supported by the "fetch"
> method?

It depends on whether you have built your GnuPG with libcurl or not.
Libcurl is a URL-fetching library that GnuPG can use to, well, fetch
URLs. If you are using libcurl then yes, you can use 'file' URLs.
If your GnuPG was not built with libcurl, then you can only use the
'http' method.

The easiest way to tell if you have libcurl support is to try doing:

gpg --fetch-keys file://C:\smartkey.asc

If it works, then you're all set. If it doesn't work, then you might
try building your GnuPG with libcurl support.

David

From bernhard.kleine at gmx.net Tue Nov 18 16:06:29 2008
From: bernhard.kleine at gmx.net (Bernhard Kleine)
Date: Tue, 18 Nov 2008 16:06:29 +0100
Subject: keyformat
Message-ID: <1227020789.5156.13.camel@amd2000bk.kleinedaheim>

Hi,

I try to import a key which is available via finger (see below).
How to save this key that it can be imported by the seahorse application
(debian SID/actual versions)?

$ finger rfrancoise/key at db.debian.org
[db.debian.org]
uid=rfrancoise,ou=users,dc=debian,dc=org
gpg: keyblock resource `/nonexistent/.gnupg/secring.gpg': file open error
Key block:
Key block: 0
~$

--
Bernhard Kleine

From dshaw at jabberwocky.com Tue Nov 18 16:55:09 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 18 Nov 2008 10:55:09 -0500
Subject: keyformat
In-Reply-To: <1227020789.5156.13.camel@amd2000bk.kleinedaheim>
References: <1227020789.5156.13.camel@amd2000bk.kleinedaheim>
Message-ID: <20081118155509.GA1156@jabberwocky.com>

On Tue, Nov 18, 2008 at 04:06:29PM +0100, Bernhard Kleine wrote:
> Hi,
>
> I try to import a key which is available via finger (see below).
> How to save this key that it can be imported by the seahorse application
> (debian SID/actual versions)?
>
> $ finger rfrancoise/key at db.debian.org
> [db.debian.org]
> uid=rfrancoise,ou=users,dc=debian,dc=org

gpg --fetch-keys finger:rfrancoise/key at db.debian.org

David

From meadj at odscompanies.com Tue Nov 18 19:58:06 2008
From: meadj at odscompanies.com (Jennifer L.
Mead)
Date: Tue, 18 Nov 2008 10:58:06 -0800
Subject: compiling on AIX 5.3 for gnupg-2.0.9
Message-ID: <14D5D468207E184380ECC7A9BDA208F2013F2308@pdxex3.pdx.odshp.com>

Hello,

I am trying to update our version of gpg to the latest and greatest. I
am having too much fun compiling the code. For some reason I have had to
modify install scripts so that configure and gmake find the zlib
libraries and iconv libraries. Okay good. Now I get a core dump during
the tests. Let me give some detail.

I am on:

X:[su]/usr/local/gnupg-2.0.9>oslevel -rq
Known Recommended Maintenance Levels
------------------------------------
5300-05
5300-04
5300-03
5300-02
5300-01
5300-00
X:[su]/usr/local/gnupg-2.0.9>bootinfo -K
64

Here is my core dump announcement:

Making all in tests
gmake[2]: Entering directory `/usr/local/gnupg-2.0.9/tests'
Making all in openpgp
gmake[3]: Entering directory `/usr/local/gnupg-2.0.9/tests/openpgp'
echo '#!/bin/sh' >./gpg_dearmor
echo "../../g10/gpg2 --no-options --no-greeting \
 --no-secmem-warning --batch --dearmor" >>./gpg_dearmor
chmod 755 ./gpg_dearmor
./gpg_dearmor > ./pubring.gpg < ./pubring.asc
./gpg_dearmor[2]: 139414 Memory fault(coredump)
gmake[3]: *** [pubring.gpg] Error 139
gmake[3]: Leaving directory `/usr/local/gnupg-2.0.9/tests/openpgp'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/usr/local/gnupg-2.0.9/tests'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/local/gnupg-2.0.9'
gmake: *** [all] Error 2

Any suggestions on what to do next? Could it be as silly as no pubring
exists? I don't think so, but it would be sweet if that were it!!!

Regards,
Jen

----------------------------------
The ODS Companies
Jennifer L. Mead
Sr. Unix Administrator
503.243.4486
http://www.odscompanies.com

This message is intended for the sole use of the individual and entity
to whom it is addressed, and may contain information that is privileged,
confidential and exempt from disclosure under applicable law.

From wk at gnupg.org Tue Nov 18 20:00:38 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 18 Nov 2008 20:00:38 +0100
Subject: Trust Signatures
In-Reply-To: <1226949337.7802.1.camel@ruth.aloha.tallye.com> (Loren M. Lang's message of "Mon, 17 Nov 2008 11:15:37 -0800")
References: <1226949337.7802.1.camel@ruth.aloha.tallye.com>
Message-ID: <873ahog8q1.fsf@wheatstone.g10code.de>

On Mon, 17 Nov 2008 20:15, lorenl at alzatex.com said:

> Was the GnuPG users mailing list down for a while? There appears to be

Right. The disk was full.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From carloswill at gmail.com Tue Nov 18 21:16:16 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Tue, 18 Nov 2008 15:16:16 -0500
Subject: Key Format For Exchange
In-Reply-To: <8BECC1A2-5CA9-4578-B6CF-799BEFD0ABD2@jabberwocky.com>
References: <8BECC1A2-5CA9-4578-B6CF-799BEFD0ABD2@jabberwocky.com>
Message-ID:

On Tue, Nov 18, 2008 at 9:01 AM, David Shaw wrote:
> You do:
> gpg --export 7351884D > carlos-key.gpg
>
> He does:
> gpg --import carlos-key.gpg

So we both now appear to have each other's public keys in our local
PC's keyring. Now is there a way we both can send encrypted email from
Thunderbird using our GnuPG keys? We are both using the same email
client and have each other's public keys listed in our local PC's
keyring. I just don't know how we can test this from the point we're
at now.

From dshaw at jabberwocky.com Tue Nov 18 21:57:43 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 18 Nov 2008 15:57:43 -0500
Subject: Key Format For Exchange
In-Reply-To:
References: <8BECC1A2-5CA9-4578-B6CF-799BEFD0ABD2@jabberwocky.com>
Message-ID: <20081118205742.GC1855@jabberwocky.com>

On Tue, Nov 18, 2008 at 03:16:16PM -0500, Carlos Williams wrote:
> On Tue, Nov 18, 2008 at 9:01 AM, David Shaw wrote:
> > You do:
> > gpg --export 7351884D > carlos-key.gpg
> >
> > He does:
> > gpg --import carlos-key.gpg
>
> So we both now appear to have each other's public keys in our local
> PC's keyring. Now is there a way we both can send encrypted email from
> Thunderbird using our GnuPG keys? We are both using the same email
> client and have each other's public keys listed in our local PC's
> keyring. I just don't know how we can test this from the point we're
> at now.

For specific instructions and software to use GnuPG in Thunderbird,
please refer to the Enigmail folks: http://enigmail.mozdev.org/

David

From mkesper at fsfe.org Wed Nov 19 11:25:31 2008
From: mkesper at fsfe.org (Michael Kesper)
Date: Wed, 19 Nov 2008 11:25:31 +0100
Subject: Fetch smartcard key from disk
In-Reply-To: <4C4060C9-2F12-4591-80BB-4C87252F719B@jabberwocky.com>
References: <20081118075144.322650@gmx.net> <4C4060C9-2F12-4591-80BB-4C87252F719B@jabberwocky.com>
Message-ID: <20081119102531.GA4436@localhost>

Hi,

* David Shaw [2008-11-18 09:13:54 -0500]:
> The easiest way to tell if you have libcurl support is to try doing:
>
> gpg --fetch-keys file://C:\smartkey.asc

What about simply using gpg --import ?

Best wishes
Michael

--
Free Software Foundation Europe (FSFE)      [] (http://fsfeurope.org)
Join the Fellowship!                    [][][] (http://fsfe.org/join)
Your donation makes our work possible!    ||   (http://fsfeurope.org/donate)

From dshaw at jabberwocky.com Wed Nov 19 13:48:24 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 19 Nov 2008 07:48:24 -0500
Subject: Fetch smartcard key from disk
In-Reply-To: <20081119102531.GA4436@localhost>
References: <20081118075144.322650@gmx.net> <4C4060C9-2F12-4591-80BB-4C87252F719B@jabberwocky.com> <20081119102531.GA4436@localhost>
Message-ID: <3BB19F32-16FB-4A7B-87D1-2959D475F52A@jabberwocky.com>

On Nov 19, 2008, at 5:25 AM, Michael Kesper wrote:

> Hi,
>
> * David Shaw [2008-11-18 09:13:54 -0500]:
>
>> The easiest way to tell if you have libcurl support is to try doing:
>>
>> gpg --fetch-keys file://C:\smartkey.asc
>
> What about simply using gpg --import ?

This allows you to generalize. The card can store a URL to the key,
whether it's HTTP or FILE, or what have you. --import only works for
local files. The card "fetch" command works for all ways to get a key.

David

From s_angelov at filibeto.org Thu Nov 20 09:05:30 2008
From: s_angelov at filibeto.org (Stoyan Angelov)
Date: Thu, 20 Nov 2008 10:05:30 +0200
Subject: gnupg 1.4.9 binaries for hp-ux (11.23 hppa)
Message-ID: <483AAB85-DEF3-45C8-A279-0E761A00A85D@filibeto.org>

hello all,

i noticed that there is no recent binary distribution for the hp-ux
platform. i have built and packaged gnupg 1.4.9 (32-bit binaries for
hp-ux 11.23, PA-RISC platform).

details about the build are available here:
http://www.filibeto.org/~aduritz/truetrue/gnupg/1.4.9/gnupg-1.4.9-hppa-11.23.README

the binary "depot" distribution itself:
http://www.filibeto.org/~aduritz/truetrue/gnupg/1.4.9/gnupg-1.4.9-hppa-11.23.depot.gz

dependencies:
http://www.filibeto.org/~aduritz/truetrue/gnupg/1.4.9/gnupg-1.4.9-hppa-11.23-dependencies.tar

signatures and md5 digests are available on the url below:
http://www.filibeto.org/~aduritz/truetrue/gnupg/1.4.9/

i have tested the binaries and believe they are working well.
hope someone finds these useful.

greetings,

Stoyan Angelov

From carloswill at gmail.com Thu Nov 20 16:42:45 2008
From: carloswill at gmail.com (Carlos Williams)
Date: Thu, 20 Nov 2008 10:42:45 -0500
Subject: Supported Formats
Message-ID:

I had someone at a co-location (different network / domain) install a
Verisign Class 1 Digital certification. I was able to share the
Verisign cert with another user who has the same kind of class 1
certificate and we can now send encrypted and signed email back to
each other fine. My question is now I would like to take my
certificate and send it to any of the users with class 1 Verisign
cert. The problem is when I export my GnuPG public key and send it to
him, it does not recognize it at all. It does not like the .asc file
extension. How can I exchange keys with anyone using a class 1
certificate in Outlook 2003 and/or Mozilla Thunderbird. I am guessing
neither of the machines configured are unable to read the .asc format
I am exporting my public key as.

Any advice.

From dshaw at jabberwocky.com Thu Nov 20 17:16:31 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 20 Nov 2008 11:16:31 -0500
Subject: Supported Formats
In-Reply-To:
References:
Message-ID: <20081120161631.GB7682@jabberwocky.com>

On Thu, Nov 20, 2008 at 10:42:45AM -0500, Carlos Williams wrote:
> I had someone at a co-location (different network / domain) install a
> Verisign Class 1 Digital certification. I was able to share the
> Verisign cert with another user who has the same kind of class 1
> certificate and we can now send encrypted and signed email back to
> each other fine. My question is now I would like to take my
> certificate and send it to any of the users with class 1 Verisign
> cert. The problem is when I export my GnuPG public key and send it to
> him, it does not recognize it at all. It does not like the .asc file
> extension. How can I exchange keys with anyone using a class 1
> certificate in Outlook 2003 and/or Mozilla Thunderbird.
> I am guessing
> neither of the machines configured are unable to read the .asc format
> I am exporting my public key as.

You can't do this. There are two popular ways to encrypt mail, one is
S/MIME and the other is OpenPGP. Your GnuPG key is OpenPGP. The
Verisign certs are S/MIME. The two are not interchangeable without
very special surgery.

David

From John at Mozilla-Enigmail.org Thu Nov 20 17:27:19 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 20 Nov 2008 10:27:19 -0600
Subject: Supported Formats
In-Reply-To:
References:
Message-ID: <49258FE7.9050102@Mozilla-Enigmail.org>

Carlos Williams wrote:
> I had someone at a co-location (different network / domain) install a
> Verisign Class 1 Digital certification. I was able to share the
> Verisign cert with another user who has the same kind of class 1
> certificate and we can now send encrypted and signed email back to
> each other fine. My question is now I would like to take my
> certificate and send it to any of the users with class 1 Verisign
> cert. The problem is when I export my GnuPG public key and send it to
> him, it does not recognize it at all. It does not like the .asc file
> extension. How can I exchange keys with anyone using a class 1
> certificate in Outlook 2003 and/or Mozilla Thunderbird. I am guessing
> neither of the machines configured are unable to read the .asc format
> I am exporting my public key as.
>
> Any advice.

Short answer: You can't.

Digital Certificates are X.509. You are using OpenPGP.

X.509 is the native encryption built in to web browsers and email apps
such as Outlook and Thunderbird (S/MIME).

OpenPGP and X.509 are similar in some respects but mostly incompatible.
You cannot mix X.509 and OpenPGP in the same mail message. Nor can each
make use of the other's keys/certificates.

Regards.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From John at Mozilla-Enigmail.org Thu Nov 20 18:09:26 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 20 Nov 2008 11:09:26 -0600
Subject: Supported Formats
In-Reply-To: <49258FE7.9050102@Mozilla-Enigmail.org>
References: <49258FE7.9050102@Mozilla-Enigmail.org>
Message-ID: <492599C6.10204@Mozilla-Enigmail.org>

John Clizbe wrote:
> Carlos Williams wrote:
>> Any advice.
>
> Short answer: You can't.
>
> Digital Certificates are X.509. You are using OpenPGP.
>
> X.509 is the native encryption built in to web browsers and email apps such as
> Outlook and Thunderbird (S/MIME).
>
> OpenPGP and X.509 are similar in some respects but mostly incompatible. You
> cannot mix X.509 and OpenPGP in the same mail message. Nor can each make use of
> the other's keys/certificates.

I forgot to add, if you wish to use encryption with Digital Certificate
users, you will need to get at least one of your own.

Free Class I certificates are available from CA Cert[1] or Thawte[2].
TC TrustCenter[3] used to offer free Class 1 certificates but that
option seems to have gone missing from their site.

Beyond those there are numerous Certificate Authorities willing to
issue you certificates, usually at a cost of about $15/yr. Vendors
include Verisign (and its acquisitions Thawte and Geotrust), Comodo,
GoDaddy, GlobalSign, Entrust. There are about 50 trusted CAs in most of
the popular browsers, many of them will sell you a certificate.

1: http://www.cacert.org/
2: http://www.thawte.com/secure-email/personal-email-certificates/index.html
3: http://www.trustcenter.de/en/products/tc_personal_id.htm

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From faramir.cl at gmail.com Thu Nov 20 18:34:49 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 20 Nov 2008 14:34:49 -0300
Subject: Supported Formats
In-Reply-To: <492599C6.10204@Mozilla-Enigmail.org>
References: <49258FE7.9050102@Mozilla-Enigmail.org> <492599C6.10204@Mozilla-Enigmail.org>
Message-ID: <49259FB9.4070600@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John Clizbe wrote:

> I forgot to add, if you wish to use encryption with Digital Certificate users,
> you will need to get at least one of your own.
>
> Free Class I certificates are available from CA Cert[1] or Thawte[2].
> TC TrustCenter[3] used to offer free Class 1 certificates but that option seems
> to have gone missing from their site.
....
> 1: http://www.cacert.org/
> 2: http://www.thawte.com/secure-email/personal-email-certificates/index.html
> 3: http://www.trustcenter.de/en/products/tc_personal_id.htm

For now, I would recommend Thawte for free digital certificates, since
it would be recognised as valid by most browsers/email clients.
A CAcert certificate would require other people importing their root
certificate, and set it as "Trusted CA", and I am not sure if the other
people would know how to do it, or if they would be willing to do it :(
(CAcert is currently trying to get its certificate included by default
in FireFox... but I don't know how much time it will take.)

Best Regards

P.S: I have nothing against CAcert, in fact, I am willing to become a
CAcert assurer, but I can't ignore the disadvantage they have...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From Brett.Carr at nominet.org.uk Fri Nov 21 16:56:22 2008
From: Brett.Carr at nominet.org.uk (Brett.Carr at nominet.org.uk)
Date: Fri, 21 Nov 2008 15:56:22 +0000
Subject: gnupg compilation problems on Solaris 10 64 bit
Message-ID:

Hello,
I'm trying to build gnupg 1.4.9 on a clean build of Solaris 10 Sparc 64
Bit, the configure stage goes through without any problems and creates my
Makefile, when I run the make things seem to be going fine but after a few
minutes the compile falls over, I have pasted in from where it starts to go
wrong below, any help greatly appreciated.
Note the problems occur if I build as 64 bit, building as 32 bit works
fine.

/usr/sfw/bin/gcc -E -I.. -I../include -DHAVE_CONFIG_H mpih-add1.S | grep -v '^#' > _mpih-add1.s
/usr/sfw/bin/gcc -DHAVE_CONFIG_H -I. -I.. -I..
-I../include -D_REENTRANT -O2 -m64 -mcpu=v9 -Wall -c _mpih-add1.s
/usr/ccs/bin/as: "_mpih-add1.s", line 23: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 26: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 37: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 41: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 43: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 45: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 47: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 49: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 51: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 53: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 55: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 57: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 59: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 61: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 63: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 77: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 79: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 81: error: detect global register use not covered .register
pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 90: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 91: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 100: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 101: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 132: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 135: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 144: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 146: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 146: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 147: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 148: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 148: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 149: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 150: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 152: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 152: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 153: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 154: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 154: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 155: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 156: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 158: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 158: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 159: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 160: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 160: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 161: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 162: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 164: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 164: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 165: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 166: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 166: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 167: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 179: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 181: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 181: error:
detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 182: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 183: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 183: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 184: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 197: error: detect global register use not covered .register pseudo-op
/usr/ccs/bin/as: "_mpih-add1.s", line 198: error: detect global register use not covered .register pseudo-op
*** Error code 1
make: Fatal error: Command failed for target `mpih-add1.o'
Current working directory /export/home/brettcarr/gnupg-1.4.9/mpi
*** Error code 1
The following command caused the error:
failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
    *=* | --[!k]*);; \
    *k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='m4 intl zlib util mpi cipher tools g10 keyserver po doc checks'; for subdir in $list; do \
  echo "Making $target in $subdir"; \
  if test "$subdir" = "."; then \
    dot_seen=yes; \
    local_target="$target-am"; \
  else \
    local_target="$target"; \
  fi; \
  (cd $subdir && make $local_target) \
  || eval $failcom; \
done; \
if test "$dot_seen" = "no"; then \
  make "$target-am" || exit 1; \
fi; test -z "$fail"
make: Fatal error: Command failed for target `all-recursive'
Current working directory /export/home/brettcarr/gnupg-1.4.9
*** Error code 1
make: Fatal error: Command failed for target `all'

Thanks

Brett

Brett Carr
Systems Administrator
Nominet UK

From OHuang at RobertsOxygen.com Fri Nov 21 17:16:48 2008
From: OHuang at RobertsOxygen.com (Huang, Ou)
Date: Fri, 21 Nov 2008 11:16:48 -0500
Subject: Error when compiling gnupg-1.4.9
Message-ID: <7BAD011E5546FF4398B54CE2F6C73C0703F1E4AF61@ROBOX3.robertsoxygen.com>

Hello,
I am trying to compile gnupg 1.4.9 on an AIX 5.3 machine and got the following error:

mpih-div.c:99: error: can't find a register in class `MQ_REGS' while reloading `asm'
mpih-div.c:105: error: can't find a register in class `MQ_REGS' while reloading `asm'
mpih-div.c:105: error: can't find a register in class `MQ_REGS' while reloading `asm'
mpih-div.c:135: error: can't find a register in class `MQ_REGS' while reloading `asm'
mpih-div.c:135: error: can't find a register in class `MQ_REGS' while reloading `asm'
make: 1254-004 The error code from the last command is 1.

Stop.
make: 1254-004 The error code from the last command is 1.

Stop.
make: 1254-004 The error code from the last command is 2.

Does anybody know why I am getting this error and how to fix it?

Thank you!

Ou Huang

From dshaw at jabberwocky.com Fri Nov 21 17:43:00 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 21 Nov 2008 11:43:00 -0500
Subject: Error when compiling gnupg-1.4.9
In-Reply-To: <7BAD011E5546FF4398B54CE2F6C73C0703F1E4AF61@ROBOX3.robertsoxygen.com>
References: <7BAD011E5546FF4398B54CE2F6C73C0703F1E4AF61@ROBOX3.robertsoxygen.com>
Message-ID: <20081121164300.GB2294@jabberwocky.com>

On Fri, Nov 21, 2008 at 11:16:48AM -0500, Huang, Ou wrote:
> Hello,
> I am trying to compile gnupg 1.4.9 on an AIX 5.3 machine and got the following error:
>
> mpih-div.c:99: error: can't find a register in class `MQ_REGS' while reloading `
> asm'

What happens if you build with ./configure --disable-asm ?

David

From dshaw at jabberwocky.com Fri Nov 21 17:43:36 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 21 Nov 2008 11:43:36 -0500
Subject: gnupg compilation problems on Solaris 10 64 bit
In-Reply-To:
References:
Message-ID: <20081121164336.GC2294@jabberwocky.com>

On Fri, Nov 21, 2008 at 03:56:22PM +0000, Brett.Carr at nominet.org.uk wrote:
>
> Hello,
> I'm trying to build gnupg 1.4.9 on a clean build of Solaris 10 Sparc 64
> Bit, the configure stage goes through without any problems and creates my
> Makefile, when I run the make things seem to be going fine but after a few
> minutes the compile falls over, I have pasted in from where it starts to go
> wrong below, any help greatly appreciated.

Try building with ./configure --disable-asm

David

From OHuang at RobertsOxygen.com Fri Nov 21 19:49:00 2008
From: OHuang at RobertsOxygen.com (Huang, Ou)
Date: Fri, 21 Nov 2008 13:49:00 -0500
Subject: Error when compiling gnupg-1.4.9
In-Reply-To: <20081121164300.GB2294@jabberwocky.com>
References: <7BAD011E5546FF4398B54CE2F6C73C0703F1E4AF61@ROBOX3.robertsoxygen.com> <20081121164300.GB2294@jabberwocky.com>
Message-ID: <7BAD011E5546FF4398B54CE2F6C73C0703F1E4B1B4@ROBOX3.robertsoxygen.com>

Thanks David but I am still getting the same error after I tried to build with "--disable-asm".

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of David Shaw
Sent: Friday, November 21, 2008 11:43 AM
To: gnupg-users at gnupg.org
Subject: Re: Error when compiling gnupg-1.4.9

On Fri, Nov 21, 2008 at 11:16:48AM -0500, Huang, Ou wrote:
> Hello,
> I am trying to compile gnupg 1.4.9 on an AIX 5.3 machine and got the following error:
>
> mpih-div.c:99: error: can't find a register in class `MQ_REGS' while reloading `
> asm'

What happens if you build with ./configure --disable-asm ?

David

From Brett.Carr at nominet.org.uk Fri Nov 21 22:14:23 2008
From: Brett.Carr at nominet.org.uk (Brett.Carr at nominet.org.uk)
Date: Fri, 21 Nov 2008 21:14:23 +0000
Subject: gnupg compilation problems on Solaris 10 64 bit
In-Reply-To: <20081121164336.GC2294@jabberwocky.com>
References: <20081121164336.GC2294@jabberwocky.com>
Message-ID:

gnupg-users-bounces at gnupg.org wrote on 21/11/2008 16:43:36:

> David Shaw
> Sent by: gnupg-users-bounces at gnupg.org
>
> 21/11/08 16:45
>
> To
>
> gnupg-users at gnupg.org
>
> cc
>
> Subject
>
> Re: gnupg compilation problems on Solaris 10 64 bit
>
> On Fri, Nov 21, 2008 at 03:56:22PM +0000, Brett.Carr at nominet.org.uk wrote:
> >
> > Hello,
> > I'm trying to build gnupg 1.4.9 on a clean build of Solaris 10 Sparc 64
> > Bit, the configure stage goes through without any problems and creates my
> > Makefile, when I run the make things seem to be going fine but after a few
> > minutes the compile falls over, I have pasted in from where it starts to go
> > wrong below, any help greatly appreciated.
>
> Try building with ./configure --disable-asm
>

Thanks this fixed the problem, out of interest what does this disable?

Brett

From dshaw at jabberwocky.com Fri Nov 21 23:11:21 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 21 Nov 2008 17:11:21 -0500
Subject: gnupg compilation problems on Solaris 10 64 bit
In-Reply-To:
References: <20081121164336.GC2294@jabberwocky.com>
Message-ID: <20081121221121.GA2757@jabberwocky.com>

On Fri, Nov 21, 2008 at 09:14:23PM +0000, Brett.Carr at nominet.org.uk wrote:

> > > I'm trying to build gnupg 1.4.9 on a clean build of Solaris 10 Sparc 64
> > > Bit, the configure stage goes through without any problems and creates my
> > > Makefile, when I run the make things seem to be going fine but after a few
> > > minutes the compile falls over, I have pasted in from where it starts to go
> > > wrong below, any help greatly appreciated.
> >
> > Try building with ./configure --disable-asm
> >
>
> Thanks this fixed the problem, out of interest what does this disable?

GnuPG has some assembler code for doing math on large numbers. Every
now and then a new platform has trouble with it until we tweak things.
--disable-asm uses portable C code instead of the assembly.

David

From rjh at sixdemonbag.org Sat Nov 22 00:01:19 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 21 Nov 2008 18:01:19 -0500
Subject: gnupg compilation problems on Solaris 10 64 bit
In-Reply-To: <20081121221121.GA2757@jabberwocky.com>
References: <20081121164336.GC2294@jabberwocky.com> <20081121221121.GA2757@jabberwocky.com>
Message-ID: <49273DBF.8070108@sixdemonbag.org>

David Shaw wrote:
> GnuPG has some assembler code for doing math on large numbers. Every
> now and then a new platform has trouble with it until we tweak things.
> --disable-asm uses portable C code instead of the assembly.

What's the engineering reason for the ASM code as opposed to just
sticking with the C code? It seems that for the vast majority of users,
there's no difference in performance between the C code and the
ASM-tuned code. My guess (prejudice?)
is that this would really only make a big difference for high volume
operations.

From dshaw at jabberwocky.com Sat Nov 22 01:56:45 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 21 Nov 2008 19:56:45 -0500
Subject: gnupg compilation problems on Solaris 10 64 bit
In-Reply-To: <49273DBF.8070108@sixdemonbag.org>
References: <20081121164336.GC2294@jabberwocky.com> <20081121221121.GA2757@jabberwocky.com> <49273DBF.8070108@sixdemonbag.org>
Message-ID: <20081122005644.GA20102@jabberwocky.com>

On Fri, Nov 21, 2008 at 06:01:19PM -0500, Robert J. Hansen wrote:
> David Shaw wrote:
> > GnuPG has some assembler code for doing math on large numbers. Every
> > now and then a new platform has trouble with it until we tweak things.
> > --disable-asm uses portable C code instead of the assembly.
>
> What's the engineering reason for the ASM code as opposed to just
> sticking with the C code? It seems that for the vast majority of users,
> there's no difference in performance between the C code and the
> ASM-tuned code. My guess (prejudice?) is that this would really only
> make a big difference for high volume operations.

There is a nonzero benefit to the assembly code, but it is not large.
On the 3ghz 32-bit Linux box I'm currently sitting in front of, 100
encrypts of a 2-byte file to a 1024DSA/4096ElG key takes 11.3 seconds
on average for the assembly version, and 13.0 seconds on average for
the portable C version. Unless you're doing a lot of public key
operations in a row, any difference is going to be dwarfed by other
factors.

David

From rjh at sixdemonbag.org Sat Nov 22 02:06:03 2008
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Fri, 21 Nov 2008 20:06:03 -0500 Subject: gnupg compilation problems on Solaris 10 64 bit In-Reply-To: <20081122005644.GA20102@jabberwocky.com> References: <20081121164336.GC2294@jabberwocky.com> <20081121221121.GA2757@jabberwocky.com> <49273DBF.8070108@sixdemonbag.org> <20081122005644.GA20102@jabberwocky.com> Message-ID: <49275AFB.50506@sixdemonbag.org> David Shaw wrote: > There is a nonzero benefit to the assembly code, but it is not large. So wouldn't it make more sense to have --disable-asm be the default? The increase in portability seems to be a bigger win than shaving two hundredths of a second off of each public key operation, and if people need that extra two hundredths, they can compile their own using --enable-asm. From kevhilton at gmail.com Mon Nov 24 04:20:03 2008 From: kevhilton at gmail.com (Kevin Hilton) Date: Sun, 23 Nov 2008 21:20:03 -0600 Subject: Happy Thanksgiving Message-ID: <96c450350811231920j7e4a6c2bkb39b339acd17f158@mail.gmail.com> A little off topic, however I wanted to wish Happy Thanksgiving to all those users in America, and actually give Thanks to the regular contributors to this mailing list. Thanks -- Kevin Hilton From wk at gnupg.org Mon Nov 24 09:26:16 2008 From: wk at gnupg.org (Werner Koch) Date: Mon, 24 Nov 2008 09:26:16 +0100 Subject: gnupg compilation problems on Solaris 10 64 bit In-Reply-To: <49275AFB.50506@sixdemonbag.org> (Robert J. Hansen's message of "Fri, 21 Nov 2008 20:06:03 -0500") References: <20081121164336.GC2294@jabberwocky.com> <20081121221121.GA2757@jabberwocky.com> <49273DBF.8070108@sixdemonbag.org> <20081122005644.GA20102@jabberwocky.com> <49275AFB.50506@sixdemonbag.org> Message-ID: <87r651bkd3.fsf@wheatstone.g10code.de> On Sat, 22 Nov 2008 02:06, rjh at sixdemonbag.org said: > So wouldn't it make more sense to have --disable-asm be the default? 
> The increase in portability seems to be a bigger win than shaving two

Although modern compilers generate quite good code, the asm code is
highly optimized for certain CPUs. Unfortunately the code for ia32 CPUs
does not cope well with the majority of today's ia32 CPUs. It is also
hard to replace that because you would need to optimize the code for a
certain CPU model and thus also means that the code selection needs to
be done at runtime and not at build time.

Still there are a lot of CPUs where asm code makes a lot of difference,
for example the amd64 code we introduced in libgcrypt helped a lot to
make ZRTP (encrypted VoIP) usable on such boxes. I guess the same holds
for some other architectures.

In many cases the problems come from a mixed toolchain like using gcc
along with the native asm.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From lists at jorge.cc Mon Nov 24 17:36:13 2008
From: lists at jorge.cc (Jorge Luis)
Date: Mon, 24 Nov 2008 11:36:13 -0500
Subject: Elementary Question
Message-ID: <20081124163613.GA99790@jorge.cc>

I've googled and checked the docs for an answer to this, but have come
up empty-handed.

Is it possible to verify public keys without actually adding them to my
keyring? For example, I don't want to add keys from mailing lists under
most circumstances, but I would like to retrieve the correspondent's key
and verify it. On the other hand, I'd like to add the key from
correspondence with private parties to my keyring. I can configure mutt
to retrieve selected keys only, but the process always adds the key to
my keyring. I'd like to do a "provisional" check of the key if it's
attached to a mailing list message, without adding it to the keyring.

I hope my question makes sense. Thank you for any suggestions.

JL

--
JL
This message optimized for teletypes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: not available
URL:

From aheinlein at gmx.com Tue Nov 25 09:54:31 2008
From: aheinlein at gmx.com (Andreas Heinlein)
Date: Tue, 25 Nov 2008 09:54:31 +0100
Subject: Elementary Question
In-Reply-To: <20081124163613.GA99790@jorge.cc>
References: <20081124163613.GA99790@jorge.cc>
Message-ID: <492BBD47.7000909@gmx.com>

Jorge Luis wrote:
> I've googled and checked the docs for an answer to this, but have come
> up empty-handed.
>
> Is it possible to verify public keys without actually adding them to my
> keyring? For example, I don't want to add keys from mailing lists under
> most circumstances, but I would like to retrieve the correspondent's key
> and verify it. On the other hand, I'd like to add the key from
> correspondence with private parties to my keyring. I can configure mutt
> to retrieve selected keys only, but the process always adds the key to
> my keyring. I'd like to do a "provisional" check of the key if it's
> attached to a mailing list message, without adding it to the keyring.
>
> I hope my question makes sense. Thank you for any suggestions

Hello,

I doubt this is possible, but it is possible to use multiple keyrings
with gnupg using the --keyring option and set the one to import new keys
to with the --primary-keyring option. This way, you could have a
separate keyring for mailing list keys or you could just use a temporary
keyring which you delete afterwards.

Bye,
Andreas

From s_angelov at filibeto.org Tue Nov 25 19:52:07 2008
From: s_angelov at filibeto.org (Stoyan Angelov)
Date: Tue, 25 Nov 2008 20:52:07 +0200
Subject: gnupg 2.0.9 compile problem on hp-ux 11.23 (hppa)
Message-ID:

hello list,

i am trying to compile gnupg 2.0.9 on hp-ux 11.23 (hppa), using hp's C/
aC++ compiler. the following dependencies are installed:

libgpg-error 1.6
libgcrypt 1.4.3
libassuan 1.0.5
libksba 1.0.4

gmake gives the error below:

cc -DHAVE_CONFIG_H -I. -I..
-I../intl -O -I/usr/local/gnupg2/include -
I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/
local/include -I/usr/local/gnupg2/include -g -Ae -D_HPUX_SOURCE -c
mischelp.c
cc: "/usr/include/sys/socket.h", line 535: warning 562: Redeclaration
of "sendfile" with a different storage class specifier: "sendfile"
will have internal linkage.
cc: "/usr/include/sys/socket.h", line 536: warning 562: Redeclaration
of "sendpath" with a different storage class specifier: "sendpath"
will have internal linkage.
rm -f libjnlib.a
ar cru libjnlib.a stringhelp.o strlist.o utf8conv.o argparse.o
logging.o dotlock.o mischelp.o
/bin/true libjnlib.a
source='t-stringhelp.c' object='t-stringhelp.o' libtool=no \
DEPDIR=.deps depmode=hp /bin/sh ../scripts/depcomp \
cc -DHAVE_CONFIG_H -I. -I.. -I../intl -O -I/usr/local/gnupg2/
include -I/usr/local/include -I/usr/local/include -I/usr/local/include
-I/usr/local/include -I/usr/local/gnupg2/include -g -Ae -D_HPUX_SOURCE
-c t-stringhelp.c
source='t-support.c' object='t-support.o' libtool=no \
DEPDIR=.deps depmode=hp /bin/sh ../scripts/depcomp \
cc -DHAVE_CONFIG_H -I. -I..
-I../intl -O -I/usr/local/gnupg2/
include -I/usr/local/include -I/usr/local/include -I/usr/local/include
-I/usr/local/include -I/usr/local/gnupg2/include -g -Ae -D_HPUX_SOURCE
-c t-support.c
cc -I/usr/local/gnupg2/include -g -Ae -D_HPUX_SOURCE -L/usr/local/
gnupg2/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -o t-
stringhelp t-stringhelp.o t-support.o libjnlib.a /usr/local/lib/
libintl.sl -L/usr/local/lib /usr/local/lib/libiconv.sl /usr/local/lib/
libiconv.sl
/usr/ccs/bin/ld: Unsatisfied symbols:
   gpg_err_code_from_errno (first referenced in
libjnlib.a(stringhelp.o)) (code)
   gpg_err_code_from_syserror (first referenced in
libjnlib.a(stringhelp.o)) (code)
gmake[2]: *** [t-stringhelp] Error 1
gmake[2]: Leaving directory `/install/users/aduritz/buildfarm/gnupg/
gnupg-2.0.9/jnlib'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/install/users/aduritz/buildfarm/gnupg/
gnupg-2.0.9'
gmake: *** [all] Error 2

any help will be appreciated.

greetings,
Stoyan Angelov

From wk at gnupg.org Wed Nov 26 13:18:43 2008
From: wk at gnupg.org (Werner Koch)
Date: Wed, 26 Nov 2008 13:18:43 +0100
Subject: gnupg 2.0.9 compile problem on hp-ux 11.23 (hppa)
In-Reply-To: (Stoyan Angelov's message of "Tue, 25 Nov 2008 20:52:07 +0200")
References:
Message-ID: <87r64yadek.fsf@wheatstone.g10code.de>

On Tue, 25 Nov 2008 19:52, s_angelov at filibeto.org said:

> mischelp.c
> cc: "/usr/include/sys/socket.h", line 535: warning 562: Redeclaration
> of "sendfile" with a different storage class specifier: "sendfile"
> will have internal linkage.

That seems to be a problem of your toolchain. No problem however.
> cc -I/usr/local/gnupg2/include -g -Ae -D_HPUX_SOURCE -L/usr/local/
> gnupg2/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -o t-
> stringhelp t-stringhelp.o t-support.o libjnlib.a /usr/local/lib/
> libintl.sl -L/usr/local/lib /usr/local/lib/libiconv.sl /usr/local/lib/
> libiconv.sl
> /usr/ccs/bin/ld: Unsatisfied symbols:
> gpg_err_code_from_errno (first referenced in
> libjnlib.a(stringhelp.o)) (code)

Strange: We don't use any libgpg-error functions in the jnlib directory.
Can you figure out where this symbol is used? Feel free to send me the
stringhelp.o file by PM.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mikeb at mikebanahan.com Wed Nov 26 18:40:59 2008
From: mikeb at mikebanahan.com (mikeb at mikebanahan.com)
Date: Wed, 26 Nov 2008 17:40:59 +0000
Subject: Smartcard problem (no secret keys) when moving to new machine
Message-ID: <20081126174059.GA22560@lager.gbdirect.co.uk>

Summary: secret keys not marked on secret keyring when 'fetch' is used
to retrieve card public keys.

I'm using Ubuntu which as standard ships with gpg 1.4.6

When I move to a 'virgin' system, i.e. one with gpg but no keyrings, I
insert card, use --card-edit to access the card and then use the 'fetch'
command to retrieve the public key from a server. All goes well.

If I then attempt to sign using the key on the card, I get a 'no secret
key available' message.

If I subsequently issue 'gpg --card-status' this resolves the problem.

It appears that after the fetch of the public keys, the private keyring
is not updated. I have subsequently checked this by deleting all
keyrings, then using --card-edit/fetch. After that gpg -K lists no
secret keys. A subsequent --card-status followed by -K DOES show secret
keys.

This may be nit-picking but it just cost me a couple of hours to track
down. If it's documented can someone tell me where?
Thanks,

Mike

--
Mike Banahan - http://www.gbdirect.co.uk - Tel 0870 200 7273, Mobile 07970 942590
gpg secure email key fingerprint: 8197 386A 206D E0B7 7307 6091 5C29 F51D B3CA 298A

From wk at gnupg.org Thu Nov 27 12:22:08 2008
From: wk at gnupg.org (Werner Koch)
Date: Thu, 27 Nov 2008 12:22:08 +0100
Subject: gnupg 2.0.9 compile problem on hp-ux 11.23 (hppa)
In-Reply-To: <87r64yadek.fsf@wheatstone.g10code.de> (Werner Koch's message of "Wed, 26 Nov 2008 13:18:43 +0100")
References: <87r64yadek.fsf@wheatstone.g10code.de>
Message-ID: <8763m95s7z.fsf@wheatstone.g10code.de>

Hi,

and thanks for the extra info you sent.

On Wed, 26 Nov 2008 13:18, wk at gnupg.org said:

> Strange: We don't use any libgpg-error functions in the jnlib directory.
> Can you figure out where this symbol is used? Feel free to send me the
> stringhelp.o file by PM.

I was wrong here: All jnlib code includes gcrypt.h via libjnlib-config.h
to access the libgcrypt memory allocation functions. By including
gcrypt.h gpg-error.h is also included and the problem is that we have
this code in gpg-error.h:

  #ifdef __GNUC__
  #define GPG_ERR_INLINE __inline__
  #elif __STDC_VERSION__ >= 199901L
  #define GPG_ERR_INLINE inline
  #else
  #ifndef GPG_ERR_INLINE
  #define GPG_ERR_INLINE
  #endif
  #endif

  static GPG_ERR_INLINE gpg_error_t
  gpg_err_make_from_errno (gpg_err_source_t source, int err)
  {
    return gpg_err_make (source, gpg_err_code_from_errno (err));
  }

Now if your compiler is not gcc and not C-99 compliant, we don't get an
inline function but

  static gpg_error_t
  gpg_err_make_from_errno (gpg_err_source_t source, int err)
  {
    return gpg_err_make (source, gpg_err_code_from_errno (err));
  }

which adds a dependency to libgpg-error :-(. A smart linker could
remove such unused functions but that is not the case here.

There are two solutions I can think of: a) Macro trickery to replace the
symbols or b) link against libgpg-error if needed. Given that it is
just a test function I tend to option b.
Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From cwsiv at copper.net Fri Nov 28 00:31:15 2008
From: cwsiv at copper.net (Carl Spitzer)
Date: Thu, 27 Nov 2008 15:31:15 -0800
Subject: Happy Thanksgiving
In-Reply-To: <96c450350811231920j7e4a6c2bkb39b339acd17f158@mail.gmail.com>
References: <96c450350811231920j7e4a6c2bkb39b339acd17f158@mail.gmail.com>
Message-ID: <1227828675.13061.4.camel@linux.site>

On Sun, 2008-11-23 at 21:20 -0600, Kevin Hilton wrote:
> A little off topic, however I wanted to wish Happy Thanksgiving to all
> those users in America, and actually give Thanks to the regular
> contributors to this mailing list.
>
> Thanks
>

Thank you.
shame about Detroit, the Titans had them for lunch.

CWSIV

From Aman_Sehgal at infosys.com Wed Nov 26 06:06:48 2008
From: Aman_Sehgal at infosys.com (Aman Sehgal)
Date: Wed, 26 Nov 2008 10:36:48 +0530
Subject: Regarding installation of GPG
Message-ID: <126E03635C3419488A97E3EE6E2C3EFC660D280AD7@CHNSHLMBX02.ad.infosys.com>

Hi,

I need to install GnuPG on a UNIX server with following version of OS:

HP-UX sdhrs10a B.11.11 U 9000/800 686369363 unlimited-user license

I have downloaded the .jar file for the GPG installable available on
your site. Can you please send across the steps I need to follow to
compile and install GPG. Or if there is any compiled version of the
Installable available.

Thanks and Regards
Aman Sehgal

**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended
solely for the use of the addressee(s). If you are not the intended
recipient, please notify the sender by e-mail and delete the original
message. Further, you are not to copy, disclose, or distribute this
e-mail or its contents to any other person and any such actions are
unlawful. This e-mail may contain viruses.
Infosys has taken every reasonable precaution to minimize this risk, but
is not liable for any damage you may sustain as a result of any virus in
this e-mail. You should carry out your own virus checks before opening
the e-mail or attachment. Infosys reserves the right to monitor and
review the content of all messages sent to or from this e-mail address.
Messages sent to or from this e-mail address may be stored on the
Infosys e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From myckel at sdf.lonestar.org Sun Nov 30 20:19:08 2008
From: myckel at sdf.lonestar.org (Myckel Habets)
Date: Sun, 30 Nov 2008 20:19:08 +0100
Subject: Rare condition incompatibility of public key
Message-ID: <20081130201908.7e69a4cc@sdf.lonestar.org>

Hello list,

Last week I had contact with someone who said that my public key was
"bad" according to his validation program. I've mailed with many people
before while using this key, but he was the first to tell me that. When
I checked with a friend he said that the key was valid for him.

The key was created in 2005 and at creation time I added an expiration
date of the same day 2 years later. However within some time I thought
this was not really needed, so I removed that expiration date (gpg let
me do that, so I thought it was ok) and kept using that key without any
problems.

Currently my key looks like this:

pub  1024D/9A3D206F  created: 2005-12-10  expires: never  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/D5904978  created: 2005-12-10  expires: never  usage: E
[ultimate] (1). Myckel Habets (E-mail key)

The person who said to me that the key validates as bad uses the PGPkeys
program from the PGP corporation software (version 6.58, last version
that was released when Phil Zimmerman worked there, he doesn't trust
later versions) to do the validation.

To sum this up I have two questions:

1) What is causing this problem?
Is my key really bad or is this an
incompatibility between PGPkeys version 6.58 and GPG?

2) Do I need to create new keys and revoke this key?

Thank you in advance.

Myckel Habets
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL:

From jmoore3rd at bellsouth.net Sun Nov 30 21:12:44 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 30 Nov 2008 15:12:44 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081130201908.7e69a4cc@sdf.lonestar.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org>
Message-ID: <4932F3BC.7010209@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Myckel Habets wrote:
> Hello list,
>
> Last week I had contact with someone who said that my public key was
> "bad" according to his validation program.

> The person who said to me that the key validates as bad uses the PGPkeys
> program from the PGP corporation software (version 6.58, last version
> that was released when Phil Zimmerman worked there, he doesn't trust
> later versions) to do the validation.
>
> To sum this up I have two questions:
>
> 1) What is causing this problem? Is my key really bad or is this an
> incompatibility between PGPkeys version 6.58 and GPG?
>
> 2) Do I need to create new keys and revoke this key?

Was the 'Key Bad' or the Signature? Since Your "friend" insists upon
using 6.5.8 [deprecated] then My suspicion is that the Signature failed
to verify simply because the Hash used was one which isn't available in
6.5.8.

You do not need to create a New Key but You do have 2 choices:

1.) Drag Your Neanderthal Friend out of the Encryption 'Stone Age' by
convincing Him to Upgrade to an Application RFC4880 compliant, or

2.) Correspond with Him/Her using _only_ a Hash which is compatible with
6.5.8.
:-\

JOHN ;)
Timestamp: Sunday 30 Nov 2008, 15:12 --500 (Eastern Standard Time)
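
The suspicion voiced in the reply above can be checked from a message itself: a clearsigned message names its digest in a "Hash:" armor header (RFC 4880, section 7), and the reply above declares SHA512. The Python below is an added example, not part of the thread or of GnuPG; the LEGACY_DIGESTS set is an assumption about what a PGP 6.5.8-era verifier supports, and the sample messages are constructed.

```python
"""Report the digest(s) a clearsigned OpenPGP message declares (RFC 4880, sec. 7)."""

BEGIN_MARK = "-----BEGIN PGP SIGNED MESSAGE-----"

# Assumption (not stated in the thread): the digests a PGP 6.5.8-era verifier
# can check. Replace with what the correspondent's software really supports.
LEGACY_DIGESTS = frozenset({"MD5", "SHA1", "RIPEMD160"})


def declared_hashes(message):
    """Return digest names from the "Hash:" armor headers, in order of appearance."""
    lines = [line.rstrip() for line in message.splitlines()]
    if BEGIN_MARK not in lines:
        raise ValueError("not a clearsigned OpenPGP message")
    names = []
    for line in lines[lines.index(BEGIN_MARK) + 1:]:
        if not line:                       # empty line: end of armor headers
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed armor header: {line!r}")
        if key.strip().lower() == "hash":  # may repeat; each is comma-separated
            names.extend(n.strip().upper() for n in value.split(",") if n.strip())
    # RFC 4880: a clearsigned message without any Hash header implies MD5.
    return names or ["MD5"]


def unsupported_hashes(message, supported=LEGACY_DIGESTS):
    """Digests the message declares that the given verifier cannot check."""
    return [name for name in declared_hashes(message) if name not in supported]


# Constructed samples. The first mirrors the header of the signed reply above;
# bodies and signature blocks are placeholders, nothing here is verified.
SHA512_MAIL = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA512\n"
    "\n"
    "Was the 'Key Bad' or the Signature?\n"
    "- -- dash-escaped line\n"
    "-----BEGIN PGP SIGNATURE-----\n"
)
# A "Hash:" line in the body (after the empty line) must not be parsed.
MIXED_MAIL = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1, SHA256\n\nHash: MD5\n"
NO_HEADER_MAIL = "-----BEGIN PGP SIGNED MESSAGE-----\n\nbody\n"

if __name__ == "__main__":
    for label, mail in [("sha512", SHA512_MAIL), ("mixed", MIXED_MAIL),
                        ("no header", NO_HEADER_MAIL)]:
        print(label, declared_hashes(mail), "unsupported:", unsupported_hashes(mail))
```

The header only declares the digest; the signature packet carries the authoritative algorithm ID. On the sending side, GnuPG's --digest-algo option selects the digest used for a signature.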