From jmoore3rd at bellsouth.net Sun Feb 1 01:17:19 2009
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sat, 31 Jan 2009 19:17:19 -0500
Subject: gpg.exe Vista Crash
In-Reply-To: <4984D2D0.3010903@gmail.com>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com>
Message-ID: <4984EA0F.2000005@bellsouth.net>

Brian wrote:
> I downloaded 1.4.9 and installed it. I then grabbed WinPT and when
> launching WinPT, I get repeated gpg.exe crashes, like I did before.
>
> I also downloaded GnuPT and installed that, which comes with 1.4.9 and
> running that also causes gpg.exe crashes.
>
> I then took all of the EXEs from w32cli install and copied them over to
> the GnuPT folder and had the same result.
>
> I am really at a loss as to how to get a GUI interface to work with GnuPG.

Uninstall all versions of WinPT & GnuPT [???] and ascertain that the only version/copy of GnuPG You have installed is 1.4.9.

Then, I suggest using GPGshell with GnuPG for a Frontend since this can be used with Thunderbird/Enigmail also installed and provides an excellent Tray Tool and superior Key Management Tools.

http://www.jumaros.de/rsoft/index.html

Once configured and running smoothly GPGshell also provides a tool for transferring both itself and relevant parts of GPG to a thumb drive for portable use.

JOHN ;)
Timestamp: Saturday 31 Jan 2009, 19:16 --500 (Eastern Standard Time)

From faramir.cl at gmail.com Sun Feb 1 03:16:30 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 31 Jan 2009 23:16:30 -0300
Subject: gpg.exe Vista Crash
In-Reply-To: <4984D2D0.3010903@gmail.com>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com>
Message-ID: <498505FE.7050901@gmail.com>

Brian wrote:
> I am really at a loss as to how to get a GUI interface to work with GnuPG.
>
> What should I try next?

GPGShell, probably. While it has not been tested in Windows Vista, a friend of mine installed it on Vista, and used it without any problem... If GPGShell works fine for you, maybe you should tell it to its author, since the compatibility list says there is no info about compatibility with Vista due to lack of feedback from users...

The URL is http://www.jumaros.de/rsoft/index.html

Best Regards

From malte.gell at gmx.de Sun Feb 1 06:13:17 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Sun, 1 Feb 2009 06:13:17 +0100
Subject: trouble getting GnuPG 2.0.9 working with smartcard
Message-ID: <200902010613.25430.malte.gell@gmx.de>

Hi there,

with hope of finding more response I place my question now here.

I have a Reiner SCT Cyberjack Secoder card reader and with the driver from Reiner SCT's web site it works now, the diagnosis tool "cyberjack" says the reader is available and accessible.

In ~/.gnupg/scdaemon.conf I specified the PCSC driver, it contains the following:

debug-level advanced
pcsc-driver /usr/lib/readers/ifd-cyberjack.bundle/Contents/Linux/ifd-cyberjack.so.2.3.0

But, when inserting a blank smartcard I only get the following:

1[root at linux-61r3]4339-06:06~> gpg --card-status
can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
scdaemon[28645]: listening on socket `/tmp/gpg-Gxylwx/S.scdaemon'
scdaemon[28645]: handler for fd -1 started
scdaemon[28645]: error sending PC/SC OPEN request: Broken pipe
scdaemon[28645.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[28645.0] DBG: <- GETINFO socket_name
scdaemon[28645.0] DBG: -> D /tmp/gpg-Gxylwx/S.scdaemon
scdaemon[28645.0] DBG: -> OK
scdaemon[28645.0] DBG: <- OPTION event-signal=12
scdaemon[28645.0] DBG: -> OK
scdaemon[28645.0] DBG: <- SERIALNO
scdaemon[28645]: no supported card application found: General error
scdaemon[28645.0] DBG: -> ERR 100663297 General error
gpg-agent[28644]: command learn failed: General error
gpg: OpenPGP card not available: General error
[2]1[root at linux-61r3]4340-06:07~> scdaemon[28645.0] DBG: <- RESTART
scdaemon[28645.0] DBG: -> OK
scdaemon[28645.0] DBG: <- [EOF]
scdaemon[28645]: handler for fd -1 terminated
scdaemon[28645]: scdaemon (GnuPG) 2.0.9 stopped

In my naive thoughts I hoped to be able to "format" a blank card to put my key on it. Is this now a driver / GnuPG vs card reader issue or is it not possible to just use any blank smart card (it is an 8 kB smartcard from Atmel it seems)

Malte

From akindejujt at yahoo.co.uk Sun Feb 1 10:09:44 2009
From: akindejujt at yahoo.co.uk (Gabriel Taiwo Akindeju)
Date: Sun, 1 Feb 2009 09:09:44 +0000 (GMT)
Subject: gpgwindir
In-Reply-To: <224840.66232.qm@web26006.mail.ukl.yahoo.com>
Message-ID: <116297.38626.qm@web26002.mail.ukl.yahoo.com>

Hi all,

gpgwindir ver 3 was released today and available for download at http://www21.brinkster.com/taiwoakindeju/gpgwindir.htm.

Additions to / improvements in version 3

Optimised memory utilisation.
Optimised hard Disk space utilisation
Enhanced file security (fail safe)

Regards
Gabriel

From John at Mozilla-Enigmail.org Sun Feb 1 10:45:14 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 01 Feb 2009 03:45:14 -0600
Subject: gpg.exe Vista Crash
In-Reply-To: <4984D2D0.3010903@gmail.com>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com>
Message-ID: <49856F2A.5050405@Mozilla-Enigmail.org>

Brian wrote:
> I downloaded 1.4.9 and installed it. I then grabbed WinPT and when
> launching WinPT, I get repeated gpg.exe crashes, like I did before.
>
> I also downloaded GnuPT and installed that, which comes with 1.4.9 and
> running that also causes gpg.exe crashes.
>
> I then took all of the EXEs from w32cli install and copied them over to
> the GnuPT folder and had the same result.
>
> I am really at a loss as to how to get a GUI interface to work with GnuPG.
>
> What should I try next?

Please QUIT installing add-ons until the program is working. You won't fix it by throwing more code at the problem.

It sounds like your system is still finding the GPG4win binaries first. You may verify that by opening a command window (Start->Run-> cmd.exe click OK) then enter the command

    gpg --version

The first line of output should either specify 1.4.7 if the GPG4win code is found first, 1.4.9 otherwise.
If it's 1.4.7, enter the command

    path

That will display the value of the PATH environment variable.
C:\Program Files\Gnu\GnuPG\pub will likely occur before
C:\Program Files\Gnu\GnuPG. That's what is causing your problem.

To fix it, you may either edit the PATH value (Control Panel -> System -> Advanced -> Environment Variables)

Perhaps the easiest would be to run both the GnuPG for Windows (GPG4Win) and GnuPG uninstallers. Then delete any files remaining in C:\Program Files\Gnu\GnuPG. Re-run the gnupg-w32cli-1.4.9.exe installer.

Open a fresh command window and give the command 'gpg --version' again. It should report 1.4.9 as the version.

I see you are using Thunderbird. Are you also wishing to use Enigmail for email OpenPGP use? If so, set it up now and get it working next. If you already have keys, you do not need to generate a new key pair unless you just want to.
http://enigmail.mozdev.org/home/index.php

Quick Start Guide: http://enigmail.mozdev.org/documentation/quickstart.php

If you wish a separate GUI similar to PGP's most PGP users I know who have moved to GnuPG prefer GPGshell. Download and unzip the installer from http://www.jumaros.de/rsoft/index.html. I like to install GPGshell as a subdirectory under GnuPG (C:\Program Files\Gnu\GnuPG\GPGshell)

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From wolfgang at rosenauer.org Sun Feb 1 13:04:23 2009
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Sun, 01 Feb 2009 13:04:23 +0100
Subject: trouble getting GnuPG 2.0.9 working with smartcard
In-Reply-To: <200902010613.25430.malte.gell@gmx.de>
References: <200902010613.25430.malte.gell@gmx.de>
Message-ID: <49858FC7.2030001@rosenauer.org>

Hi,

Malte Gell wrote:
> with hope of finding more response I place my question now here.
>
> I have a Reiner SCT Cyberjack Secoder card reader and with the driver from
> Reiner SCT's web site it works now, the diagnosis tool "cyberjack" says the
> reader is available and accessible.
>
> In ~/.gnupg/scdaemon.conf i specified the PCSC driver, it contains the
> following:
>
> debug-level advanced
> pcsc-driver /usr/lib/readers/ifd-cyberjack.bundle/Contents/Linux/ifd-cyberjack.so.2.3.0

AFAIK that is not correct. The pcsc-driver is either /usr/lib64/libpcsclite.so or /usr/lib/libpcsclite.so (on your system I guess).

> In my naive thoughts I hoped to be able to "format" a blank card to put my key
> on it. Is this now a driver / GnuPG vs card reader issue or is it not possible
> to just use any blank smart card (it is a 8 kB smartcard from Atmel it seems)

Also AFAIK (my knowledge is not up to date here) gnupg can only use so called OpenPGP smartcards like those:
http://www.g10code.de/p-card.html
http://fellowship.fsfe.org/en/card

I'm sure others will correct me if I'm wrong.

HTH,
Wolfgang

From wk at gnupg.org Sun Feb 1 17:30:11 2009
From: wk at gnupg.org (Werner Koch)
Date: Sun, 01 Feb 2009 17:30:11 +0100
Subject: gpg.exe Vista Crash
In-Reply-To: <49834CC2.3050300@Mozilla-Enigmail.org> (John Clizbe's message of "Fri, 30 Jan 2009 12:53:54 -0600")
References: <498310C4.8020805@gmail.com> <810345752.20090130191518@gswot.org> <49834CC2.3050300@Mozilla-Enigmail.org>
Message-ID: <87zlh686i4.fsf@wheatstone.g10code.de>

On Fri, 30 Jan 2009 19:53, John at Mozilla-Enigmail.org said:

> The patch that allows execution on Vista was committed about a week after
> 1.4.7's release and first appears in 1.4.8.

I was not really aware of that problem. Given that Gpg4win 2.0 is still not in a state to replace 1.1.3 it might be useful to spend some time on getting 1.1.4 out.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From John at Mozilla-Enigmail.org Sun Feb 1 21:35:51 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 01 Feb 2009 14:35:51 -0600
Subject: gpg.exe Vista Crash
In-Reply-To: <87zlh686i4.fsf@wheatstone.g10code.de>
References: <498310C4.8020805@gmail.com> <810345752.20090130191518@gswot.org> <49834CC2.3050300@Mozilla-Enigmail.org> <87zlh686i4.fsf@wheatstone.g10code.de>
Message-ID: <498607A7.3050304@Mozilla-Enigmail.org>

Werner Koch wrote:
> On Fri, 30 Jan 2009 19:53, John at Mozilla-Enigmail.org said:
>
>> The patch that allows execution on Vista was committed about a week after
>> 1.4.7's release and first appears in 1.4.8.
>
> I was not really aware of that problem.

See ChangeLog entries for 446[12]

> Given that Gpg4win 2.0 is still not in a state to replace 1.1.3 it might be
> useful to spend some time on getting 1.1.4 out.

very useful, IMO. This is the single most common issue with Vista and GPG4win 1.1.3 users.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From p4.thomas at googlemail.com Mon Feb 2 01:58:51 2009
From: p4.thomas at googlemail.com (Peter Thomas)
Date: Mon, 2 Feb 2009 01:58:51 +0100
Subject: Series of minor questions about OpenPGP 3
In-Reply-To: <9ef756150901271344y61c5124cn71d0d69bdd5c34c@mail.gmail.com>
References: <9ef756150901270446t3808fbb6k51ae6112da252d74@mail.gmail.com> <9ef756150901271344y61c5124cn71d0d69bdd5c34c@mail.gmail.com>
Message-ID: <9ef756150902011658udd079e6td0411cb4c68c13db@mail.gmail.com>

Hi list.

On Tue, Jan 27, 2009 at 10:44 PM, Peter Thomas wrote:
> On Tue, Jan 27, 2009 at 4:48 PM, David Shaw wrote:
>> The RFC is really a file format document more so than a "how to use trust"
>> document. Every now and then it is suggested that a trust document or
>> something like an OpenPGP best practices document should be written, but
>> nobody has taken up the suggestion yet. So the RFC that we have (4880) does
>> not specify or deny this behavior: it simply lists the signature types for
>> reference. So all that said, I don't know if any other products ignore 0x11
>> signatures.
> Ok,.. so this means basically that I, as an end user, must expect that
> some (stupid) implementation may take my 0x11 and fully trusts it,
> right?

Was this assumption correct?

> And which one did you mean with the second?

Ah. I've probably found this one out myself. The embedded back-signatures are inside the un-hashed area. What was the reason for this? Simply because it's not necessary as the back-signature secures itself?

> Ok so I assume the Issuer (16) subpacket is a hint that tells which
> public key should be used for verification, and the 16 bits are the 16
> leftmost bits.
> So to speed up things, an implementation uses the public key from the
> Issuer subpacket for calculations, makes a first check after the 16
> bits of the signature hash, and only if these are equal, checks the
> remaining ones.
> Is this correct?

Same as above,... were these assumptions correct?

Thanks,
Peter

From p4.thomas at googlemail.com Mon Feb 2 02:28:09 2009
From: p4.thomas at googlemail.com (Peter Thomas)
Date: Mon, 2 Feb 2009 02:28:09 +0100
Subject: Series of minor questions about OpenPGP 1
In-Reply-To: <9DA411F8-1CBB-4F6C-A668-6599B07FE609@jabberwocky.com>
References: <9ef756150901260602g2ca87672kdd1fa2affdd4b1@mail.gmail.com> <9ef756150901260822j4cbb1fefv960e09aa08ae31f0@mail.gmail.com> <20090126164004.GB27006@jabberwocky.com> <9ef756150901270415t5efb356ag995d7fb5768df1c6@mail.gmail.com> <9ef756150901280305p7b41e52dq97683339e51c7e6@mail.gmail.com> <9DA411F8-1CBB-4F6C-A668-6599B07FE609@jabberwocky.com>
Message-ID: <9ef756150902011728i7a3156adr95bb7b75ccc4d9bc@mail.gmail.com>

One really last addition on this (promised :-) ):
I tried to mix up keys with new and old packet header types.
Is it desired that gnupg simply converts them back to old packet headers (if possible) without any notice to the user?

What will keyservers do when someone uploads a key with e.g. old packet headers,... that's already there, but just with new packet headers?

Cheers,
Peter

From John at Mozilla-Enigmail.org Mon Feb 2 02:43:19 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 01 Feb 2009 19:43:19 -0600
Subject: Series of minor questions about OpenPGP 1
In-Reply-To: <9ef756150902011728i7a3156adr95bb7b75ccc4d9bc@mail.gmail.com>
References: <9ef756150901260602g2ca87672kdd1fa2affdd4b1@mail.gmail.com> <9ef756150901260822j4cbb1fefv960e09aa08ae31f0@mail.gmail.com> <20090126164004.GB27006@jabberwocky.com> <9ef756150901270415t5efb356ag995d7fb5768df1c6@mail.gmail.com> <9ef756150901280305p7b41e52dq97683339e51c7e6@mail.gmail.com> <9DA411F8-1CBB-4F6C-A668-6599B07FE609@jabberwocky.com> <9ef756150902011728i7a3156adr95bb7b75ccc4d9bc@mail.gmail.com>
Message-ID: <49864FB7.2080406@Mozilla-Enigmail.org>

Peter Thomas wrote:
> One really last addition on this (promised :-) ):
> I tried to mix up keys with new and old packet header types.
> Is it desired that gnupg simply converts them back to old packet
> headers (if possible) without any notice to the user?
>
> What will keyservers do when someone uploads a key with e.g. old
> packet headers,... that's already there, but just with new packet
> headers?

I imagine that would depend on the individual keyserver code and how the author(s) read the RFC at the time the code was created.

The code is available. Help yourself.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP
Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From dshaw at jabberwocky.com Mon Feb 2 03:43:37 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 1 Feb 2009 21:43:37 -0500
Subject: Series of minor questions about OpenPGP 1
In-Reply-To: <9ef756150902011728i7a3156adr95bb7b75ccc4d9bc@mail.gmail.com>
References: <9ef756150901260602g2ca87672kdd1fa2affdd4b1@mail.gmail.com> <9ef756150901260822j4cbb1fefv960e09aa08ae31f0@mail.gmail.com> <20090126164004.GB27006@jabberwocky.com> <9ef756150901270415t5efb356ag995d7fb5768df1c6@mail.gmail.com> <9ef756150901280305p7b41e52dq97683339e51c7e6@mail.gmail.com> <9DA411F8-1CBB-4F6C-A668-6599B07FE609@jabberwocky.com> <9ef756150902011728i7a3156adr95bb7b75ccc4d9bc@mail.gmail.com>
Message-ID: <06EFF26B-CE6C-4A1D-9F2C-236403D7042D@jabberwocky.com>

On Feb 1, 2009, at 8:28 PM, Peter Thomas wrote:

> One really last addition on this (promised :-) ):
> I tried to mix up keys with new and old packet header types.
> Is it desired that gnupg simply converts them back to old packet
> headers (if possible) without any notice to the user?

The packet header for any packet number less than 16 is utterly irrelevant in every possible way. GnuPG can change it to the new format, the old format, or even mix the two in a pretty pattern. And without notifying the user. Again, the packet header for any packet number less than 16 is utterly irrelevant in every possible way

> What will keyservers do when someone uploads a key with e.g. old
> packet headers,... that's already there, but just with new packet
> headers?

The packet header for any packet number less than 16 is utterly irrelevant in every possible way. Keyservers can change it to the new format, the old format, or even mix the two in a pretty pattern. And without notifying the user.
Again, the packet header for any packet number less than 16 is utterly irrelevant in every possible way

David

From wk at gnupg.org Mon Feb 2 09:38:02 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Feb 2009 09:38:02 +0100
Subject: Series of minor questions about OpenPGP 2
In-Reply-To: <9ef756150901290822g2e662385jf8fda40a90bbb83b@mail.gmail.com> (Peter Thomas's message of "Thu, 29 Jan 2009 17:22:01 +0100")
References: <9ef756150901261354q17d60f44lbf5dd6ff87a6f8b@mail.gmail.com> <20090126222815.GA27590@jabberwocky.com> <9ef756150901261520v4a745bc6n6144417a96581421@mail.gmail.com> <60E7E188-FB53-4F27-9E4E-83536476E2AB@jabberwocky.com> <9ef756150901290822g2e662385jf8fda40a90bbb83b@mail.gmail.com>
Message-ID: <87tz7d8c9h.fsf@wheatstone.g10code.de>

Hi,

please move future message threads to the gnupg-devel@ list. Longer technical discussions on gnupg-users@ are not appropriate.

Thanks,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Mon Feb 2 09:43:16 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Feb 2009 09:43:16 +0100
Subject: Format of colon listings for list-sigs?
In-Reply-To: <4982B825.5000500@upf.edu> (Ramon Loureiro's message of "Fri, 30 Jan 2009 09:19:49 +0100")
References: <4982B825.5000500@upf.edu>
Message-ID: <87pri18c0r.fsf@wheatstone.g10code.de>

On Fri, 30 Jan 2009 09:19, ramon.loureiro at upf.edu said:

> but where is the info for --list-sigs ?

It is also in DETAILS.

Please consider to use gpgme as that library makes it much easier to access the output of gpg. For example there is a documented structure for key signatures (see below) and you can retrieve all information by walking a linked list. Example code can be found in the regression test suite.

Salam-Shalom,

Werner

/* A signature on a user ID. */
struct _gpgme_key_sig
{
  struct _gpgme_key_sig *next;

  /* True if the signature is a revocation signature. */
  unsigned int revoked : 1;

  /* True if the signature is expired. */
  unsigned int expired : 1;

  /* True if the signature is invalid. */
  unsigned int invalid : 1;

  /* True if the signature should be exported. */
  unsigned int exportable : 1;

  /* The public key algorithm used to create the signature. */
  gpgme_pubkey_algo_t pubkey_algo;

  /* The key ID of key used to create the signature. */
  char *keyid;

  /* The creation timestamp, -1 if invalid, 0 if not available. */
  long int timestamp;

  /* The expiration timestamp, 0 if the subkey does not expire. */
  long int expires;

  /* Same as in gpgme_signature_t. */
  gpgme_error_t status;

  /* The user ID string. */
  char *uid;

  /* The name part of the user ID. */
  char *name;

  /* The email part of the user ID. */
  char *email;

  /* The comment part of the user ID. */
  char *comment;

  /* Crypto backend specific signature class. */
  unsigned int sig_class;

  /* Notation data and policy URLs. */
  gpgme_sig_notation_t notations;
};
typedef struct _gpgme_key_sig *gpgme_key_sig_t;

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From wk at gnupg.org Mon Feb 2 09:49:38 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 02 Feb 2009 09:49:38 +0100
Subject: app_readcert failed (smartcard)
In-Reply-To: <498370C6.3020202@rosenauer.org> (Wolfgang Rosenauer's message of "Fri, 30 Jan 2009 22:27:34 +0100")
References: <498370C6.3020202@rosenauer.org>
Message-ID: <87ljsp8bq5.fsf@wheatstone.g10code.de>

On Fri, 30 Jan 2009 22:27, wolfgang at rosenauer.org said:

> scdaemon[18495.0] DBG: <- READCERT OPENPGP.1
> 2009-01-30 22:24:17 scdaemon[18495] app_readcert failed: Nicht
> unterstützte Verarbeitungsaufgabe
> scdaemon[18495.0] DBG: -> ERR 100663420 Nicht unterstützte
> Verarbeitungsaufgabe

There is no certificate stored on the card and gpg should ignore the error code. I don't know why this does not happen. BTW, you should update to 2.0.10 for your tests.

> Another question is about the status of ctapi support. I failed to set
> it up and read that it's deprecated. But my online banking software is

I don't have any ctapi reader anymore, or well I did not test them in years. It is very likely that the ctapi interface does not work anymore. It is obsolete and will eventually be removed.

> also using ctapi so I think having gnupg using pcsc-lite and the

ctapi is not a standard and really really old. There is no need for it and we can't support it.

Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.

From email at sven-radde.de Mon Feb 2 10:45:16 2009
From: email at sven-radde.de (Sven Radde)
Date: Mon, 02 Feb 2009 10:45:16 +0100
Subject: Notations / PKA
Message-ID: <4986C0AC.2040002@sven-radde.de>

Hi GnuPG-Users!

Is there anywhere a list of notations that do currently have any kind of "canonical" meaning (or, rather, are interpreted by GnuPG and/or popular MUAs in any way)?

I found out about "pka-adress at gnupg.org=..." and a quite old notation that tells the commercial PGP about PGP/MIME capabilities but that seems to be it.

PKA seems to be an interesting feature btw. Is it widely used?

cu, Sven

From dshaw at jabberwocky.com Mon Feb 2 15:49:44 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 2 Feb 2009 09:49:44 -0500
Subject: Notations / PKA
In-Reply-To: <4986C0AC.2040002@sven-radde.de>
References: <4986C0AC.2040002@sven-radde.de>
Message-ID: <55887820-164B-4BB4-830A-B33EBDE95F4E@jabberwocky.com>

On Feb 2, 2009, at 4:45 AM, Sven Radde wrote:

> Hi GnuPG-Users!
>
> Is there anywhere a list of notations that do currently have any kind of
> "canonical" meaning (or, rather, are interpreted by GnuPG and/or popular
> MUAs in any way)?
>
> I found out about "pka-adress at gnupg.org=..." and a quite old notation
> that tells the commercial PGP about PGP/MIME capabilities but that seems
> to be it.

Those are the only two real ones that I know of. GPG interprets pka-address, of course, but it merely "knows about" preferred-email-encoding at pgp.com (i.e.
GPG accepts it, but it is up to the MUA to act on it).

PKA information:
http://lists.gnupg.org/pipermail/gnupg-devel/2005-August/022254.html

preferred-email-encoding information:
http://www.imc.org/ietf-openpgp/mail-archive/msg08704.html

In the "non-real" category, I've seen "comment" used, but that is an illegal notation name (it lacks the @ and domain, and is not registered with the IETF).

> PKA seems to be an interesting feature btw. Is it widely used?

That, I couldn't say. It's been my experience that things involving DNS and OpenPGP have not had particularly good adoption: not that many people have access to their own DNS, and that acts as a barrier on top of all the other usual OpenPGP barriers.

David

From wolfgang at rosenauer.org Mon Feb 2 16:33:19 2009
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Mon, 02 Feb 2009 16:33:19 +0100
Subject: app_readcert failed (smartcard)
In-Reply-To: <87ljsp8bq5.fsf@wheatstone.g10code.de>
References: <498370C6.3020202@rosenauer.org> <87ljsp8bq5.fsf@wheatstone.g10code.de>
Message-ID: <4987123F.4030805@rosenauer.org>

Werner Koch wrote:
> On Fri, 30 Jan 2009 22:27, wolfgang at rosenauer.org said:
>
>> scdaemon[18495.0] DBG: <- READCERT OPENPGP.1
>> 2009-01-30 22:24:17 scdaemon[18495] app_readcert failed: Nicht
>> unterstützte Verarbeitungsaufgabe
>> scdaemon[18495.0] DBG: -> ERR 100663420 Nicht unterstützte
>> Verarbeitungsaufgabe
>
> There is no certificate stored on the card and gpg should ignore the
> error code. I don't know why this does not happen. BTW, you should
> update to 2.0.10 for your tests.

Upgrading to 2.0.10 actually fixed this issue.

Thanks,
Wolfgang

From belstsrv at gmail.com Mon Feb 2 16:53:40 2009
From: belstsrv at gmail.com (Brian)
Date: Mon, 02 Feb 2009 10:53:40 -0500
Subject: gpg.exe Vista Crash
In-Reply-To: <49856F2A.5050405@Mozilla-Enigmail.org>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com> <49856F2A.5050405@Mozilla-Enigmail.org>
Message-ID: <49871704.4080606@gmail.com>

John Clizbe wrote:
> Brian wrote:
>> I downloaded 1.4.9 and installed it. I then grabbed WinPT and when
>> launching WinPT, I get repeated gpg.exe crashes, like I did before.
>>
>> I also downloaded GnuPT and installed that, which comes with 1.4.9 and
>> running that also causes gpg.exe crashes.
>>
>> I then took all of the EXEs from w32cli install and copied them over to
>> the GnuPT folder and had the same result.
>>
>> I am really at a loss as to how to get a GUI interface to work with GnuPG.
>>
>> What should I try next?
>
> Please QUIT installing add-ons until the program is working. You won't fix it by
> throwing more code at the problem.
>
> It sounds like your system is still finding the GPG4win binaries first.
> You may verify that by opening a command window (Start->Run-> cmd.exe click OK)
> then enter the command
>
> gpg --version
>
> The first line of output should either specify 1.4.7 if the GPG4win code is
> found first, 1.4.9 otherwise. If it's 1.4.7, enter the command
>
> path
>
> That will display the value of the PATH environment variable.
> C:\Program Files\Gnu\GnuPG\pub will likely occur before
> C:\Program Files\Gnu\GnuPG. That's what is causing your problem.
>
> To fix it, you may either edit the PATH value (Control Panel -> System ->
> Advanced -> Environment Variables)
>
> Perhaps the easiest would be to run both the GnuPG for Windows (GPG4Win) and
> GnuPG uninstallers. Then delete any files remaining in
> C:\Program Files\Gnu\GnuPG. Re-run the gnupg-w32cli-1.4.9.exe installer.
>
> Open a fresh command window and give the command 'gpg --version' again. It
> should report 1.4.9 as the version.
>
> I see you are using Thunderbird. Are you also wishing to use Enigmail for email
> OpenPGP use? If so, set it up now and get it working next. If you already have
> keys, you do not need to generate a new key pair unless you just want to.
> http://enigmail.mozdev.org/home/index.php
>
> Quick Start Guide: http://enigmail.mozdev.org/documentation/quickstart.php
>
> If you wish a separate GUI similar to PGP's most PGP users I know who have moved
> to GnuPG prefer GPGshell. Download and unzip the installer from
> http://www.jumaros.de/rsoft/index.html. I like to install GPGshell as a
> subdirectory under GnuPG (C:\Program Files\Gnu\GnuPG\GPGshell)
>

Thanks John, and everyone else for their assistance.

I removed everything and executed the gpg --version command and it reports:

gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.

I did the path command, and it reports:

C:\Program Files\GNU\GnuPG as the only PGP related entry.

My main use for GnuPG is really key storage and creation for some other processes/projects I have. Not really using it for Thunderbird or any other email, yet.

I am really confounded by this issue. I have disabled UAC in Vista as well. It has been disabled this entire time.

I've now removed everything and am going to try to reinstall just the w32cli. What could I try and do that might simulate the issues I am seeing when using a GUI frontend (without installing the frontend)? I want to just use the command line a little to see if that works.

Thanks again!
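
The PATH-order check that John Clizbe describes in the message quoted above, written out as an added example (it is not code from anyone in this thread). The directory names and the 1.4.7/1.4.9 versions come from that message; the sample PATH, the fake file table and all function names are constructed for illustration.

```python
"""Show which gpg.exe a Windows PATH resolves first, and what it shadows."""
import ntpath
import os
import re
import subprocess

# First line of `gpg --version`, e.g. "gpg (GnuPG) 1.4.9".
VERSION_RE = re.compile(r"^gpg \(GnuPG\) (\S+)")


def candidates(path_value, exe="gpg.exe", is_file=os.path.isfile):
    """Return every <dir>\\<exe> that exists, in PATH search order.

    cmd.exe also looks in the current directory before PATH; that step
    is not modelled here.
    """
    seen, hits = set(), []
    for entry in path_value.split(";"):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        # Windows paths are case-insensitive; count each directory once.
        key = ntpath.normcase(ntpath.normpath(entry))
        if key in seen:
            continue
        seen.add(key)
        full = ntpath.join(entry, exe)
        if is_file(full):
            hits.append(full)
    return hits


def parse_version(output):
    """Extract the version number from `gpg --version` output."""
    lines = output.splitlines()
    match = VERSION_RE.match(lines[0].strip()) if lines else None
    return match.group(1) if match else None


def probe_version(exe_path):
    """Run one specific binary by full path and read its version."""
    try:
        proc = subprocess.run([exe_path, "--version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(proc.stdout)


def report(path_value, expected, is_file=os.path.isfile,
           get_version=probe_version):
    """Summarise which binary wins and which installs are never reached."""
    rows = [(p, get_version(p))
            for p in candidates(path_value, is_file=is_file)]
    return {
        "active": rows[0] if rows else None,   # what typing `gpg` runs
        "shadowed": rows[1:],                  # installed but never reached
        "ok": bool(rows) and rows[0][1] == expected,
    }


# --- Constructed sample: the situation described in the quoted message ---
SAMPLE_PATH = ";".join([
    r"C:\Windows\system32",
    r"C:\Program Files\Gnu\GnuPG\pub",
    r"C:\Program Files\Gnu\GnuPG",
    r"c:\program files\gnu\gnupg",      # duplicate entry, different case
])
SAMPLE_FILES = {
    ntpath.normcase(r"C:\Program Files\Gnu\GnuPG\pub\gpg.exe"):
        "gpg (GnuPG) 1.4.7",
    ntpath.normcase(r"C:\Program Files\Gnu\GnuPG\gpg.exe"):
        "gpg (GnuPG) 1.4.9",
}


def sample_report(path_value=SAMPLE_PATH):
    """Run report() against the constructed file table instead of the disk."""
    return report(
        path_value, expected="1.4.9",
        is_file=lambda p: ntpath.normcase(p) in SAMPLE_FILES,
        get_version=lambda p: parse_version(SAMPLE_FILES[ntpath.normcase(p)]),
    )


if __name__ == "__main__":
    # On a real Windows machine this inspects the live PATH.
    result = report(os.environ.get("PATH", ""), expected="1.4.9")
    print("active:  ", result["active"])
    for path, version in result["shadowed"]:
        print("shadowed:", path, version)
    print("OK" if result["ok"] else "PATH order or version needs fixing")
```
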
From belstsrv at gmail.com Mon Feb 2 17:44:03 2009 From: belstsrv at gmail.com (Brian) Date: Mon, 02 Feb 2009 11:44:03 -0500 Subject: gpg.exe Vista Crash In-Reply-To: <49856F2A.5050405@Mozilla-Enigmail.org> References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com> <49856F2A.5050405@Mozilla-Enigmail.org> Message-ID: <498722D3.9060203@gmail.com> John Clizbe wrote: > Brian wrote: >> I downloaded 1.4.9 and installed it. I then grabbed WinPT and when >> launching WinPT, I get repeated gpg.exe crashes, like I did before. >> >> I also downloaded GnuPT and installed that, which comes with 1.4.9 and >> running that also causes gpg.exe crashes. >> >> I then took all of the EXEs from w32cli install and copied them over to >> the GnuPT folder and had the same result. >> >> I am really at a loss as to how to get a GUI interface to work with GnuPG. >> >> What should I try next? > > Please QUIT installing add-ons until the program is working. You won't fix it by > throwing more code at the problem. > > It sounds like your system is still finding the GPG4win binaries first. > You may verify that by opening a command window (Start->Run-> cmd.exe click OK) > then enter the command > > gpg --version > > The first line of output should either specify 1.4.7 if the GPG4win code is > found first, 1.4.9 otherwise. If it's 1.4.7, enter the command > > path > > That will display the value of the PATH environment variable. > C:\Program Files\Gnu\GnuPG\pub will likely occur before > C:\Program Files\Gnu\GnuPG. That's what is causing your problem. > > To fix it, you may either edit the PATH value (Control Panel -> System -> > Advanced -> Environment Variables) > > Perhaps the easiest would be to run both the GnuPG for Windows (GPG4Win) and > GnuPG uninstallers. Then delete any files remaining in > C:\Program Files\Gnu\GnuPG. Re-run the gnupg-w32cli-1.4.9.exe installer. > > Open a fresh command window and give the command 'gpg --version' again. 
> It should report 1.4.9 as the version.
>
> I see you are using Thunderbird. Are you also wishing to use Enigmail for email
> OpenPGP use? If so, set it up now and get it working next. If you already have
> keys, you do not need to generate a new key pair unless you just want to.
> http://enigmail.mozdev.org/home/index.php
>
> Quick Start Guide: http://enigmail.mozdev.org/documentation/quickstart.php
>
> If you wish a separate GUI similar to PGP's, most PGP users I know who have moved
> to GnuPG prefer GPGshell. Download and unzip the installer from
> http://www.jumaros.de/rsoft/index.html. I like to install GPGshell as a
> subdirectory under GnuPG (C:\Program Files\Gnu\GnuPG\GPGshell)
>

I removed everything and rebooted. Then went and installed just the command line component. The version shows as 1.4.9 and the path variable is correct.

I tried this command:
gpg -K

gpg.exe crashed and the command line window gave this info:
gpg: checking the trustdb
Assertion failed: keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file keyring.c, line 1387

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Hopefully this will help troubleshoot this a little. If there is anything I can do to debug or produce a log file, just let me know.

Thanks again.

From skl99999 at gmx.net Mon Feb 2 18:25:38 2009
From: skl99999 at gmx.net (skl99999 at gmx.net)
Date: Mon, 02 Feb 2009 18:25:38 +0100
Subject: Detached Signature / Timestapm
Message-ID: <20090202172538.112690@gmx.net>

Hello,

is there a possibility to have gpg2 make a detached cleartext signature? I only seem to be able to have it do either the one or the other.

And the more complex follow on question for all the crypto experts out there: the reason why I want to do that is because I would like to timestamp some files, eg using www.itconsult.co.uk/stamper.htm.
Now my thought was that I do not really send the file itself (which might be rather big) but that I could sign the file and then timestamp the signature. Would this be enough (1), and would it matter if the password of my signature key would become compromised (2)? My guess is (1) yes, (2) no because I am really only making use of the hashing algorithm, and indeed I also could simply timestamp a hash (is this true?).

The reason that I want to have a timestamped detached cleartext signature is that I believe that this is a bit more stable than a timestamped detached signature of a binary - views on this?

Thanks
-skl

From dshaw at jabberwocky.com Mon Feb 2 19:54:15 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 2 Feb 2009 13:54:15 -0500
Subject: Detached Signature / Timestapm
In-Reply-To: <20090202172538.112690@gmx.net>
References: <20090202172538.112690@gmx.net>
Message-ID: <20090202185415.GA31701@jabberwocky.com>

On Mon, Feb 02, 2009 at 06:25:38PM +0100, skl99999 at gmx.net wrote:
> Hello,
>
> is there a possibility to have gpg2 make a detached cleartext
> signature? I only seem to be able to have it do either the one or
> the other.

What do you mean by a detached cleartext signature? A detached signature that is ascii armored? If so, then:

  --armor --detach-sign

> And the more complex follow on question for all the crypto experts
> out there: the reason why I want to do that is because I would like
> to timestamp some files, eg using
> www.itconsult.co.uk/stamper.htm. Now my thought was that I do not
> really send the file itself (which might be rather big) but that I
> could sign the file and then timestamp the signature. Would this be
> enough (1), and would it matter if the password of my signature key
> would become compromised (2)? My guess is (1) yes, (2) no because I
> am really only making use of the hashing algorithm, and indeed I
> also could simply timestamp a hash (is this true?).

1) It depends on what you plan on doing with the signatures. If you're just trying to show a timestamp for the document creation, then yes, it's fine.

2) Again, assuming you're trying to show a timestamp, then no, it does not matter. The relevant timestamp is that imposed by the stamper service, not the one imposed by your key. Thus your key can be compromised without affecting the timestamps.

> The reason that I want to have a timestamped detached cleartext
> signature is that I believe that this is a bit more stable than a
> timestamped detached signature of a binary - views on this?

Armored signatures are not any more stable than binary signatures. The data is identical. Only the file format is different.

If you're just doing timestamping, note that you can also just hash the document and send that hash to the stamper service (i.e. your personal signature doesn't add much to the equation):

  gpg --print-md sha256 (thedocument) | mail the-stamper-service

David

From sattva at pgpru.com Mon Feb 2 19:30:30 2009
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Tue, 03 Feb 2009 00:30:30 +0600
Subject: Detached Signature / Timestapm
In-Reply-To: <20090202172538.112690@gmx.net>
References: <20090202172538.112690@gmx.net>
Message-ID: <49873BC6.9070606@pgpru.com>

skl99999 at gmx.net (02.02.2009 23:25):
> Hello,
>
> is there a possibility to have gpg2 make a detached cleartext
> signature? I only seem to be able to have it do either the one or the
> other.

gpg --armor --detach-sign --sign

> And the more complex follow on question for all the crypto experts
> out there: the reason why I want to do that is because I would like
> to timestamp some files, eg using www.itconsult.co.uk/stamper.htm.

I wouldn't consider Stamper's keys as secure. They date back to 1995, they are v3 keys, they are not even self-signed so it's not so easy to even import them on the keyring.
Try using something like this: http://timemarker.org/en/

> Now my thought was that I do not really send the file itself (which
> might be rather big) but that I could sign the file and then
> timestamp the signature. Would this be enough (1), and would it
> matter if the password of my signature key would become compromised
> (2)? My guess is (1) yes, (2) no because I am really only making use
> of the hashing algorithm, and indeed I also could simply timestamp a
> hash (is this true?).

Using a hash value from a secure hash algorithm will suffice. Keep in mind that you should timestamp not a hash value alone, but a hash value along with the name of the hashing algorithm, e.g. SHA256:1234ABCD0987...

> The reason that I want to have a timestamped detached cleartext
> signature is that I believe that this is a bit more stable than a
> timestamped detached signature of a binary - views on this?

What do you mean by stable?

-- 
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

From paramouse at nc.rr.com Mon Feb 2 21:20:17 2009
From: paramouse at nc.rr.com (paramouse)
Date: Mon, 02 Feb 2009 15:20:17 -0500
Subject: gpg.exe Vista Crash
In-Reply-To: <498722D3.9060203@gmail.com>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com> <49856F2A.5050405@Mozilla-Enigmail.org> <498722D3.9060203@gmail.com>
Message-ID: <49875581.7060500@nc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Brian wrote:
> I removed everything and rebooted. Then went and installed just the
> command line component. The version shows as 1.4.9 and the path
> variable is correct.
>
> I tried this command:
> gpg -K
>
> gpg.exe crashed and the command line window gave this info:
> gpg: checking the trustdb
> Assertion failed: keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file
> keyring.c, line
> 1387

Just a thought, but is something wrong with your trustdb.gpg, secring.gpg or pubring.gpg files?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEAREKAAYFAkmHVYEACgkQUw0FZ6oFC79GEACgkNDzuo7hKjZ5Y52wvF8VP7ck
5JUAn1cKYJuMJ+YJepGKtAMGxQLm70Ei
=30jE
-----END PGP SIGNATURE-----

From John at Mozilla-Enigmail.org Mon Feb 2 23:08:34 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 02 Feb 2009 16:08:34 -0600
Subject: gpg.exe Vista Crash
In-Reply-To: <498722D3.9060203@gmail.com>
References: <498310C4.8020805@gmail.com> <49834A7F.60407@Mozilla-Enigmail.org> <4984D2D0.3010903@gmail.com> <49856F2A.5050405@Mozilla-Enigmail.org> <498722D3.9060203@gmail.com>
Message-ID: <49876EE2.301@Mozilla-Enigmail.org>

Brian wrote:
> I tried this command:
> gpg -K
>
> gpg.exe crashed and the command line window gave this info:
> gpg: checking the trustdb
> Assertion failed: keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file
> keyring.c, line
> 1387
>
> This application has requested the Runtime to terminate it in an unusual
> way.
> Please contact the application's support team for more information.
>
>
> Hopefully this will help troubleshoot this a little. If there is
> anything I can do to debug or produce a log file, just let me know.

How did you move your keys? Did you export/import or copy the three keyring files (pubring.gpg, secring.gpg, trustdb.gpg) along with any gpg.conf?

If copied, did you copy them to the correct location?

On Windows 2000/XP, the default Home directory is
C:\Documents and Settings\\Application Data\GnuPG

On Vista, it is
C:\Users\\AppData\Roaming\GnuPG

Do other keyring commands work? gpg --list-keys or gpg --check-trustdb

-- 
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From yochanon at localnet.com Tue Feb 3 07:36:49 2009
From: yochanon at localnet.com (John B)
Date: Tue, 3 Feb 2009 00:36:49 -0600
Subject: Keyserver question...again
Message-ID: <200902030036.49581.yochanon@localnet.com>

Hiya gang,

Sorry for being redundant, but what are some good keyservers to use? The ones that are on a stock Kgpg setup don't seem to work too well.

Thanks

-- 
As the Founding Fathers knew well, a government that does not trust its honest, law-abiding, taxpaying citizens with the means of self-defense, is not itself worthy of trust.

From ramon.loureiro at upf.edu Tue Feb 3 10:20:28 2009
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Tue, 03 Feb 2009 10:20:28 +0100
Subject: Format of colon listings for list-sigs?
In-Reply-To: <87pri18c0r.fsf@wheatstone.g10code.de>
References: <4982B825.5000500@upf.edu> <87pri18c0r.fsf@wheatstone.g10code.de>
Message-ID: <49880C5C.1040206@upf.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
> On Fri, 30 Jan 2009 09:19, ramon.loureiro at upf.edu said:
>> but where is the info for --list-sigs ?
>
> It is also in DETAILS.
>
> Please consider to use gpgme as that library makes it much easier
> to access the output of gpg.

Thanks Werner (and Robert) for your response and information

I'm building an application that needs to extract UIDs and SIGs from the keys. At the beginning, it was for my own usage, but now I'm thinking that maybe it is useful for the community...
Since I still don't know where to host it (maybe I won't have permissions to install everything needed) I think that the parsing solution of the colon-format is the only solution I can find...

Cheers!

- -- 
Ramon Loureiro

From John at Mozilla-Enigmail.org Tue Feb 3 10:23:49 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 03 Feb 2009 03:23:49 -0600
Subject: Keyserver question...again
In-Reply-To: <200902030036.49581.yochanon@localnet.com>
References: <200902030036.49581.yochanon@localnet.com>
Message-ID: <49880D25.4040906@Mozilla-Enigmail.org>

John B wrote:
> Sorry for being redundant, but what are some good keyservers to use? The
> ones that are on a stock Kgpg setup don't seem to work too well.

pool.sks-keyservers.net

pool.sks-keyservers.net is a DNS round-robin consisting of a random selection of 20 servers from a pool of well-connected and synchronized servers (presently about 50 total). It is updated twice daily. Details are at http://sks-keyservers.net/status/

-- 
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From wk at gnupg.org Tue Feb 3 10:27:57 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Feb 2009 10:27:57 +0100
Subject: Keyserver question...again
In-Reply-To: <200902030036.49581.yochanon@localnet.com> (John B.'s message of "Tue, 3 Feb 2009 00:36:49 -0600")
References: <200902030036.49581.yochanon@localnet.com>
Message-ID: <87k587yin6.fsf@wheatstone.g10code.de>

On Tue, 3 Feb 2009 07:36, yochanon at localnet.com said:

> Sorry for being redundant, but what are some good keyservers to use? The
> ones that are on a stock Kgpg setup don't seem to work too well.

  hkp://keys.gnupg.net

or if you need to use http:

  http://http-keys.gnupg.net

There is a simple statistics page for these keyserver pools at http://keystats.gnupg.net .

While talking about that: If you know other reliable servers to put it, please let me know. Also let me know if one of these servers is down for too long in case I missed it (I know about 86.59.21.34).

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From alex at amiryan.org Tue Feb 3 10:40:54 2009
From: alex at amiryan.org (Alex Amiryan)
Date: Tue, 03 Feb 2009 13:40:54 +0400
Subject: Keyserver question...again
In-Reply-To: <200902030036.49581.yochanon@localnet.com>
References: <200902030036.49581.yochanon@localnet.com>
Message-ID: <49881126.5020009@amiryan.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The most popular ones are:
hkp://pgp.mit.edu
hkp://subkeys.pgp.net

My favorite one is http://keyserver.pgp.com (ldap://keyserver.pgp.com for KGpg). It also requires you to confirm your email address.

John B wrote:
> Hiya gang,
>
> Sorry for being redundant, but what are some good keyservers to use? The
> ones that are on a stock Kgpg setup don't seem to work too well.
>
> Thanks
>

- -- 
Alex Amiryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFJiBEm1KOfm1RDUTERAmTHAJ4uWpc4Z/IjgjL8JiFKBiR5IaetxwCcD8j6
Caujwdc3HD64REXXzz3PqUQ=
=kc9w
-----END PGP SIGNATURE-----

From wk at gnupg.org Tue Feb 3 11:48:55 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 03 Feb 2009 11:48:55 +0100
Subject: Keyserver question...again
In-Reply-To: <49881126.5020009@amiryan.org> (Alex Amiryan's message of "Tue, 03 Feb 2009 13:40:54 +0400")
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org>
Message-ID: <873aevyew8.fsf@wheatstone.g10code.de>

On Tue, 3 Feb 2009 10:40, alex at amiryan.org said:

> The most popular ones are:
> hkp://pgp.mit.edu

Do not use this server because it runs way too old software!

> hkp://subkeys.pgp.net

If you can't avoid it, it is okay; the servers in this pool at least don't mangle your keys.

> My favorite one is http://keyserver.pgp.com (ldap://keyserver.pgp.com

This keyserver is not synchronized with the other servers.

Shalom-Salam,

Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

From christoph.anton.mitterer at physik.uni-muenchen.de Tue Feb 3 12:04:21 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Tue, 03 Feb 2009 12:04:21 +0100
Subject: Keyserver question...again
In-Reply-To: <873aevyew8.fsf@wheatstone.g10code.de>
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org> <873aevyew8.fsf@wheatstone.g10code.de>
Message-ID: <1233659061.4224.41.camel@fermat.scientia.net>

On Tue, 2009-02-03 at 11:48 +0100, Werner Koch wrote:
> > hkp://pgp.mit.edu
>
> Do not use this server because it runs way too old software!

Has ever anyone tried to convince the Athena guys at MIT, to switch their server?
Unfortunately it's still very well-known...

-- 
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München

christoph.anton.mitterer at physik.uni-muenchen.de
mail at christoph.anton.mitterer.name

From alex at amiryan.org Tue Feb 3 13:07:32 2009
From: alex at amiryan.org (Alex Amiryan)
Date: Tue, 03 Feb 2009 16:07:32 +0400
Subject: Keyserver question...again
In-Reply-To: <873aevyew8.fsf@wheatstone.g10code.de>
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org> <873aevyew8.fsf@wheatstone.g10code.de>
Message-ID: <49883384.8020803@amiryan.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
> On Tue, 3 Feb 2009 10:40, alex at amiryan.org said:
>> The most popular ones are:
>> hkp://pgp.mit.edu
>
> Do not use this server because it runs way too old software!

What disadvantage does this have? What kind of features is it not supporting?

- -- 
Alex Amiryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFJiDOE1KOfm1RDUTERAsrGAKDSbKhHoW8s6ekcYE7Q4lDnzf8/HQCgulgj
wvZmFtHVa/QXqH+3rbp0ofc=
=L4/r
-----END PGP SIGNATURE-----

From John at Mozilla-Enigmail.org Tue Feb 3 13:55:45 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 03 Feb 2009 06:55:45 -0600
Subject: Keyserver question...again
In-Reply-To: <49883384.8020803@amiryan.org>
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org> <873aevyew8.fsf@wheatstone.g10code.de> <49883384.8020803@amiryan.org>
Message-ID: <49883ED1.5080301@Mozilla-Enigmail.org>

Alex Amiryan wrote:
> Werner Koch wrote:
>> On Tue, 3 Feb 2009 10:40, alex at amiryan.org said:
>>> The most popular ones are:
>>> hkp://pgp.mit.edu
>
>> Do not use this server because it runs way too old software!
>
> What disadvantage does this have? What kind of features is it not supporting?

Quoting myself from this list, 13-Oct-2005:

PKS does not handle V4 key features well. Notable examples of mangled features are multiple subkeys, a revoked subkey (tag 0x28), duplicate keyids, direct key signatures (tag 0x1F), revocation signatures on userids (tag 0x30), or photo IDs.

There is also no development or maintenance being done on the pks platform.

-- 
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From rjh at sixdemonbag.org Tue Feb 3 14:21:24 2009
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue, 03 Feb 2009 08:21:24 -0500
Subject: Keyserver question...again
In-Reply-To: <49881126.5020009@amiryan.org>
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org>
Message-ID: <498844D4.2070203@sixdemonbag.org>

Alex Amiryan wrote:
> hkp://pgp.mit.edu

Friends don't let friends use pgp.mit.edu. It is irreparably broken for modern OpenPGP keys.

From henkdebruijn at gswot.org Tue Feb 3 14:15:20 2009
From: henkdebruijn at gswot.org (Henk M. de Bruijn)
Date: Tue, 3 Feb 2009 14:15:20 +0100
Subject: Keyserver question...again
In-Reply-To: <49880D25.4040906@Mozilla-Enigmail.org>
References: <200902030036.49581.yochanon@localnet.com> <49880D25.4040906@Mozilla-Enigmail.org>
Message-ID: <1977146781.20090203141520@gswot.org>

On Tue, 03 Feb 2009, at 03:23:49 [GMT -0600] (which was 10:23 where I live) John Clizbe wrote:

> John B wrote:
>> Sorry for being redundant, but what are some good keyservers to use? The
>> ones that are on a stock Kgpg setup don't seem to work too well.

> pool.sks-keyservers.net

> pool.sks-keyservers.net is a DNS round-robin consisting of a random selection of
> 20 servers from a pool of well-connected and synchronized servers (presently
> about 50 total). It is updated twice daily. Details are at
> http://sks-keyservers.net/status/

That's in my config.log too, works fine...

-- 
Henk M. de Bruijn

From dshaw at jabberwocky.com Tue Feb 3 15:00:06 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 3 Feb 2009 09:00:06 -0500
Subject: Keyserver question...again
In-Reply-To: <49881126.5020009@amiryan.org>
References: <200902030036.49581.yochanon@localnet.com> <49881126.5020009@amiryan.org>
Message-ID: <91045966-DCF1-4369-92B5-37147E88991D@jabberwocky.com>

On Feb 3, 2009, at 4:40 AM, Alex Amiryan wrote:

> The most popular ones are:
> hkp://pgp.mit.edu

Don't use this one. It unfortunately still runs pks, and does not handle things like subkeys properly.

> My favorite one is http://keyserver.pgp.com (ldap://keyserver.pgp.com
> for KGpg). It also requires you to confirm your email address.

This server does not synchronize with the rest of the keyservers. That's a feature, not a bug, as the intent of the server is to validate your email address, as you noted, and it cannot do that if it could learn keys from places other than the user. It also signs your key for you to show that the email address was checked (this can get a little annoying as it re-signs the key now and then).

It's an excellent server for particular uses. Note in particular that it is the default server in the commercial PGP product, so if you really want your key to be found...

David

From vedaal at hush.com Tue Feb 3 20:30:26 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 03 Feb 2009 14:30:26 -0500
Subject: Keyserver question...again
Message-ID: <20090203193026.728CD15804A@smtp.hushmail.com>

David Shaw dshaw at jabberwocky.com wrote on Tue Feb 3 15:00:06 CET 2009 :

>>http://keyserver.pgp.com (ldap://keyserver.pgp.com
>>It also requires you to confirm your email address.

>This server does not synchronize with the rest of the keyservers.
>That's a feature, not a bug, as the intent of the server is to
>validate your email address

it also has other quirks:

it refuses to recognize a key with a hushmail domain
[even when it is clear that the key is not a hushmail generated pgp key]

(even this wouldn't be so terrible, except that it doesn't alert anyone on the key submission interface page that it has this requirement

it just instructs users how to upload the key, and then says it will send a confirmatory e-mail to the e-mail address on the key, and to follow the instructions in the e-mail

and then it NEVER sends the e-mail to the hushmail address on the key, and is not heard from again ...


vedaal

From jbruni at me.com Tue Feb 3 20:21:36 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Tue, 03 Feb 2009 12:21:36 -0700
Subject: man page typo
Message-ID: <0EC3CC8A-B51D-4969-A5B9-464E5FF62EE0@me.com>

In the man page for gpg2, in the --import section:

       --import
       --fast-import
              Import/merge keys. This adds the given keys to the
              keyring. The fast version is currently just a synonym.

              There are a few other options which control how this
              command works. Most notable here
        -->>  is the --keyserver-options merge-only option which does
              not insert new keys but does only the merging of new
              signatures, user-IDs and subkeys.

I think the "merge-only" applies to "--import-options," not "--keyserver-options."

-Joe

From lee_andre at bellsouth.net Tue Feb 3 21:28:49 2009
From: lee_andre at bellsouth.net (lee_andre at bellsouth.net)
Date: Tue, 03 Feb 2009 20:28:49 +0000
Subject: gpg: failed to create temporary file
Message-ID: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>

Good Afternoon,

I am currently trying to decrypt a file through an automated process that is called by a webservice called BPEL. Now in my development environment it works great but in my test environment I receive the following errors:

Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or directory

or

Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

My system admin and I did the following troubleshooting steps:
The application runs as the user oracle and in the oracle profile there /.gnupg does exist in its home directory
We open up permissions on the /.gnupg directory to 777 but received the same issues.
We then found that my dev and test environment were different, Dev is running red hat 5.0 and test red hat 4.7, so the gpg versions were different. On the dev GPG version is 1.4.5 and the test is 1.2.6.
We've upgraded the version in the test environment to 1.4.5 the same as Dev. But I produce the same results.
I am able to decrypt the file manually by typing in the command but not through the application.
We also added GNUPGHOME in the oracle user bash profile but still no luck.
Please any help is appreciated.

Thank you in Advance
Andre

From jbruni at me.com Tue Feb 3 22:23:43 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Tue, 03 Feb 2009 14:23:43 -0700
Subject: gpg: failed to create temporary file
In-Reply-To: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
Message-ID: <76C68D4A-7365-4410-AE58-C4C85A838570@me.com>

On Feb 3, 2009, at 1:28 PM, lee_andre at bellsouth.net wrote:

> Good Afternoon,
>
> I am currently trying to decrypt a file through an automated process
> that is called by a webservice called BPEL. Now in my development
> environment it works great but in my test environment I receive the
> following errors:
>
> Error string = gpg: failed to create temporary file
> `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or
> directory
>
> or
>
> Error string = gpg: failed to create temporary file
> `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or
> directory gpg: fatal: ~/.gnupg: can't create directory: No such file
> or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
>
> My system admin and I did the following troubleshooting steps:
> The application runs as the user oracle and in the oracle profile
> there /.gnupg does exist in its home directory
> We open up permissions on the /.gnupg directory to 777 but received
> the same issues.
> We then found that my dev and test environment were different, Dev
> is running red hat 5.0 and test red hat 4.7, so the gpg versions
> were different. On the dev GPG version is 1.4.5 and the test is
> 1.2.6.
> We've upgraded the version in the test environment to 1.4.5 the same
> as Dev. But I produce the same results.
> I am able to decrypt the file manually by typing in the command but
> not through the application.
> We also added GNUPGHOME in the oracle user bash profile but still no
> luck.
> Please any help is appreciated.
>
> Thank you in Advance
> Andre
>

Most likely, your application is not actually running as the "oracle" user. Try adding a call to "whoami" in your script to make sure it really is running as "oracle". You might add "env" as well so you have a good picture of your environment variables.

-Joe

From lee_andre at bellsouth.net Tue Feb 3 22:51:50 2009
From: lee_andre at bellsouth.net (lee_andre at bellsouth.net)
Date: Tue, 03 Feb 2009 21:51:50 +0000
Subject: gpg: failed to create temporary file
In-Reply-To: <76C68D4A-7365-4410-AE58-C4C85A838570@me.com>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <76C68D4A-7365-4410-AE58-C4C85A838570@me.com>
Message-ID: <020320092151.16388.4988BC760002062E0000400422228869349B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>

Way ahead of you. I have a whoami BPEL utility process and it tells me that it is running as oracle

-------------- Original message from Joseph Oreste Bruni : --------------

> On Feb 3, 2009, at 1:28 PM, lee_andre at bellsouth.net wrote:
>
> > Good Afternoon,
> >
> > I am currently trying to decrypt a file through an automated process
> > that is called by a webservice called BPEL.
Now in my development > > environment it works great but in my test enviroment I receive the > > following errors: > > > > Error string = gpg: failed to create temporary file > > `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or > > directory > > > > or > > > > Error string = gpg: failed to create temporary file > > `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or > > directory gpg: fatal: ~/.gnupg: can't create directory: No such file > > or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 > > > > My system admin and I did the following troublshooting steps: > > The application runs as the user oracle and in the oracle profile > > there /.gnupg does exist in its home directory > > We open up permissions on the /.gnupg directory to 777 but received > > the same issues. > > We then found that my dev and test environment were different, Dev > > is running red hat 5.0 and test red hat 4.7, so the gpg versions > > were different. On the dev GPG version is 1.4.5 and the test is > > 1.2.6. > > We've upgraded the version in the test environment to 1.4.5 the same > > as Dev. But I produce the same results. > > I am able to decrypt the file manually by typing in the command but > > not throught the application. > > We also added GNUPGHOME in the oracle user bash profile but still no > > luck. > > Please any help is appreciated. > > > > Thank you in Advance > > Andre > > > > > Most likely, your application is not actually running as the "oracle" > user. Try adding a call to "whoami" in your script to make sure it > really is running as "oracle". You might add "env" as well so you have > a good picture of your environment variables. > > -Joe > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dshaw at jabberwocky.com Tue Feb 3 22:58:23 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 3 Feb 2009 16:58:23 -0500 Subject: gpg: failed to create temporary file In-Reply-To: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> Message-ID: <20090203215823.GA35846@jabberwocky.com> On Tue, Feb 03, 2009 at 08:28:49PM +0000, lee_andre at bellsouth.net wrote: > Good Afternoon, > > I am currently trying to decrypt a file through an automated process that is called by a webservice called BPEL. Now in my development environment it works great but in my test enviroment I receive the following errors: > > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or directory > > or > > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 > > My system admin and I did the following troublshooting steps: > The application runs as the user oracle and in the oracle profile there /.gnupg does exist in its home directory > We open up permissions on the /.gnupg directory to 777 but received the same issues. > We then found that my dev and test environment were different, Dev is running red hat 5.0 and test red hat 4.7, so the gpg versions were different. On the dev GPG version is 1.4.5 and the test is 1.2.6. > We've upgraded the version in the test environment to 1.4.5 the same as Dev. But I produce the same results. > I am able to decrypt the file manually by typing in the command but not throught the application. > We also added GNUPGHOME in the oracle user bash profile but still no luck. What is GNUPGHOME set to? 
Is it fully qualified or is there a ~ in there?

David

From lee_andre at bellsouth.net Tue Feb 3 23:23:24 2009
From: lee_andre at bellsouth.net (lee_andre at bellsouth.net)
Date: Tue, 03 Feb 2009 22:23:24 +0000
Subject: gpg: failed to create temporary file
In-Reply-To: <20090203215823.GA35846@jabberwocky.com>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <20090203215823.GA35846@jabberwocky.com>
Message-ID: <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>

GNUPGHOME = /opt/oracle/.gnupg

-------------- Original message from David Shaw : --------------

> On Tue, Feb 03, 2009 at 08:28:49PM +0000, lee_andre at bellsouth.net wrote:
> > Good Afternoon,
> >
> > I am currently trying to decrypt a file through an automated process that is called by a webservice called BPEL. Now in my development environment it works great but in my test environment I receive the following errors:
> >
> > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or directory
> >
> > or
> >
> > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
> >
> > My system admin and I did the following troubleshooting steps:
> > The application runs as the user oracle and in the oracle profile there /.gnupg does exist in its home directory
> > We open up permissions on the /.gnupg directory to 777 but received the same issues.
> > We then found that my dev and test environment were different, Dev is running red hat 5.0 and test red hat 4.7, so the gpg versions were different. On the dev GPG version is 1.4.5 and the test is 1.2.6.
> > We've upgraded the version in the test environment to 1.4.5 the same as Dev. But I produce the same results.
> > I am able to decrypt the file manually by typing in the command but not through the application.
> > We also added GNUPGHOME in the oracle user bash profile but still no luck.
>
> What is GNUPGHOME set to? Is it fully qualified or is there a ~ in
> there?
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From lopaki at gmail.com Wed Feb 4 04:31:27 2009
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 3 Feb 2009 22:31:27 -0500
Subject: gpg: failed to create temporary file
In-Reply-To: <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <20090203215823.GA35846@jabberwocky.com> <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
Message-ID: <529e76830902031931w756623ddj86fb6496ad9c6f9a@mail.gmail.com>

Does your BPEL call a shell that understands ~?

2009/2/3
> GNUPGHOME = /opt/oracle/.gnupg
>
> -------------- Original message from David Shaw : --------------
>
> > On Tue, Feb 03, 2009 at 08:28:49PM +0000, lee_andre at bellsouth.net wrote:
> > > Good Afternoon,
> > >
> > > I am currently trying to decrypt a file through an automated process that is called by a webservice called BPEL.
> > > Now in my development environment it works great but in my test environment I receive the following errors:
> > >
> > > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19415': No such file or directory
> > >
> > > or
> > >
> > > Error string = gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.19127': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
> > >
> > > My system admin and I did the following troubleshooting steps:
> > > The application runs as the user oracle and in the oracle profile there /.gnupg does exist in its home directory
> > > We open up permissions on the /.gnupg directory to 777 but received the same issues.
> > > We then found that my dev and test environment were different, Dev is running red hat 5.0 and test red hat 4.7, so the gpg versions were different. On the dev GPG version is 1.4.5 and the test is 1.2.6.
> > > We've upgraded the version in the test environment to 1.4.5 the same as Dev. But I produce the same results.
> > > I am able to decrypt the file manually by typing in the command but not through the application.
> > > We also added GNUPGHOME in the oracle user bash profile but still no luck.
> >
> > What is GNUPGHOME set to? Is it fully qualified or is there a ~ in
> > there?
> >
> > David
> >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

--
There's a box?

From yochanon at localnet.com Wed Feb 4 07:08:00 2009
From: yochanon at localnet.com (John B)
Date: Wed, 4 Feb 2009 00:08:00 -0600
Subject: Keyserver question...again
In-Reply-To: <200902030036.49581.yochanon@localnet.com>
References: <200902030036.49581.yochanon@localnet.com>
Message-ID: <200902040008.00209.yochanon@localnet.com>

On 03 February 09, John B wrote:
> Hiya gang,
>
> Sorry for being redundant, but what are some good keyservers to use? The
> ones that are on a stock Kgpg setup don't seem to work too well.

Thanks to everyone who contributed! It looks like it might have been a good thing the question was brought up, just to keep everyone 'updated' on things like that.

--
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." --Benjamin Franklin

From lee_andre at bellsouth.net Wed Feb 4 20:55:32 2009
From: lee_andre at bellsouth.net (lee_andre at bellsouth.net)
Date: Wed, 04 Feb 2009 19:55:32 +0000
Subject: gpg: failed to create temporary file
In-Reply-To: <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net><20090203215823.GA35846@jabberwocky.com> <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
Message-ID: <020420091955.27945.4989F2B4000C365D00006D2922243322829B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>

Here is the bash_profile for oracle

-bash-3.00$ more .bash_profile
export GNUPGHOME=/opt/oracle/.gnupg
export ORACLE_BASE=/opt/oracle
export ORACLE_HOME=/opt/oracle/product/10.1.3.1/OracleAS_1
PATH=$PATH:$HOME/bin
export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/opmn/bin:/usr/sbin:/usr/local/bin:/usr/bin
PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/opt/oracle/bin:/usr/sbin; export PATH
unset USERNAME
umask 022

From jbruni at me.com Wed Feb 4 21:11:05 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Wed, 04 Feb 2009 13:11:05 -0700
Subject: gpg: failed to create temporary file
In-Reply-To: <020420091955.27945.4989F2B4000C365D00006D2922243322829B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <20090203215823.GA35846@jabberwocky.com> <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <020420091955.27945.4989F2B4000C365D00006D2922243322829B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net>
Message-ID: <77FD4CC2-AB2C-4E8C-A26B-14AD8D3D8F10@me.com>

Hi Lee,

I'm not that familiar with BPEL, so perhaps you can elaborate on it. When it starts a shell to execute commands as a user (oracle in this case), does it always launch the shell specified in the user's /etc/passwd (/bin/bash) or does it simply start a POSIX shell (/bin/sh)? If BPEL only starts a POSIX shell, then you will not pick up anything from .bash_profile. Indeed, unless the shell is started as a "login" shell, you might not even get .profile.

If BPEL avoids starting any sort of shell and simply runs the programs directly (via fork() and exec()), then you may not even get $HOME depending on what environment variables BPEL passes in to the exec() call.

Try running the "env" command from BPEL and review the results. Pay particular attention to the contents of $SHELL, $HOME, and look to see if $GNUPGHOME is present and set as expected.
Regards,
Joe

On Feb 4, 2009, at 12:55 PM, lee_andre at bellsouth.net wrote:

> Here is the bash_profile for oracle
>
> -bash-3.00$ more .bash_profile
> export GNUPGHOME=/opt/oracle/.gnupg
> export ORACLE_BASE=/opt/oracle
> export ORACLE_HOME=/opt/oracle/product/10.1.3.1/OracleAS_1
> PATH=$PATH:$HOME/bin
> export PATH=$PATH:$ORACLE_HOME/bin:$ORACLE_HOME/opmn/bin:/usr/sbin:/usr/local/bin:/usr/bin
> PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/opt/oracle/bin:/usr/sbin; export PATH
> unset USERNAME
> umask 022
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From faramir.cl at gmail.com Wed Feb 4 22:22:05 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 04 Feb 2009 18:22:05 -0300
Subject: Question about how to secure the signing key
Message-ID: <498A06FD.7050603@gmail.com>

Well, I was reading some old messages of this list (from 2004), and saw something about it would be possible to steal the public part of a signing subkey... the solution was:

"The fix is fairly simple conceptually. Just have the signing subkey issue a signature on the primary key."

And, since I made a signing subkey, I'd like to know if I need to do something to issue that signature, or if it was done automatically by gpg. The key was created using gpg 1.4.9, so maybe that problem was solved a lot of time ago... or maybe it still requires some user action...

Best Regards

From dshaw at jabberwocky.com Wed Feb 4 22:35:11 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Feb 2009 16:35:11 -0500
Subject: Question about how to secure the signing key
In-Reply-To: <498A06FD.7050603@gmail.com>
References: <498A06FD.7050603@gmail.com>
Message-ID: <20090204213511.GA58332@jabberwocky.com>

On Wed, Feb 04, 2009 at 06:22:05PM -0300, Faramir wrote:
> Well, I was reading some old messages of this list (from 2004), and saw
> something about it would be possible to steal the public part of a
> signing subkey... the solution was:
>
> "The fix is fairly simple conceptually. Just have the signing subkey
> issue a signature on the primary key."
>
> And, since I made a signing subkey, I'd like to know if I need to do
> something to issue that signature, or if it was done automatically by
> gpg. The key was created using gpg 1.4.9, so maybe that problem was
> solved a lot of time ago... or maybe it still requires some user
> action...

If the key was created with 1.4.9, the problem is already solved. As of 1.4.3 (2006-04-03), GPG supports the necessary cross-certification. You'd know if you had the problem - every time you verify a signature from an unfixed key, you'll get a warning about a missing cross-certification.
David

From faramir.cl at gmail.com Wed Feb 4 23:09:36 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 04 Feb 2009 19:09:36 -0300
Subject: Question about how to secure the signing key
In-Reply-To: <20090204213511.GA58332@jabberwocky.com>
References: <498A06FD.7050603@gmail.com> <20090204213511.GA58332@jabberwocky.com>
Message-ID: <498A1220.5010507@gmail.com>

David Shaw wrote:
...
>> "The fix is fairly simple conceptually. Just have the signing subkey
>> issue a signature on the primary key."

> If the key was created with 1.4.9, the problem is already solved. As
> of 1.4.3 (2006-04-03), GPG supports the necessary cross-certification.

Ok, my keys were cross-certified by default, at creation time...

Thanks, I supposed probably I didn't need to worry about it, but it was better to ask and be sure.

Best Regards

From dshaw at jabberwocky.com Wed Feb 4 23:16:22 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 4 Feb 2009 17:16:22 -0500
Subject: Question about how to secure the signing key
In-Reply-To: <498A1220.5010507@gmail.com>
References: <498A06FD.7050603@gmail.com> <20090204213511.GA58332@jabberwocky.com> <498A1220.5010507@gmail.com>
Message-ID: <20090204221622.GA58391@jabberwocky.com>

On Wed, Feb 04, 2009 at 07:09:36PM -0300, Faramir wrote:
> David Shaw wrote:
> ...
> >> "The fix is fairly simple conceptually.
> >> Just have the signing subkey
> >> issue a signature on the primary key."
>
> > If the key was created with 1.4.9, the problem is already solved. As
> > of 1.4.3 (2006-04-03), GPG supports the necessary cross-certification.
>
> Ok, my keys were cross-certified by default, at creation time...
>
> Thanks, I supposed probably I didn't need to worry about it, but it
> was better to ask and be sure.

Definitely. Plus, now it is in the archives, so if someone was wondering they'll see it.

David

From roam at ringlet.net Thu Feb 5 12:45:29 2009
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 5 Feb 2009 13:45:29 +0200
Subject: gpg: failed to create temporary file
In-Reply-To: <77FD4CC2-AB2C-4E8C-A26B-14AD8D3D8F10@me.com>
References: <020320092028.14372.4988A901000C20EC0000382422243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <20090203215823.GA35846@jabberwocky.com> <020320092223.22487.4988C3DC00039503000057D722230682229B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <020420091955.27945.4989F2B4000C365D00006D2922243322829B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <77FD4CC2-AB2C-4E8C-A26B-14AD8D3D8F10@me.com>
Message-ID: <20090205114529.GA1173@straylight.m.ringlet.net>

On Wed, Feb 04, 2009 at 01:11:05PM -0700, Joseph Oreste Bruni wrote:
> On Feb 4, 2009, at 12:55 PM, lee_andre at bellsouth.net wrote:
> > Here is the bash_profile for oracle
> >
> > -bash-3.00$ more .bash_profile
> > export GNUPGHOME=/opt/oracle/.gnupg
> > export ORACLE_BASE=/opt/oracle
> > export ORACLE_HOME=/opt/oracle/product/10.1.3.1/OracleAS_1
[snip]
>
> Hi Lee,
>
> I'm not that familiar with BPEL, so perhaps you can elaborate on it.
> When it starts a shell to execute commands as a user (oracle in this
> case), does it always launch the shell specified in the user's
> /etc/passwd (/bin/bash) or does it simply start a POSIX shell (/bin/sh). If
> BPEL only starts a POSIX shell, then you will not pick up anything
> from .bash_profile. Indeed, unless the shell is started as a "login"
> shell, you might not even get .profile.

And then, of course, it's possible that this is a Linux system which has bash installed as /bin/sh :)

And then, of course, it's possible that this is a *reasonable* Linux system with something else, e.g. dash or ash or something, installed as /bin/sh, in which case Joseph's recommendation holds.

> If BPEL avoids starting any sort of shell and simply runs the programs
> directly (via fork() and exec()), then you may not even get $HOME
> depending on what environment variables BPEL passes in to the exec()
> call.

This is also true.

> Try running the "env" command from BPEL and review the results. Pay
> particular attention to the contents of $SHELL, $HOME, and look to see
> if $GNUPGHOME is present and set as expected.

Yep, this is the only way to be sure.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.

From db111 at freemail.hu Thu Feb 5 18:35:12 2009
From: db111 at freemail.hu (Csabi)
Date: Thu, 5 Feb 2009 18:35:12 +0100 (CET)
Subject: GNUPG and PKI compatibility (?)
Message-ID:

Hello,

Is it possible that GNUPG is compatible with PKI (Public Key Infrastructure)? I would like to use PKI with GNUPG but I failed :((( If GNUPG is not compatible with it, do you know a great PKI freeware program? I didn't find a good program. Excuse me if it is off-topic in this list, I am a beginner.
Sincerely,
Csabi

From christoph.anton.mitterer at physik.uni-muenchen.de Thu Feb 5 21:19:03 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Thu, 05 Feb 2009 21:19:03 +0100
Subject: GNUPG and PKI compatibility (?)
In-Reply-To:
References:
Message-ID: <1233865143.5776.2.camel@fermat.scientia.net>

On Thu, 2009-02-05 at 18:35 +0100, Csabi wrote:
> Is it possible that GNUPG compatible with PKI (Public Key
> Infrastructure)?

gpg is a PKI, or better said, it's a client to be used with a PKI (the OpenPGP PKI, Web of Trust, or however you call it)

> I would like to use PKI with GNUPG but i failed :(((

You probably mean the X.509 PKI. OpenPGP and X.509 are incompatible, but I'd suggest you use OpenPGP, as it's more secure.

> If GNUPG is not compatible with it, do you know a great PKI
> freeware program?

Depending on whether you mean X.509 you could use gpgsm, which is also part of GnuPG.

gpg/gpg2 -> OpenPGP
gpgsm -> X.509

Regards,
--
Christoph Anton Mitterer
Ludwig-Maximilians-Universität München

christoph.anton.mitterer at physik.uni-muenchen.de
mail at christoph.anton.mitterer.name

From decouk at gmail.com Thu Feb 5 21:56:02 2009
From: decouk at gmail.com (Andre Amorim)
Date: Thu, 5 Feb 2009 20:56:02 +0000
Subject: GNUPG and PKI compatibility (?)
In-Reply-To: <1233865143.5776.2.camel@fermat.scientia.net>
References: <1233865143.5776.2.camel@fermat.scientia.net>
Message-ID:

By the way. Where I can find a PKS (public key server) and tools to build a PKI web of trust model. Because I want to make a chats, etc. any tool that you guys know to do things Like this:

http://www.phillylinux.org/keys/historical.html

[s]
Andre Amorim
GnuPG KEY ID: 0x587B1970
FingerPrint: 42AE C929 4D91 4591 4E75 430F 78D9 53B4 587B 1970
Download: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x587B1970

2009/2/5 Christoph Anton Mitterer :
> On Thu, 2009-02-05 at 18:35 +0100, Csabi wrote:
>> Is it possible that GNUPG compatible with PKI (Public Key
>> Infrastructure)?
> gpg is a PKI, or better said, it's a client to be used with an PKI (the
> OpenPGP PKI, Web of Trust, or however you call it)
>
>
>> I would like to use PKI with GNUPG but i failed :(((
> You probably mean the X.509 PKI. OpenPGP and X.509 are incompatible, but
> I'd suggest you to use OpenPGP, as it's more secure.
>
>
>> If GNUPG is not compatible with it, do you know a great PKI
>> freeware program?
> Depending on whether you mean X.509 you could use gpgsm, which is also
> part of GnuPG.
>
> gpg/gpg2 -> OpenPGP
> gpgsm -> X.509
>
>
> Regards,
> --
> Christoph Anton Mitterer
> Ludwig-Maximilians-Universität München
>
> christoph.anton.mitterer at physik.uni-muenchen.de
> mail at christoph.anton.mitterer.name
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>

--
Andre Amorim
GnuPG KEY ID: 0x587B1970
FingerPrint: 42AE C929 4D91 4591 4E75 430F 78D9 53B4 587B 1970
Download: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x587B1970

From malte.gell at gmx.de Thu Feb 5 22:33:23 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Thu, 5 Feb 2009 22:33:23 +0100
Subject: OpenPGP card not accessible
Message-ID: <200902052233.32496.malte.gell@gmx.de>

Hello,

I made some progress with my new OpenPGP card. I can access it with

gpg --card-edit

but I cannot do anything, because GnuPG immediately exits and says there was no card....
gpg --card-edit first detected the card and then suddenly says "OpenPGP card is not available", though it is still in the card reader....

I use gpg 2.0.9 and the Reiner SCT ctapi-driver, scdaemon.conf looks like this:

ctapi-driver libctapi-cyberjack.so
reader-port 1

The ctapi driver seems to be the only way to access the card a little bit, but it still does not work correctly...

If someone has some experience about these issues, let me know

Malte

Application ID ...: D2760001240101010001000015CB0000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 000015CB
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Command> scdaemon[19663]: updating status of slot 0 to 0x0007
scdaemon[19663]: client pid is 19662, sending signal 12
scdaemon[19663.0] DBG: <- [EOF]
scdaemon[19663]: handler for fd -1 terminated
scdaemon[19663]: scdaemon (GnuPG) 2.0.9 stopped
gpg: OpenPGP card not available: IPC write error

From wolfgang at rosenauer.org Thu Feb 5 23:13:08 2009
From: wolfgang at rosenauer.org (Wolfgang Rosenauer)
Date: Thu, 05 Feb 2009 23:13:08 +0100
Subject: OpenPGP card not accessible
In-Reply-To: <200902052233.32496.malte.gell@gmx.de>
References: <200902052233.32496.malte.gell@gmx.de>
Message-ID: <498B6474.8010600@rosenauer.org>

Hi,

Malte Gell wrote:
> I made some progress with my new OpenPGP card. I can access it with
>
> gpg --card-edit but I cannot do anything, because GnuPG immediately exits and
> says there was no card....
>
> gpg --card-edit first detected the card and then suddenly says "OpenPGP card is
> not available", though it is still in the card reader....
>
> I use gpg 2.0.9 and the Reiner SCT ctapi-driver, scdaemon.conf looks like
> this:
>
> ctapi-driver libctapi-cyberjack.so
> reader-port 1
>
> The ctapi driver seems to be the only way to access the card a little bit, but
> it still does not work correctly...
>
> If someone has some experience about these issues, let me know

I've just changed my config from using pcsc-lite to the cyberjack ctapi driver and it works for me. I'm using gpg 2.0.10 though since I had other issues when accessing the card a few days ago.

I have gpg 2.0.10 in my OBS repository built for openSUSE 11.1:
http://download.opensuse.org/repositories/home:/wrosenauer/openSUSE_11.1/

Feel free to try that.

Wolfgang

From gerry.lowry at abilitybusinesscomputerservices.com Thu Feb 5 23:35:40 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Thu, 5 Feb 2009 17:35:40 -0500
Subject: GNUPG and PKI compatibility (?)
References: <1233865143.5776.2.camel@fermat.scientia.net>
Message-ID: <15E113BA7F99429EA0E93125F14801ED@zentrumvegan>

These may be some keyservers to use for looking up keys with "gpg --recv-key"

keyserver hkp://subkeys.pgp.net
keyserver hkp://pgp.mit.edu
keyserver hkp://pool.sks-keyservers.net (random server)
keyserver hkp://keys.nayr.net

Not all of the above may be up.

Here's a place to build trust: http://www.biglumber.com/
"This site is designed to help expand webs of trust by coordinating key signings".
Regards,
Gerry (Lowry)

From malte.gell at gmx.de Fri Feb 6 00:46:27 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Fri, 6 Feb 2009 00:46:27 +0100
Subject: OpenPGP card not accessible
In-Reply-To: <498B6474.8010600@rosenauer.org>
References: <200902052233.32496.malte.gell@gmx.de> <498B6474.8010600@rosenauer.org>
Message-ID: <200902060046.30428.malte.gell@gmx.de>

On Thursday 05 February 2009 23:13:08 Wolfgang Rosenauer wrote the following:
> Malte Gell wrote:
> > gpg --card-edit first detected the card and then suddenly says "OpenPGP
> > card is not available", though it is still in the card reader....
>
> I've just changed my config from using pcsc-lite to the cyberjack ctapi
> driver and it works for me.
> I'm using gpg 2.0.10 though since I had other issues when accessing the
> card a few days ago.
>
> I have gpg 2.0.10 in my OBS repository built for openSUSE 11.1:
> http://download.opensuse.org/repositories/home:/wrosenauer/openSUSE_11.1/

Thanx, I tried the updated GnuPG, but it still does not work, see below. You use the same driver, just a different Cyberjack reader, so my guess is, it is the reader that makes trouble. It is a Cyberjack Secoder, released in 2008, maybe it is too new to work correctly with the delivered ctapi driver. Since your Cyberjack and the ctapi driver works it may be more likely it is the Secoder that is not properly supported by the current ctapi driver...
Malte

1[root at linux-61r3]4877-00:34~> gpg --card-edit
can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
scdaemon[7910]: listening on socket `/tmp/gpg-PdOdAU/S.scdaemon'
scdaemon[7910]: handler for fd -1 started
scdaemon[7910]: reader slot 0: Processor ICC present
scdaemon[7910]: slot 0: ATR=3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
scdaemon[7910.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[7910.0] DBG: <- GETINFO socket_name
scdaemon[7910.0] DBG: -> D /tmp/gpg-PdOdAU/S.scdaemon
scdaemon[7910.0] DBG: -> OK
scdaemon[7910.0] DBG: <- OPTION event-signal=12
scdaemon[7910.0] DBG: -> OK
scdaemon[7910.0] DBG: <- SERIALNO
scdaemon[7910]: AID: D2 76 00 01 24 01 01 01 00 01 00 00 15 CB 00 00
scdaemon[7910]: Version-2 ......: no
scdaemon[7910]: Get-Challenge ..: yes (0 bytes max)
scdaemon[7910]: Key-Import .....: yes
scdaemon[7910]: Change-Force-PW1: yes
scdaemon[7910]: Private-DOs ....: yes
scdaemon[7910]: Algo-Attr-Change: no
scdaemon[7910]: SM-Support .....: no
scdaemon[7910]: Max-Cert3-Len ..: 0
scdaemon[7910]: Max-Cmd-Data ...: 0
scdaemon[7910]: Max-Rsp-Data ...: 0
scdaemon[7910]: Cmd-Chaining ...: no
scdaemon[7910]: Ext-Lc-Le ......: no
scdaemon[7910]: Status Indicator: 00
scdaemon[7910]: GnuPG-No-Sync ..: no
scdaemon[7910]: GnuPG-Def-PW2 ..: no
scdaemon[7910]: Key-Attr-sign ..: RSA, n=1024, e=32, fmt=std
scdaemon[7910]: Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
scdaemon[7910]: Key-Attr-auth ..: RSA, n=1024, e=32, fmt=std
scdaemon[7910]: DBG: USING application context (refcount=1) (new)
scdaemon[7910.0] DBG: -> S SERIALNO XXXXXXXXXXXXXXXXXXXX
scdaemon[7910.0] DBG: -> OK
scdaemon[7910]: updating slot 0 status: 0x0000->0x0007 (0->1)
scdaemon[7910]: sending signal 12 to client 7909
scdaemon[7910.0] DBG: <- [EOF]
scdaemon[7910]: handler for fd -1 terminated
gpg: OpenPGP card not available: End of file

Command> scdaemon[7910]: scdaemon (GnuPG) 2.0.10 stopped
gpg: OpenPGP card not available: IPC write error

Command> quit

From malte.gell at gmx.de Fri Feb 6 01:41:41 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Fri, 6 Feb 2009 01:41:41 +0100
Subject: OpenPGP card not accessible
In-Reply-To: <498B6474.8010600@rosenauer.org>
References: <200902052233.32496.malte.gell@gmx.de> <498B6474.8010600@rosenauer.org>
Message-ID: <200902060141.43447.malte.gell@gmx.de>

On Thursday, 5 February 2009 23:13:08, Wolfgang Rosenauer wrote:
> Malte Gell wrote:
> > gpg --card-edit first detected the card and then suddenly says "OpenPGP
> > card is not available", though it is still in the card reader....
> I have gpg 2.0.10 in my OBS repository built for openSUSE 11.1:
> http://download.opensuse.org/repositories/home:/wrosenauer/openSUSE_11.1/

As written previously, it has not helped, I have now tried to use the pc/sc driver and pcsc daemon, to no avail, output below.....

1[root at linux-61r3]4937-01:39~> gpg --card-edit
can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
scdaemon[20981]: listening on socket `/tmp/gpg-lPsvco/S.scdaemon'
scdaemon[20981]: handler for fd -1 started
scdaemon[20981]: reader slot 0: not connected
scdaemon[20981]: slot 0: ATR=3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
scdaemon[20981.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[20981.0] DBG: <- GETINFO socket_name
scdaemon[20981.0] DBG: -> D /tmp/gpg-lPsvco/S.scdaemon
scdaemon[20981.0] DBG: -> OK
scdaemon[20981.0] DBG: <- OPTION event-signal=12
scdaemon[20981.0] DBG: -> OK
scdaemon[20981.0] DBG: <- SERIALNO
scdaemon[20981]: AID: D2 76 00 01 24 01 01 01 00 01 00 00 15 CB 00 00
scdaemon[20981]: Version-2 ......: no
scdaemon[20981]: Get-Challenge ..: yes (0 bytes max)
scdaemon[20981]: Key-Import .....: yes
scdaemon[20981]: Change-Force-PW1: yes
scdaemon[20981]: Private-DOs ....: yes
scdaemon[20981]: Algo-Attr-Change: no
scdaemon[20981]: SM-Support .....: no
scdaemon[20981]: Max-Cert3-Len ..: 0
scdaemon[20981]: Max-Cmd-Data ...: 0
scdaemon[20981]: Max-Rsp-Data ...: 0
scdaemon[20981]: Cmd-Chaining ...: no scdaemon[20981]: Ext-Lc-Le ......: no scdaemon[20981]: Status Indicator: 00 scdaemon[20981]: GnuPG-No-Sync ..: no scdaemon[20981]: GnuPG-Def-PW2 ..: no scdaemon[20981]: Key-Attr-sign ..: RSA, n=1024, e=32, fmt=std scdaemon[20981]: Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std scdaemon[20981]: Key-Attr-auth ..: RSA, n=1024, e=32, fmt=std scdaemon[20981]: DBG: USING application context (refcount=1) (new) scdaemon[20981.0] DBG: -> S SERIALNO xxxx scdaemon[20981.0] DBG: -> OK scdaemon[20981.0] DBG: <- LEARN --force scdaemon[20981.0] DBG: -> S SERIALNO xxxx scdaemon[20981.0] DBG: -> S APPTYPE OPENPGP scdaemon[20981.0] DBG: -> S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=0 scdaemon[20981.0] DBG: -> S DISP-NAME scdaemon[20981.0] DBG: -> S DISP-LANG de scdaemon[20981.0] DBG: -> S DISP-SEX 9 scdaemon[20981.0] DBG: -> S PUBKEY-URL scdaemon[20981.0] DBG: -> S CHV-STATUS +0+254+254+254+3+3+3 scdaemon[20981.0] DBG: -> S SIG-COUNTER 0 scdaemon[20981.0] DBG: -> S PRIVATE-DO-1 scdaemon[20981.0] DBG: -> S PRIVATE-DO-2 scdaemon[20981]: reading public key failed: Missing item in object scdaemon[20981]: reading public key failed: Missing item in object scdaemon[20981]: reading public key failed: Missing item in object scdaemon[20981.0] DBG: -> OK gpg-agent[20980]: card has S/N: (XXXXXXed by me) Application ID ...: XXXXXX Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000015CB Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Max. 
PIN lengths .: 254 254 254 PIN retry counter : 3 3 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] Command> scdaemon[20981]: updating slot 0 status: 0x0000->0x0007 (0->1) scdaemon[20981]: sending signal 12 to client 20980 scdaemon[20981.0] DBG: <- [EOF] scdaemon[20981]: handler for fd -1 terminated scdaemon[20981]: scdaemon (GnuPG) 2.0.10 stopped gpg: OpenPGP card not available: IPC write error From John at Mozilla-Enigmail.org Fri Feb 6 02:20:02 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Thu, 05 Feb 2009 19:20:02 -0600 Subject: GNUPG and PKI compatibility (?) In-Reply-To: <15E113BA7F99429EA0E93125F14801ED@zentrumvegan> References: <1233865143.5776.2.camel@fermat.scientia.net> <15E113BA7F99429EA0E93125F14801ED@zentrumvegan> Message-ID: <498B9042.2040904@Mozilla-Enigmail.org> gerry_lowry (alliston ontario canada) wrote: > These may be some keyservers to use for looking up keys with "gpg --recv-key" > keyserver hkp://subkeys.pgp.net > keyserver hkp://pgp.mit.edu > keyserver hkp://pool.sks-keyservers.net (random server) > keyserver hkp://keys.nayr.net An "interesting" assortment, but the only one I'd keep is pool.sks-keyservers.net. Here's why: subkeys.pgp.net: The original purpose of subkeys.pgp.net was to be a set of subkey safe keyservers, PKS servers that were patched to not mangle V4 keys and a few of the new SKS servers. Most all maintained PKS boxes have converted to SKS. The current collection is a subset of the SKS network: sks.gpg.cz, keys.nayr.net, keyserver.ganneff.de, keyserver.maluska.de, keys.cardboard.net, and keys.keysigning.org. pool.sks-keyservers.net gives me all of these servers and more. BTW, this is also a DNS round robin... you get a random server of the six. Any of these are likely to be included in pool.sks-keyservers.net. 
keys.nayr.net: It is, in general, very poor netiquette to steer traffic to a single server when load-balancing mechanisms are well-known and available. The more widely distributed that traffic balancing is, the better for all concerned. If, for some reason, that single server is down, a user's keyserver operation will fail. The pooled round-robins minimize this risk. This server is also part of subkeys.pgp.net and ~50% likely to be part of pool.sks-keyservers.net. pool.sks-keyservers.net: The *BEST*CHOICE* of this bunch. it is a DNS round-robin consisting of 20 SKS servers that a) are up, and b) are synchronized with the rest of the SKS network. 20 randomly chosen from 40-50 that normally make up the greater pool of SKS servers and the list is updated twice per day. The win is the b) part - because of the manner changes are distributed in the SKS network, all servers have nearly or soon to be (within minutes) identical copies of the entire database. I find that most times, my keyserver's 25+ recon partners have zero differences from my copy of the database. Said another way, outside of networking issues such as RTT (round trip time), NO SKS SERVER IS ANY BETTER THAN ANOTHER. Sharing the load among all servers is the best approach for all - server operators and users. pgp.mit.edu: Bad, Bad, Bad, Bad idea. Perennial favorite for worst recommendation of keyserver. As a friend of mine said on this list two days ago, "Friends don't let friends use pgp.mit.edu. It is irreparably broken for modern OpenPGP keys." "How is it broken?" you may ask. PKS does not handle V4 key features well. Notable examples of mangled features are multiple subkeys, a revoked subkey (tag 0x28), duplicate keyids, direct key signatures (tag 0x1F), revocation signatures on userids (tag 0x30), or photo IDs. There is also no development or maintenance being done on the PKS platform. Please do not recommend this server. > Not all of the above may be up. 
Your chances of a server not being up increase as the size of your pool of servers decreases. Single server -> greatest odds of hitting a failure. If they're listed as part of pool.sks-keyservers.net, they will most likely be up (or were up within the last 12 hours or so). Note: this list looks like a selection of keyserver directives from a GnuPG configuration file, gpg.conf. Unless David or Werner changed the logic and I missed the commit, only the last uncommented keyserver directive will be used by GnuPG. There is no iteration over a list of keyservers à la PGP. You get one active keyserver statement, hence pool.sks-keyservers.net being the best recommendation. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From gerry.lowry at abilitybusinesscomputerservices.com Fri Feb 6 03:04:37 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Thu, 5 Feb 2009 21:04:37 -0500 Subject: GNUPG and PKI compatibility (?) References: <1233865143.5776.2.camel@fermat.scientia.net> <15E113BA7F99429EA0E93125F14801ED@zentrumvegan> <498B9042.2040904@Mozilla-Enigmail.org> Message-ID: <3C19E49549D04BBC81CACDD409B67621@zentrumvegan> John / thank you for your insights; like your haiku ----- Original Message ----- From: "John Clizbe" To: "GnuPG Users" Cc: "Gerry Lowry" Sent: Thursday, February 05, 2009 8:20 PM Subject: Re: GNUPG and PKI compatibility (?) 
From kayraj1 at yahoo.com Wed Feb 4 15:11:32 2009 From: kayraj1 at yahoo.com (raj raj) Date: Wed, 4 Feb 2009 06:11:32 -0800 (PST) Subject: Need a command to suppress Message-ID: <180130.89878.qm@web33102.mail.mud.yahoo.com> Hi, I introduce myself as Raj. I need help in resolving one problem in using GPG for me. Is there a command to suppress these 2 lines? gpg: Signature made using DSA key ID gpg: Good signature xxxxxx.com Thanks for your help in advance. Raj. From er.rahulkausik at gmail.com Thu Feb 5 09:55:19 2009 From: er.rahulkausik at gmail.com (rahul kaushik) Date: Thu, 5 Feb 2009 00:55:19 -0800 (PST) Subject: compatibility of Gnupg-1.4.9 to Gnupg-1.0.6 In-Reply-To: <20090129205643.GC16331@jabberwocky.com> References: <21621863.post@talk.nabble.com> <21663800.post@talk.nabble.com> <20090129205643.GC16331@jabberwocky.com> Message-ID: <21847480.post@talk.nabble.com> David Shaw wrote: > > On Mon, Jan 26, 2009 at 03:16:07AM -0800, rahul kaushik wrote: >> >> Hi All, >> Thanks for your attention towards my problem. >> One thing that i still would like to know about gpg is >> Is it possible for me to use keyring and trustdb of Gnupg-1.4.9 while >> using >> Gnupg-1.0.6. can keyring generated ( using --gen-key ) by Gnupg-1.4.9 be >> used with gnupg-1.0.6. >> >> >> What i think, it may not be possible to convert keyring or trustdb from >> upper version ( 1.4.9 ) >> to keyring of lower version ( 1.0.6 ). > > That is correct. The file conversion from 1.0.6 to 1.4.9 is one way. > > If you want to go back to 1.0.6, you need to export your keyrings from > 1.4.9 and then re-import them to 1.0.6. You cannot simply use the > same files. 
> > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- View this message in context: http://www.nabble.com/compatibility-of-Gnupg-1.4.9-to-Gnupg-1.0.6-tp21621863p21847480.html Sent from the GnuPG - User mailing list archive at Nabble.com. From er.rahulkausik at gmail.com Thu Feb 5 10:05:18 2009 From: er.rahulkausik at gmail.com (rahul kaushik) Date: Thu, 5 Feb 2009 01:05:18 -0800 (PST) Subject: compatibility of Gnupg-1.4.9 to Gnupg-1.0.6 In-Reply-To: <20090129205643.GC16331@jabberwocky.com> References: <21621863.post@talk.nabble.com> <21663800.post@talk.nabble.com> <20090129205643.GC16331@jabberwocky.com> Message-ID: <21847624.post@talk.nabble.com> Hi all, Thanks for your suggestion that helped me a lot. One question I would like to test: I created a key ( using gpg --gen-key from gnupg-1.0.6 ) after that I exported that key as gpg --output customer.asc --armor --export # used gnupg-1.0.6 now I took that customer key where my gnupg-1.4.9 running. and import that key and also signed that using --edit-key. now I was able to encrypt the file ( for example test.txt ) using that key id ( which I have imported ) but there is some problem that I am facing while decrypting the same message. >: gpg -d test.txt.gpg gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: encrypted with 1024-bit ELG-E key, ID 8BF79D26, created 2009-02-05 "rahul_kaushik (user1.0.6) " gpg: decryption failed: secret key not availabl Please help me in sorting out this problem............... Regards, Rahul Kaushik David Shaw wrote: > > On Mon, Jan 26, 2009 at 03:16:07AM -0800, rahul kaushik wrote: >> >> Hi All, >> Thanks for your attention towards my problem. >> One thing that i still would like to know about gpg is >> Is it possible for me to use keyring and trustdb of Gnupg-1.4.9 while >> using >> Gnupg-1.0.6. 
can keyring generated ( using --gen-key ) by Gnupg-1.4.9 be >> used with gnupg-1.0.6. >> >> >> What i think, it may not be possible to convert keyring or trustdb from >> upper version ( 1.4.9 ) >> to keyring of lower version ( 1.0.6 ). > > That is correct. The file conversion from 1.0.6 to 1.4.9 is one way. > > If you want to go back to 1.0.6, you need to export your keyrings from > 1.4.9 and then re-import them to 1.0.6. You cannot simply use the > same files. > > David > > -- View this message in context: http://www.nabble.com/compatibility-of-Gnupg-1.4.9-to-Gnupg-1.0.6-tp21621863p21847624.html Sent from the GnuPG - User mailing list archive at Nabble.com. From cbabcock at kolonelpanic.com Fri Feb 6 12:57:15 2009 From: cbabcock at kolonelpanic.com (Chris Babcock) Date: Fri, 6 Feb 2009 04:57:15 -0700 Subject: Need a command to suppress In-Reply-To: <180130.89878.qm@web33102.mail.mud.yahoo.com> References: <180130.89878.qm@web33102.mail.mud.yahoo.com> Message-ID: <20090206045715.09cf4d44@mail.asciiking.com> On Wed, 4 Feb 2009 06:11:32 -0800 (PST) raj raj wrote: > Is there a command to suppress these 2 lines? > gpg: Signature made using DSA key ID > gpg: Good signature xxxxxx.com Add "'" | grep -v "Signature made" | grep -v "Good signature" "'" to the end of the command. Using "grep -v" inverts the match so only lines that do *not* contain the matching text are passed to stdout. Of course that's no help for Windows, but... Chris From donrhummy at yahoo.com Fri Feb 6 15:05:50 2009 From: donrhummy at yahoo.com (don rhummy) Date: Fri, 6 Feb 2009 06:05:50 -0800 (PST) Subject: What do if forgot password? 
Message-ID: <738094.15039.qm@web57806.mail.re3.yahoo.com> What does GPG have to recover my data if i forgot my password? From John at Mozilla-Enigmail.org Fri Feb 6 16:19:20 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Fri, 06 Feb 2009 09:19:20 -0600 Subject: What do if forgot password? In-Reply-To: <738094.15039.qm@web57806.mail.re3.yahoo.com> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> Message-ID: <498C54F8.4000704@Mozilla-Enigmail.org> don rhummy wrote: > What does GPG have to recover my data if i forgot my password? Lots of folks who'll tell you that you are S-O-L. Big Time. The passphrase is the defense to keep a secret key safe. There are no recovery mechanisms absent brute force. This is by design. It's been said on this list countless times, there is _absolutely_ no way to recover anything in OpenPGP without the passphrase. I hope this isn't the situation you are in, because there is nothing that can be done short of remembering the passphrase. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From gerry.lowry at abilitybusinesscomputerservices.com Fri Feb 6 17:10:09 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Fri, 6 Feb 2009 11:10:09 -0500 Subject: What do if forgot password? References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C54F8.4000704@Mozilla-Enigmail.org> Message-ID: even if the rumours are true that "the government" may have such an ability, we'd never know. 
If you still know your passphrase, and have not done so, create a revocation certificate. Keep both the revocation certificate and your passphrase in a secure and secret (to you) place (but remember where you put them). Anyone who has your passphrase and your private key can decrypt things encrypted for you. Anyone who has your revocation certificate can revoke your key. g. From donrhummy at yahoo.com Fri Feb 6 18:24:28 2009 From: donrhummy at yahoo.com (don rhummy) Date: Fri, 6 Feb 2009 09:24:28 -0800 (PST) Subject: What do if forgot password? In-Reply-To: Message-ID: <114238.59266.qm@web57807.mail.re3.yahoo.com> thanks. One question on the revocation certificate: If I use it to "revoke" the key, does that mean i can then create a new key and thus retrieve everything stored under the previous password/key with the new one? What does revoking it do? --- On Fri, 2/6/09, gerry_lowry (alliston ontario canada) wrote: > From: gerry_lowry (alliston ontario canada) > Subject: Re: What do if forgot password? > To: "GnuPG Users" > Date: Friday, February 6, 2009, 11:10 AM > even if the rumours are true that "the government" > may have such an ability, we'd never know. > > If you still know your passphrase, and have not done so, > create a revocation certificate. > Keep both the revocation certificate and your passphrase in > a secure and secret (to you) > place (but remember where you put them). > > Anyone who has your passphrase and your private key can > decrypt > things encrypted for you. Anyone who has your revocation > certificate > can revoke your key. > > g. From John at Mozilla-Enigmail.org Fri Feb 6 18:48:10 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Fri, 06 Feb 2009 11:48:10 -0600 Subject: What do if forgot password? 
In-Reply-To: <114238.59266.qm@web57807.mail.re3.yahoo.com> References: <114238.59266.qm@web57807.mail.re3.yahoo.com> Message-ID: <498C77DA.6010909@Mozilla-Enigmail.org> don rhummy wrote: > thanks. One question on the revocation certificate: > > If I use it to "revoke" the key, does that mean i can then create a new key > and thus retrieve everything stored under the previous password/key with the > new one? What does revoking it do? Generate new key? Yes. Retrieve anything encrypted to old key? NO. Everything encrypted to the old key is _ONLY_ retrievable with the old key (or any other key it may be encrypted to) Revoking a key flags it to others as no longer valid. If you do not have the passphrase, you cannot revoke a key unless a revocation certificate was previously generated and stored away in the event of a mishap such as this. Sorry, but the revocation certificate suggestion does nothing to help you retrieve things encrypted to the key with the lost passphrase. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From david at miradoiro.com Fri Feb 6 16:48:30 2009 From: david at miradoiro.com (David Picón Álvarez) Date: Fri, 6 Feb 2009 16:48:30 +0100 Subject: What do if forgot password? References: <738094.15039.qm@web57806.mail.re3.yahoo.com> Message-ID: <7E8CD4F0EEAA4765A4FDB1A59B5C3D03@Nautilus> From: "don rhummy" > What does GPG have to recover my data if i forgot my password? The same it has if someone wants to recover your data claiming to be you and that they forgot your password: nothing. 
I suppose you could print out your unencrypted private key and keep it somewhere very, very safe. Or your password. --David. From m.mansfeld at mansfeld-elektronik.de Fri Feb 6 19:16:45 2009 From: m.mansfeld at mansfeld-elektronik.de (Matthias Mansfeld) Date: Fri, 06 Feb 2009 19:16:45 +0100 Subject: What do if forgot password? In-Reply-To: References: <738094.15039.qm@web57806.mail.re3.yahoo.com>, Message-ID: <498C8C9D.28739.66BA4E3@m.mansfeld.mansfeld-elektronik.de> On 6 Feb 2009 at 11:10, gerry_lowry (alliston ontario canada) wrote: > even if the rumours are true that "the government" may have such an > ability, we'd never know. Then they would need brute force against key AND password or they know about weaknesses in algorithms which nobody else knows. At least concerning GnuPG or other open source encryption, there cannot be any hidden backdoor by design.. Regards Matthias From rjh at sixdemonbag.org Fri Feb 6 19:19:31 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 06 Feb 2009 13:19:31 -0500 Subject: What do if forgot password? In-Reply-To: References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C54F8.4000704@Mozilla-Enigmail.org> Message-ID: <498C7F33.9090105@sixdemonbag.org> gerry_lowry (alliston ontario canada) wrote: > even if the rumours are true that "the government" may have such an > ability, we'd never know. http://sixdemonbag.org/cryptofaq.xhtml#agencies > If you still know your passphrase The original poster made it clear he has forgotten his passphrase. > Keep both the revocation certificate and your passphrase in a secure > and secret (to you) place (but remember where you put them). When people are asked to find a "secure and secret" place, they typically do it very badly due to a lack of experience. When an investigator looks for your "secure and secret" place, the investigator typically does fairly well due to having a lot of experience. You have much better options available to you. 
For instance, put it in a sealed envelope and give it to your lawyer. Tell your lawyer, "this is a very important document and must be kept safe." It is very likely that your lawyer will have lots of experience at this and be much better at it than you are. From email at sven-radde.de Fri Feb 6 20:18:05 2009 From: email at sven-radde.de (Sven Radde) Date: Fri, 06 Feb 2009 20:18:05 +0100 Subject: What do if forgot password? In-Reply-To: <498C8C9D.28739.66BA4E3@m.mansfeld.mansfeld-elektronik.de> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> , <498C8C9D.28739.66BA4E3@m.mansfeld.mansfeld-elektronik.de> Message-ID: <1233947885.6897.7.camel@carbon> Hi! On Friday, 06.02.2009, at 19:16 +0100, Matthias Mansfeld wrote: > > even if the rumours are true that "the government" may have such an > > ability, we'd never know. > > Then they would need brute force against key AND password or they > know about weaknesses in algorithms which nobody else knows. Let me clarify this a bit: Whoever wants to break your key needs to do "only" one of the following: 1) Retrieve your public key and break the RSA/... key. -OR- 2) Get access to your secret keyring file and then break the passphrase. NB: Having one's public key and knowing his/her passphrase does not compromise the key. cu, Sven From gerry.lowry at abilitybusinesscomputerservices.com Fri Feb 6 22:08:33 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Fri, 6 Feb 2009 16:08:33 -0500 Subject: What do if forgot password? References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C54F8.4000704@Mozilla-Enigmail.org> <498C7F33.9090105@sixdemonbag.org> Message-ID: <6C12F1FFCDA04CFCBB772392F4F679EA@zentrumvegan> Hello Robert ... the original poster, Don Rhummy, did NOT make it clear, you missed his "if": "What does GPG have to recover my data if i forgot my password?". Thank you for your excellent advice about using a lawyer ... 
my safe and secure places tend to be so secure that even I can not find them. B-) http://sixdemonbag.org/cryptofaq.xhtml#agencies does not like my IE7. Your link takes me to http://www.secret-alchemy.com/why_xhtml.html and explains how this occurs. Fortunately, I also have Safari installed and have read your fine article. You may enjoy "The Last Theorem", a science fiction novel, Arthur C. Clarke's last AFAIK, in collaboration with Frederik Pohl, published by Ballantine Books/DEL REY/Random House. regards ~~ gerry From ml at mareichelt.de Fri Feb 6 22:09:00 2009 From: ml at mareichelt.de (markus reichelt) Date: Fri, 06 Feb 2009 22:09:00 +0100 Subject: What do if forgot password? In-Reply-To: <738094.15039.qm@web57806.mail.re3.yahoo.com> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> Message-ID: <20090206210900.GE4952@tatooine.rebelbase.local> * don rhummy wrote: > What does GPG have to recover my data if i forgot my password? Your last chance is a tool like nasty, check it before you do anything stupid in a rush @ http://www.vanheusden.com/nasty/ -- left blank, right bald From ml at mareichelt.de Fri Feb 6 22:10:55 2009 From: ml at mareichelt.de (markus reichelt) Date: Fri, 06 Feb 2009 22:10:55 +0100 Subject: What do if forgot password? In-Reply-To: <1233947885.6897.7.camel@carbon> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C8C9D.28739.66BA4E3@m.mansfeld.mansfeld-elektronik.de> <1233947885.6897.7.camel@carbon> Message-ID: <20090206211055.GF4952@tatooine.rebelbase.local> * Sven Radde wrote: > > Then they would need brute force against key AND password or they > > know about weaknesses in algorithms which nobody else knows. 
> > Let me clarify this a bit: > > Whoever wants to break your key needs to do "only" one of the following: > 1) Retrieve your public key and break the RSA/... key. -OR- > 2) Get access to your secret keyring file and then break the passphrase. Don't forget the silver bullet: http://www.xkcd.com/538/ -- left blank, right bald From faramir.cl at gmail.com Fri Feb 6 23:15:19 2009 From: faramir.cl at gmail.com (Faramir) Date: Fri, 06 Feb 2009 19:15:19 -0300 Subject: What do if forgot password? In-Reply-To: <738094.15039.qm@web57806.mail.re3.yahoo.com> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> Message-ID: <498CB677.7020308@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 don rhummy wrote: > What does GPG have to recover my data if i forgot my password? Absolutely nothing. Assuming you are making your question to know what preventive measures to take, maybe you can store _in a safe place_ a backup of your key without a passphrase... but that would mean that anybody having access to that backup can steal your key. Another option could be to remove the passphrase, print the key with paperkey, store the printed backup in a safe place (and don't forget some insects can eat paper). And set again the passphrase of your key. The printed backup has some advantages: 1.- If stored in a dry and dark place, safe from fungus or insects, it can last for a really long time. 2.- It is stored "off-line" (of course, it's a printed sheet of paper), so no trojan can steal it. 
3.- Probably, anybody that finds it, won't have any idea about what are those funny numbers (of course, if "somebody" means "NSA expert" he would probably recognise what the paper is, and would get an _unprotected copy of your key!_) Since my concern is about being "hacked", but not about being investigated by government, I don't need to hide my backups under a stone in the middle of a forest... any backup safe from a computer trojan, or a fire affecting my house is good enough for me. But maybe that is not your case. Best Regards From faramir.cl at gmail.com Fri Feb 6 23:40:35 2009 From: faramir.cl at gmail.com (Faramir) Date: Fri, 06 Feb 2009 19:40:35 -0300 Subject: What do if forgot password? In-Reply-To: <6C12F1FFCDA04CFCBB772392F4F679EA@zentrumvegan> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C54F8.4000704@Mozilla-Enigmail.org> <498C7F33.9090105@sixdemonbag.org> <6C12F1FFCDA04CFCBB772392F4F679EA@zentrumvegan> Message-ID: <498CBC63.7060803@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 gerry_lowry (alliston ontario canada) wrote: ... > http://sixdemonbag.org/cryptofaq.xhtml#agencies does not like my IE7. He already knows that... 
while I can't be sure, I'd bet Robert doesn't like IE7 too ;-) Best Regards From rjh at sixdemonbag.org Sat Feb 7 00:30:16 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 06 Feb 2009 18:30:16 -0500 Subject: What do if forgot password? In-Reply-To: <498CBC63.7060803@gmail.com> References: <738094.15039.qm@web57806.mail.re3.yahoo.com> <498C54F8.4000704@Mozilla-Enigmail.org> <498C7F33.9090105@sixdemonbag.org> <6C12F1FFCDA04CFCBB772392F4F679EA@zentrumvegan> <498CBC63.7060803@gmail.com> Message-ID: <498CC808.1040901@sixdemonbag.org> Faramir wrote: > He already knows that... while I can't be sure, I'd bet Robert doesn't > like IE7 too ;-) I try not to join Windows-bashing, IE-bashing, or whatever else. I'd much rather stand for something than tear something down. Standards are good for the internet. GnuPG and PGP interoperate as well as they do because of the OpenPGP standard. Windows and Linux machines can interoperate on the same network because they each conform to the TCP/IP standard. And so on, and so on, and so on. Standards are good for the internet. My web pages strictly conform to a nearly ten-year-old W3C standard. I don't care what browser you use to read them. Often on this list we get questions about how to make PGP 6.5.8 interoperate with GnuPG. The usual -- and good -- answer is, "PGP 6.5.8 isn't standards conformant, encourage them to get a better application." 
Likewise, if your browser isn't standards conformant, you may want to get a better browser. :) From joel_rees at sannet.ne.jp Sat Feb 7 09:35:51 2009 From: joel_rees at sannet.ne.jp (Joel Rees) Date: Sat, 7 Feb 2009 17:35:51 +0900 Subject: No subject Message-ID: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> Anybody got any idea why my non-root admin user's ~/.gnupg directory is or should be owned by root? This is on a Mac, where root logins are generally disabled, so that, for instance, we install with "sudo make install". From mlisten at hammernoch.net Sat Feb 7 12:32:35 2009 From: mlisten at hammernoch.net (Ludwig Hügelschäfer) Date: Sat, 07 Feb 2009 12:32:35 +0100 Subject: acl on .gnupg directory on mac In-Reply-To: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> References: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> Message-ID: <498D7153.7010001@hammernoch.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, Joel Rees wrote on 07.02.2009 at 9:35: > Anybody got any idea why my non-root admin user's ~/.gnupg directory is > or should be owned by root? No idea. This is what I have: drwx------ 85 luddwich staff 2890 7 Feb 12:27 .gnupg > This is on a Mac, where root logins are > generally disabled, so that, for instance, we install with "sudo make > install". That's common practice. Do you have any new $Phantastic-tool installed or used? 
Ludwig From thomas at bohnomat.de Sat Feb 7 12:53:50 2009 From: thomas at bohnomat.de (thomas at bohnomat.de) Date: Sat, 7 Feb 2009 12:53:50 +0100 Subject: ~/.gnupg owned by root In-Reply-To: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> References: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> Message-ID: <20090207115350.GA490@proton.bohnomat.de> On 17:35, Sat 07 Feb 09, Joel Rees wrote: > Anybody got any idea why my non-root admin user's ~/.gnupg directory is > or should be owned by root? Maybe you did use gpg via sudo. It shouldn't be owned by root. Thomas From kloecker at kde.org Sat Feb 7 13:21:23 2009 From: kloecker at kde.org (Ingo Klöcker) Date: Sat, 07 Feb 2009 13:21:23 +0100 Subject: Need a command to suppress In-Reply-To: <20090206045715.09cf4d44@mail.asciiking.com> References: <180130.89878.qm@web33102.mail.mud.yahoo.com> <20090206045715.09cf4d44@mail.asciiking.com> Message-ID: <200902071321.27847@thufir.ingo-kloecker.de> On Friday 06 February 2009, Chris Babcock wrote: > On Wed, 4 Feb 2009 06:11:32 -0800 (PST) > > raj raj wrote: > > Is there a command to suppress these 2 lines? > > gpg: Signature made using DSA key ID > > gpg: Good signature xxxxxx.com It would help if you'd tell us why you want to suppress those 2 lines. > Add "'" | grep -v "Signature made" | grep -v "Good signature" "'" to > the end of the command. 
> Using "grep -v" inverts the match so only
> lines that do *not* contain the matching text are passed to stdout.
>
> Of course that's no help for Windows, but...

It's also no help on other OS because those grep's would also eliminate the two above lines.

I think a much better solution is usage of --status-fd or --status-file (--status-file /dev/null ?).

Regards,
Ingo

From joel_rees at sannet.ne.jp Sat Feb 7 15:26:51 2009
From: joel_rees at sannet.ne.jp (Joel Rees)
Date: Sat, 7 Feb 2009 23:26:51 +0900
Subject: ~/.gnupg owned by root
In-Reply-To: <20090207115350.GA490@proton.bohnomat.de>
References: <6CFF9747-CD3A-48DE-93BC-94AF8FF95C8F@sannet.ne.jp> <20090207115350.GA490@proton.bohnomat.de>
Message-ID: <66F995A8-047F-4EF1-BC7C-0CA4A29FD309@sannet.ne.jp>

On ?? 21/02/07, at 20:53, thomas at bohnomat.de wrote:

> On 17:35, Sat 07 Feb 09, Joel Rees wrote:
>
>> Anybody got any idea why my non-root admin user's ~/.gnupg
>> directory is
>> or should be owned by root?
>
> Maybe you did use gpg via sudo. It shouldn't be owned by root.

I think my first use was as my admin login. I don't think I did the make check via sudo, but I might have.

I chown-ed it to the user. I suppose I should look inside and see if I can tell what I did from what's there.

Thanks.
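
The --status-fd approach suggested earlier in this thread, worked through as an added example (not code from any poster or from the GnuPG project): the outcome of a signature check is decided from the machine-readable "[GNUPG:]" status lines, and the human-readable log is neither shown nor filtered. The function names and every sample line are constructed for illustration; the status keywords are the ones documented in GnuPG's doc/DETAILS.

```python
"""Decide a signature check from gpg's --status-fd lines, not its log text."""
import subprocess

PREFIX = "[GNUPG:] "
# Status keywords (GnuPG doc/DETAILS) that mean the check did not succeed.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(text):
    """Yield (keyword, args) for each status line; skip everything else."""
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                yield fields[0], fields[1:]


def verdict(status_text, expected_fpr=None):
    """Summarise one signature check (a single signature is assumed)."""
    result = {"ok": False, "signer": None, "fingerprint": None, "problems": []}
    good = False
    for keyword, args in parse_status(status_text):
        if keyword == "GOODSIG":
            good = True
            result["signer"] = " ".join(args[1:])
        elif keyword == "VALIDSIG" and args:
            # The 10th field is the primary key fingerprint when gpg reports
            # it; otherwise fall back to the signing key's (first field).
            result["fingerprint"] = args[9] if len(args) > 9 else args[0]
        elif keyword in FAILURES:
            result["problems"].append(keyword)
    if expected_fpr is not None:
        wanted = expected_fpr.replace(" ", "").upper()
        if result["fingerprint"] != wanted:
            result["problems"].append("UNEXPECTED_KEY")
    result["ok"] = (good and result["fingerprint"] is not None
                    and not result["problems"])
    return result


def verify_detached(sig_path, data_path, expected_fpr=None):
    """Run gpg quietly: status lines on stdout, human-readable log dropped."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        text=True, check=False)
    return verdict(proc.stdout, expected_fpr)


# Constructed samples: key ID, fingerprint and signer name are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_SAMPLE = """\
gpg: Signature made Sat Feb  7 12:00:00 2009 using DSA key ID 01234567
[GNUPG:] SIG_ID constructedSigId 2009-02-07 1234008000
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
gpg: Good signature from "Example Signer <signer@example.org>"
[GNUPG:] VALIDSIG {fpr} 2009-02-07 1234008000 0 3 0 17 2 00 {fpr}
[GNUPG:] TRUST_ULTIMATE
""".format(fpr=FPR)
BAD_SAMPLE = """\
gpg: BAD signature from "Example Signer <signer@example.org>"
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>
"""
# Text that only looks like gpg's log line, with no status line behind it.
LOOKALIKE_SAMPLE = 'gpg: Good signature from "Example Signer"\n'

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE),
                         ("lookalike", LOOKALIKE_SAMPLE)):
        print(name, verdict(sample, expected_fpr=FPR))
```

A script that calls verify_detached() has nothing to suppress, because the two log lines in question never reach its output; for --decrypt, the plaintext should go to a file with --output so that it cannot mix with the status lines.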

From cbabcock at kolonelpanic.com Sat Feb 7 15:46:41 2009
From: cbabcock at kolonelpanic.com (Chris Babcock)
Date: Sat, 7 Feb 2009 07:46:41 -0700
Subject: Need a command to suppress
In-Reply-To: <200902071321.27847@thufir.ingo-kloecker.de>
References: <180130.89878.qm@web33102.mail.mud.yahoo.com> <20090206045715.09cf4d44@mail.asciiking.com> <200902071321.27847@thufir.ingo-kloecker.de>
Message-ID: <20090207074641.4ee00076@mail.asciiking.com>

On Sat, 07 Feb 2009 13:21:23 +0100
Ingo Klöcker wrote:

> > > Is there are command to supress these 2 lines.
> > > gpg: Signature made using DSA key ID
> > > gpg: Good signature xxxxxx.com
>
> It would help if you'd tell us why you want to suppress those 2 lines.
>
> > Add "'" | grep -v "Signature made" | grep -v "Good signature" "'" to
> > the end of the command. Using "grep -v" inverts the match so only
> > lines that do *not* contain the matching text are passed to stdout.
> >
> > Of course that's no help for Windows, but...
>
> It's also no help on other OS because those grep's would also
> eliminate the two above lines.

I think you missed the meaning of suppress and/or invert. Might be a language issue.

Don't trust me. Test it on some text with a known good signature and fix the targets if you get any unwanted matches.

Best,
Chris

From roam at ringlet.net Sat Feb 7 16:34:34 2009
From: roam at ringlet.net (Peter Pentchev)
Date: Sat, 7 Feb 2009 17:34:34 +0200
Subject: Need a command to suppress
In-Reply-To: <20090207074641.4ee00076@mail.asciiking.com>
References: <180130.89878.qm@web33102.mail.mud.yahoo.com> <20090206045715.09cf4d44@mail.asciiking.com> <200902071321.27847@thufir.ingo-kloecker.de> <20090207074641.4ee00076@mail.asciiking.com>
Message-ID: <20090207153434.GA93514@straylight.m.ringlet.net>

On Sat, Feb 07, 2009 at 07:46:41AM -0700, Chris Babcock wrote:
> On Sat, 07 Feb 2009 13:21:23 +0100
> Ingo Klöcker wrote:
>
> > > > Is there are command to supress these 2 lines.
> > > > gpg: Signature made using DSA key ID
> > > > gpg: Good signature xxxxxx.com
> >
> > It would help if you'd tell us why you want to suppress those 2 lines.
> >
> > > Add "'" | grep -v "Signature made" | grep -v "Good signature" "'" to
> > > the end of the command. Using "grep -v" inverts the match so only
> > > lines that do *not* contain the matching text are passed to stdout.
> > >
> > > Of course that's no help for Windows, but...
> >
> > It's also no help on other OS because those grep's would also
> > eliminate the two above lines.
>
> I think you missed the meaning of suppress and/or invert. Might be a
> language issue.
>
> Don't trust me. Test it on some text with a known good signature and
> fix the targets if you get any unwanted matches.

I think what Ingo meant was that these greps might do both more and less than you actually intend them to.

More: if those grep's are done on the full output of, say, gpg --decrypt or something similar, then they could also remove *actual text*, not just gpg's status output. This could be... well, let's just say "bad" :)

Less: have you actually bothered to check the result of either "gpg --verify ... | grep -v" or "gpg --decrypt ... | grep -v" ?
In both cases, gpg sends the status information to the standard error stream, NOT the standard output stream, so "grep" does, erm, nothing with it :)

Both of those issues are addressed by Ingo's idea of using --status-fd or, even better, --status-file instead.

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
The rest of this sentence is written in Thailand, on

From ian at ushills.co.uk Sat Feb 7 18:11:56 2009
From: ian at ushills.co.uk (Ian Hill)
Date: Sat, 07 Feb 2009 17:11:56 +0000
Subject: Copy subkeys to primary key
Message-ID: <498DC0DC.50904@ushills.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For whatever reason I now have two versions of my private key one without the ELG encryption key and primary key, the other without the RSA signing key.

How can I combine them so I have one secret key with both the ELG and RSA subkeys under the primary key.

This is my new key

sec# 1024D/BE7E87FD 2007-03-14
uid ushills (Secure email to ushills.co.uk)
uid Ian Hill (Work Email)
uid Web Ushills
uid Ian Hill
uid Ian Hill
uid Ian Hill
ssb 2048R/4436432A 2009-02-06

This is my old key

sec 1024D/BE7E87FD 2007-03-14
uid ushills (Secure email to ushills.co.uk)
uid Web Ushills
uid Ian Hill
ssb 2048g/3173413E 2007-03-14

How do I copy the key 4436432A to my primary key BE7E87FD, as my new key lacks the primary key and the encryption key 3173413E.
Thanks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Sat Feb 7 21:25:24 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sat, 07 Feb 2009 17:25:24 -0300
Subject: Copy subkeys to primary key
In-Reply-To: <498DC0DC.50904@ushills.co.uk>
References: <498DC0DC.50904@ushills.co.uk>
Message-ID: <498DEE34.7030701@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ian Hill wrote:
> For whatever reason I now have two versions of my private key one
> without the ELG encryption key and primary key, the other without the
> RSA signing key.

I have another idea to try... you have been trying to import the subkeys into the key that has the primary key... What about importing the main key (and its subkeys) into a keyring containing the subkeys?

I would:

1.- Make a backup of my keyrings and trustdb.
2.- Export my main key with all its stuff.
3.- Delete my main key (and subkeys).
4.- Import the subkeys.
5.- Import the main key.

If everything goes well, and you finally have all the stuff together, I would:

6.- Export the mainkey and subkeys.
7.- Restore the backed up secring.gpg, pubring.gpg and trustdb.gpg
8.- Import the whole key (main with all the subkeys).

And in future, I'd try not to do different edit operations to my key in different machines... just in case.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From malte.gell at gmx.de Sat Feb 7 21:33:04 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Sat, 7 Feb 2009 21:33:04 +0100
Subject: (SOLVED) Re: OpenPGP card not accessible
In-Reply-To: <200902052233.32496.malte.gell@gmx.de>
References: <200902052233.32496.malte.gell@gmx.de>
Message-ID: <200902072133.25665.malte.gell@gmx.de>

For whom it may concern and Google cache:

I found the source of trouble. I had to give one additional parameter to gpg-agent:

--scdaemon-program /usr/bin/scdaemon

After specifying this parameter I was able to successfully access the openPGP card with pcsc drivers and a Reiner SCT e-com.

On e.g. openSUSE open /etc/X11/xdm/sys.xsession and look for the line that starts with "set -- $gpgagent --sh --daemon.........." add to this line: --scdaemon-program /usr/bin/scdaemon and the error described below is gone.

On Thursday, 5 February 2009 22:33:23, Malte Gell wrote:
> gpg --card-edit but i cannot do anything, because GnuPG immediately exists
> and says there was no card....
>
> gpg --card-edit first detectd the card and then suddenly says "OpenPGP
> card is not available", though it is still in the card reader....
>
> I use gpg 2.0.9 and the Reiner SCT ctapi-driver, scdaemon.conf looks like
> this:
>
> ctapi-driver libctapi-cyberjack.so
> reader-port 1
>
> The ctapi driver seem to be the only way to access the card a little bit,
> but it still does not work correctly...
>
> If someone have some experience about these issues, let me know
>
> Malte
>
>
>
> Application ID ...: D2760001240101010001000015CB0000
> Version ..........: 1.1
> Manufacturer .....: PPC Card Systems
> Serial number ....: 000015CB
> Name of cardholder: [not set]
> Language prefs ...: de
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Max. PIN lengths .: 254 254 254
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: [none]
> Authentication key: [none]
> General key info..: [none]
>
> Command> scdaemon[19663]: updating status of slot 0 to 0x0007
> scdaemon[19663]: client pid is 19662, sending signal 12
> scdaemon[19663.0] DBG: <- [EOF]
> scdaemon[19663]: handler for fd -1 terminated
> scdaemon[19663]: scdaemon (GnuPG) 2.0.9 stopped
>
>
> gpg: OpenPGP card not available: IPC write error
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

From malte.gell at gmx.de Sat Feb 7 21:50:20 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Sat, 7 Feb 2009 21:50:20 +0100
Subject: openPGP card, cant change admin pin
Message-ID: <200902072150.23688.malte.gell@gmx.de>

Hi there,

I wanted to change the pins of my new card and invoked gpg --change-pin I was able to select point one, was asked for the old pin and entered the new one and affirmed. Then I chose point three "change Admin PIN", but gpg said "no permission"!? How can I now change the admin pin and why did gpg not allow to change it?

By the way, does gpg explicitly say when it needs the "normal" pin and the admin pin? Does the card become useless after three times wrong pin?
Malte

From db111 at freemail.hu Sat Feb 7 21:51:13 2009
From: db111 at freemail.hu (Csabi)
Date: Sat, 7 Feb 2009 21:51:13 +0100 (CET)
Subject: GPG - how to update keys to a new format?
Message-ID:

Hello!

I imported my old keys (made with PGP 2.6.3I and PGP 5.0) to my GPG keyring, but GPG didn't ask me that I want to update my old keys to a new DSA key... What can I do to convert my old keys?

Sincerely,
Csabi

From gerry.lowry at abilitybusinesscomputerservices.com Sat Feb 7 22:30:31 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sat, 7 Feb 2009 16:30:31 -0500
Subject: GPG - how to update keys to a new format?
References:
Message-ID:

I'm just guessing but I doubt you can do that; I think you need to generate new keys and revoke your old keys.

Keys are cast to be impregnable which is why I suspect that the keys are not updateable. You can AFAIK add and change information; e.g., add a picture but I would be surprised if you can actually tamper with the actual generated keys.

regards, gerry (lowry)

From malte.gell at gmx.de Sun Feb 8 00:12:16 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Sun, 8 Feb 2009 00:12:16 +0100
Subject: openPGP card, cant change admin pin
In-Reply-To: <200902072150.23688.malte.gell@gmx.de>
References: <200902072150.23688.malte.gell@gmx.de>
Message-ID: <200902080012.19493.malte.gell@gmx.de>

On Saturday, 7 February 2009 21:50:20, Malte Gell wrote:
> Hi there,
>
> i wanted to change the pins of my new card and invoked gpg --change-pin I
> was able to select point one, was asked for the old pin and entered the new
> one and affirmed. Then I chose point three "change Admin PIN", but gpg said
> "no permission"!? How can I now change the admin pin and why did gpg not
> allow to change it?
gpg --card-edit
passwd
then asked for the PIN, default pin "123456" entered
asked for the new pin, new pin entered twice
and then this
"Error changing the PIN: Conditions of use not satisfied"

When I try to change the admin pin something similar, "permission denied". What is wrong, why can't I change the pins?

From rjh at sixdemonbag.org Sun Feb 8 00:21:59 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 07 Feb 2009 18:21:59 -0500
Subject: GPG - how to update keys to a new format?
In-Reply-To:
References:
Message-ID: <498E1797.4050505@sixdemonbag.org>

Csabi wrote:
> What can i do to convert my old keys?

You are going to be better served by generating a new keypair.

From malte.gell at gmx.de Sun Feb 8 09:29:38 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Sun, 8 Feb 2009 09:29:38 +0100
Subject: openPGP card, cant change admin pin, can't change name
In-Reply-To: <200902080012.19493.malte.gell@gmx.de>
References: <200902072150.23688.malte.gell@gmx.de> <200902080012.19493.malte.gell@gmx.de>
Message-ID: <200902080929.45798.malte.gell@gmx.de>

On Sunday, 8 February 2009 00:12:16, Malte Gell wrote:
> gpg --card-edit
> passwd
> then asked for the PIN, default pin "123456" entered
> asked for the new pin, new pin entered twice
> and then this
> "Error changing the PIN: Conditions of use not satisfied"

Too stupid, the pin needs to be 6 digits of course..

> When I try to change the admin pin something similar, "permission denied".
> What is wrong, why can't I change the pins?

does still now work, what is wrong there, why don't I have the permission to change the admin pin?

2[malte_gell at linux-61r3]4867 09:25~> gpg --change-pin
gpg: OpenPGP card no. XXXXX detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
Error changing the PIN: Permission denied

The same happens when trying to change the name:

Command> name
Cardholder's surname: Gell
Cardholder's given name: Malte
gpg: error setting Name: Permission denied

From benjamin at py-soft.co.uk Sun Feb 8 10:26:24 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 8 Feb 2009 09:26:24 +0000
Subject: openPGP card, cant change admin pin, can't change name
In-Reply-To: <200902080929.45798.malte.gell@gmx.de>
References: <200902072150.23688.malte.gell@gmx.de> <200902080012.19493.malte.gell@gmx.de> <200902080929.45798.malte.gell@gmx.de>
Message-ID: <732076a80902080126j69dbff01l68aea4880e21feb1@mail.gmail.com>

2009/2/8 Malte Gell :
> does still now work, what is wrong there, why don't I have the permission to
> change the admin pin?

It's all covered in the list archives and in the manpages:

SCDAEMON:

--allow-admin
--deny-admin
    This enables the use of Admin class commands for card applications where this is supported. Currently we support it for the OpenPGP card. Deny is the default. This commands is useful to inhibit accidental access to admin class command which could ultimately lock the card through wrong PIN numbers.

So, edit ~/.gnupg/scdaemon.conf and add the line "allow-admin".

Ben

From ian at ushills.co.uk Sun Feb 8 11:06:13 2009
From: ian at ushills.co.uk (Ian Hill)
Date: Sun, 08 Feb 2009 10:06:13 +0000
Subject: Copy subkeys to primary key
In-Reply-To: <498DEE34.7030701@gmail.com>
References: <498DC0DC.50904@ushills.co.uk> <498DEE34.7030701@gmail.com>
Message-ID: <498EAE95.1030303@ushills.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for trying this did not work either, however, I managed to expire the signing keys and create a new one. I now have my primary, encryption and signing key that work!
Faramir wrote:
> Ian Hill wrote:
>> For whatever reason I now have two versions of my private key one
>> without the ELG encryption key and primary key, the other without the
>> RSA signing key.
>
> I have another idea to try... you have been trying to import the
> subkeys into the key that has the primary key... What about importing
> the main key (and it's subkeys) into a keyring containing the subkeys?
>
> I would:
>
> 1.- Make a backup of my keyrings and trustdb.
> 2.- Export my main key with all it's stuff.
> 3.- Delete my main key (and subkeys).
> 4.- Import the subkeys.
> 5.- Import the main key.
>
> If everything goes well, and you finally have all the stuff together,
> I would:
>
> 6.- Export the mainkey and subkeys.
> 7.- Restore the backed up secring.gpg, pubring.gpg and trustdb.gpg
> 8.- Import the whole key (main with all the subkeys).
>
> And in future, I'd try to don't do different edit operations to my
> key in different machines... just in case.
>
> Best Regards

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From ian at ushills.co.uk Sun Feb 8 11:48:53 2009
From: ian at ushills.co.uk (Ian Hill)
Date: Sun, 08 Feb 2009 10:48:53 +0000
Subject: Paperkey question
Message-ID: <498EB895.7090904@ushills.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have a question about paperkey, bearing in mind that
this application may not always be available can one restore the secret key just using the printed paperkey and the public key from keyservers manually.

Otherwise if I know I can always get a copy of the application from a cd or usb isn't that the same as keeping my secret key on cd or usb.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Sun Feb 8 12:06:58 2009
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 08 Feb 2009 08:06:58 -0300
Subject: Paperkey question
In-Reply-To: <498EB895.7090904@ushills.co.uk>
References: <498EB895.7090904@ushills.co.uk>
Message-ID: <498EBCD2.9060405@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ian Hill wrote:
> I have a question about paperkey, bearing in mind that this application
> may not always be available can one restore the secret key just using
> the printed paperkey and the public key from keyservers manually.

I know David Shaw considered that possibility, however, I didn't understand the solution in case paperkey is not available... So I'll take a look at answers to that question...

> Otherwise if I know I can always get a copy of the application from a cd
> or usb isn't that the same a keeping my secret key on cd or usb.

Right, I sent myself a copy of paperkey, to my e-mail account at gmail and yahoo... one of them should survive...
and if the program can't run on the operating systems available at the time when it is needed, I suppose there will still be virtual machines or emulators capable of making it run... if not, probably it will also be the time to make new keys.

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Sun Feb 8 12:17:10 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 8 Feb 2009 11:17:10 +0000
Subject: Paperkey question
In-Reply-To: <498EBCD2.9060405@gmail.com>
References: <498EB895.7090904@ushills.co.uk> <498EBCD2.9060405@gmail.com>
Message-ID: <732076a80902080317k3ff52cd9n7f27f3985c3256ef@mail.gmail.com>

2009/2/8 Faramir :
> Right, I sent myself a copy of paperkey, to my e-mail account at gmail
> and yahoo... one of them should survive... and if the program can't run
> on the operating systems available at the time when it is needed, I
> suppose there will still be virtual machines or emulators capable of
> making it run... if not, probably it will also be the time to make new keys.

I thought the idea was to print it out and either enter it by hand or use OCR?
Ben

From benjamin at py-soft.co.uk Sun Feb 8 12:36:21 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 8 Feb 2009 11:36:21 +0000
Subject: Paperkey question
In-Reply-To: <498EC2DF.70803@ushills.co.uk>
References: <498EB895.7090904@ushills.co.uk> <498EBCD2.9060405@gmail.com> <732076a80902080317k3ff52cd9n7f27f3985c3256ef@mail.gmail.com> <498EC2DF.70803@ushills.co.uk>
Message-ID: <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com>

2009/2/8 Ian Hill :
> Correct you print it out, but I cannot find how to re-compile the key
> manually from the paperkey and the public key. If you can do this
> without the paperkey programme this seems a good solution, otherwise why
> not keep an e-copy of your secret key as this is likely to survive just
> as well as the paperkey program.

Because media degrades and unlikely that the media of today will be readable in the future. For example, you can't get 8" or 5.25" floppies for love nor money these days and 3.5' floppies are likely to go the same way.

However, paper lasts a very long time. It's your call and depends how much your key means to you. Personally, I reckon that your key is more likely to become useless in the future.

Ben

From dshaw at jabberwocky.com Sun Feb 8 16:25:54 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 8 Feb 2009 10:25:54 -0500
Subject: Paperkey question
In-Reply-To: <498EB895.7090904@ushills.co.uk>
References: <498EB895.7090904@ushills.co.uk>
Message-ID: <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com>

On Feb 8, 2009, at 5:48 AM, Ian Hill wrote:

> I have a question about paperkey, bearing in mind that this
> application
> may not always be available can one restore the secret key just using
> the printed paperkey and the public key from keyservers manually.

Yes, you can. That was one of the design goals in paperkey. I wanted to avoid the need for a program that may not be readily available when you need it.
Paperkey automatically prints out instructions on how to restore the key. It's easier, of course, to use paperkey to do the work, but in a pinch you can do it by hand.

David

From kloecker at kde.org Sun Feb 8 16:36:48 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 08 Feb 2009 16:36:48 +0100
Subject: Paperkey question
In-Reply-To: <498EB895.7090904@ushills.co.uk>
References: <498EB895.7090904@ushills.co.uk>
Message-ID: <200902081636.53181@thufir.ingo-kloecker.de>

On Sunday 08 February 2009, Ian Hill wrote:
> I have a question about paperkey, bearing in mind that this
> application may not always be available can one restore the secret
> key just using the printed paperkey and the public key from
> keyservers manually.

Yes. All you need to know is the format used by paperkey, the format of OpenPGP keys and a good hex editor.

Regards,
Ingo

From alex at amiryan.org Sun Feb 8 16:44:51 2009
From: alex at amiryan.org (Alex Amiryan)
Date: Sun, 08 Feb 2009 19:44:51 +0400
Subject: Paperkey question
In-Reply-To: <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com>
References: <498EB895.7090904@ushills.co.uk> <498EBCD2.9060405@gmail.com> <732076a80902080317k3ff52cd9n7f27f3985c3256ef@mail.gmail.com> <498EC2DF.70803@ushills.co.uk> <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com>
Message-ID: <498EFDF3.3040406@amiryan.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've printed out my paperkey and keeping it in my home. I am not making any illegal things, so police will not come to investigate my house one day :).
So it is secure for me in case that one day my home and work computers explode at the same time :)

Benjamin Donnachie wrote:
> 2009/2/8 Ian Hill :
>> Correct you print it out, but I cannot find how to re-compile the key
>> manually from the paperkey and the public key. If you can do this
>> without the paperkey programme this seems a good solution, otherwise why
>> not keep an e-copy of your secret key as this is likely to survive just
>> as well as the paperkey program.
>
> Because media degrades and unlikely that the media of today will be
> readable in the future. For example, you can't get 8" or 5.25"
> floppies for love nor money these days and 3.5' floppies are likely to
> go the same way.
>
> However, paper lasts a very long time. It's your call and depends how
> much your key means to you. Personally, I reckon that your key is
> more likely to become useless in the future.
>
> Ben

- --
Alex Amiryan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
-----END PGP SIGNATURE-----

From ian at ushills.co.uk Sun Feb 8 16:59:49 2009
From: ian at ushills.co.uk (Ian Hill)
Date: Sun, 08 Feb 2009 15:59:49 +0000
Subject: Paperkey question
In-Reply-To: <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com>
References: <498EB895.7090904@ushills.co.uk> <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com>
Message-ID: <498F0175.2030701@ushills.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David

Can you explain the instructions, do you just add the octets to the end of the public key.
Is this the same with multiple subkeys.

David Shaw wrote:
> On Feb 8, 2009, at 5:48 AM, Ian Hill wrote:
>
>> I have a question about paperkey, bearing in mind that this application
>> may not always be available can one restore the secret key just using
>> the printed paperkey and the public key from keyservers manually.
>
> Yes, you can. That was one of the design goals in paperkey. I wanted
> to avoid the need for a program that may not be readily available when
> you need it. Paperkey automatically prints out instructions on how to
> restore the key. It's easier, of course, to use paperkey to do the
> work, but in a pinch you can do it by hand.
>
> David
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----

From kloecker at kde.org Sun Feb 8 17:40:52 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Sun, 08 Feb 2009 17:40:52 +0100
Subject: Paperkey question
In-Reply-To: <498EFDF3.3040406@amiryan.org>
References: <498EB895.7090904@ushills.co.uk> <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com> <498EFDF3.3040406@amiryan.org>
Message-ID: <200902081740.53943@thufir.ingo-kloecker.de>

On Sunday 08 February 2009, Alex Amiryan wrote:
> I've printed out my paperkey and keeping it in my home. I am not
> making any illegal things, so police will not come to investigate my
> house one day :).

You are using GnuPG. Unfortunately, this makes you suspicious in the eyes of lots of people.
> So it is secure for me in case that one day my home
> and work computers explode at the same time :)

But it's gone if your home and your work place explode at the same time.

Regards,
Ingo

From lists_de at zemisch.de Sun Feb 8 17:00:38 2009
From: lists_de at zemisch.de (Dirk Zemisch)
Date: Sun, 8 Feb 2009 17:00:38 +0100
Subject: Paperkey question
In-Reply-To: <200902081636.53181@thufir.ingo-kloecker.de>
References: <498EB895.7090904@ushills.co.uk> <200902081636.53181@thufir.ingo-kloecker.de>
Message-ID: <20090208170038.00006118@unknown>

Hello Ingo, hello GnuPG Users,

On Sun, 08 Feb 2009 16:36:48 +0100
Ingo Klöcker wrote:

> On Sunday 08 February 2009, Ian Hill wrote:
> > I have a question about paperkey, bearing in mind that this
> > application may not always be available can one restore the secret
> > key just using the printed paperkey and the public key from
> > keyservers manually.
>
> Yes. All you need to know is the format used by paperkey, the format
> of OpenPGP keys and a good hex editor.

Does it mean, that anybody who gets the paperkey printout can restore my private key - even if he doesn't know my passphrase? Sure?

Regards
Dirk
--

From benjamin at py-soft.co.uk Sun Feb 8 17:46:43 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sun, 8 Feb 2009 16:46:43 +0000
Subject: Paperkey question
In-Reply-To: <200902081740.53943@thufir.ingo-kloecker.de>
References: <498EB895.7090904@ushills.co.uk> <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com> <498EFDF3.3040406@amiryan.org> <200902081740.53943@thufir.ingo-kloecker.de>
Message-ID: <732076a80902080846p405dd2aanf8f9350ffb1d680a@mail.gmail.com>

2009/2/8 Ingo Klöcker :
> But it's gone if your home and your work place explode at the same time.
I think my key would be the last of my worries in such circumstances. Ben From dshaw at jabberwocky.com Sun Feb 8 17:55:38 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 8 Feb 2009 11:55:38 -0500 Subject: Paperkey question In-Reply-To: <20090208170038.00006118@unknown> References: <498EB895.7090904@ushills.co.uk> <200902081636.53181@thufir.ingo-kloecker.de> <20090208170038.00006118@unknown> Message-ID: <75C23EB5-5481-4487-B6C1-6A79D4E007E0@jabberwocky.com> On Feb 8, 2009, at 11:00 AM, Dirk Zemisch wrote: > Hello Ingo, hello GnuPG Users, > > On Sun, 08 Feb 2009 16:36:48 +0100 > Ingo Kl?cker wrote: > >> On Sunday 08 February 2009, Ian Hill wrote: >>> I have a question about paperkey, bearing in mind that this >>> application may not always be available can one restore the secret >>> key just using the printed paperkey and the public key from >>> keyservers manually. >> >> Yes. All you need to know is the format used by paperkey, the format >> of OpenPGP keys and a good hex editor. > > Does it mean, that anybody who gets the papekey printout can restore > my > private key - even if he doesn't know my passphrase? Sure? Yes and no. Someone could restore your private key in the sense that they could recreate the same secret key file that you have. However, they could not use it as the paper key has the same passphrase as your secret key. You should protect the paper the same way you protect your electronic secret key. David From bahamutzero8825 at gmail.com Sun Feb 8 17:47:48 2009 From: bahamutzero8825 at gmail.com (Andrew Berg) Date: Sun, 08 Feb 2009 10:47:48 -0600 Subject: What do if forgot password? Message-ID: <498F0CB4.2070608@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 don rhummy wrote: > What does GPG have to recover my data if i forgot my password? Well, it won't stop you from trying to brute-force guess your password until you get it right. 
Of course, depending on what you do remember about your passphrase, how long it is, how strong it is, and what tools you use, it could take anywhere from a few minutes to a few millennia. Other than that, nothing. There are no back doors, no type of "magic" to get your data back to its original form, nothing. Would you really want to use a program that would allow for such capabilities, though? After all, no software is going to be perfect and definitively know who wants to recover that data. gerry_lowry (alliston ontario canada) wrote: > http://sixdemonbag.org/cryptofaq.xhtml#agencies does not like my IE7. The feeling is mutual. Microsoft doesn't feel it's necessary to follow web standards, likely because they want to impose their own proprietary standards. Thankfully, they have not had much success (we have the late Netscape to thank for this). Robert J. Hansen wrote: > I try not to join ... IE-bashing ... More torches and pitchforks for the rest of us, then. - -- Key ID: 0xF88E034060A78FCB Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB Windows NT 6.0.6001.18145 | GPG 1.4.9 | Thunderbird 2.0.0.17 | Enigmail 0.95.7 From malte.gell at gmx.de Sun Feb 8 18:25:42 2009 From: malte.gell at gmx.de (Malte Gell) Date: Sun, 8 Feb 2009 18:25:42 +0100 Subject: openPGP card, cant change admin pin, can't change name In-Reply-To: <732076a80902080126j69dbff01l68aea4880e21feb1@mail.gmail.com> References:
<200902072150.23688.malte.gell@gmx.de> <200902080929.45798.malte.gell@gmx.de> <732076a80902080126j69dbff01l68aea4880e21feb1@mail.gmail.com> Message-ID: <200902081825.44329.malte.gell@gmx.de> Hello, On Sunday, 8 February 2009 10:26:24, Benjamin Donnachie wrote: > 2009/2/8 Malte Gell: > > does still now work, what is wrong there, why don't I have the permission > > to change the admin pin? > So, edit ~/.gnupg/scdaemon.conf and add the line "allow-admin". Thanx for that hint, actually, I do read manpages and I knew that option before and played with it, I don't know why it has not worked before, I put it in scdaemon.conf and it works now. Fine :-) Malte From lists_de at zemisch.de Sun Feb 8 19:12:10 2009 From: lists_de at zemisch.de (Dirk Zemisch) Date: Sun, 8 Feb 2009 19:12:10 +0100 Subject: Fw: Paperkey question Message-ID: <20090208191210.000031ab@unknown> Hello, I've got some answers as PM, maybe they are interesting also for other list members... My question was: >> Does it mean, that anybody who gets the paperkey printout can >> restore my private key - even if he doesn't know my passphrase? Sure? From David Shaw came the following: > Yes and no. Someone could restore your private key in the sense > that they could recreate the same secret key file that you have. > However, they could not use it as the paper key has the same > passphrase as your secret key. > You should protect the paper the same way you protect your > electronic secret key. And from Ian: > No the paperkey is encrypted with your passphrase as well. They > could restore your secret key but would not know but would need your > passphrase to use it. Thanks for the answers. I always was ready to burn my paperkey print. Now I don't need to do so.
;-) Regards, Dirk From alex at amiryan.org Sun Feb 8 19:56:27 2009 From: alex at amiryan.org (Alex Amiryan) Date: Sun, 08 Feb 2009 22:56:27 +0400 Subject: Paperkey question In-Reply-To: <200902081740.53943@thufir.ingo-kloecker.de> References: <498EB895.7090904@ushills.co.uk> <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com> <498EFDF3.3040406@amiryan.org> <200902081740.53943@thufir.ingo-kloecker.de> Message-ID: <498F2ADB.5000900@amiryan.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ingo Kl?cker wrote: > On Sunday 08 February 2009, Alex Amiryan wrote: >> I've printed out my paperkey and keeping it in my home. I am not >> making any illegal things, so police will not come to investigate my >> house one day :). > > You are using GnuPG. Unfortunately, this makes you suspicious in the > eyes of lots of people. > No, I don't agree with that. For example I am using GnuPG to send sensitive information, such as monthly invoices to tax service. I don't want somebody to intercept these documents, thats why I am using GnuPG. Using GnuPG is not meaning that I am hiding illegal things. Just I am using my right of privacy. For example if I am saying something quietly to my friend, it is not meaning that I am saying bad things about somebody. > >> So it is secure for me in case that one day my home >> and work computers explode at the same time :) > > But it's gone if your home and your work place explode at the same time. I wrote, if my home and work COMPUTERS explode at the same time. For example because of electric shock (It happened to me twice in my life :)). 
> > Regards, > Ingo - -- Alex Amiryan From dshaw at jabberwocky.com Sun Feb 8 20:25:01 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 8 Feb 2009 14:25:01 -0500 Subject: GPG - how to update keys to a new format? In-Reply-To: References: Message-ID: <636BC288-A95D-46ED-B834-70C132B3ECF6@jabberwocky.com> On Feb 7, 2009, at 3:51 PM, Csabi wrote: > Hello! > > I imported my old keys (made with PGP 2.6.3I and PGP 5.0) to my GPG > keyring, but GPG didn't ask me that i want to update my old keys to a > new DSA key... You can't convert a PGP 2.6 key. GPG will happily use it (within some limits, notably the IDEA cipher), but there is no way to convert it into another sort of key. I'd recommend revoking any key that was generated with PGP 5.0.
There were problems with the random number generator in that version: http://www.cert.org/advisories/CA-2000-09.html David From kloecker at kde.org Sun Feb 8 21:30:25 2009 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sun, 08 Feb 2009 21:30:25 +0100 Subject: Paperkey question In-Reply-To: <498F2ADB.5000900@amiryan.org> References: <498EB895.7090904@ushills.co.uk> <200902081740.53943@thufir.ingo-kloecker.de> <498F2ADB.5000900@amiryan.org> Message-ID: <200902082130.40052@thufir.ingo-kloecker.de> On Sunday 08 February 2009, Alex Amiryan wrote: > Ingo Kl?cker wrote: > > On Sunday 08 February 2009, Alex Amiryan wrote: > >> I've printed out my paperkey and keeping it in my home. I am not > >> making any illegal things, so police will not come to investigate > >> my house one day :). > > > > You are using GnuPG. Unfortunately, this makes you suspicious in > > the eyes of lots of people. > > No, I don't agree with that. That's irrelevant. It doesn't matter what _you_ think. What matters is what police and intelligence agencies think about you using GnuPG. I'm probably exaggerating. OTOH, intelligence agencies are convinced (or at least they "say" so) that terrorists use encryption. > For example I am using GnuPG to send > sensitive information, such as monthly invoices to tax service. I > don't want somebody to intercept these documents, thats why I am > using GnuPG. Using GnuPG is not meaning that I am hiding illegal > things. Just I am using my right of privacy. I guess the same is true for all members of this mailing list. > For example if I am > saying something quietly to my friend, it is not meaning that I am > saying bad things about somebody. But you might give the impression of saying bad things about somebody. > >> So it is secure for me in case that one day my home > >> and work computers explode at the same time :) > > > > But it's gone if your home and your work place explode at the same > > time. 
> > I wrote, if my home and work COMPUTERS explode at the same time. For > example because of electric shock (It happened to me twice in my life > :)). Yes, I know what you wrote. I just wanted to point out that it might make sense to store a copy of your paperkey outside of your home and work place. Regards, Ingo From dshaw at jabberwocky.com Sun Feb 8 22:41:10 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 8 Feb 2009 16:41:10 -0500 Subject: Paperkey question In-Reply-To: <498F0175.2030701@ushills.co.uk> References: <498EB895.7090904@ushills.co.uk> <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com> <498F0175.2030701@ushills.co.uk> Message-ID: <5A6ED3A1-9750-4BEE-926A-734086AC75A5@jabberwocky.com> On Feb 8, 2009, at 10:59 AM, Ian Hill wrote: > > Can you explain the instructions, do you just add the octets to the end > of the public key. Is this the same with multiple subkeys. Yes, and yes. In OpenPGP, a secret key is just a public key with some extra stuff (the secret numbers) tacked on to the end. That's how paperkey makes the keys so small - it can safely leave off all the public key information. David From toothache200873 at yahoo.com Mon Feb 9 05:06:32 2009 From: toothache200873 at yahoo.com (Condor Kim) Date: Sun, 8 Feb 2009 20:06:32 -0800 (PST) Subject: enigmail and gnupg on linux xandros Message-ID: <806732.21227.qm@web46113.mail.sp1.yahoo.com> i have a question about using enigmail on linux. i recently bought an eee pc 901 with linux xandros on it. i added debian repo and i wanted to install enigmail on my thunderbird. but when i do a search on my synaptic i get a response that i need to install icedove together with enigmail. i looked up icedove and learned that it's something very similar to thunderbird.
i don't know if the thunderbird on my eeepc is in fact the same as icedove, and so i went ahead to install icedove and enigmail on my eeepc. but then i got the errors: e:icedove: subprocess post-installation script returned error exit status 1 e: enigmail: dependency problem -- leaving unconfigured e: dpkg was interrupted, you must manually run 'dpkg --configure - a' to correct the problem and then my eeepc crashed that night and i have to reinstall the OS can anyone tell me what's going on? and how do i install enigmail on linux xandros with thunderbird? is icedove the same as the thunderbird that came with eeepc 901? and what about gnupg itself? i saw in the synaptic that it's already installed. can it be used with thunderbird? how to use it on linux? is there a site that gives instruction? is there something on linux similar to gpg4win? thanks so much From faramir.cl at gmail.com Mon Feb 9 06:56:40 2009 From: faramir.cl at gmail.com (Faramir) Date: Mon, 09 Feb 2009 02:56:40 -0300 Subject: Fw: Paperkey question In-Reply-To: <20090208191210.000031ab@unknown> References: <20090208191210.000031ab@unknown> Message-ID: <498FC598.8080103@gmail.com> Dirk Zemisch wrote: ... > From David Shaw came the following: > >> Yes and no. Someone could restore your private key in the sense >> that they could recreate the same secret key file that you have. >> However, they could not use it as the paper key has the same >> passphrase as your secret key. ... > And from Ian: > >> No the paperkey is encrypted with your passphrase as well. They >> could restore your secret key but would not know but would need your >> passphrase to use it. > > Thanks for the answers. I always was ready to burn my paperkey > print. Now I don't need to do so. ;-) But don't forget it also means if you forget your passphrase, you are toasted...
or if your passphrase is too easy, it could be broken... Best Regards From rjh at sixdemonbag.org Mon Feb 9 07:07:51 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 09 Feb 2009 01:07:51 -0500 Subject: enigmail and gnupg on linux xandros In-Reply-To: <806732.21227.qm@web46113.mail.sp1.yahoo.com> References: <806732.21227.qm@web46113.mail.sp1.yahoo.com> Message-ID: <498FC837.5090704@sixdemonbag.org> Condor Kim wrote: > e:icedove: subprocess post-installation script returned error exit status 1 > e: enigmail: dependency problem -- leaving unconfigured > e: dpkg was interrupted, you must manually run 'dpkg --configure - a' to > correct the problem This is an Icedove and/or Xandros error. It is not an Enigmail error. For that reason, we're not able to help you out very much with it. We wish you luck with the reinstallation. A lot of people report excellent success installing plain-vanilla Ubuntu on netbooks; it might be worth a shot as opposed to the highly customized Xandros you're currently running . > and what about gnupg itself? i saw in the synaptic that it's already > installed. can it be used with thunderbird? how to use it on linux? We recommend reading the Enigmail Quick Start Guide.
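Added example (not from the list or from paperkey): the Paperkey thread's point that an OpenPGP secret key is the public key with the secret numbers appended, carried through at packet level in Python. Tag numbers and header layout are from RFC 4880; the key bytes are constructed filler, and pairing secret blobs with key packets by order is an assumption of this example.

```python
"""Rebuild an OpenPGP secret key from a public key plus per-key secret octets.

Header layout and tag numbers follow RFC 4880 (sections 4.2 and 4.3).
PUBLIC and SECRETS are constructed filler bytes, not real key material.
"""

# public key -> secret key, public subkey -> secret subkey
PUBLIC_TO_SECRET_TAG = {6: 5, 14: 7}


def parse_packets(data):
    """Split a binary (non-armored) OpenPGP stream into (tag, body, raw) tuples."""
    packets, pos = [], 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: not a packet header")
        pos += 1
        if first & 0x40:  # new-format header: tag in the low six bits
            tag, l0 = first & 0x3F, data[pos]
            if l0 < 192:
                length, pos = l0, pos + 1
            elif l0 < 224:
                length, pos = ((l0 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif l0 == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            nbytes = 1 << ltype
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        if pos + length > len(data):
            raise ValueError(f"packet at offset {start} is truncated")
        packets.append((tag, data[pos:pos + length], data[start:pos + length]))
        pos += length
    return packets


def encode_old_format(tag, body):
    """Emit an old-format packet using the shortest length field that fits."""
    for ltype, nbytes in ((0, 1), (1, 2), (2, 4)):
        if len(body) < 1 << (8 * nbytes):
            header = bytes([0x80 | (tag << 2) | ltype])
            return header + len(body).to_bytes(nbytes, "big") + body
    raise ValueError("packet body too large")


def rebuild_secret_key(public_key, secrets):
    """Turn each public (sub)key packet into a secret one; copy everything else.

    The secret octets go at the end of each key packet's body, not at the end
    of the file, and the packet header is rewritten because both the tag and
    the body length change. Assumption: secrets are listed in key order.
    """
    remaining = list(secrets)
    out = bytearray()
    for tag, body, raw in parse_packets(public_key):
        if tag in PUBLIC_TO_SECRET_TAG:
            if not remaining:
                raise ValueError("fewer secret blobs than key packets")
            out += encode_old_format(PUBLIC_TO_SECRET_TAG[tag], body + remaining.pop(0))
        else:
            out += raw  # user IDs and signatures are identical in both forms
    if remaining:
        raise ValueError("more secret blobs than key packets")
    return bytes(out)


# Constructed stand-in for an exported public key: key, user ID, signature,
# subkey, signature. The bodies are filler and would not import into GnuPG.
PUBLIC = (
    encode_old_format(6, b"\x04" + b"P" * 200)
    + encode_old_format(13, b"Paper Test <test@example.invalid>")
    + encode_old_format(2, b"S" * 70)
    + encode_old_format(14, b"\x04" + b"Q" * 250)
    + encode_old_format(2, b"T" * 70)
)
# Constructed stand-ins for the per-key octets printed by paperkey.
SECRETS = [b"\xfe" + b"a" * 62, b"\xfe" + b"b" * 84]

if __name__ == "__main__":
    rebuilt = rebuild_secret_key(PUBLIC, SECRETS)
    for tag, body, _ in parse_packets(rebuilt):
        print(f"tag {tag:2d}  body {len(body):3d} bytes")
```

Appending all the secret octets to the end of the public key file instead leaves the first packet as a public key packet and the trailing bytes outside any valid packet, which is why that file does not import as a secret key.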
From lists_de at zemisch.de Mon Feb 9 08:03:50 2009 From: lists_de at zemisch.de (Dirk Zemisch) Date: Mon, 9 Feb 2009 08:03:50 +0100 Subject: Fw: Paperkey question In-Reply-To: <498FC598.8080103@gmail.com> References: <20090208191210.000031ab@unknown> <498FC598.8080103@gmail.com> Message-ID: <20090209080350.00005c65@unknown> Hello Faramir, hello GnuPG users, On Mon, 09 Feb 2009 02:56:40 -0300 Faramir wrote: >> Thanks for the answers. I always was ready to burn my paperkey >> print. Now I don't need to do so. ;-) > But don't forget it also means if you forget your passphrase, you > are toasted... or if your passphrase is too easy, it could be > broken... But this is the same as when I lose my secret key on a USB Stick or CD or SD-Card or ... Of course one need to choose a good passphrase, but from the first statements in the actual thread it seemed to me, that the paperkey is not protected at all. But now I know that it is as good protected as my electronical key is. Have a nice day! Dirk -- From shavital at mac.com Mon Feb 9 09:15:13 2009 From: shavital at mac.com (Charly Avital) Date: Mon, 09 Feb 2009 03:15:13 -0500 Subject: enigmail and gnupg on linux xandros In-Reply-To: <498FC837.5090704@sixdemonbag.org> References: <806732.21227.qm@web46113.mail.sp1.yahoo.com> <498FC837.5090704@sixdemonbag.org> Message-ID: <498FE611.7080001@mac.com> Robert J. Hansen wrote the following on 2/9/09 1:07 AM: > Condor Kim wrote: >> e:icedove: subprocess post-installation script returned error exit status 1 >> e: enigmail: dependency problem -- leaving unconfigured >> e: dpkg was interrupted, you must manually run 'dpkg --configure - a' to >> correct the problem > > This is an Icedove and/or Xandros error. It is not an Enigmail error. > For that reason, we're not able to help you out very much with it. We > wish you luck with the reinstallation. 
A lot of people report excellent > success installing plain-vanilla Ubuntu on netbooks; it might be worth a > shot as opposed to the highly customized Xandros you're currently running I can "bear testimony" to running Ubuntu 8.10-64bits under VMware Fusion, on an Apple MacBook Intel Core 2 Duo. > . >> and what about gnupg itself? i saw in the synaptic that it's already >> installed. can it be used with thunderbird? how to use it on linux? The original distro (downloaded disk image) came with gpg 1.4.7 or 1.4.8 (I can't remember) which I updated to 1.4.9 by compiling the source code. I also compiled gpg 2.0.10rc1 and later 2.0.10 (with gpg-agent and pinentry). All run fine. GnuPG, whether gpg or gpg2 interacts very well with Thunderbird+Enigmail, thanks to the work of the Enigmail team. I have found that it is easier to install Thunderbird using Ubuntuzilla , but it's all a matter of user's choice. > > We recommend reading the Enigmail Quick Start Guide. Definitely. Charly From faramir.cl at gmail.com Mon Feb 9 09:51:57 2009 From: faramir.cl at gmail.com (Faramir) Date: Mon, 09 Feb 2009 05:51:57 -0300 Subject: enigmail and gnupg on linux xandros In-Reply-To: <806732.21227.qm@web46113.mail.sp1.yahoo.com> References: <806732.21227.qm@web46113.mail.sp1.yahoo.com> Message-ID: <498FEEAD.4050205@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Condor Kim escribi?: ... > and what about gnupg itself? i saw in the synaptic that it's already > installed. can it be used with thunderbird? how to use it on linux? is > there a site that gives instruction? is there something on linux similar > to gpg4win? Well, I have big problems trying to use ubuntu (maybe because I have never taken the time to start learning how to use it), but gpg4win is GnuPG compiled to run on windows. So gnupg on linux, depending on what version of gnupg it installed, should be exactly the same thing than gpg4win, except that it has been compiled for linux instead of windows. 
GnuPG comes in 2 flavours, there can be some differences. GPG1 is... well, the "traditional" version, while GPG2 includes GPG1, plus GPG2 and some tools. AFAIK, gpg4win implements GPG2, but you can ask the installer to install just gpg1 (and to don't install gpg2.exe and the tools). In any event, your linux should have at least gpg1, so probably enigmail can use it (I don't know if there is a minimal version required). I use GnuPG 1.4.9 on windows, and it works fine. On Ubuntu 8.10, I have GnuPG 1.4.6 (installed by default) and works perfectly with Thunderbird and Enigmail. Best Regards From faramir.cl at gmail.com Mon Feb 9 10:31:16 2009 From: faramir.cl at gmail.com (Faramir) Date: Mon, 09 Feb 2009 06:31:16 -0300 Subject: Paperkey question In-Reply-To: <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com> References: <498EB895.7090904@ushills.co.uk> <498EBCD2.9060405@gmail.com> <732076a80902080317k3ff52cd9n7f27f3985c3256ef@mail.gmail.com> <498EC2DF.70803@ushills.co.uk> <732076a80902080336m9bfa660ya7b8bfcc7e77a6c@mail.gmail.com> Message-ID: <498FF7E4.2030906@gmail.com> Benjamin Donnachie wrote: ... > Because media degrades and unlikely that the media of today will be > readable in the future. For example, you can't get 8" or 5.25" > floppies for love nor money these days and 3.5' floppies are likely to > go the same way. > > However, paper lasts a very long time.
It's your call and depends how > much your key means to you. Personally, I reckon that your key is > more likely to become useless in the future. Yes, but, IMHO, the main advantage of having a paper backup, is it is unlikely you would have a nasty surprise when you need the backup... a CD can get damaged from one year to the next one... Maybe the room will be too warm for them, or anything like that. I lost 10 CDs that were stored in their boxes, and the individual boxes stored inside the cardboard box (a 10 CDs package). They looked fine, but when I tried to read the CDs, they were unreadable. And they were not exposed to direct sun light. But a paper, maybe ink will turn grey instead of black, but it would still be readable... and probably, if the paper itself starts rotting or something, you will notice it before it's too late (or at least, you have a good chance to notice it and be able to make a new backup). Best Regards From wk at gnupg.org Mon Feb 9 10:36:11 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 09 Feb 2009 10:36:11 +0100 Subject: openPGP card, cant change admin pin, can't change name In-Reply-To: <732076a80902080126j69dbff01l68aea4880e21feb1@mail.gmail.com> (Benjamin Donnachie's message of "Sun, 8 Feb 2009 09:26:24 +0000") References: <200902072150.23688.malte.gell@gmx.de> <200902080012.19493.malte.gell@gmx.de> <200902080929.45798.malte.gell@gmx.de>
<732076a80902080126j69dbff01l68aea4880e21feb1@mail.gmail.com> Message-ID: <878wogt0j8.fsf@wheatstone.g10code.de> On Sun, 8 Feb 2009 10:26, benjamin at py-soft.co.uk said: > SCDAEMON: > --allow-admin > > --deny-admin The current default of --deny-admin is not worth all the trouble, thus the next version of gnupg will default to --allow-admin. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From ian at ushills.co.uk Mon Feb 9 13:07:49 2009 From: ian at ushills.co.uk (Ian Hill) Date: Mon, 09 Feb 2009 12:07:49 +0000 Subject: Paperkey question In-Reply-To: <5A6ED3A1-9750-4BEE-926A-734086AC75A5@jabberwocky.com> References: <498EB895.7090904@ushills.co.uk> <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com> <498F0175.2030701@ushills.co.uk> <5A6ED3A1-9750-4BEE-926A-734086AC75A5@jabberwocky.com> Message-ID: <49901C95.4050104@ushills.co.uk> David I seem to be having some problems using the papertest key provided with the application (attached) and the associated key to create a paperkey I have extracted the following octets for each key and subkey. Key 1 FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 22 90 E7 0A 58 94 51 F7 3D 5B 2A 4D 9C 26 B9 C1 AF 27 34 D3 D0 95 FE 69 9A C8 7D A4 E8 00 4E 9A 52 11 E9 C3 68 E4 BC E7 0E B2 15 D8 47 8A 6A 19 95 A6 Key 2 FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 91 84 44 F2 DB A1 1A E8 0E D4 72 82 18 FB E6 B6 85 6A 32 F6 15 E9 89 1C 7F 55 DD D5 45 EE 11 E7 DE 44 4C 2B 5B EB 2C 30 91 1E 1F F0 03 6A 2C 30 AD 55 90 6C D0 9F 39 7C E7 53 06 F2 BE F7 AE 1B A1 DE A2 1A 58 8A C5 2C Key 3 FE 03 03 02 33 E6 5A 12 FA 15 D4 24 60 91 E7 D2 F8 74 2D DB 04 38 78 DC 6B C8 A2 AC 25 6D 5D 6B DE E5 01 F8 12 19 D5 DB 33 16 2E A5 C2 AA 9E AA 72 AB 8B 3B 4D D1 9D B5 6C EF E1 31 BF 99 19 Using a hex-editor I have then appended these octets to the public key to give me the attached file. This is not the same as the secret key and cannot be imported as a secret key. What is wrong with this process. 
David Shaw wrote: > On Feb 8, 2009, at 10:59 AM, Ian Hill wrote: >> >> Can you explain the instructions, do you just add the octets to the end >> of the public key. Is this the same with multiple subkeys. > > Yes, and yes. In OpenPGP, a secret key is just a public key with some > extra stuff (the secret numbers) tacked on to the end. That's how > paperkey makes the keys so small - it can safely leave off all the > public key information. > > David > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: papertestsec.sec Type: application/octet-stream Size: 1912 bytes Desc: not available URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: paperkeyteststripped.txt URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: papertest.pub Type: application/octet-stream Size: 1700 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: papertestcompiled.sec Type: application/octet-stream Size: 1912 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Mon Feb 9 14:46:27 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 9 Feb 2009 08:46:27 -0500 Subject: Paperkey question In-Reply-To: <49901C95.4050104@ushills.co.uk> References: <498EB895.7090904@ushills.co.uk> <04C0CA7E-51C1-44BE-9B7A-5CAB2F80F05B@jabberwocky.com> <498F0175.2030701@ushills.co.uk> <5A6ED3A1-9750-4BEE-926A-734086AC75A5@jabberwocky.com> <49901C95.4050104@ushills.co.uk> Message-ID: <59F90108-4FFA-4569-A657-D40D48642705@jabberwocky.com> On Feb 9, 2009, at 7:07 AM, Ian Hill wrote: > > David > > I seem to be having some problems using the papertest key provided > with > the application (attached) and the associated key to create a > paperkey I > have extracted the following octets for each key and subkey. > > Key 1 > FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 22 90 E7 0A 58 94 51 F7 3D > 5B 2A 4D 9C 26 B9 C1 AF 27 34 D3 D0 95 FE 69 9A C8 7D A4 E8 00 4E > 9A 52 11 E9 C3 68 E4 BC E7 0E B2 15 D8 47 8A 6A 19 95 A6 > > Key 2 > FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 91 84 44 F2 DB A1 1A E8 0E > D4 72 82 18 FB E6 B6 85 6A 32 F6 15 E9 89 1C 7F 55 DD D5 45 EE 11 > E7 DE 44 4C 2B 5B EB 2C 30 91 1E 1F F0 03 6A 2C 30 AD 55 90 6C D0 > 9F 39 7C E7 53 06 F2 BE F7 AE 1B A1 DE A2 1A 58 8A C5 2C > > Key 3 > FE 03 03 02 33 E6 5A 12 FA 15 D4 24 60 91 E7 D2 F8 74 2D DB 04 38 > 78 DC 6B C8 A2 AC 25 6D 5D 6B DE E5 01 F8 12 19 D5 DB 33 16 2E A5 > C2 AA 9E AA 72 AB 8B 3B 4D D1 9D B5 6C EF E1 31 BF 99 19 > > Using a hex-editor I have then appended these octets to the public key > to give me the attached file. This is not the same as the secret key > and cannot be imported as a secret key. You can't take a public key and just attach the blob to the end. A secret key is made up of secret key packets. You need to convert your individual public key packets to secret key packets. 
Split the public key into packets, convert the individual packets, then reassemble the key. Run "paperkey --file-format" and it will print out some pointers on how to do this. David From ian at ushills.co.uk Mon Feb 9 15:44:13 2009 From: ian at ushills.co.uk (ian at ushills.co.uk) Date: Mon, 9 Feb 2009 06:44:13 -0800 (PST) Subject: Paperkey question Message-ID: <19486860.2280.1234190656900.JavaMail.seven@ap1.trial.red.7sys.net> One you have split your key with gpgsplit do you just then add the relevant secret key packets to each key part and then cat them back together. -----Original Message----- From: David Shaw Sent: 09 February 2009 13:46 To: Ian Hill Cc: gnupg-users at gnupg.org List Subject: Re: Paperkey question On Feb 9, 2009, at 7:07 AM, Ian Hill wrote: > > David > > I seem to be having some problems using the papertest key provided > with > the application (attached) and the associated key to create a > paperkey I > have extracted the following octets for each key and subkey. > > Key 1 > FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 22 90 E7 0A 58 94 51 F7 3D > 5B 2A 4D 9C 26 B9 C1 AF 27 34 D3 D0 95 FE 69 9A C8 7D A4 E8 00 4E > 9A 52 11 E9 C3 68 E4 BC E7 0E B2 15 D8 47 8A 6A 19 95 A6 > > Key 2 > FE 03 03 02 56 AC A0 3D F2 14 48 D2 60 91 84 44 F2 DB A1 1A E8 0E > D4 72 82 18 FB E6 B6 85 6A 32 F6 15 E9 89 1C 7F 55 DD D5 45 EE 11 > E7 DE 44 4C 2B 5B EB 2C 30 91 1E 1F F0 03 6A 2C 30 AD 55 90 6C D0 > 9F 39 7C E7 53 06 F2 BE F7 AE 1B A1 DE A2 1A 58 8A C5 2C > > Key 3 > FE 03 03 02 33 E6 5A 12 FA 15 D4 24 60 91 E7 D2 F8 74 2D DB 04 38 > 78 DC 6B C8 A2 AC 25 6D 5D 6B DE E5 01 F8 12 19 D5 DB 33 16 2E A5 > C2 AA 9E AA 72 AB 8B 3B 4D D1 9D B5 6C EF E1 31 BF 99 19 > > Using a hex-editor I have then appended these octets to the public key > to give me the attached file. This is not the same as the secret key > and cannot be imported as a secret key. You can't take a public key and just attach the blob to the end. A secret key is made up of secret key packets. 
You need to convert your individual public key packets to secret key packets. Split the public key into packets, convert the individual packets, then reassemble the key. Run "paperkey --file-format" and it will print out some pointers on how to do this. David From dshaw at jabberwocky.com Mon Feb 9 16:26:09 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 9 Feb 2009 10:26:09 -0500 Subject: Paperkey question In-Reply-To: <19486860.2280.1234190656900.JavaMail.seven@ap1.trial.red.7sys.net> References: <19486860.2280.1234190656900.JavaMail.seven@ap1.trial.red.7sys.net> Message-ID: <42F5E232-1A80-4F41-A46E-C2A9138C1FE8@jabberwocky.com> > You can't take a public key and just attach the blob to the end. A > secret key is made up of secret key packets. You need to convert your > individual public key packets to secret key packets. Split the public > key into packets, convert the individual packets, then reassemble the > key. > > Run "paperkey --file-format" and it will print out some pointers on > how to do this. On Feb 9, 2009, at 9:44 AM, ian at ushills.co.uk wrote: > One you have split your key with gpgsplit do you just then add the > relevant secret key packets to each key part and then cat them back > together. Please stop top-posting. Next, you switch the type of each packet from public to secret (i.e. change tag 6 to 5, or 14 to 7 for subkeys). Then cat them all back together again. 
David From lee_andre at bellsouth.net Mon Feb 9 21:40:04 2009 From: lee_andre at bellsouth.net (lee_andre at bellsouth.net) Date: Mon, 09 Feb 2009 20:40:04 +0000 Subject: gpg: failed to create temporary file In-Reply-To: <35804647624611707661994589731901527846-Webmail@me.com> References: <020620091517.18135.498C54760007D1BE000046D722230647629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <35804647624611707661994589731901527846-Webmail@me.com> Message-ID: <020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> Okay I decided to take a different route. I decided to create a directory and put the files from ~/.gnupg to /opt/oracle/gpgfiles, my admin edited the .bash_profile to have GNUPGHOME = /opt/oracle/gpgfiles. When I run my process I still get gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.30375': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768. This leads me to believe GNUPGHOME is not setting the path to look into this directory. Not sure what else I'm missing. Any suggestions??? I'm wide open. -------------- Original message from Joseph Oreste Bruni : -------------- > Hi Lee, > > I'm at a complete loss of what else could be the problem. Sorry. > > Joe > > > On Friday, February 06, 2009, at 08:17AM, wrote: > >oh sorry my linux admin informed me what is SE Linux. > >We dont have SE running on our servers >-------------- Original message from Joseph Oreste Bruni : > -------------- > > > > > >> How about the SE Linux setting? SE Linux, when enabled, activates > >> mandatory access controls that go beyond the traditional owner/group/ > >> other Unix permissions. It has bitten me before. 
> >> > >> > >> On Feb 5, 2009, at 3:12 PM, lee_andre at bellsouth.net wrote: > >> > >> > My linux admin added $HOME in the bash_profile and fix the $PATH and > >> > still receive the same problem. > >> > Also I ran my utility in the DEV environment and the result were the > >> > read out as in my TEST env, but yet the DEV env works >> > -------------- Original message from Joseph Oreste Bruni > > >: > -------------- > >> > > >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lopaki at gmail.com Mon Feb 9 22:01:51 2009 From: lopaki at gmail.com (Scott Lambdin) Date: Mon, 9 Feb 2009 16:01:51 -0500 Subject: gpg: failed to create temporary file In-Reply-To: <020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> References: <020620091517.18135.498C54760007D1BE000046D722230647629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <35804647624611707661994589731901527846-Webmail@me.com> <020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> Message-ID: <529e76830902091301v7a36712y5d4ea3c92bd031a6@mail.gmail.com> Did you verify that the BPEL thing starts a bash shell? --Scott On 2/9/09, lee_andre at bellsouth.net wrote: > > Okay I decided to take a different route. > I decided to create a directory and put the files from ~/.gnupg to > /opt/oracle/gpgfiles, my admin edited the .bash_profile to have GNUPGHOME = > /opt/oracle/gpgfiles. When I run my process I still get gpg: failed to > create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.30375': No > such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such > file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768. > > This leads me to believe GNUPGHOME is not setting the path to look into > this directory. Not sure what else I'm missing. > > Any suggestions??? I'm wide open. 
> > -------------- Original message from Joseph Oreste Bruni : > -------------- > > > > Hi Lee, > > > > I'm at a complete loss of what else could be the problem. Sorry. > > > > Joe > > > > > > On Friday, February 06, 2009, at 08:17AM, wrote: > > >oh sorry my linux admin informed me what is SE Linux. > > >We dont have SE running on our servers >-------------- Original message > from Joseph Oreste Bruni : > > -------------- > > > > > > > > >> How about the SE Linux setting? SE Linux, when enabled, activates > > >> mandatory access controls that go beyond the traditional owner/group/ > > >> other Unix permissions. It has bitten me before. > > >> > > >> > > >> On Feb 5, 2009, at 3:12 PM, lee_andre at bellsouth.net wrote: > > >> > > >> > My linux admin added $HOME in the bash_profile and fix the $PATH and > > > >> > still receive the same problem. > > >> > Also I ran my utility in the DEV environment and the result were the > > > >> > read out as in my TEST env, but yet the DEV env works >> > > -------------- Original message from Joseph Oreste Bruni > > >: > > -------------- > > >> > > > >> > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > -- There's a box? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From jbruni at me.com Mon Feb 9 22:37:21 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Mon, 09 Feb 2009 14:37:21 -0700 Subject: gpg: failed to create temporary file In-Reply-To: <020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> References: <020620091517.18135.498C54760007D1BE000046D722230647629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <35804647624611707661994589731901527846-Webmail@me.com> <020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> Message-ID: <135090458836317296588991473612723973098-Webmail@me.com> One last test: Rather than having BPEL run "gpg" directly, perhaps you could have it run a shell script that in turn runs "gpg". You should then be able to set whatever variables you need prior to the call of gpg from within the shell script. You can also enable tracing (set -o xtrace) to help with script debugging. Joe On Monday, February 09, 2009, at 01:40PM, wrote: >Okay I decided to take a different route. >I decided to create a directory and put the files from ~/.gnupg to /opt/oracle/gpgfiles, my admin edited the .bash_profile to have GNUPGHOME = /opt/oracle/gpgfiles. When I run my process I still get gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.30375': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768. > >This leads me to believe GNUPGHOME is not setting the path to look into this directory. Not sure what else I'm missing. > >Any suggestions??? I'm wide open. >-------------- Original message from Joseph Oreste Bruni : -------------- > > >> Hi Lee, >> >> I'm at a complete loss of what else could be the problem. Sorry. >> >> Joe >> >> >> On Friday, February 06, 2009, at 08:17AM, wrote: >> >oh sorry my linux admin informed me what is SE Linux. 
>> >We dont have SE running on our servers >-------------- Original message from Joseph Oreste Bruni : >> -------------- >> > >> > >> >> How about the SE Linux setting? SE Linux, when enabled, activates >> >> mandatory access controls that go beyond the traditional owner/group/ >> >> other Unix permissions. It has bitten me before. >> >> >> >> >> >> On Feb 5, 2009, at 3:12 PM, lee_andre at bellsouth.net wrote: >> >> >> >> > My linux admin added $HOME in the bash_profile and fix the $PATH and >> >> > still receive the same problem. >> >> > Also I ran my utility in the DEV environment and the result were the >> >> > read out as in my TEST env, but yet the DEV env works >> > -------------- Original message from Joseph Oreste Bruni > > >: >> -------------- >> >> > >> >> >> > > From stefantomatobanana3131 at gmail.com Tue Feb 10 04:37:22 2009 From: stefantomatobanana3131 at gmail.com (Stefan W) Date: Mon, 9 Feb 2009 19:37:22 -0800 Subject: DirMngr Abend Message-ID: <3df45f8b0902091937n2464ed3fi1022139638ce160f@mail.gmail.com> Hi All, I've installed GnuPG on Win XP with the GPG4Win package. Seems to be mostly working. But I've found that the DirMngr service fails to run. The System Event Log shows: "The DirMngr service hung on starting." "The DirMngr service terminated unexpectedly." I have no further info so far. A google of the error found one other user posting the problem, but no answers to date. Anyone know how I would proceed to track down this problem? Thanks, Stefan Welch -------------- next part -------------- An HTML attachment was scrubbed... URL: From malte.gell at gmx.de Tue Feb 10 08:34:58 2009 From: malte.gell at gmx.de (Malte Gell) Date: Tue, 10 Feb 2009 08:34:58 +0100 Subject: (SOLVED) Re: OpenPGP card not accessible In-Reply-To: <200902072133.25665.malte.gell@gmx.de> References: <200902052233.32496.malte.gell@gmx.de> <200902072133.25665.malte.gell@gmx.de> Message-ID: <200902100835.01163.malte.gell@gmx.de> Am Samstag, 7. 
Februar 2009 21:33:04 schrieb Malte Gell: > For whom it may concern and Google cache: > > I found the source of trouble. I had to give one additional parameter to > gpg- agent: --scdaemon-program /usr/bin/scdaemon > > After specifying this parameter I was able to successfully access the > openPGP card with pcsc drivers and a Reiner SCT e-com. > > On e.g. openSUSE open /etc/X11/xdm/sys.xsession and look for the line that > starts with "set -- $gpgagent --sh --daemon.........." add to this line: > > --scdaemon-program /usr/bin/scdaemon > > and the error described below is gone. Further investigation showed, this did not help, but something different has helped finally: 1. killing running gpg-agent /sbin/killproc /usr/bin/gpg-agent 2. starting gpg-agent again eval $(gpg-agent --daemon) And now, gpg --card-edit works and the "missing card" error disappeared. From malte.gell at gmx.de Tue Feb 10 09:51:03 2009 From: malte.gell at gmx.de (Malte Gell) Date: Tue, 10 Feb 2009 09:51:03 +0100 Subject: More than one key on openPGP card? Message-ID: <200902100951.09186.malte.gell@gmx.de> Hello, can the openPGP card store more than one key? If yes, how many can be stored? Will the forthcoming cards version 2.0 differ from 1.1 in that aspect? Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From wk at gnupg.org Tue Feb 10 11:34:03 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 10 Feb 2009 11:34:03 +0100 Subject: (SOLVED) Re: OpenPGP card not accessible In-Reply-To: <200902100835.01163.malte.gell@gmx.de> (Malte Gell's message of "Tue, 10 Feb 2009 08:34:58 +0100") References: <200902052233.32496.malte.gell@gmx.de> <200902072133.25665.malte.gell@gmx.de> <200902100835.01163.malte.gell@gmx.de> Message-ID: <87zlgur36s.fsf@wheatstone.g10code.de> On Tue, 10 Feb 2009 08:34, malte.gell at gmx.de said: > 1. 
killing running gpg-agent That is not necessary. You can simply give it a HUP (pkill -HUP gpg-agent). This will reload most of the config options including --scdaemon-program. Now you kill scdaemon (may need up to 3 SIGINT) and gpg-agent will restart it on demand. > 2. starting gpg-agent again Not required because you only raised a SIGHUP and gpg-agent keeps on running. Your problem is probably another version of gpg-agent or scdaemon somewhere in your PATH. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Tue Feb 10 11:35:13 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 10 Feb 2009 11:35:13 +0100 Subject: More than one key on openPGP card? In-Reply-To: <200902100951.09186.malte.gell@gmx.de> (Malte Gell's message of "Tue, 10 Feb 2009 09:51:03 +0100") References: <200902100951.09186.malte.gell@gmx.de> Message-ID: <87vdrir34u.fsf@wheatstone.g10code.de> On Tue, 10 Feb 2009 09:51, malte.gell at gmx.de said: > can the openPGP card store more than one key? If yes, how many can be stored? > Will the forthcoming cards version 2.0 differ from 1.1 in that aspect? 3 keys: One for signing, one for decryption and one for authentication. The authentication key can be used for signing as well. The v2 cards will be identical in this aspect. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Tue Feb 10 12:37:43 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 10 Feb 2009 12:37:43 +0100 Subject: Release candidate for 1.1.4 Message-ID: <87bptar08o.fsf@wheatstone.g10code.de> Hi! Due to problems with GnuPG 1.4.7 as included in Gpg4win 1.1.3 on Windows Vista we are about to do a new Gpg4win release 1.1.4. Because there has been no release for a long time I created a release candidate first. Please report all regressions against 1.1.3 to this mailing list or gnupg-users. 
The installer and its signature are at: ftp://ftp.gpg4win.org/gpg4win/Beta/gpg4win-1.1.4rc1.exe (9.7M) ftp://ftp.gpg4win.org/gpg4win/Beta/gpg4win-1.1.4rc1.exe.sig or: http://ftp.gpg4win.org/Beta/gpg4win-1.1.4rc1.exe http://ftp.gpg4win.org/Beta/gpg4win-1.1.4rc1.exe.sig All the source files are in the source installer: ftp://ftp.gpg4win.org/gpg4win/Beta/gpg4win-src-1.1.4rc1.exe (59M) ftp://ftp.gpg4win.org/gpg4win/Beta/gpg4win-src-1.1.4rc1.exe.sig Originally it was not planned to do such a release because we hoped that Gpg4win/2 (current version is 1.9.13) would become stable much earlier to fully replace the .1.3. Obviously we did not achieve this and thus this update of the old stable gpg4win. There is not much new in this installer: GnuPG has been updated from 1.4.7 to 1.4.9 and GPA to version 0.8.0. The included GnuPG-2 has also been updated to the latest version. There is no update for Claws-Mail because that would have required too many changes nor an update of WinPT because it does no longer support cross-building. As a little benefit the Paperkey tool and the Scute pkcs#11 DLL are automatically installed. The final release shall follow in a week. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 205 bytes Desc: not available URL: From lee_andre at bellsouth.net Tue Feb 10 14:34:35 2009 From: lee_andre at bellsouth.net (lee_andre at bellsouth.net) Date: Tue, 10 Feb 2009 13:34:35 +0000 Subject: gpg: failed to create temporary file In-Reply-To: <135090458836317296588991473612723973098-Webmail@me.com> References: <020620091517.18135.498C54760007D1BE000046D722230647629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net><35804647624611707661994589731901527846-Webmail@me.com><020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> <135090458836317296588991473612723973098-Webmail@me.com> Message-ID: <021020091334.16787.4991826B0007D2B60000419322218865869B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> I will create a shell script and see what happens. -------------- Original message from Joseph Oreste Bruni : -------------- One last test: Rather than having BPEL run "gpg" directly, perhaps you could have it run a shell script that in turn runs "gpg". You should then be able to set whatever variables you need prior to the call of gpg from within the shell script. You can also enable tracing (set -o xtrace) to help with script > debugging. > > Joe > > > > On Monday, February 09, 2009, at 01:40PM, wrote: > >Okay I decided to take a different route. >I decided to create a directory and put the files from ~/.gnupg to /opt/oracle/gpgfiles, my admin edited the .bash_profile to have GNUPGHOME = /opt/oracle/gpgfiles. When I run my process I still get gpg: failed to create temporary file `~/.gnupg/.#lk0x552ac57230.tst-dataexch.30375': No such file or directory gpg: fatal: ~/.gnupg: can't create directory: No such file or > directory secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768. > > >This leads me to believe GNUPGHOME is not setting the path to look into this > directory. Not sure what else I'm missing. > > > >Any suggestions??? I'm wide open. 
> >-------------- Original message from Joseph Oreste Bruni : > -------------- > > > > > >> Hi Lee, > >> > >> I'm at a complete loss of what else could be the problem. Sorry. > >> > >> Joe > >> > >> > >> On Friday, February 06, 2009, at 08:17AM, wrote: > >> >oh sorry my linux admin informed me what is SE Linux. > >> >We dont have SE running on our servers >-------------- Original message from > Joseph Oreste Bruni : > >> -------------- > >> > > >> > > >> >> How about the SE Linux setting? SE Linux, when enabled, activates > >> >> mandatory access controls that go beyond the traditional owner/group/ > >> >> other Unix permissions. It has bitten me before. > >> >> > >> >> > >> >> On Feb 5, 2009, at 3:12 PM, lee_andre at bellsouth.net wrote: > >> >> > >> >> > My linux admin added $HOME in the bash_profile and fix the $PATH and > >> >> > still receive the same problem. > >> >> > Also I ran my utility in the DEV environment and the result were the > >> >> > read out as in my TEST env, but yet the DEV env works >> > > -------------- Original message from Joseph Oreste Bruni > > >: > >> -------------- > >> >> > > >> >> > >> > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From christoph.anton.mitterer at physik.uni-muenchen.de Tue Feb 10 15:07:21 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Tue, 10 Feb 2009 15:07:21 +0100 Subject: gnupg on celeron and atom cpus Message-ID: <1234274841.9532.4.camel@fermat.scientia.net> Hi. Does anyone of you have an idea whether it could make problems to use gnupg on Celeron or Atom CPUs? I mean could this have an effect on the PRNG, e.g. that the entropy is worse? Or something similar? Regards, Chris. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From BruderB at cation.de Tue Feb 10 15:34:46 2009 From: BruderB at cation.de (B) Date: Tue, 10 Feb 2009 15:34:46 +0100 Subject: gnupg on celeron and atom cpus In-Reply-To: <1234274841.9532.4.camel@fermat.scientia.net> References: <1234274841.9532.4.camel@fermat.scientia.net> Message-ID: <49919086.9090404@cation.de> Christoph Anton Mitterer schrieb: > Hi. > > Does anyone of you have an idea whether it could make problems to use > gnupg on Celeron or Atom CPUs? > > I mean could this have an effect on the PRNG, e.g. that the entropy is > worse? Or something similar? > > Hej Chris, I cannot imagine why the kind of CPU should provide any matter to gnupg. Me myself I'm using gnupg on my eeePC1000 very comfortable since it is a part of enigmail which is a plugin for Mozilla Thunderbird. I use it on Debian Linux (Lenny). Boris From dshaw at jabberwocky.com Tue Feb 10 15:35:17 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 09:35:17 -0500 Subject: gnupg on celeron and atom cpus In-Reply-To: <1234274841.9532.4.camel@fermat.scientia.net> References: <1234274841.9532.4.camel@fermat.scientia.net> Message-ID: <8E478B28-2544-468E-870D-F8CB59395ABF@jabberwocky.com> On Feb 10, 2009, at 9:07 AM, Christoph Anton Mitterer wrote: > Hi. > > Does anyone of you have an idea whether it could make problems to use > gnupg on Celeron or Atom CPUs? > > I mean could this have an effect on the PRNG, e.g. that the entropy is > worse? Or something similar? The PRNG is generally a function of the platform, not of the CPU. If, for example, you were running Linux on a Celeron or Atom, you'd have the same PRNG as someone running Linux on any other CPU. There is some fuzziness here - some CPUs may provide a PRNG, and there are userspace entropy gathers like egd, but in general, use whatever CPU you like. GPG doesn't care. 
David From christoph.anton.mitterer at physik.uni-muenchen.de Tue Feb 10 15:55:43 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Tue, 10 Feb 2009 15:55:43 +0100 Subject: gnupg on celeron and atom cpus In-Reply-To: <8E478B28-2544-468E-870D-F8CB59395ABF@jabberwocky.com> References: <1234274841.9532.4.camel@fermat.scientia.net> <8E478B28-2544-468E-870D-F8CB59395ABF@jabberwocky.com> Message-ID: <1234277743.9532.31.camel@fermat.scientia.net> Thanks for your info :-) Best wishes, Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From malte.gell at gmx.de Tue Feb 10 16:14:54 2009 From: malte.gell at gmx.de (Malte Gell) Date: Tue, 10 Feb 2009 16:14:54 +0100 Subject: (SOLVED) Re: OpenPGP card not accessible In-Reply-To: <87zlgur36s.fsf@wheatstone.g10code.de> References: <200902052233.32496.malte.gell@gmx.de> <200902100835.01163.malte.gell@gmx.de> <87zlgur36s.fsf@wheatstone.g10code.de> Message-ID: <200902101614.57145.malte.gell@gmx.de> On Tuesday, 10 February 2009 11:34:03, Werner Koch wrote: > On Tue, 10 Feb 2009 08:34, malte.gell at gmx.de said: > > 1. killing running gpg-agent > > That is not necessary. You can simply give it a HUP (pkill -HUP > gpg-agent). This will reload most of the config options including > --scdaemon-program. Now you kill scdaemon (may need up to 3 SIGINT) and > gpg-agent will restart it on demand. > > > 2. starting gpg-agent again > > Not required because you only raised a SIGHUP and gpg-agent keeps on > running. Ok. I put that in a script, may need from time to time... > Your problem is probably another version of gpg-agent or scdaemon > somewhere in your PATH. Well, I have only one version installed, not parallel installation or other strange things... 
tia Malte From lists at michel-messerschmidt.de Tue Feb 10 16:19:42 2009 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Tue, 10 Feb 2009 16:19:42 +0100 (CET) Subject: gpg: failed to create temporary file In-Reply-To: <021020091334.16787.4991826B0007D2B60000419322218865869B0A02D2089B9A01 9C04040A0DBF0A9D0B020EA10A0A04@att.net> References: <020620091517.18135.498C54760007D1BE000046D722230647629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net><35804647624611707661994589731901527846-Webmail@me.com><020920092040.2623.499094A40002FFC400000A3F22243323629B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net><135090458836317296588991473612723973098-Webmail@me.com> <021020091334.16787.4991826B0007D2B60000419322218865869B0A02D2089B9A019C04040A0DBF0A9D0B020EA10A0A04@att.net> Message-ID: <49839.195.124.114.37.1234279182.squirrel@webmail.artfiles.de> > One last test: Rather than having BPEL run "gpg" directly, perhaps you > could have it run a shell script that in turn runs "gpg". You should then > be able to set whatever variables you need prior to the call of gpg from > within the shell script. You can also enable tracing (set -o xtrace) to > help with script > debugging. Or try to debug your oracle environment with env_audit (http://www.web-insights.net/env_audit/) From vedaal at hush.com Tue Feb 10 16:49:40 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 10 Feb 2009 10:49:40 -0500 Subject: paperkey // ? feature request Message-ID: <20090210154940.23250158045@smtp.hushmail.com> David Shaw dshaw at jabberwocky.com wrote on Sun Feb 8 22:41:10 CET 2009 : >In OpenPGP, a secret key is just a public key with some >extra stuff (the secret numbers) tacked on to the end. That's how >paperkey makes the keys so small - it can safely leave off all the >public key information. 
well, speaking for the very small contingent of the occasionally maybe-too-secretive ;-) would ask to consider the following scenario, and if there is a possible paper key solution: for those extremely private secrets where one prefers to hide even the public key that a file is encrypted to, and uses the 'throw-keyid' option, and also uses a public key generated for only this purpose, not put up on any keyserver, and not kept on any of the other keyrings, (and therefore much easier to lose ... ;-) ) is there a way to get paperkey to reconstruct both the public and secret keys, given the secret key ? tia, vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link From dragonseattle at gmx.net Tue Feb 10 16:39:27 2009 From: dragonseattle at gmx.net (Sidney Kenson) Date: Tue, 10 Feb 2009 16:39:27 +0100 Subject: Howto import more than one key from a keyserver at a time Message-ID: <49919FAF.7040901@gmx.net> Hey list, was wondering if it was possible to import many keys at the same time from a keyserver. Had imported a key with a lot of sigs and most of them can't be checked as I don't have the keys the key was signed with. So my question is to import all the signing keys at once, perhaps even with the keys which I don't have signing *these* keys. Thanks for reading and your answers. Sidney Kenson -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x9E36254C.asc Type: application/pgp-keys Size: 3630 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature URL: From dshaw at jabberwocky.com Tue Feb 10 17:30:07 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 11:30:07 -0500 Subject: paperkey // ? feature request In-Reply-To: <20090210154940.23250158045@smtp.hushmail.com> References: <20090210154940.23250158045@smtp.hushmail.com> Message-ID: <4D33F7D7-D227-4324-9228-75166B1673B8@jabberwocky.com> On Feb 10, 2009, at 10:49 AM, vedaal at hush.com wrote: > is there a way to get paperkey to reconstruct both the public and > secret keys, given the secret key ? You don't need paperkey to do this. Just use GPG. If you import a secret key and you don't have the matching public key, GPG will automatically create a public key from the secret key. David From malte.gell at gmx.de Tue Feb 10 17:38:41 2009 From: malte.gell at gmx.de (Malte Gell) Date: Tue, 10 Feb 2009 17:38:41 +0100 Subject: OpenPGP card not accessible In-Reply-To: <87zlgur36s.fsf@wheatstone.g10code.de> References: <200902052233.32496.malte.gell@gmx.de> <200902100835.01163.malte.gell@gmx.de> <87zlgur36s.fsf@wheatstone.g10code.de> Message-ID: <200902101738.44084.malte.gell@gmx.de> Hello, Am Dienstag, 10. Februar 2009 11:34:03 schrieb Werner Koch: > (...) > Your problem is probably another version of gpg-agent or scdaemon > somewhere in your PATH. Hm, I don't buy it...... I continued to try things, the strange behaviour continues, now my openPGP card is shown as empty: 2[malte_gell at linux-61r3]5438 17:34~> gpg --card-status Application ID ...: D2760001240101010001000015CB0000 Version ..........: 1.1 Manufacturer .....: PPC Card Systems Serial number ....: 000015CB Name of cardholder: [nicht gesetzt] Language prefs ...: [nicht gesetzt] Sex ..............: unbestimmt URL of public key : [nicht gesetzt] Login data .......: [nicht gesetzt] Signature PIN ....: zwingend Max. 
PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] I DO have keys on this card, minutes ago everything worked fine, now the card is shown like it was empty... Doesn't this strange behaviour look like a bug? It does not see my key on the card sometimes. Malte From wk at gnupg.org Tue Feb 10 18:09:58 2009 From: wk at gnupg.org (Werner Koch) Date: Tue, 10 Feb 2009 18:09:58 +0100 Subject: OpenPGP card not accessible In-Reply-To: <200902101738.44084.malte.gell@gmx.de> (Malte Gell's message of "Tue, 10 Feb 2009 17:38:41 +0100") References: <200902052233.32496.malte.gell@gmx.de> <200902100835.01163.malte.gell@gmx.de> <87zlgur36s.fsf@wheatstone.g10code.de> <200902101738.44084.malte.gell@gmx.de> Message-ID: <87prhqp6ah.fsf@wheatstone.g10code.de> On Tue, 10 Feb 2009 17:38, malte.gell at gmx.de said: > Hm, I don't buy it...... I continued to try things, the strange behaviour > continues, now my openPGP card is shown as empty: I have noticed such a behaviour sporadically but I was not able to reliably replicate it. Which reader are you using and is pcscd running? Which OS and libusb version? Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From John at Mozilla-Enigmail.org Tue Feb 10 18:29:15 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Tue, 10 Feb 2009 11:29:15 -0600 Subject: Howto import more than one key from a keyserver at a time In-Reply-To: <49919FAF.7040901@gmx.net> References: <49919FAF.7040901@gmx.net> Message-ID: <4991B96B.9060707@Mozilla-Enigmail.org> Sidney Kenson wrote: > Hey list, > was wondering if it was possible to import many keys at the same time from a > keyserver. Had imported a key with a lot of sigs and most of them can't be > checked as I don't have the keys the key was signed with. 
So my question is to > import all the signing keys at once, perhaps even with the keys which I don't > have signing *these* keys. OK, You look to be on Windows. You'll need some sort of POSIX environment on Windows to pull this off, eg Cygwin, SFU, MSYS, UWin,... To process entire keyring, something like this may be what you're looking for (single line): gpg --check-sigs| grep "User ID not found"|cut -b 14-21| sort -u| xargs gpg --recv-keys To do a single or several keys, list the key IDs as part of the first gpg command: gpg --check-sigs 0xdeadbeef 0xdecafbad It won't check the keys that it needs to fetch, you'll need to run the commands again. Note, this can get you a LOT of keys that you may have little interest in. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 677 bytes Desc: OpenPGP digital signature URL: From vedaal at hush.com Tue Feb 10 18:41:12 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 10 Feb 2009 12:41:12 -0500 Subject: paperkey // ? feature request Message-ID: <20090210174112.21F5820040@smtp.hushmail.com> On Tue, 10 Feb 2009 11:30:07 -0500 David Shaw wrote: >You don't need paperkey to do this. Just use GPG. If you import >a >secret key and you don't have the matching public key, GPG will >automatically create a public key from the secret key. but i need paperkey to store the 'whole' secret key with the public key part, not only the secret parts added to the public kry ... 
:-) i understand that there is not much point to the request if it's too much work so that there is nothing gained by just preserving a paper copy of the secret key block (i.e., the paperkey typing might need to be as much as just re-typing the secret key) vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link -- Free information - Learn about IRS Tax Solutions. Click now! http://tagline.hushmail.com/fc/PnY6qxt7zYKiddgCtAMZ96fKBFTB8vV1idZoukFmwCgG6b1LFfaiT/ From dshaw at jabberwocky.com Tue Feb 10 18:57:07 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 12:57:07 -0500 Subject: paperkey // ? feature request In-Reply-To: <20090210174112.21F5820040@smtp.hushmail.com> References: <20090210174112.21F5820040@smtp.hushmail.com> Message-ID: <20090210175706.GA24905@jabberwocky.com> On Tue, Feb 10, 2009 at 12:41:12PM -0500, vedaal at hush.com wrote: > On Tue, 10 Feb 2009 11:30:07 -0500 David Shaw > wrote: > > >You don't need paperkey to do this. Just use GPG. If you import > >a > >secret key and you don't have the matching public key, GPG will > >automatically create a public key from the secret key. > > > but i need paperkey to store the 'whole' secret key with the public > key part, > not only the secret parts added to the public kry ... :-) Then that's just storing a secret key. Paperkey works by removing the redundant part of a secret key (i.e. the embedded public key, the user IDs, signatures, etc). When you restore the secret key, you need to provide a copy of the public key so that paperkey can restore the secret key (putting back the redundant parts). If you can't remove the redundant parts, then you're basically storing a secret key, unchanged. 
David

From dragonseattle at gmx.net Tue Feb 10 19:06:12 2009
From: dragonseattle at gmx.net (Sidney Kenson)
Date: Tue, 10 Feb 2009 19:06:12 +0100
Subject: Howto import more than one key from a keyserver at a time
In-Reply-To: <4991B96B.9060707@Mozilla-Enigmail.org>
References: <49919FAF.7040901@gmx.net> <4991B96B.9060707@Mozilla-Enigmail.org>
Message-ID: <4991C214.1080908@gmx.net>

John Clizbe wrote:

> OK, You look to be on Windows. You'll need some sort of POSIX environment on
> Windows to pull this off, eg Cygwin, SFU, MSYS, UWin,...

Or I just export my keyrings from my WinPT and import it in my gpg under
Ubuntu and it'll work.

> gpg --check-sigs| grep "User ID not found"|cut -b 14-21| sort -u| xargs gpg
> --recv-keys

This will check all sigs of all keys in my ring, doesn't it?

> To do a single or several keys, list the key IDs as part of the first gpg command:
> gpg --check-sigs 0xdeadbeef 0xdecafbad

The keys would be the last thing before the |?

> It won't check the keys that it needs to fetch, you'll need to run the commands
> again. Note, this can get you a LOT of keys that you may have little interest in.

Somehow this is what i wanted...

Sidney Kenson

From rjh at sixdemonbag.org Tue Feb 10 19:18:22 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Feb 2009 13:18:22 -0500
Subject: paperkey // ? feature request
In-Reply-To: <20090210154940.23250158045@smtp.hushmail.com>
References: <20090210154940.23250158045@smtp.hushmail.com>
Message-ID: <4991C4EE.50001@sixdemonbag.org>

vedaal at hush.com wrote:
> uses a public key generated for only this purpose,
> not put up on any keyserver,

This seems to be a misapplication of asymmetric crypto.
Asymmetric crypto is generally inappropriate for session keys.

> is there a way to get paperkey to reconstruct both the public and
> secret keys, given the secret key ?

Given the secret key, the public key can always be reconstructed.

From email at sven-radde.de Tue Feb 10 19:27:44 2009
From: email at sven-radde.de (Sven Radde)
Date: Tue, 10 Feb 2009 19:27:44 +0100
Subject: paperkey // ? feature request
In-Reply-To: <20090210175706.GA24905@jabberwocky.com>
References: <20090210174112.21F5820040@smtp.hushmail.com> <20090210175706.GA24905@jabberwocky.com>
Message-ID: <4991C720.10000@sven-radde.de>

Hi!

David Shaw wrote:
> If you can't remove the redundant parts, then you're basically storing
> a secret key, unchanged.

Apart from the encoding and line-wise checksums which paperkey adds, that is...

Maybe this posting from a thread when I asked to extend paperkey for use with
revocation certificates is also useful for Vedaal:
http://lists.gnupg.org/pipermail/gnupg-users/2008-October/034741.html

It seems like your nice tool has a greater potential than initially conceived ;-)

cu, Sven

From malte.gell at gmx.de Tue Feb 10 20:14:28 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Tue, 10 Feb 2009 20:14:28 +0100
Subject: OpenPGP card not accessible
In-Reply-To: <87prhqp6ah.fsf@wheatstone.g10code.de>
References: <200902052233.32496.malte.gell@gmx.de> <200902101738.44084.malte.gell@gmx.de> <87prhqp6ah.fsf@wheatstone.g10code.de>
Message-ID: <200902102014.36605.malte.gell@gmx.de>

On Tuesday, 10 February 2009 18:09:58 Werner Koch wrote:
> On Tue, 10 Feb 2009 17:38, malte.gell at gmx.de said:
> > Hm, I don't buy it...... I continued to try things, the strange behaviour
> > continues, now my openPGP card is shown as empty:
>
> I have noticed such a behaviour sporadically but I was not able to
> reliably replicate it. Which reader are you using and is pcscd running?
> Which OS and libusb version?

Yes, I use pcscd, but it also occurs with only ctapi drivers.
I use a Reiner SCT cyberjack ecom (class 3 with display and pinpad). OS is
openSUSE 11.1 32bit.

One way to try to trigger this odd behaviour was to e.g. sign something,
remove the card, stop and start again pcscd daemon, or remove the card, or
stop pcscd daemon and play with onlinebanking (=ctapi), start pcscd again and
trying to use the openPGPcard again, it always was triggered after the card
was used and some change happened, be it to remove the card use a totally
different card, change driver etc.

libusb:
[malte_gell at linux-61r3]5520 20:08~> rpm -qa | grep libusb
libusb-0_1-4-0.1.12-136.10
libusb-devel-0.1.12-136.10
libusbpp-0_1-4-0.1.12-136.10
libusb-1_0-0-0.9.3-4.20

Interesting: I added "card-timeout 0" to scdaemon.conf and the last couple
hours everything was fine... now I can remove the card, sign something, move
the card back into the reader and it is readable, maybe found the cure...

Is card-timeout 0 harmful as the manpage suggests?

Thanx
Malte

From JPClizbe at tx.rr.com Tue Feb 10 20:26:33 2009
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Tue, 10 Feb 2009 13:26:33 -0600
Subject: Howto import more than one key from a keyserver at a time
In-Reply-To: <4991C214.1080908@gmx.net>
References: <49919FAF.7040901@gmx.net> <4991B96B.9060707@Mozilla-Enigmail.org> <4991C214.1080908@gmx.net>
Message-ID: <4991D4E9.4060405@tx.rr.com>

Sidney Kenson wrote:
> John Clizbe wrote:
>
>> OK, You look to be on Windows. You'll need some sort of POSIX environment on
>> Windows to pull this off, eg Cygwin, SFU, MSYS, UWin,...
>
> Or I just export my keyrings from my WinPT and import it in my gpg under
> Ubuntu and it'll work.

Yes, That's the canonical way. The files are binary compatible.
If your Windows keyrings are on NTFS and both OSes are on the same machine,
you could mount the NTFS partition read-only on Ubuntu and just give the
keyring file itself to import:

$ # Merge secret keyrings (command continued on a second line to avoid wrapping the file path)
$ gpg --import \
> /mnt/Documents\ and\ Settings/username/Application\ Data/secring.gpg
$
$ # Merge public keyrings (command continued on a second line to avoid wrapping the file path)
$ gpg --import \
> /mnt/Documents\ and\ Settings/username/Application\ Data/pubring.gpg

Copying the keyring files to portable media also works. Copy --> Import on
Ubuntu. Do maintenance. Copy back to media --> Import on Windows

>> gpg --check-sigs| grep "User ID not found"|cut -b 14-21| sort -u| xargs gpg
>> --recv-keys
>
> This will check all sigs of all keys in my ring, doesn't it?

Yes, that's why the line above it began, "To process entire keyring,..." 8-)

>
>> To do a single or several keys, list the key IDs as part of the first gpg command:
>> gpg --check-sigs 0xdeadbeef 0xdecafbad
>
> The keys would be the last thing before the |?

Yep. gpg --check-sigs ... | grep......

>> It won't check the keys that it needs to fetch, you'll need to run the commands
>> again. Note, this can get you a LOT of keys that you may have little interest in.
>
> Somehow this is what i wanted...
>
> Sidney Kenson

--
John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From vedaal at hush.com Tue Feb 10 20:31:19 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 10 Feb 2009 14:31:19 -0500
Subject: paperkey // ? feature request
Message-ID: <20090210193120.23AAE20044@smtp.hushmail.com>

Robert J. Hansen rjh at sixdemonbag.org wrote on Tue Feb 10 19:18:22 CET 2009 :

>>uses a public key generated for only this purpose,
>> not put up on any keyserver,

>This seems to be a misapplication of asymmetric crypto. Asymmetric
>crypto is generally inappropriate for session keys.

the situation i was describing is something like this:

[1] 'very-important-secret' encrypted in ascii armored form to unpublished
public key using throw-keyid option

[2] above mentioned message posted anonymously to newsgroup like
comp.security.pgp.test from internet cafe, (pre-paid in cash, using new usb
drive with nothing else on it)

[3] plausible deniability is maintained, even if entire secret keyring have
to be given up, with all passphrases

Sven Radde email at sven-radde.de wrote on Tue Feb 10 19:27:44 CET 2009 :

>Maybe this posting from a thread when I asked to extend paperkey for use
>with revocation certificates is also useful for Vedaal:
>http://lists.gnupg.org/pipermail/gnupg-users/2008-October/034741.html

Yes, Thanks!

i really like the idea of hexadecimal encoding line by line with checksums

it's a very useful and do-able way to print out a secret key block with the
plan of later having it be re-digitalized using OCR
(and even do-able if necessary to type it in line by line)

Thanks!

vedaal

any ads or links below this message are added by hushmail without my
endorsement or awareness of the nature of the link

From ian at ushills.co.uk Tue Feb 10 20:59:54 2009
From: ian at ushills.co.uk (ian at ushills.co.uk)
Date: Tue, 10 Feb 2009 11:59:54 -0800 (PST)
Subject: paperkey // ? feature request
Message-ID: <27777471.2236.1234295996975.JavaMail.seven@ap1.trial.red.7sys.net>

The hexadecimal approach works well for a whole secret key. I tried this with
the OCRA font and appears to work very well and means that you do not need to
get the public key from keyservers. Using this method my secret key printed
comes to two sides of A4. Hex is easier to re-enter and this way can recreate
your public key.

From rjh at sixdemonbag.org Tue Feb 10 22:44:01 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Feb 2009 16:44:01 -0500
Subject: paperkey // ? feature request
In-Reply-To: <20090210193120.23AAE20044@smtp.hushmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com>
Message-ID: <4991F521.3090605@sixdemonbag.org>

vedaal at hush.com wrote:
> the situation i was describing is something like this:

Right. This is a use case for symmetric crypto.

> [1] 'very-important-secret' encrypted in ascii armored form to
> unpublished public key using throw-keyid option

So only someone with the private key can decrypt it. Okay. How do you
communicate the private key with your intended recipients? And how is
communicating the private key with your intended recipients different from
the key distribution problem when using symmetric crypto?

> [2] above mentioned message posted anonymously to newsgroup like
> comp.security.pgp.test
> from internet cafe,
> (pre-paid in cash, using new usb drive with nothing else on it)

USB tokens have GUIDs, Globally Unique Identifiers. Computers keep track of
what GUIDs they've seen. If the secret police get access to the PC, then they
know "ah, someone used GnuPG on a USB token, with a GUID of...", etc. That
USB token can now be connected to you.
Okay, so the obvious tactic is to dispose of it. But how? Losing and/or destroying things reliably is pretty hard.[1] If you lose track of your car keys for thirty seconds you'll spend a week finding them; if you flush a USB token down the toilet a plumber will be called out five minutes later to find out what's causing the clog. Call it the spy's version of Murphy's Law. Digital forensics is the field which concerns itself with pulling information you didn't believe existed out of places you didn't believe it could be found. Digital forensicists run the gamut from rank amateurs to hardcore professionals who can recover a CD-R that's been put through a crosscut shredder.[2] DF is interesting stuff. If you're serious about wanting to come up with effective spy-versus-spy techniques, then I'd strongly recommend reading up on DF. The more you know about the capabilities of the people who are trying to recover your secrets, the more you'll know about how to make life difficult on them. [1] I was recently told of a case where a mobster swallowed a micro-SD card. The mobster thought the stomach acids would destroy it. The authorities held onto him a few days, extracted the evidence when it made its appearance, and discovered it worked just fine. [2] I had sushi with a colleague of the guy who recovered the crosscut CD-R. They gave that task to him person specifically because of his severe OCD. The guy later said it was the happiest month he'd ever worked: he was allowed to indulge his OCD for 16 hours a day and everybody left him alone. 
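The line-by-line hexadecimal encoding with checksums discussed earlier in this thread, as an added example that is not code from the list or from paperkey. The line layout, the function names and the sample bytes are assumptions made here; the checksum is the CRC-24 that RFC 4880 defines for OpenPGP armor.

```python
"""Hex lines with a per-line CRC-24, for printing and re-typing binary key data."""

CRC24_INIT = 0xB704CE   # constants from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB


class LineError(ValueError):
    """Carries the 1-based number of the first line that fails a check."""

    def __init__(self, line_no, reason):
        super().__init__(f"line {line_no}: {reason}")
        self.line_no = line_no
        self.reason = reason


def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def encode(data: bytes, per_line: int = 16) -> list:
    """Return numbered hex lines, each ending in its own CRC-24.

    The last line carries only the CRC-24 of the whole input.
    """
    lines = []
    for number, start in enumerate(range(0, len(data), per_line), start=1):
        chunk = data[start:start + per_line]
        hex_bytes = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{number:3d}: {hex_bytes} {crc24(chunk):06X}")
    lines.append(f"{len(lines) + 1:3d}: {crc24(data):06X}")
    return lines


def decode(lines) -> bytes:
    """Rebuild the bytes, naming the first line that needs to be re-typed."""
    rows = [ln for ln in lines if ln.strip()]
    if not rows:
        raise LineError(1, "no input")
    *body, trailer = rows
    out = bytearray()
    for expected, line in enumerate(body, start=1):
        label, _, rest = line.partition(":")
        fields = rest.split()
        try:
            number = int(label)
            chunk = bytes.fromhex("".join(fields[:-1]))
            check = int(fields[-1], 16)
        except (ValueError, IndexError):
            # e.g. the letter O read in place of the digit 0
            raise LineError(expected, "character that is not a hex digit") from None
        if number != expected:
            raise LineError(expected, f"found line {number}, lines missing or out of order")
        if crc24(chunk) != check:
            raise LineError(expected, "checksum mismatch, re-type this line")
        out += chunk
    try:
        total = int(trailer.partition(":")[2], 16)
    except ValueError:
        raise LineError(len(rows), "unreadable final checksum") from None
    if total != crc24(bytes(out)):
        raise LineError(len(rows), "whole-file checksum mismatch")
    return bytes(out)


# Constructed sample: 40 placeholder bytes standing in for secret key material.
SAMPLE = bytes(range(40))

if __name__ == "__main__":
    sheet = encode(SAMPLE)
    print("\n".join(sheet))
    typo = list(sheet)
    typo[1] = typo[1].replace("1B", "18", 1)   # B read as 8: still valid hex
    try:
        decode(typo)
    except LineError as err:
        print("rejected:", err)
```

A B/8 confusion still yields valid hex, so only the per-line checksum catches it; the line numbers and the final whole-file checksum catch lines that were skipped or entered out of order.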
From lopaki at gmail.com Tue Feb 10 23:33:05 2009
From: lopaki at gmail.com (Scott Lambdin)
Date: Tue, 10 Feb 2009 17:33:05 -0500
Subject: Paperkey question
In-Reply-To: <42F5E232-1A80-4F41-A46E-C2A9138C1FE8@jabberwocky.com>
References: <19486860.2280.1234190656900.JavaMail.seven@ap1.trial.red.7sys.net> <42F5E232-1A80-4F41-A46E-C2A9138C1FE8@jabberwocky.com>
Message-ID: <529e76830902101433w7d0fb491p307826866c93788f@mail.gmail.com>

The black helicopters can read the paper copies in your house with microwaves.

On 2/9/09, David Shaw wrote:
>
> You can't take a public key and just attach the blob to the end. A
>> secret key is made up of secret key packets. You need to convert your
>> individual public key packets to secret key packets. Split the public
>> key into packets, convert the individual packets, then reassemble the
>> key.
>>
>> Run "paperkey --file-format" and it will print out some pointers on
>> how to do this.
>>
>
> On Feb 9, 2009, at 9:44 AM, ian at ushills.co.uk wrote:
>
> Once you have split your key with gpgsplit do you just then add the relevant
>> secret key packets to each key part and then cat them back together.
>>
>
> Please stop top-posting.
>
> Next, you switch the type of each packet from public to secret (i.e. change
> tag 6 to 5, or 14 to 7 for subkeys). Then cat them all back together again.
>
>
> David
>

--
There's a box?

From vedaal at hush.com Wed Feb 11 00:19:11 2009
From: vedaal at hush.com (vedaal at hush.com)
Date: Tue, 10 Feb 2009 18:19:11 -0500
Subject: paperkey // ? feature request
Message-ID: <20090210231912.26565118040@smtp.hushmail.com>

>Message: 8
>Date: Tue, 10 Feb 2009 16:44:01 -0500
>From: "Robert J. Hansen"
>Subject: Re: paperkey // ?
feature request >> [1] 'very-important-secret' encrypted in ascii armored form to >> unpublished public key using throw-keyid option > >So only someone with the private key can decrypt it. Okay. How >do you >communicate the private key with your intended recipients? And >how is >communicating the private key with your intended recipients >different >from the key distribution problem when using symmetric crypto? no different, but unless you choose a sufficiently long and random passphrase, symmetric crypto with a passphrase string-2-key is much less protected than when the session key is encrypted to an unknown asymmetric key the former is attackable by attacking the passphrase, the latter cannot be attacked without the keypair and the passphrase, (and not vulnerable to any symmetric decryption 'shortcuts' like the pgp vulnerability described a few years ago) >USB tokens have GUIDs, Globally Unique Identifiers. Computers >keep >track of what GUIDs they've seen. If the secret police get access >to >the PC, then they know "ah, someone used GnuPG on a USB token, >with a >GUID of...", etc. That USB token can now be connected to you. > >Okay, so the obvious tactic is to dispose of it. > But how? there are probably many effective ways, the first one that comes to mind: burn it and dump the residue in a sewer >Digital forensics is the field which concerns itself with pulling >information you didn't believe existed out of places you didn't >believe >it could be found. Digital forensicists run the gamut from rank >amateurs to hardcore professionals who can recover a CD-R that's >been >put through a crosscut shredder.[2] > >DF is interesting stuff. If you're serious about wanting to come >up >with effective spy-versus-spy techniques, then I'd strongly >recommend >reading up on DF. The more you know about the capabilities of the >people who are trying to recover your secrets, the more you'll >know >about how to make life difficult on them. 
ok, sounds interesting
what sources do you recommend reading ?

vedaal

any ads or links below this message are added by hushmail without my
endorsement or awareness of the nature of the link

From faramir.cl at gmail.com Wed Feb 11 00:21:35 2009
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 10 Feb 2009 20:21:35 -0300
Subject: paperkey // ? feature request
In-Reply-To: <4991F521.3090605@sixdemonbag.org>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org>
Message-ID: <49920BFF.8070509@gmail.com>

Robert J. Hansen wrote:
...
> So only someone with the private key can decrypt it. Okay. How do you
> communicate the private key with your intended recipients? And how is
> communicating the private key with your intended recipients different
> from the key distribution problem when using symmetric crypto?

IMHO, the difference is the recipients can send its public to me by some way,
and check the fingerprint by telephone... of course, I would need to be able
to recognise the recipient's voice. Also, the encrypted files in transit
don't require a very good passphrase in order to be hard to bruteforce (or
whatever), as symmetric crypto would require... I don't need to exchange
communicate any "secret" passphrase at all.

> USB tokens have GUIDs, Globally Unique Identifiers. Computers keep
> track of what GUIDs they've seen. If the secret police get access to
> the PC, then they know "ah, someone used GnuPG on a USB token, with a
> GUID of...", etc. That USB token can now be connected to you.

But how? There is still the chance to buy things with effective, not with
credit or debit cards, and USB Flash Drives are cheap enough and easy to find
at stores to make it very hard to trace...
> Okay, so the obvious tactic is to dispose of it. But how? Losing > and/or destroying things reliably is pretty hard.[1] If you lose track > of your car keys for thirty seconds you'll spend a week finding them; if > you flush a USB token down the toilet a plumber will be called out five > minutes later to find out what's causing the clog. Call it the spy's > version of Murphy's Law. Certainly... probably a big river would be a better place than a toilet... Another option would be the use of a hammer, previous to dispose the artifact... they are plastic stuff, very different from an hdd, so probably the only surviving part would be the USB connector. > DF is interesting stuff. If you're serious about wanting to come up > with effective spy-versus-spy techniques, then I'd strongly recommend > reading up on DF. The more you know about the capabilities of the > people who are trying to recover your secrets, the more you'll know > about how to make life difficult on them. And I probably will also thanks God for not having to do it for real... I mean, probably there is enough information to make anybody a bit paranoid... even if they don't have "anything to hide". But I think it is an interesting subject... after all, any advice about how to recover damaged info is potentially useful... I have heard a lot more times the question "how do I recover my lost file" than "how do I not recover...". Where do you suggest searching? In addition to looking in google, of course... > [2] I had sushi with a colleague of the guy who recovered the crosscut > CD-R. They gave that task to him person specifically because of his > severe OCD. The guy later said it was the happiest month he'd ever > worked: he was allowed to indulge his OCD for 16 hours a day and > everybody left him alone. We are talking about something between 320 and 480 hours of work, the info on that CD must have been (or they suspected it to be) of high importance... 
Best Regards

From rjh at sixdemonbag.org Wed Feb 11 00:57:33 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Feb 2009 18:57:33 -0500
Subject: paperkey // ? feature request
In-Reply-To: <20090210231912.26565118040@smtp.hushmail.com>
References: <20090210231912.26565118040@smtp.hushmail.com>
Message-ID: <4992146D.30005@sixdemonbag.org>

vedaal at hush.com wrote:
> but unless you choose a sufficiently long and random passphrase,
> symmetric crypto with a passphrase string-2-key is much less
> protected than when the session key is encrypted to an unknown
> asymmetric key

The moral of the story is to (a) use the right tool for the job, and (b) use
the tool correctly. I don't see how you can on the one hand assume that the
person is going to be technologically savvy enough to do all of this, and at
the same time dumb enough to use his mother's maiden name as a passphrase.

You may say "I'm not assuming he'll be dumb, I'm just allowing for the
possibility he will be" -- which is good, and it's a good maxim for system
design. But making the system more complex (asymmetric crypto is infamously
complicated) in order to make the human factor simpler is a bad tradeoff.
It's not a choice of system complexity or human complexity. Good protocol
design reduces both; buying one at the expense of the other is a bad idea.

> the first one that comes to mind: burn it and dump the residue in a
> sewer

"??????, ?????????.
The security footage says you were in this internet cafe when this treasonous message was sent. You were at the affected PC. You used a USB token. And shortly afterwards your neighbors saw you burning something in your backyard, but you didn't put the remains in the trash. We know, because we checked. Would you come with us, please?" Present them with a fake USB token -- "We're sorry. The GUID is different. Would you care to revise your story, or shall we just send you to the gulag now for lying to investigators?" If you're taking heat from serious opponents, you need to drop any pretense about technology being your friend. It's not. If you're in a serious heat situation, run away from anything with a battery. > ok, sounds interesting what sources do you recommend reading ? The Digital Forensics Research Workshop has some great articles. The latest fad is memory analysis: subvert someone's laptop for 30 seconds to make a dump of memory, then snarf it up and parse through the memory image at your leisure. Or consider a hibernation file. When your laptop goes into hibernation mode, your laptop copies its entire internal state to disk so that when you open your laptop again it can pick up right where it left off. That hibernation file doesn't get deleted once the laptop is done with it. Let's say you're storing data on a TrueCrypt container. The police grab your laptop. They're foiled -- they don't have the password! But then they look through your hibernation file and find your password hiding there in cleartext. Yes, it's kind of impressive seeing this stuff done. It's also disturbing and frightening. If you're interested in hibernation file analysis, the current hot guy is a French college student named Matthieu Suiche. He's done a lot of great work and he's only something like 20 years old. It's a very new field and there's a lot of room for dedicated amateurs to make an impression. Read his papers -- they're very eye-opening. 
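David Shaw's step from the Paperkey question thread above (split the key into packets, change tag 6 to 5 and 14 to 7, reassemble), as an added example that is not code from the list or from paperkey. It also appends the secret material to each key packet body and re-encodes the length, because a secret key packet is the public key packet's contents followed by the secret fields (RFC 4880, section 5.5.3); the function names, the placeholder packet bodies and the already-extracted secret parts are assumptions.

```python
"""Split an OpenPGP key into packets and switch public key packets to secret."""

PUBLIC_TO_SECRET = {6: 5, 14: 7}   # public key -> secret key, subkey -> secret subkey


def read_packets(blob: bytes):
    """Yield (tag, body, raw) per packet; header rules from RFC 4880, section 4.2."""
    pos = 0
    while pos < len(blob):
        start, first = pos, blob[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError(f"offset {start}: bit 7 clear, not a packet header")
        try:
            if first & 0x40:                       # new-format header
                tag = first & 0x3F
                o1 = blob[pos]
                pos += 1
                if o1 < 192:
                    length = o1
                elif o1 < 224:
                    length = ((o1 - 192) << 8) + blob[pos] + 192
                    pos += 1
                elif o1 == 255:
                    length = int.from_bytes(blob[pos:pos + 4], "big")
                    pos += 4
                else:
                    raise ValueError(f"offset {start}: partial body length")
            else:                                  # old-format header
                tag = (first >> 2) & 0x0F
                length_type = first & 0x03
                if length_type == 3:
                    raise ValueError(f"offset {start}: indeterminate length")
                size = (1, 2, 4)[length_type]
                length = int.from_bytes(blob[pos:pos + size], "big")
                pos += size
        except IndexError:
            raise ValueError(f"offset {start}: truncated header") from None
        if pos > len(blob):
            raise ValueError(f"offset {start}: truncated header")
        body = blob[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"offset {start}: truncated body")
        pos += length
        yield tag, body, blob[start:pos]


def write_packet(tag: int, body: bytes) -> bytes:
    """Serialise one packet, old-format header for tags below 16."""
    n = len(body)
    if tag < 16:
        length_type, size = (0, 1) if n < 0x100 else (1, 2) if n < 0x10000 else (2, 4)
        return bytes([0x80 | (tag << 2) | length_type]) + n.to_bytes(size, "big") + body
    if n < 192:
        encoded = bytes([n])
    elif n < 8384:
        encoded = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        encoded = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + encoded + body


def to_secret(public_blob: bytes, secret_parts) -> bytes:
    """Turn each public (sub)key packet into its secret counterpart.

    secret_parts holds one byte string per key packet, in key order.
    User IDs, signatures and any other packets are copied through untouched.
    """
    parts = list(secret_parts)
    out = bytearray()
    for tag, body, raw in read_packets(public_blob):
        if tag in PUBLIC_TO_SECRET:
            if not parts:
                raise ValueError("more key packets than secret parts")
            out += write_packet(PUBLIC_TO_SECRET[tag], body + parts.pop(0))
        else:
            out += raw
    if parts:
        raise ValueError("secret parts left over")
    return bytes(out)


# Constructed sample: placeholder bodies, not real key material.
SAMPLE_PUBLIC = (
    write_packet(6, b"\x04" + b"P" * 10)        # primary public key
    + write_packet(13, b"Test User")            # user ID
    + bytes([0xC0 | 2, 3]) + b"SIG"             # signature, new-format header
    + write_packet(14, b"\x04" + b"S" * 300)    # public subkey, two-byte length
)
SAMPLE_SECRET_PARTS = [b"sec-primary", b"sec-subkey"]

if __name__ == "__main__":
    for tag, body, _ in read_packets(to_secret(SAMPLE_PUBLIC, SAMPLE_SECRET_PARTS)):
        print(f"tag {tag:2d}, {len(body)} body bytes")
```

Changing the tag alone is not enough once the body has grown: the subkey packet in the sample goes from 301 to 311 body bytes, so its length field has to be rewritten along with the tag.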
From mo at g10code.com Wed Feb 11 00:36:08 2009
From: mo at g10code.com (Moritz Schulte)
Date: 11 Feb 2009 00:36:08 +0100
Subject: paperkey // ? feature request
In-Reply-To: <20090210231912.26565118040@smtp.hushmail.com>
References: <20090210231912.26565118040@smtp.hushmail.com>
Message-ID: <49920F68.1060207@g10code.com>

> the latter cannot be attacked without the keypair and the
> passphrase,

Keep in mind that we are talking about a hybrid crypto system. Your hidden
assumption seems to be that the session key which is generated during
encryption to a public key is not worth attacking. Then, nothing prevents you
from using that session key together with a symmetric crypto system directly.

In a way, the public-key crypto system is a layer on top of a symmetric
crypto system, which tries to solve the key distribution problem. When you
don't want to distribute keys -- and that's how I understand you -- it
doesn't make much sense to use it.

mo

From rjh at sixdemonbag.org Wed Feb 11 01:25:55 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Feb 2009 19:25:55 -0500
Subject: paperkey // ? feature request
In-Reply-To: <49920BFF.8070509@gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <49920BFF.8070509@gmail.com>
Message-ID: <49921B13.2060501@sixdemonbag.org>

Faramir wrote:
> IMHO, the difference is the recipients can send it's public to me by
> some way, and check the fingerprint by telephone...

It's not a disposable session key if the recipients need to contact the
sender afterwards. If you're assuming a high threat environment, you kind of
need to assume the sender got flipped right after sending the message.

> But how?
There is still the chance to buy things with effective, not > with credit or debit cards, and USB Flash Drives are cheap enough and > easy to find at stores to make it very hard to trace... Timothy McVeigh was tracked through his use of a prepaid calling card... which he paid for with cash. I don't know how the FBI and ATF did it, but I'm willing to bet they've already taught an improved version of the technique to the next generation of agents. > We are talking about something between 320 and 480 hours of work, the > info on that CD must have been (or they suspected it to be) of high > importance... [shrugs] Not really. Consider the cost-benefit ratio for two common things: military campaigns and child pornography. Assume lab time costs $100/hr., which pays the DF's salary and equipment costs. We're looking at about $50,000 for 500 hours of work. One soldier being grievously injured on the battlefield can cost the Army easily $5 million in lifetime medical care. $5 million versus $50,000 is a 100:1 cost savings. Consider child porn. How much is it worth to take a child pornographer off the street before he or she can exploit another kid? $100,000? 2:1 cost savings. How much is it worth to... etc., etc. Divorce lawyers are getting into the swing of things, too. I was once paid to do some data recovery on a hard drive that was an issue in a lawsuit. The lawyer was laughing all the way to the bank: my fee paid for itself many, _many_ times over. From dshaw at jabberwocky.com Wed Feb 11 01:46:25 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 19:46:25 -0500 Subject: paperkey // ? feature request In-Reply-To: <4991F521.3090605@sixdemonbag.org> References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> Message-ID: <20090211004625.GA29502@jabberwocky.com> On Tue, Feb 10, 2009 at 04:44:01PM -0500, Robert J. 
Hansen wrote: > > [2] above mentioned message posted anonymously to newsgroup like > > comp.security.pgp.test > > from internet cafe, > > (pre-paid in cash, using new usb drive with nothing else on it) > > USB tokens have GUIDs, Globally Unique Identifiers. Computers keep > track of what GUIDs they've seen. If the secret police get access to > the PC, then they know "ah, someone used GnuPG on a USB token, with a > GUID of...", etc. That USB token can now be connected to you. This isn't completely true. The USB protocol does have the concept of a per-device serial number. I don't know if I'd go so far as to call it a GUID as it is only unique relative to the vendor and device type, but in any event, it isn't always used by the manufacturer. For example, I have three USB drives on my desk at the moment. One of them has an actual (presumably unique) serial number, one has a serial number of "FFFFFFFF", and the last has a serial number of "0". There is also no guarantee that the host computer will log the device serial number (modern Linux does, but you're more likely to find some flavor of Windows in an internet cafe). There is also no guarantee that the secret police will know what was run from the USB drive (the converse is true as well, of course). I can imagine the movie plot, though. :) > [2] I had sushi with a colleague of the guy who recovered the crosscut > CD-R. They gave that task to him person specifically because of his > severe OCD. The guy later said it was the happiest month he'd ever > worked: he was allowed to indulge his OCD for 16 hours a day and > everybody left him alone. Do you have a cite on this recovery beyond that story? I have not heard of such a thing, and Google came up blank. I wonder if your sushi companion was pulling your leg. David From dshaw at jabberwocky.com Wed Feb 11 01:58:41 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 19:58:41 -0500 Subject: paperkey // ? 
feature request In-Reply-To: <49921B13.2060501@sixdemonbag.org> References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <49920BFF.8070509@gmail.com> <49921B13.2060501@sixdemonbag.org> Message-ID: On Feb 10, 2009, at 7:25 PM, Robert J. Hansen wrote: > Faramir wrote: >> IMHO, the difference is the recipients can send it's public to me by >> some way, and check the fingerprint by telephone... > > It's not a disposable session key if the recipients need to contact > the > sender afterwards. If you're assuming a high threat environment, you > kind of need to assume the sender got flipped right after sending the > message. > >> But how? There is still the chance to buy things with effective, not >> with credit or debit cards, and USB Flash Drives are cheap enough and >> easy to find at stores to make it very hard to trace... > > Timothy McVeigh was tracked through his use of a prepaid calling > card... > which he paid for with cash. Not exactly: http://www.wpi.edu/News/Journal/Summer98/secured_opus.html But still, I can imagine several ways USB drive can be traced - even if it has a non-unique serial number and paid for with cash. Most of them sound somewhat silly outside of a movie (which doesn't make them impossible - just amusing). David From dshaw at jabberwocky.com Wed Feb 11 02:17:17 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 10 Feb 2009 20:17:17 -0500 Subject: Hibernation and secret keys In-Reply-To: <4992146D.30005@sixdemonbag.org> References: <20090210231912.26565118040@smtp.hushmail.com> <4992146D.30005@sixdemonbag.org> Message-ID: <20090211011717.GA29960@jabberwocky.com> On Tue, Feb 10, 2009 at 06:57:33PM -0500, Robert J. Hansen wrote: > Or consider a hibernation file. When your laptop goes into hibernation > mode, your laptop copies its entire internal state to disk so that when > you open your laptop again it can pick up right where it left off. 
> That hibernation file doesn't get deleted once the laptop is done with it.
> Let's say you're storing data on a TrueCrypt container.  The police grab
> your laptop.  They're foiled -- they don't have the password!  But then
> they look through your hibernation file and find your password hiding
> there in cleartext.

This is very true, and I wonder how many people carefully make sure the GPG is using secure (unswappable) memory and then happily close their laptop lids...

The GPG manual says this, but I don't expect many people read down that far:

    Note also that some systems (especially laptops) have the ability
    to "suspend to disk" (also known as "safe sleep" or "hibernate").
    This writes all memory to disk before going into a low power or
    even powered off mode. Unless measures are taken in the operating
    system to protect the saved memory, passphrases or other sensitive
    material may be recoverable from it later.

GPG does have some countermeasures against this sort of thing, but given the nature of the problem, they are far from infallible.

These days, I pretty much assume that any storage device that I have used has bits and pieces of sensitive stuff on it, and deal with that accordingly.

David

From rjh at sixdemonbag.org Wed Feb 11 03:40:22 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 10 Feb 2009 21:40:22 -0500
Subject: paperkey // ? feature request
In-Reply-To:
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <49920BFF.8070509@gmail.com> <49921B13.2060501@sixdemonbag.org>
Message-ID: <49923A96.4060606@sixdemonbag.org>

David Shaw wrote:
> Not exactly: http://www.wpi.edu/News/Journal/Summer98/secured_opus.html

Thank you for the link -- I was going by my recollection of journalistic coverage after the attack, but apparently either it or my memory was in error.

From rjh at sixdemonbag.org Wed Feb 11 03:51:15 2009
From: rjh at sixdemonbag.org (Robert J.
 Hansen)
Date: Tue, 10 Feb 2009 21:51:15 -0500
Subject: paperkey // ? feature request
In-Reply-To: <20090211004625.GA29502@jabberwocky.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com>
Message-ID: <49923D23.7020101@sixdemonbag.org>

David Shaw wrote:
> I don't know if I'd go so far as to call it a GUID as it is only
> unique relative to the vendor and device type

Must be my luck, then -- the ones I've looked at have all had per-device serial #s.

> There is also no guarantee that the host computer will log the device
> serial number (modern Linux does, but you're more likely to find some
> flavor of Windows in an internet cafe).

Yes and no, I think. E.g., China's internet cafes are being pressured heavily to use the government-approved Red Flag Linux. There's also been talk in the press about the Russian government pressuring internet cafes to give "more complete cooperation with law enforcement", which sounds like it could cover a whole host of badness. On the other hand, you have the very lax regulatory situation of the United States, where that sort of pre-existing relationship is hard to imagine.

> Do you have a cite on this recovery beyond that story?  I have not
> heard of such a thing, and Google came up blank.  I wonder if your
> sushi companion was pulling your leg.

I'll ask about it shortly. It's possible I'll get an answer of "yes, I was there, I saw it, and no, I can't talk about it," though, in which case I can't fault anyone for incredulity.

From dshaw at jabberwocky.com Wed Feb 11 04:58:37 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 10 Feb 2009 22:58:37 -0500
Subject: paperkey // ?
 feature request
In-Reply-To: <49923D23.7020101@sixdemonbag.org>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org>
Message-ID:

On Feb 10, 2009, at 9:51 PM, Robert J. Hansen wrote:

> David Shaw wrote:
>> I don't know if I'd go so far as to call it a GUID as it is only
>> unique relative to the vendor and device type
>
> Must be my luck, then -- the ones I've looked at have all had per-device
> serial #s.

I suspect the better-quality or brand named ones are more likely to have real serial numbers. The ones that I have without serial numbers are very much "no name brand".

>> There is also no guarantee that the host computer will log the device
>> serial number (modern Linux does, but you're more likely to find some
>> flavor of Windows in an internet cafe).
>
> Yes and no, I think.  E.g., China's internet cafes are being pressured
> heavily to use the government-approved Red Flag Linux.  There's also
> been talk in the press about the Russian government pressuring internet
> cafes to give "more complete cooperation with law enforcement", which
> sounds like it could cover a whole host of badness.  On the other hand,
> you have the very lax regulatory situation of the United States, where
> that sort of pre-existing relationship is hard to imagine.

Indeed. Of course, even if the host does log the serial number, the log is less useful if the serial number is "FFFFFF" or the like.

Not that the lack of a serial number really changes the equation all that much. There are half a dozen or more ways for someone to be traced through an internet cafe if the person doing the tracing is sufficiently motivated and capable. The Timothy McVeigh example from earlier is particularly good here: the US government really, really wanted to find him, and fast. That is certainly "sufficiently motivated and capable".
David

From faramir.cl at gmail.com Wed Feb 11 05:21:09 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Feb 2009 01:21:09 -0300
Subject: paperkey // ? feature request
In-Reply-To: <49923D23.7020101@sixdemonbag.org>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org>
Message-ID: <49925235.8020704@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen wrote:
> David Shaw wrote:
>> I don't know if I'd go so far as to call it a GUID as it is only
>> unique relative to the vendor and device type
>
> Must be my luck, then -- the ones I've looked at have all had per-device
> serial #s.

How can I check my flash drives? Unfortunately I'm using Windows XP, which I suppose neither of you use... I searched a bit, but couldn't find anything. I am talking about a USB Flash drive Kingston DataTraveler... it doesn't have any encryption or intelligent capability (other than balancing the usage of memory sectors, in order to make file shredders useless... I mean, in order to increase the lifespan of the drive).

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Wed Feb 11 05:42:31 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 10 Feb 2009 23:42:31 -0500
Subject: paperkey // ?
 feature request
In-Reply-To: <49925235.8020704@gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49925235.8020704@gmail.com>
Message-ID:

On Feb 10, 2009, at 11:21 PM, Faramir wrote:

> Robert J. Hansen wrote:
>> David Shaw wrote:
>>> I don't know if I'd go so far as to call it a GUID as it is only
>>> unique relative to the vendor and device type
>>
>> Must be my luck, then -- the ones I've looked at have all had per-device
>> serial #s.
>
>  How can I check my flash drives? Unfortunately I'm using Windows XP,
> which I suppose neither of you use... I searched a bit, but couldn't
> find anything. I am talking about a USB Flash drive Kingston
> DataTraveler... it doesn't have any encryption or intelligent capability
> (other than balancing the usage of memory sectors, in order to make file
> shredders useless... I mean, in order to increase the lifespan of the
> drive).

Look for a program called "USB View". I haven't used it myself, but it is described as being able to print the entire USB tree. Once you're running it, look for the "iSerial" field.

Kingston DataTravelers do have serial numbers though. I have one.

David

From scott at fyrenice.com Wed Feb 11 06:13:38 2009
From: scott at fyrenice.com (Dr. Scott S. Jones)
Date: Tue, 10 Feb 2009 22:13:38 -0700
Subject: where to start?
Message-ID: <20090211051338.GA11649@comcast.net>

I run both Win xp and ubuntu 8.10. My wife runs win xp on her laptop. We are at the point now where we both want to enable encrypted emailing AND we want to find a nice way of educating those we email to often, or with whom we exchange sensitive information, in how to use gnupg to encrypt email back and forth. Where should I start?

--
"Outside of a dog a book is a man's best friend. Inside of a dog it's too dark to read." - Groucho

Sandy Chiropractic Office
Dr. Scott S.
Jones V: 801.566.5428
MAILING ADDRESS F: 801.858.9300
PO Box 1154 E: scott at fyrenice.com
Sandy, Utah 84091-1154
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL:

From rjh at sixdemonbag.org Wed Feb 11 06:33:53 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 11 Feb 2009 00:33:53 -0500
Subject: where to start?
In-Reply-To: <20090211051338.GA11649@comcast.net>
References: <20090211051338.GA11649@comcast.net>
Message-ID: <49926341.7000500@sixdemonbag.org>

Dr. Scott S. Jones wrote:
> I run both Win xp and ubuntu 8.10. My wife runs win xp on her laptop. We are
> at the point now where we both want to enable encrypted emailing AND we want
> to find a nice way of educating those we email to often, or with whom we
> exchange sensitive information, in how to use gnupg to encrypt email back
> and forth. Where should I start?

You've already done it. :) Welcome to the community! You'll find we're a pretty friendly bunch here.

I would start by asking whether you want things to "just work" or whether you want to take a more direct hand in things. The former will... well... just work. The latter will require a lot more work, but I personally find it more rewarding.

That choice is the first fork in the road.

If you want to go down "just work," the best thing for you to do is use S/MIME, the Secure Multipurpose Internet Mail Extensions. If you want to go down "learn a lot and have control," then I would suggest OpenPGP.

GnuPG supports both S/MIME and OpenPGP, so both are on-topic for this mailing list. Let us know what you want, and we'll be in a much better position to offer you help. :)

From faramir.cl at gmail.com Wed Feb 11 06:35:18 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Feb 2009 02:35:18 -0300
Subject: paperkey // ?
 feature request
In-Reply-To:
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org>
Message-ID: <49926396.7040809@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

David Shaw wrote:
...
> and capable.  The Timothy McVeigh example from earlier is particularly
> good here: the US government really, really wanted to find him, and
> fast.  That is certainly "sufficiently motivated and capable".

Right, but if I understood it well, he had done more than 700 calls from a rechargeable prepaid card... that is not a disposable card... if he had used some sort of disposable prepaid cards (the only kind that exist here), it would have been a lot harder to track him by it... But, IMHO, his worst mistake was to not be smoking while he prepared the bomb...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Wed Feb 11 06:49:56 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 11 Feb 2009 00:49:56 -0500
Subject: paperkey // ?
 feature request
In-Reply-To: <49926396.7040809@gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49926396.7040809@gmail.com>
Message-ID: <49926704.8090602@sixdemonbag.org>

Faramir wrote:
> Right, but if I understood it well, he had done more than 700 calls
> from a rechargeable prepaid card... that is not a disposable card.

That wasn't his problem. That was, honestly, mostly irrelevant.

This was his problem: when you're trying to cover your tracks, there are literally hundreds, if not thousands, of ways you can screw up. You have to cover up all of them. The people hunting you only have to uncover one.

McVeigh was also undone by the Ryder truck itself. He thought the truck would be destroyed in the explosion and not provide any links to him. Within hours of the blast, though, they found one of the truck's axles... and it still had a serial number legible on it. They called the axle manufacturer and found out what that axle had been put on; they called up that truck's VIN number and tracked to whom it had been sold. Within a day they were serving the rental facility with a ton of subpoenas and FBI forensic accountants.

If it hadn't been the phone card, it would've been the axle. If it hadn't have been the axle, it would've been the enormous ammonium nitrate purchases he made. If it hadn't have been the enormous ammonium nitrate purchases, then the police would've followed up on a neighbor's complaint about an awful diesel stink by Terry Nichols' home. If it hadn't... etc., etc.

There's a lesson in this for anyone who's thinking of ways to be one step ahead of the secret police. You'll get tripped up by things you never thought of, or things you wrote off as being impossible.

From faramir.cl at gmail.com Wed Feb 11 07:54:22 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Feb 2009 03:54:22 -0300
Subject: paperkey // ?
 feature request
In-Reply-To: <49926704.8090602@sixdemonbag.org>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49926396.7040809@gmail.com> <49926704.8090602@sixdemonbag.org>
Message-ID: <4992761E.7030808@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen wrote:
> Faramir wrote:
>> Right, but if I understood it well, he had done more than 700 calls
>> from a rechargeable prepaid card... that is not a disposable card.
>
> That wasn't his problem.  That was, honestly, mostly irrelevant.
>
> This was his problem: when you're trying to cover your tracks, there are
> literally hundreds, if not thousands, of ways you can screw up.  You
> have to cover up all of them.  The people hunting you only have to
> uncover one.

Well, some time ago I realized if I were a spy, I would already be a dead spy...

And by the way, I already checked my USB flash drives (thanks for the advice, David), and it's right, DataTravelers have serial numbers, and surprisingly, Microlab devices also have serial numbers... I thought maybe these were generic enough not to have them...

Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Wed Feb 11 09:00:37 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Wed, 11 Feb 2009 08:00:37 +0000
Subject: paperkey // ?
 feature request
In-Reply-To: <4992761E.7030808@gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49926396.7040809@gmail.com> <49926704.8090602@sixdemonbag.org> <4992761E.7030808@gmail.com>
Message-ID: <732076a80902110000v46a4747ane440161da8211df2@mail.gmail.com>

This thread reminded me of the attached...

Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: security.png
Type: image/png
Size: 26341 bytes
Desc: not available
URL:

From faramir.cl at gmail.com Wed Feb 11 09:52:36 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Feb 2009 05:52:36 -0300
Subject: paperkey // ? feature request
In-Reply-To: <732076a80902110000v46a4747ane440161da8211df2@mail.gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49926396.7040809@gmail.com> <49926704.8090602@sixdemonbag.org> <4992761E.7030808@gmail.com> <732076a80902110000v46a4747ane440161da8211df2@mail.gmail.com>
Message-ID: <499291D4.7030807@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Benjamin Donnachie wrote:
> This thread reminded me of the attached...

LOL, right... but it could be even worse... a few drops of Scopolamine (prepared as Burundanga) in your beer, and the attacker would be able to make you tell him your passphrases and other stuff, just by asking you to tell that info. And an overdose would be fatal.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From wk at gnupg.org Wed Feb 11 12:18:20 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 11 Feb 2009 12:18:20 +0100
Subject: Hibernation and secret keys
In-Reply-To: <20090211011717.GA29960@jabberwocky.com> (David Shaw's message of "Tue, 10 Feb 2009 20:17:17 -0500")
References: <20090210231912.26565118040@smtp.hushmail.com> <4992146D.30005@sixdemonbag.org> <20090211011717.GA29960@jabberwocky.com>
Message-ID: <87prhpnrwj.fsf@wheatstone.g10code.de>

On Wed, 11 Feb 2009 02:17, dshaw at jabberwocky.com said:

> GPG does have some countermeasures against this sort of thing, but
> given the nature of the problem, they are far from infallible.

For example you can send a HUP to gpg-agent from a suspend event script. This makes sure that gpg-agent clears its passphrase cache. It doesn't help if session keys are still in memory.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
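
One way to wire up the HUP described in the message above, as an added example that is not part of the original post: a sleep hook for pm-utils or systemd. Both hook conventions and the use of `pkill` are assumptions about the host; the hook only empties gpg-agent's passphrase cache and does nothing about session keys still held in memory.

```shell
#!/bin/sh
# Added example (not from the thread): sleep hook that sends SIGHUP to
# gpg-agent so it drops its passphrase cache before the machine sleeps.
# Assumed hook conventions:
#   pm-utils: /etc/pm/sleep.d/<name>               $1 = suspend|hibernate|resume|thaw
#   systemd:  /usr/lib/systemd/system-sleep/<name> $1 = pre|post, $2 = sleep type

# Succeeds only when the hook arguments mean "about to sleep".
entering_sleep() {
    case "$1" in
        suspend|hibernate) return 0 ;;   # pm-utils, going down
        pre)               return 0 ;;   # systemd, before any sleep type
        *)                 return 1 ;;   # resume, thaw, post, or no argument
    esac
}

# Signal every process named exactly gpg-agent. Sleep hooks run as root,
# so this reaches the agents of all logged-in users.
# PKILL can be overridden with a stub for testing.
flush_gpg_agents() {
    rc=0
    "${PKILL:-pkill}" -HUP -x gpg-agent || rc=$?
    # pkill exits 1 when nothing matched: no running agent is not a failure.
    # Exit codes above 1 are real errors and are passed on as failure.
    [ "$rc" -le 1 ]
}

# Hook entry point: flush on the way down, do nothing on the way up.
sleep_hook() {
    if entering_sleep "$1"; then
        flush_gpg_agents
    fi
}

sleep_hook "$@"
```
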
From christoph.anton.mitterer at physik.uni-muenchen.de Wed Feb 11 12:59:48 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 11 Feb 2009 12:59:48 +0100
Subject: Hibernation and secret keys
In-Reply-To: <87prhpnrwj.fsf@wheatstone.g10code.de>
References: <20090210231912.26565118040@smtp.hushmail.com> <4992146D.30005@sixdemonbag.org> <20090211011717.GA29960@jabberwocky.com> <87prhpnrwj.fsf@wheatstone.g10code.de>
Message-ID: <1234353588.10774.4.camel@etppc03>

A good workaround is to use disk encryption (dm-crypt or similar things).

Best wishes,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3387 bytes
Desc: not available
URL:

From ian at ushills.co.uk Sat Feb 7 10:40:08 2009
From: ian at ushills.co.uk (Ian Hill)
Date: Sat, 07 Feb 2009 09:40:08 +0000
Subject: Copy subkeys to primary key
Message-ID: <498D56F8.8090603@ushills.co.uk>

For whatever reason I now have two versions of my private key one without the ELG encryption key and primary key, the other without the RSA signing key.

How can I combine them so I have one secret key with both the ELG and RSA subkeys under the primary key.

This is my new key

sec#  1024D/BE7E87FD 2007-03-14
uid   ushills (Secure email to ushills.co.uk)
uid   Ian Hill (Work Email)
uid   Web Ushills
uid   Ian Hill
uid   Ian Hill
uid   Ian Hill
ssb   2048R/4436432A 2009-02-06

This is my old key

sec   1024D/BE7E87FD 2007-03-14
uid   ushills (Secure email to ushills.co.uk)
uid   Web Ushills
uid   Ian Hill
ssb   2048g/3173413E 2007-03-14

How do I copy the key 4436432A to my primary key BE7E87FD, as my new key lacks the primary key and the encryption key 3173413E.
Thanks

From enrico at enricozini.org Mon Feb 9 15:21:23 2009
From: enrico at enricozini.org (Enrico Zini)
Date: Mon, 9 Feb 2009 14:21:23 +0000
Subject: Using a smart card with revoked keys
Message-ID: <20090209142123.GA24597@enricozini.org>

Hello,

some time ago I lost my card reader, so I revoked the keys on the smart card because I wouldn't have been able to use them for quite some time, until I got a new one.

Now I managed to get a new card reader, and I discovered that gpg doesn't want to use those subkeys: if I try to decode some old data that was encoded with the smart card key, I get "secret key not available", without even being asked the pin.

Is that because they are revoked? Is there a way to use the smart card anyway?

Additional details: gpg --list-secret-keys doesn't show the keys that are on the smart card, although gpg --edit-key lists them as revoked.

Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: Digital signature
URL:

From calestyo at scientia.net Tue Feb 10 14:50:27 2009
From: calestyo at scientia.net (Christoph Anton Mitterer)
Date: Tue, 10 Feb 2009 14:50:27 +0100
Subject: gnupg on celeron and atom cpus
Message-ID: <1234273827.9532.1.camel@fermat.scientia.net>

Hi.

Does anyone of you have an idea whether it could make problems to use gnupg on Celeron or Atom CPUs? I mean could this have an effect on the PRNG, e.g. that the entropy is worse? Or something similar?

Regards,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5108 bytes
Desc: not available
URL:

From xri at abwesend.de Wed Feb 11 13:05:37 2009
From: xri at abwesend.de (pheaneas)
Date: Wed, 11 Feb 2009 13:05:37 +0100
Subject: OpenPGP card not accessible; ctapi-driver option in gpg.conf does the job for me (with cyberjack reader)
Message-ID: <4992BF11.3050602@abwesend.de>

Hi there,

I hope I can forward an argument for not dropping (direct?) support for CT/API readers in GnuPG too soon, as Werner often states (and as the ctapi-driver option is also marked as deprecated in the gpg man page).

Quite recently I dug out my old OpenPGP card again, which I had bought in 2005 but had no luck with getting it to work under Linux since that time. Now, finally it's working like a charm by using the reader's CT/API driver.

It took me quite a while and a lot of "trial and error" (as usual?) to figure out which settings are working and which ones don't. My first attempt was that with pcscd and the following settings:

* gnupg 1.4.9, gpg-agent 2.0.9 (+ scdaemon from gpgsm-package)
* old Reiner SCT pinpad USB (lsusb says 0c4b:0100 Reiner SCT Kartensysteme GmbH cyberJack e-com/pinpad)
* recent driver packages for Debian from Reiner SCT homepage (libctapi-cyberjack2_3.3.0-1stable_i386.deb and ifd-cyberjack2_3.3.0-1stable_i386.deb)
* libpcsclite1 and pcscd (+ libccid, but I don't think it is needed in my case - just a dependency)
* lsmod says that "cyberjack" and "usbserial" are also there
* gpg.conf: use-agent

It worked more or less, but a big drawback, which I experienced, was that for some reason pcscd doesn't detect the card reader when it's pulled out and plugged in again. Pcscd also never releases the connection to the reader, which makes it impossible for other applications, e.g. libchipcard-tools, to access the card reader while pcscd is running. I have to manually restart or rather stop pcscd as root before trying this.
After reading what Malte wrote earlier on this topic I also tried the "ctapi-driver" option, at first in scdaemon.conf:

* scdaemon.conf:
    ctapi-driver libctapi-cyberjack.so
    reader-port 32768
* gpg.conf:
    use-agent

This led to the strange behaviour with every card operation, except "list" or rather "--card-status", which Malte also described, that is the card is suddenly shown as blank and gnupg comes up with an error message like this:

"gpg: sending command 'SCD CHECKPIN' to agent failed ec=6.32817"

So, finally I ended up with this, which solves the described problem for me (even with gpg-agent invoking pinentry for card pin):

* gpg-agent.conf:
    disable-scdaemon   <--- !!
* gpg.conf:
    ctapi-driver libctapi-cyberjack.so
    reader-port 32768
* gpg.conf:
    use-agent

Maybe this can contribute to solve this kind of problem, which other users might have experienced, too - especially with their Reiner-SCT reader.

Regards,
pheaneas

From dshaw at jabberwocky.com Wed Feb 11 15:41:12 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Feb 2009 09:41:12 -0500
Subject: paperkey // ? feature request
In-Reply-To: <732076a80902110000v46a4747ane440161da8211df2@mail.gmail.com>
References: <20090210193120.23AAE20044@smtp.hushmail.com> <4991F521.3090605@sixdemonbag.org> <20090211004625.GA29502@jabberwocky.com> <49923D23.7020101@sixdemonbag.org> <49926396.7040809@gmail.com> <49926704.8090602@sixdemonbag.org> <4992761E.7030808@gmail.com> <732076a80902110000v46a4747ane440161da8211df2@mail.gmail.com>
Message-ID: <751CF2C7-49DD-4BE0-B301-07E3EB4DA592@jabberwocky.com>

On Feb 11, 2009, at 3:00 AM, Benjamin Donnachie wrote:

> This thread reminded me of the attached...

Even more amusing (and accurate) is the ALT text you can see when you mouse over the picture.

David

From guxiaobo1982 at hotmail.com Wed Feb 11 16:10:52 2009
From: guxiaobo1982 at hotmail.com (小波 顾)
Date: Wed, 11 Feb 2009 23:10:52 +0800
Subject: Are GNUPG Keyservers ordinary LDAP Servers?
Message-ID:

From: guxiaobo1982 at hotmail.com
To: gnupg-users at gnu.org
Subject: Are GNUPG Keyservers ordinary LDAP Servers?
Date: Wed, 11 Feb 2009 23:09:22 +0800
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dshaw at jabberwocky.com Wed Feb 11 16:36:15 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Feb 2009 10:36:15 -0500
Subject: Are GNUPG Keyservers ordinary LDAP Servers?
In-Reply-To:
References:
Message-ID: <8C7E01C5-C402-4A3F-84F3-1C6AD0901612@jabberwocky.com>

On Feb 11, 2009, at 10:10 AM, 小波 顾 wrote:

> From: guxiaobo1982 at hotmail.com
> To: gnupg-users at gnu.org
> Subject: Are GNUPG Keyservers ordinary LDAP Servers?

Some of them are, yes. Some of them are SKS: http://www.nongnu.org/sks/

GPG speaks several keyserver protocols, including LDAP, HKP (what SKS speaks), plain old HTTP, DNS CERT, etc.

David

From kloecker at kde.org Wed Feb 11 20:57:30 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 11 Feb 2009 20:57:30 +0100
Subject: where to start?
In-Reply-To: <49926341.7000500@sixdemonbag.org>
References: <20090211051338.GA11649@comcast.net> <49926341.7000500@sixdemonbag.org>
Message-ID: <200902112057.30847@thufir.ingo-kloecker.de>

On Wednesday 11 February 2009, Robert J. Hansen wrote:
> Dr. Scott S. Jones wrote:
> > I run both Win xp and ubuntu 8.10. My wife runs win xp on her
> > laptop. We are at the point now where we both want to enable
> > encrypted emailing AND we want to find a nice way of educating
> > those we email to often, or with whom we exchange sensitive
> > information, in how to use gnupg to encrypt email back and forth.
> > Where should I start?
>
> You've already done it.
> :) Welcome to the community!  You'll find
> we're a pretty friendly bunch here.
>
> I would start by asking whether you want things to "just work" or
> whether you want to take a more direct hand in things.  The former
> will... well... just work.  The latter will require a lot more work,
> but I personally find it more rewarding.
>
> That choice is the first fork in the road.
>
> If you want to go down "just work," the best thing for you to do is
> use S/MIME, the Secure Multipurpose Internet Mail Extensions.  If you
> want to go down "learn a lot and have control," then I would suggest
> OpenPGP.
>
> GnuPG supports both S/MIME and OpenPGP, so both are on-topic for this
> mailing list.  Let us know what you want, and we'll be in a much
> better position to offer you help.  :)

Out of curiosity: Is S/MIME a good solution in a heterogeneous environment, i.e. different mail clients? The German BSI performs extensive and expensive tests to ensure the compatibility of the different S/MIME implementations approved for usage by them. [1]

Regards,
Ingo

[1] http://www.it-grundschutzhandbuch.de/english/gshb/manual/s/s05110.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL:

From dshaw at jabberwocky.com Wed Feb 11 21:52:00 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Feb 2009 15:52:00 -0500
Subject: Hibernation and secret keys
In-Reply-To: <1234353588.10774.4.camel@etppc03>
References: <20090210231912.26565118040@smtp.hushmail.com> <4992146D.30005@sixdemonbag.org> <20090211011717.GA29960@jabberwocky.com> <87prhpnrwj.fsf@wheatstone.g10code.de> <1234353588.10774.4.camel@etppc03>
Message-ID: <20090211205200.GA45639@jabberwocky.com>

On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer wrote:
> A good workaround is to use disk encryption (dm-crypt or similar things).
Encrypted disks don't help without serious OS support around suspend.

Your machine suspends, and writes a snapshot of its memory to disk. Sure, let's say it's even encrypted. When you wake the machine, is the encrypted disk still mounted? If so, then why would I care if it's encrypted or not?

David

From amrobinson at gmail.com Wed Feb 11 21:48:34 2009
From: amrobinson at gmail.com (Andrew Robinson)
Date: Wed, 11 Feb 2009 20:48:34 +0000
Subject: Importing RSA Private Keys into GPG 2.0.10
Message-ID: <957F63A4-EC9D-486C-A35A-5DD08F102B1C@gmail.com>

I'm trying to find a method to import an RSA Private Key into GPG, I've already got a generated RSA Private Key but whenever I try the import I get:

gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

Which makes sense as it's not OpenPGP data that's in the file! Is there any way of doing this or am I going slowly mad?!

Thanks,
Andrew

From kloecker at kde.org Wed Feb 11 22:37:43 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Wed, 11 Feb 2009 22:37:43 +0100
Subject: Hibernation and secret keys
In-Reply-To: <20090211205200.GA45639@jabberwocky.com>
References: <20090210231912.26565118040@smtp.hushmail.com> <1234353588.10774.4.camel@etppc03> <20090211205200.GA45639@jabberwocky.com>
Message-ID: <200902112237.47940@thufir.ingo-kloecker.de>

On Wednesday 11 February 2009, David Shaw wrote:
> On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer wrote:
> > A good workaround is to use disk encryption (dm-crypt or similar
> > things).
>
> Encrypted disks don't help without serious OS support around suspend.

Obviously.

> Your machine suspends, and writes a snapshot of its memory to disk.
> Sure, let's say it's even encrypted.  When you wake the machine, is
> the encrypted disk still mounted?

Obviously not.

Usually your messages are very helpful. Unfortunately, this particular message is the exact opposite.
Googling for "encryption suspend to disk linux" I found many websites explaining how this works with most common distributions (mostly out-of-the box, i.e. without compiling a kernel).

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL:

From dshaw at jabberwocky.com Wed Feb 11 23:00:46 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Feb 2009 17:00:46 -0500
Subject: Hibernation and secret keys
In-Reply-To: <200902112237.47940@thufir.ingo-kloecker.de>
References: <20090210231912.26565118040@smtp.hushmail.com> <1234353588.10774.4.camel@etppc03> <20090211205200.GA45639@jabberwocky.com> <200902112237.47940@thufir.ingo-kloecker.de>
Message-ID: <20090211220046.GA45760@jabberwocky.com>

On Wed, Feb 11, 2009 at 10:37:43PM +0100, Ingo Klöcker wrote:
> On Wednesday 11 February 2009, David Shaw wrote:
> > On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton Mitterer
> wrote:
> > > A good workaround is to use disk encryption (dm-crypt or similar
> > > things).
> >
> > Encrypted disks don't help without serious OS support around suspend.
>
> Obviously.
> >
> > Your machine suspends, and writes a snapshot of its memory to disk.
> > Sure, let's say it's even encrypted. When you wake the machine, is
> > the encrypted disk still mounted?
>
> Obviously not.
>
> Usually your messages are very helpful. Unfortunately, this particular
> message is the exact opposite. Googling for "encryption suspend to disk
> linux" I found many websites explaining how this works with most common
> distributions (mostly out-of-the box, i.e. without compiling a kernel).

Clearly you missed the point. I've seen various cookbook sites on how to do this, and some of them get it dramatically wrong. Hence the question: "When you wake the machine, is the encrypted disk still mounted?"
If the answer is "Yes", then you're not protecting very much. You did not succeed in doing what you were trying to do. If the answer is "No", you at least avoided the usual pitfalls.

David

From christoph.anton.mitterer at physik.uni-muenchen.de Wed Feb 11 23:02:35 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 11 Feb 2009 23:02:35 +0100
Subject: Hibernation and secret keys
In-Reply-To: <200902112237.47940@thufir.ingo-kloecker.de>
References: <20090210231912.26565118040@smtp.hushmail.com> <1234353588.10774.4.camel@etppc03> <20090211205200.GA45639@jabberwocky.com> <200902112237.47940@thufir.ingo-kloecker.de>
Message-ID: <1234389755.12781.1.camel@fermat.scientia.net>

On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote:
> > Your machine suspends, and writes a snapshot of its memory to disk.
> > Sure, let's say it's even encrypted. When you wake the machine, is
> > the encrypted disk still mounted?
>
> Obviously not.

Why? This IS of course possible...

Of course you need something secure (e.g. a USB stick) to boot from.

And one should prevent Suspend to RAM, due to well known colling attacks...

Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3387 bytes
Desc: not available
URL:

From christoph.anton.mitterer at physik.uni-muenchen.de Wed Feb 11 23:04:56 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Wed, 11 Feb 2009 23:04:56 +0100
Subject: Hibernation and secret keys
In-Reply-To: <20090211220046.GA45760@jabberwocky.com>
References: <20090210231912.26565118040@smtp.hushmail.com> <1234353588.10774.4.camel@etppc03> <20090211205200.GA45639@jabberwocky.com> <200902112237.47940@thufir.ingo-kloecker.de> <20090211220046.GA45760@jabberwocky.com>
Message-ID: <1234389896.12781.4.camel@fermat.scientia.net>

On Wed, 2009-02-11 at 17:00 -0500, David Shaw wrote:
> If the answer is "Yes", then you're not protecting very much. You did
> not succeed in doing what you were trying to do. If the answer is
> "No", you at least avoided the usual pitfalls.

Yep,... you're right =)
It should be really possible to make this very secure, but one has to know what one does. (As always ^^)

Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3387 bytes
Desc: not available
URL:

From dshaw at jabberwocky.com Wed Feb 11 23:22:23 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 11 Feb 2009 17:22:23 -0500
Subject: Howto import more than one key from a keyserver at a time
In-Reply-To: <4991B96B.9060707@Mozilla-Enigmail.org>
References: <49919FAF.7040901@gmx.net> <4991B96B.9060707@Mozilla-Enigmail.org>
Message-ID: <20090211222222.GA45944@jabberwocky.com>

On Tue, Feb 10, 2009 at 11:29:15AM -0600, John Clizbe wrote:
> It won't check the keys that it needs to fetch, you'll need to run
> the commands again. Note, this can get you a LOT of keys that you
> may have little interest in.

Indeed, a whole lot of keys. It might be more useful to pick a person you are trying to make a connection to and just fetch the keys along that path.
I've often thought that a clever keyserver could do that (i.e. download the keys that form the shortest trust path between two keys). Wotsap and http://pgp.cs.uu.nl are 80% of the way there already.

David

From CollingsDH at worldkitchen.com Wed Feb 11 23:21:00 2009
From: CollingsDH at worldkitchen.com (Collings, David H.)
Date: Wed, 11 Feb 2009 17:21:00 -0500
Subject: decryption failed: secret key not available
Message-ID:

Hello,

I've seen similar issues in some other posts, but still am unclear as to how to resolve my issue.

I am trying to run a script to decrypt a file automatically from our job scheduler (UC4). I am able to run the script from the command prompt or by executing the .bat file from the server. I've used a number of variations to pass in the passphrase from a file, etc and they all work fine from the command prompt. However when I attempt to run the script from the scheduler I get an error that the secret key is not available:

gpg: encrypted with ELG-E key, ID 5D969323
gpg: decryption failed: secret key not available

I am able to encrypt files using a script from the job scheduler, but apparently running in this way the secret key can be located for decrypting.

In another similar posting I found the response:

"It's not a question of the passphrase; rather, the key isn't there. If it works from the command line but not from the scheduled job, then I'd check for differences in the environment. Possibly you have two different GPG home directories when run in your two different ways. Check for different GNUPGHOME variables as well as different home directories for your different run methods."

This was the end of the post, so I'm not sure of the resolution to it. I googled how to check the home variable and I don't see that any are set up on the server, other than the PATH location. This appears to be an environmental issue, but not sure how to proceed towards a fix at this point.
Thanks for any help,
Dave Collings
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From kloecker at kde.org Thu Feb 12 00:09:55 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 12 Feb 2009 00:09:55 +0100
Subject: Hibernation and secret keys
In-Reply-To: <1234389755.12781.1.camel@fermat.scientia.net>
References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net>
Message-ID: <200902120009.55568@thufir.ingo-kloecker.de>

On Wednesday 11 February 2009, Christoph Anton Mitterer wrote:
> On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote:
> > > Your machine suspends, and writes a snapshot of its memory to
> > > disk. Sure, let's say it's even encrypted. When you wake the
> > > machine, is the encrypted disk still mounted?
> >
> > Obviously not.
>
> Why? This IS of course possible...

Do you mean in a secure way? If yes, then that's not what I understood that David meant.

> Of course you need something secure (e.g. a USB stick) to boot from.

USB stick and secure? :-)

> And one should prevent Suspend to RAM, due to well known colling
> attacks...

Of course. Another "obviously" that might be necessary to state explicitly because it might not be obvious to everybody.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL:

From kloecker at kde.org Thu Feb 12 00:21:42 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Thu, 12 Feb 2009 00:21:42 +0100
Subject: Hibernation and secret keys
In-Reply-To: <20090211220046.GA45760@jabberwocky.com>
References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <20090211220046.GA45760@jabberwocky.com>
Message-ID: <200902120021.42737@thufir.ingo-kloecker.de>

On Wednesday 11 February 2009, David Shaw wrote:
> On Wed, Feb 11, 2009 at 10:37:43PM +0100, Ingo Klöcker wrote:
> > On Wednesday 11 February 2009, David Shaw wrote:
> > > On Wed, Feb 11, 2009 at 12:59:48PM +0100, Christoph Anton
> > > Mitterer
> >
> > wrote:
> > > > A good workaround is to use disk encryption (dm-crypt or
> > > > similar things).
> > >
> > > Encrypted disks don't help without serious OS support around
> > > suspend.
> >
> > Obviously.
> >
> > > Your machine suspends, and writes a snapshot of its memory to
> > > disk. Sure, let's say it's even encrypted. When you wake the
> > > machine, is the encrypted disk still mounted?
> >
> > Obviously not.
> >
> > Usually your messages are very helpful. Unfortunately, this
> > particular message is the exact opposite. Googling for "encryption
> > suspend to disk linux" I found many websites explaining how this
> > works with most common distributions (mostly out-of-the box, i.e.
> > without compiling a kernel).
>
> Clearly you missed the point.

I don't think so. :-)

> I've seen various cookbook sites on
> how to do this, and some of them get it dramatically wrong. Hence
> the question: "When you wake the machine, is the encrypted disk still
> mounted?"

In this context your question makes sense. Without the context it sounded like a rhetorical question to me.

> If the answer is "Yes", then you're not protecting very much. You
> did not succeed in doing what you were trying to do. If the answer
> is "No", you at least avoided the usual pitfalls.
I missed this last sentence in the message I replied to.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL:

From faramir.cl at gmail.com Thu Feb 12 00:55:01 2009
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 11 Feb 2009 20:55:01 -0300
Subject: where to start?
In-Reply-To: <20090211051338.GA11649@comcast.net>
References: <20090211051338.GA11649@comcast.net>
Message-ID: <49936555.2050107@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dr. Scott S. Jones wrote:
> I run both Win xp and ubuntu 8.10. My wife runs win xp on her laptop. We are
> at the point now where we both want to enable encrypted emailing AND we want
> to find a nice way of educating those we email to often, or with whom we
> exchange sensitive information, in how to use gnupg to encrypt email back
> and forth. Where should I start?

Well, as Robert J. Hansen already said, you must choose between 2 different standards: S/Mime and OpenPGP. Personally, I would rather use OpenPGP, since I think it is more flexible, I can encrypt/decrypt text in the clipboard, encrypt files before uploading them to an ftp... But not every email client supports OpenPGP. Most people I know (including me), use Mozilla Thunderbird with Enigmail addon to provide support of GnuPG. Other people are using FireGPG, an addon that allows them to compose encrypted messages using webmail interfaces (like Gmail). But if you use FireGPG, beware of auto saving of draft messages, there is no warranty they will really be deleted after sending the message.

On windows, I would install GnuPG 1.4.9 for windows (available at GnuPG website), or GPG4Win, which is GPG2 compiled for Windows (includes GnuPG 1.4.x as its core files, plus GPG2.exe which is the one capable of using S/Mime, _if I am not wrong_ about GPG2).
Recently, gpg4win-1.1.4rc1.exe was released, and if everything goes right, in less than a week we should have the updated version, which includes gpg 1.4.9 as the core files, the most recent version of GPG2, and some useful tools. The advantage gpg4win has, is it includes a lot more things than gpg 1.4.9, but doesn't force you to install these things. Also, it will include gpg in the windows path global environment variable, something the user has to do manually with gpg 1.4.9.

I would also install GPGShell GUI tool for gpg, it is awesome, and lets you easily perform a lot of tasks, such as encrypting/decrypting the content of the clipboard, etc.

A good way to learn about OpenPGP (in particular, GnuPG) is the GnuPG Privacy Handbook, it is not hard to understand, and if somebody has any question, they can ask here about it.

http://www.gnupg.org/gph/en/manual.html

By the way, do you have the chance to do face to face or telephonic meetings with the people with whom you exchange sensitive information? If you do, you can easily exchange OpenPGP keys fingerprints. If not, maybe you would be interested in getting a digital certificate signed by a trusted CA, and use it with S/MIME standard (it's a centralized system, so you won't need to arrange face to face meetings). Or you can do as I did, first I got a certificate from CAcert.org, and then used it to prove my identity and exchange OpenPGP fingerprints (also, CAcert signed my keys, which made things easier). Also, that way, you would be capable of using both standards.
Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Thu Feb 12 01:18:14 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 11 Feb 2009 19:18:14 -0500
Subject: where to start?
In-Reply-To: <49936555.2050107@gmail.com>
References: <20090211051338.GA11649@comcast.net> <49936555.2050107@gmail.com>
Message-ID: <49936AC6.6010200@sixdemonbag.org>

Faramir wrote:
> Well, as Robert J. Hansen already said

Please -- just Rob. I go by "Robert J. Hansen" professionally, to reduce confusion with some other people in the security community who are named Robert Hansen. But everybody just calls me Rob.

> But if you use FireGPG, beware of auto saving of draft messages,
> there is no warranty they will really be deleted after sending the
> message.

Faramir, while I don't disagree with anything you're saying, I think it might be a good idea to let the new guy drink at his own pace instead of hitting him with the fire hose. :)

(Yeah, yeah. The irony. _Me_ saying this. I plead guilty to hypocrisy and hope that the next time I do the same, people will remind me.)

(Idiom note: in American English, "drinking from the fire hose" means "being given information more quickly than you can understand it.")

From rjh at sixdemonbag.org Thu Feb 12 01:51:49 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 11 Feb 2009 19:51:49 -0500
Subject: Update
Message-ID: <499372A5.4070509@sixdemonbag.org>

Regarding the shredded CD-R:

I talked to my source and reminded him of our 2005 conversation. It became clear that further details are not available for public release. In light of this, I have to withdraw my statement. I can't back it up; and that means regardless of whether it's true or false, it has to be withdrawn.

However, my source did point me to the 2006 Defense CyberCrime Center Forensics Challenge, which involved recovering data off a CD which had been sliced in two. While a much weaker challenge than reassembling a shredded CD-R, it is in the same neighborhood, and it's reasonable to believe that specialist outfits will have better tools available to them than the DC3 participants had.

From malte.gell at gmx.de Thu Feb 12 09:46:23 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Thu, 12 Feb 2009 09:46:23 +0100
Subject: openPGP card: using a readers keypad instead of pinentry-qt
Message-ID: <200902120946.29949.malte.gell@gmx.de>

Hello,

being a class 3 reader, my cardreader has a keypad and a display, but gpg-agent still invokes pinentry-qt to enter the pin. How can I change this to use the cardreader's keypad?

I have not set "--disable-keypad" in scdaemon.conf

thanx
Malte
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From sven at radde.name Thu Feb 12 00:32:59 2009
From: sven at radde.name (Sven Radde)
Date: Thu, 12 Feb 2009 00:32:59 +0100
Subject: Hibernation and secret keys
In-Reply-To: <20090211220046.GA45760@jabberwocky.com>
References: <20090210231912.26565118040@smtp.hushmail.com> <1234353588.10774.4.camel@etppc03> <20090211205200.GA45639@jabberwocky.com> <200902112237.47940@thufir.ingo-kloecker.de> <20090211220046.GA45760@jabberwocky.com>
Message-ID: <4993602B.4050205@radde.name>

Hi!
David Shaw wrote:
> Hence the
> question: "When you wake the machine, is the encrypted disk still
> mounted?"

See the last paragraph of :
"Finished. During boot the system will ask two times for a LUKS passphrase, first for the root device and second for the swap device. During resuming from suspend to disk the system will also ask for the two LUKS passphrases."

I haven't tried this particular configuration myself, but from how the setup is done in that howto (particularly setting up the swap partition), it appears to be plausible.

cu, Sven

From wk at gnupg.org Thu Feb 12 12:41:45 2009
From: wk at gnupg.org (Werner Koch)
Date: Thu, 12 Feb 2009 12:41:45 +0100
Subject: openPGP card: using a readers keypad instead of pinentry-qt
In-Reply-To: <200902120946.29949.malte.gell@gmx.de> (Malte Gell's message of "Thu, 12 Feb 2009 09:46:23 +0100")
References: <200902120946.29949.malte.gell@gmx.de>
Message-ID: <87ljsbzxty.fsf@wheatstone.g10code.de>

On Thu, 12 Feb 2009 09:46, malte.gell at gmx.de said:

> being a class 3 reader, my cardreader has a keypad and a display, but gpg-
> agent still invokes pinentry-qt to enter the pin. How can I change this to use
> the cardreader's keypad?

Your card reader's keypad is not supported. See this comment:

  /* We have only tested a few readers so better don't risk anything
     and do not allow the use with other readers. */
  switch (handle->id_vendor)
    {
    case VENDOR_SCM:  /* Tested with SPR 532. */
    case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */
      break;
    case VENDOR_CHERRY:
      /* The CHERRY XX44 keyboard echos an asterisk for each entered
         character on the keyboard channel. We use a special variant
         of PC_to_RDR_Secure which directs these characters to the
         smart card's bulk-in channel. We also need to append a zero
         Lc byte to the APDU. It seems that it will be replaced with
         the actual length instead of being appended before the APDU
         is send to the card. */
      cherry_mode = 1;
      break;
    default:
      return CCID_DRIVER_ERR_NOT_SUPPORTED;
    }

You also need to use the internal ccid driver.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From malte.gell at gmx.de Thu Feb 12 14:45:26 2009
From: malte.gell at gmx.de (Malte Gell)
Date: Thu, 12 Feb 2009 14:45:26 +0100
Subject: openPGP card: using a readers keypad instead of pinentry-qt
In-Reply-To: <87ljsbzxty.fsf@wheatstone.g10code.de>
References: <200902120946.29949.malte.gell@gmx.de> <87ljsbzxty.fsf@wheatstone.g10code.de>
Message-ID: <200902121445.34191.malte.gell@gmx.de>

On Thursday, 12 February 2009 12:41:45, Werner Koch wrote:
> On Thu, 12 Feb 2009 09:46, malte.gell at gmx.de said:
> > being a class 3 reader, my cardreader has a keypad and a display, but
> > gpg-agent still invokes pinentry-qt to enter the pin. How can I change
> > this to use the cardreader's keypad?
>
> Your card reader's keypad is not supported. See this comment:
>
> /* We have only tested a few readers so better don't risk anything
> and do not allow the use with other readers. */
> switch (handle->id_vendor)

I see. Are there such specific requirements by different card readers that you are forced to individually test them for keypad support? Could someone who owns such a not yet supported reader help you?

> You also need to use the internal ccid driver.

...in order to get keypad support? PCSC has proven to be most reliable to me... I have not been able to get the CCID running. Does GnuPG's internal CCID driver run with *any* CCID cardreader?

Thanx
Malte
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From faramir.cl at gmail.com Thu Feb 12 16:26:22 2009
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 12 Feb 2009 12:26:22 -0300
Subject: General Error while checking message signature (Maybe I should has at Enigmail list)
In-Reply-To: <200902120946.29949.malte.gell@gmx.de>
References: <200902120946.29949.malte.gell@gmx.de>
Message-ID: <49943F9E.2090004@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello:

Well, recently, I have noticed some signed messages fail to verify the signature due to General Error... while maybe it has been happening for a long time, I "feel" this error didn't happen before, or at least, not so often as I am seeing it now. What I mean is, while it is not new to see signatures that don't verify (from time to time), I vaguely remember it used to be due to other kinds of errors.

The error message is the following one (I use Spanish version of Thunderbird, so I translated to English where I felt it was not so clear the meaning of the phrase, between parentheses):

"gpg línea de comandos y salida: (gpg command line and output)
C:\\Archivos de programa\\GNU\\GnuPG\\gpg.exe --charset utf8 --batch --no-tty --status-fd 2 --verify
gpg: Firmado el 02/12/09 05:46:23 (gpg: Signed on 02/12/09 05:46:23)
gpg: usando RSA clave 0x0F278D6D
gpg: AVISO: conflicto con el resumen de la firma del mensaje (gpg: WARNING: conflict with the hash of the signature of the message)
gpg: Imposible comprobar la firma: Error general (gpg: Unable to check signature: General error)."

Last error message happened when reading Malte Gell's message about "openPGP card: using a readers keypad instead of pinentry-qt"

All the messages that caused this error had attached a signature.asc file.

While I have modified my gpg default preferences, I did that some months ago, so I think this is not related to recent changes (I have not done any changes recently).

Any idea about what could be causing this error?
Best Regards

P.S: I'm running Windows XP SP3, Thunderbird 2.0.0.19, GnuPG 1.4.9, and Enigmail 0.95.7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Thu Feb 12 17:03:04 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 12 Feb 2009 11:03:04 -0500
Subject: General Error while checking message signature (Maybe I should has at Enigmail list)
In-Reply-To: <49943F9E.2090004@gmail.com>
References: <200902120946.29949.malte.gell@gmx.de> <49943F9E.2090004@gmail.com>
Message-ID: <49944838.8020208@sixdemonbag.org>

Faramir wrote:
> Any idea about what could be causing this error?

Yes; it's possible (even likely) Malte's setup is misconfigured. He's been using PGP/MIME for his signatures, which requires that the hash algorithm be included in the MIME header. I've seen this error occur before when the algorithm used in the signature is not the same as the one declared in the MIME header.

I haven't done any checking into the matter, so please consider this only a possibility.

From rjh at sixdemonbag.org Thu Feb 12 17:09:59 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 12 Feb 2009 11:09:59 -0500
Subject: General Error while checking message signature (Maybe I should has at Enigmail list)
In-Reply-To: <49944838.8020208@sixdemonbag.org>
References: <200902120946.29949.malte.gell@gmx.de> <49943F9E.2090004@gmail.com> <49944838.8020208@sixdemonbag.org>
Message-ID: <499449D7.1020207@sixdemonbag.org>

Robert J. Hansen wrote:
> I haven't done any checking into the matter, so please consider this
> only a possibility.

A follow-up:

gpg: using character set `utf-8'
gpg: armor: BEGIN PGP SIGNATURE
gpg: armor header: Version: GnuPG v2.0.10 (GNU/Linux)
:signature packet: algo 1, keyid CA3CCC060F278D6D
    version 4, created 1234446326, md5len 0, sigclass 0x00
    digest algo 3, begin of digest 15 10
    hashed subpkt 2 len 4 (sig created 2009-02-12)
    subpkt 16 len 8 (issuer key ID CA3CCC060F278D6D)
    data: [1023 bits]
Detached signature.
Please enter name of data file: Desktop/malte.eml
gpg: Signature made Thu Feb 12 08:45:26 2009 EST using RSA key ID 0F278D6D
gpg: BAD signature from "Malte Gell "
gpg: binary signature, digest algorithm RIPEMD160

... So according to GnuPG, the sig is using RIPEMD160. But ta-da, look at the message header (slightly edited for readability):

Content-Type: multipart/signed; ...
    protocol="application/pgp-signature"; micalg=pgp-sha1

The message declares it's using SHA1, the message actually uses RIPEMD160. Presto, instant conflict. GnuPG correctly flags the message as being suspect, since the message is inconsistent.

From John at Mozilla-Enigmail.org Thu Feb 12 17:23:19 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Thu, 12 Feb 2009 10:23:19 -0600
Subject: General Error while checking message signature (Maybe I should has at Enigmail list)
In-Reply-To: <49943F9E.2090004@gmail.com>
References: <200902120946.29949.malte.gell@gmx.de> <49943F9E.2090004@gmail.com>
Message-ID: <49944CF7.4070902@Mozilla-Enigmail.org>

Faramir wrote:
> All the messages that caused this error had attached a signature.asc file.

That's a sign of a PGP/MIME message. The signature is put into another chunk of the email than the message.

> While I have modified my gpg default preferences, I did that some
> months ago, so I think this is not related to recent changes (I have not
> done any changes recently).
>
>
> Any idea about what could be causing this error?
Misconfiguration on his end. PGP/MIME requires that the hash algorithm be included in the MIME header. His message header specifies:

Content-Type: multipart/signed;
    protocol="application/pgp-signature"; micalg=pgp-sha1

SHA-1

Looking at the signature:

$ gpg --list-packets < malte-sig
:signature packet: algo 1, keyid CA3CCC060F278D6D
    version 4, created 1234428383, md5len 0, sigclass 0x00
    digest algo 3, begin of digest 7d 03
    hashed subpkt 2 len 4 (sig created 2009-02-12)
    subpkt 16 len 8 (issuer key ID CA3CCC060F278D6D)
    data: [1024 bits]

Digest algo 3 ==> RIPEMD160

His client says, "I'm signing with SHA-1," but then appends a RIPEMD160 signature. That's what's causing this error.

Regards

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
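The comparison Rob and John carry out by hand above (the `micalg` parameter of the `Content-Type` header against the digest algorithm recorded in the signature packet) can be automated. The following Python code is an added example, not code from this thread, GnuPG or Enigmail: the function names are hypothetical, and the sample message is constructed, with a signature packet that has the v4 header layout but placeholder contents, so only the header comparison is exercised and no signature is verified.

```python
import base64
import email

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) -> name used in micalg.
HASH_NAMES = {1: "md5", 2: "sha1", 3: "ripemd160", 8: "sha256",
              9: "sha384", 10: "sha512", 11: "sha224"}


def dearmor(text):
    """Return the binary packet data inside an ASCII-armored signature."""
    lines = [line.strip() for line in text.strip().splitlines()]
    start = next((i for i, line in enumerate(lines)
                  if line.startswith("-----BEGIN PGP SIGNATURE")), None)
    if start is None:
        raise ValueError("no armored signature found")
    data, in_headers = [], True
    for line in lines[start + 1:]:
        if line.startswith("-----END"):
            break
        if in_headers:
            if line == "" or ": " in line:
                in_headers = line != ""   # blank line ends the armor headers
                continue
            in_headers = False            # no blank separator: data starts here
        if line.startswith("="):          # optional CRC24 line ends the data
            break
        if line:
            data.append(line)
    return base64.b64decode("".join(data))


def signature_hash_algo(packet):
    """Return the digest algorithm ID stored in a signature packet header."""
    first = packet[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new-format packet header
        tag, length_octet = first & 0x3F, packet[1]
        if length_octet < 192:
            header_len = 2
        elif length_octet < 224:
            header_len = 3
        elif length_octet == 255:
            header_len = 6
        else:
            raise ValueError("partial body length in a signature packet")
    else:                                 # old-format packet header
        tag = (first >> 2) & 0x0F
        header_len = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    body = packet[header_len:]
    if body[0] == 4:      # version, sigclass, pubkey algo, hash algo
        return body[3]
    if body[0] == 3:      # hash algo follows time, key ID and pubkey algo
        return body[16]
    raise ValueError("unsupported signature version %d" % body[0])


def check_micalg(raw_message):
    """Compare the declared micalg with the digest algo in the signature."""
    msg = email.message_from_string(raw_message)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a PGP/MIME signed message")
    declared = (msg.get_param("micalg") or "").lower()
    sig_part = next(p for p in msg.get_payload()
                    if p.get_content_type() == "application/pgp-signature")
    algo_id = signature_hash_algo(dearmor(sig_part.get_payload()))
    actual = "pgp-" + HASH_NAMES.get(algo_id, "unknown-%d" % algo_id)
    return {"declared": declared, "actual": actual,
            "consistent": declared == actual}


def constructed_sig_packet(hash_algo):
    """Constructed v4 signature packet: real layout, placeholder contents."""
    hashed = bytes([5, 2]) + (1234567890).to_bytes(4, "big")  # creation time
    unhashed = bytes([9, 16]) + bytes(8)                      # issuer key ID
    body = (bytes([4, 0x00, 1, hash_algo])
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + bytes(2)                             # left 16 bits of digest
            + (8).to_bytes(2, "big") + b"\xff")    # placeholder MPI
    return bytes([0x88, len(body)]) + body  # old format, tag 2, 1-byte length


def constructed_message(micalg, hash_algo):
    """Constructed PGP/MIME message declaring micalg, signed with hash_algo."""
    armor = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
             + base64.b64encode(constructed_sig_packet(hash_algo)).decode()
             + "\n-----END PGP SIGNATURE-----")
    return "\n".join([
        "From: sender@example.org", "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/signed; boundary="b1";',
        ' protocol="application/pgp-signature"; micalg=' + micalg,
        "", "--b1", "Content-Type: text/plain", "", "hello",
        "--b1", "Content-Type: application/pgp-signature", "", armor,
        "--b1--", ""])


if __name__ == "__main__":
    print(check_micalg(constructed_message("pgp-sha1", 3)))    # mismatch
    print(check_micalg(constructed_message("pgp-sha256", 8)))  # consistent
```

A mismatch reported here only says the header and the signature disagree about the digest; the signature itself still has to be checked with gpg.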
Name: signature.asc
Type: application/pgp-signature
Size: 677 bytes
Desc: OpenPGP digital signature
URL:

From christoph.anton.mitterer at physik.uni-muenchen.de Thu Feb 12 18:40:22 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Thu, 12 Feb 2009 18:40:22 +0100
Subject: Hibernation and secret keys
In-Reply-To: <200902120009.55568@thufir.ingo-kloecker.de>
References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de>
Message-ID: <1234460422.4248.13.camel@fermat.scientia.net>

On Thu, 2009-02-12 at 00:09 +0100, Ingo Klöcker wrote:
> On Wednesday 11 February 2009, Christoph Anton Mitterer wrote:
> > On Wed, 2009-02-11 at 22:37 +0100, Ingo Klöcker wrote:
> > > > Your machine suspends, and writes a snapshot of its memory to
> > > > disk. Sure, let's say it's even encrypted. When you wake the
> > > > machine, is the encrypted disk still mounted?
> > >
> > > Obviously not.
> >
> > Why? This IS of course possible...
>
> Do you mean in a secure way? If yes, then that's not what I understood
> that David meant.

He just meant that one has to know what one does in order to do it really secure, if I understood him correctly.

> USB stick and secure? :-)

Of course. The idea is that you can encrypt everything but the kernel+initrd, which is needed in order to decrypt the partition (better said, to set up the dm-crypt mapping).
And a USB stick could be always with you.

Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From wk at gnupg.org Thu Feb 12 18:41:47 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 12 Feb 2009 18:41:47 +0100 Subject: openPGP card: using a readers keypad instead of pinentry-qt In-Reply-To: <200902121445.34191.malte.gell@gmx.de> (Malte Gell's message of "Thu, 12 Feb 2009 14:45:26 +0100") References: <200902120946.29949.malte.gell@gmx.de> <87ljsbzxty.fsf@wheatstone.g10code.de> <200902121445.34191.malte.gell@gmx.de> Message-ID: <87zlgry2lg.fsf@wheatstone.g10code.de> On Thu, 12 Feb 2009 14:45, malte.gell at gmx.de said: > I see. Are there such specific requirements by different card readers that you > are forced to individually test them for keypad support? Could someone who > owns such a not yet supported reader help you? Yes, just try it out. Changing the check in gnupg/scd/ccid-driver.c should be easy enough. > ...in order to get keypad support? PCSC has proven to be most reliable to > me... I have not been able to get the CCID running. Does GnuPGs internal CCID Right. At the time I implemeted keypad support, tehre was no PC/SC standard on how to do this. IIRC, this changed recently but I have no time to test and implement this. > driver run with *any* CCID cardreader? Yes, any modern CCID driver which does automatic protocol negotiation and provides at least TPDU level exchange. Everything else is not worth the trouble and you can resort to pcscd. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From faramir.cl at gmail.com Thu Feb 12 19:26:20 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 12 Feb 2009 15:26:20 -0300 Subject: where to start? In-Reply-To: <49936AC6.6010200@sixdemonbag.org> References: <20090211051338.GA11649@comcast.net> <49936555.2050107@gmail.com> <49936AC6.6010200@sixdemonbag.org> Message-ID: <499469CC.5000802@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. 
Hansen escribi?: ... > Please -- just Rob. I go by "Robert J. Hansen" professionally, to > reduce confusion with some other people in the security community who > are named Robert Hansen. But everybody just calls me Rob. Ok Rob, I'll remember that ;) ... > Faramir, while I don't disagree with anything you're saying, I think it > might be a good idea to let the new guy drink at his own pace instead of > hitting him with the fire hose. :) Yes, you are right... I was intending to provide a few hints about what to install, and what to read in order to be able to "start playing" with gpg... and before I realized, I had written a long and confusing message... I think this could be related to the fact most of my friends have refused to even think about using gpg... probably I scared them to death when I talked about it... (sigh). By the way, when you said GPG supports both OpenPGP and S/MIME, you was talking about GPG2, right? (I mean, for the S/MIME part). Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From faramir.cl at gmail.com Thu Feb 12 20:05:14 2009 From: faramir.cl at gmail.com (Faramir) Date: Thu, 12 Feb 2009 16:05:14 -0300 Subject: General Error while checking message signature (Maybe I should has at Enigmail list) In-Reply-To: <499449D7.1020207@sixdemonbag.org> References: <200902120946.29949.malte.gell@gmx.de> <49943F9E.2090004@gmail.com> <49944838.8020208@sixdemonbag.org> <499449D7.1020207@sixdemonbag.org> Message-ID: <499472EA.4060001@gmail.com> 
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. Hansen escribi?: ... > A follow-up: ... > ... So according to GnuPG, the sig is using RIPEMD160. But ta-da, look > at the message header (slightly edited for readability): ... > > Content-Type: multipart/signed; ... > protocol="application/pgp-signature"; micalg=pgp-sha1 ... > The message declares it's using SHA1, the message actually uses > RIPEMD160. Presto, instant conflict. GnuPG correctly flags the message > as being suspect, since the message is inconsistent. Thanks, next time I'll know where to look to know if the problem is in my side or at the sender's side... And thanks to John P. Clizbe, I also read your message ;) Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From wk at gnupg.org Fri Feb 13 11:18:33 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Feb 2009 11:18:33 +0100 Subject: Importing RSA Private Keys into GPG 2.0.10 In-Reply-To: <957F63A4-EC9D-486C-A35A-5DD08F102B1C@gmail.com> (Andrew Robinson's message of "Wed, 11 Feb 2009 20:48:34 +0000") References: <957F63A4-EC9D-486C-A35A-5DD08F102B1C@gmail.com> Message-ID: <87ocx6y70m.fsf@wheatstone.g10code.de> On Wed, 11 Feb 2009 21:48, amrobinson at gmail.com said: > I'm trying to find a method to import an RSA Private Key into GPG, > i've already god a generated RSA Private Key but when ever I try the > import I get: > gpg: no valid OpenPGP data found. What kind of private key is that? 
Obviously gpg expects an OpenPGP formated private key. If you try to import a pkcs#12 encoded key, chances are high that you try to import a key from or with an X.509 certificate. gpg's cousin gpgsm works with X.509 certificates and you import a pkcs#12 private key as you would expect: gpgsm --import foo.p12 Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From db111 at freemail.hu Fri Feb 13 15:11:37 2009 From: db111 at freemail.hu (Csabi) Date: Fri, 13 Feb 2009 15:11:37 +0100 (CET) Subject: GPGSM how to set key to "alwais trust"? Message-ID: Hi all, Thx to help in my last question. I would like to get help. Can somebody send me an example gpgsm.conf? I would like to set "fully trusted" a certificate. I imported my friend certificate but GPGSM cant encrypt the message because "Missing certificate. Can somebody help me how do i set the "alwais trust" mode? Thx. Best wishes, Csabi From wk at gnupg.org Fri Feb 13 16:41:42 2009 From: wk at gnupg.org (Werner Koch) Date: Fri, 13 Feb 2009 16:41:42 +0100 Subject: GPGSM how to set key to "alwais trust"? In-Reply-To: (db111@freemail.hu's message of "Fri, 13 Feb 2009 15:11:37 +0100 (CET)") References: Message-ID: <87ljsawdhl.fsf@wheatstone.g10code.de> On Fri, 13 Feb 2009 15:11, db111 at freemail.hu said: > I would like to set "fully trusted" a certificate. I imported my > friend certificate but GPGSM cant encrypt the message because "Missing > certificate. Can somebody help me how do i set the "alwais trust" mode? There is nothing like this with X.509 (i.e. gpgsm). You need to trust the Root CA's certificate and then all certificates issue from the CA or its Intermediate CAs are all trusted and usable. This is much the same as with Web browsers, where you can add other Root CA certificates (or better remove a whole bunch of them). With GPGSM there is a distinction between having a certificate in your local ~/.gnupg/keyring.kbx file and marking it as trusted. 
To make it work you need to do both: Import the Root certificate and mark it trusted. Import is done using something like "gpgsm --import rootca.der". Marking it as trusted can be done by manually editing the file ~/.gnupg/trustlist.txt (there are instructions on the top) or by putting a line "allow-mark-trusted" into ~/.gnupg/gpg-agent.conf and giving gpg-agent a HUP. With allow-mark-trusted active, gpg-agent will ask you whether you trust that root certificate and insert it for you into the trustlist.txt. Note that you need to import intermediate certificates as well in case you don't have them. That might be the reason for a "Missing certificate" error too. The log file should show you information about the required certificates (try GPGSM's --verbose option). Also note that GPGSM asks the Dirmngr to check the CRL and Dirmngr also needs a set of certificates. The Dirmngr manual tells how to install them. The latest version of the Dirmngr is a bit more relaxed in this regard and able to ask gpgsm for missing certificates and whether a root certificate is trusted. You may use the GPGSM option --disable-crl-checks of course. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From tanuja.sarraju at gmail.com Thu Feb 12 20:57:03 2009 From: tanuja.sarraju at gmail.com (Tanu) Date: Thu, 12 Feb 2009 11:57:03 -0800 (PST) Subject: JAVA Standard API for GnuPG v1.80? Message-ID: <21983715.post@talk.nabble.com> Hi, Is there any Standard JAVA API from SUN or Apache for GnuPG v1.80? Any inputs on this will be highly appreciated. Thank you & Best Regards, Tanuja Sarraju -- View this message in context: http://www.nabble.com/JAVA-Standard-API-for-GnuPG-v1.80--tp21983715p21983715.html Sent from the GnuPG - User mailing list archive at Nabble.com. 
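The header/signature conflict Robert J. Hansen describes earlier in this archive (the MIME header declares micalg=pgp-sha1 while the signature itself uses RIPEMD160) can be checked mechanically by reading the hash algorithm octet out of the OpenPGP signature packet and comparing it with the declared micalg. The Python below is an added example, not code from any poster or from GnuPG or Enigmail; all function names are hypothetical, and the sample message is constructed (its signature packet is structurally valid but cryptographically meaningless).

```python
import base64
import email

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) mapped to micalg values.
HASH_ALGOS = {1: "pgp-md5", 2: "pgp-sha1", 3: "pgp-ripemd160", 8: "pgp-sha256",
              9: "pgp-sha384", 10: "pgp-sha512", 11: "pgp-sha224"}


def dearmor(text):
    """Return the binary packet data inside an ASCII-armored PGP SIGNATURE."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    body = lines[start + 1:end]
    if "" in body:  # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    # A line starting with '=' is the CRC24 checksum, not packet data.
    return base64.b64decode("".join(ln for ln in body
                                    if ln and not ln.startswith("=")))


def first_packet(data):
    """Split off the first OpenPGP packet and return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, pos = first, 2
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, pos = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length in a signature packet")
    else:  # old-format header
        tag = (ctb >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)
        if size is None:
            raise ValueError("indeterminate length not supported")
        length, pos = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def signature_hash_algo(packet_data):
    """Return the micalg-style name of the hash used by a signature packet."""
    tag, body = first_packet(packet_data)
    if tag != 2:
        raise ValueError("first packet is not a signature (tag %d)" % tag)
    if body[0] == 4:        # v4: version, sig type, pubkey algo, hash algo
        algo = body[3]
    elif body[0] in (2, 3):  # v3: hash algo follows time, key ID, pubkey algo
        algo = body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return HASH_ALGOS.get(algo, "unknown-%d" % algo)


def check_micalg(raw_message):
    """Return (declared, actual, consistent) for a multipart/signed message."""
    msg = email.message_from_string(raw_message)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    declared = (msg.get_param("micalg") or "").lower()
    for part in msg.walk():
        if part.get_content_type() == "application/pgp-signature":
            armored = part.get_payload(decode=True).decode("ascii")
            actual = signature_hash_algo(dearmor(armored))
            return declared, actual, declared == actual
    raise ValueError("no application/pgp-signature part")


def build_sample(declared, hash_id):
    """Constructed test message: dummy v4 signature packet, chosen micalg."""
    body = (bytes([4, 0x01, 1, hash_id]) + b"\x00\x00\x00\x00"
            + b"\xab\xcd" + b"\x00\x08\xff")
    packet = bytes([0x88, len(body)]) + body  # old-format tag 2, 1-byte length
    armored = ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
               + base64.b64encode(packet).decode()
               + "\n-----END PGP SIGNATURE-----\n")
    return ("From: sender@example.org\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/signed; boundary="b1";\n'
            ' protocol="application/pgp-signature"; micalg=%s\n'
            "\n"
            "--b1\nContent-Type: text/plain\n\nhello\n"
            "--b1\nContent-Type: application/pgp-signature\n\n"
            "%s--b1--\n" % (declared, armored))


if __name__ == "__main__":
    # Header says SHA1, packet says RIPEMD160: the case from the thread.
    print(check_micalg(build_sample("pgp-sha1", 3)))
```

A mismatch here says nothing about whether the signature is cryptographically good; it only shows that the sending software declared one hash and used another, which is the sender-side problem the thread identifies.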
From uavle at hotmail.com Fri Feb 13 06:52:16 2009 From: uavle at hotmail.com (doesntmatter) Date: Thu, 12 Feb 2009 21:52:16 -0800 (PST) Subject: how to unrevoke a key Message-ID: <21990805.post@talk.nabble.com> I revoked a key on accident, or rather the wrong key and sent to key server. and of course now it says *** key revoked ***, Can this be undone? -- View this message in context: http://www.nabble.com/how-to-unrevoke-a-key-tp21990805p21990805.html Sent from the GnuPG - User mailing list archive at Nabble.com. From mkesper at schokokeks.org Fri Feb 13 10:58:48 2009 From: mkesper at schokokeks.org (Michael Kesper) Date: Fri, 13 Feb 2009 10:58:48 +0100 Subject: Hibernation and secret keys In-Reply-To: <1234460422.4248.13.camel@fermat.scientia.net> References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> Message-ID: <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> Hi, On Thu, Feb 12, 2009 at 06:40:22PM +0100, Christoph Anton Mitterer wrote: > On Thu, 2009-02-12 at 00:09 +0100, Ingo Kl?cker wrote: > > USB stick and secure? :-) > > Of course. The idea is that you can encrypt everything but the kernel > +initrd, which is needed in order to decrypt the partition (better said, > to set up the dm-crypt mapping). > And an USB stick could be always with you. What is the additional gain to having an unencrypted /boot partition on the same device? As I see it, only "boring" data gets ever written in cleartext to the harddrive then. And if the customs clone my harddrive, they can just try to bruteforce the passphrase, whether the boot partition is encrypted or not. Ah, wait, they can ask me to decrypt the data, so we have to upload those sensitive documents to Google Docs (!) [1]... 
Best wishes Michael [1] http://www.mobilecomputermag.co.uk/20080805775/how-to-prevent-us-customs-from-peeking-at-your-private-data.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 315 bytes Desc: Digital signature URL: From ian at ushills.co.uk Fri Feb 13 16:52:15 2009 From: ian at ushills.co.uk (Ian Hill) Date: Fri, 13 Feb 2009 15:52:15 +0000 Subject: how to unrevoke a key In-Reply-To: <21990805.post@talk.nabble.com> References: <21990805.post@talk.nabble.com> Message-ID: <4995972F.6020508@ushills.co.uk> Unfortunately if you uploaded it to the keyservers then no it can't be undone. doesntmatter wrote: > I revoked a key on accident, or rather the wrong key and sent to key server. > and of course now it says *** key revoked ***, Can this be undone? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 552 bytes Desc: OpenPGP digital signature URL: From christoph.anton.mitterer at physik.uni-muenchen.de Fri Feb 13 16:54:58 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Fri, 13 Feb 2009 16:54:58 +0100 Subject: how to unrevoke a key In-Reply-To: <21990805.post@talk.nabble.com> References: <21990805.post@talk.nabble.com> Message-ID: <1234540498.9767.2.camel@fermat.scientia.net> On Thu, 2009-02-12 at 21:52 -0800, doesntmatter wrote: > Can this be undone? Of course not. Chris. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From christoph.anton.mitterer at physik.uni-muenchen.de Fri Feb 13 17:00:06 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Fri, 13 Feb 2009 17:00:06 +0100 Subject: Hibernation and secret keys In-Reply-To: <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> Message-ID: <1234540806.9767.5.camel@fermat.scientia.net> On Fri, 2009-02-13 at 10:58 +0100, Michael Kesper wrote: > What is the additional gain to having an unencrypted /boot partition on > the same device? What do you mean? > As I see it, only "boring" data gets ever written in > cleartext to the harddrive then. But even this data is sensitive, as one could attack you if he replaces your kernel with a hacked one. Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From dshaw at jabberwocky.com Fri Feb 13 17:01:05 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Feb 2009 11:01:05 -0500 Subject: how to unrevoke a key In-Reply-To: <21990805.post@talk.nabble.com> References: <21990805.post@talk.nabble.com> Message-ID: <20090213160105.GA2052@jabberwocky.com> On Thu, Feb 12, 2009 at 09:52:16PM -0800, doesntmatter wrote: > > I revoked a key on accident, or rather the wrong key and sent to key server. > and of course now it says *** key revoked ***, Can this be undone? Actually, keys can be unrevoked. The catch is that you can't have distributed the revocation for this to work. Since you've sent it to the keyserver, there isn't much you can do, sorry. 
David From rjh at sixdemonbag.org Fri Feb 13 18:20:23 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 13 Feb 2009 12:20:23 -0500 Subject: JAVA Standard API for GnuPG v1.80? In-Reply-To: <21983715.post@talk.nabble.com> References: <21983715.post@talk.nabble.com> Message-ID: <4995ABD7.4090801@sixdemonbag.org> Tanu wrote: > Is there any Standard JAVA API from SUN or Apache for GnuPG v1.80? There is no standard Java interface, nor is there a GnuPG 1.8, nor would either Sun or Apache be likely to make it even if the preceding two were true. From John at Mozilla-Enigmail.org Fri Feb 13 19:23:50 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Fri, 13 Feb 2009 12:23:50 -0600 Subject: JAVA Standard API for GnuPG v1.80? In-Reply-To: <21983715.post@talk.nabble.com> References: <21983715.post@talk.nabble.com> Message-ID: <4995BAB6.6000508@Mozilla-Enigmail.org> Tanu wrote: > Is there any Standard JAVA API from SUN or Apache for GnuPG v1.80? You probably want to look at http://www.bouncycastle.org/java.html Not sure where v1.8 comes from; doesn't sound like a Java version to me and I'm pretty sure there wasn't a GnuPG 1.8. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 677 bytes Desc: OpenPGP digital signature URL: From email at sven-radde.de Fri Feb 13 19:30:59 2009 From: email at sven-radde.de (Sven Radde) Date: Fri, 13 Feb 2009 19:30:59 +0100 Subject: Hibernation and secret keys In-Reply-To: <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> Message-ID: <4995BC63.4030007@sven-radde.de> Hi! Michael Kesper schrieb: >> Of course. The idea is that you can encrypt everything but the kernel >> +initrd, which is needed in order to decrypt the partition (better said, >> to set up the dm-crypt mapping). >> And an USB stick could be always with you. > > What is the additional gain to having an unencrypted /boot partition on > the same device? "They" will have difficulties installing a keylogger if the unencrypted /boot is always in your pocket and the HDD contains just encrypted gibberish. I wonder when Linux will be able to utilize a TPM to integrity-protect /boot. cu, Sven From email at sven-radde.de Fri Feb 13 19:34:45 2009 From: email at sven-radde.de (Sven Radde) Date: Fri, 13 Feb 2009 19:34:45 +0100 Subject: JAVA Standard API for GnuPG v1.80? In-Reply-To: <21983715.post@talk.nabble.com> References: <21983715.post@talk.nabble.com> Message-ID: <4995BD45.4030504@sven-radde.de> Hi! Tanu schrieb: > Is there any Standard JAVA API from SUN or Apache for GnuPG v1.80? > > Any inputs on this will be highly appreciated. This might not be exactly what you want, but have a look at bouncycastle.org. They do not utilize GnuPG, but rather implement OpenPGP (RFC2440) in Java. 
cu, Sven From faramir.cl at gmail.com Fri Feb 13 19:34:50 2009 From: faramir.cl at gmail.com (Faramir) Date: Fri, 13 Feb 2009 15:34:50 -0300 Subject: how to unrevoke a key In-Reply-To: <21990805.post@talk.nabble.com> References: <21990805.post@talk.nabble.com> Message-ID: <4995BD4A.4020909@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 doesntmatter escribi?: > I revoked a key on accident, or rather the wrong key and sent to key server. > and of course now it says *** key revoked ***, Can this be undone? No, once it arrived to the keyserver and started propagating to other keyservers, you can't do anything about it. Most accidents can be fixed, provided you have a backup, _AND_ you have not uploaded the modified key to a keyserver. Better luck next time. Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From christoph.anton.mitterer at physik.uni-muenchen.de Fri Feb 13 19:37:25 2009 From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer) Date: Fri, 13 Feb 2009 19:37:25 +0100 Subject: Hibernation and secret keys In-Reply-To: <4995BC63.4030007@sven-radde.de> References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> <4995BC63.4030007@sven-radde.de> Message-ID: 
<1234550245.9767.9.camel@fermat.scientia.net> On Fri, 2009-02-13 at 19:30 +0100, Sven Radde wrote: > "They" will have difficulties installing a keylogger if the unencrypted > /boot is always in your pocket and the HDD contains just encrypted > gibberish. Correct :-) > I wonder when Linux will be able to utilize a TPM to integrity-protect > /boot. You'd trust TPM?!?! :-O ;P Chris. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3387 bytes Desc: not available URL: From decouk at gmail.com Fri Feb 13 20:05:59 2009 From: decouk at gmail.com (Andre Amorim) Date: Fri, 13 Feb 2009 19:05:59 +0000 Subject: Graphing Web of Trust Message-ID: Hello List, I've been playing with sig2dot to draw graph from the keys stored in my own keyring but, How can I do a graph from diferents key sign parties? Example: Party 1 (A to Z members) A1,B1,C1 ... Z1 Party 2 (AZ) A2,B2,C2 ... Z2 Party 3 (AZ) A3,B3,C3 ... Z3 Now some members of Party1, Party2 and Party3 had sign each other keys. How can I draw a graph global of it (including Party1, Party2 and Party3) ? and If all members of all parties had send they keys to same server is possible draw a graph from the server files as a source..??? Thanks, -- Andre Amorim GnuPG KEY ID: 0x587B1970 FingerPrint: 42AE C929 4D91 4591 4E75 430F 78D9 53B4 587B 1970 Download: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x587B1970 From dshaw at jabberwocky.com Fri Feb 13 20:44:22 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Feb 2009 14:44:22 -0500 Subject: GMail PGP verification? Message-ID: <20090213194422.GA2481@jabberwocky.com> Interesting. http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html David From dominik at d-paulus.de Fri Feb 13 20:25:05 2009 From: dominik at d-paulus.de (Dominik Paulus) Date: Fri, 13 Feb 2009 20:25:05 +0100 Subject: ReinerSCT e-com: CCID-driver? 
Message-ID: <4995C911.8010403@d-paulus.de> Hi, I recently bought a ReinerSCT e-com cardreader and an OpenPGP smartcard. The reader works well using the vendor's driver and pcsc-lite 1.4.102, however, I would like to use the reader's keypad. Unfortunately, GnuPG doesn't detect it when using the integrated CCID driver. I tried the ports 0, 1 (which works with CT-API and GnuPG 1.x) and 32768 to 32780. The 'parse' tool from the libccid distribution outputs: Parsing USB bus/device: 001/005 idVendor: 0x0C4B iManufacturer: Reiner-SCT idProduct: 0x0400 iProduct: cyberJack e-com(a) Found a CCID/ICCD device idVendor: 0x0C4B iManufacturer: Reiner-SCT idProduct: 0x0400 iProduct: cyberJack e-com(a) bcdDevice: 0.01 (firmware release?) bLength: 9 bDescriptorType: 4 bInterfaceNumber: 0 bAlternateSetting: 0 bNumEndpoints: 3 bulk-IN, bulk-OUT and Interrupt-IN bInterfaceClass: 0xFF NOT A CCID DEVICE Class is 0xFF (proprietary) bInterfaceSubClass: 0 bInterfaceProtocol: 0 bulk transfer, optional interrupt-IN (CCID) iInterface: 0 USB extra length is too short: 0 NOT A CCID DEVICE However, according to ReinerSCT, this reader should be CCID-compliant. The GnuPG version I used is 1.4.9. Thanks for your help, Dominik Paulus From dominik at d-paulus.de Fri Feb 13 20:28:29 2009 From: dominik at d-paulus.de (Dominik Paulus) Date: Fri, 13 Feb 2009 20:28:29 +0100 Subject: ReinerSCT e-com: CCID-driver? Message-ID: <4995C9DD.5020402@d-paulus.de> Hi, I recently bought a ReinerSCT e-com cardreader and an OpenPGP smartcard. The reader works well using the vendor's driver and pcsc-lite 1.4.102, however, I would like to use the reader's keypad. Unfortunately, GnuPG doesn't detect it when using the integrated CCID driver. I tried the ports 0, 1 (which works with CT-API and GnuPG 1.x) and 32768 to 32780. 
The 'parse' tool from the libccid distribution outputs: Parsing USB bus/device: 001/005 idVendor: 0x0C4B iManufacturer: Reiner-SCT idProduct: 0x0400 iProduct: cyberJack e-com(a) Found a CCID/ICCD device idVendor: 0x0C4B iManufacturer: Reiner-SCT idProduct: 0x0400 iProduct: cyberJack e-com(a) bcdDevice: 0.01 (firmware release?) bLength: 9 bDescriptorType: 4 bInterfaceNumber: 0 bAlternateSetting: 0 bNumEndpoints: 3 bulk-IN, bulk-OUT and Interrupt-IN bInterfaceClass: 0xFF NOT A CCID DEVICE Class is 0xFF (proprietary) bInterfaceSubClass: 0 bInterfaceProtocol: 0 bulk transfer, optional interrupt-IN (CCID) iInterface: 0 USB extra length is too short: 0 NOT A CCID DEVICE However, according to ReinerSCT, this reader should be CCID-compliant. The GnuPG version I used is 1.4.9. Thanks for your help, Dominik Paulus From jbruni at me.com Fri Feb 13 21:25:33 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Fri, 13 Feb 2009 13:25:33 -0700 Subject: GMail PGP verification? In-Reply-To: <20090213194422.GA2481@jabberwocky.com> References: <20090213194422.GA2481@jabberwocky.com> Message-ID: <112854348435167361031545330575521082984-Webmail@me.com> On Friday, February 13, 2009, at 12:44PM, "David Shaw" wrote: >Interesting. > >http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html > >David I like the idea of signature validation, but I'm not so sure I would like the idea of uploading my private key to Google's servers in order to actually sign an email or to perform decryption. From dshaw at jabberwocky.com Fri Feb 13 21:42:06 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Feb 2009 15:42:06 -0500 Subject: GMail PGP verification? 
In-Reply-To: <112854348435167361031545330575521082984-Webmail@me.com> References: <20090213194422.GA2481@jabberwocky.com> <112854348435167361031545330575521082984-Webmail@me.com> Message-ID: <20090213204206.GC2481@jabberwocky.com> On Fri, Feb 13, 2009 at 01:25:33PM -0700, Joseph Oreste Bruni wrote: > > On Friday, February 13, 2009, at 12:44PM, "David Shaw" wrote: > >Interesting. > > > >http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html > > > >David > > > I like the idea of signature validation, but I'm not so sure I would > like the idea of uploading my private key to Google's servers in > order to actually sign an email or to perform decryption. Yes. It's not clear exactly how they're going about this (and of course, nobody has seen signing or encryption yet). They could possibly be heading towards a Hushmail type of system, where the key activity can be done on your local system. Even if they just do signing and sig verification, that would be a huge boost in the number of signed messages out there on the net. It would certainly change the spoofed user equation, despite the various drawbacks. David From faramir.cl at gmail.com Fri Feb 13 21:51:13 2009 From: faramir.cl at gmail.com (Faramir) Date: Fri, 13 Feb 2009 17:51:13 -0300 Subject: GMail PGP verification? In-Reply-To: <112854348435167361031545330575521082984-Webmail@me.com> References: <20090213194422.GA2481@jabberwocky.com> <112854348435167361031545330575521082984-Webmail@me.com> Message-ID: <4995DD41.3090906@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Joseph Oreste Bruni escribi?: > On Friday, February 13, 2009, at 12:44PM, "David Shaw" wrote: >> Interesting. >> >> http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html ... > I like the idea of signature validation, but I'm not so sure I would like the idea of uploading my private key to Google's servers in order to actually sign an email or to perform decryption. 
I think the same, validation would be awesome, and harmless. But if google "host" the private key of an user, probably there will be ways to force them to decrypt messages sent by the users... I mean, if I am the only one with access to my secret key, google can say "sorry, there is nothing I can do to decrypt that message". And while we all expect google should try to protect our privacy (which is very different from trusting they are doing that), nobody can expect them to become a martyr of customers privacy, by refusing to obey a legal order... Best Regards -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Feb 13 22:05:43 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 13 Feb 2009 16:05:43 -0500 Subject: GMail PGP verification? In-Reply-To: <4995DD41.3090906@gmail.com> References: <20090213194422.GA2481@jabberwocky.com> <112854348435167361031545330575521082984-Webmail@me.com> <4995DD41.3090906@gmail.com> Message-ID: <20090213210543.GD2481@jabberwocky.com> On Fri, Feb 13, 2009 at 05:51:13PM -0300, Faramir wrote: > Joseph Oreste Bruni escribi??: > > On Friday, February 13, 2009, at 12:44PM, "David Shaw" wrote: > >> Interesting. > >> > >> http://googlesystem.blogspot.com/2009/02/gmail-tests-pgp-signature-verification.html > ... > > > I like the idea of signature validation, but I'm not so sure I would like the idea of uploading my private key to Google's servers in order to actually sign an email or to perform decryption. 
> > I think the same, validation would be awesome, and harmless. But if > google "host" the private key of an user, probably there will be ways to > force them to decrypt messages sent by the users... I mean, if I am the > only one with access to my secret key, google can say "sorry, there is > nothing I can do to decrypt that message". And while we all expect > google should try to protect our privacy (which is very different from > trusting they are doing that), nobody can expect them to become a martyr > of customers privacy, by refusing to obey a legal order... Yes, exactly. This is more or less how Hushmail works, and we've seen Hushmail give up cleartext under subpoena. I'm not all that perturbed by Hushmail's activity (which they were pretty clear about): it just means that if your threat model includes such things as a legal order, then you don't use the system. I suspect the vast majority of people wouldn't care very much if Google held keys for them - they're already trusting in Google for many other things. David From wk at gnupg.org Mon Feb 16 09:19:42 2009 From: wk at gnupg.org (Werner Koch) Date: Mon, 16 Feb 2009 09:19:42 +0100 Subject: Hibernation and secret keys In-Reply-To: <4995BC63.4030007@sven-radde.de> (Sven Radde's message of "Fri, 13 Feb 2009 19:30:59 +0100") References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> <4995BC63.4030007@sven-radde.de> Message-ID: <87bpt2vlnl.fsf@wheatstone.g10code.de> On Fri, 13 Feb 2009 19:30, email at sven-radde.de said: > "They" will have difficulties installing a keylogger if the unencrypted > /boot is always in your pocket and the HDD contains just encrypted > gibberish. They will use a hardware logger and don't care about any encrypted stuff in your pocket. 
Anyway, for your example: Who will execute the code to decrypt boot? What about another boot manager or a rogue BIOS or a complete virtualized machine? Please repeat with me: There is no way to avoid or detect backdoors if physical access to the machine has ever been granted. Well, in theory you can detect a backdoor, but you need quite some equipment which certainly won't fit into a small pocket. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From shahbaz.bhat at transcore.com Sun Feb 15 13:47:57 2009 From: shahbaz.bhat at transcore.com (syousuf) Date: Sun, 15 Feb 2009 04:47:57 -0800 (PST) Subject: Decryption in .NET application,automate passPhrase Message-ID: <22022257.post@talk.nabble.com> Hi, I am working on decryting a pgp file using GnuPG.I want to do the same in a .NET C# Console Application.I want to send the passPhrase from the application itself,& don't want it to prompt. I tried to passing the Passphrase from the application but its not working. Finally,I want to decrypt the file,stream the dataout.My code is below.If you can kindly help me on this. Here i have to manually put the passphrase & then i get the data stream in the Temp string variable. 
-------
using System;
using System.Collections.Generic;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Threading; // for Thread class

namespace ConsoleApplication3
{
    class Program
    {
        static void Main(string[] args)
        {
            string passphrase = "$Trans at RtA09";
            Process myProcess = new Process();
            StreamWriter sw;
            StreamReader sr;
            StreamReader err;
            ProcessStartInfo myProcessStartInfo = new ProcessStartInfo(@"C:\gnupg\gpg.exe");
            myProcessStartInfo.Arguments = "--decrypt C:/Transfer/test.gpg";
            myProcessStartInfo.RedirectStandardError = true;
            myProcessStartInfo.RedirectStandardInput = true;
            myProcessStartInfo.RedirectStandardOutput = true;
            myProcessStartInfo.UseShellExecute = false;
            myProcess.StartInfo = myProcessStartInfo;
            myProcess.Start();
            sw = myProcess.StandardInput;
            sr = myProcess.StandardOutput;
            err = myProcess.StandardError;
            sw.AutoFlush = true;
            if (passphrase != null && passphrase != "")
            {
                // Here I am passing the passphrase, but it does not write in
                sw.WriteLine(passphrase);
            }
            sw.Close();
            String Temp = sr.ReadToEnd();
            Temp += err.ReadToEnd();
        }
    }
}
------------------------------------------------------------------ Any help,will be highly appreciated. Kind regards. -- View this message in context: http://www.nabble.com/Decryption-in-.NET-application%2Cautomate-passPhrase-tp22022257p22022257.html Sent from the GnuPG - User mailing list archive at Nabble.com. From m534c.subscribe at gmail.com Mon Feb 16 12:10:32 2009 From: m534c.subscribe at gmail.com (Jonas Islander) Date: Mon, 16 Feb 2009 12:10:32 +0100 Subject: Transferring identity to a new public key Message-ID: When you suspect your private key may be compromised, it's obvious that you should revoke the key pair, upload your revocation to the key servers, and generate a new pair. But what is "best practice" for telling people about your new public key - transferring your identity to it, so to speak? 

Is there any point in adding a self-signed ID saying "Key compromised - please use key with fingerprint xxxxxxxxx instead" before revoking?

I'm thinking it's pointless, since an attacker could do the same, and use it to transfer someone's identity to a new public key, which the rightful owner cannot revoke.

Am I right in thinking that anyone seeing a user ID of the form "Please use key with fingerprint xxxxxxxxx instead" should ignore it (since it may be an attempt to permanently steal someone's identity)?

Am I right in thinking that someone whose key may be compromised, should simply revoke it and start over from scratch with a new key pair, proving their identity to each and every person signing it?

Similarly, if you believe your private key may be compromised, is there any point in sending signed messages to everyone who has signed your old public key, asking them to also sign your new one?

I believe it's pointless, since the message could just as well be from an attacker, and that anyone receiving such a message should refuse to sign the new keys (and insist the sender prove their identity another way). Am I right in thinking this?

I've looked for answers to these questions, but most discussions about transferring identity to new keys seem to deal with the situation where someone has accidentally deleted their private key or forgotten their passphrase, not the situation where the private key is still accessible.
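
Added example (not part of any message in this archive): one way for a recipient to treat a "please use key X instead" note on a possibly compromised key as a hint only, accepting the new key only when a chain of certifications reaches it without passing through the old key. The key names and certifications are constructed, the function names are this example's own, and the search models plain certification reachability with a depth limit of 5 (the default of gpg's --max-cert-depth), not GnuPG's full trust model.

```python
from collections import deque

# Constructed key names; in practice these would be full fingerprints.
ME, ALICE, BOB = "me", "alice", "bob"
OLD = "carol-old"          # possibly compromised key carrying the "use X instead" note
NEW_GENUINE = "carol-new"  # the key Carol really generated
NEW_ROGUE = "mallory"      # a key advertised through the stolen old key
PUPPET = "puppet"          # helper key that was certified with the stolen old key

# (signer, signed key) pairs, as collected from key signatures.
CERTIFICATIONS = [
    (ME, ALICE), (ME, OLD), (ALICE, BOB),
    (OLD, NEW_GENUINE),   # Carol signs her new key with the old one
    (BOB, NEW_GENUINE),   # Bob re-checked Carol's identity in person
    (OLD, NEW_ROGUE), (OLD, PUPPET), (PUPPET, NEW_ROGUE),
]


def trust_path(certifications, root, target, avoid=None, max_depth=5):
    """Shortest chain root -> ... -> target in which each key certified the next.

    Every certification made by or on `avoid` is discarded first, so a chain
    that depends on the old key in any position is never found. Returns the
    chain as a list of key names, or None.
    """
    if avoid is not None and avoid in (root, target):
        return None
    signed_by = {}
    for signer, signee in certifications:
        if signer == signee or avoid in (signer, signee):
            continue  # self-signatures prove nothing; old-key edges are dropped
        signed_by.setdefault(signer, set()).add(signee)

    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:
            continue  # chain already as long as we are willing to follow
        for nxt in sorted(signed_by.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def judge_successor_hint(certifications, me, old_key, new_key, max_depth=5):
    """Decide what to do with a 'use new_key instead' note found on old_key."""
    path = trust_path(certifications, me, new_key, avoid=old_key, max_depth=max_depth)
    if path:
        return ("usable", path)
    # No independent chain: the note alone proves nothing about who owns new_key.
    return ("unverified", None)


if __name__ == "__main__":
    for candidate in (NEW_GENUINE, NEW_ROGUE):
        print(candidate, judge_successor_hint(CERTIFICATIONS, ME, OLD, candidate))
```

The rogue key is reachable only through the old key (directly and via the puppet key), so it stays unverified, while the genuine key is reached through a certification made after a fresh identity check.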

From christoph.anton.mitterer at physik.uni-muenchen.de Mon Feb 16 12:47:11 2009
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Mon, 16 Feb 2009 12:47:11 +0100
Subject: Hibernation and secret keys
In-Reply-To: <87bpt2vlnl.fsf@wheatstone.g10code.de>
References: <20090210231912.26565118040@smtp.hushmail.com> <200902112237.47940@thufir.ingo-kloecker.de> <1234389755.12781.1.camel@fermat.scientia.net> <200902120009.55568@thufir.ingo-kloecker.de> <1234460422.4248.13.camel@fermat.scientia.net> <20090213095848.GB3498@kol06wsthv-it22.kaufhof.net> <4995BC63.4030007@sven-radde.de> <87bpt2vlnl.fsf@wheatstone.g10code.de>
Message-ID: <1234784831.4224.5.camel@fermat.scientia.net>

On Mon, 2009-02-16 at 09:19 +0100, Werner Koch wrote:
> They will use a hardware logger and don't care about any encrypted
> stuff
> in your pocket.

Of course this is possible,.. but perhaps only for someone more powerful. (NSA could perhaps even replace your CPU with one that has an additional OS in it with wimax or s ;).
But anyway, I think it tightens security a bit more,... as "normal" attackers, like Mr. Mehdorn probably have only access to normal keyloggers.

> Anyway, for your example: Who will execute the code to decrypt boot?
> What about another boot manager or a rogue BIOS or a complete
> virtualized machine? Please repeat with me:

The boot manager would also be on the USB stick.
But of course you're right one cannot prevent attacks,...
Anyway,.. I think it still improves security, for "normal" attacks.

I mean we're trusting this security by obscurity in so many areas? e.g. OpenPGP's private key encryption. Who prevents the friendly NSA worker from torturing you to death in order to get your passphrase?
It's always a matter of how much "effort" an attacker puts into his attack.

Best wishes,
Chris.

From ramon.loureiro at upf.edu Mon Feb 16 13:22:29 2009
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Mon, 16 Feb 2009 13:22:29 +0100
Subject: Graphing Web of Trust
In-Reply-To:
References:
Message-ID: <49995A85.7040503@upf.edu>

Andre Amorim wrote:
> Hello List,
> I've been playing with sig2dot to draw graph from the keys stored in
> my own keyring but,
>
> How can I do a graph from different key sign parties?

Hi Andre!
Do you know sims?
http://tokkee.org/sims/

You can edit the line (perl)

    if (! -p STDIN) {
        close(STDIN);
        open(STDIN, "gpg --list-sigs |");
    }

and tell it to use different keyrings

    if (! -p STDIN) {
        close(STDIN);
        open(STDIN, "gpg --list-sigs --home myKeyringA |");
    }

Hope it helps!

--
Ramon Loureiro

From wk at gnupg.org Mon Feb 16 15:51:04 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 16 Feb 2009 15:51:04 +0100
Subject: Graphing Web of Trust
In-Reply-To: <49995A85.7040503@upf.edu> (Ramon Loureiro's message of "Mon, 16 Feb 2009 13:22:29 +0100")
References: <49995A85.7040503@upf.edu>
Message-ID: <87ocx2saef.fsf@wheatstone.g10code.de>

On Mon, 16 Feb 2009 13:22, ramon.loureiro at upf.edu said:

> if (! -p STDIN) {
> close(STDIN);
> open(STDIN, "gpg --list-sigs |");

Do not use this command for scripts. It may break with the next gpg version.
Always use the --with-colons option.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From avi.wiki at gmail.com Mon Feb 16 16:28:42 2009
From: avi.wiki at gmail.com (Avi)
Date: Mon, 16 Feb 2009 10:28:42 -0500
Subject: Transferring identity to a new public key
Message-ID: <27ee9bfb0902160728s417b0560m40d84ad4dca79d47@mail.gmail.com>

If I recall correctly, when generating the revocation certificate, you have an option to choose why the certificate is being generated, and one choice is "key compromised".

--Avi

----
en:User:Avraham
pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

---------- Forwarded message ----------
> From: Jonas Islander
> To: gnupg-users at gnupg.org
> Date: Mon, 16 Feb 2009 12:10:32 +0100
> Subject: Transferring identity to a new public key
> When you suspect your private key may be compromised, it's obvious
> that you should revoke the key pair, upload your revocation to the key
> servers, and generate a new pair. But what is "best practice" for
> telling people about your new public key - transferring your identity
> to it, so to speak?
>
> Is there any point in adding a self-signed ID saying "Key compromised
> - please use key with fingerprint xxxxxxxxx instead" before revoking?
>
> I'm thinking it's pointless, since an attacker could do the same, and
> use it to transfer someone's identity to a new public key, which the
> rightful owner cannot revoke.
>
> Am I right in thinking that anyone seeing a user ID of the form
> "Please use key with fingerprint xxxxxxxxx instead" should ignore it
> (since it may be an attempt to permanently steal someone's identity)?
>
> Am I right in thinking that someone whose key may be compromised,
> should simply revoke it and start over from scratch with a new key
> pair, proving their identity to each and every person signing it?
>
>
> Similarly, if you believe your private key may be compromised, is
> there any point in sending signed messages to everyone who has signed
> your old public key, asking them to also sign your new one?
>
> I believe it's pointless, since the message could just as well be from
> an attacker, and that anyone receiving such a message should refuse to
> sign the new keys (and insist the sender prove their identity another
> way). Am I right in thinking this?
>
> I've looked for answers to these questions, but most discussions about
> transferring identity to new keys seem to deal with the situation
> where someone has accidentally deleted their private key or forgotten
> their passphrase, not the situation where the private key is still
> accessible.
>

From faramir.cl at gmail.com Mon Feb 16 18:48:11 2009
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 16 Feb 2009 14:48:11 -0300
Subject: FW from PGP-Basis: newbie question about bad keys
In-Reply-To: <497F0B1A.4010605@nc.rr.com>
References: <497F0B1A.4010605@nc.rr.com>
Message-ID: <4999A6DB.3020101@gmail.com>

paramouse wrote:
> I am new to using GnuPG and hoping this is the correct place to post
> questions.
>
> For practice, I imported some public keys to my keyring. I ran a
>
> gpg --check-sig
>
> After listing the signatures of the public keys I've imported, there's
> the statement:
>
> 46 bad signatures
> 5133 signatures not checked due to missing keys
>
> The "signatures not checked" seems pretty self explanatory. What does
> the bad signatures mean?

Since I never saw an answer about the meaning of those bad signatures, I am forwarding the question to GnuPG-Users list...

I ran that command too, and got:

186 firmas incorrectas
(186 bad signatures)
19112 firmas no comprobadas por falta de clave
(19112 signatures not checked due to missing keys)
2 firmas no comprobadas por errores
(2 signatures not checked due to errors).

What kind of errors could it be?

Best Regards

From dshaw at jabberwocky.com Mon Feb 16 19:05:39 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 16 Feb 2009 13:05:39 -0500
Subject: Transferring identity to a new public key
In-Reply-To:
References:
Message-ID: <20090216180538.GA20201@jabberwocky.com>

On Mon, Feb 16, 2009 at 12:10:32PM +0100, Jonas Islander wrote:
> When you suspect your private key may be compromised, it's obvious
> that you should revoke the key pair, upload your revocation to the key
> servers, and generate a new pair. But what is "best practice" for
> telling people about your new public key - transferring your identity
> to it, so to speak?
>
> Is there any point in adding a self-signed ID saying "Key compromised
> - please use key with fingerprint xxxxxxxxx instead" before revoking?
>
> I'm thinking it's pointless, since an attacker could do the same, and
> use it to transfer someone's identity to a new public key, which the
> rightful owner cannot revoke.

Yes and no. Such a message is okay so long as the person seeing it treats it as a hint - that is, to go and fetch the new key, and then build a brand new trust path to this new key. As you note above, it is pointless to assume the new key is good just because the old key tells you.

> Am I right in thinking that anyone seeing a user ID of the form
> "Please use key with fingerprint xxxxxxxxx instead" should ignore it
> (since it may be an attempt to permanently steal someone's identity)?

They should ignore it (or more likely try and contact the keyholder and figure out what is going on) if they cannot build a valid trust path to the new key that does not go through the old key.

> Am I right in thinking that someone whose key may be compromised,
> should simply revoke it and start over from scratch with a new key
> pair, proving their identity to each and every person signing it?

Yes. It is bad practice to sign a key just because they signed a previous key owned by the same person. You should check each time.

David

From dshaw at jabberwocky.com Mon Feb 16 19:16:36 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 16 Feb 2009 13:16:36 -0500
Subject: FW from PGP-Basis: newbie question about bad keys
In-Reply-To: <4999A6DB.3020101@gmail.com>
References: <497F0B1A.4010605@nc.rr.com> <4999A6DB.3020101@gmail.com>
Message-ID: <20090216181636.GA20369@jabberwocky.com>

On Mon, Feb 16, 2009 at 02:48:11PM -0300, Faramir wrote:
> paramouse wrote:
> > I am new to using GnuPG and hoping this is the correct place to post
> > questions.
> >
> > For practice, I imported some public keys to my keyring.
> > I ran a
> >
> > gpg --check-sig
> >
> > After listing the signatures of the public keys I've imported, there's
> > the statement:
> >
> > 46 bad signatures
> > 5133 signatures not checked due to missing keys
> >
> > The "signatures not checked" seems pretty self explanatory. What does
> > the bad signatures mean?
>
> Since I never saw an answer about the meaning of those bad signatures,
> I am forwarding the question to GnuPG-Users list...
>
> I ran that command too, and got:
>
> 186 firmas incorrectas
> (186 bad signatures)
> 19112 firmas no comprobadas por falta de clave
> (19112 signatures not checked due to missing keys)
> 2 firmas no comprobadas por errores
> (2 signatures not checked due to errors).
>
> What kind of errors could it be?

"signatures not checked" means just what you guessed - the keys aren't there, so GPG couldn't check them.

"bad signatures" means the signature was checked, but it turned out to be invalid.

"not checked due to errors" is a grab bag for everything else. A common reason for something to show up in this group is a timestamp conflict (for example, the signature is older than the key that issued it).

When you do a --check-sig, some sigs are tagged with "sig%". Look for those and you can usually read the reason for the error.

David

From wk at gnupg.org Mon Feb 16 19:20:55 2009
From: wk at gnupg.org (Werner Koch)
Date: Mon, 16 Feb 2009 19:20:55 +0100
Subject: FW from PGP-Basis: newbie question about bad keys
In-Reply-To: <4999A6DB.3020101@gmail.com> (faramir.cl@gmail.com's message of "Mon, 16 Feb 2009 14:48:11 -0300")
References: <497F0B1A.4010605@nc.rr.com> <4999A6DB.3020101@gmail.com>
Message-ID: <87iqnas0oo.fsf@wheatstone.g10code.de>

On Mon, 16 Feb 2009 18:48, faramir.cl at gmail.com said:

>> The "signatures not checked" seems pretty self explanatory. What does
>> the bad signatures mean?

The signed data does not match the signature.
That is, the signed data or the signature has been modified or the signature was not correctly created initially.

> 2 firmas no comprobadas por errores
> (2 signatures not checked due to errors).

All kinds of errors, like out of memory or file read error. But most likely it is bad signature class or a corrupted keyblock (signatures swapped).

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From yalla at fsfe.org Mon Feb 16 21:05:30 2009
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Mon, 16 Feb 2009 21:05:30 +0100
Subject: PGP/X.509 roundup
Message-ID: <4999C70A.5050003@fsfe.org>

Hi!

My boss just asked me to make up some ideas about implementations of X.509 and OpenPGP - which should be introduced in our company later then.

I'm just hacking together a presentation and I'm looking for ideas. Have you seen a comparison of several implementations for different MUAs yet?

Any help's welcome. I'm not lazy, I'm doing my own work but yet I'm open for insight.

I'll be sharing my presentation later as soon as I'm finished.

Cheers, Alex.

From kloecker at kde.org Mon Feb 16 22:45:17 2009
From: kloecker at kde.org (Ingo Klöcker)
Date: Mon, 16 Feb 2009 22:45:17 +0100
Subject: FW from PGP-Basis: newbie question about bad keys
In-Reply-To: <87iqnas0oo.fsf@wheatstone.g10code.de>
References: <497F0B1A.4010605@nc.rr.com> <4999A6DB.3020101@gmail.com> <87iqnas0oo.fsf@wheatstone.g10code.de>
Message-ID: <200902162245.17596@thufir.ingo-kloecker.de>

On Monday 16 February 2009, Werner Koch wrote:
> On Mon, 16 Feb 2009 18:48, faramir.cl at gmail.com said:
> >> The "signatures not checked" seems pretty self explanatory. What
> >> does the bad signatures mean?
>
> The signed data does not match the signature.
> That is the signed
> data or the signature has been modified or the signature was not
> correctly created initially.

What if the signing key is expired or has been revoked?

Regards,
Ingo

From wk at gnupg.org Tue Feb 17 09:23:04 2009
From: wk at gnupg.org (Werner Koch)
Date: Tue, 17 Feb 2009 09:23:04 +0100
Subject: FW from PGP-Basis: newbie question about bad keys
In-Reply-To: <200902162245.17596@thufir.ingo-kloecker.de> ("Ingo Klöcker"'s message of "Mon, 16 Feb 2009 22:45:17 +0100")
References: <497F0B1A.4010605@nc.rr.com> <4999A6DB.3020101@gmail.com> <87iqnas0oo.fsf@wheatstone.g10code.de> <200902162245.17596@thufir.ingo-kloecker.de>
Message-ID: <8763j9sc9j.fsf@wheatstone.g10code.de>

On Mon, 16 Feb 2009 22:45, kloecker at kde.org said:

> What if the signing key is expired or has been revoked?

Unless you use "--list-options show-unusable-uids" those signatures are not shown.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From ml at mareichelt.de Tue Feb 17 15:18:05 2009
From: ml at mareichelt.de (markus reichelt)
Date: Tue, 17 Feb 2009 15:18:05 +0100
Subject: FYI: Keysigning events at FOSDEM (Feb 8th) and Chemnitzer Linux-Tage (March 14th)
In-Reply-To: <20090108131359.GD5981@tatooine.rebelbase.local>
References: <20090108131359.GD5981@tatooine.rebelbase.local>
Message-ID: <20090217141805.GC4738@tatooine.rebelbase.local>

* markus reichelt wrote:
> PGP/GPG Keysigning event on Saturday March 14th 18:00h at Chemnitz
> Linux Days in ... Chemnitz.
>
> Deadline for key submission: *Monday March 9th*

This is just a friendly (and last) reminder that you can still participate, just honour the deadline.
More info (in German & English) is available at http://chemnitzer.linux-tage.de/2009/service/pgp_en.html

Hope to see you there.

--
left blank, right bald

From chris at chrispoole.com Tue Feb 17 16:15:35 2009
From: chris at chrispoole.com (Chris Poole)
Date: Tue, 17 Feb 2009 15:15:35 +0000
Subject: How secure asymmetric encryption to yourself?
Message-ID: <4C688D30-54BE-4A7B-8F3A-EAA0BE26996E@chrispoole.com>

Hi,
I am using GnuPG to encrypt a plain text file of my passwords.

How secure is it to use my own public key as the encryption method (rather than symmetric), given that the password file is stored on the same drive as my public and private keys?

Thanks.

From dshaw at jabberwocky.com Tue Feb 17 17:43:37 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 17 Feb 2009 11:43:37 -0500
Subject: How secure asymmetric encryption to yourself?
In-Reply-To: <4C688D30-54BE-4A7B-8F3A-EAA0BE26996E@chrispoole.com>
References: <4C688D30-54BE-4A7B-8F3A-EAA0BE26996E@chrispoole.com>
Message-ID:

On Feb 17, 2009, at 10:15 AM, Chris Poole wrote:

> Hi,
> I am using GnuPG to encrypt a plain text file of my passwords.
>
> How secure is it to use my own public key as the encryption method
> (rather than symmetric), given that the password file is stored on
> the same drive as my public and private keys?

Let me make sure I understand the question - you are storing the (encrypted) password file on the same drive as your public and secret keys and you want to know if it makes a difference whether you use public key or symmetric encryption for encrypting that password file?

No, it doesn't matter either way. If you use symmetric encryption, you are relying on a passphrase to keep your encrypted password file safe.
If you use public key (asymmetric) encryption, you are relying on your secret key to keep your encrypted password file safe.... but you are relying on a passphrase to keep your secret key safe.

Either way, you have a passphrase to protect.

David

From wk at gnupg.org Wed Feb 18 15:09:26 2009
From: wk at gnupg.org (Werner Koch)
Date: Wed, 18 Feb 2009 15:09:26 +0100
Subject: [Announce] Gpg4win 1.1.4 released
Message-ID: <87hc2rq1k9.fsf@wheatstone.g10code.de>

Hi!

We are pleased to announce the availability of a new stable Gpg4win release: Version 1.1.4.

This is a maintenance release; if you don't have any problems there is no need for an update. It mainly fixes problems using GnuPG on Windows Vista by updating to a newer version of the included GnuPG.

About Gpg4win
-------------

The Gpg4win project aims at updating the Gpg4win Windows installation package with GnuPG encryption tool, associated applications and documentation on a regular basis. Especially the documentation (handbooks "Novices", "Einsteiger" and "Durchblicker") are directly maintained as part of the gpg4win project.

It is an international project. Due to the origin of the project the German language is fully supported. People helping with translations are very welcome!

The main difference compared to all other similar approaches (mainly GnuPP, GnuPT, Windows Privacy Tools and GnuPG-Basics) is that the first thing developed was the Gpg4win-Builder. This builder allows to easily create new gpg4win.exe installers with updated components. The builder runs on any decent Unix system, preferable Debian GNU/Linux. Almost all products are automatically cross-compiled for integration into the installer.

With this concept it is hoped to prevent quick aging of the installer package. This is due to easier updating and less dependency on single developers.

Noteworthy changes in version 1.1.4 (2009-02-17)
------------------------------------------------

* Updated GnuPG to 1.4.9 to solve problems on Windows Vista.

* Updated the optional GnuPG-2 components.

* Included the small Paperkey and Scute utilities.

* Included components are:

    GnuPG:        1.4.9 [*]
    GnuPG2:       2.0.10 [*]
    DirMngr:      1.0.3-svn310 [*]
    GPA:          0.8.0 [*]
    GPGol:        0.9.92
    GPGee:        1.3.1
    WinPT:        1.2.0
    Claws-Mail:   3.0.0-rc2
    Novices:      1.0.0
    Einsteiger:   2.0.2
    Durchblicker: 2.0.2

  (Marked packages are updated since the last release)

Incompatibilities
-----------------

The Dirmngr, which is used by GnuPG-2, uses another location for its configuration files. It is not anymore below the installation directory but at the proper place for data files. This ensures that they will persist over updates and allows to use a network share for the program files.

Gpg4win 1.1.4 deletes those old configuration files it knows about but keeps those not installed by Gpg4win. However, the left over files are not anymore used and need to be copied to the new location manually if this is desired. Given that GnuPG-2 and Dirmngr are not used by the other tools, we believe that this is not a hard problem.

Current Work
------------

We are still working towards Gpg4win 2.0, featuring a completely new architecture. The currently available Beta version (available through http://www.gpg4win.org/download.html) is almost usable. However there are a couple of problems we need to solve before we are able to release a stable Gpg4win 2.0. Due to these problems we decided to release 1.1.4 as an update for 1.1.3 first.

Using GPG via %PATH%
--------------------

As of version 1.1.0, Gpg4win updates the PATH variable to include a new public directory containing the command line tools of Gpg4win. To avoid having a bunch of DLLs in the PATH a special wrapper is used to access these tools. With this release the wrapper should actually work and allows access to gpg, gpgsm and gpg-connect-agent from anywhere in the system without the need to know where Gpg4win has been installed.

Developers of frontends making use of Gpg4win might want to avoid the use of these wrappers.
A hidden option in the wrapper makes the actual used binary available. For example, running "gpg --version --version" will print the following to stdout if the wrapper is being used:

  gpgwrap (Gpg4win) 1.1.4 ;C:\Programme\GNU\GnuPG\gpg.exe
  gpg (GnuPG) 1.4.9 (Gpg4win 1.1.4)
  ....

The string after the semicolon up to the end of the first line may be used for future invocations of gpg.exe.

Installation
------------

For installation instructions, please visit http://www.gpg4win.org or read on.

Developers who want to *build an installer* need to get the following files from http://wald.intevation.org/projects/gpg4win/ :

  gpg4win-1.1.4.tar.bz2 (4.3M)
  gpg4win-1.1.4.tar.bz2.sig

The second file is a digital signature of the first file. Either check that this signature is fine or compare with the checksums given below. (see also http://www.gnupg.org/download/integrity_check.html)

The *ready to use installer* is available at:

  http://ftp.gpg4win.org/gpg4win-1.1.4.exe (9.6M)
  http://ftp.gpg4win.org/gpg4win-1.1.4.exe.sig

Or using the ftp protocol at:

  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.1.4.exe (9.6M)
  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.1.4.exe.sig

SHA1 and MD5 checksums for these files are given below.

If you don't need the manuals or the GnuPG2 command line tools for S/MIME, you might alternatively download the "light" version of the installer:

  http://ftp.gpg4win.org/gpg4win-light-1.1.4.exe (5.9M)
  http://ftp.gpg4win.org/gpg4win-light-1.1.4.exe.sig

or using FTP at:

  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.1.4.exe (5.9M)
  ftp://ftp.gpg4win.org/gpg4win/gpg4win-1.1.4.exe.sig

A separate installer with the source files used to build the above installer is available at:

  ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.1.4.exe (60M)
  ftp://ftp.gpg4win.org/gpg4win/gpg4win-src-1.1.4.exe.sig

Most people don't need this source installer; it is merely stored on that server to satisfy the conditions of the GPL.
In general it is better to get the gpg4win builder tarball (see above) and follow the instructions in the README to build new installers; building the installer is not possible on Windows machines and works best on current Debian GNU/Linux systems (we currently use the mingw32 package from Etch).

SHA1 checksums are:

  e1c41605b0a359759059e4e2f527055b0f4036d5  gpg4win-1.1.4.exe
  6ae2b32ec97801543e954fd23888fa10a9a1781a  gpg4win-light-1.1.4.exe
  08c585347750e8345d964afa73aff7d455c81f39  gpg4win-src-1.1.4.exe
  6a3ec8f7cb5a4252b3b93f49b733bcb5e344eb06  gpg4win-1.1.4.tar.bz2

MD5 checksums are:

  b2e18fd37a14b065a8361f5348c83f72  gpg4win-1.1.4.exe
  bb3bee4d8c30f5376d532c7135b17045  gpg4win-light-1.1.4.exe
  2efc36781e7b3f463064129d6819fe4d  gpg4win-src-1.1.4.exe
  2b1ac6dbc4d4fe3e710348b7a671b102  gpg4win-1.1.4.tar.bz2

If you have problems downloading the above files, you may try the mirror servers listed at the download page.

We like to thank the authors of the included packages, the NSIS authors, all other contributors and first of all, those folks who stayed with us and helped testing Gpg4win.

To help furthering this project, please consider to sponsor the development. See http://www.gpg4win.org .

Happy hacking,

  The Gpg4win hackers

--
Thoughts are free. Exceptions are regulated by a federal law.

From petr.uzel at suse.cz Thu Feb 19 18:01:41 2009
From: petr.uzel at suse.cz (Petr Uzel)
Date: Thu, 19 Feb 2009 18:01:41 +0100
Subject: gpg-agent does not know --homedir, --batch and --lc-type options
Message-ID: <20090219170141.GE16630@localhost>

Hi,

although documented in its manpage, gpg-agent does not know following options:

  --homedir
  --batch
  --lc-type

  puzel at foxbat:~> gpg-agent --batch
  gpg-agent[11116]: invalid option "--batch"
  puzel at foxbat:~> gpg-agent --lc-type
  gpg-agent[11119]: invalid option "--lc-type"
  puzel at foxbat:~> gpg-agent --homedir
  gpg-agent[11128]: invalid option "--homedir"

  puzel at foxbat:~> gpg-agent --version
  gpg-agent (GnuPG) 2.0.10
  libgcrypt 1.4.1

Is this a bug in GnuPG, documentation, both, or did I miss something?

Thanks in advance,

--
Best regards / s pozdravem

Petr Uzel, Packages maintainer
---------------------------------------------------------------------
SUSE LINUX, s.r.o.          e-mail: puzel at suse.cz
Lihovarská 1060/12          tel: +420 284 028 964
190 00 Prague 9             fax: +420 284 028 951
Czech Republic              http://www.suse.cz

From karadenizi at earthlink.net Fri Feb 20 15:31:11 2009
From: karadenizi at earthlink.net (Kara)
Date: Fri, 20 Feb 2009 09:31:11 -0500
Subject: Command Line Use of GPG
Message-ID: <499EBEAF.20506@earthlink.net>

====
*Using*: Using Windows XP with SP3, Thunderbird 2.0.0.17, GPG 1.49, and Enigmail 0.95.7. No problems.

*Question*: How -- independent of Enigmail or any other GUI -- can I use GPG via the command line procedure (e.g., to sign someone's key with a "trust" signature)?
====
For some reason the following approach won't let me access GPG:

1. "Start | Run" gpg --edit-key deadbeef.

2.
C:\Documents and Settings\Kara> gpg --edit-key deadbeef

3. C:\> gpg --edit-key deadbeef

In each of the above attempts, the resulting error message is:
'gpg' is not recognized as an internal or external command, operable program or batch file."

Once I can access GPG via the command line, I know what to do from that point on.
====
Timestamp: Fri 20 Feb 2009, 0931 Local (UTC -0500)
====

From laurent.jumet at skynet.be Fri Feb 20 15:59:50 2009
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Fri, 20 Feb 2009 15:59:50 +0100
Subject: Command Line Use of GPG
In-Reply-To: <499EBEAF.20506@earthlink.net>
Message-ID:

Hello Kara !

Kara wrote:

> *Using*: Using Windows XP with SP3, Thunderbird 2.0.0.17,
> GPG 1.49, and Enigmail 0.95.7. No problems.
> *Question*: How -- independent of Enigmail or any other GUI -- can I
> use GPG via the command line procedure (e.g., to sign
> someone's key with a "trust" signature)?
> For some reason the following approach won't let me access GPG:
> 1. "Start | Run" gpg --edit-key deadbeef.
> 2. C:\Documents and Settings\Kara> gpg --edit-key deadbeef
> 3. C:\> gpg --edit-key deadbeef
> In each of the above attempts, the resulting error message is:
> 'gpg' is not recognized as an internal or external command, operable
> program or batch file."

Seems that the \GnuPG directory is not in the path. Add it, or use a batch to first jump to it.

--
Laurent Jumet
KeyID: 0xCFAF704C

From John at Mozilla-Enigmail.org Fri Feb 20 16:07:54 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Fri, 20 Feb 2009 09:07:54 -0600
Subject: Command Line Use of GPG
In-Reply-To: <499EBEAF.20506@earthlink.net>
References: <499EBEAF.20506@earthlink.net>
Message-ID: <499EC74A.6000504@Mozilla-Enigmail.org>

Kara wrote:
> For some reason the following approach won't let me access GPG:
>
> 1. "Start | Run" gpg --edit-key deadbeef.
>
> 2. C:\Documents and Settings\Kara> gpg --edit-key deadbeef
>
> 3.
> C:\> gpg --edit-key deadbeef
>
> In each of the above attempts, the resulting error message is:
> 'gpg' is not recognized as an internal or external command, operable
> program or batch file."
>
> Once I can access GPG via the command line, I know what to do from
> that point on.

At a command prompt, use the command PATH to verify the directory containing gpg.exe is part of the search path. The default is C:\Program Files\Gnu\GnuPG.

If not, you may add it in Control Panel --> System --> Advanced --> Environment Variables.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From chris at chrispoole.com Fri Feb 20 16:28:23 2009
From: chris at chrispoole.com (Chris Poole)
Date: Fri, 20 Feb 2009 15:28:23 +0000
Subject: How secure asymmetric encryption to yourself?
In-Reply-To:
References: <4C688D30-54BE-4A7B-8F3A-EAA0BE26996E@chrispoole.com>
Message-ID: <3817A8AF-5904-4A17-97EF-C41632F11E0A@chrispoole.com>

Yes, this is correct, and what I thought would be the answer.

I was just concerned that an attacker (say, a thief that steals my laptop), would have both my secret key and something encrypted with that secret key. I wasn't sure if this would somehow reduce the effectiveness of the encryption (even though I use a good passphrase).
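
Added example, not part of any message in this archive and not GnuPG's own code: it combines the advice in the "Graphing Web of Trust" thread to script against --with-colons output with the signature statuses explained in the "bad keys" thread. It reads the status from field 2 of each sig record (field layout as documented in GnuPG's doc/DETAILS) instead of scraping the human-readable listing; the sample listing, key IDs and names are constructed, and the function names are this example's own.

```python
import re
import subprocess
from collections import Counter

# Field 2 of a "sig"/"rev" record when gpg verifies signatures (--check-sigs).
STATUS = {"!": "good", "-": "bad", "?": "missing_key", "%": "error", "": "unchecked"}

# Constructed sample shaped like the output of
#   gpg --batch --with-colons --fixed-list-mode --check-sigs
# Key IDs, timestamps and names are made up for this example.
SAMPLE = r"""tru::1:1234790000:0:3:1:5
pub:u:2048:1:AAAA0000AAAA0001:1230768000:::u:::scESC:
uid:u::::1230768000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sig:!::1:AAAA0000AAAA0001:1230768000::::Alice Example <alice@example.org>:13x:
sig:-::1:BBBB0000BBBB0002:1230854400::::Bob\x3a Example <bob@example.org>:10x:
sig:?::17:CCCC0000CCCC0003:1230940800::::[User ID not found]:10x:
sig:%::1:DDDD0000DDDD0004:1199145600::::Dave Example <dave@example.org>:10x:
sub:u:2048:1:EEEE0000EEEE0005:1230768000::::::e:
sig:!::1:AAAA0000AAAA0001:1230768000::::Alice Example <alice@example.org>:18x:
"""


def unescape(field):
    r"""Undo gpg's \xNN escaping; a literal ':' inside a user ID arrives as \x3a."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_signatures(listing):
    """Return one dict per signature record, tagged with the key it sits on."""
    sigs = []
    current_key = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_key = fields[4]  # long key ID of the primary key
        elif fields[0] in ("sig", "rev") and len(fields) >= 11:
            sigs.append({
                "on_key": current_key,
                # gpg may add status characters later, so the set is not closed
                "status": STATUS.get(fields[1], "unknown"),
                "signer": fields[4],
                "signer_uid": unescape(fields[9]),
                "sig_class": fields[10],  # 10x generic, 13x positive, 18x subkey binding
            })
    return sigs


def tally(sigs):
    """Count signatures per status, the machine-readable form of gpg's summary."""
    return Counter(s["status"] for s in sigs)


def needs_attention(sigs):
    """Signatures that failed verification or could not be verified due to an error."""
    return [s for s in sigs if s["status"] in ("bad", "error", "unknown")]


def check_keyring(gpg="gpg", homedir=None):
    """Run gpg on a keyring and parse the result (requires gpg to be installed)."""
    argv = [gpg, "--batch", "--with-colons", "--fixed-list-mode", "--check-sigs"]
    if homedir:
        argv[1:1] = ["--homedir", homedir]
    done = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                          encoding="utf-8", errors="replace")
    return parse_signatures(done.stdout)


if __name__ == "__main__":
    sigs = parse_signatures(SAMPLE)
    print(dict(tally(sigs)))
    for s in needs_attention(sigs):
        print(s["status"], s["signer"], s["signer_uid"], "on", s["on_key"])
```

Signatures with status "missing_key" are not failures; they only mean the signer's public key is not in the keyring being checked.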
From gerry.lowry at abilitybusinesscomputerservices.com Sat Feb 21 23:45:44 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sat, 21 Feb 2009 17:45:44 -0500
Subject: Command Line Use of GPG
References: <499EBEAF.20506@earthlink.net>
Message-ID: <660ED9E490814441B5783C49A15445E2@zentrumvegan>

Kara,

It sounds like gpg.exe is not in your path.

You can get around this by adding the directory where gpg.exe exists
or by using a fully qualified path. I prefer the latter.

Example: assume I've installed GnuPG to c:\topsecret\spytools (btw, I have not)

Open a Windows command prompt, a.k.a. a "DOS window".

[note: before you get in too deep, you might want to read a book like
"PGP & GPG", Michael W. Lucas. It's not perfect but it got me
restarted. No Starch Press, 2006. Try your local library.]

[if your GnuPG folder is not in your path, then, in the following,
type, for example,
    >c:\topsecret\spytools\gpg
instead of just
    >gpg
]

At your Command prompt, usually ">", type commands like these:

    >gpg --gen-key                  [creates a GnuPG keypair]

    [the following is a one line command to generate a revocation
     certificate in case you ever need it]
    >gpg --verbose --armor --output you@yourplace.com.asc.revoke.txt --gen-revoke you@yourplace.com

    >gpg --verbose --list-keys
    >gpg --verbose --list-secret-keys

use Google to locate useful articles on GnuPG, example, GnuPG tutorial

regards,
gerry (lowry)
______________________________________________________________________________
Gerry Lowry, Principal
Ability Business Computer Services ~~ Because it's your Business, our Experience Counts!
68 John W. Taylor Avenue
Alliston, Ontario, Canada, L9R 0E1
gerry.lowry at abilitybusinesscomputerservices.com

From rjh at sixdemonbag.org Sun Feb 22 00:13:48 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 21 Feb 2009 18:13:48 -0500
Subject: Command Line Use of GPG
In-Reply-To: <660ED9E490814441B5783C49A15445E2@zentrumvegan>
References: <499EBEAF.20506@earthlink.net> <660ED9E490814441B5783C49A15445E2@zentrumvegan>
Message-ID:

> assume I've installed GnuPG to c:\topsecret\spytools (btw, I have
> not)

Why does this matter? Either you have control of your system, in
which case you're not giving away anything by saying where GnuPG is --
or you don't, in which case not saying where GnuPG is doesn't help you
recover.

Paranoia is great. Carefully reasoned paranoia is even better.

From gerry.lowry at abilitybusinesscomputerservices.com Sun Feb 22 00:38:51 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sat, 21 Feb 2009 18:38:51 -0500
Subject: Command Line Use of GPG
References: <499EBEAF.20506@earthlink.net> <660ED9E490814441B5783C49A15445E2@zentrumvegan>
Message-ID: <0439DDE2045B48EBA416567380717261@zentrumvegan>

Hello Robert ... what, me paranoid? Okay, I admit maybe a little.
Likely a lot. You're not with the CIA, are you?

Do I have control of my system? I hope so. It's almost impossible to know.

Perhaps Bill Gates has control of my system. That's unlikely but not impossible.

I used to work for Microsoft. Perhaps I have control of your system. Likely not.

Is your name really Robert?

B-)

From gerry.lowry at abilitybusinesscomputerservices.com Sun Feb 22 01:16:45 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sat, 21 Feb 2009 19:16:45 -0500
Subject: multiple e-mail addresses: what are the solutions?
Message-ID:

Hello,

in my first attempts at PGP, I had only one e-mail at a time,
occasionally two or three.

Now I have many different e-mail addresses that I use on a regular
basis for various purposes, none of them illegal. Some web sites force
users to have addresses like me at theirdomain.com for reasons such as
attempting to control spam.
Examples:

I have a gmail account for communication with my IPP if my site is down.
If my IPP is also down, I'm out of luck.

I have an e-mail address from a customer who prefers that his
customers contact me via gerry at hiscompany.com.

et cetera, et cetera, et cetera

Please note: I'm for all intents and purposes new to PGP/GPG.

It seems that for any e-mail address that I have, I need a key pair
that corresponds to each e-mail address.

Is there a better strategy?

Regards,
Gerry

From John at Mozilla-Enigmail.org Sun Feb 22 02:45:37 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sat, 21 Feb 2009 19:45:37 -0600
Subject: multiple e-mail addresses: what are the solutions?
In-Reply-To:
References:
Message-ID: <49A0AE41.8020304@Mozilla-Enigmail.org>

gerry_lowry (alliston ontario canada) wrote:
>
> It seems that for any e-mail address that I have, I need a key pair that
> corresponds to each e-mail address.
>
> Is there a better strategy?

A key with multiple email addresses (userIDs) per identity/personae?

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org

From dshaw at jabberwocky.com Sun Feb 22 02:49:35 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 21 Feb 2009 20:49:35 -0500
Subject: multiple e-mail addresses: what are the solutions?
In-Reply-To:
References:
Message-ID:

On Feb 21, 2009, at 7:16 PM, gerry_lowry (alliston ontario canada) wrote:

> Hello,
>
> in my first attempts at PGP, I had only one e-mail at a time,
> occasionally two or three.
>
> Now I have many different e-mail addresses that I use on a regular
> basis for various purposes, none of them illegal. Some web sites
> force users to have addresses like me at theirdomain.com for reasons
> such as attempting to control spam.
>
> Examples:
>
> I have a gmail account for communication with my IPP if my site is
> down. If my IPP is also down, I'm out of luck.
>
> I have an e-mail address from a customer who prefers that his
> customers contact me via gerry at hiscompany.com.
>
> et cetera, et cetera, et cetera
>
> Please note: I'm for all intents and purposes new to PGP/GPG.
>
> It seems that for any e-mail address that I have, I need a key pair
> that corresponds to each e-mail address.

That is one way to do it. The other way is to have a single keypair
with multiple email addresses on it (using the --edit-key menu and
"adduid" you can add as many addresses as you like to a key). And
then there is a blend of the two methods where you have more than one
keypair, each with some of the email addresses on it.

Which method you want to go with depends on what you're trying to
accomplish, and how you like to manage keys. There is no one right
answer here - it's very much a matter of taste. Personally, I like to
use a different key for each overall purpose (i.e. one key for
$day_job, one key for personal and open-source work), but again this
is just what I like.

David

From John at Mozilla-Enigmail.org Sun Feb 22 03:24:29 2009
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sat, 21 Feb 2009 20:24:29 -0600
Subject: Command Line Use of GPG
In-Reply-To: <0439DDE2045B48EBA416567380717261@zentrumvegan>
References: <499EBEAF.20506@earthlink.net> <660ED9E490814441B5783C49A15445E2@zentrumvegan> <0439DDE2045B48EBA416567380717261@zentrumvegan>
Message-ID: <49A0B75D.7070807@Mozilla-Enigmail.org>

gerry_lowry (alliston ontario canada) wrote:
> Hello Robert ... what, me paranoid? Okay, I admit maybe a little.
> Likely a lot.
> You're not with the CIA, are you?

Probably not. The TLA folks who ARE on this list (and others) are much
more likely to be lurkers than to draw attention to themselves by
posting.

> Do I have control of my system? I hope so. It's almost impossible to know.

Sorry, but it's quite easy to know. Competent system and network
administrators do it every day /for systems under their control/.

> Perhaps Bill Gates has control of my system. That's unlikely but not impossible.
> I used to work for Microsoft. Perhaps I have control of your system. Likely not.

Those arguments all seem to have a dependency on running Microsoft's
software...

> Is your name really Robert?

Yeah, it ("/most likely/") is. There are elements of Rob's identity
that I know which would be _quite_ difficult to manufacture.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org

From rjh at sixdemonbag.org Sun Feb 22 04:30:33 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sat, 21 Feb 2009 22:30:33 -0500
Subject: Command Line Use of GPG
In-Reply-To: <49A0B75D.7070807@Mozilla-Enigmail.org>
References: <499EBEAF.20506@earthlink.net> <660ED9E490814441B5783C49A15445E2@zentrumvegan> <0439DDE2045B48EBA416567380717261@zentrumvegan> <49A0B75D.7070807@Mozilla-Enigmail.org>
Message-ID:

> Probably not. The TLA folks who ARE on this list (and others) are
> much more likely to be lurkers than to draw attention to themselves
> by posting.

I agree with John. This is further explanation, not a disagreement.
A couple of years ago, in response to something I posted on this list,
I had an unhinged list member fill my inbox with wild claims that I
was obviously either an FBI informant or a psychiatrist -- and if I
was either he was going to hunt me down and murder me with an axe.

I didn't take it seriously until he cited my street address and phone
number.

Making things worse, my father is a federal judge. Given how tight
this guy's tinfoil hat was wound, I thought he might not draw that
much of a distinction between "son of a federal judge" and "FBI
informant." It was a pretty stressful period for me for a while.

Moral of the story: some people are lurkers not because they're up to
skulduggery, but because they're scared of the fringe element. And
really, if you're related to interesting people, or if you have an
interesting job... then who can fault you for wanting to keep a low
profile?

From gerry.lowry at abilitybusinesscomputerservices.com Sun Feb 22 23:20:46 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sun, 22 Feb 2009 17:20:46 -0500
Subject: multiple e-mail addresses: what are the solutions?
References: <49A0AE41.8020304@Mozilla-Enigmail.org>
Message-ID: <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan>

Thank you John and David.

John Clizbe has suggested a "key with multiple email addresses
(userIDs) per identity/personae" as one strategy.

David Shaw has mentioned a strategy of separate keys for different
purposes.

My question: if I go with separate keys, as in

    e-mail_address_1    public_key_1    private_key_1
    e-mail_address_2    public_key_2    private_key_2
    e-mail_address_3    public_key_3    private_key_3

then, is it permissible to have all of my public keys together on the
same pubring.gpg file and all of my private keys together on the same
secring.gpg file?
is it even architecturally possible to have all of my public keys
together on the same pubring.gpg file and all of my private keys
together on the same secring.gpg file?

Also, if it is possible, what are the advantages and the disadvantages?

Thank you.

Regards,
Gerry (Lowry)

From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 00:54:08 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Sun, 22 Feb 2009 18:54:08 -0500
Subject: "Please select what kind of key you want"
Message-ID: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan>

Preamble
----------
Michael W. Lucas on page 73 in Chapter 4 of "PGP & GPG: Email for the
Practical Paranoid", No Starch Press, (c) 2006, shows the following
choices for "Please select what kind of key you want":
    (1) DSA and Elgamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)

Michael recommends choosing "5" which turns out to be a disadvantage
that one might not discover until the first time that she/he attempts
to encrypt something.

AFAIK, other people can still encrypt for the user who has selected
"5" above. And the user can decrypt whatever she/he receives.

I do not recall Michael discussing the solution to the problems
caused by selecting just "(5) RSA (sign only)", although, since his
book is written for a beginner audience, I do think he should
have addressed this problem. Nevertheless, I found his book
still quite helpful.


QUESTIONS
-----------------
Especially because of my experience mentioned above, I tend to pay
attention to the text that follows "Please select what kind of key
you want".

The Windows' version that I used matches Michael's text:
>gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
Please select what kind of key you want:
    (1) DSA and Elgamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)

From "gpg --edit-key ID addkey", I also get
    (2) DSA (sign only)
    (4) Elgamal (encrypt only)
    (5) RSA (sign only)
    (6) RSA (encrypt only)
----------------------------------   where's (3)
    (3) ??????????????

Why is there no "(3)" in the above two lists [gen-key list, addkey list]?

Why are choices "(4) Elgamal (encrypt only)" and "(6) RSA (encrypt only)"
not present in the "gen-key" list?

Why is choice "(1) DSA and Elgamal (default)" not present in the
"addkey" list?

============ http://www.netbsd.org/developers/pgp.html ==============
shows different choices for "gpg --gen-key":
    (1) DSA and ElGamal (default)
    (2) DSA (sign only)
    (4) ElGamal (sign and encrypt)
    (5) RSA (sign only)

Exploring further "Please select what kind of key you want" via Google,
I get the impression that there's potentially a standard that might
read something like:
    position (1) should always be __________;
    position (2) should always be __________;
    position (3) should always be __________; et cetera
and for any position, you can offer nothing, sign only, encrypt only,
or sign and encrypt together.

Is that the case with regards to developer guidelines?

Also, I'm guessing that although a developer might opt out of creating
a key of type X, regardless, the developer must presumably support a
complete set of encryption/decryption choices for the purpose of
processing public and private keys properly. Is this the case?

Thank you.

Regards,
Gerry (Lowry)

From rjh at sixdemonbag.org Mon Feb 23 01:07:03 2009
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 22 Feb 2009 19:07:03 -0500
Subject: "Please select what kind of key you want"
In-Reply-To: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan>
References: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan>
Message-ID:

> Michael W.
> Lucas on page 73 in Chapter 4 of "PGP & GPG: Email for
> the Practical Paranoid",
> No Starch Press, (c) 2006, shows the following choices for
> "Please select what kind of key you want":
>     (1) DSA and Elgamal (default)
>     (2) DSA (sign only)
>     (5) RSA (sign only)
>
> Michael recommends choosing "5" which turns out to be a disadvantage
> that one might not discover until the first time that she/he
> attempts to encrypt something.

In 2006, Lucas's advice was pretty solid. In 2009, not so much. The
introduction of DSA2 has resolved most -- if not all -- of the reasons
that motivated him and others to suggest RSA.

> AFAIK, other people can still encrypt for the user who has selected
> "5" above. And the user can decrypt whatever she/he receives.

Not with a sign-only key. A sign-only key is only usable for signing;
other people cannot encrypt to a sign-only key.

> Why is there no "(3)" in the above two lists [gen-key list, addkey
> list]?

Elgamal signing keys were #3, IIRC. They were removed years ago due
to some catastrophic bugs and the community's near-total abjuration of
Elgamal signing keys. (IIRC, the total number of Elgamal signing keys
on the keyserver network was in the neighborhood of 10.)

> Why are choices "(4) Elgamal (encrypt only)" and "(6) RSA (encrypt
> only)" not present in the "gen-key" list?

Because when you generate a new key you /must/ generate a signing
key. #s 4 and 6 are encryption-only keys, which means they can only
be added to an already-existing signing key.

> Why is choice "(1) DSA and Elgamal (default)" not present in the
> "addkey" list?

Why should they be? If you want to add a new DSA signing key, you can
do that. If you want to add a new Elgamal encryption key, you can do
that. Where's the problem?
> Also, I'm guessing that although a developer might opt out of
> creating a key of type X, regardless, the developer must presumably
> support a complete set of encryption/decryption choices for the
> purpose of processing public and private keys properly. Is this the
> case?

Nope. An OpenPGP implementation is not required to support most of
those algorithms. You can have a perfectly well conforming OpenPGP
implementation which only supports SHA-1, DSA, Elgamal and 3DES.

From dshaw at jabberwocky.com Mon Feb 23 01:48:42 2009
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 22 Feb 2009 19:48:42 -0500
Subject: "Please select what kind of key you want"
In-Reply-To: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan>
References: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan>
Message-ID: <9D856D3A-4A6D-4B25-907C-00A182D0454B@jabberwocky.com>

On Feb 22, 2009, at 6:54 PM, gerry_lowry (alliston ontario canada) wrote:

> Preamble
> ----------
> Michael W. Lucas on page 73 in Chapter 4 of "PGP & GPG: Email for
> the Practical Paranoid",
> No Starch Press, (c) 2006, shows the following choices for
> "Please select what kind of key you want":
>     (1) DSA and Elgamal (default)
>     (2) DSA (sign only)
>     (5) RSA (sign only)
>
> Michael recommends choosing "5" which turns out to be a disadvantage
> that one might not discover until the first time that she/he
> attempts to encrypt something.

He recommends a RSA signing key and later adding a subkey for
encryption. This is only a problem if someone does part 1 (the
signing key) of his recommendation and skips part 2 (the encryption
subkey).

> AFAIK, other people can still encrypt for the user who has selected
> "5" above. And the user can decrypt whatever she/he receives.

This is not correct. A sign only key means sign only. It has no
encryption capability. That's why you need a subkey to handle the
encryption.
> I do not recall Michael discussing the solution to the problems
> caused by selecting just "(5) RSA (sign only)", although, since his
> book is written for a beginner audience, I do think he should
> have addressed this problem. Nevertheless, I found his book
> still quite helpful.
>
>
> QUESTIONS
> -----------------
> Especially because of my experience mentioned above, I tend to pay
> attention to the text that follows "Please select what kind of key
> you want".
>
> The Windows' version that I used matches Michael's text:
>> gpg --gen-key
> gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software
> Foundation, Inc.
>
> Please select what kind of key you want:
>     (1) DSA and Elgamal (default)
>     (2) DSA (sign only)
>     (5) RSA (sign only)
>
>> From "gpg --edit-key ID addkey", I also get
>     (2) DSA (sign only)
>     (4) Elgamal (encrypt only)
>     (5) RSA (sign only)
>     (6) RSA (encrypt only)
> ----------------------------------   where's (3)
>     (3) ??????????????
>
> Why is there no "(3)" in the above two lists [gen-key list, addkey
> list]?

(3) and (7) are special cases for advanced users. They do not show up
in the menu unless the "--expert" flag is given. They let you create
a key with any features that you want (for example, you could create a
RSA key that can sign and encrypt with a single key and not need
subkeys at all). This is for advanced use only.

> Why are choices "(4) Elgamal (encrypt only)" and "(6) RSA (encrypt
> only)" not present in the "gen-key" list?

They are not meaningful there. gen-key creates a primary key, and as
per the OpenPGP standard, a primary key must be able to issue
certification signatures. An encrypt only key, by definition, cannot
issue signatures.

> Why is choice "(1) DSA and Elgamal (default)" not present in the
> "addkey" list?

Again, not meaningful there. addkey creates subkeys. DSA+Elgamal is
not a subkey (it's a shortcut for specifying a DSA primary and an
Elgamal subkey).
> ============ http://www.netbsd.org/developers/pgp.html
> ==============
> shows different choices for "gpg --gen-key":
>     (1) DSA and ElGamal (default)
>     (2) DSA (sign only)
>     (4) ElGamal (sign and encrypt)
>     (5) RSA (sign only)
>
> Exploring further "Please select what kind of key you want" via
> Google, I get the impression that there's potentially a standard
> that might read something like:
>     position (1) should always be __________;
>     position (2) should always be __________;
>     position (3) should always be __________; et cetera
> and for any position, you can offer nothing, sign only, encrypt
> only, or sign and encrypt together.
>
> Is that the case with regards to developer guidelines?

No. The numbers have changed in the past, and may well change in the
future.

> Also, I'm guessing that although a developer might opt out of
> creating a key of type X, regardless, the developer must presumably
> support a complete set of encryption/decryption choices for the
> purpose of processing public and private keys properly. Is this the
> case?

Not really. It is true that the developer can choose to not allow
creating certain key types in their OpenPGP program. It is also true,
though, that the developer can choose to not support an algorithm at
all. The only algorithms that are required to be supported are DSA
for signing, Elgamal for encryption, 3DES as a symmetric cipher, and
SHA-1 as a hash. Strictly speaking, everything else is optional. Of
course, most programs support a good chunk of the optional algorithms.

David

From dougb at dougbarton.us Mon Feb 23 07:46:24 2009
From: dougb at dougbarton.us (Doug Barton)
Date: Sun, 22 Feb 2009 22:46:24 -0800
Subject: multiple e-mail addresses: what are the solutions?
In-Reply-To: <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan>
References: <49A0AE41.8020304@Mozilla-Enigmail.org> <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan>
Message-ID: <49A24640.3030402@dougbarton.us>

gerry_lowry (alliston ontario canada) wrote:
> Thank you John and David.
>
> John Clizbe has suggested a "key with multiple email addresses
> (userIDs) per identity/personae" as one strategy. David Shaw has
> mentioned a strategy of separate keys for different purposes.

FWIW, I use a blend of these two strategies. I have a personal key
that has my main personal e-mail address, my @freebsd.org e-mail
address, and my old e-mail address (which was the first uid to gather
signatures so has more than the new e-mail address).

In my former position I needed a PGP key for my e-mail so I generated
a new one that was specific to that position. It had several e-mail
addresses (uids) attached to it (for various uninteresting reasons).

> My question: if I go with separate keys, as in
>
> e-mail_address_1 public_key_1 private_key_1
...
> then, is it permissible to have all of my public keys together on
> the same pubring.gpg file and all of my private keys together on
> the same secring.gpg file?

Yes, and I still have both keys on my keyring(s). Because I like to
keep things separated I actually have a my-pub-keys.gpg keyring (as
well as other rings with keys dedicated to other purposes).

> Also, if it is possible, what are the advantages and the
> disadvantages?

The only disadvantage I've run into was very minor, asking people at
key signing events to sign both keys. Now that people with multiple
keys are more common, that's hardly an issue any longer.

The advantages for me were clear separation between my "work" and
"personal" identities; which was primarily a benefit when it came to
e-mail (both signing and encryption) but there were a few people who
were comfortable signing one key, but not the other.
The other advantage (now that I've left that employer) is that when
attending key signing parties now I don't have to worry about asking
people to sign a key with e-mail addresses I no longer have access to.


hope this helps,

Doug

From chris at chrispoole.com Mon Feb 16 16:09:49 2009
From: chris at chrispoole.com (Chris Poole)
Date: Mon, 16 Feb 2009 15:09:49 +0000
Subject: How secure asymmetric encryption to yourself?
Message-ID: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com>

Hi,

I am using GnuPG to encrypt a plain text file of my passwords.

How secure is it to use my own public key as the encryption method
(rather than symmetric), given that the password file is stored on the
same drive as my public and private keys?

Thanks.

From tanuja.sarraju at gmail.com Tue Feb 17 18:26:26 2009
From: tanuja.sarraju at gmail.com (Tanu)
Date: Tue, 17 Feb 2009 09:26:26 -0800 (PST)
Subject: JAVA Standard API for GnuPG v1.80?
In-Reply-To: <4995BD45.4030504@sven-radde.de>
References: <21983715.post@talk.nabble.com> <4995BD45.4030504@sven-radde.de>
Message-ID: <22062153.post@talk.nabble.com>

Thanks a lot Steve.

I've checked out -
http://www.java2s.com/Open-Source/Java-Document/Security/Bouncy-Castle/org/bouncycastle/openpgp/examples/ByteArrayHandler.java.htm

Would this Open PGP work for GnuPG?

Sven Radde-3 wrote:
>
> Hi!
>
> Tanu wrote:
>> Is there any Standard JAVA API from SUN or Apache for GnuPG v1.80?
>>
>> Any inputs on this will be highly appreciated.
>
> This might not be exactly what you want, but have a look at
> bouncycastle.org.
>
> They do not utilize GnuPG, but rather implement OpenPGP (RFC2440) in Java.
>
> cu, Sven
>
From RMundkowsky at employers.com Wed Feb 18 20:33:59 2009
From: RMundkowsky at employers.com (Robert Mundkowsky)
Date: Wed, 18 Feb 2009 11:33:59 -0800
Subject: GPG Decryption of a PGP encrypted zip file resulting in garbled zip file
Message-ID:

Did you ever get a solution to your problem decompressing ZIP.PGP
files? I think someone I am working with is having a similar problem.

Robert Mundkowsky
Employers
Sr. Applications Developer
500 N. Brand Blvd
Glendale, Ca 91203
rmundkowsky at eig.com
Tel: (818) 549-4559
Fax: (818) 552-4844

From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 16:49:18 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Mon, 23 Feb 2009 10:49:18 -0500
Subject: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
Message-ID: <8F537BB6A11A44B38F6FA79EC8E2A1A5@zentrumvegan>

http://support.apple.com/kb/HT1620
How to use the Apple Product Security PGP Key

http://www.apple.com/support/security/pgp/
Protecting Security Information

F.Y.I.: I've not noticed anything similar from Microsoft and other
software companies.

Most seem to be happy with MD5 and SHA1 for files and nothing else.

Also, Apple even provides links to PGP Corporation and GnuPG plus its
key and key ID.

    This is our PGP key which is valid until May 15, 2010
    Key ID: 0x8A648901  Key Type: RSA  Expires: 5/15/10  Key Size: 2048/2048
    Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901
    UserID: Apple Product Security

This from Apple is like an endorsement of PGP/GPG technology.

So few people use PGP/GPG technology openly.

The Internet took off when Microsoft, for better or worse, included
and promoted Internet Explorer in Windows 95, thus beginning the so
called browser wars.

I would be surprised and also happy to see Microsoft promote PGP/GPG
technology. I do not actually expect that to happen. If it did, it
would be good if Microsoft could stimulate PGP/GPG technology with
more user friendliness since at the moment there's much to learn to
understand and begin using PGP/GPG technology.

Regards,
Gerry (Lowry)

From jbruni at me.com Mon Feb 23 17:09:41 2009
From: jbruni at me.com (Joseph Oreste Bruni)
Date: Mon, 23 Feb 2009 09:09:41 -0700
Subject: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I.
In-Reply-To: <8F537BB6A11A44B38F6FA79EC8E2A1A5@zentrumvegan>
References: <8F537BB6A11A44B38F6FA79EC8E2A1A5@zentrumvegan>
Message-ID: <4DFE4896-773D-478A-ADCA-3864C903BF72@me.com>

On Feb 23, 2009, at 8:49 AM, gerry_lowry (alliston ontario canada) wrote:

> http://support.apple.com/kb/HT1620
> How to use the Apple Product Security PGP Key
>
> http://www.apple.com/support/security/pgp/
> Protecting Security Information
>
> F.Y.I.: I've not noticed anything similar from Microsoft and other
> software companies.
>
> Most seem to be happy with MD5 and SHA1 for files and nothing else.
>
> Also, Apple even provides links to PGP Corporation and GnuPG plus
> its key and key ID.
>
> This is our PGP key which is valid until May 15, 2010
> Key ID: 0x8A648901 Key Type: RSA Expires: 5/15/10 Key Size:
> 2048/2048
> Fingerprint: 39EC C76A 3D62 7062 C321 10B2 7928 75E8 8A64 8901
> UserID: Apple Product Security
>
> This from Apple is like an endorsement of PGP/GPG technology.
>

One of the bugs I filed with Apple is how their Product Security group
uses PGP signatures for the advisories, but their own Mail application
only supports S/MIME and certificates. This is fine, but I'd like to
see them be a bit consistent.

From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 17:36:49 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Mon, 23 Feb 2009 11:36:49 -0500
Subject: How secure asymmetric encryption to yourself?
References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com>
Message-ID: <7AB9B76440E14B8880ED39966BCC70C2@zentrumvegan>

a paranoid's answer to your question:

your passphrase is also required ... so my best guess is that you are
more or less safe; others on this list would know better than myself.
Here's the paranoid part: if your system became compromised with a
keylogger, you could be vulnerable to having your passphrase stolen.

More paranoia: when you're viewing your file as plain text which you
must do to read its contents (unless you're superhuman), your text is
at least temporarily vulnerable.

a paranoid's solution: have a second computer, even a small pocket
something or other that supports PGP/GPG technology and also is NEVER
connected to the rest of the connected world; keep your secured
information on the second computer only; external backups excluded
(you can never have too much backup; some backup is better than none).

Regards,
Gerry (Lowry)

From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 17:39:10 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Mon, 23 Feb 2009 11:39:10 -0500
Subject: "Please select what kind of key you want"
References: <6E0FA7A9924A4067898F76BE16671424@zentrumvegan> <9D856D3A-4A6D-4B25-907C-00A182D0454B@jabberwocky.com>
Message-ID:

Robert and David, thank you for increasing my understanding and
pointing out the errors I made.

g.

From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 17:55:51 2009
From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada))
Date: Mon, 23 Feb 2009 11:55:51 -0500
Subject: "Please select what kind of key you want" ~~ suggestion to developers
Message-ID: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan>

The easier it is for beginners to understand PGP/GPG technology, the
faster its adoption into general use by the public will occur.
Suggestion: add help as an option to gpg --gen-key and gpg --edit-key [ ID ] addkey Example: Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices ------------------------------------ Sample help: Choice/Description -------------------- If you choose a sign only key, you may also need to .... (1) DSA and Elgamal (default) Phasellus interdum nunc eget libero. In ante dui, ... (2) DSA (sign only) Vivamus ut libero eget tortor lobortis ... (5) RSA (sign only) Aliquam sit amet risus auctor felis ... Real and useful text should replace the random lorem ipsum* used in the above example. B-) Additionally, build more help/guidance text into PGP/GPG technology. Users are more likely to implement technologies that they understand once they have achieved a level of comfort with those technologies. Regards, Gerry (Lowry) * source: http://www.lipsum.com/. From vedaal at hush.com Mon Feb 23 18:07:00 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Mon, 23 Feb 2009 12:07:00 -0500 Subject: How secure asymmetric encryption to yourself? Message-ID: <20090223170700.31D02118040@smtp.hushmail.com> >Date: Mon, 23 Feb 2009 11:36:49 -0500 >From: "gerry_lowry \(alliston ontario canada\)" > >Subject: Re: How secure asymmetric encryption to yourself? >a paranoid's answer to your question: >More paranoia: when you're viewing your file as plain text which >you must do to read its contents >(unless you're superhuman), well, in case anyone is paranoid about superhumans, here is a spoof i wrote about clairvoyancy decryption of pgp messages ;-)) http://www.angelfire.com/pr/pgpf/fdca.pdf vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link 
From email at sven-radde.de Mon Feb 23 18:29:11 2009 From: email at sven-radde.de (Sven Radde) Date: Mon, 23 Feb 2009 18:29:11 +0100 Subject: How secure asymmetric encryption to yourself? In-Reply-To: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> Message-ID: <49A2DCE7.1040905@sven-radde.de> Hi! Chris Poole wrote: > How secure is it to use my own public key as the encryption method > (rather than symmetric), given that the password file is stored on the > same drive as my public and private keys? The simple answer is: It doesn't matter, both methods are equally secure (with the security determined primarily by the strength of your passphrase). The asymmetric approach could have its advantages, because I can imagine some scenarios where an attacker might obtain the encrypted data and the passphrase but would be unable to get access to the secret key file (e.g., because it is not a file but rather in a smartcard or because the private key is on offline media at the time of compromise of the data). Not having the private key leaves an attacker with the requirement to either brute-force the symmetric session key or crack the public key to obtain the secret key. Both things are supposed to be infeasible given GnuPG's algorithms/keylengths and the current state of cryptanalysis. However, there is the risk that a cryptanalytical advancement would allow easy breaking of asymmetric keys which could enable an attacker to fully bypass your passphrase by cracking the public key (thereby getting the private key and thereby decrypting the data). IMHO, this risk is negligible and if it happens anyway, people would probably have nastier things to do than cracking specifically *your* key (e.g. forging SSL certificates of banks etc)... 
On the other hand, asymmetric has one disadvantage: The private key file is something that must be stored as safely as the encrypted data. (I mean backups etc.) No matter whether you know the passphrase, if the private key file is deleted, you won't get your data back! As a sidenote: Is it possible to find out a public key just from looking at data encrypted to that public key? (Assume the key is not on a keyserver, of course.) If the public key could also be hidden from an attacker (e.g. the attacker has just the encrypted data file and the passphrase), it would leave brute-forcing of the symmetric algorithm as the only attack option... Plausible scenarios for this are more difficult to imagine, though. cu, Sven PS: IMHO there are more usable ways of managing one's passwords than storing them in a GnuPG file (although much can be accomplished by wrapping access to that file through a number of shell scripts, I assume). From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 19:15:58 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Mon, 23 Feb 2009 13:15:58 -0500 Subject: How secure asymmetric encryption to yourself? References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> Message-ID: <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> Sven Radde wrote, in part: "... there are more usable ways of managing one's passwords than storing them in a GnuPG file". I'm curious what "more usable ways" there are that Sven and others can recommend. I'm also unsure what Sven apparently means by "more usable"? (While they need to be decrypted, one would only occasionally need to decrypt them because for most of the time, until forgotten, those passwords that one uses frequently reside in one's biological memory.) 
I guess one downside of the GnuPG file is that if one loses her/his private key or forgets her/his passphrase, then the passwords in the GnuPG file will be secure forever or at least until she/he acquires her/his quantum computer in the future. regards, gerry From rjh at sixdemonbag.org Mon Feb 23 19:42:32 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Feb 2009 13:42:32 -0500 Subject: How secure asymmetric encryption to yourself? In-Reply-To: <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> Message-ID: <431F81F1-95DB-4FC7-BF12-155D9BD4197A@sixdemonbag.org> > I'm curious what "more usable ways" there are that Sven and others > can recommend. I'm fond of writing down my passwords on the back of a business card and keeping it in my wallet. For the overwhelming majority of these passwords, the site's most confidential information of mine they possess is my credit card number. But if my wallet gets stolen or goes missing, I'm going to cancel my credit cards anyway. Likewise, you can say, "but you might leave your wallet on your desk, and a co-worker could steal those passwords." Sure. They could also steal my credit card number, driver's license information, voter registration ID, or all manner of other things more important than my passwords. This takes care of >90% of all my logins, meaning I can much more easily memorize those few high-value, high-secrecy passwords. Memorizing three unique passwords is doable; memorizing thirty unique ones isn't. > I'm also unsure what Sven apparently means by "more usable"? Unlike your solution, my solution works when I'm on the road and logging on from a coffeeshop's web kiosk. I don't need to install anything. Open up my wallet, fish out the list, and there it is. The moral of this story is simple -- don't make things more complicated than you have to. 
From rjh at sixdemonbag.org Mon Feb 23 20:52:13 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Feb 2009 14:52:13 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> Message-ID: <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> > The easier it is for beginners to understand PGP/GPG technology, > the faster its adoption into general use by the public will occur. There's a discipline in computer science called human-computer interaction (HCI). I took two courses in this in grad school: not enough to make me an expert, but definitely enough to open my eyes. One of the things my instructor, Juan-Pablo Hourcade, drilled into us is that we genuinely don't know what will speed adoption of new technologies. All we know is what successful technologies look like. Imagine there's a new hotness in IT. (IT: Information Technology.) This new hotness has the potential to change the world in ways that can barely even be explained to people who don't already have the technology. Everyone you meet who has this new technology -- let's call it "flerbage" -- they've got this magical ability to /know things/. Know things they can't possibly know, that they couldn't possibly have learned. Flerbage is where it's /at/. The only problem is that flerbage is ridiculously user-unfriendly. Most people who use flerbage, this smoking-hot new thing in IT, say it took them between ten and fifteen years to really learn it. The learning curve looks like the freaking Matterhorn. Also, flerbage can't be made "easy for beginners to understand." You want flerbage, you're looking at a decade or more of serious, concentrated study. Sure, it's cool, but ... is it worth it? Would you say flerbage was a successful technology? Do you think flerbage will ever catch on? Flerbage is real, by the by. 
You're using it right now, this very instant. Scroll down and I'll tell you what it is. Literacy. Literacy is the original information technology. People who are literate have an enormous advantage over those who aren't. Wherever you look today you see signs, posters, advertisements, menus, whiteboards, warnings, labels and every other thing imaginable that's written down. Literacy gets taken for granted by almost everyone -- despite the fact that it takes most of your childhood and teenage years to get good at it. So no, I don't agree with your proposition. OpenPGP doesn't need to get easy for beginners to use. If it was that simple, we'd be there already. What needs to happen is the populace needs to understand the risks of electronic communication, and needs to become committed to doing something about it. If you can achieve that, then you will have done something great for humanity. But the world doesn't need another "easy to use GnuPG interface." You're essentially saying, "what the world needs is a really good book!" What I'm saying is, "the world first needs to learn to read." From shavital at mac.com Mon Feb 23 21:02:01 2009 From: shavital at mac.com (Charly Avital) Date: Mon, 23 Feb 2009 15:02:01 -0500 Subject: How secure asymmetric encryption to yourself? In-Reply-To: <431F81F1-95DB-4FC7-BF12-155D9BD4197A@sixdemonbag.org> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> <431F81F1-95DB-4FC7-BF12-155D9BD4197A@sixdemonbag.org> Message-ID: <49A300B9.3050508@mac.com> Robert J. Hansen wrote the following on 2/23/09 1:42 PM: [...] > Open up my wallet, fish out the list, and there it is. > > The moral of this story is simple -- don't make things more > complicated than you have to. Robert, from the bottom of my heart, thank you! 
Charly From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 21:22:34 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Mon, 23 Feb 2009 15:22:34 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> Message-ID: <0A38C3DB9164415B9EA5BAE5806D4684@zentrumvegan> Robert, yes, literacy is important, too. Your counter proposition also has validity. I point out, however, that by the time one is looking at Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) (h) help on the above choices she/he has likely already proceeded far enough along to have achieved some degree of literacy. Having reached that point, with regards to understanding PGP/GPG technology, she/he may still be a novice. Of course, had Michael W. Lucas been a bit clearer in his book, the "(h) help on the above choices" might not have been of benefit to myself. OTOH, it would nevertheless benefit many of those beginners who might not be aware of MWL's book and who might not have access to anything else written for novices. One problem is that many writers write for an audience that has already achieved domain erudition. Fortunately, for the rest of us, there are authors of "______ for Dummies", et cetera. (where ______ represents some subject of interest to the reader). So, Robert, I restate my proposition as The easier it is for informed, literate beginners to understand the need for PGP/GPG technology, and the easier it is for them to become aware of the existence of PGP/GPG technology, the faster the adoption of PGP/GPG technology into broad general use by the public will likely occur. Regards, Gerry P.S.: I finished high school in 1965 and went straight into working. In 1967, I became a programmer. 
Long before "user friendliness" was a broadly known and often abused concept, I was writing software that truly qualified as "user friendly". From shavital at mac.com Mon Feb 23 21:25:02 2009 From: shavital at mac.com (Charly Avital) Date: Mon, 23 Feb 2009 15:25:02 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> Message-ID: <49A3061E.1040206@mac.com> Robert J. Hansen wrote the following on 2/23/09 2:52 PM: [...] > What I'm saying is, "the world first needs to learn to read." As far as I am concerned, this sentence is a most gratifying conclusion to this thread. I am not suggesting to close the thread, on the contrary, keep them coming. Charly From rjh at sixdemonbag.org Mon Feb 23 21:56:56 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Feb 2009 15:56:56 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <0A38C3DB9164415B9EA5BAE5806D4684@zentrumvegan> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <0A38C3DB9164415B9EA5BAE5806D4684@zentrumvegan> Message-ID: <2314A789-57AE-4259-B476-69B8EDDC6ABF@sixdemonbag.org> > Robert, yes, literacy is important, too. Your counter proposition > also has validity. You missed the point. Refer to my last three sentences. The world doesn't need another "easy to use GnuPG interface." You're essentially saying, "what the world needs is a really good book!" What I'm saying is, "the world first needs to learn to read." With respect to claims of experience, I don't put any stock in them, really. Or, as Rodney Whitaker wrote, "do not fall into the error of the artisan who boasts of twenty years experience in his craft while in fact he has only one year of experience -- twenty times." 
As near as I can see, the principal problems are: 1. Gross ignorance 2. Fear of social disapproval With respect to #1... one of the most prestigious crypto conferences out there is called Financial Cryptography. A few years ago some enterprising grad students asked each FC attendee to fill out a very short questionnaire as part of their sign-in process. The results were astonishing: 60% of FC attendees did not know if their email client supported crypto, period -- even fewer knew if it supported OpenPGP or S/MIME. Only 50% were interested in switching to email clients with better crypto support. If only 40% of FC attendees know if their email client supports crypto, and only 50% care enough about crypto to consider changing their email clients, do you really think the general public will jump on board OpenPGP just if we create a snazzy interface with a lot of chrome? That's delusional. With respect to #2... Ed Felten has a really good sociological paper out on the intersection of computer security and the workplace. He and some of his grad students interviewed people at a politically- active nongovernmental organization (NGO) with an awful lot of enemies. Many (most) of the employees had been trained with PGP and found it reasonably easy to use. Despite that, they still didn't use it for email. Felten and his grad students wanted to find out why. It turns out that social disapproval played a very heavy role. There were a couple of people in the NGO who were privacy enthusiasts and active PGP users, and they were considered "paranoids" by the other workers in the office. Employees said things to the effect of "yeah, I know email is dangerous, but I don't want to turn into, you know, one of _those_ guys." ... the general public does not know what email crypto is, does not want to know what email crypto is, does not want to care about email crypto. They just want to send email. 
Making GnuPG "easier to use" is a fine goal and worth pursuing in its own right, but it's not going to substantially improve GnuPG's adoption in the world. Saying "the world needs a good book, that's why book sales are down!" may be a true statement, and may be worth pursuing in its own right. However, the real problem is "first we need to learn to read." "GnuPG needs a good interface, that'll improve its usage numbers!" may be a true statement, and may be worth pursuing in its own right. (In fact, I think it is.) But the real problem is that people don't know, don't want to know, and to the extent they do know they really don't care. From gerry.lowry at abilitybusinesscomputerservices.com Mon Feb 23 22:11:53 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Mon, 23 Feb 2009 16:11:53 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <0A38C3DB9164415B9EA5BAE5806D4684@zentrumvegan> <2314A789-57AE-4259-B476-69B8EDDC6ABF@sixdemonbag.org> Message-ID: <55C0947EC9454F35AC69B1FDD40C5810@zentrumvegan> Robert, excellent points. I shall return to my thinking board. Amazing that, in today's world, with events like the infamous 9/11, identity theft, debit and credit card fraud, a plethora of Bernard Madoffs making Carlo Ponzi sit up in his grave and take notice, and jobs going down the toilet daily, it surprises me that there is so little paranoia. I'm willing to share my paranoia. I've got enough for everybody. Perhaps it can be made into a vaccine. B-) I appreciate your always interesting, knowledgeable, and thoughtful ideas. 
Regards, Gerry From dshaw at jabberwocky.com Mon Feb 23 22:19:53 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 23 Feb 2009 16:19:53 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> Message-ID: <20090223211952.GA2973@jabberwocky.com> On Mon, Feb 23, 2009 at 11:55:51AM -0500, gerry_lowry (alliston ontario canada) wrote: > The easier it is for beginners to understand PGP/GPG technology, > the faster its adoption into general use by the public will occur. > > Suggestion: add help as an option to > gpg --gen-key > and gpg --edit-key [ ID ] addkey > > Example: > > Please select what kind of key you want: > (1) DSA and Elgamal (default) > (2) DSA (sign only) > (5) RSA (sign only) > (h) help on the above choices While I more or less agree with Robert, and would note that the GPG built-in help is more intended as a reminder for those who already have some understanding of the concepts (you're not going to learn to code in C from the man pages), try typing a '?' here. David From rjh at sixdemonbag.org Mon Feb 23 22:24:51 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Feb 2009 16:24:51 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <62B4A5C197A640C2867C1C88DB83B9B3@zentrumvegan> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <62B4A5C197A640C2867C1C88DB83B9B3@zentrumvegan> Message-ID: <9D3CA1D9-E4CD-47F9-9D38-8E230C5DA550@sixdemonbag.org> Required reading: Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E., and Miller, R. C. 2005. How to make secure email easier to use. In _Proceedings of the SIGCHI Conference on Human Factors in Computing Systems_ (Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. 
DOI= http://doi.acm.org/10.1145/1054972.1055069 Some results from this paper were presented at FC2005, but it is not the survey I mentioned in my previous message. That said, the results are substantially similar. The following is excerpted from the paper. If possible, though, I highly recommend you read the entire paper; it's an excellent overview of why secure email has failed to take off. Our survey consisted of 40 questions on 5 web pages. Respondents were recruited through a set of notices placed by Amazon's employees in the Amazon Seller's Forum. Participation was voluntary and all respondents were anonymous. ... A total of 1083 respondents [participated], with 417 of those respondents completing all five pages. ... Average age of our respondents was 41.5. Respondents were highly educated, with more than half claiming an advanced or college degree. Most described themselves as "very sophisticated" (18.0%) or "comfortable" (63.7%) using computers and the Internet. Roughly half the correspondents had obtained their first email account in the 1990s. The majority of respondents (94.4%) used computers running Microsoft Windows for email. The two other leading platforms were Apple Macintosh (8.5%) and some kind of mobile computing device such as a cell phone (5.8%). ... A majority (54%) of respondents understood the difference between digital signatures and sealing with encryption; that prior receipt of digitally signed mail significantly increased understanding of that difference; and that having previously received digitally signed email from Amazon increased respondents' overall trust in email. ... The majority (59%) didn't know [if their email client supported encryption], while another 9% chose the answer, "what's encryption?" ... Respondents with S/MIME-capable mail readers were more than twice as likely to know that their programs were capable of encryption, and half as likely to select the answer "What's encryption?" 
Nevertheless, the majority of [S/MIME-enabled] correspondents (54%) did not know the cryptographic capabilities of the software they were using. Almost half of our respondents (44.9%) indicated that they would be willing to upgrade their client in order to "get more protection" for their email... ... Although roughly half of our respondents indicated that they didn't use cryptography because they didn't know how, the free- response answers from the more knowledgeable respondents indicated that they either didn't think that encryption was necessary or else that the effort, if made, would be wasted. * "I don't because I don't care." * "I doubt any of my usual recipients would understand the significance of the signature." * "Never had the need to send these kinds of emails." * "I don't think it's necessary to encrypt my email & frankly it's just another step & something else I don't have time for!" From email at sven-radde.de Mon Feb 23 23:14:08 2009 From: email at sven-radde.de (Sven Radde) Date: Mon, 23 Feb 2009 23:14:08 +0100 Subject: How secure asymmetric encryption to yourself? In-Reply-To: <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> Message-ID: <49A31FB0.9050401@sven-radde.de> Hi! gerry_lowry (alliston ontario canada) wrote: > Sven Radde wrote, in part: > > "... there are more usable ways of managing one's passwords > than storing them in a GnuPG file". > > I'm curious what "more usable ways" there are that Sven and others > can recommend. /First of all, @Listowner: Let me know if this should be taken off-list because it's too OT.../ I mean tools like Keepass/KeepassX, PasswordSafe, or similar (even the Firefox password manager can encrypt stored passwords with 3DES and a master password). I also mean a Truecrypt volume or loopback container for storing the password file. 
For Linux, encfs or ecryptfs come to mind, too. The reasons are as follows: With GnuPG, you have encrypted one file. To be secure, you must now delete the original copy, which is not easy in itself, although recent research [1] seems to show that a single overwrite is sufficient for secure wiping. Didn't we have a discussion about secure deletion not too long ago? Now, to access your encrypted passwords, you need to decrypt the file, resulting in an unencrypted version of it on your drive. When you are done, you have to securely delete it again. If you have modified the file, you have to remember to encrypt it between having saved the changes and deleting it. Of course, you can set the thing up in a way that the unencrypted file is written to a RAM-only disk, but keep hibernation and swapfile issues in mind. You can also have GnuPG output the data to the console only, if you just have to read a password (I have no idea if there are possibilities that console output find its way into logfiles or similar, though). Depending on the size of your password file, you have quite a number of lines written to the console where you have to find the password that you need for the moment. If you'd format the file like: purpose1 -> password1 purpose2 -> password2 you could do something like "gpg passwords.gpg | grep purpose2" to find the password you need. As mentioned, some shellscripts could automate the process (create a ramfs mountpoint, decrypt the password file to there, grep it to find a desired password, or launch a text editor, re-encrypt the file after the editor closes, unmount the ramfs). KeepassX, e.g., supports organizing your password file into groups, adding metadata such as URLs to the passwords, comfortable hotkeys, integrated random password generator, password entropy estimation etc. 
The main difference, though is the transparent way to access your passwords (this is also true for Truecrypt and the other mentioned encrypting filesystems): Enter the master-password, work with the password file(s), lock the storage again. Done. No unencrypted copy on disk, ever (apart from the abovementioned swapfile and hibernation). Given these tools I also disagree with the notion that "frequently used passwords reside in one's memory" (although I remember quite some passwords, myself). Password-reuse is one of the greatest problems with passwords (and, btw, becomes quite infeasible once you have to deal with varying complexity-policies, different expiration-intervals etc) and passwords you have to remember tend, in general, to be weaker than those that you don't have to remember. With Keepass, you can have a different 20-character pseudo-random password for every stupid web forum (not to mention the more important things). It just doesn't matter whether your password is "123" or "las2ieu7hxalm5iuemalie" if it's just pressing "Ctrl-Shift-A" to auto-type username and password into the login form. I do not mean to endorse specific pieces of software here, nor do I mean to belittle GnuPG. But I think you need the right tool for right task. And GnuPG IMHO has its strengths not in providing protection to frequently accessed (and modified) files. If you need to archive a backup copy of your passwords on a remote server, that's a wholly different issue, though. GnuPG will do an excellent job there and digital signatures are even a bonus. cu, Sven [1] http://www.springerlink.com/content/408263ql11460147/ -- unfortunately only the abstract is free for general access From lists at michel-messerschmidt.de Mon Feb 23 23:24:46 2009 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Mon, 23 Feb 2009 23:24:46 +0100 Subject: How secure asymmetric encryption to yourself? 
In-Reply-To: <431F81F1-95DB-4FC7-BF12-155D9BD4197A@sixdemonbag.org> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> <431F81F1-95DB-4FC7-BF12-155D9BD4197A@sixdemonbag.org> Message-ID: <20090223222445.GB9703@koshi.matrix> On Mon, Feb 23, 2009 at 01:42:32PM -0500, Robert J. Hansen wrote: > Open up my wallet, fish out the list, and there it is. Although I think this is one of the most secure but usable places, what if a real life phisher gets your wallet? No problem to cancel credit cards. But are you able to reset all those login passwords? Probably by using answers that either anybody knows or that you can't remember? Will you even remember all your logins? Before they are abused? > The moral of this story is simple -- don't make things more complicated > than you have to. But don't forget the backup. From rjh at sixdemonbag.org Mon Feb 23 23:25:14 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 23 Feb 2009 17:25:14 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <9D3CA1D9-E4CD-47F9-9D38-8E230C5DA550@sixdemonbag.org> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <62B4A5C197A640C2867C1C88DB83B9B3@zentrumvegan> <9D3CA1D9-E4CD-47F9-9D38-8E230C5DA550@sixdemonbag.org> Message-ID: <49A3224A.7060803@sixdemonbag.org> Robert J. Hansen wrote: > Required reading: And let's add to that: Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006. Secrecy, flagging, and paranoia: adoption criteria in encrypted email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. 
Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. DOI= http://doi.acm.org/10.1145/1124772.1124862 Again, read the entire thing. Email crypto is seen as the mark of a fearful or paranoid mind. The excerpt here should give you an idea of the paper, and will hopefully inspire you to read it for yourself. Abe worked in development. ... Because he handled financial data, Abe used encryption frequently, particularly when he received records from online donations ("I tend to try and be sure I PGP everything that has a credit card number on it"). He also communicated with an external vendor for recruitment. They used encryption to protect financial data when they synchronized their copies. Abe believed this setup was simple; he also thought some people ... needed to be more vigilant. He described how he tried to convince the head of campaigns in his home country to use encryption: "Why? Because it was just good. If the ... police ever come and bust into the office, you shouldn't have a document saying, 'hey, I'm discussing how I'm going to campaign against [a controversial issue].' It's not the kind of information you want them to have." Despite his reasoned argument, his colleagues were uncooperative: "most people see this as more work and want things simpler." ... Many of the employees interviewed ... had limits to their willingness to be more secure. In fact, moving beyond that limit was seen as abnormal or paranoid. ... Abe explained how someone could "go overboard" when he described how a representative of the PGP Corporation visited [the NGO]. Instead of a typical password authentication, the representative took off his necklace and used a removable flash drive that held his private key. The demonstration discouraged Abe: "It was too over-the-top and definitely too complicated. It was like a movie. ... Yeah, I admire him because he comes in and puts his passphrase every single day, three times a day, so that's very dedicated to his stuff. 
He must either be very scared or very motivated." He was not sure whether this vigilance was justified. In fact, he associated it with being fearful, perhaps irrationally fearful. Abe reiterated this when asked to speculate on why a colleague sent every e-mail message encrypted. He figured this man has an automated system for encrypting e-mail "or else he's nuts." ... [big snip here, switching to a different employee, 'Jenny', who has used PGP in the past and understands its use in contexts where secrecy is essential:] ... Jenny also thought it was abnormal to encrypt non-secret information. When the interviewer abstractly explained that people in security suggest all users encrypt all messages, Jenny was baffled: "So you're saying that ... people should just -- even _normal_ people? That ... you're sending email to ... your mom, like, 'hey, things are going [pause]'? That you should encrypt your e-mail. That people should do all that." Jenny emphasizes "normal people." _Normal_ people wouldn't encrypt normal messages. From dshaw at jabberwocky.com Mon Feb 23 23:43:41 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 23 Feb 2009 17:43:41 -0500 Subject: How secure asymmetric encryption to yourself? In-Reply-To: <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> <571DBDF810764C7793C27E2DFCBE2572@zentrumvegan> Message-ID: <20090223224341.GB2973@jabberwocky.com> On Mon, Feb 23, 2009 at 01:15:58PM -0500, gerry_lowry (alliston ontario canada) wrote: > Sven Radde wrote, in part: > > "... there are more usable ways of managing one's passwords > than storing them in a GnuPG file". > > I'm curious what "more usable ways" there are that Sven and others > can recommend. 
If you're already carrying around a PDA or smartphone, try: http://linkesoft.com/secret/palm.html http://agilewebsolutions.com/products/iphone (etc - there are at least half a dozen others depending on what PDA or smartphone you have) These are more usable as you always (as per the first statement) have your PDA/smartphone with you, so you don't need access to any other hardware or software to get your passwords. They're searchable, and can be backed up. It's a reasonable question, of course, how secure these are. Obviously their authors claim they are very secure. Neither publish source, but the 1Password people have a design document which (assuming they followed it) shows them avoiding a lot of the common mistakes people make when implementing this sort of thing (notably, they were smart enough to not write their own crypto). In practice, for me, it doesn't matter all that much. Certainly they are at least secure against casual snooping, which is all I need them for. David From tmz at pobox.com Tue Feb 24 05:01:20 2009 From: tmz at pobox.com (Todd Zullinger) Date: Mon, 23 Feb 2009 23:01:20 -0500 Subject: How to use the Apple Product Security PGP Key + Protecting Security Information ~~ F.Y.I. In-Reply-To: <8F537BB6A11A44B38F6FA79EC8E2A1A5@zentrumvegan> References: <8F537BB6A11A44B38F6FA79EC8E2A1A5@zentrumvegan> Message-ID: <20090224040120.GE4505@inocybe.teonanacatl.org> gerry_lowry (alliston ontario canada) wrote: > The Internet took off when Microsoft, for better or worse, included > and promoted Internet Explorer in Windows 95, thus beginning the so > called browser wars. That's quite arguable. Why do you assume that MS introducing IE *cause* the internet to take off instead of being their (delayed) reaction to the internet taking off without them? :) > I would be surprised and also happy to see Microsoft promote PGP/GPG > technology. I do not actually expect that to happen. 
If it did, it > would be good if Microsoft could stimulate PGP/GPG technology with > more user friendliness since at the moment there's much to learn to > understand and begin using PGP/GPG technology. Not that I care whether MS uses, promotes, or maligns PGP/GnuPG, but: https://www.microsoft.com/technet/security/bulletin/pgp.mspx (Personally, I find that MS using PGP to sign their security notices amusing. That must be the most secure thing about their OS. :-) -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Truth is like a well-known whore. Everybody knows her but it's embarrassing to meet her in the street. -- Wolfgang Borchert -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 542 bytes Desc: not available URL: From felipe.alvarez at gmail.com Tue Feb 24 04:47:17 2009 From: felipe.alvarez at gmail.com (Felipe Alvarez) Date: Tue, 24 Feb 2009 13:47:17 +1000 Subject: encrypt and detached signature Message-ID: opensuse 11.0 and 11.1 gpg2 -r -be Creates a detached signature file, but does not encrypt the . I could do it in two steps (gpg2 -e ; gpg2 -b ) but can it be done in one? Felipe -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dougb at dougbarton.us Tue Feb 24 07:24:56 2009 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 23 Feb 2009 22:24:56 -0800 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <9D3CA1D9-E4CD-47F9-9D38-8E230C5DA550@sixdemonbag.org> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <62B4A5C197A640C2867C1C88DB83B9B3@zentrumvegan> <9D3CA1D9-E4CD-47F9-9D38-8E230C5DA550@sixdemonbag.org> Message-ID: <49A392B8.4040808@dougbarton.us> While in general I agree with what you've said in this thread Robert, I do want to present one small ray of hope. At my last job we dealt with a great deal of "sensitive" information (usually time sensitive, i.e., it would be released eventually but needed to be "just right" first) and being the dreaded "technologist in a managerial role" I strongly advocated the use of PGP in preference to other methods of "secure" communication for the obvious reasons (availability, cost, etc.). Once the IT department signed off, I actually started sitting with my colleagues and walking them through the process of generating keys, integrating with Outlook, etc. Then the fun part, I started sending people encrypted stuff. This often required another round of walking people through the process, but eventually it became sort of accepted, and generally (although sometimes grudgingly) acknowledged as a Good Idea. When I got my first unsolicited encrypted item in the mail, I knew that progress was being made. :) It's probably worth noting that this was a technology-friendly workplace, and before I arrived there was already a culture of acceptance for things like encrypted chat, etc. But my point is, it's not all bad news "out there." hope this helps, Doug From chris at chrispoole.com Tue Feb 24 11:28:44 2009 From: chris at chrispoole.com (Chris Poole) Date: Tue, 24 Feb 2009 10:28:44 +0000 Subject: How secure asymmetric encryption to yourself? 
In-Reply-To: <49A2DCE7.1040905@sven-radde.de> References: <2D6C3A31-65A8-4F33-A1B2-C26DA7E9DC5B@chrispoole.com> <49A2DCE7.1040905@sven-radde.de> Message-ID: <466E8A10-FA98-44FD-8C0F-53DB9748000B@chrispoole.com> Thanks for the reply. I now feel a little safer doing what I'm doing :) > PS: IMHO there are more usable ways of managing one's passwords than > storing them in a GnuPG file (although much can be accomplished by > wrapping access to that file through a number of shell scripts, I > assume). Yes, I wrote some quick scripts to move the encrypted file to a tmpfs area (i.e., stored in RAM), then unencrypted. So the actual passwords should be in RAM only, not on disk. I then remove with secure rm, just in case. I have looked for free software password managers (that are ideally cross platform as I use Mac OS X as well as Linux), but can't find one that is used enough for me to think it safe. Some of them just get in my way too; I store my passwords as a CSV file, so it's easy to import to a new password manager too if I want to try something new. From ian at ushills.co.uk Tue Feb 24 13:02:10 2009 From: ian at ushills.co.uk (ian at ushills.co.uk) Date: Tue, 24 Feb 2009 04:02:10 -0800 (PST) Subject: How secure asymmetric encryption to yourself? Message-ID: <21119514.1801.1235476935461.JavaMail.seven@ap0.trial.red.7sys.net> Consider keepassx from www.keepassx.org, it is cross platform mac, win and linux and opensource. Fully compatible with www.keepass.info I have used it for a few years and it is also available on WM5 and as a portable app for use when out and about. From chris at chrispoole.com Tue Feb 24 13:21:57 2009 From: chris at chrispoole.com (Chris Poole) Date: Tue, 24 Feb 2009 12:21:57 +0000 Subject: How secure asymmetric encryption to yourself? 
In-Reply-To: <21119514.1801.1235476935461.JavaMail.seven@ap0.trial.red.7sys.net> References: <21119514.1801.1235476935461.JavaMail.seven@ap0.trial.red.7sys.net> Message-ID: <583A4D69-973D-48E7-A454-849D9C6FA673@chrispoole.com> > Consider keepassx Yes I have used this before; I may give it another go. Thanks. From mwood at IUPUI.Edu Tue Feb 24 16:55:31 2009 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Tue, 24 Feb 2009 10:55:31 -0500 Subject: "Please select what kind of key you want" ~~ suggestion to developers In-Reply-To: <49A3061E.1040206@mac.com> References: <9AE8F60A1D1049A1B84AFDC91C7C4F86@zentrumvegan> <7BD21481-01BC-4B03-B5FF-564535AEA1FC@sixdemonbag.org> <49A3061E.1040206@mac.com> Message-ID: <20090224155531.GC21102@IUPUI.Edu> On Mon, Feb 23, 2009 at 03:25:02PM -0500, Charly Avital wrote: > Robert J. Hansen wrote the following on 2/23/09 2:52 PM: > [...] > > > > What I'm saying is, "the world first needs to learn to read." > > > As far as I am concerned, this sentence is a most gratifying conclusion > to this thread. Well, I would suggest that it goes deeper than that. The world first needs to learn to *want* literacy. There is no demand for a thing, no matter its excellence, until people see why they ought to want it. We're at a disadvantage here, compared to the benefits of reading, because successful use of crypto usually goes unnoticed. The most one can hope for is that an attacker will have more persistence than sense, and become intrusive enough to be detected by the wary before he succeeds. The smart ones will either succeed quickly and quietly, or walk away. *Are* there any success stories more compelling than, "no compromises that we know of so far"? -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Friends don't let friends publish revisable-form documents. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From faramir.cl at gmail.com Wed Feb 25 07:03:35 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 25 Feb 2009 03:03:35 -0300 Subject: multiple e-mail addresses: what are the solutions? In-Reply-To: <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan> References: <49A0AE41.8020304@Mozilla-Enigmail.org> <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan> Message-ID: <49A4DF37.3060904@gmail.com> gerry_lowry (alliston ontario canada) wrote: ... > My question: if I go with separate keys, as in > > e-mail_address_1 public_key_1 private_key_1 > > e-mail_address_2 public_key_2 private_key_2 > > e-mail_address_3 public_key_3 private_key_3 > > then, is it permissible to have > all of my public keys together on the same pubring.gpg file and > all of my private keys together on the same secring.gpg file? Yes, it's very possible, and each private key can have its own different passphrase. GnuPG knows what key to use to decrypt each message. ... > Also, if it is possible, what are the advantages and the disadvantages? Well, the advantage is you can decrypt all the messages encrypted to your different keys without having to switch from one keyring to another. The disadvantage is if your hdd crashes, all your keys crash together. Of course, the idea is to have a backup. I started making 1 different key pair for each one of my email accounts. But at some point, I added more UIDs, so currently 2 of my email accounts can use either 1 key or another one. The remaining email addresses are still "isolated". And I keep all those keys in the same keyrings, and I manage all the email accounts from the same email client (Mozilla Thunderbird). My TB is configured to use 1 key when composing messages from 1 email account, and other key for the other account, and so on. 
Best Regards From faramir.cl at gmail.com Wed Feb 25 07:53:53 2009 From: faramir.cl at gmail.com (Faramir) Date: Wed, 25 Feb 2009 03:53:53 -0300 Subject: multiple e-mail addresses: what are the solutions? In-Reply-To: <49A24640.3030402@dougbarton.us> References: <49A0AE41.8020304@Mozilla-Enigmail.org> <75E2BA3E13D24BC8A1507D9AFE698CA1@zentrumvegan> <49A24640.3030402@dougbarton.us> Message-ID: <49A4EB01.9000206@gmail.com> Doug Barton wrote: ... > comfortable signing one key, but not the other. The other advantage > (now that I've left that employer) is that when attending key signing > parties now I don't have to worry about asking people to sign a key > with e-mail addresses I no longer have access to. You can solve that problem by adding a freeform UID to the key (an UID with your name on it, but without any email address). If people sign it, you can revoke the UIDs bound to email addresses, and add new UIDs for new email addresses, without losing the old signatures (as long as you don't revoke the freeform UID). But sometimes people will refuse to sign an UID without an email address. Anyway, most of the time, people won't even know they can choose what UIDs to sign... 
Best Regards From p at sabuleti.net Thu Feb 26 12:24:13 2009 From: p at sabuleti.net (peter) Date: Thu, 26 Feb 2009 11:24:13 +0000 Subject: future proof file encryption Message-ID: <49A67BDD.90107@sabuleti.net> Hi, I back-up my photos to remote storage. At the moment I don't encrypt them - I don't understand encryption and I'm nervous of using something I don't understand. They're just family snaps, but I'd prefer they stayed private. Symmetric encryption seems a good route - all I have to remember is a single password (the only risk seems to be senility). However, who knows what OS or tools I'll be using in the future? I ran a few tests encrypting and decrypting using the same algorithm/password but different tools (gpg, openssl, mcrypt). They were unsuccessful. My question is do I always have to use the same tool to decrypt as I used to encrypt? Are the file formats tool specific? Is the way the tool derives a key from the "key" I input variable? Probably there are other issues I'm unaware of. I'd feel more comfortable knowing that recovery of my data wasn't dependent on the availability of a specific tool (or even worse a specific version of a tool). 
Hope this is clear, Thanks From sk at intertivity.com Thu Feb 26 13:54:44 2009 From: sk at intertivity.com (Sascha Kiefer) Date: Thu, 26 Feb 2009 16:54:44 +0400 Subject: future proof file encryption In-Reply-To: <49A67BDD.90107@sabuleti.net> References: <49A67BDD.90107@sabuleti.net> Message-ID: <009201c99811$67580ee0$36082ca0$@com> Hi peter, I'm not aware of all file formats but you should stick with PKCS#12 format for symmetric encryption. It's an open standard, so I'm sure openssl and windows encryption can handle it. GnuPG uses OpenPGP file formats. Cheers, Sascha 
From gerry.lowry at abilitybusinesscomputerservices.com Thu Feb 26 15:04:34 2009 From: gerry.lowry at abilitybusinesscomputerservices.com (gerry_lowry (alliston ontario canada)) Date: Thu, 26 Feb 2009 09:04:34 -0500 Subject: future proof file encryption References: <49A67BDD.90107@sabuleti.net> Message-ID: <22682AA7189340E4ABB3C465AD8F2FD4@zentrumvegan> Encryption is unnecessary with this low tech solution: burn them to DVDs, make at least two copies, put one copy in a safe deposit box at your bank. Perhaps give the other in a do not open envelope to your lawyer or someone that you can trust 100%. This is still a problem because who knows if DVDs will be available in the future. Solution to changing technology is to remember to recreate your backup in the new technologies of the future during the brief transition periods while both technologies still exist. Regards, Gerry (Lowry) From wk at gnupg.org Thu Feb 26 15:34:51 2009 From: wk at gnupg.org (Werner Koch) Date: Thu, 26 Feb 2009 15:34:51 +0100 Subject: future proof file encryption In-Reply-To: <009201c99811$67580ee0$36082ca0$@com> (Sascha Kiefer's message of "Thu, 26 Feb 2009 16:54:44 +0400") References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> Message-ID: <8763ixl110.fsf@wheatstone.g10code.de> On Thu, 26 Feb 2009 13:54, sk at intertivity.com said: > i'm not aware of all file formats but you should stick with PKCS#12 format > for symmetric encryption. > It's an open standard, so I'm sure openssl and windows encryption can handle Well kind of. PKCS#12 is likely the most ugly encryption standard ever written (or actually not written as it used to be an ad-hoc format). Better stick with OpenPGP which dates back to the ~18 years old PGP2. 
There are several OpenPGP implementations available and if you use GnuPG you can always copy the sources onto the backup medium as well. GnuPG 1.4 is highly portable and it is more likely that you won't be able to read your backup medium in 10 or 20 years than you won't be able to build GnuPG then. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From mwood at IUPUI.Edu Thu Feb 26 17:32:51 2009 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Thu, 26 Feb 2009 11:32:51 -0500 Subject: future proof file encryption In-Reply-To: <8763ixl110.fsf@wheatstone.g10code.de> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> Message-ID: <20090226163251.GD29319@IUPUI.Edu> Staggering off-topic a bit, this also points out that, for a variety of reasons, if you want to store data for the long term, you need to establish a periodic review of every single item in your archive. You need to be aware of obsolescent medium types and file formats and suchlike, and recode at-risk items using then-current best practice. You need to be aware of media volumes that are degrading, and copy at-risk items to fresh volumes before they become unrecoverable. You should copy older volumes from time to time anyway, at intervals appropriate to the medium, to evade trouble before it starts. This is a good opportunity to switch to a newer medium if there is one you like. You also need to archive things you might need to recover your items. File format documentation, useful software, and the like. If you do all that, your archive should be usable in toto for hundreds of years, which is probably longer than you need. Much of it can be automated, requiring your attention only briefly. Or you can stash it all in an old shoebox, like the rest of us do. :-/ -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Friends don't let friends publish revisable-form documents. 
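The question running through this thread is whether the passphrase-to-key step and the file format are tool specific. As an added example (not code from any poster or from GnuPG), this Python sketch reads the Symmetric-Key Encrypted Session Key packet that RFC 4880 puts at the front of a passphrase-encrypted OpenPGP file and repeats its string-to-key derivation; the sample packet bytes, passphrase and function names are constructed for illustration.

```python
import hashlib

# Algorithm IDs from RFC 4880 sections 9.2 and 9.4 (subset): id -> (name, key bytes)
CIPHERS = {2: ("3DES", 24), 3: ("CAST5", 16), 7: ("AES128", 16),
           8: ("AES192", 24), 9: ("AES256", 32)}
HASHES = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

# Constructed sample packet: old-format header for tag 3, 13-byte body,
# version 4, CAST5, iterated+salted S2K, SHA-1, salt 01..08, coded count 0x60.
SAMPLE_SKESK = bytes.fromhex("8c0d" "04030302" "0102030405060708" "60")


def decode_count(c):
    """Expand the one-octet coded count of an iterated S2K (RFC 4880 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def read_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet at the start of data."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = data[0]
    if first & 0x40:                      # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length is not valid for this packet")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length is not handled here")
    n = 1 << length_type
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")


def parse_skesk(data):
    """Extract the parameters any OpenPGP tool needs to rebuild the key."""
    tag, off, length = read_packet_header(data)
    body = data[off:off + length]
    if tag != 3 or len(body) < 4 or len(body) < length:
        raise ValueError("not a complete symmetric-key ESK packet")
    version, cipher_id, s2k_type, hash_id = body[:4]
    if version != 4 or cipher_id not in CIPHERS or hash_id not in HASHES:
        raise ValueError("unsupported version or algorithm id")
    salt, count, pos = b"", 0, 4
    if s2k_type in (1, 3):                # salted, or iterated and salted
        salt, pos = body[4:12], 12
        if len(salt) != 8:
            raise ValueError("truncated salt")
    elif s2k_type != 0:
        raise ValueError("unknown S2K type")
    if s2k_type == 3:
        if len(body) < 13:
            raise ValueError("missing iteration count")
        count, pos = decode_count(body[12]), 13
    name, key_len = CIPHERS[cipher_id]
    # With no trailing bytes, the S2K output is itself the session key.
    return {"cipher": name, "key_len": key_len, "s2k_type": s2k_type,
            "hash": HASHES[hash_id], "salt": salt, "count": count,
            "session_key_encrypted": pos < len(body)}


def derive_key(passphrase, params):
    """String-to-key per RFC 4880 3.7.1: hash salt+passphrase repeatedly."""
    data = params["salt"] + passphrase
    total = max(params["count"], len(data)) if params["s2k_type"] == 3 else len(data)
    full, rest = divmod(total, len(data)) if data else (0, 0)
    key, context = b"", 0
    while len(key) < params["key_len"]:
        h = hashlib.new(params["hash"])
        h.update(b"\x00" * context)       # later contexts are preloaded with zeros
        for _ in range(full):
            h.update(data)
        h.update(data[:rest])
        key += h.digest()
        context += 1
    return key[:params["key_len"]]


if __name__ == "__main__":
    info = parse_skesk(SAMPLE_SKESK)
    print(info)
    print(derive_key(b"correct horse", info).hex())
```

Because cipher, hash, salt and count travel inside the file, a different OpenPGP implementation can repeat the same derivation from the passphrase alone.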
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From p at sabuleti.net Fri Feb 27 12:04:00 2009 From: p at sabuleti.net (peter) Date: Fri, 27 Feb 2009 11:04:00 +0000 Subject: future proof file encryption In-Reply-To: <20090226163251.GD29319@IUPUI.Edu> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> Message-ID: <49A7C8A0.5070300@sabuleti.net> Thanks for all your responses - and the speed of them. The shoe box works fine for my pre-digital snaps - not so good for the post digital ones! Currently, I dump my camera into my computer, sort out the interesting images, archive them and dump the archive into Amazon's S3. Then I feel safe from my own stupidity, hardware failures or whatever - I can always get back to the image as it came out of the camera. I'm going to add encryption using GPG to the mix. I don't expect to fully understand cryptography - but I should have an "operational" understanding. I feel a bit closer to that. Is it true to say then, that if you wanted someone to be able to decrypt a (symmetrically encrypted) file, they'd need to know the algorithm used, the key and they'd also have to use the same program to decrypt as used to encrypt the file? Thanks again Mark H. Wood wrote: > Staggering off-topic a bit, this also points out that, for a variety > of reasons, if you want to store data for the long term, you need to > establish a periodic review of every single item in your archive. > > You need to be aware of obsolescent medium types and file formats and > suchlike, and recode at-risk items using then-current best practice. > > You need to be aware of media volumes that are degrading, and copy > at-risk items to fresh volumes before they become unrecoverable. 
You > should copy older volumes from time to time anyway, at intervals > appropriate to the medium, to evade trouble before it starts. This is > a good opportunity to switch to a newer medium if there is one you like. > > You also need to archive things you might need to recover your items. > File format documentation, useful software, and the like. > > If you do all that, your archive should be usable in toto for hundreds > of years, which is probably longer than you need. Much of it can be > automated, requiring your attention only briefly. > > Or you can stash it all in an old shoebox, like the rest of us do. :-/ > > From mo at g10code.com Fri Feb 27 12:35:16 2009 From: mo at g10code.com (Moritz Schulte) Date: 27 Feb 2009 12:35:16 +0100 Subject: future proof file encryption In-Reply-To: <49A7C8A0.5070300@sabuleti.net> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> Message-ID: <49A7CFF4.2050001@g10code.com> > Is it true to say then, > that if you wanted someone to be able to decrypt a > (symmetrically encrypted) file, they'd need to know the algorithm used, > the key and they'd also have to use the same program to decrypt as used > to encrypt the file? Not quite. In general: you shouldn't base the security on the secrecy of the methods used (algorithm, implementation, ...). Besides, when using a program which implements a documented standard, it doesn't matter what actual implementation of the standard you (or the attacker) use(s). The security should depend on the secrecy of your key. mo -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From rjh at sixdemonbag.org Fri Feb 27 13:53:18 2009 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Fri, 27 Feb 2009 07:53:18 -0500 Subject: future proof file encryption In-Reply-To: <49A7C8A0.5070300@sabuleti.net> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> Message-ID: <49A7E23E.8040507@sixdemonbag.org> peter wrote: > Is it true to say then, that if you wanted someone to be able to > decrypt a (symmetrically encrypted) file, they'd need to know the > algorithm used, the key and they'd also have to use the same program > to decrypt as used to encrypt the file? Let's not use words like "algorithm" and "program", since they have fairly precise technical meanings and I don't think you want to get bogged down in jargon. You need to know the key, and you need a decrypter that's compatible with whatever you used to encrypt. GnuPG conforms to the OpenPGP standard for cryptography. That means there are ... what ... 14 or so compatible implementations. You don't have to rely on GnuPG; there are a lot of other options out there. This is very good for purposes of long-term storage. From email at sven-radde.de Fri Feb 27 14:55:39 2009 From: email at sven-radde.de (Sven Radde) Date: Fri, 27 Feb 2009 14:55:39 +0100 Subject: future proof file encryption In-Reply-To: <49A7E23E.8040507@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> Message-ID: <49A7F0DB.9030300@sven-radde.de> Hi! Robert J. Hansen wrote: > GnuPG conforms to the OpenPGP standard for cryptography. That means > there are ... what ... 14 or so compatible implementations. You don't > have to rely on GnuPG; there are a lot of other options out there. This > is very good for purposes of long-term storage. 
It is probably one of the best choices for the purpose, however, in general, long-term archival and encryption don't go together nicely. Neither does compression or similar. Many algorithms or encryption modes are rather 'sensitive' to single bit-errors, lost bits and the like. Imagine the session-key part of an OpenPGP message be destroyed. Commonly, this will be far less than 1% of the actual data, but even with 99% intact, you won't have a chance of recovering *anything* from it. When using encrypted backups, 100% data integrity plays a much greater role than when just storing unencrypted data. With a directory full of .bmp files, you have a fair chance not to notice a bit flip at all or you might notice a single out-of-color pixel. With a directory of .jpgs, you might notice a corrupted 8x8 pixels block or, worst case, have one unusable image. With a single images.zip.gpg file, a bit flip may mean that the whole archive is unreadable (which is the worst case... no idea what an average case might look like). cu, Sven From vedaal at hush.com Fri Feb 27 16:06:35 2009 From: vedaal at hush.com (vedaal at hush.com) Date: Fri, 27 Feb 2009 10:06:35 -0500 Subject: future proof file encryption Message-ID: <20090227150635.EF35F28042@smtp.hushmail.com> Sven Radde email at sven-radde.de wrote on Fri Feb 27 14:55:39 CET 2009 : >When using encrypted backups, 100% data integrity plays a much greater >role than when just storing unencrypted data. 
for really long term encryption, would guess that it is more likely that there would be a problem with the durability of the storage medium, than with the availability of gnupg and the platforms and hardware to run it ;-) fwiw, my $0.02 suggestion : [1] armor encrypt the files so that it can be published in text form [2] hash the final encrypted .asc text with 2 (or as many more as you wish) different hash algorithms, and append the hashes, also in text form, to the end of the encrypted .asc text [3] put the whole thing on microfilm (don't know which specific type of microfilm. but this can be researched by finding out which ones are most preferred by libraries, museums, govt. archivals, etc.) [4] retrieve it from the microfilm and check that the hashes verify and that the file decrypts [5] (weakest point of this scheme ;-) ) make sure your really secure passphrase is somehow remembered in the future when it is time to decrypt ... ;-)) vedaal any ads or links below this message are added by hushmail without my endorsement or awareness of the nature of the link From rjh at sixdemonbag.org Fri Feb 27 16:24:32 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 27 Feb 2009 10:24:32 -0500 Subject: future proof file encryption In-Reply-To: <49A7F0DB.9030300@sven-radde.de> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> Message-ID: <49A805B0.5060407@sixdemonbag.org> Sven Radde wrote: > Imagine the session-key part of an OpenPGP message be destroyed. 
> Commonly, this will be far less than 1% of the actual data, but even > with 99% intact, you won't have a chance of recovering *anything* from it. Err. What? With a 256-bit cipher, if you're missing 3 bits, there are only eight possible keys. This is not an obstacle. > With a single images.zip.gpg file, a bit flip may mean that the whole > archive is unreadable (which is the worst case... no idea what an > average case might look like). The moral of the story is not to avoid encrypting your backups, but to keep multiple copies of your backed-up data. From hxzeng at gmail.com Tue Feb 24 08:33:02 2009 From: hxzeng at gmail.com (hxzeng) Date: Mon, 23 Feb 2009 23:33:02 -0800 (PST) Subject: Error on gpg encription using perl cgi Message-ID: <22177190.post@talk.nabble.com> Dear all, I would like to write a cgi using perl to encrypt some text files in Windows, the following is my program test.cgi. in the $cmd, Henry is a public key generated by gpg, and 451080.txt is the files I would like to encrypt.

#!c:/Perl/bin/perl.exe
# Send the CGI response header before any other output.
print "Content-type: text/html\n\n";
# gpg command line: encrypt (-e) with ASCII armor (-a) to recipient Henry.
$cmd = "\"C:\\Program Files\\GNU\\GnuPG\\gpg.exe\" -e --no-secmem-warning --always-trust -a -r Henry C:\\apache\\cgi-bin\\451080.txt";
# Echo the command into the page, then run it.
print $cmd."\n\n";
system($cmd);

The question is that if I enter the following command in commander:

"C:\Program Files\GNU\GnuPG\gpg.exe" -e --no-secmem-warning --always-trust -a -r Henry C:\apache\cgi-bin\451080.txt

The file 451080.txt will successfully be encrypted and new file 451080.txt.asc will be generated. But when I deployed first.cgi in apache and run it using: http://localhost/cgi-bin/test.cgi The file cannot be successfully encrypted and also in error.log there has such errors:

[Tue Feb 24 15:01:40 2009] [error] [client 127.0.0.1] gpg: Henry: skipped: public key not found\r
[Tue Feb 24 15:01:40 2009] [error] [client 127.0.0.1] gpg: C:\\apache\\cgi-bin\\451080.txt: encryption failed: public key not found\r

Does anybody know how to fix this problem? 
Why commander can successfully execute the command but the apache cannot find the public key? Thanks very much. Henry From rjh at sixdemonbag.org Fri Feb 27 17:25:56 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 27 Feb 2009 11:25:56 -0500 Subject: future proof file encryption In-Reply-To: <49A805B0.5060407@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A805B0.5060407@sixdemonbag.org> Message-ID: <49A81414.40509@sixdemonbag.org> Robert J. Hansen wrote: > With a 256-bit cipher, if you're missing 3 bits, there are only eight > possible keys. This is not an obstacle. After a little thought, it occurred to me that perhaps Sven meant there are three errors and it's not known where. This turns into a slightly more complex case, but still within the realm of possibility: just over twenty-two million possible combinations (2.7 million combinations, with each set of three bits possessing eight possible states). From eh1474 at att.com Fri Feb 27 19:47:16 2009 From: eh1474 at att.com (HORNBOSTEL, LIBBY A (ATTSI)) Date: Fri, 27 Feb 2009 13:47:16 -0500 Subject: GPG Shell works but GnuPG commands fail Message-ID: <17C7468560D4B341BC8C89114FE479E4C8CC67@misout7msgusr83.ITServices.sbc.com> I have been tasked with installing GnuPG and GPG Shell onto Windows XP (then onto Windows Vista) to decrypt data files currently using PGP Command-Line software. I have installed GnuPG for Windows (version Version 1.1.4 ) from the http://gpg4win.org/ website. It appears to load successfully, but GPA throws a fatal error "Fatal Error in GPGME Library.
(invoked from file /home/wk/src/gpg4win11/build/gpg4win-1.1.4/ src/playground/build/gpa-0.8.0/src/confdialog.c, line 1447) Unsupported protocol The application will be terminated" So, I continued on and installed the GPG Shell product from http://www.jumaros.de/rsoft/index.html. I loaded some public and secret keys that were created from the PGP Command-Line software successfully. I can decrypt a file using the GPG Tools function. But when I try to use the PGP commands with options from a DOS prompt (or command prompt) gpg --decrypt C\DATA\CD.txt --output C:\DATA\CD.icf --passphrase my_pass I get the following: Usage: gpg [options] --decrypt [filename] If I evoke gpg first, I get: gpg: Go ahead and type your message . . . Then enter: gpg --decrypt C\DATA\CD.txt --output C:\DATA\CD.icf --passphrase my_pass The command prompt hangs. I would think it is a problem with the GnuPG installation, but would the GPG Shell work? Thanks in advance for any assistance you can provide. Libby H From cwal989 at comcast.net Fri Feb 27 23:26:29 2009 From: cwal989 at comcast.net (Christopher J. Walters) Date: Fri, 27 Feb 2009 17:26:29 -0500 Subject: future proof file encryption In-Reply-To: <49A7F0DB.9030300@sven-radde.de> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> Message-ID: <49A86895.9030508@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Sven Radde wrote: > Hi! > > It is probably one of the best choices for the purpose, however, in > general, long-term archival and encryption don't go together nicely. > Neither does compression or similar. Many algorithms or encryption modes > are rather 'sensitive' to single bit-errors, lost bits and the like. > Imagine the session-key part of an OpenPGP message be destroyed. 
> Commonly, this will be far less than 1% of the actual data, but even > with 99% intact, you won't have a chance of recovering *anything* from it. > When using encrypted backups, 100% data integrity plays a much greater > role than when just storing unencrypted data. > > With a directory full of .bmp files, you have a fair chance not to > notice a bit flip at all or you might notice a single out-of-color pixel. > With a directory of .jpgs, you might notice a corrupted 8x8 pixels block > or, worst case, have one unusable image. > With a single images.zip.gpg file, a bit flip may mean that the whole > archive is unreadable (which is the worst case... no idea what an > average case might look like). > > cu, Sven Hi Sven, I agree with you, especially with cryptography, but with compression, as well. I am assuming that you are talking about filesystem errors and the degradation of data on magnetic media. This can mess a person up with image files - especially compressed formats like JPEG and PNG, even without encryption added to the mix. That's why it would be a good idea, in my opinion, to use a public key pair, and a weaker cipher than AES to encrypt data like family photos. I would also hash every file using a good hash algorithm, like SHA2, RIPEMD160, etc. Additionally, I would keep at least 3 copies on HDD media, and replace your HDD every 2 years or so, and copy everything to the new one (after testing it for bad blocks, etc.), as well as storing it on optical media. A good backup schedule is essential for all data. One last thing, I would recommend against compressing the image files into .ZIP, or other archives - for JPG and PNG files, they are already compressed and compression will likely only make them larger. For BMP files, I would suggest compressing each one separately with a RAR format, with a recovery record. 
If you use GnuPG, it will compress by default and with the key pair suggestion, you can encrypt+sign each one separately, so at most, you'll lose one or two files, rather than all of them. Personally, I'd just keep them on removable media (like ZipDisks, CD/DVD+-R, USB port hard disk drives, etc.), and view them from there. It is not like we're talking about information vital to national security, here... I only encrypt things I absolutely don't want others to see (personal financial, medical, etc. information). As for your worst case, you can end up with a file you cannot decrypt, if the first part of the encrypted file is destroyed. If the error is in the data packet, most of the time, it will be detected, especially so if you sign it with your secret key. In that case, the normal or average case will be that you'll either lose one or more files, or they will be corrupted - possibly still readable. You would have to run some form of zipfix on the archive to read it, though. Regards, Chris From rjh at sixdemonbag.org Fri Feb 27 23:56:53 2009 From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Fri, 27 Feb 2009 17:56:53 -0500 Subject: future proof file encryption In-Reply-To: <49A86895.9030508@comcast.net> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> Message-ID: <49A86FB5.8000100@sixdemonbag.org> Christopher J. Walters wrote: > That's why it would be a good idea, in my opinion, to use a public > key pair, and a weaker cipher than AES to encrypt data like family > photos. I cannot for the life of me see what's leading you to give this counsel. Would you care to share your reasoning? > I would also hash every file using a good hash algorithm, like SHA2, > RIPEMD160, etc. Why? A good archiver will keep a running CRC, allowing you to identify which files are good and/or bad. Fuzzy hashing will potentially narrow it down to a few bytes within the file, making it possible for a good archivist to recover/restore most of the damaged area. > Additionally, I would keep at least 3 copies on HDD media, and > replace your HDD every 2 years or so, and copy everything to the new > one (after testing it for bad blocks, etc.), as well as storing it on > optical media. Needless overkill for most purposes. The lifespan of HD media is surprisingly long: you can fairly easily recover data off a 30-year-old hard drive. You might have trouble finding an MFM or RLL bus, but once you find it you're in pretty good shape -- especially if basic archival protections were taken. (For instance, don't vacuum-seal hard drives. Put them in heavy-duty antistatic bags, purge with very dry nitrogen, and seal it up. You could now store the hard drive underwater for years and still expect it to work when you hooked it up. Imagine how much better it will work kept in a safe deposit box.) Optical media can also be high reliability. 
I'm not sure I'd trust a CD that had been sitting on my dashboard for six weeks, but a CD stored in a lightproof envelope kept in a dry nitrogen environment will be good for decades. > One last thing, I would recommend against compressing the image files > into .ZIP, or other archives - for JPG and PNG files, they are > already compressed and compression will likely only make them larger. Yes, no -- it certainly can't hurt them. Also, image formats are usually about ten years in the past -- it's the nature of the beast, the image industry wants very stable formats -- which means they're also generally behind the curve on compression. Compare this to compression software, which is getting better by the day. From jbruni at me.com Sat Feb 28 00:25:52 2009 From: jbruni at me.com (Joseph Oreste Bruni) Date: Fri, 27 Feb 2009 16:25:52 -0700 Subject: future proof file encryption In-Reply-To: <49A86FB5.8000100@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> Message-ID: <61679285041107454815460995173835335060-Webmail@me.com> Okay, I've resisted getting into this discussion long enough, and I can't stands no more! Since we're talking about photos, what would be wrong with PRINTING them? I think a printed photo would last a lot longer than any computer-based technology. And, you could store them in shoeboxes. From cwal989 at comcast.net Sat Feb 28 01:03:18 2009 From: cwal989 at comcast.net (Christopher J. 
Walters) Date: Fri, 27 Feb 2009 19:03:18 -0500 Subject: future proof file encryption In-Reply-To: <49A86FB5.8000100@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> Message-ID: <49A87F46.20002@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Robert J. Hansen wrote: > Christopher J. Walters wrote: >> That's why it would be a good idea, in my opinion, to use a public >> key pair, and a weaker cipher than AES to encrypt data like family >> photos. > > I cannot for the life of me see what's leading you to give this counsel. > Would you care to share your reasoning? I did, later in my message. >> I would also hash every file using a good hash algorithm, like SHA2, >> RIPEMD160, etc. > > Why? A good archiver will keep a running CRC, allowing you to identify > which files are good and/or bad. Fuzzy hashing will potentially narrow > it down to a few bytes within the file, making it possible for a good > archivist to recover/restore most of the damaged area. I come from the early days of Fidonet, and BBS's. It is possible for a CRC32c checksum to show "OK" when there have been changes. Has always been this way. If you use an archiver to "archive" 200 files around 2 mb in length, then encrypt the archive, you could easily lose all 200 files, if the session key is lost. Keeping the files separate and hashing them, would be a way to tell if there are any problems. >> Additionally, I would keep at least 3 copies on HDD media, and >> replace your HDD every 2 years or so, and copy everything to the new >> one (after testing it for bad blocks, etc.), as well as storing it on >> optical media. > > Needless overkill for most purposes. 
The lifespan of HD media is > surprisingly long: you can fairly easily recover data off a 30-year-old > hard drive. You might have trouble finding an MFM or RLL bus, but once > you find it you're in pretty good shape -- especially if basic archival > protections were taken. The F.B.I. could recover data from your hard drive, as well - even if it crashes. Hard drive can crash within 1 or 2 years, especially if they get too hot. And just why is it overkill? With the costs of hard drives coming down, as they are, you can call it an upgrade. [snip] >> One last thing, I would recommend against compressing the image files >> into .ZIP, or other archives - for JPG and PNG files, they are >> already compressed and compression will likely only make them larger. > > Yes, no -- it certainly can't hurt them. Also, image formats are > usually about ten years in the past -- it's the nature of the beast, the > image industry wants very stable formats -- which means they're also > generally behind the curve on compression. Compare this to compression > software, which is getting better by the day. Actually JPEG is older than 10 years, IIRC, but it is still lossy compression followed by lossless compression. ZIP is much older than 10 years old, and offers far from the best compression. JPEG-2000 is newer and can have better compression than the original... So far, even using experimental archivers, I have not been able to reduce the size of a raw image file or raw music file to the size of a JPEG (even set to almost no compression at all), or MP3 (set to the highest bit rate). So tell me, what compression software are *you* talking about? 
Regards, Chris From rjh at sixdemonbag.org Sat Feb 28 01:22:56 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 27 Feb 2009 19:22:56 -0500 Subject: future proof file encryption In-Reply-To: <49A87F46.20002@comcast.net> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> Message-ID: <49A883E0.3070606@sixdemonbag.org> Christopher J. Walters wrote: > I did, later in my message. I didn't see it. Looking over it, I still don't. > I come from the early days of Fidonet, and BBS's. It is possible for > a CRC32c checksum to show "OK" when there have been changes. Has > always been this way. If you use an archiver to "archive" 200 files > around 2 mb in length, then encrypt the archive, you could easily > lose all 200 files, if the session key is lost. Keeping the files > separate and hashing them, would be a way to tell if there are any > problems.
There are a lot of different kinds of CRC32 -- some designed in an ad hoc manner and others designed to the standards of engineering. You're using one right now, probably: Ethernet frames incorporate a CRC32. If it's good enough for Ethernet, it's good enough for me. You're also missing the part about how GnuPG includes a hash of the data in its symmetric encryption. You don't need public key encryption to get a hash on the data. > The F.B.I. could recover data from your hard drive, as well - even if > it crashes. Hard drive can crash within 1 or 2 years, especially if > they get too hot. Hard drives tend not to crash or overheat when they're powered down, properly mothballed, and put in long-term storage. > And just why is it overkill? With the costs of hard drives coming > down, as they are, you can call it an upgrade. If you're seriously advocating spending $300 for hard drives alone to back up your data, then you've just priced your scheme beyond the reach of most people. I make good money at my day job and let me tell you, I wouldn't /think/ of spending $300 on backups. What happens in two years? You think I should be out another $300 in backups alone? An amortized cost of $150/year for backups is probably about 150 times too much. My suggestion is, IMO, at the edge of practicability -- and it costs under $100 of outlay for enough equipment to do about 100 long-term nitrogen-purged backups. ($50 for a 10 cu. ft. cylinder of argon, $20 for 100 antistat heat-sealable bags, $20 for a big stack of DVD-Rs.) As a rule of thumb, the more complex and expensive your backup system becomes, the less likely it is that anyone will actually follow the protocol. > Actually JPEG is older than 10 years, IIRC I said 'about'. JPEG was standardized in 1994; PNG in 1996; SVG in 2001. > So tell me, what compression software are *you* talking about? Wavelets. Fractals. Arithmetic coding. The data compression field is alive and well and constantly getting better. 
Check out the literature. Some of these have already been incorporated into newer graphics standards. E.g., JPEG has no support for wavelet encoding, but JPEG2000 does. From cwal989 at comcast.net Sat Feb 28 01:42:02 2009 From: cwal989 at comcast.net (Christopher J. Walters) Date: Fri, 27 Feb 2009 19:42:02 -0500 Subject: future proof file encryption In-Reply-To: <49A883E0.3070606@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> <49A883E0.3070606@sixdemonbag.org> Message-ID: <49A8885A.4090802@comcast.net> Robert J. Hansen wrote: > I said 'about'. JPEG was standardized in 1994; PNG in 1996; SVG in 2001. > >> So tell me, what compression software are *you* talking about? > > Wavelets. Fractals. Arithmetic coding. The data compression field is > alive and well and constantly getting better. Check out the literature. > > Some of these have already been incorporated into newer graphics > standards. E.g., JPEG has no support for wavelet encoding, but JPEG2000 > does. I know quite enough about the field without your snide and foolish remarks. I refuse to engage in a battle of wits with an unarmed opponent. 
From John at Mozilla-Enigmail.org Sat Feb 28 02:09:05 2009 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Fri, 27 Feb 2009 19:09:05 -0600 Subject: future proof file encryption In-Reply-To: <49A8885A.4090802@comcast.net> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> <49A883E0.3070606@sixdemonbag.org> <49A8885A.4090802@comcast.net> Message-ID: <49A88EB1.1050907@Mozilla-Enigmail.org> Christopher J. Walters wrote: > I know quite enough about the field without your snide and foolish remarks. I > refuse to engage in a battle of wits with an unarmed opponent. Statement one: I'll ignore as other readers may make their own opinions as to the quality of knowledge demonstrated. All too often we see folks too overly invested in a creation to accept objective criticism of the idea. statement two: Rob seems actually quite well-armed to discuss these topics, wit capacity being left unjudged. But then, I know about his PhD study concentration and work in the security field from our mutual Enigmail work: Black Hat 2005 on SQL injection; DEF CON 2006 on electronic voting security; CodeCon 2006 and OSCON 2006 on non-security topics. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels"
From lists at michel-messerschmidt.de Sat Feb 28 02:14:18 2009 From: lists at michel-messerschmidt.de (Michel Messerschmidt) Date: Sat, 28 Feb 2009 02:14:18 +0100 Subject: future proof file encryption In-Reply-To: <49A883E0.3070606@sixdemonbag.org> References: <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> <49A883E0.3070606@sixdemonbag.org> Message-ID: <20090228011418.GA17825@koshi.matrix> On Fri, Feb 27, 2009 at 07:22:56PM -0500, Robert J. Hansen wrote: > Hard drives tend not to crash or overheat when they're powered down, > properly mothballed, and put in long-term storage. Unless your photos are made for your grandchildren only, I don't believe in a personal "dead" long-term storage. Most people I know just want to keep files that they use at least occasionally. While I like your proposal for long-term storage, I rather stick with harddisks or flash drives for personal data. That way the files remain usable while being archived. But I wouldn't recommend more than two harddrives. With current hard drives I regard it as sufficient to use just one dedicated backup disk or even two copies on different computers. As long as the backups are verified, the probability of two simultaneous drive failures is low enough to make the risk acceptable. And if the house burns down ...the shoebox wasn't fireproof either. Back to encryption, I see no problem to simply use crypto filesystems with this scenario.
From dshaw at jabberwocky.com Sat Feb 28 02:27:14 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 27 Feb 2009 20:27:14 -0500 Subject: future proof file encryption In-Reply-To: <61679285041107454815460995173835335060-Webmail@me.com> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <61679285041107454815460995173835335060-Webmail@me.com> Message-ID: <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> On Feb 27, 2009, at 6:25 PM, Joseph Oreste Bruni wrote: > Okay, I've resisted getting into this discussion long enough, and I > can't stands no more! > > Since we're talking about photos, what would be wrong with PRINTING > them? I think a printed photo would last a lot longer than any > computer-based technology. And, you could store them in shoeboxes. Obviously, I'm a big fan of paper (exhibit A: http://www.jabberwocky.com/software/paperkey/ ), but the problem with prints is that you lose something when/if you scan them back into the digital space. It's a bit like a lossy compression. That said, I'd take a somewhat-degraded image over no image at all. It's not completely relevant to your example, but speaking of recovery from paper: a lot of the early cinema was thought to be gone forever because the negatives and all prints were lost or had decayed over the years (early film was printed on a guncotton base - needless to say it was highly flammable and degraded quickly). It turns out that for copyright reasons, some of the film companies had deposited paper copies (essentially a photo print of each film frame) of the films with the US Library of Congress.
The archivists re-photographed these paper prints back onto film, and managed to reconstruct the original movies. See, for example, http://rs6.loc.gov/papr/nychome.html David From rjh at sixdemonbag.org Sat Feb 28 02:31:25 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 27 Feb 2009 20:31:25 -0500 Subject: future proof file encryption In-Reply-To: <49A88EB1.1050907@Mozilla-Enigmail.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> <49A883E0.3070606@sixdemonbag.org> <49A8885A.4090802@comcast.net> <49A88EB1.1050907@Mozilla-Enigmail.org> Message-ID: <49A893ED.5070904@sixdemonbag.org> John Clizbe wrote: > All too often we see folks too overly invested in a creation to accept > objective criticism of the idea. There also seems to be a tendency to misread what I think are very neutral statements as being very dry snark. E.g., when I said I didn't see the reasoning, and having reread it I still didn't, it wasn't meant to be insulting: it was meant quite literally. If there was a line of reasoning there, I missed it on both the first and second reads-through. Maybe that means there was no reasoning, maybe that means I wasn't astute enough to read it. With all that said, I have discovered it is generally best to read people's statements in a way that gives them the benefit of the doubt. W.r.t. my experiences, I'll just quote Rodney Whitaker again: "Do not fall into the error of the artisan who boasts of twenty years experience in his craft while in fact he has only one year of experience -- twenty times." I make errors as easily as anyone else. 
E.g., I was wrong a couple of weeks ago about why there was no choice #3 in the subkey generation menu; I said that if memory served it belonged to Elgamal signing keys, which have since been removed -- bzzt, wrong. A couple of months ago David Shaw and I had a very vigorous argument about some of the engineering choices in the OpenPGP specification. After mulling it over for a couple of weeks, I've come around: David's arguments were more persuasive than mine. I'm not sure if I was wrong, per se -- we were arguing about a matter of personal opinion -- but I certainly had the weaker arguments. Beware of all experts. Experts are wrong as much as anybody else. Experts are just wrong with much greater authority. From rjh at sixdemonbag.org Sat Feb 28 02:37:53 2009 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 27 Feb 2009 20:37:53 -0500 Subject: future proof file encryption In-Reply-To: <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <61679285041107454815460995173835335060-Webmail@me.com> <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> Message-ID: <49A89571.2070105@sixdemonbag.org> (Replying to David, but it's really for Joseph) David Shaw wrote: > On Feb 27, 2009, at 6:25 PM, Joseph Oreste Bruni wrote: > >> Since we're talking about photos, what would be wrong with PRINTING >> them? I think a printed photo would last a lot longer than any >> computer-based technology. And, you could store them in shoeboxes. Depends a lot on the paper and dye you use. Most consumer-grade inkjet prints will begin fading after only a few years. Even if they don't, they react with the atmosphere and their color palette changes. 
If you've ever seen an old Polaroid that makes you think the 1970s were an era of muddy-looking colors, well -- that's what's happened to it. The original photo was vibrant, but light and atmospheric oxygen has changed it. For long-term photographic storage, make a print from photographic film on archival-quality print stock. Also, I'm given to understand that black and white photographs survive the aging process much better than color. From cwal989 at comcast.net Sat Feb 28 03:24:27 2009 From: cwal989 at comcast.net (Christopher J. Walters) Date: Fri, 27 Feb 2009 21:24:27 -0500 Subject: [OT]future proof file encryption In-Reply-To: <49A88EB1.1050907@Mozilla-Enigmail.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <49A87F46.20002@comcast.net> <49A883E0.3070606@sixdemonbag.org> <49A8885A.4090802@comcast.net> <49A88EB1.1050907@Mozilla-Enigmail.org> Message-ID: <49A8A05B.5000704@comcast.net> John Clizbe wrote: > Christopher J. Walters wrote: >> I know quite enough about the field without your snide and foolish remarks. I >> refuse to engage in a battle of wits with an unarmed opponent. > > Statement one: I'll ignore as other readers may make their own opinions > as to the quality of knowledge demonstrated. > > All too often we see folks too overly invested in a creation to accept > objective criticism of the idea. > > statement two: Rob seems actually quite well-armed to discuss these > topics, wit capacity being left unjudged. But then, I know about his PhD > study concentration and work in the security field from our mutual > Enigmail work: Black Hat 2005 on SQL injection; DEF CON 2006 on > electronic voting security; CodeCon 2006 and OSCON 2006 on non-security > topics. 
Statement one, and all of its children, I shall ignore, since they are only ignorance masked as arrogance and "superior knowledge and intellect". You don't know me well enough to judge either, so do this list and yourself a favor and stay out of it. It reeks of Ad Hominem, without quite getting there. I am sure others will. Statement two, two words: Straw man. Statement three: Faulty use of (assumed) Authority, Post Hoc. Therefore, ignored. From dshaw at jabberwocky.com Sat Feb 28 07:40:29 2009 From: dshaw at jabberwocky.com (David Shaw) Date: Sat, 28 Feb 2009 01:40:29 -0500 Subject: future proof file encryption In-Reply-To: <49A89571.2070105@sixdemonbag.org> References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A86895.9030508@comcast.net> <49A86FB5.8000100@sixdemonbag.org> <61679285041107454815460995173835335060-Webmail@me.com> <7090B60F-6548-4AC2-871B-2F07F6C394FE@jabberwocky.com> <49A89571.2070105@sixdemonbag.org> Message-ID: On Feb 27, 2009, at 8:37 PM, Robert J. Hansen wrote: > For long-term photographic storage, make a print from photographic > film > on archival-quality print stock. Also, I'm given to understand that > black and white photographs survive the aging process much better than > color. It's because black and white photographs and negatives contain actual silver (another reason why old films are lost - they were melted down for their silver content to make more film). Color photographs and negatives contain inks and dyes which can be very long lasting, but still don't have the longevity and environmental resistance of the silver. For very long term storage, store it in the cold and in the dark. Don't display your only copy on the wall, or at least pay the extra bit for UV blocking glass.
Really, though, if you have color film you want to preserve "indefinitely", scan the negative to digital and keep both the original negative in dark storage *and* the digital copy (remastering it as needed).

If your color photos were shot on Kodachrome, incidentally, you're in luck. It has dark-storage capabilities that are vastly better than any color negative film.

Drifting a bit from crypto here, I'm afraid. We should wind this subthread up.

David

From email at sven-radde.de Sat Feb 28 08:39:42 2009
From: email at sven-radde.de (Sven Radde)
Date: Sat, 28 Feb 2009 08:39:42 +0100
Subject: future proof file encryption
In-Reply-To: <49A81414.40509@sixdemonbag.org>
References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A805B0.5060407@sixdemonbag.org> <49A81414.40509@sixdemonbag.org>
Message-ID: <49A8EA3E.9060200@sven-radde.de>

Hi!

Robert J. Hansen wrote:
> After a little thought, it occurred to me that perhaps Sven meant there
> are three errors and it's not known where.

I also meant something like some 512 bytes of the file being unreadable because of failure of the corresponding disc sector. But I agree that single or few bit errors are probably not as catastrophic as I first thought.

cu, Sven

From wk at gnupg.org Sat Feb 28 12:33:37 2009
From: wk at gnupg.org (Werner Koch)
Date: Sat, 28 Feb 2009 12:33:37 +0100
Subject: future proof file encryption
In-Reply-To: <49A81414.40509@sixdemonbag.org> (Robert J.
 Hansen's message of "Fri, 27 Feb 2009 11:25:56 -0500")
References: <49A67BDD.90107@sabuleti.net> <009201c99811$67580ee0$36082ca0$@com> <8763ixl110.fsf@wheatstone.g10code.de> <20090226163251.GD29319@IUPUI.Edu> <49A7C8A0.5070300@sabuleti.net> <49A7E23E.8040507@sixdemonbag.org> <49A7F0DB.9030300@sven-radde.de> <49A805B0.5060407@sixdemonbag.org> <49A81414.40509@sixdemonbag.org>
Message-ID: <877i3aiyni.fsf@wheatstone.g10code.de>

On Fri, 27 Feb 2009 17:25, rjh at sixdemonbag.org said:

> After a little thought, it occurred to me that perhaps Sven meant there
> are three errors and it's not known where. This turns into a slightly
> more complex case, but still within the realm of possibility: just over
> twenty-two million possible combinations (2.7 million combinations, with

I would simply go and store several copies of the first, say, 4k of the encrypted archive on the backup media. This allows one to recover the encrypted session key with a high probability.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From cwal989 at comcast.net Sat Feb 28 15:16:22 2009
From: cwal989 at comcast.net (Christopher J. Walters)
Date: Sat, 28 Feb 2009 09:16:22 -0500
Subject: Hard Drive Prices...
Message-ID: <49A94736.8050103@comcast.net>

Just an FYI for the interested.

You can get USB/Firewire external hard disk drives for between $60 and $90 US depending on where you go. You can get internal ones (EIDE or SATA) for $30 and up (I found a 500 GB HDD for $75 with less than 2 minutes of searching online). You can buy a case or converter to use your internal HDD with USB or Firewire (this would make them cheaper). I saw some nice RAID arrays for $300 and up, but no real hard disk drives. The cost would really depend on your storage needs (the fewer the GB and RPM, the lower the price).

If you follow Werner's advice, you could reasonably store that data on a thumb drive (or several of them, if you are paranoid).

C.
PS: I still recommend at least one for backup, because hard disk drives can crash - I had it happen to me, and both times it happened in less than 2 years.

From quick at sparq.org Sat Feb 28 18:43:53 2009
From: quick at sparq.org (quick at sparq.org)
Date: Sat, 28 Feb 2009 11:43:53 -0600
Subject: text pinentry
Message-ID: <1235843033.49a977d981665@webmail.sparq.org>

Is there any way to get the direct inline text method of passphrase query/response for GnuPG 2.x like there was in GnuPG 1.4.9? In other words, no popup dialog boxes and no curses?

-KQ

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
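
An added example, not part of any message above and not GnuPG code, of Werner Koch's suggestion in the "future proof file encryption" thread: keep several copies of the first 4k of the encrypted archive and rebuild that region when sectors go bad, including the unreadable 512-byte sector Sven Radde describes. The function names, the three-copy count, the SHA-256 check and the constructed random "archive" are assumptions of this example.

```python
import hashlib
import random
from collections import Counter

HEADER_SIZE = 4096  # "the first, say, 4k" of the encrypted archive


def make_header_copies(archive, copies=3):
    """Return (header copies, SHA-256 of the header). Each copy would go to a
    different place on the backup media; the digest is this example's addition."""
    header = archive[:HEADER_SIZE]
    return [header] * copies, hashlib.sha256(header).hexdigest()


def recover_header(copies, digest):
    """Prefer a copy that still matches the digest; otherwise take a per-byte
    majority vote across the copies and verify the result."""
    for c in copies:
        if hashlib.sha256(c).hexdigest() == digest:
            return c
    voted = bytearray()
    for i in range(max(len(c) for c in copies)):
        column = [c[i] for c in copies if i < len(c)]
        voted.append(Counter(column).most_common(1)[0][0])
    if hashlib.sha256(voted).hexdigest() != digest:
        raise ValueError("header not recoverable from these copies")
    return bytes(voted)


def repair_archive(damaged, header):
    """Overwrite the start of a damaged archive with the recovered header."""
    return header + damaged[len(header):]


def demo():
    rng = random.Random(2009)
    # Constructed stand-in for an encrypted archive: random bytes, not OpenPGP data.
    archive = bytes(rng.getrandbits(8) for _ in range(3 * HEADER_SIZE))
    copies, digest = make_header_copies(archive)
    # Simulated media failure: a different unreadable 512-byte sector in each
    # copy, and the first sector of the archive itself.
    bad = [c[:n * 512] + bytes(512) + c[(n + 1) * 512:] for n, c in enumerate(copies)]
    damaged = bytes(512) + archive[512:]
    return repair_archive(damaged, recover_header(bad, digest)) == archive


if __name__ == "__main__":
    print("archive restored:", demo())
```

The copies protect only the first 4k; damage further into the archive is outside what this redundancy covers.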