From email at sven-radde.de Sat Jan 2 14:09:34 2010
From: email at sven-radde.de (Sven Radde)
Date: Sat, 02 Jan 2010 14:09:34 +0100
Subject: How to use an "offline" primary key
Message-ID: <4B3F458E.4050004@sven-radde.de>

Hello GnuPG-Users!

With a new year comes a new keypair and this time I tried to use subkeys to separate my secret primary key from the "day-to-day" encryption/signing keys.

Using options "--no-default-keyring --secret-keyring secring2.gpg --public-keyring pubring2.gpg" I generated the primary key, added UIDs, subkeys etc and then I used "--export-secret-subkeys" and "--import" to import it into the default keyrings.

Normal signing and decryption work fine, however I cannot get an operation to work that requires the primary key, such as re-setting an expiry date or signing someone else's key.

I thought that I would simply 'include' the primary key by adding "--secret-keyring secring2.gpg" whenever I need it for these kinds of operations, but GnuPG complains about missing parts of the secret key regardless of whether this option is present or not.

It seems I am missing something here, but I don't quite know how to proceed.

Thanks for any insights,
Sven

From allen.schultz at gmail.com Sat Jan 2 23:40:06 2010
From: allen.schultz at gmail.com (Allen Schultz)
Date: Sun, 3 Jan 2010 03:10:06 +0430
Subject: Encrypting with an message expiration date
Message-ID: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>

GnuPG-Users:

Is there a way to force an expiration date when encrypting a message for additional security. I have a friend who is inquiring. I've already informed him of the "for his/her eyes only" option.

--
Allen Schultz
pub 3072R/DAD4736B 2009-05-20
    Key fingerprint = 16AD EFE1 D68F C8A8 B086 68CD 1A35 85C7 DAD4 736B
uid Allen Schultz (aldaek)
uid [jpeg image of size 6128]
sub 2048R/F55651E0 2009-05-20 [expires: 2010-05-20]
sub 2048R/5687B83E 2009-05-20 [expires: 2010-05-20]

From dshaw at jabberwocky.com Sun Jan 3 01:45:15 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 Jan 2010 19:45:15 -0500
Subject: Encrypting with an message expiration date
In-Reply-To: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
Message-ID: <873D4E37-9FE1-48ED-849D-98CD82D5AAD8@jabberwocky.com>

On Jan 2, 2010, at 5:40 PM, Allen Schultz wrote:

> GnuPG-Users:
>
> Is there a way to force an expiration date when encrypting a message
> for additional security. I have a friend who is inquiring. I've
> already informed him of the "for his/her eyes only" option.

No, there isn't. The basic problem here is that you rely on someone to honor your request to kill a message after the expiration date. They can just ignore your request, and do what they like. Even if there was some means to do this, it's easy to foil - Alice sends a self-destructing message to Baker, but before it expires, Baker reads it and copies the contents into an unencrypted file. Incidentally, the "For Your Eyes Only" option in OpenPGP is also not particularly secure, for these same reasons.

It's possible to imagine a mail system that enforces this sort of thing (not the crypto itself, but as part of the whole mail system of which the crypto is only a part), but that's not a very strong protection - and even then suffers from the copy-to-an-unencrypted-file problem.

David

From faramir.cl at gmail.com Sun Jan 3 05:10:01 2010
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 03 Jan 2010 01:10:01 -0300
Subject: Encrypting with an message expiration date
In-Reply-To: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
Message-ID: <4B401899.70304@gmail.com>

Allen Schultz wrote:

> GnuPG-Users:
>
> Is there a way to force an expiration date when encrypting a message
> for additional security. I have a friend who is inquiring. I've
> already informed him of the "for his/her eyes only" option.

What is that option? (sorry, no idea about forcing an expiration date).

Best Regards

From dshaw at jabberwocky.com Sun Jan 3 05:54:20 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat, 2 Jan 2010 23:54:20 -0500
Subject: Encrypting with an message expiration date
In-Reply-To: <4B401899.70304@gmail.com>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B401899.70304@gmail.com>
Message-ID:

On Jan 2, 2010, at 11:10 PM, Faramir wrote:

> Allen Schultz wrote:
>> GnuPG-Users:
>>
>> Is there a way to force an expiration date when encrypting a message
>> for additional security. I have a friend who is inquiring. I've
>> already informed him of the "for his/her eyes only" option.
>
> What is that option?

--for-your-eyes-only

But don't think it adds real security. In OpenPGP, the FYEO option just sets a flag in the message that means (in effect), "Pretty please, with sugar on top, treat this as for your eyes only". The recipient is free to ignore the flag and do whatever they like.

David

From danm at prime.gushi.org Sun Jan 3 06:01:34 2010
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Sun, 3 Jan 2010 00:01:34 -0500 (EST)
Subject: Encrypting with an message expiration date
In-Reply-To:
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B401899.70304@gmail.com>
Message-ID:

On Sat, 2 Jan 2010, David Shaw wrote:

> On Jan 2, 2010, at 11:10 PM, Faramir wrote:
>
>> Allen Schultz wrote:
>>> GnuPG-Users:
>>>
>>> Is there a way to force an expiration date when encrypting a message
>>> for additional security. I have a friend who is inquiring. I've
>>> already informed him of the "for his/her eyes only" option.
>>
>> What is that option?
>
> --for-your-eyes-only
>
> But don't think it adds real security. In OpenPGP, the FYEO option just sets
> a flag in the message that means (in effect), "Pretty please, with sugar on
> top, treat this as for your eyes only". The recipient is free to ignore the
> flag and do whatever they like.

Is that analogous to the flag in older versions of PGP that would cause a message to be displayed in a non-printable/non-copyable format?

-Dan

--
I want to see how you see.
-SK, 6/2/99, 4:30 AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From dshaw at jabberwocky.com Sun Jan 3 06:12:00 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 3 Jan 2010 00:12:00 -0500
Subject: Encrypting with an message expiration date
In-Reply-To:
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B401899.70304@gmail.com>
Message-ID: <0516E698-B00C-4E7D-8011-E8E05522E3EB@jabberwocky.com>

On Jan 3, 2010, at 12:01 AM, Dan Mahoney, System Admin wrote:

> On Sat, 2 Jan 2010, David Shaw wrote:
>
>> On Jan 2, 2010, at 11:10 PM, Faramir wrote:
>>
>>> Allen Schultz wrote:
>>>> GnuPG-Users:
>>>> Is there a way to force an expiration date when encrypting a
>>>> message
>>>> for additional security. I have a friend who is inquiring. I've
>>>> already informed him of the "for his/her eyes only" option.
>>> What is that option?
>>
>> --for-your-eyes-only
>>
>> But don't think it adds real security. In OpenPGP, the FYEO option
>> just sets a flag in the message that means (in effect), "Pretty
>> please, with sugar on top, treat this as for your eyes only". The
>> recipient is free to ignore the flag and do whatever they like.
>
> Is that analogous to the flag in older versions of PGP that would
> cause a message to be displayed in a non-printable/non-copyable
> format?

It is more than analogous - it is that exact flag. Even in old PGP, the flag was really just advisory.

David

From classpath at arcor.de Sun Jan 3 13:41:46 2010
From: classpath at arcor.de (Morten Gulbrandsen)
Date: Sun, 03 Jan 2010 13:41:46 +0100
Subject: Encrypting with an message expiration date
In-Reply-To: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com>
Message-ID: <4B40908A.6060901@arcor.de>

Allen Schultz wrote:

> GnuPG-Users:
>
> Is there a way to force an expiration date when encrypting a message
> for additional security. I have a friend who is inquiring. I've
> already informed him of the "for his/her eyes only" option.
>

sure

http://vanish.cs.washington.edu/

the message looks like begin PGP message; but it has the tags

-----BEGIN VANISH MESSAGE-----
-----END VANISH MESSAGE-----

http://vanish.cs.washington.edu/concepts.html

-----BEGIN VANISH MESSAGE-----
This message will self-destruct by 04:14 on 07/05/09.
Use http://vanish.cs.washington.edu to read this message.
-----END VANISH MESSAGE-----

Sincerely yours,

Morten Gulbrandsen
_____________________________________________________________________
Java programmer, C++ programmer
CAcert Assurer, GSWoT introducer, Gossamer Spider Web of Trust
http://www.gswot.org
Please consider the environment before printing this e-mail!

From mariocastelancastro at gmail.com Sun Jan 3 20:55:37 2010
From: mariocastelancastro at gmail.com (Mario Castelán Castro)
Date: Sun, 3 Jan 2010 13:55:37 -0600
Subject: Encrypting with an message expiration date
In-Reply-To: <4B40908A.6060901@arcor.de>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B40908A.6060901@arcor.de>
Message-ID:

January 3rd 2010 in gnupg-users at gnupg.org thread "Encrypting with an message expiration date"

"self-destructing data" is a big fallacy, is almost the same issue as computer "virus". There is no data/software (Software is data) that acts by itself, it should be interpreted to take an effect. A "computer virus" is a malware that you run accidentally. From my old days with Windows I remember those malware in CD-ROMs with a run.ini inside (Or something similar) that tells W to run the malware. That virus is not self acting, just that operating system is designed to interpret those run.ini. Not even the Operating System is self acting, you instructed the CPU to run it!

> GnuPG-Users:
>
> Is there a way to force an expiration date when encrypting a message
> for additional security. I have a friend who is inquiring. I've
> already informed him of the "for his/her eyes only" option.

There is no real way to *enforce* an expiration date. In the same manner viruses don't act by themselves, data doesn't self-destruct, just the user runs the program to enforce the expiration date without ever noticing. The user may simply choose to not run the program or to copy the data and put it in a safe place like a DVD before it gets deleted. There are of course, methods that make this much more hard, and almost impossible, like the ones currently used for DRM.

The only kinda effective way I see to effectively enforce data deletion are IC with a storage of energy inside (Say, supercapacitor) that destroys the data (Either by zeroizing it or to detonate a small explosion to destroy the internal of the IC) when either the energy is too low, someone tries to open the IC or too many bad keys are entered. This IC would be self acting of course, as it is a physical object but it would be very very expensive or maybe impossible to build and no one warranty they can be found methods to deactivate the protection methods without deleting the data. DRM-like software wouldn't be useful at all as software can be run in simulated environments and removed, and it may be morally unacceptable but that depends on the exact use I think.

From chd at chud.net Mon Jan 4 05:58:38 2010
From: chd at chud.net (Chris De Young)
Date: Sun, 03 Jan 2010 21:58:38 -0700
Subject: Encrypting with an message expiration date
In-Reply-To: <4B40908A.6060901@arcor.de>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B40908A.6060901@arcor.de>
Message-ID: <4B41757E.5060102@chud.net>

Morten Gulbrandsen wrote:
> Allen Schultz wrote:
>
>> Is there a way to force an expiration date when encrypting a message
>> for additional security. [...]
>
> sure
>
> http://vanish.cs.washington.edu/
>

Although I think systems like this do have utility, I don't think it really solves this problem. In order to enforce an expiration date against a user who knows the data will expire, you must present the data in some uncopyable way. I can think of no practical way to do that (though of course people smarter than I might :) ).

If nothing else, there's nothing to stop me from pointing my camera at my monitor and capturing everything displayed there - stripping off any inconvenient meta-data in the process.

-Chris

From rjh at sixdemonbag.org Mon Jan 4 07:17:06 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 04 Jan 2010 01:17:06 -0500
Subject: Encrypting with an message expiration date
In-Reply-To: <4B41757E.5060102@chud.net>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B40908A.6060901@arcor.de> <4B41757E.5060102@chud.net>
Message-ID: <4B4187E2.7040402@sixdemonbag.org>

> Morten Gulbrandsen wrote:
>> Allen Schultz wrote:
>>
>>> Is there a way to force an expiration date when encrypting a message
>>> for additional security.
>
> [...]
>
>>
>> sure
>>
>> http://vanish.cs.washington.edu/

There are, as near as I can tell, only three options: either (a) you trust the sender's clock, (b) you trust the recipient's clock, or (c) you trust a third-party clock.

Once you know which clock the system is trusting, attack the clock. Subvert and/or impersonate it, rewind time back, and view the message again.

Every time-based security scheme I've found has had this failure mode. It seems to be impossible to avoid.

From peter at digitalbrains.com Mon Jan 4 12:53:21 2010
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 04 Jan 2010 12:53:21 +0100
Subject: How to use an "offline" primary key
In-Reply-To: <4B3F458E.4050004@sven-radde.de>
References: <4B3F458E.4050004@sven-radde.de>
Message-ID: <4B41D6B1.3070807@digitalbrains.com>

Sven Radde wrote:
> I thought that I would simply 'include' the primary key by adding
> "--secret-keyring secring2.gpg" whenever I need it for these kinds of
> operations, but GnuPG complains about missing parts of the secret key
> regardless of whether this option is present or not.

AFAIK, GnuPG will take the first version of the key it finds. The first version of the key (primary and subkeys) is in your default keyring, with only a stub primary. You could try something like

  --no-default-keyring --secret-keyring secring2.gpg --public-keyring pubring2.gpg --secret-keyring secring.gpg --public-keyring pubring.gpg

where secring.gpg/pubring.gpg are your default keyrings.

By exchanging the order of the keyrings, hopefully this will mean it looks for the key in secring2.gpg first, where the primary key is included too.

I haven't tried it myself, though.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)

From marcio.barbado at gmail.com Mon Jan 4 17:17:04 2010
From: marcio.barbado at gmail.com (M.B.Jr.)
Date: Mon, 4 Jan 2010 14:17:04 -0200
Subject: How to use an "offline" primary key
In-Reply-To: <4B3F458E.4050004@sven-radde.de>
References: <4B3F458E.4050004@sven-radde.de>
Message-ID: <2df3b0cb1001040817h72e28c77xefd5d560b29a1d95@mail.gmail.com>

Hi list,
I wish a great 2010 year for everybody!

On Sat, Jan 2, 2010 at 11:09 AM, Sven Radde wrote:
> Hello GnuPG-Users!
>
> With a new year comes a new keypair and this time I tried to use subkeys
> to separate my secret primary key from the "day-to-day"
> encryption/signing keys.

Concerning Sven's statement about his primary key's secrecy, and something David Shaw explained to me a while ago, I ask you: is it possible to have a totally secret digital signature primary key?

I mean, part of it will be inevitably public, won't it?

Regards,

Marcio Barbado, Jr.

From email at sven-radde.de Mon Jan 4 17:44:29 2010
From: email at sven-radde.de (Sven Radde)
Date: Mon, 04 Jan 2010 17:44:29 +0100
Subject: How to use an "offline" primary key
In-Reply-To: <4B41D6B1.3070807@digitalbrains.com>
References: <4B3F458E.4050004@sven-radde.de> <4B41D6B1.3070807@digitalbrains.com>
Message-ID: <4B421AED.5010406@sven-radde.de>

Hi!

Peter Lebbing wrote:
> By exchanging the order of the keyrings, hopefully this will mean it looks for
> the key in secring2.gpg first, where the primary key is included too.

Works fine for certifying other people's keys, thank you!

However, since all updates to my key would be done to "secring2" and "pubring2" in this case, I think I would have to re-export/import from the "offline" keyring to the "online" keyring every time I do things like changing preferences, setting expiry dates, adding new subkeys etc.

But this is really just a very minor inconvenience and I will see whether I can do with "secring", "secring2" and a single shared "pubring"...

cu, Sven

From dshaw at jabberwocky.com Mon Jan 4 18:53:08 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 4 Jan 2010 12:53:08 -0500
Subject: Encrypting with an message expiration date
In-Reply-To: <4B4187E2.7040402@sixdemonbag.org>
References: <3f34f8421001021440r549b7d5x1b885d637024282b@mail.gmail.com> <4B40908A.6060901@arcor.de> <4B41757E.5060102@chud.net> <4B4187E2.7040402@sixdemonbag.org>
Message-ID: <4532A03B-F97D-4808-AF6F-BABDF4C76011@jabberwocky.com>

On Jan 4, 2010, at 1:17 AM, Robert J. Hansen wrote:

>> Morten Gulbrandsen wrote:
>>> Allen Schultz wrote:
>>>
>>>> Is there a way to force an expiration date when encrypting a message
>>>> for additional security.
>>
>> [...]
>>
>>>
>>> sure
>>>
>>> http://vanish.cs.washington.edu/
>
> There are, as near as I can tell, only three options: either (a) you
> trust the sender's clock, (b) you trust the recipient's clock, or (c)
> you trust a third-party clock.
>
> Once you know which clock the system is trusting, attack the clock.
> Subvert and/or impersonate it, rewind time back, and view the message again.

Did you read the Vanish paper? That's not how it works - there isn't some piece of code that says "if (not_yet_expired) { show_data }". Rolling the clock back has little effect.

In Vanish, the key is broken into multiple key shares (a la Shamir), and spread out over many machines in a large pool. At expiration time (a regular occurrence on the node, and not specific to the message), the key share is simply dropped. Eventually, enough shares are gone that the key cannot be recovered. One could conjecture some master of the universe attack against all of the nodes, but it's a very different trick to subvert one machine than it is to subvert over a million of them (Vanish runs over Vuze). Plus the attack would have to be mounted before the message expires.

Of course, see http://z.cs.utexas.edu/users/osa/unvanish/ ;)

To be sure, Vanish doesn't solve the problem we're talking about here, but I can't really hold that against it since that's not the problem it was designed to solve.

David

From Robert.Stringer at tdassurance.com Mon Jan 4 16:02:31 2010
From: Robert.Stringer at tdassurance.com (Stringer, Robert)
Date: Mon, 4 Jan 2010 10:02:31 -0500
Subject: Compatibility version between version 1.2 and 1.4.10
Message-ID:

Hi

We just downloaded the latest version of GNuPg, version 1.4.10.

Questions:

Can we reuse the same keys to encrypt the data?
Can we use the 1.4.10 version without any modifications on our systems?
Is there any issues we must be aware regarding the new version?

PS: GNUPG runs on WINDOWS 2003 server.

Thx

Robert

From dshaw at jabberwocky.com Mon Jan 4 20:16:11 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 4 Jan 2010 14:16:11 -0500
Subject: Compatibility version between version 1.2 and 1.4.10
In-Reply-To:
References:
Message-ID:

On Jan 4, 2010, at 10:02 AM, Stringer, Robert wrote:

> Hi
>
> We just downloaded the latest version of GNuPg, version 1.4.10.
>
> Questions:
>
> Can we reuse the same keys to encrypt the data?

Impossible to say without knowing how you are using GPG. I can say "almost certainly", though.

> Can we use the 1.4.10 version without any modifications on our systems?

Impossible to say without knowing how you are using GPG. I can say "probably", though.

> Is there any issues we must be aware regarding the new version?

Read the NEWS file that comes with every version of GPG. The file is updated for every release. In your case, you should read the sections between 1.4.10 and 1.2.

David

From silly8888 at gmail.com Tue Jan 5 07:18:11 2010
From: silly8888 at gmail.com (silly8888)
Date: Tue, 5 Jan 2010 01:18:11 -0500
Subject: how to find the keygrip of a key
Message-ID: <3c8f9f941001042218g106fe135i15f945519bcf917f@mail.gmail.com>

Hi all,

I have a gpg key that I would like to add to gpg-agent using the gpg-preset-passphrase. I understand that gpg-preset-passphrase expects me to provide the keygrip the key but I cannot see how to find it. The key is an ordinary gpg key, nothing to do with gpgsm. Any help would be appreciated.

From wk at gnupg.org Tue Jan 5 08:51:22 2010
From: wk at gnupg.org (Werner Koch)
Date: Tue, 05 Jan 2010 08:51:22 +0100
Subject: how to find the keygrip of a key
In-Reply-To: <3c8f9f941001042218g106fe135i15f945519bcf917f@mail.gmail.com>
References: <3c8f9f941001042218g106fe135i15f945519bcf917f@mail.gmail.com>
Message-ID: <877hrx2dmt.fsf@vigenere.g10code.de>

On Tue, 5 Jan 2010 01:18:11 -0500, silly8888 wrote:

> I have a gpg key that I would like to add to gpg-agent using the
> gpg-preset-passphrase. I understand that gpg-preset-passphrase expects
> me to provide the keygrip the key but I cannot see how to find it. The
> key is an ordinary gpg key, nothing to do with gpgsm. Any help would

As of now gpg uses the gpg-agent only for passphrase caching. That does also mean that there is no keygrip. Instead you use the fingerprint of the key. Usually the fingerprint of the primary key is sufficient for almost all gpg actions. However here we need to use the fingerprint of the actual subkey; use this command to show it:

  $ gpg2 --fingerprint --fingerprint alpha@example.net
  pub 1024D/68697734 1999-03-08
      Key fingerprint = A0FF 4590 BB61 22ED EF6E 3C54 2D72 7CC7 6869 7734
  uid Alfa Test (demo key)
  uid Alpha Test (demo key)
  uid Alice (demo key)
  sub 1024g/46A871F8 1999-03-08
      Key fingerprint = 3B3F BC94 8FE5 9301 ED62 9EFB 6AE6 D7EE 46A8 71F8

Thus for the decryption key you would use

  $ echo abc | gpg-preset-passphrase \
      --preset 3B3FBC948FE59301ED629EFB6AE6D7EE46A871F8

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From taurus366 at gmail.com Wed Jan 6 02:13:38 2010
From: taurus366 at gmail.com (taurus)
Date: Wed, 6 Jan 2010 01:13:38 +0000
Subject: Changing expiration time of subkeys
Message-ID: <7C216019-CDE0-4C73-B4B7-05765DF818F1@gmail.com>

Hi all,

I am trying to change the expiration time of 2 sub-keys with no success.
I edit the main key and with command expire I selected the uid(s) and the result is this:

Secret key is available.

pub 4096R/C9CFBFA0 created: 2008-12-31 expires: never usage: SC
    trust: ultimate validity: ultimate
sub 4096R/F2A8860E created: 2008-12-31 expired: 2009-12-31 usage: E
    ^^^^^^^^^^^ ^^^^^^^^^^^^^^
sub 1024R/ED88A3D8 created: 2009-01-13 expires: 2010-01-13 usage: S
    ^^^^^^^^^^^^ ^^^^^^^^^^^^^^
[ultimate] (1). N1
[ultimate] (2) N2
[ultimate] (3) [jpeg image of size 10211]

Command> check
uid N1
sig!3 C9CFBFA0 2010-01-05 [self-signature]
uid N2
sig!3 C9CFBFA0 2010-01-05 [self-signature]
uid [jpeg image of size 10211]
sig!3 C9CFBFA0 2010-01-05 [self-signature]

Command> toggle

sec 4096R/C9CFBFA0 created: 2008-12-31 expires: never
ssb 4096R/F2A8860E created: 2008-12-31 expires: never
    ^^^^^^^^^
ssb 1024R/ED88A3D8 created: 2009-01-13 expires: never
    ^^^^^^^^^
(1) N1
(2) N2
(3) [jpeg image of size 10211]

And this key continues unavailable for signing or encrypting in Mail application.
I can't figure what I'm doing wrong, any help is welcome.

TIA,
taur.

From dkg at fifthhorseman.net Wed Jan 6 06:34:42 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Jan 2010 00:34:42 -0500
Subject: Changing expiration time of subkeys
In-Reply-To: <7C216019-CDE0-4C73-B4B7-05765DF818F1@gmail.com>
References: <7C216019-CDE0-4C73-B4B7-05765DF818F1@gmail.com>
Message-ID: <4B4420F2.2090201@fifthhorseman.net>

Hi taurus--

On 01/05/2010 08:13 PM, taurus wrote:
> I am trying to change the expiration time of 2 sub-keys with no success.
> I edit the main key and with command expire I selected the uid(s)

sub-keys are not bound to any particular uid ("user id"), but rather to the primary key itself. selecting any particular uid shouldn't have any effect on any particular subkey.

> the result is this:
>
> Secret key is available.
>
> pub 4096R/C9CFBFA0 created: 2008-12-31 expires: never usage: SC
>     trust: ultimate validity: ultimate
> sub 4096R/F2A8860E created: 2008-12-31 expired: 2009-12-31 usage: E
>     ^^^^^^^^^^^ ^^^^^^^^^^^^^^
> sub 1024R/ED88A3D8 created: 2009-01-13 expires: 2010-01-13 usage: S
>     ^^^^^^^^^^^^ ^^^^^^^^^^^^^^

The things you're underlining here (it's not really aligned using a monospace font, so i'm not sure) appears to be the "created" field, not the "expires" field. this is confusing.

Looking at C9CFBFA0 on the public keyservers, i don't see your signing subkey (ED88A3D8) on it at all. is it possible that has not been published? (your jpeg UAT is also not published, afaict)

> And this key continues unavailable for signing or encrypting in Mail
> application.
> I can't figure what I'm doing wrong, any help is welcome.

i think the usual recommendation is to not bother updating expiration dates on subkeys; just make a new subkey with the intended usage flags, and set a new expiration date. This should work fine for both signing- and encryption-capable subkeys as long as you re-publish your entire OpenPGP cert to the keyservers after adding the subkey, and your correspondents know how to update their keyrings.
is there a reason that you need to keep any particular subkey in use?

hth,

--dkg

From taurus366 at gmail.com Wed Jan 6 06:59:12 2010
From: taurus366 at gmail.com (taurus)
Date: Wed, 6 Jan 2010 05:59:12 +0000
Subject: Changing expiration time of subkeys
In-Reply-To: <4B4420F2.2090201@fifthhorseman.net>
References: <7C216019-CDE0-4C73-B4B7-05765DF818F1@gmail.com> <4B4420F2.2090201@fifthhorseman.net>
Message-ID: <3E562803-1925-49D2-9ABE-715ED54DEF8B@gmail.com>

Hi,

On 6 January 2010, at 05:34, Daniel Kahn Gillmor wrote:

> Hi taurus--
>
> On 01/05/2010 08:13 PM, taurus wrote:
>> I am trying to change the expiration time of 2 sub-keys with no
>> success.
>> I edit the main key and with command expire I selected the uid(s)
>
> sub-keys are not bound to any particular uid ("user id"), but rather
> to
> the primary key itself. selecting any particular uid shouldn't have
> any
> effect on any particular subkey.

That was my mistake, I selected uid's and not the key.
I succeed to change the expiration date of the subkeys when I use the 'key 1' and 'key 2' command. Before I was using only 1,..2,...

>
> i think the usual recommendation is to not bother updating expiration
> dates on subkeys; just make a new subkey with the intended usage
> flags,
> and set a new expiration date. This should work fine for both
> signing-
> and encryption-capable subkeys as long as you re-publish your entire
> OpenPGP cert to the keyservers after adding the subkey, and your
> correspondents know how to update their keyrings.

I understand this.

>
> is there a reason that you need to keep any particular subkey in use?

This key I use in private and mostly with family.

> hth,
>

Thank you very much.

From dkg at fifthhorseman.net Wed Jan 6 07:17:08 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Jan 2010 01:17:08 -0500
Subject: Changing expiration time of subkeys
In-Reply-To: <3E562803-1925-49D2-9ABE-715ED54DEF8B@gmail.com>
References: <7C216019-CDE0-4C73-B4B7-05765DF818F1@gmail.com> <4B4420F2.2090201@fifthhorseman.net> <3E562803-1925-49D2-9ABE-715ED54DEF8B@gmail.com>
Message-ID: <4B442AE4.4080208@fifthhorseman.net>

On 01/06/2010 12:59 AM, taurus wrote:
> I succeed to change the expiration date of the subkeys when I use the
> 'key 1' and 'key 2' command. Before I was using only 1,..2,...

great!

> On 6 January 2010, at 05:34, Daniel Kahn Gillmor wrote:
>> is there a reason that you need to keep any particular subkey in use?
>
> This key I use in private and mostly with family.

I think the argument goes like this: do you have a way of getting updates about your key to your family? If you do, then you should be able to get them updates about new subkeys. So you don't need to update the expiration date of the old subkeys.

If you don't have a way to get updates about your key to your family, then updating the expiration dates of the old subkeys is irrelevant, because they'll never get the updated expiration dates anyway, so they won't know about them.

Anyway, it's up to you, of course, but i don't think the key being private or certain other people using it are terribly strong arguments for keeping a particular subkey instead of just creating a new one (though i do think that stronger arguments exist for doing this in some circumstances).

Regards,

--dkg

From andre at amorim.me Wed Jan 6 22:16:49 2010
From: andre at amorim.me (Andre Amorim)
Date: Wed, 6 Jan 2010 21:16:49 +0000
Subject: Formalizing the Facebook Web of Trust
Message-ID:

Hi guys,

What are your thoughts about that ?

http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf

Thanks

--
Andre Amorim
GnuPG KEY ID: 0x587B1970
FingerPrint: 42AE C929 4D91 4591 4E75 430F 78D9 53B4 587B 1970
Download: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x587B1970

From lee_andre at bellsouth.net Wed Jan 6 22:15:17 2010
From: lee_andre at bellsouth.net (Andre Lee)
Date: Wed, 6 Jan 2010 13:15:17 -0800 (PST)
Subject: Passphrase error
Message-ID: <655693.37259.qm@web180712.mail.sp1.yahoo.com>

Hey Guys,

I'm back again with another crazy GPG issue: I receive the following error when I run my decryption process through the Oracle BPEL process:

From lee_andre at bellsouth.net Wed Jan 6 22:20:11 2010
From: lee_andre at bellsouth.net (Andre Lee)
Date: Wed, 6 Jan 2010 13:20:11 -0800 (PST)
Subject: Passphrase error
Message-ID: <30631.78864.qm@web180710.mail.sp1.yahoo.com>

Hey Guys,

I'm back again with another crazy GPG issue: I receive the following error when I run my decryption process through the Oracle BPEL process:

gpg: public key is E3328CE0
gpg: using secondary key E3328CE0 instead of primary key 26C55D64
gpg: using secondary key E3328CE0 instead of primary key 26C55D64
gpg: encrypted with 2048-bit ELG-E key, ID E3328CE0, created 2003-05-13
      "SmartMail Services "
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available

I've had an issue with running gpg commands via Oracle BPEL before but the change to the new server fixed it in the TEST. Now I have this new issues on another server in the BAT environment. When the passphrase is passed via BPEL process I get the error above but when I pass the same error via command line, it decrypts the files just fine. Some how I think this is a configuration issue what are your thoughts.

From John at Mozilla-Enigmail.org Wed Jan 6 23:54:19 2010
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 06 Jan 2010 16:54:19 -0600
Subject: Passphrase error
In-Reply-To: <30631.78864.qm@web180710.mail.sp1.yahoo.com>
References: <30631.78864.qm@web180710.mail.sp1.yahoo.com>
Message-ID: <4B45149B.1010803@Mozilla-Enigmail.org>

Andre Lee wrote:
> gpg: public key decryption failed: bad passphrase
> gpg: decryption failed: secret key not available
>
> I've had an issue with running gpg commands via Oracle BPEL before but
> the change to the new server fixed it in the TEST. Now I have this new
> issues on another server in the BAT environment. When the passphrase is
> passed via BPEL process I get the error above but when I pass the same
> error via command line, it decrypts the files just fine. Some how I
> think this is a configuration issue what are your thoughts.

It's more likely a programming error with how the passphrase is being passed than a "configuration" error.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From dkg at fifthhorseman.net Thu Jan 7 02:39:53 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 06 Jan 2010 20:39:53 -0500
Subject: Formalizing the Facebook Web of Trust
In-Reply-To:
References:
Message-ID: <4B453B69.9000900@fifthhorseman.net>

On 01/06/2010 04:16 PM, Andre Amorim wrote:
> What are your thoughts about that ?
>
> http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf

Interesting! thanks for pointing it out.

I like the idea of using Facebook as a transport/distribution mechanism. I'm less confident in their use of Facebook to encourage keysigning. For example, i'm not even sure i understand the part here where they talk about "photos of Devin taken by his friends":

from the facebook app on page 7 of the presentation:

>> Make sure you fully trust Devin's public key. You can do this by
>> verifying the photos of Devin taken by his friends and/or verifying the
>> public key fingerprint with an out of band communication method (in
>> person, over the phone, etc)

Also, the authors of the presentation seem to have gotten the semantics of keysigning confused with ownertrust. Standard OpenPGP key signatures certify *nothing* about the issuer's belief in the subject's capacity as a keysigner, but their facebook app suggests otherwise (also on page 7):

>> By signing Devin's public key, you vouch for the validity of that key
>> and your trust that Devin will exercise good judgement when signing
>> other public keys

These concepts (the difference between key/uid validity and ownertrust) are already pretty confusing; it would be a shame if facebook users were introduced to the OpenPGP concepts by this sort of a mixed message.

That said, OpenPGP does have many of the properties that make social networking appealing. it'd be a Good Thing to use existing social networks to bring people into the Web of Trust online, if done carefully.

--dkg

PS their pidgin work is unclear from the paper, so i don't really know how to evaluate it.
if all they did was fetch keys from facebook, that's a little weird (since they could already fetch keys from the hkp network). i'm also not convinced that OpenPGP messages are the best technological choice (without *significant* extra thought and UI work) for instant messaging.

From jarif at iki.fi Thu Jan 7 07:36:46 2010
From: jarif at iki.fi (Jari Fredriksson)
Date: Thu, 07 Jan 2010 08:36:46 +0200
Subject: How to make GnuPG 1.4.10b binary work on Windows 7?
In-Reply-To: <4B3445F2.3080704@iki.fi>
References: <87bcf3800910291851k5f6b1d8by587269a2463c39da@mail.gmail.com> <4B3445F2.3080704@iki.fi>
Message-ID: <4B4580FE.2040509@iki.fi>

On 25.12.2009 6:56, Jari Fredriksson wrote:
> On 30.10.2009 3:51, Moses wrote:
>> Hi,
>>
>> GPG 1.4.10b does not work on Windows 7, does anyone know how to make it
>> work?
>
> +1
>

I got GnuPG working with downloading PGP4Win. It has GnuPG 2.0 and works fine with Enigmail too.

--
http://www.iki.fi/jarif/

So she went into the garden to cut a cabbage leaf to make an apple pie; and at the same time a great she-bear, coming up the street pops its head into the shop. "What! no soap?" So he died, and she very imprudently married the barber; and there were present the Picninnies, and the Grand Panjandrum himself, with the little round button at top, and they all fell to playing the game of catch as catch can, till the gunpowder ran out at the heels of their boots.
-- Samuel Foote

From danm at prime.gushi.org Thu Jan 7 08:37:20 2010
From: danm at prime.gushi.org (Dan Mahoney, System Admin)
Date: Thu, 7 Jan 2010 02:37:20 -0500 (EST)
Subject: Howto For DNS Key publishing.
In-Reply-To:
References:
Message-ID:

On Thu, 29 Oct 2009, Dan Mahoney, System Admin wrote:
> All,
>
> I've written a pretty conclusive howto on how to publish keys in DNS,
> including detailing the advantages and disadvantages of each method, with
> full examples, details on testing, and real-world output.
>
> I've also re-implemented make-dns-cert as a shell script, so that it's more
> easily available to people who don't have the source, but who installed via a
> binary package (that's most people), including comments, cleaner record
> handling, auto-fingerprinting, etc. One command, three arguments, and you
> get all three record types.

David,

Would it be possible to include my make-dns-cert.sh shell script with GPG? It solves both the problems of the existing tool being a not-built-by-default binary, as well as modernizes the DNS record formats used, heavily, and is easily used by people who have installed GPG via a package.

-Dan Mahoney

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

From stefanxe at gmx.net Thu Jan 7 09:10:11 2010
From: stefanxe at gmx.net (Stefan Xenon)
Date: Thu, 07 Jan 2010 09:10:11 +0100
Subject: GPG4Win for OpenPGP Card 2 ?
Message-ID: <4B4596E3.3050900@gmx.net>

Hi!

GPG4Win is a great package but unfortunately the included GnuPG 2.0.12 does not support the OpenPGP Card v2. Is there a schedule when a new release of GPG4Win will be released? This would be great!

Regards
Stefan

From olav at mozilla-enigmail.org Thu Jan 7 10:16:35 2010
From: olav at mozilla-enigmail.org (Olav Seyfarth)
Date: Thu, 07 Jan 2010 10:16:35 +0100
Subject: GPG4Win for OpenPGP Card 2 ?
In-Reply-To: <4B4596E3.3050900@gmx.net>
References: <4B4596E3.3050900@gmx.net>
Message-ID: <4B45A673.1000301@mozilla-enigmail.org>

Hi Stefan,

> GPG4Win is a great package but unfortunately the included GnuPG 2.0.12
> does not support the OpenPGP Card v2. Is there a schedule when a new
> release of GPG4Win will be released? This would be great!

GPG4Win 2.0.1 / GnuPG 2.0.12 does support the OpenPGP card v2. In fact, this Email is signed by TB3.0/EM1.0/GPG4Win2.0.1.

Olav

--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

From makrober at gmail.com Thu Jan 7 10:36:26 2010
From: makrober at gmail.com (makrober)
Date: Thu, 07 Jan 2010 09:36:26 +0000
Subject: Web of Trust itself is the problem
In-Reply-To:
References:
Message-ID: <4B45AB1A.3030500@gmail.com>

Andre Amorim wrote:
> What are your thoughts about that ?
> http://www.cs.rice.edu/~mtd3/comp527/comp527presentation.pdf

Well, here are some thoughts:

The presentation starts with: "Why isn't PGP widely used?"

The first point ("Designed around the E-mail") is absolutely correct. E-mail is not the only communication channel that needs protection now, and I strongly suggest that it will be less and less prominent in the future. There is an awful lot of crud in g/pgp that complicates the use in contexts other than e-mail.

But the rest of the "Why isn't [it] used" is plain wrong.

G/PGP isn't widely used because it does not address adequately the real-life operational circumstances of the potential user, and Web of Trust is the main culprit. It brings an enormous burden to the development and - consequently - to the daily use of the system. This burden is of such magnitude that it prevents all but technically very competent computer users from adopting the system. Yet it addresses the need that is present, I propose, only for a very minor segment of users: those that would like to communicate in secrecy but have not had a previous trusted relationship.

*Most individuals will rarely, if ever, be motivated to communicate in secrecy with someone they don't already have a trusted relationship with*.

This simple fact seems to me to be an issue that goes to the core of the design synopsis of a system such as g/pgp. On the other hand, the inverse of it has been built so deep into the system that somehow it appears impossible to discuss it "sine ira et studio".

On the other hand, WoT brings with it an immense problem for a large number of those that need to communicate in secrecy: it is providing an adversary with a traffic analysis tool that he can only wish for.
To state - as those who promote the system in its present shape do - that they should not worry about this fact is naive. The current change of legal landscape is undeniable: not only can various magistrates force the user to reveal his cryptographic key, but it has become common that such keys must be produced, often years after the fact, in civil litigations.

In this combination of technical characteristics of the product and wider environment in which it is used, we simply must ask ourselves: Just who is left to use the system and why would he or she want to do it?

Or - Web of Trust isn't the solution, Web of Trust is the problem. Consequently, a WoT "improvement mechanism" such as outlined in the presentation is, unfortunately, extremely unlikely to advance the adoption of g/pgp.

MacRober

From wk at gnupg.org Thu Jan 7 12:40:33 2010
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Jan 2010 12:40:33 +0100
Subject: Web of Trust itself is the problem
In-Reply-To: <4B45AB1A.3030500@gmail.com>
References: <4B45AB1A.3030500@gmail.com>
Message-ID: <87my0q16tq.fsf@vigenere.g10code.de>

On Thu, 07 Jan 2010 09:36:26 +0000, makrober wrote:

> G/PGP isn't widely used because it does not address adequately the
> real-life operational circumstances of the potential user, and

I still believe that OpenPGP along with PGP 2.1 is the most used data protection scheme for plain data and email. We don't have any hard facts except for problem reports we have seen over more than a decade. There must be a reason why OpenPGP applications are even sold for mainframes; they need to exchange data with Unix and PC users.

> On the other hand, WoT brings with it an immense problem for a
> large number of those that need to communicate in secrecy: it is
> providing an adversary with a traffic analysis tool that he can
> only wish for. To state - as those who promote the system in its

That is simply not true. The only fact you can read from the WoT is that two persons have met around some date. That is in most circumstances not a secret fact; you merely have to look at the list of attendees of conferences. The WoT can give you only a clue if you have only a few signatures on your key.

You can get a better set of data for traffic analysis by monitoring the keyservers. However this has nothing to do with the WoT.

> Or - Web of Trust isn't the solution, Web of Trust is the problem.
> Consequently, a WoT "improvement mechanism" such as outlined in
> the presentation is, unfortunately, extremely unlikely to advance
> the adoption of g/pgp.

Until recently almost every mail client simply ignored the key validity and encrypted anyway. Yes, that is not as one should do it but it shows that the WoT is not really used. The majority of people don't care. For example.
my key is around for many years now and for quite some time it has been one of the top connected keys. Despite that I only recently could find a trust path to the keys used to sign the linux kernel. The Linux hackers obviously didn't care about getting involved into the WoT.

(I am not sure whether this is pro or contra to your statement ;-)

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From makrober at gmail.com Thu Jan 7 13:35:47 2010
From: makrober at gmail.com (makrober)
Date: Thu, 07 Jan 2010 12:35:47 +0000
Subject: Web of Trust itself is the problem
In-Reply-To: <87my0q16tq.fsf@vigenere.g10code.de>
References: <4B45AB1A.3030500@gmail.com> <87my0q16tq.fsf@vigenere.g10code.de>
Message-ID: <4B45D523.60905@gmail.com>

Thanks for your comments Werner;

Werner Koch wrote:
> On Thu, 07 Jan 2010 09:36:26 +0000, makrober wrote:
>
>> G/PGP isn't widely used because it does not address adequately the
>> real-life operational circumstances of the potential user, and
>
> I still believe that OpenPGP along with PGP 2.1 is the most used data
> protection scheme for plain data and email.

Correct, but still there is no doubt that only a very small fraction of what I would call "qualified e-mail" is encrypted. (In this context, let's agree that "qualified" is mail between two parties that have a trust relationship and a real need for secrecy (from whatever adversary!) as opposed to those that would just encrypt the mail out of style or principle.)

We probably agree at least that the adoption of encryption in computer communication, both "general" and "qualified" communication is surprisingly low, and that it is worth examining why is this the case and what should or could be done to change that.

I offered one view of the reasons, but in the following I would also suggest what would be worth undertaking:

Using the excellent crypto-code base of GnuPG, a derivative public key encryption/decryption product with the following characteristics should be created:

1) it should be communication channel and protocol agnostic.

2) its operational components should be self-contained; i.e., it should assume it is running on a stand-alone computer. It should require no tight integration with the operating system of the computer it is running on.

4) until successfully decrypted, none of the data it operates on should be distinguishable from a random stream.

5) it assumes that someone or something outside of the system guarantees the authenticity of fingerprint of the public key of the corresponding party.

6) it can be both shell-driven and provide an API for the inclusion into a variety of software products that manage the variety of constantly evolving communication channels and protocols.

MacRober

From greg at turnstep.com Thu Jan 7 12:43:13 2010
From: greg at turnstep.com (Greg Sabino Mullane)
Date: Thu, 7 Jan 2010 11:43:13 -0000
Subject: Web of Trust itself is the problem
In-Reply-To: <4B45AB1A.3030500@gmail.com>
Message-ID: <807e6c68c1ddbea3c5deb9d25f55b622@biglumber.com>

> But the rest of the "Why isn't [it] used" is plain wrong.
>
> G/PGP isn't widely used because it does not address adequately the
> real-life operational circumstances of the potential user, and
> Web of Trust is the main culprit. It brings an enormous burden to
> the development and - consequently - to the daily use of the system.
> This burden is of such magnitude that it prevents all but technically
> very competent computer users from adopting the system.
> Yet it addresses the need that is present, I propose, only for a very minor
> segment of users: those that would like to communicate in secrecy
> but have not had a previous trusted relationship.

You're disregarding the other major use of the WoT, which is authentication.

--
Greg Sabino Mullane greg at turnstep.com
PGP Key: 0x14964AC8 201001070642
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

From makrober at gmail.com Thu Jan 7 14:30:28 2010
From: makrober at gmail.com (makrober)
Date: Thu, 07 Jan 2010 13:30:28 +0000
Subject: Web of Trust itself is the problem
In-Reply-To: <807e6c68c1ddbea3c5deb9d25f55b622@biglumber.com>
References: <807e6c68c1ddbea3c5deb9d25f55b622@biglumber.com>
Message-ID: <4B45E1F4.8030505@gmail.com>

Greg Sabino Mullane wrote:
>> But the rest of the "Why isn't [it] used" is plain wrong.
>>
>> G/PGP isn't widely used because it does not address adequately the
>> real-life operational circumstances of the potential user, and
>> Web of Trust is the main culprit. It brings an enormous burden...
>
> You're disregarding the other major use of the WoT, which is
> authentication.

A public key communication system such as gnupg can have three, somewhat related but to the user very distinct purposes:

1) secrecy of communication
2) authentication of the public key of message recipient.
3) non-repudiation of the content by its sender.

To a cryptographer, all three may seem equally important. In practice, they are not: the first one is of extreme importance and can not be substituted by any means outside of the system. The second not only can be achieved by methods that operate in addition to or outside of the system, but it is, for various reasons I outlined before, sometimes (or perhaps even often?) desirable to do so. Finally, the third (I believe this is what you refer to above?) is, in practical terms, an extremely rare requirement when compared to the first one.

If the above is the case, making a system very hard to use because of secondary objectives which are either hardly ever of real use (non-repudiation) or likely/preferably achieved by other means better, can't be conducive to the wide adoption of such system.

MacRober

From dkg at fifthhorseman.net Thu Jan 7 16:45:04 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 07 Jan 2010 10:45:04 -0500
Subject: Web of Trust itself is the problem
In-Reply-To: <4B45AB1A.3030500@gmail.com>
References: <4B45AB1A.3030500@gmail.com>
Message-ID: <4B460180.8050302@fifthhorseman.net>

On 01/07/2010 04:36 AM, makrober wrote:
> *Most individuals will rarely, if ever, be motivated to communicate
> in secrecy with someone they don't already have a trusted
> relationship with*.

I beg to differ. anyone who has ever conducted online business has a strong incentive for communications secrecy with a remote party with whom they do not yet have a trusted relationship. At the very least, the transfer of payment credential information is something most people would prefer was only seen by the other party in the transaction.

The fact that most online transactions like this happen through the world wide web these days, and not e-mail, is perhaps a reason that the WoT does not have wider adoption, since the WoT is not used for the www (yet -- some of us are working on that).

Online transactions are only one of many examples, but probably the one that people are most familiar with.

The WoT also provides a method to handle situations like key loss or revocation, and subsequent new keys without forcing the keyholder to meet up in-person (or otherwise secured out-of-band) with every one of their contacts.

Why is this all relevant? There are good reasons why you might be interested in knowing that someone specific signed something public, of course (e.g. software signatures, advice on mailing lists or other fora, etc). But for non-public communications: you *must* know who the remote endpoint is in order to have truly secret communications. Without that knowledge, you are communicating with an unknown party, so who are you keeping things secret from?

"secret" communications with an unknown remote party over a trivially-compromised communications medium are anything but secret.

--dkg

From lee_andre at bellsouth.net Thu Jan 7 17:38:06 2010
From: lee_andre at bellsouth.net (Andre Lee)
Date: Thu, 7 Jan 2010 08:38:06 -0800 (PST)
Subject: Passphrase error
Message-ID: <595325.30046.qm@web180715.mail.sp1.yahoo.com>

Hey John,

Same code that was deployed on this server has worked on 2 other servers, my dev and test servers. The code has not been altered in any way. I've found that the linux admin had to tweak the new test server to get it working like the dev server. After that tweak was made the code started to work just fine. The tweak that was made was updating gpg to 1.4.2 as the my dev server. We did the same to my BAT server but that didn't work.

Andre

From hawke at hawkesnest.net Thu Jan 7 17:50:35 2010
From: hawke at hawkesnest.net (Alex Mauer)
Date: Thu, 07 Jan 2010 10:50:35 -0600
Subject: Web of Trust itself is the problem
In-Reply-To: <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net>
Message-ID:

On 01/07/2010 09:45 AM, Daniel Kahn Gillmor wrote:
> Why is this all relevant? There are good reasons why you might be
> interested in knowing that someone specific signed something public, of
> course (e.g. software signatures, advice on mailing lists or other fora,
> etc). But for non-public communications: you *must* know who the remote
> endpoint is in order to have truly secret communications. Without that
> knowledge, you are communicating with an unknown party, so who are you
> keeping things secret from?
>
> "secret" communications with an unknown remote party over a
> trivially-compromised communications medium are anything but secret.

They're only unknown the first time you contact them. It is useful to know that the second time you contact foo at example.com it's the same party you contacted the first time. Or that the phishing email you received from bar at example.com didn't actually come from the same party you corresponded with last week.

Many people have correspondence with people they never have and never will meet in person, and knowing that it's always the same person is still helpful.

-Alex Mauer "hawke"

From dkg at fifthhorseman.net Thu Jan 7 18:02:45 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 07 Jan 2010 12:02:45 -0500
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net>
Message-ID: <4B4613B5.3030902@fifthhorseman.net>

On 01/07/2010 11:50 AM, Alex Mauer wrote:
> Many people have correspondence with people they never have and never
> will meet in person, and knowing that it's always the same person is
> still helpful.

agreed, key continuity checking is itself a useful tool, and maybe more OpenPGP implementations should provide ways to facilitate that for keys that *aren't* well-bound to the Web of Trust by the user's current trust database.

Key continuity checking doesn't solve the problem of initial contact, though. And it doesn't cope well with re-keying in the event of a compromise. So having functional, cryptographically-valid infrastructure available to handle those important cases is a good thing.

--dkg

From mariocastelancastro at gmail.com Thu Jan 7 18:08:33 2010
From: mariocastelancastro at gmail.com (Mario Castelán Castro)
Date: Thu, 7 Jan 2010 11:08:33 -0600
Subject: Web of Trust itself is the problem
In-Reply-To: <4B4613B5.3030902@fifthhorseman.net>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID:

January 7th 2010 in gnupg-users at gnupg.org thread "Web of Trust itself is the problem"

I think the WoT and in general the cryptography is not widely used because few people really care about their privacy. Is about the same issue as free software, there is possible to use only free software but most people don't aim at a fully free environment because they are really careless about freedom, same with cryptography, very few really care about their privacy.

From rjh at sixdemonbag.org Thu Jan 7 18:23:55 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 07 Jan 2010 12:23:55 -0500
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID: <4B4618AB.3000708@sixdemonbag.org>

On 1/7/10 12:08 PM, Mario Castelán Castro wrote:
> very few really care about their privacy.

The fact that "free credit reporting services" are making a ton of money, as are services like LifeLock and whatnot, plus the huge media impact of identity theft, etc., all points to people knowing their privacy is at risk and feeling stressed out about it.

However, most people lack the skills necessary to do anything about their privacy, and lack the inclination (time, energy, or even self-confidence) to do anything about their lack of skills.

From wk at gnupg.org Thu Jan 7 19:30:57 2010
From: wk at gnupg.org (Werner Koch)
Date: Thu, 07 Jan 2010 19:30:57 +0100
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net>
Message-ID: <87iqbd22e6.fsf@vigenere.g10code.de>

On Thu, 07 Jan 2010 10:50:35 -0600, Alex Mauer wrote:

> They're only unknown the first time you contact them. It is useful to
> know that the second time you contact foo at example.com it's the same
> party you contacted the first time. Or that the phishing email you

MUA authors should really add a feature supporting this. In particular storing the fingerprint of a key in the address book. We are talking about this for years but to my knowledge it has never been implemented.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mwood at IUPUI.Edu Thu Jan 7 19:27:16 2010
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Thu, 7 Jan 2010 13:27:16 -0500
Subject: Web of Trust itself is the problem
In-Reply-To: <4B4618AB.3000708@sixdemonbag.org>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <4B4618AB.3000708@sixdemonbag.org>
Message-ID: <20100107182716.GB4667@IUPUI.Edu>

On Thu, Jan 07, 2010 at 12:23:55PM -0500, Robert J. Hansen wrote:
> On 1/7/10 12:08 PM, Mario Castelán Castro wrote:
> > very few really care about their privacy.
>
> The fact that "free credit reporting services" are making a ton of
> money, as are services like LifeLock and whatnot, plus the huge media
> impact of identity theft, etc., all points to people knowing their
> privacy is at risk and feeling stressed out about it.
>
> However, most people lack the skills necessary to do anything about
> their privacy, and lack the inclination (time, energy, or even
> self-confidence) to do anything about their lack of skills.

I think this hits way below the level of technology. We haven't been taught useful ways of thinking about our security and identity w.r.t. the world we now live in. When concepts like "authentication" and "trust" are seriously discussed in grade school (perhaps in smaller words :-) then we'll begin to build a society (as opposed to a few experts and enthusiasts) which is prepared to use these tools effectively.

As it is, few know *how* to care about their privacy.

--
Mark H. Wood, Lead System Programmer, enthusiast mwood at IUPUI.Edu
Friends don't let friends publish revisable-form documents.

From stefanxe at gmx.net Thu Jan 7 22:04:55 2010
From: stefanxe at gmx.net (Stefan Xenon)
Date: Thu, 07 Jan 2010 22:04:55 +0100
Subject: GPG4Win for OpenPGP Card 2 ?
In-Reply-To: <4B45A673.1000301@mozilla-enigmail.org>
References: <4B4596E3.3050900@gmx.net> <4B45A673.1000301@mozilla-enigmail.org>
Message-ID: <4B464C77.6090203@gmx.net>

Unfortunately it does not work for me (Thus I thought it wouldn't work in general). When generating new keys I get the following error:

Ändern: (N)ame, (K)ommentar, (E)-Mail oder (F)ertig/(B)eenden? f
gpg: Prüfung der erstellten Unterschrift ist fehlgeschlagen: Bad signature
gpg: Beglaubigung fehlgeschlagen: Bad signature
gpg: make_keysig_packet failed: Bad signature
Schlüsselerzeugung fehlgeschlagen: Bad signature

Any idea?

On 07.01.2010 10:16, Olav Seyfarth wrote:
> Hi Stefan,
>
>> GPG4Win is a great package but unfortunately the included GnuPG 2.0.12
>> does not support the OpenPGP Card v2. Is there a schedule when a new
>> release of GPG4Win will be released? This would be great!
>
> GPG4Win 2.0.1 / GnuPG 2.0.12 does support the OpenPGP card v2. In fact,
> this Email is signed by TB3.0/EM1.0/GPG4Win2.0.1.
>
> Olav

From marcus.brinkmann at ruhr-uni-bochum.de Fri Jan 8 02:44:50 2010
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann)
Date: 8 Jan 2010 02:44:50 +0100
Subject: [Announce] libassuan 2.0.0 released
Message-ID: <4B468E12.7050500@ruhr-uni-bochum.de>

Hi,

libassuan 2.0.0 is a new branch of libassuan development. It provides a shared library which is a dependency of the upcoming versions of GPGME, GnuPG 2.1.x and others. Note that this version of libassuan is incompatible with previous versions of libassuan, and can not be installed side-by-side with libassuan 1.0.x.

ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.0.tar.bz2
ftp://ftp.gnupg.org/gcrypt/libassuan/libassuan-2.0.0.tar.bz2.sig

The sha1sums of these files are:

b03c586a4eefdfc0bb1ec65ecf958b9890d429f7  libassuan-2.0.0.tar.bz2
6880f16b5e3af442b457a86637caa6411b73b677  libassuan-2.0.0.tar.bz2.sig

Because this is the first version of libassuan providing a shared library, a lot of effort was spent into making the API/ABI of libassuan extensible and future-proof. Please see below, the file NEWS and the file doc/README.apichanges for details.

Noteworthy changes in version 2.0.0 (2009-01-08)
------------------------------------------------

 * Now using libtool and builds a DSO.

 * Lots of interface cleanups. See below for details of the most
   important changes. Here is a quick note on how to upgrade:

   For each invocation of the connect or server functions, allocate a
   context with assuan_new and use that. Instead of assuan_disconnect
   or assuan_deinit_server, call assuan_release. Use
   assuan_set_gpg_err_source instead of assuan_set_assuan_err_source.
   If you use assuan_pipe_connect with NAME of NULL, you have to
   provide a non-NULL ARGV argument and check that against "server"
   or "client" to determine which end you got after fork(). If you
   use the assuan sock interface, you must call assuan_sock_init after
   setting global context defaults. Add a NULL as the last arg to
   assuan_register_command.

 * Pth support has changed. This now follows the same style as
   libgcrypt by setting system hook callbacks.

 * Interface changes relative to the 1.0.5 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 _ASSUAN_ONLY_GPG_ERRORS              REMOVED
 assuan_set_assuan_err_source         REMOVED: Use assuan_set_gpg_err_source.
 assuan_set_gpg_err_source            NEW
 assuan_get_gpg_err_source            NEW
 assuan_strerror                      REMOVED
 ASSUAN_*                             Error values removed.
 assuan_error_t                       REMOVED
 AssuanError                          REMOVED
 assuan_init_connected_socket_server  REMOVED
 assuan_pipe_connect2                 REMOVED
 AssuanCommand                        REMOVED
 assuan_flag_t                        CHANGED: From enum to unsigned int.
 ASSUAN_CONTENT                       REMOVED
 assuan_disconnect                    REMOVED: Use assuan_release.
 assuan_deinit_server                 REMOVED: Use assuan_release.
 assuan_get_malloc_hooks              NEW
 assuan_set_log_cb                    NEW
 assuan_get_log_cb                    NEW
 assuan_new_ext                       NEW
 assuan_new                           NEW
 assuan_release                       NEW
 assuan_init_socket_server            CHANGED: Take ctx arg instead of pointer to ctx.
                                      CHANGED: As assuan_init_socket_server_ext was.
 assuan_init_socket_server_ext        REMOVED
 assuan_socket_connect                CHANGED: Take ctx arg instead of pointer to ctx.
                                      CHANGED: Is what assuan_socket_connect_ext was.
 assuan_socket_connect_ext            REMOVED
 assuan_pipe_connect                  CHANGED: Take ctx arg instead of pointer to ctx.
                                      If NAME is NULL, ARGV will contain fork result.
                                      CHANGED: Is now what assuan_pipe_connect_ext was.
                                      CHANGED: Child fds are now assuan_fd_t.
 assuan_pipe_connect_ext              REMOVED
 assuan_init_pipe_server              CHANGED: Take ctx arg instead of pointer to ctx.
                                      CHANGED: Swallows fds (are closed at end).
                                      CHANGED: Take assuan_fd_t.
 assuan_fdopen                        NEW
 assuan_set_io_hooks                  REMOVED: Use assuan_system_hooks interface.
 assuan_io_hooks_t                    REMOVED: Use assuan_system_hooks interface.
 assuan_io_monitor_t                  CHANGED: Add a hook data argument.
 assuan_get_command_name              NEW
 assuan_msghdr_t                      NEW
 ASSUAN_INVALID_PID                   NEW
 ASSUAN_NO_FIXSIGNALS                 NEW
 ASSUAN_SYSTEM_HOOKS_VERSION          NEW
 assuan_system_hooks_t                NEW
 assuan_set_system_hooks              NEW
 assuan_ctx_set_system_hooks          NEW
 ASSUAN_SYSTEM_PTH_IMPL               NEW
 ASSUAN_SYSTEM_PTH_DECL               NEW
 ASSUAN_SYSTEM_PTH                    NEW
 assuan_sock_init                     NEW
 assuan_sock_deinit                   NEW
 assuan_handler_t                     NEW
 assuan_register_command              CHANGED: Add arg HELP_STRING.
 assuan_register_bye_notify           CHANGED: Handler gets line and returns err now.
 assuan_register_reset_notify         CHANGED: Handler gets line and returns err now.
 assuan_register_cancel_notify        CHANGED: Handler gets line and returns err now.
 assuan_register_input_notify         CHANGED: Handler returns error now.
 assuan_register_output_notify        CHANGED: Handler returns error now.
 assuan_process_next                  CHANGED: New DONE argument instead EOF return.
 ASSUAN_PIPE_CONNECT_FDPASSING        NEW
 ASSUAN_PIPE_CONNECT_DETACHED         NEW
 ASSUAN_SOCKET_SERVER_FDPASSING       NEW
 ASSUAN_SOCKET_SERVER_ACCEPTED        NEW
 ASSUAN_SOCKET_CONNECT_FDPASSING      NEW
 assuan_peercred_t                    NEW
 assuan_get_peercred                  CHANGED: Return assuan_peercred_t.
 assuan_client_read_response          NEW
 assuan_client_parse_response         NEW
 assuan_fd_from_posix_fd              NEW
 ASSUAN_SPAWN_DETACHED                NEW
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
g10 Code GmbH            http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                                    Geschäftsführung Werner Koch
D-40699 Erkrath   -=- The GnuPG Experts -=-      USt-Id DE215605608

From dshaw at jabberwocky.com Fri Jan 8 05:20:52 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 7 Jan 2010 23:20:52 -0500
Subject: 768-bit RSA factored
Message-ID: <6CAC6B07-896D-4657-851A-CE83DA4D2C42@jabberwocky.com>

No terrible shock - we knew this was coming, but still, how wonderfully neat, and a new factoring record, too.

http://eprint.iacr.org/2010/006

Note that 1024-bit RSA has not yet been factored, but if you haven't phased it out yet, it's really time to get started. It's supposed to be completely phased out by this year anyway, at least by those following NIST and a few other guidelines.

David

From faramir.cl at gmail.com Fri Jan 8 06:29:04 2010
From: faramir.cl at gmail.com (Faramir)
Date: Fri, 08 Jan 2010 02:29:04 -0300
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID: <4B46C2A0.2080903@gmail.com>

Mario Castelán Castro wrote:
...
> I think the WoT and in general the cryptography is not widely used
> because few people really care about their privacy.

I agree... one of my friends seems to think cryptography is useful for mafia and pedophiles. Other friends just say "interesting" and try to change the subject.

Best Regards

From minaev at gmail.com Fri Jan 8 11:01:22 2010
From: minaev at gmail.com (Dmitri Minaev)
Date: Fri, 8 Jan 2010 14:01:22 +0400
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID:

On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro wrote:
> I think the WoT and in general the cryptography is not widely used
> because few people really care about their privacy.

IMHO, there's another problem, an entry barrier to the WoT. The practice of key exchange is widespread in very close circles of geeks, Linux developers and, to a certain degree, scientists. For someone who does not belong to these categories and does not attend any conferences, the web of trust is hardly reachable. Unfortunately, I know no solutions besides commercial CAs.

--
With best regards,
Dmitri Minaev
Russian history blog: http://minaev.blogspot.com

From simon at josefsson.org Fri Jan 8 14:16:45 2010
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 08 Jan 2010 14:16:45 +0100
Subject: Web of Trust itself is the problem
In-Reply-To: (Dmitri Minaev's message of "Fri, 8 Jan 2010 14:01:22 +0400")
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID: <87wrzs3feq.fsf@mocca.josefsson.org>

Dmitri Minaev writes:
> On Thu, Jan 7, 2010 at 9:08 PM, Mario Castelán Castro
> wrote:
>
>> I think the WoT and in general the cryptography is not widely used
>> because few people really care about their privacy.
>
> IMHO, there's another problem, an entry barrier to the WoT. The
> practice of key exchange is widespread in very close circles of geeks,
> Linux developers and, to a certain degree, scientists. For someone who
> does not belong to these categories and does not attend any
> conferences, the web of trust is hardly reachable. Unfortunately, I
> know no solutions besides commercial CAs.

Sites such as http://biglumber.com/x/web can help with this. My perception of it is that it does not exclude non-geeky people.

/Simon

From pl at ninthfloor.org Fri Jan 8 13:56:33 2010
From: pl at ninthfloor.org (Paride Legovini)
Date: Fri, 8 Jan 2010 12:56:33 +0000
Subject: ElGamal key results revoked on keyserver but not locally
Message-ID: <20100108125633.GD528@ninthfloor.org>

Hello gnupg-users,

some time ago I messed up a keypair I use, see:

http://pgpkeys.pca.dfn.de/pks/lookup?search=torn%40autistici.org&op=vindex

There's a double selfsig on the main uid. I don't know/remember why, but this isn't the real problem. Then there's a secondary uid, revoked. Everything seems OK here. Then we find the 1024g/6AFBDDF2 ElGamal key, revoked.

Finally, there's a second ElGamal key (1024g/71D7872E), with two `sbind' entries that I can't explain. This key seems revoked too, however, when I import all this stuff to my local keyring, the 71D7872E key does not result revoked (the 6AFBDDF2 does).

I can't find what's wrong. I'd prefer to see both the ElGamal keys revoked as the keyserver says, and then generate a new, clean ElGamal key to use for encryption, without this strange mess.

Any clue?

Thank you!

Paride

From wk at gnupg.org Fri Jan 8 16:54:20 2010
From: wk at gnupg.org (Werner Koch)
Date: Fri, 08 Jan 2010 16:54:20 +0100
Subject: ElGamal key results revoked on keyserver but not locally
In-Reply-To: <20100108125633.GD528@ninthfloor.org>
References: <20100108125633.GD528@ninthfloor.org>
Message-ID: <87637c1tjn.fsf@vigenere.g10code.de>

On Fri, 8 Jan 2010 12:56:33 +0000, Paride Legovini wrote:
> Finally, there's a second ElGamal key (1024g/71D7872E), with two `sbind'
> entries that I can't explain. This key seems revoked too, however, when
> I import all this stuff to my local keyring, the 71D7872E key does not
> result revoked (the 6AFBDDF2 does).

While importing this key I get these warnings:

  gpg: key 6E2D5847: no subkey for subkey revocation signature
  gpg: key 6E2D5847: no subkey for key revocation
  gpg: key 6E2D5847: invalid subkey binding
  gpg: key 6E2D5847: invalid subkey revocation
  gpg: key 6E2D5847: subkey signature in wrong place - skipped

Thus gpg detected the bad or misplaced signatures and removed them. Leading to a valid key:

  pub 1024D/6E2D5847 2003-09-14
  uid torn (main key)

References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <87wrzs3feq.fsf@mocca.josefsson.org>
Message-ID:

January 8th 2010 in gnupg-users at gnupg.org thread "Web of Trust itself is the problem"

>However, most people lack the skills necessary to do anything about
>their privacy, and lack the inclination (time, energy, or even
>self-confidence) to do anything about their lack of skills.

Of course, no one is born knowing how to use GNU PG but the one with true interest in privacy will learn, that is my point.

>>I think the WoT and in general the cryptography is not widely used
>>because few people really care about their privacy.

>IMHO, there's another problem, an entry barrier to the WoT. The
>practice of key exchange is widespread in very close circles of
>geeks, Linux developers and, to a certain degree, scientists. For
>someone who does not belong to these categories and does not attend
>any conferences, the web of trust is hardly reachable. Unfortunately,
>I know no solutions besides commercial CAs.

Well, you really don't *need* to be within WoT to use crypto, the confidence level will be less but for most people it is enough.

>Sites such as http://biglumber.com/x/web can help with this. My
>perception of it is that it does not exclude non-geeky people.

Did you count the cities in the list, they are just 11 of thousands and thousands around the world; it helps of course, but very little.

From minaev at gmail.com Fri Jan 8 17:58:09 2010
From: minaev at gmail.com (Dmitri Minaev)
Date: Fri, 8 Jan 2010 20:58:09 +0400
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <87wrzs3feq.fsf@mocca.josefsson.org>
Message-ID:

On Fri, Jan 8, 2010 at 8:21 PM, Mario Castelán Castro wrote:
>>IMHO, there's another problem, an entry barrier to the WoT. The
>>practice of key exchange is widespread in very close circles of
>>geeks, Linux developers and, to a certain degree, scientists. For
>>someone who does not belong to these categories and does not attend
>>any conferences, the web of trust is hardly reachable. Unfortunately,
>>I know no solutions besides commercial CAs.
>
> Well, you really don't *need* to be within WoT to use crypto, the
> confidence level will be less but for most people it is enough.

Actually, you don't really *need* to use crypto in email, the confidence level will be less, but to most people it is enough :)

--
With best regards,
Dmitri Minaev
Russian history blog: http://minaev.blogspot.com

From vedaal at hush.com Fri Jan 8 18:41:37 2010
From: vedaal at hush.com (vedaal at hush.com)
Date: Fri, 08 Jan 2010 12:41:37 -0500
Subject: very short plaintexts symmetrically encrypted
Message-ID: <20100108174137.CE56311803D@smtp.hushmail.com>

have been playing around with symmetrical encryption, and noticed something potentially concerning.

Here are 6 symmetrically encrypted short plaintexts:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1
NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms=
=XWY4
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0
W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s=
=gedo
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G
Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM=
=pCzG
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7
VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr
=mJ2N
-----END PGP MESSAGE-----

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: passphrase sss

jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ
VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0
=3xs4
-----END PGP MESSAGE-----

Version: GnuPG v1.4.10 (MingW32)
Comment: passphrase sss

jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f
Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx
=+8HY
-----END PGP MESSAGE-----

The first 3 encryptions are of the word 'no', while the second 3 are of the word 'yes'. All 6 are with the same passphrase 'sss' and the same algorithm, twofish.

For the first 3, where only 2 letters of plaintext are encrypted, the pgp encryption (before the checksum), ends in the '=' padding character. For the second 3, where 3 letters are encrypted, the message ends in a different character (no padding).

Should it be 'this easy' to distinguish the relative lengths of plaintexts just by looking at the ascii armor??

Obviously, encryptions of much longer plaintexts can't be expected to be the same size as that of a 2 character plaintext, and I haven't taken a long careful look at this, but I suspect that by increasing the plaintext one character at a time, and looking at the encrypted outputs, it should be possible to detect 'ranges' of plaintext length that correspond to a particular ciphertext length for symmetrically encrypted unsigned messages.

At any rate, it seems disturbingly easy to distinguish between symmetrically encrypted messages having only the word 'yes' or 'no' just by 'looking' at the ciphertext.

--vedaal

From gnupg-users at chaos.demon.nl Fri Jan 8 19:04:53 2010
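[Added example, not part of vedaal's post or of GnuPG: a Python script that measures the length leak described in that post. It decodes the six quoted radix-64 bodies, walks the OpenPGP packet headers (layout per RFC 4880) and labels ciphertexts by size alone, without the passphrase. The function and variable names are this example's own.]

```python
import base64

# Radix-64 bodies of the six messages quoted in the post (armor CRC lines
# omitted). Per the post: the first three encrypt "no", the last three "yes".
QUOTED = [
    ("no",  "jA0ECgMIml0qMoARY01g0kUBK8nPnLhmkn4QbxiOvxyn9eqhkzr5mNIwcsw6VBZ1"
            "NN7uq1nmgognD0kmJgkGDNU4oz/vV+ejeWLVO3SmcHUy6u6w+Ms="),
    ("no",  "jA0ECgMIOndbAQsuZBZg0kUBK3MlS0cZpFiAOxryAQxURcemcoUU1rnXMWM4xKi0"
            "W/uV+hvidvaT2TvSA/2xIbySxm73TXyls+bDlhD8MbZgtry6c9s="),
    ("no",  "jA0ECgMI/nsO48zBbAFg0kUBq5wMSDD10nk1pVWEEBpvqwGz7WJhJ7IeM8C98p9G"
            "Yt5MC9ttIMAkPiBZCngeGdj8nPGb4euDc1zd+7kma6vOJ8O1REM="),
    ("yes", "jA0ECgMIPXDKy8Ndvc1g0kYBknfVVdjMwW+69k1zvJ1r5UAh9RpGglqqhBTDx2t7"
            "VUGkCEzvbvg4JgaPji7yxtV+/YWKDq3vNCryVvWgTqjvP72VdJcr"),
    ("yes", "jA0ECgMIYMx0p8nncL1g0kYByHXygeoyXbZfxf5ePIYlXqxVfqthNhw62xjx7tFQ"
            "VwzfcRlmL1ngUHs0LBPT5Ze/eBOOqIGc2DJKUlzJYy3dxBrEbiZ0"),
    ("yes", "jA0ECgMIJ3YsA8JXXAZg0kYBvvU4H/c+d/D+nu8Dbc4WM9fRdKuzu/MVBFOGeq/f"
            "Z+pQA6buwnRzlvXsliFZkt1GHCDuxWKaqtR7RBzL6U8G4hUfJINx"),
]

# Symmetric algorithm IDs from RFC 4880, section 9.2 (subset).
CIPHER_NAMES = {7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}


def parse_packets(data):
    """Split binary OpenPGP data into (tag, body) pairs (RFC 4880, section 4.2)."""
    packets, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            nbytes = 1 << ltype             # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        if pos + length > len(data):
            raise ValueError("packet body runs past end of data")
        packets.append((tag, data[pos:pos + length]))
        pos += length
    return packets


def observe(armor_body):
    """What an observer learns from one armored message without the passphrase."""
    raw = base64.b64decode(armor_body, validate=True)
    packets = dict(parse_packets(raw))      # tag -> body; one packet per tag here
    skesk, seipd = packets[3], packets[18]  # session-key packet, encrypted data
    return {
        "total_bytes": len(raw),
        "armor_padding": armor_body.count("="),
        "cipher": CIPHER_NAMES.get(skesk[1], str(skesk[1])),
        "encrypted_body_bytes": len(seipd),
    }


def classify_by_length(known, unknown_bodies):
    """Label unknown ciphertexts using only lengths learned from known ones."""
    table = {observe(body)["encrypted_body_bytes"]: label for label, body in known}
    return [table.get(observe(b)["encrypted_body_bytes"], "?") for b in unknown_bodies]


if __name__ == "__main__":
    for label, body in QUOTED:
        print(label, observe(body))
    known = [QUOTED[0], QUOTED[3]]          # one reference message per answer
    rest = [QUOTED[i][1] for i in (1, 2, 4, 5)]
    print("guessed from length only:", classify_by_length(known, rest))
```

[The salt and IV differ per message, so the bytes differ, but every 'no' decodes to 86 bytes and every 'yes' to 87; the trailing '=' is base64 padding reflecting that one-byte difference.]
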
From: gnupg-users at chaos.demon.nl (Pepijn Schmitz)
Date: Fri, 08 Jan 2010 19:04:53 +0100
Subject: Inhibit pgp-agent warning?
Message-ID: <1262973893.3553.450.camel@peregrin>

Hi everyone,

I have a backup script which uses gpg to encrypt the backup, and is executed every night by cron (both by root as by an admin user). This is gpg 1.4.6 on Ubuntu Hardy LTS.

My problem is that gpg insists on printing a "gpg: gpg-agent is not available in this session" warning every time, causing unnecessary emails from cron even when the backup is entirely successful. I tried adding the -q option to the command line, but that doesn't seem to make a difference. I don't want to run gpg-agent (since it is not needed), or redirect all output to /dev/null or a file (since I do want emails on genuine warnings).

Is there any way I can prevent this warning?

Kind regards,
Pepijn Schmitz

From holtzm at cox.net Fri Jan 8 19:39:35 2010
From: holtzm at cox.net (Robert Holtzman)
Date: Fri, 8 Jan 2010 11:39:35 -0700
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <87wrzs3feq.fsf@mocca.josefsson.org>
Message-ID: <20100108183935.GB19375@cox.net>

On Fri, Jan 08, 2010 at 10:21:51AM -0600, Mario Castelán Castro wrote:
>
> Did you count the cities in the list, they are just 11 of thousands
> and thousands around the world; it helps of course, but very little.

You obviously didn't try to use the search box to find more cities.

--
Bob Holtzman
Key ID: 8D549279
"If you think you're getting free lunch, check the price of the beer"

From htd at fritha.org Fri Jan 8 19:46:28 2010
From: htd at fritha.org (Heinz Diehl)
Date: Fri, 8 Jan 2010 19:46:28 +0100
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net>
Message-ID: <20100108184628.GA10874@fritha.org>

On 07.01.2010, Mario Castelán Castro wrote:
> I think the WoT and in general the cryptography is not widely used
> because few people really care about their privacy.

I think the overall stats for people using cryptography is that low because it is or seems too complicated for them. A lot of people in the world do not even know how to install Windows, and a whole lot of people even can't install programs on their computers properly. This is not meant in a discriminating way at all, this is the real life.

Personally I think a lot of people care about privacy, but are just not able and/or frightened to install something complex on their machines.

From christoph.anton.mitterer at physik.uni-muenchen.de Fri Jan 8 20:34:04 2010
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Fri, 08 Jan 2010 20:34:04 +0100
Subject: 768-bit RSA factored
In-Reply-To: <6CAC6B07-896D-4657-851A-CE83DA4D2C42@jabberwocky.com>
References: <6CAC6B07-896D-4657-851A-CE83DA4D2C42@jabberwocky.com>
Message-ID: <1262979244.3095.45.camel@fermat.scientia.net>

So let's hope the ECC draft makes it soon to be finished :) ... and implemented in gpg ;)

Cheers,
Chris.

From benjamin at py-soft.co.uk Fri Jan 8 21:03:53 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 8 Jan 2010 20:03:53 +0000
Subject: very short plaintexts symmetrically encrypted
In-Reply-To: <20100108174137.CE56311803D@smtp.hushmail.com>
References: <20100108174137.CE56311803D@smtp.hushmail.com>
Message-ID: <732076a81001081203p2150cf65i5157bf1cdd6bee22@mail.gmail.com>

2010/1/8 :
> At any rate, it seems disturbingly easy to distinguish between
> symmetrically encrypted messages having only the word 'yes' or 'no'
> just by 'looking' at the ciphertext.

i. Don't send such short messages
ii. Don't use symmetric encryption.

Ben

From olav at mozilla-enigmail.org Fri Jan 8 23:26:35 2010
From: olav at mozilla-enigmail.org (Olav Seyfarth)
Date: Fri, 08 Jan 2010 23:26:35 +0100
Subject: GPG4Win for OpenPGP Card 2 ?
In-Reply-To: <4B464C77.6090203@gmx.net>
References: <4B4596E3.3050900@gmx.net> <4B45A673.1000301@mozilla-enigmail.org> <4B464C77.6090203@gmx.net>
Message-ID: <4B47B11B.1090604@mozilla-enigmail.org>

Hi Stefan,

> gpg: Prüfung der erstellten Unterschrift ist fehlgeschlagen: Bad signature
> gpg: Beglaubigung fehlgeschlagen: Bad signature
> gpg: make_keysig_packet failed: Bad signature
> Schlüsselerzeugung fehlgeschlagen: Bad signature

No, I don't know what's causing it. But before examining further, I recommend to follow these steps to avoid any user settings to influence the test:

 - Backup and/or move your GnuPG settings aside (homedir: keyrings, gpg.conf etc.)
 - Uninstall all GnuPG and GPG4Win versions and wipe what's left in the program directory.
 - Make *sure* you only have one gpg.exe on your system. Check by searching your system drive / PATH.
 - Install GPG4Win
 - Reset your card* to factory presets
 - Retry using CLI to create a card key using defaults and an empty keyring

If that doesn't succeed, try to provide a more detailed error description (-v).

===============================================================
* How to reset a OpenPGP Card v2:

1. Create a FILE with this content:
_______________________________________________________________
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
_______________________________________________________________

2. Issue the command

   gpg-connect-agent < FILE
===============================================================

Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

From bernhard.kleine at gmx.net Fri Jan 8 23:08:30 2010
From: bernhard.kleine at gmx.net (Bernhard)
Date: Fri, 08 Jan 2010 23:08:30 +0100
Subject: Import of old keys
Message-ID: <1262988510.3805.6.camel@bernhard-desktop>

Hello,

For a long time I have used debian sid and gnupg with three keys for different purposes. After moving to Ubuntu (OT: for multimedia reasons) I fail to use these keys with the newly created account. I have access to all the old files and directories and would like to get some help for the incorporation of the old keys into the new system.

Thanks a lot!

Bernhard

From olav at mozilla-enigmail.org Sat Jan 9 00:21:12 2010
From: olav at mozilla-enigmail.org (Olav Seyfarth)
Date: Sat, 09 Jan 2010 00:21:12 +0100
Subject: Import of old keys
In-Reply-To: <1262988510.3805.6.camel@bernhard-desktop>
References: <1262988510.3805.6.camel@bernhard-desktop>
Message-ID: <4B47BDE8.70006@mozilla-enigmail.org>

Hi Bernhard,

> After moving to Ubuntu (OT: for multimedia reasons) I fail to use these
> keys with the newly created account. I have access to all the old files
> and directories and would like to get some help for the incorporation of
> the old keys into the new system.

GnuPG uses ~/.gnupg as homedir. It should be sufficient to move the content of your old homedir to the new one. Alternatively, you may let GnuPG import your keys and/or keyrings by using gpg --import .

What issues do you encounter?

Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

From holtzm at cox.net Sat Jan 9 07:51:25 2010
From: holtzm at cox.net (RobertHoltzman)
Date: Fri, 8 Jan 2010 23:51:25 -0700
Subject: Web of Trust itself is the problem
In-Reply-To: <20100108184628.GA10874@fritha.org>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <20100108184628.GA10874@fritha.org>
Message-ID: <20100109065125.GA30406@cox.net>

On Fri, Jan 08, 2010 at 07:46:28PM +0100, Heinz Diehl wrote:
>
> Personally I think a lot of people care about privacy, but are just not
> able and/or frightened to install something complex on their machines.

Then you get the contingent that says "I have nothing to hide".

--
Bob Holtzman
GPG key ID = 8D549279
If you think you're getting free lunch check the price of the beer.

From htd at fritha.org Sat Jan 9 14:49:13 2010
From: htd at fritha.org (Heinz Diehl)
Date: Sat, 9 Jan 2010 14:49:13 +0100
Subject: Web of Trust itself is the problem
In-Reply-To: <20100109065125.GA30406@cox.net>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <20100108184628.GA10874@fritha.org> <20100109065125.GA30406@cox.net>
Message-ID: <20100109134913.GC8009@fritha.org>

On 09.01.2010, RobertHoltzman wrote:
> > Personally I think a lot of people care about privacy, but are just not
> > able and/or frightened to install something complex on their machines.
> Then you get the contingent that says "I have nothing to hide".

What I've encountered is that lots of people answering that way do not actually mean what these words say, but use them as a way to avoid saying the truth: "I'm not able to install such software, I can not understand how this works at all, it seems way too complicated to me, and I do not want you to know that I do not even understand the slightest bit at all of what you're talking about" :-)

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

From gnupg at rimertis.ch Mon Jan 4 20:49:31 2010
From: gnupg at rimertis.ch (fava64)
Date: Mon, 4 Jan 2010 11:49:31 -0800 (PST)
Subject: Use DINSIG SmartCard
Message-ID: <27018282.post@talk.nabble.com>

Hi,

I'm the "proud" owner of a DINSIG SmartCard (due to professional reasons), and I'd like to use it on my Linux Ubuntu 9.10 System with a Cherry ST-2000 USB card-reader.

OpenPGP cards are well recognized by gpg and gpg2. In contrast, the command-line tool gpg says:

fava at desk:~$ gpg --card-status
gpg: detected reader `Cherry SmartTerminal ST-2XXX (000065e9) 00 00'
gpg: pcsc_connect failed: sharing violation (0x8010000b)
gpg: Kartenleser ist nicht vorhanden
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler

With gpg2, it's better:

fava at desk:~$ gpg2 --card-status
Application ID ...: FF7F00
gpg: this is a DINSIG compliant card
gpg: not an OpenPGP card

But still, no operation works:

ava at desk:~$ gpg2 --card-edit

Application ID ...: FF7F00
gpg: this is a DINSIG compliant card
gpg: not an OpenPGP card

Befehl> passwd
gpg: OpenPGP Karte Nr. FF7F00 erkannt

Error changing the PIN: Nicht unterstützte Verarbeitungsaufgabe

Is there a way to use the SmartCard?

Thank you for your interest
Fabio

--
View this message in context: http://old.nabble.com/Use-DINSIG-SmartCard-tp27018282p27018282.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From M8R-a49tw11 at mailinator.com Mon Jan 4 22:38:27 2010
From: M8R-a49tw11 at mailinator.com (impaled)
Date: Mon, 4 Jan 2010 13:38:27 -0800 (PST)
Subject: GPG batch Vista command line
Message-ID: <27019753.post@talk.nabble.com>

Hi, I am trying to automate symmetric decryption in a batch. I'm a newb both to pgp and to the command line :)

%pass% has been set earlier

for /r %%g in (*.*) do (
echo %pass%|gpg --batch -q --passphrase-fd 0 -c "%%g"
)

Instead of producing a decrypted file, it just prints the plaintext in the command line box.

If I specify a -o output

for /r %%g in (*.*) do (
echo %pass%|gpg --batch -q -o "%%g"--passphrase-fd 0 -c "%%g"
)

I get the error "handle plaintext failed: General error"

I guess this is because it's trying to decrypt %%g to %%g

I'd appreciate any suggestions on how to make this work, my encryption is going fine! :)

Thanks.

--
View this message in context: http://old.nabble.com/GPG-batch-Vista-command-line-tp27019753p27019753.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From frenchja at gmail.com Tue Jan 5 21:45:35 2010
From: frenchja at gmail.com (Jason French)
Date: Tue, 05 Jan 2010 14:45:35 -0600
Subject: Multiple Instances of gpg-agent
Message-ID: <4B43A4EF.10604@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Despite having near identical configurations between my work and home iMacs, I've noticed that at home it's not unusual to see 15 to 30 instances of gpg-agent processes open. I've been unable to remedy the situation, probably caused by my home iMac being around longer and suffering from multiple installs of GPGMail, MacGPG, MacGPG2, and Enigmail.

My understanding is that it retains secret keys. Is there any way to find out what keeps invoking so many instances of gpg-agent? I was unable to find anything in the email archives.

I'm on OS X 10.5.8 running Thunderbird 3.0 with Enigmail 1.0. Thanks in advance.

Best,
Jason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktDpO4ACgkQnz4f35d7IIlh2ACeJtBFptdE+bY+yr9evALdni/I
KIcAn3Z6qlQkt/T0YVvZwQmnQNqUk7nm
=mN6I
-----END PGP SIGNATURE-----

From benjamin at py-soft.co.uk Sat Jan 9 20:30:16 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 9 Jan 2010 19:30:16 +0000
Subject: Multiple Instances of gpg-agent
In-Reply-To: <4B43A4EF.10604@gmail.com>
References: <4B43A4EF.10604@gmail.com>
Message-ID: <732076a81001091130k6473b459web73dd7fc3727da7@mail.gmail.com>

2010/1/5 Jason French:
> I'm on OS X 10.5.8 running Thunderbird 3.0 with Enigmail 1.0. Thanks
> in advance.

I recommend upgrading to MacGPG2 v2.0.14-RC2 - see http://macgpg2.sourceforge.net/

Ben

From wk at gnupg.org Sat Jan 9 20:45:10 2010
From: wk at gnupg.org (Werner Koch)
Date: Sat, 09 Jan 2010 20:45:10 +0100
Subject: Use DINSIG SmartCard
In-Reply-To: <27018282.post@talk.nabble.com>
References: <27018282.post@talk.nabble.com>
Message-ID: <873a2f12rd.fsf@vigenere.g10code.de>

On Mon, 4 Jan 2010 11:49:31 -0800 (PST), fava64 wrote:

> fava at desk:~$ gpg2 --card-status
> Application ID ...: FF7F00
> gpg: this is a DINSIG compliant card
> gpg: not an OpenPGP card

Right. You need to use gpgsm for the X.509 keys as used with these cards:

  gpgsm --learn-card

to read the certificates from the card and from then on it should just work - well in theory. The current signature cards may not work anymore; for example TCOS 3 requires secure messaging which is not yet implemented.

If you run into problems you could try this:

  $ gpg-connect-agent
  scd serialno dinsig
  scd learn --force

and it should return some info.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From gnupg at rimertis.ch Sat Jan 9 21:24:16 2010
From: gnupg at rimertis.ch (fava64)
Date: Sat, 9 Jan 2010 12:24:16 -0800 (PST)
Subject: Use DINSIG SmartCard
In-Reply-To: <873a2f12rd.fsf@vigenere.g10code.de>
References: <27018282.post@talk.nabble.com> <873a2f12rd.fsf@vigenere.g10code.de>
Message-ID: <27092467.post@talk.nabble.com>

Hello Werner,

Thank you for your help. Here is what I got:

fava at desk:~$ gpgsm --learn-card
gpgsm: DBG: connection to agent established
secmem usage: 0/16384 bytes in 0 blocks
fava at desk:~$ gpg-connect-agent
> scd serialno dinsig
S SERIALNO FF7F00 0
OK
> scd learn --force
S SERIALNO FF7F00 0
S APPTYPE DINSIG
OK
>

I could not see any key appear in Kleopatra (Ubuntu 9.10, KDE4) or somewhere else (gpg2 --list-keys)

Does this mean it doesn't work or does this mean that I did not understand anything?

Fabio

--
View this message in context: http://old.nabble.com/Use-DINSIG-SmartCard-tp27018282p27092467.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From mlisten at hammernoch.net Sat Jan 9 20:38:49 2010
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Sat, 09 Jan 2010 20:38:49 +0100
Subject: Multiple Instances of gpg-agent
In-Reply-To: <4B43A4EF.10604@gmail.com>
References: <4B43A4EF.10604@gmail.com>
Message-ID: <4B48DB49.1030603@hammernoch.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jason French wrote on 05.01.10 21:45:

> Despite having near identical configurations between my work and home
> iMacs, I've noticed that at home it's not unusual to see 15 to 30
> instances of gpg-agent processes open. I've been unable to remedy the
> situation, probably caused by my home iMac being around longer and
> suffering from multiple installs of GPGMail,
> MacGPG, MacGPG2, and Enigmail.
>
> My understanding is that it retains secret keys. Is there any way to
> find out what keeps invoking so many instances of gpg-agent? I was
> unable to find anything in the email archives.

First, please have a look in

/Library/LaunchAgents/com.sourceforge.macgpg2.gpg-agent.plist

Are there multiple entries? Remove all but one, if yes.

Second, have a look into your Start Objects (which are opened at login). Are there multiple entries for "start-gpg-agent"? Remove all but one.

This should get your gpg installation working again.

Ludwig

From benjamin at py-soft.co.uk Sat Jan 9 21:38:12 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Sat, 9 Jan 2010 20:38:12 +0000
Subject: Multiple Instances of gpg-agent
In-Reply-To: <4B48DB49.1030603@hammernoch.net>
References: <4B43A4EF.10604@gmail.com> <4B48DB49.1030603@hammernoch.net>
Message-ID: <732076a81001091238u244496ecg96eef07f81d00c5d@mail.gmail.com>

2010/1/9 Ludwig Hügelschäfer:
> Second, have a look into your Start Objects (which are opened at login).
> Are there multiple entries for "start-gpg-agent"? Remove all but one.

start-gpg-agent will not start another copy if it can communicate with an already running instance of gpg-agent.

Upgrade to the latest version of MacGPG2 and then join the project mailing list - https://lists.sourceforge.net/mailman/listinfo/macgpg2-users

Ben

From bernhard.kleine at gmx.net Sat Jan 9 22:46:04 2010
From: bernhard.kleine at gmx.net (Bernhard)
Date: Sat, 09 Jan 2010 22:46:04 +0100
Subject: Import of old keys
In-Reply-To: <4B47BDE8.70006@mozilla-enigmail.org>
References: <1262988510.3805.6.camel@bernhard-desktop> <4B47BDE8.70006@mozilla-enigmail.org>
Message-ID: <1263073564.4711.3.camel@bernhard-desktop>

On Saturday, 09.01.2010, at 00:21 +0100, Olav Seyfarth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> Hi Bernhard,
>
> > After moving to Ubuntu (OT: for multimedia reasons) I fail to use these
> > keys with the newly created account. I have access to all the old files
> > and directories and would like to get some help for the incorporation of
> > the old keys into the new system.
>
> GnuPG uses ~/.gnupg as homedir. It should be sufficient to move the content
> of your old homedir to the new one. Alternatively, you may let GnuPG import
> your keys and/or keyrings by using gpg --import . What issues do you
> encounter?
>
> Olav
> - --

Hi Olav,

thanks a lot! I did as you proposed and it worked flawlessly. The keys are now available.

May I ask another question: Which gnome/kde program lets me generate smime keys?

Thanks again!

Bernhard

From bxstover at yahoo.co.uk Sat Jan 9 23:31:48 2010
From: bxstover at yahoo.co.uk (BenXS)
Date: Sat, 9 Jan 2010 14:31:48 -0800 (PST)
Subject: How to turn off mail delivery but NOT unsubscribe? Nabble forum instead.
Message-ID: <27093491.post@talk.nabble.com>

I would like to use this mailing-list through the forum emulation of Nabble at

http://old.nabble.com/GnuPG---User-f959.html

I don't need any posting delivery by email any more but would like to stay subscribed to be able to post questions.

However when I go to

http://lists.gnupg.org/mailman/listinfo/gnupg-users

I don't find an option to turn off mail delivery.

How can I achieve this?

How can I turn it back on later?

Thank you
Ben

--
View this message in context: http://old.nabble.com/How-to-turn-off-mail-delivery-but-NOT-unsubscribe--Nabble-forum-instead.-tp27093491p27093491.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From John at Mozilla-Enigmail.org Sat Jan 9 23:55:56 2010
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sat, 09 Jan 2010 16:55:56 -0600
Subject: How to turn off mail delivery but NOT unsubscribe? Nabble forum instead.
In-Reply-To: <27093491.post@talk.nabble.com>
References: <27093491.post@talk.nabble.com>
Message-ID: <4B49097C.7080900@Mozilla-Enigmail.org>

BenXS wrote:
>
> I would like to use this mailing-list through the forum emulation of Nabble
> at
>
> http://old.nabble.com/GnuPG---User-f959.html
>
> I don't need any posting delivery by email any more but would like to stay
> subscribed to be able to post questions.
>
> However when I go to
>
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
> I don't find an option to turn off mail delivery.
>
> How can I achieve this?

Go to the bottom of that page and enter your email address next to the "Unsubscribe or edit options" button. Click the button and you'll be taken to the login/unsubscribe/password page. Enter password and login. (Or get the reminder and login after receiving it) Scroll down to Subscription options, change Mail delivery to Disabled, finally scroll to the bottom of the page and click "Submit My Changes"

>
> How can I turn it back on later?

Do the same, but set the Mail delivery to Enabled.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From holtzm at cox.net Sun Jan 10 01:11:45 2010
From: holtzm at cox.net (RobertHoltzman)
Date: Sat, 9 Jan 2010 17:11:45 -0700
Subject: Web of Trust itself is the problem
In-Reply-To: <20100109134913.GC8009@fritha.org>
References: <4B45AB1A.3030500@gmail.com> <4B460180.8050302__21446.0286465057$1262879275$gmane$org@fifthhorseman.net> <4B4613B5.3030902@fifthhorseman.net> <20100108184628.GA10874@fritha.org> <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org>
Message-ID: <20100110001145.GB8317@cox.net>

On Sat, Jan 09, 2010 at 02:49:13PM +0100, Heinz Diehl wrote:
> On 09.01.2010, RobertHoltzman wrote:
>
> > > Personally I think a lot of people care about privacy, but are just not
> > > able and/or frightened to install something complex on their machines.
>
> > Then you get the contingent that says "I have nothing to hide".
>
> What I've encountered is that lots of people answering that way do not
> actually mean what these words say, but use them as a way to avoid saying
> the truth: "I'm not able to install such software, I can not understand
> how this works at all, it seems way too complicated to me,
> and I do not want you to know that I do not even understand the slightest
> bit at all of what you're talking about" :-)
>
> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

That is a great paper. I am keeping it for the next time I run into one of "them".

--
Bob Holtzman
GPG key ID = 8D549279
If you think you're getting free lunch
check the price of the beer.

From vedaal at hush.com Sun Jan 10 10:44:35 2010
From: vedaal at hush.com (vedaal at hush.com)
Date: Sun, 10 Jan 2010 04:44:35 -0500
Subject: very short plaintexts symmetrically encrypted
Message-ID: <20100110094435.AF84CB00B5@smtp.hushmail.com>

On Fri, 08 Jan 2010 15:03:53 -0500 Benjamin Donnachie wrote:
>2010/1/8 :
>> At any rate, it seems disturbingly easy to distinguish between
>> symmetrically encrypted messages having only the word 'yes' or 'no'
>> just by 'looking' at the ciphertext.
>
>i. Don't send such short messages
>ii. Don't use symmetric encryption.

i have no problem with this,

there is a trivial workaround to make everybody happy:

simply pad the plaintext manually to a total of eight characters

(am assuming that the words 'yes' or 'no' are less than 8 characters in all languages using open-pgp ;-) )

i.e. 'no******' or 'yes*****'

and then symmetrically encrypt.

symmetrical encryption is a simple way to avoid signing, while still maintaining relative reliability of knowledge as to who sent the message

(for a good passphrase, usually, only the person who knows the passphrase encrypted and sent it,)

the issue is, that if people 'trust' open-pgp (and i do , and 'love' it, and am not trying to find fault with it) to symmetrically encrypt messages,

then there should be some sort of alert or advisory that the plaintext should be a minimum length

(whatever that minimum length or alert/advisory should be, i leave it up to the developers or the ietf open-pgp wg ;-) )

vedaal

From wk at gnupg.org Sun Jan 10 14:02:15 2010
From: wk at gnupg.org (Werner Koch)
Date: Sun, 10 Jan 2010 14:02:15 +0100
Subject: very short plaintexts symmetrically encrypted
In-Reply-To: <20100110094435.AF84CB00B5@smtp.hushmail.com>
References: <20100110094435.AF84CB00B5@smtp.hushmail.com>
Message-ID: <87zl4myuy0.fsf@vigenere.g10code.de>

On Sun, 10 Jan 2010 04:44:35 -0500, vedaal at hush.com wrote:

> symmetrical encryption is a simple way to avoid signing, while
> still maintaining relative reliability of knowledge as to who sent
> the message

That is not true. For example you can't detect a replay or MitM attack. Further even regular signing does not help you if there is only a limited set of different message contents (i.e. only Yes or No messages).

GnuPG is a tool and not a complete solution to all (crypto) use cases.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Sun Jan 10 14:05:51 2010
From: wk at gnupg.org (Werner Koch)
Date: Sun, 10 Jan 2010 14:05:51 +0100
Subject: Import of old keys
In-Reply-To: <1263073564.4711.3.camel@bernhard-desktop>
References: <1262988510.3805.6.camel@bernhard-desktop> <4B47BDE8.70006@mozilla-enigmail.org> <1263073564.4711.3.camel@bernhard-desktop>
Message-ID: <87y6k6yus0.fsf@vigenere.g10code.de>

On Sat, 09 Jan 2010 22:46:04 +0100, Bernhard wrote:

> May I ask another question: Which gnome/kde program lets me generate
> smime keys?

You can't. What you can do is to create a certificate signing request and send that to a CA to send you back a certificate. If you want a GUI tool to create a certificate signing request, you can use KDE's Kmail or Kleopatra. On the command line you can use "gpgsm --gen-key".

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Sun Jan 10 14:12:10 2010
From: wk at gnupg.org (Werner Koch)
Date: Sun, 10 Jan 2010 14:12:10 +0100
Subject: Use DINSIG SmartCard
In-Reply-To: <27092467.post@talk.nabble.com>
References: <27018282.post@talk.nabble.com> <873a2f12rd.fsf@vigenere.g10code.de> <27092467.post@talk.nabble.com>
Message-ID: <87wrzqyuhh.fsf@vigenere.g10code.de>

On Sat, 9 Jan 2010 12:24:16 -0800 (PST), fava64 wrote:

> Does this mean it doesn't work or does this mean that I did not understand
> anything?

That probably means that your card does not follow the DIN V 66291-1 (aka DINSIG) as implemented by scdaemon.

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From mariocastelancastro at gmail.com Sun Jan 10 17:30:17 2010
From: mariocastelancastro at gmail.com (Mario Castelán Castro)
Date: Sun, 10 Jan 2010 10:30:17 -0600
Subject: very short plaintexts symmetrically encrypted
In-Reply-To: <87zl4myuy0.fsf@vigenere.g10code.de>
References: <20100110094435.AF84CB00B5@smtp.hushmail.com> <87zl4myuy0.fsf@vigenere.g10code.de>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

January 10th 2010 in gnupg-users at gnupg.org thread "very short plaintexts symmetrically encrypted"

>then there should be some sort of alert or advisory that the
>plaintext should be a minimum length (whatever that minimum length or
>alert/advisory should be, i leave it up to the developers or the ietf
>open-pgp wg ;-) )

I don't think that the OpenPGP standard should include alerts, because that would make non-interactive implementations unable to fully comply with the standard. IMO much better would be support for automatic padding, or maybe it is already in the standard but I never noticed; I have not really read RFC4880 in detail.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREIAAYFAktKAIMACgkQZ4DA0TLic4g6dgCgjzbbuTpcaKL6SqDJkVyzSCH+
u5YAmwSW/FDXUysU3sxjeuVjFVDin++G
=0Kux
-----END PGP SIGNATURE-----

From yochanon at localnet.com Sun Jan 10 16:27:14 2010
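An added illustration for the "very short plaintexts" thread above (not code from any poster and not GnuPG code): it shows why a length-preserving cipher lets 'yes' and 'no' be told apart, how padding to a fixed size removes that difference, and why padding alone still leaves the replay problem Werner Koch mentions. The toy cipher is only a stand-in for a length-preserving mode, and the names seal, unseal, pad, unpad and Receiver, as well as the challenge scheme, are assumptions of this example.

```python
import hashlib
import hmac
import os

BUCKET = 8        # pad to a multiple of 8 bytes (the total suggested in the thread)
NONCE_LEN = 16
TAG_LEN = 32


def _keys(passphrase: bytes):
    """Toy key derivation (plain SHA-256); a real system would use a proper KDF."""
    return (hashlib.sha256(b"enc" + passphrase).digest(),
            hashlib.sha256(b"mac" + passphrase).digest())


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher, so len(ct) == len(pt)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a shared passphrase: nonce || body || tag."""
    enc_key, mac_key = _keys(passphrase)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    enc_key, mac_key = _keys(passphrase)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified message")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Length byte + message + zero fill. Unlike '*' fill, this stays
    unambiguous when the message itself ends in the fill character."""
    if len(msg) > 255:
        raise ValueError("message too long for a one-byte length prefix")
    framed = bytes([len(msg)]) + msg
    return framed + b"\x00" * (-len(framed) % bucket)


def unpad(padded: bytes) -> bytes:
    if not padded or padded[0] > len(padded) - 1:
        raise ValueError("malformed padding")
    return padded[1:1 + padded[0]]


class Receiver:
    """Accepts an answer only once, and only for a challenge it issued.
    The sender seals pad(challenge + answer)."""

    def __init__(self, passphrase: bytes):
        self.passphrase = passphrase
        self.pending = set()

    def ask(self) -> bytes:
        challenge = os.urandom(NONCE_LEN)
        self.pending.add(challenge)
        return challenge

    def accept(self, blob: bytes) -> bytes:
        msg = unpad(unseal(self.passphrase, blob))
        challenge, answer = msg[:NONCE_LEN], msg[NONCE_LEN:]
        if challenge not in self.pending:
            raise ValueError("replayed or unsolicited answer")
        self.pending.discard(challenge)
        return answer


if __name__ == "__main__":
    key = b"constructed passphrase"          # constructed sample value
    print("unpadded:", len(seal(key, b"yes")), len(seal(key, b"no")))
    print("padded:  ", len(seal(key, pad(b"yes"))), len(seal(key, pad(b"no"))))
    captured = seal(key, pad(b"yes"))
    # Without a challenge, the same captured blob is accepted every time.
    print("replay accepted:", unpad(unseal(key, captured)), unpad(unseal(key, captured)))
```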
From: yochanon at localnet.com (John B)
Date: Sun, 10 Jan 2010 09:27:14 -0600
Subject: Web of Trust itself is the problem
In-Reply-To: <20100109134913.GC8009@fritha.org>
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org>
Message-ID: <201001100927.14325.yochanon@localnet.com>

On 09 January 10, Heinz Diehl wrote:
> On 09.01.2010, RobertHoltzman wrote:
> > > Personally I think a lot of people care about privacy, but are just not
> > > able and/or frightened to install something complex on their machines.
> >
> > Then you get the contingent that says "I have nothing to hide".
>
> What I've encountered is that lots of people answering that way do not
> actually mean what these words say, but use them as a way to avoid saying
> the truth: "I'm not able to install such software, I can not understand
> how this works at all, it seems way too complicated to me,
> and I do not want you to know that I do not even understand the slightest
> bit at all of what you're talking about" :-)

Then they need to learn it. It's not necessary to learn *how* it works completely, or know as much as someone who designs it - just enough to know how to use it correctly. It's not hard, it's simply laziness for the most part.

--
Fight organized crime: Re-elect no one.

From gnupg-users at chaos.demon.nl Sun Jan 10 18:28:45 2010
From: gnupg-users at chaos.demon.nl (Pepijn Schmitz)
Date: Sun, 10 Jan 2010 18:28:45 +0100
Subject: Inhibit pgp-agent warning?
In-Reply-To: <1262973893.3553.450.camel@peregrin>
References: <1262973893.3553.450.camel@peregrin>
Message-ID: <1263144525.3040.1.camel@peregrin>

I know what was wrong now: Ubuntu puts a "use-agent" line in .gnupg/gpg.conf by default. I took it out and now the warnings are gone. Thanks to Olav Seyfarth!

Kind regards,
Pepijn Schmitz

On Fri, 2010-01-08 at 19:04 +0100, Pepijn Schmitz wrote:
> Hi everyone,
>
> I have a backup script which uses gpg to encrypt the backup, and is
> executed every night by cron (both by root as by an admin user). This
> is gpg 1.4.6 on Ubuntu Hardy LTS.
>
> My problem is that gpg insists on printing a "gpg: gpg-agent is not
> available in this session" warning every time, causing unnecessary
> emails from cron even when the backup is entirely successful. I tried
> adding the -q option to the command line, but that doesn't seem to
> make a difference. I don't want to run gpg-agent (since it is not
> needed), or redirect all output to /dev/null or a file (since I do
> want emails on genuine warnings).
>
> Is there any way I can prevent this warning?
>
> Kind regards,
> Pepijn Schmitz

From holtzm at cox.net Sun Jan 10 20:43:15 2010
From: holtzm at cox.net (RobertHoltzman)
Date: Sun, 10 Jan 2010 12:43:15 -0700
Subject: Web of Trust itself is the problem
In-Reply-To: <201001100927.14325.yochanon@localnet.com>
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com>
Message-ID: <20100110194315.GA7277@cox.net>

On Sun, Jan 10, 2010 at 09:27:14AM -0600, John B wrote:
> On 09 January 10, Heinz Diehl wrote:
>
> > What I've encountered is that lots of people answering that way do not
> > actually mean what these words say, but use them as a way to avoid saying
> > the truth: "I'm not able to install such software, I can not understand
> > how this works at all, it seems way too complicated to me,
> > and I do not want you to know that I do not even understand the slightest
> > bit at all of what you're talking about" :-)
>
> Then they need to learn it. It's not necessary to learn *how* it works
> completely, or know as much as someone who designs it - just enough to know
> how to use it correctly. It's not hard, it's simply laziness for the most
> part.

I disagree. I get the impression that it's mostly a matter of their fear of not being able to comprehend it. After all, it is a "computer thing".

--
Bob Holtzman
GPG key ID = 8D549279
If you think you're getting free lunch
check the price of the beer.

From mariocastelancastro at gmail.com Sun Jan 10 21:24:22 2010
From: mariocastelancastro at gmail.com (Mario Castelán Castro)
Date: Sun, 10 Jan 2010 14:24:22 -0600
Subject: Web of Trust itself is the problem
In-Reply-To: <20100110194315.GA7277@cox.net>
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

January 10th 2010 in gnupg-users at gnupg.org thread "Web of Trust itself is the problem"

>I get the impression that it's mostly a matter of their fear of not
>being able to comprehend it. After all, it is a "computer thing".

It is not necessary to comprehend cryptography to use it. In fact, the knowledge of the use of one thing and the knowledge to use it are independent. I.e.: I don't know how to ride a bicycle, but I know how they work
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREIAAYFAktKN3cACgkQZ4DA0TLic4jjwwCgkFpwUb1NZ9j3DgExGIENCmhy
ZwIAnA+vUYjGHtYkjhiwsj3UI5UMjU9L
=hc9K
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Sun Jan 10 22:01:09 2010
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 10 Jan 2010 16:01:09 -0500
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net>
Message-ID: <4B4A4015.2060603@sixdemonbag.org>

On 01/10/2010 03:24 PM, Mario Castelán Castro wrote:
> It is not necessary to comprehend cryptography to use it. In fact, the
> knowledge of the use of one thing and the knowledge to use it are
> independent. I.e.: I don't know how to ride a bicycle, but I know how
> they work

Crypto is not like this. Sure, you don't need to understand Feistel networks or large number theory in order to use crypto, but look at what you *do* need to understand:

* Identity verification
* Document verification
* What a hash is
* How hashes are used
* How hashes are misused and shouldn't be used
* Out-of-band verification
* Type I versus Type II error

... and so on, and so on, and so on. I stopped at seven; I could easily go on for another seven, or more. These are all things that are necessary to use GnuPG successfully.

As an example, a fairly tech-savvy friend of mine made a habit of signing all her emails. Her reasoning was, "if people ever see a message that's not signed, they'll know it's not from me." This reasoning sounds good, and many people on this list would probably agree with it.

The problem is that it's incorrect. If someone using her name were to post a racist, hate-filled screed on the internet, would she really be able to persuade people she didn't write it just by saying "look, I didn't sign it"? Or would her critics say, "of course you didn't sign it, you wanted to be able to deny writing it!"?

Likewise: people tend to be interested in who has signed a given key... but why? Anyone can sign anything, regardless of whether the key owner consents. There are all kinds of credibility attacks you could do on someone by putting a fake "StormFront Identity Verification" signature on a key -- and thus, have people infer from that signature that the key owner is a member of a racist hate organization.

Crypto is a /highly/ demanding field. The skills required to use it effectively, and avoid incorrect and/or dangerously false reasoning about documents, are far, far beyond the realm of most users.

OpenPGP is in many ways a failed standard. It's big, it's complex, it has a lot of subtle edge cases, and so on. However, for all its faults, I think it is by far the best email encryption standard we have.

From holtzm at cox.net Mon Jan 11 04:24:59 2010
From: holtzm at cox.net (RobertHoltzman)
Date: Sun, 10 Jan 2010 20:24:59 -0700
Subject: Web of Trust itself is the problem
In-Reply-To:
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net>
Message-ID: <20100111032459.GB7129@cox.net>

On Sun, Jan 10, 2010 at 02:24:22PM -0600, Mario Castelán Castro wrote:
>
> It is not necessary to comprehend cryptography to use it. In fact, the
> knowledge of the use of one thing and the knowledge to use it are
> independent. I.e.: I don't know how to ride a bicycle, but I know how
> they work

Try telling this to a noob who is:
a) convinced that only a nefarious low life has a use for encryption
b) afraid of and distrusts computers
c) convinced he/she is right and logic won't sway him/her.

--
Bob Holtzman
GPG key ID = 8D549279
If you think you're getting free lunch
check the price of the beer.

From dshaw at jabberwocky.com Mon Jan 11 04:52:07 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 10 Jan 2010 22:52:07 -0500
Subject: Web of Trust itself is the problem
In-Reply-To: <20100111032459.GB7129@cox.net>
References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net>
Message-ID: <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com>

On Jan 10, 2010, at 10:24 PM, RobertHoltzman wrote:

> On Sun, Jan 10, 2010 at 02:24:22PM -0600, Mario Castelán Castro
> wrote:
>>
>> It is not necessary to comprehend cryptography to use it. In fact, the
>> knowledge of the use of one thing and the knowledge to use it are
>> independent. I.e.: I don't know how to ride a bicycle, but I know how
>> they work
>
> Try telling this to a noob who is:
> a) convinced that only a nefarious low life has a use for encryption
> b) afraid of and distrusts computers
> c) convinced he/she is right and logic won't sway him/her.

While I do believe that there are a number of people in each of those categories (or combinations thereof), I strongly suspect that the largest category is:

d) those people who are completely unaware of crypto: unaware that they might actually want it on occasion, and unaware that they don't have it.

It's not that they gave it a bit of thought and decided against it for whatever reason - they never gave it even a moment of thought. The only crypto they use is the crypto that is invisible to them (usually https, which is pretty invisible).

David

From mariocastelancastro at gmail.com Mon Jan 11 05:01:38 2010
From: mariocastelancastro at gmail.com (=?ISO-8859-1?Q?Mario_Castel=E1n_Castro?=) Date: Sun, 10 Jan 2010 22:01:38 -0600 Subject: Web of Trust itself is the problem In-Reply-To: <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 January 10th 2010 in gnupg-users at gnupg.org thread "Web of Trust itself is the problem" >Crypto is not like this. Sure, you don't need to understand Feistel >networks or large number theory in order to use crypto, but look at >what you *do* need to understand: [...] Is good if you know that, you will use the crypto better but is not nessesary IMO. Can you explain why that things are *nessesary* in order to use crypto?, we have "user friendly" crypto programs like seahorse, I can't figure out someone is unable to use it with the available "user friendly" software like seahorse. >Try telling this to a noob who is: >a) convinced that only a nefarious low life has a use for encryption >b) afraid of and distrusts computers >c) convinced he/she is right and logic won't sway him/her.. What is your point Robert?. The same apply to planes, some people don't trust planes, some don't trust computers or cryptography or , but that don't mean the public in general is unable to fly in planes or to use cryptography ;). >The only crypto they use is the crypto that is invisible to them >(usually https, which is pretty invisible). HTTPS is not invisible, is transparent with most browers. Invisible is as example, the logs that your ISP, mine or google (likley) have of all our mail, because you don't see it, you even don't know if they really have such logs. 
Transparent is one thing that you can see if you want, in the same manner you can ignore it, like the thousands of instructions in machine code to run a software or the encryption in HTTPS. You can do "hexdump /usr/local/gpg", or click a button in FF that tells you the encryption information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEAREIAAYFAktKopsACgkQZ4DA0TLic4heGACfUf4UQOCoddJTgivgXXV/sBk0 q3wAn2wHgEuLEamep3xbx8XJb+7iezxo =kWGz -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Jan 11 05:10:05 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 10 Jan 2010 23:10:05 -0500 Subject: Web of Trust itself is the problem In-Reply-To: References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> Message-ID: On Jan 10, 2010, at 11:01 PM, Mario Castelán Castro wrote: >> The only crypto they use is the crypto that is invisible to them >> (usually https, which is pretty invisible). > > HTTPS is not invisible, is transparent with most browsers. Invisible > is as example, the logs that your ISP, mine or google (likely) have of > all our mail, because you don't see it, you even don't know if they > really have such logs. We can argue the definition of "invisible" vs "transparent" for days and waste everyone's time. I use the term to mean "They don't see https. They don't really care about it, as evidenced by most just hitting the "continue" button when they are told about a bad certificate, and have only the vaguest notion (if even that) that they might want it." David From rjh at sixdemonbag.org Mon Jan 11 05:37:12 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 10 Jan 2010 23:37:12 -0500 Subject: Web of Trust itself is the problem In-Reply-To: References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> Message-ID: <4B4AAAF8.9010805@sixdemonbag.org> On 01/10/2010 11:01 PM, Mario Castelán Castro wrote: >> Crypto is not like this. Sure, you don't need to understand Feistel >> networks or large number theory in order to use crypto, but look at >> what you *do* need to understand: [...] > > Is good if you know that, you will use the crypto better but is not > necessary IMO. Can you explain why that things are *necessary* in > order to use crypto?, we have "user friendly" crypto programs like > seahorse, I can't figure out someone is unable to use it with the > available "user friendly" software like seahorse. Read this paper: Garfinkel, S. L., Margrave, D., Schiller, J. I., Nordlander, E., and Miller, R. C. 2005. How to make secure email easier to use. In _Proceedings of the SIGCHI Conference on Human Factors in Computing Systems_ (Portland, Oregon, USA, April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. DOI= http://doi.acm.org/10.1145/1054972.1055069 Also read this paper: Gaw, S., Felten, E. W., and Fernandez-Kelly, P. 2006. Secrecy, flagging, and paranoia: adoption criteria in encrypted email. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montreal, Quebec, Canada, April 22 - 27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. DOI= http://doi.acm.org/10.1145/1124772.1124862 Once you've read them, then let's have this conversation again. The obstacles we face in crypto adoption are not related to user interfaces. They're related to users. 
There's a lot of good papers in the literature covering this problem. Those two papers will helpfully point you in the right direction. >> Try telling this to a noob who is: >> a) convinced that only a nefarious low life has a use for encryption >> b) afraid of and distrusts computers >> c) convinced he/she is right and logic won't sway him/her.. > > What is your point Robert? I didn't write this; you're misquoting someone else's words and attributing them to me. >> The only crypto they use is the crypto that is invisible to them >> (usually https, which is pretty invisible). > > HTTPS is not invisible, is transparent with most browsers. Likewise; David Shaw wrote this. That said, I agree with him, and HTTPS is /very/ invisible to most users. A few years ago a fellow grad student of mine, Peter Likarish, developed a really cool anti-phishing technology. (I don't know if it's been cleared for publication, or if he's still wrestling with it privately, so I can't talk about how it works.) It was a phenomenally effective phishing-detection engine. For testing purposes, he packaged it up into a Firefox plugin. When a user visited a phishing site, a small red bar would appear across the top of the screen. "Warning: this site appears to be impersonating another site," it would say. He figured users would see it. He recruited a number of normal, everyday users to test the plugin. He gave them a computer preinstalled with Firefox and the anti-phishing plugin. *Not one of them* saw the red bar across the top. They all considered it to be visual noise and filtered it out. Peter decided the solution was to make the bar grow steadily bigger over time. The user could click on the bar at any time to make it vanish; but if the user ignored the bar, the bar would grow and grow until it took over a third of the screen. He repeated the test, and this time videotaped people as they were interacting with the system. *Not one* saw the bar. 
According to Peter, when watching the videotape you could watch users' eyes scroll down the screen as the bar grew. There was no question that on some level they were seeing the bar, processing it. Peter's hypothesis was that Flash ads are to blame. Users have become conditioned to having Flash ads appear on the screen, take over real estate, and so on. Therefore, users were subconsciously filtering out this big red alert bar and it was never percolating up to the conscious level where users could make an informed decision about the risks. So. Yes. HTTPS is invisible. Users typically do not have anywhere near the visual recognition of web interface that people like to think they do. ObDisclaimer: Peter told me this about two years ago now. My memory is not perfect; I may be off on details. However, I am confident the salient parts of the story are correct. From jdever at triad.rr.com Mon Jan 11 06:35:45 2010 From: jdever at triad.rr.com (Jim Dever) Date: Mon, 11 Jan 2010 00:35:45 -0500 Subject: Web of Trust itself is the problem In-Reply-To: <4B4AAAF8.9010805@sixdemonbag.org> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> <4B4AAAF8.9010805@sixdemonbag.org> Message-ID: <4B4AB8B1.10406@triad.rr.com> On 1/10/2010 11:37 PM, Robert J. Hansen wrote: >> >> What is your point Robert? > > I didn't write this; you're misquoting someone else's words and > attributing them to me. > I think he meant the other Robert in the discussion. -- Jim From faramir.cl at gmail.com Mon Jan 11 04:57:36 2010 
From: faramir.cl at gmail.com (Faramir) Date: Mon, 11 Jan 2010 00:57:36 -0300 Subject: Web of Trust itself is the problem In-Reply-To: <4B4A4015.2060603@sixdemonbag.org> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <4B4A4015.2060603@sixdemonbag.org> Message-ID: <4B4AA1B0.2020305@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Robert J. Hansen wrote: ... > Crypto is not like this. Sure, you don't need to understand Feistel > networks or large number theory in order to use crypto, but look at what > you *do* need to understand: > > * Identity verification I think I understand it. > * Document verification I hope I understand it. > * What a hash is I understand it. > * How hashes are used I think I understand it. > * How hashes are misused and shouldn't be used Ehh... I've never thought about it. How should they not be used? > * Out-of-band verification I think I understand it... > * Type I versus Type II error I don't have any idea about this, can you please clarify it? ... > As an example, a fairly tech-savvy friend of mine made a habit of > signing all her emails. Her reasoning was, "if people ever see a > message that's not signed, they'll know it's not from me." This > reasoning sounds good, and many people on this list would probably agree > with it. The problem is that it's incorrect. > > If someone using her name were to post a racist, hate-filled screed on > the internet, would she really be able to persuade people she didn't > write it just by saying "look, I didn't sign it"? Or would her critics > say, "of course you didn't sign it, you wanted to be able to deny > writing it!"? I get your point. However, people should be considered innocent until proven guilty. Of course if we talk about racism, paedophilia or drug trafficking, people are guilty even if they have been dead for years before the incident. 
Best Regards From rjh at sixdemonbag.org Mon Jan 11 07:26:08 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 11 Jan 2010 01:26:08 -0500 Subject: Web of Trust itself is the problem In-Reply-To: <4B4AA1B0.2020305@gmail.com> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <4B4A4015.2060603@sixdemonbag.org> <4B4AA1B0.2020305@gmail.com> Message-ID: <4B4AC480.1030502@sixdemonbag.org> On 01/10/2010 10:57 PM, Faramir wrote: >> * How hashes are misused and shouldn't be used > Ehh... I've never thought about it. How they should not be used? I've seen computerized votes authenticated by MD5 hash... sent over email... in the same message as the official vote record. As in, "the attachment has MD5 hash XXX, if your version hashes out to XXX then the vote record is authenticated." I just about had a heart attack. The voting authorities thought this was just fine, and a perfectly correct use of hashes. >> * Type I versus Type II error > I don't have any idea about this, can you please clarify it? False positive versus false negative. If there's a transmission error in the sigblock *but not in the source text*, you can have a bad signature with a completely intact message. Therefore, the fact a signature is bad doesn't automatically tell you the message was tampered with. If the message was altered somehow, the signature will be bad. However, if the signature is bad, that doesn't necessarily mean the message was altered somehow. A lot of people miss this point. It's kind of important. > I get your point. However, people should be considered innocent until > proven guilty. What should be true is a question for religion, philosophy and ethics. Engineering is about asking what *is* true. From jdever at triad.rr.com Mon Jan 11 08:49:20 2010 
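The two points in Robert J. Hansen's message above, worked through as an added example (not code from the thread or from GnuPG): a digest mailed next to the record it describes survives a rewrite of both, and a failed check does not prove the text changed. The record contents and key are constructed, and the keyed tag (HMAC) is an assumption standing in for an OpenPGP signature.

```python
import hashlib
import hmac

# Constructed sample data; nothing here comes from the thread.
RECORD = b"Measure 7: yes=412 no=388\n"
ALTERED = b"Measure 7: yes=388 no=412\n"
SHARED_KEY = b"constructed key agreed out of band"


def send_with_inband_md5(record):
    """The scheme from the message: record and its MD5 travel together."""
    return {"attachment": record, "md5": hashlib.md5(record).hexdigest()}


def inband_md5_ok(msg):
    """Receiver recomputes the MD5 and compares it with the one in the mail."""
    return hashlib.md5(msg["attachment"]).hexdigest() == msg["md5"]


def alter_whole_message(new_record):
    """Whoever can change the attachment can change the digest beside it."""
    return send_with_inband_md5(new_record)


def send_with_tag(record, key):
    """Keyed tag (signature stand-in); the key never travels with the mail."""
    tag = hmac.new(key, record, hashlib.sha256).hexdigest()
    return {"attachment": record, "tag": tag}


def tag_ok(msg, key):
    expected = hmac.new(key, msg["attachment"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def damage(hex_string):
    """Transmission error that hits only the tag, never the text."""
    return ("1" if hex_string[0] == "0" else "0") + hex_string[1:]


def outcomes():
    """Map each case to (check passed, record actually intact)."""
    genuine = send_with_inband_md5(RECORD)
    forged = alter_whole_message(ALTERED)
    tagged = send_with_tag(RECORD, SHARED_KEY)
    altered_under_tag = dict(tagged, attachment=ALTERED)
    damaged_tag = dict(tagged, tag=damage(tagged["tag"]))
    return {
        "in-band MD5, untouched":
            (inband_md5_ok(genuine), genuine["attachment"] == RECORD),
        "in-band MD5, record and digest rewritten":
            (inband_md5_ok(forged), forged["attachment"] == RECORD),
        "keyed tag, record rewritten":
            (tag_ok(altered_under_tag, SHARED_KEY),
             altered_under_tag["attachment"] == RECORD),
        "keyed tag, only the tag damaged":
            (tag_ok(damaged_tag, SHARED_KEY),
             damaged_tag["attachment"] == RECORD),
    }


if __name__ == "__main__":
    for case, (passed, intact) in outcomes().items():
        print(f"{case:45s} check passed={passed!s:5s} record intact={intact}")
```

The second row is the vote-record case: the check passes on an altered record. The last row is the false positive: the check fails although the record is byte-for-byte intact.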
From: jdever at triad.rr.com (Jim Dever) Date: Mon, 11 Jan 2010 02:49:20 -0500 Subject: Web of Trust itself is the problem In-Reply-To: <4B4AC480.1030502@sixdemonbag.org> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <4B4A4015.2060603@sixdemonbag.org> <4B4AA1B0.2020305@gmail.com> <4B4AC480.1030502@sixdemonbag.org> Message-ID: <4B4AD800.2060509@triad.rr.com> On 1/11/2010 1:26 AM, Robert J. Hansen wrote: > I've seen computerized votes authenticated by MD5 hash... sent over > email... in the same message as the official vote record. As in, "the > attachment has MD5 hash XXX, if your version hashes out to XXX then the > vote record is authenticated." I just about had a heart attack. The > voting authorities thought this was just fine, and a perfectly correct > use of hashes. Ekkkk... unbelievable! -- Jim From marcus.brinkmann at ruhr-uni-bochum.de Mon Jan 11 12:22:54 2010 
From: marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) Date: 11 Jan 2010 12:22:54 +0100 Subject: [Announce] GPGME 1.3.0 released Message-ID: <4B4B0A0E.6010105@ruhr-uni-bochum.de>

Hi,

We are pleased to announce version 1.3.0 of GnuPG Made Easy, a library designed to make access to GnuPG easier for applications. It may be found in the file (about 1.2 MB/870 KB compressed)

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.gz
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.bz2

The following files are also available:

  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.gz.sig
  ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-1.3.0.tar.bz2.sig

It should soon appear on the mirrors listed at:

  http://www.gnupg.org/mirrors.html

Bug reports and requests for assistance should be sent to:

  gnupg-devel at gnupg.org

The sha1sum checksums for this distribution are

  0db69082abfbbbaf86c3ab0906f5137de900da73  gpgme-1.3.0.tar.bz2
  5365180827aa67dede556594587ee770536021a2  gpgme-1.3.0.tar.bz2.sig
  c7d17b6451fb7770bee696a3fe359c7f6c1be12a  gpgme-1.3.0.tar.gz
  573a099bf996b03d0c91796a6a403133fab7798a  gpgme-1.3.0.tar.sig

Noteworthy changes in version 1.3.0 (2010-01-11)
------------------------------------------------

 * GPGME does not come with an internal libassuan version anymore. The external libassuan 1.1.0 release or later is required. For application programmers on systems that can resolve inter-library dependencies at runtime, this is a transparent change.

 * New engine GPGME_PROTOCOL_G13 to support the new g13 tool.

 * New engine GPGME_PROTOCOL_UISERVER to support UI Servers.

 * New API to change the passphrase of a key.

 * Interface changes relative to the 1.2.0 release:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 GPGME_STATUS_INV_SGNR   NEW.
 GPGME_STATUS_NO_SGNR    NEW.
 GPGME_PROTOCOL_G13      NEW.
 gpgme_op_g13_mount      NEW.
 gpgme_g13_result_t      NEW.
 GPGME_PK_ECDSA          NEW.
 GPGME_PK_ECDH           NEW.
 gpgme_op_passwd_start   NEW.
 gpgme_op_passwd         NEW.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Marcus Brinkmann
mb at g10code.de

--
g10 Code GmbH           http://g10code.com      AmtsGer. Wuppertal HRB 14459
Hüttenstr. 61                                   Geschäftsführung Werner Koch
D-40699 Erkrath  -=- The GnuPG Experts -=-      USt-Id DE215605608

From avi.wiki at gmail.com Mon Jan 11 17:49:00 2010 From: avi.wiki at gmail.com (Avi) Date: Mon, 11 Jan 2010 11:49:00 -0500 Subject: Gnupg-users Digest, Vol 76, Issue 11 In-Reply-To: References: Message-ID: <27ee9bfb1001110849r302363a4k20e37bb09ebf6dc5@mail.gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 For those of us without ACM access, these papers are freely available at: 1) http://simson.net/ref/2004/chi2005_smime_submitted.pdf 2) http://www.soe.ucsc.edu/classes/cmps223/Spring09/Gaw%2006.pdf Avi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) - GPGshell v3.75 Comment: Most recent key: Click show in box @ http://is.gd/4xJrs iF4EAREKAAYFAktLVnQACgkQDWKwGfgOKfkAcwD+Ipg7IQboIQjrhlNiKxNDhY6E 7gO6w3hT2/bhjOe6b/wA/iT2O6lmOgfWmrxDpCT5qUQ5RR+KdYHN/ZM61dBYqkmM =tjCQ -----END PGP SIGNATURE----- ---- User:Avraham pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key) Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9 
From: "Robert J. Hansen" > To: "Mario Castelán Castro" > Date: Sun, 10 Jan 2010 23:37:12 -0500 > Subject: Re: Web of Trust itself is the problem > On 01/10/2010 11:01 PM, Mario Castelán Castro wrote: > >> Crypto is not like this. Sure, you don't need to understand Feistel > >> networks or large number theory in order to use crypto, but look at > >> what you *do* need to understand: [...] > > > > Is good if you know that, you will use the crypto better but is not > > necessary IMO. Can you explain why that things are *necessary* in > > order to use crypto?, we have "user friendly" crypto programs like > > seahorse, I can't figure out someone is unable to use it with the > > available "user friendly" software like seahorse. > > Read this paper: > > Garfinkel, S. L., Margrave, D., Schiller, J. I., > Nordlander, E., and Miller, R. C. 2005. How to make secure > email easier to use. In _Proceedings of the SIGCHI Conference > on Human Factors in Computing Systems_ (Portland, Oregon, USA, > April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710. > DOI= http://doi.acm.org/10.1145/1054972.1055069 > > Also read this paper: > > Gaw, S., Felten, E. W., and > Fernandez-Kelly, P. 2006. Secrecy, flagging, and > paranoia: adoption criteria in encrypted email. > In Proceedings of the SIGCHI Conference on Human > Factors in Computing Systems (Montreal, Quebec, > Canada, April 22 - 27, 2006). R. Grinter, > T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and > G. Olson, Eds. CHI '06. ACM, New York, NY, 591-600. > DOI= http://doi.acm.org/10.1145/1124772.1124862 > > > Once you've read them, then let's have this conversation again. The > obstacles we face in crypto adoption are not related to user interfaces. > They're related to users. > > From dan at geer.org Mon Jan 11 18:15:09 2010 
From: dan at geer.org (dan at geer.org) Date: Mon, 11 Jan 2010 12:15:09 -0500 Subject: Web of Trust itself is the problem In-Reply-To: Your message of "Sun, 10 Jan 2010 22:52:07 EST." <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> Message-ID: <20100111171509.442F333F48@absinthe.tinho.net> David Shaw writes, in part: -+------------------------- | It's not that they gave it a bit of thought and decided | against it for whatever reason - they never gave it even a | moment of thought. The only crypto they use is the crypto | that is invisible to them (usually https, which is pretty | invisible). I used to work at Verdasys. One of the strong selling points with its customers is as you say, for crypto to be in place but with no user the wiser nor need that they be. A piece of marketing material: http://www.verdasys.com/images/uploads/Encryption_DataSheet.pdf There are quite a few installations of the above at the >100,000 seats level (enterprise deployment). --dan From lists.gnupg-users at mephisto.fastmail.net Mon Jan 11 19:06:03 2010 
From: lists.gnupg-users at mephisto.fastmail.net (lists.gnupg-users at mephisto.fastmail.net) Date: Mon, 11 Jan 2010 13:06:03 -0500 Subject: very short plaintexts symmetrically encrypted In-Reply-To: <87zl4myuy0.fsf@vigenere.g10code.de> References: <20100110094435.AF84CB00B5@smtp.hushmail.com> <87zl4myuy0.fsf@vigenere.g10code.de> Message-ID: <1263233163.32223.1354068889@webmail.messagingengine.com> On Sun, 10 Jan 2010 14:02 +0100, "Werner Koch" wrote: > On Sun, 10 Jan 2010 04:44:35 -0500, vedaal at hush.com wrote: > > > symmetrical encryption is a simple way to avoid signing, while > > still maintaining relative reliability of knowledge as to who sent > > the message > > That is not true. For example you can't detect a replay or MitM > attack. Forgive me, but how is a MitM attack possible against a symmetric cypher using a shared, secret key? A MitM attack is really an attack on key exchange, as it requires the MitM to intercept at least one public key, and substitute another (one of his own) for it. Using symmetric crypto, however, the key must be prearranged, or exchanged by some other trusted means. Assuming only the sender and receiver of the message know the secret key, I fail to see what a MitM can accomplish. Of course, if we just broadcast the secret key on the Internet, or something, then it's not much good--but anyone using symmetric crypto should know better. From bernhard.kleine at gmx.net Mon Jan 11 21:16:36 2010 
From: bernhard.kleine at gmx.net (Bernhard Kleine) Date: Mon, 11 Jan 2010 21:16:36 +0100 Subject: Web of Trust itself is the problem In-Reply-To: <4B4AC480.1030502@sixdemonbag.org> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <4B4A4015.2060603@sixdemonbag.org> <4B4AA1B0.2020305@gmail.com> <4B4AC480.1030502@sixdemonbag.org> Message-ID: <1263240996.10024.4.camel@bernhard-desktop> On Monday, 11.01.2010, at 01:26 -0500, Robert J. Hansen wrote: > On 01/10/2010 10:57 PM, Faramir wrote: > ...I just about had a heart attack. The > voting authorities thought this was just fine... You are obviously not loved by the voting authorities :-) Greetings from the Black Forest! Bernhard From wk at gnupg.org Tue Jan 12 09:35:17 2010 
From: wk at gnupg.org (Werner Koch) Date: Tue, 12 Jan 2010 09:35:17 +0100 Subject: very short plaintexts symmetrically encrypted In-Reply-To: <1263233163.32223.1354068889@webmail.messagingengine.com> References: <20100110094435.AF84CB00B5@smtp.hushmail.com> <87zl4myuy0.fsf@vigenere.g10code.de> <1263233163.32223.1354068889@webmail.messagingengine.com> Message-ID: <87hbqrzpoa.fsf@vigenere.g10code.de> On Mon, 11 Jan 2010 13:06:03 -0500, lists.gnupg-users at mephisto.fastmail.net wrote: > Forgive me, but how is a MitM attack possible against a symmetric cypher > using a shared, secret key? For example by swapping messages. Two messages are sent on two out-of-band events one which says Yes and the other says No. If you can mount an active MitM attack you can revert the meaning. A MitM may also inject faults to make the received message look like a transmission error and thereby triggering another message. Right, you can counter such attacks by adding more information to the message. However, the original post was about two short messages. Salam-Shalom, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From eocsor at gmail.com Tue Jan 12 09:15:50 2010 From: eocsor at gmail.com (Roscoe) Date: Tue, 12 Jan 2010 19:15:50 +1100 Subject: Web of Trust itself is the problem In-Reply-To: <4B45AB1A.3030500@gmail.com> References: <4B45AB1A.3030500@gmail.com> Message-ID: While the ontopicness of my comment is a bit questionable.... I don't think I've gotten an encrypted email in the last 12 months, but I still use gpg every day. All Debian and (I imagine, or at least hope) Debian derivatives such as Ubuntu incorporate digital signing of software. I think signing of software to be a pretty important thing, and represents a relatively large userbase that's not to be overlooked. Though, admittedly, some proportion of them are indifferent towards it. -- Roscoe From mwood at IUPUI.Edu Tue Jan 12 15:48:52 2010 
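Werner Koch's reply above in the "very short plaintexts symmetrically encrypted" thread (swapped Yes/No messages, and "adding more information to the message" as the counter), as an added example that is not code from the thread or from GnuPG. Assumptions: an HMAC under the shared key models the only thing a shared secret proves (the sender knew the key) in place of gpg's symmetric mode, and the key and event names are constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed shared secret"  # known only to sender and receiver


def seal(key, answer, event=None):
    """Protect a short answer under the shared key; optionally bind an event id."""
    payload = json.dumps({"answer": answer, "event": event},
                         sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def unseal(key, sealed, expected_event=None):
    """Verify the tag, then (if asked) that the message is for this event."""
    payload, tag = sealed
    good = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        raise ValueError("tag mismatch")
    fields = json.loads(payload)
    if expected_event is not None and fields["event"] != expected_event:
        raise ValueError("message was made for event %r" % fields["event"])
    return fields["answer"]


def run(bind_event, swapped_in_transit):
    """What the receiver concludes per event; 'REJECTED' if a check fails."""
    sent = {
        "monday": seal(KEY, "Yes", "monday" if bind_event else None),
        "tuesday": seal(KEY, "No", "tuesday" if bind_event else None),
    }
    arriving = dict(sent)
    if swapped_in_transit:
        # Neither message is modified, so no key is needed to do this.
        arriving["monday"], arriving["tuesday"] = sent["tuesday"], sent["monday"]
    concluded = {}
    for event, sealed in arriving.items():
        try:
            concluded[event] = unseal(KEY, sealed,
                                      event if bind_event else None)
        except ValueError:
            concluded[event] = "REJECTED"
    return concluded


def replay(bind_event):
    """Monday's genuine message is delivered again as Wednesday's answer."""
    old = seal(KEY, "Yes", "monday" if bind_event else None)
    try:
        return unseal(KEY, old, "wednesday" if bind_event else None)
    except ValueError:
        return "REJECTED"


if __name__ == "__main__":
    print("bare answers, swapped: ", run(False, True))
    print("bound answers, swapped:", run(True, True))
    print("replay, bare / bound:  ", replay(False), "/", replay(True))
```

With bare answers every tag verifies and the receiver still ends up with the meaning reversed. The cost of the fix is that the message is no longer "very short", which is the trade-off the reply points out.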
From: mwood at IUPUI.Edu (Mark H. Wood) Date: Tue, 12 Jan 2010 09:48:52 -0500 Subject: Web of Trust itself is the problem In-Reply-To: <4B4AAAF8.9010805@sixdemonbag.org> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> <4B4AAAF8.9010805@sixdemonbag.org> Message-ID: <20100112144852.GC29394@IUPUI.Edu> On Sun, Jan 10, 2010 at 11:37:12PM -0500, Robert J. Hansen wrote: > A few years ago a fellow grad student of mine, Peter Likarish, developed > a really cool anti-phishing technology. [but test subjects didn't react to the warning] > Peter's hypothesis was that Flash ads are to blame. Users have become > conditioned to having Flash ads appear on the screen, take over real > estate, and so on. Therefore, users were subconsciously filtering out > this big red alert bar and it was never percolating up to the conscious > level where users could make an informed decision about the risks. Yes indeedy. Those ad.s appear at the top of the page (and elsewhere, but there's *always* one at the top). We're rigorously trained every day to ignore stuff at the top of the page that doesn't look like what we expected. Maybe he should try a bar across the *middle* of the window, or a diagonal, or alpha-blend a red overcast onto the entire page.... Still, it's another technology-intractable problem. If people cared, they would train themselves to look for trouble indicators, like scanning the dashboard from time to time for problems with speed, fuel, temperature, etc. We're trained to operate motor vehicles, but not to operate browsers or MUAs. ("It's intuitive!" Not.) And meanwhile the world is training us that it is vitally important to our sanity and the defense of our time to learn to detect and ignore things that we don't care about. 
I think that technology can't help this as much as would knowing why we want some technology. People who feel a need will look for tools to deal with it; people who feel no need will ignore the finest tools. -- Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu Friends don't let friends publish revisable-form documents. From jeandavid8 at verizon.net Tue Jan 12 16:13:37 2010 
From: jeandavid8 at verizon.net (Jean-David Beyer) Date: Tue, 12 Jan 2010 10:13:37 -0500 Subject: Web of Trust itself is the problem In-Reply-To: <20100112144852.GC29394@IUPUI.Edu> References: <20100109065125.GA30406@cox.net> <20100109134913.GC8009@fritha.org> <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> <4B4AAAF8.9010805@sixdemonbag.org> <20100112144852.GC29394@IUPUI.Edu> Message-ID: <4B4C91A1.7060302@verizon.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark H. Wood wrote: | | Still, it's another technology-intractable problem. If people cared, | they would train themselves to look for trouble indicators, like | scanning the dashboard from time to time for problems with speed, | fuel, temperature, etc. We're trained to operate motor vehicles, but | not to operate browsers or MUAs. ("It's intuitive!" Not.) I know drivers who have no clue about all those trouble indicators. I was a passenger with a friend and I noticed the engine temperature gauge was too high. I urged her to stop the car until it could cool down and we could see what the trouble was. She said she would do that after lunch, but she did not have time then. I told her to turn the heater on full, and since this was summer, she objected, but did it. When we got to the restaurant, she turned the motor off. After lunch it had cooled down some, so I looked into the radiator where there was no noticeable water. We got some from the restaurant. I forgot what the trouble was (defective radiator hose, loose clamp, etc.), but at least she did not need to get a new engine. People often drive for months with the "Check Engine" light on. When I ask about this, they say it is nothing: it is always on. They have seen it so long they have gotten used to it. They just do not care. I knew a guy who had a Pontiac station wagon he bought new. 
He never had it serviced or even checked the oil or the oil pressure light. Well one of those will go about 25,000 miles before seizing up. - -- ~ .~. Jean-David Beyer Registered Linux User 85642. ~ /V\ PGP-Key: 9A2FC99A Registered Machine 241939. ~ /( )\ Shrewsbury, New Jersey http://counter.li.org ~ ^^-^^ 10:05:01 up 4 days, 12:00, 3 users, load average: 4.56, 4.59, 4.68 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org/ iD8DBQFLTJGhPtu2XpovyZoRAoziAKCwQV3ZfYoLK3u/K5UUKMntfo4lpwCeNYcv 2OElW0+lwjTgll0fSK4a/8M= =4tgG -----END PGP SIGNATURE----- From gnupg at rimertis.ch Tue Jan 12 20:15:12 2010 From: gnupg at rimertis.ch (fava64) Date: Tue, 12 Jan 2010 11:15:12 -0800 (PST) Subject: Use DINSIG SmartCard In-Reply-To: <87wrzqyuhh.fsf@vigenere.g10code.de> References: <27018282.post@talk.nabble.com> <873a2f12rd.fsf@vigenere.g10code.de> <27092467.post@talk.nabble.com> <87wrzqyuhh.fsf@vigenere.g10code.de> Message-ID: <27131962.post@talk.nabble.com> Hello Werner, >That probably means that your card does not follow the DIN V 66291-1 >(aka DINSIG) as implemented by scdaemon. In fact, the customer support wrote me that mail: "We are not sure why this tool is recognizing the card as a DINSIG card, but we are quite sure the card is not a DINSIG card. Most likely the card is using a ECH0064 compliant structure..." Could this be helpful and is there a solution to use this card with gnupg? Fabio From mariocastelancastro at gmail.com Tue Jan 12 22:04:20 2010 
From: mariocastelancastro at gmail.com (Mario Castelán Castro) Date: Tue, 12 Jan 2010 15:04:20 -0600 Subject: Web of Trust itself is the problem In-Reply-To: <4B4C91A1.7060302@verizon.net> References: <201001100927.14325.yochanon@localnet.com> <20100110194315.GA7277@cox.net> <20100111032459.GB7129@cox.net> <7D95E75E-A93B-431C-95FE-58F5F63C33EA@jabberwocky.com> <4B4AAAF8.9010805@sixdemonbag.org> <20100112144852.GC29394@IUPUI.Edu> <4B4C91A1.7060302@verizon.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 January 12th 2010 in gnupg-users at gnupg.org thread "Web of Trust itself is the problem" Actually I was quoting Robert Holtzman, not Robert J. Hansen, sorry for not including the full name. I have no time now to read those texts because my holidays ended already :(. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEAREIAAYFAktM48YACgkQZ4DA0TLic4j5CQCeOKzabnsWhEDJV9P6d4CoA8uW t3MAn26T7s6uB3GqQqThCj7oZw8F4XGG =6Jk1 -----END PGP SIGNATURE----- From stefanxe at gmx.net Tue Jan 12 23:18:29 2010 
From: stefanxe at gmx.net (Stefan Xenon) Date: Tue, 12 Jan 2010 23:18:29 +0100 Subject: problem importing key to card Message-ID: <4B4CF535.9080009@gmx.net>

Hi! Using an OpenPGP Card version 2 and importing an RSA 2048 bit key does not work for me. I followed the description at http://www.gnupg.org/howtos/card-howto/en/ch05.html#id2523191

moo:~ tk$ gpg2 --edit-key F1AE8111
gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/F1AE8111  created: 2010-01-12  expires: 2010-02-11  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/DF0A4C81  created: 2010-01-12  expires: 2010-02-11  usage: E
[ultimate] (1). test example (test01)

Command> toggle

sec  2048R/F1AE8111  created: 2010-01-12  expires: 2010-02-11
ssb  2048R/DF0A4C81  created: 2010-01-12  expires: never
(1)  test example (test01)

Command> keytocard
Really move the primary key? (y/N) y
Signature key ....: FB25 39EC 8116 3712 0FFE 4995 9B67 98D0 0214 4B4B
Encryption key....: 9BD4 36F2 C550 2565 43A6 AF45 E43A 0E62 1E52 E982
Authentication key: EC8F 47B5 2A4D 9DAF BB72 1DB8 16CB 79F9 1306 9CB9

You may only store a 1024 bit RSA key on the card

Command> toggle

pub  2048R/F1AE8111  created: 2010-01-12  expires: 2010-02-11  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/DF0A4C81  created: 2010-01-12  expires: 2010-02-11  usage: E
[ultimate] (1). test example (test01)

Command> showpref
[ultimate] (1). test example (test01)
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command> quit
moo:~ tk$ gpg2 --version
gpg (GnuPG/MacGPG2) 2.0.12
libgcrypt 1.4.4

Any idea how to get it working? Regards From pioterbrat at o2.pl Tue Jan 12 23:41:52 2010 
From: pioterbrat at o2.pl (Piotr Bratkowski)
Date: Tue, 12 Jan 2010 23:41:52 +0100
Subject: Changing trust in GPGME
Message-ID: <4B4CFAB0.4020007@o2.pl>

Hello,

I have this code. And when I see output owner_trust = 4, but in gpg from system I get 0. Do I need to somehow save this changes??

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#include <gpgme.h>

#include "t-support.h"

int
main (int argc, char **argv)
{
  gpgme_ctx_t ctx;
  gpgme_error_t err;
  gpgme_key_t key;
  int i = 0;

  init_gpgme (GPGME_PROTOCOL_OpenPGP);

  err = gpgme_new (&ctx);
  fail_if_err (err);
  err = gpgme_op_keylist_start (ctx, NULL, 0);
  fail_if_err (err);

  while (!(err = gpgme_op_keylist_next (ctx, &key)))
    {
      if (key->owner_trust == 0 && key->uids && key->subkeys)
        {
          /* Changes only the in-memory key object returned by the listing.  */
          key->owner_trust = GPGME_VALIDITY_FULL;
          fprintf (stderr, "%i : Key owner= %s fingerprint= %s trust= %i\n",
                   i, key->uids->name, key->subkeys->fpr, key->owner_trust);
        }
      gpgme_key_unref (key);
      i++;
    }

  gpgme_release (ctx);
  return 0;
}

Regards,
Piotr Bratkowski

From wk at gnupg.org Wed Jan 13 10:34:54 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Jan 2010 10:34:54 +0100
Subject: problem importing key to card
In-Reply-To: <4B4CF535.9080009@gmx.net>
References: <4B4CF535.9080009@gmx.net>
Message-ID: <876376z6td.fsf@vigenere.g10code.de>

On Tue, 12 Jan 2010 23:18:29 +0100, Stefan Xenon wrote:

> moo:~ tk$ gpg2 --edit-key F1AE8111
> gpg (GnuPG/MacGPG2) 2.0.12; Copyright (C) 2009 Free Software Foundation,
> Inc.

Get a more recent version of GnuPG. Although the NEWS entry for 2.01.2 claims that the OpenPGP card is supported we had to add some other things later, like:

  2009-07-09 Werner Koch

    * card-util.c (card_store_subkey): Do not restrict to 1024 bit keys.
    Print an error message on write errors.

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Wed Jan 13 10:39:28 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Jan 2010 10:39:28 +0100
Subject: Changing trust in GPGME
In-Reply-To: <4B4CFAB0.4020007@o2.pl>
References: <4B4CFAB0.4020007@o2.pl>
Message-ID: <874omqz6lr.fsf@vigenere.g10code.de>

On Tue, 12 Jan 2010 23:41:52 +0100, Piotr Bratkowski wrote:

> I have this code. And when I see output owner_trust = 4, but in gpg
> from system I get 0. Do I need to somehow save this changes??

This is not directly supported by GPGME. You need to write an edit interactor to control the gpg --edit-key command. GPA has code which shows how to do it.

> while(!(err = gpgme_op_keylist_next (ctx,&key))) {
> if(key->owner_trust==0)
> {
> key->owner_trust=GPGME_VALIDITY_FULL;
> fprintf(stderr,"%i : Key owner= %s fingerprint= %s trust=
> %i\n",i,key->uids->name,key->subkeys->fpr,key->owner_trust);

That is useless. You are changing a returned value for display. It does not make any sense to change it.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From pioterbrat at o2.pl Wed Jan 13 10:49:03 2010
From: pioterbrat at o2.pl (Piotr Bratkowski)
Date: Wed, 13 Jan 2010 10:49:03 +0100
Subject: Changing trust in GPGME
In-Reply-To: <874omqz6lr.fsf@vigenere.g10code.de>
References: <4B4CFAB0.4020007@o2.pl> <874omqz6lr.fsf@vigenere.g10code.de>
Message-ID: <4B4D970F.5060109@o2.pl>

Hello,

What is GPA??

Regards,
Piotr Bratkowski

Werner Koch wrote:
> On Tue, 12 Jan 2010 23:41:52 +0100, Piotr Bratkowski wrote:
>
>
>> I have this code. And when I see output owner_trust = 4, but in gpg
>> from system I get 0. Do I need to somehow save this changes??
>>
>
> This is not directly supported by GPGME. You need to write an edit
> interactor to control the gpg --edit-key command. GPA has code which
> shows how to do it.
>
>
>> while(!(err = gpgme_op_keylist_next (ctx,&key))) {
>> if(key->owner_trust==0)
>> {
>> key->owner_trust=GPGME_VALIDITY_FULL;
>> fprintf(stderr,"%i : Key owner= %s fingerprint= %s trust=
>> %i\n",i,key->uids->name,key->subkeys->fpr,key->owner_trust);
>>
>
> That is useless. You are changing a returned value for display. It
> does not make any sense to change it.
>
>
> Salam-Shalom,
>
> Werner
>
>

From wk at gnupg.org Wed Jan 13 12:16:53 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Jan 2010 12:16:53 +0100
Subject: Changing trust in GPGME
In-Reply-To: <4B4D970F.5060109@o2.pl>
References: <4B4CFAB0.4020007@o2.pl> <874omqz6lr.fsf@vigenere.g10code.de> <4B4D970F.5060109@o2.pl>
Message-ID: <873a2az23e.fsf@vigenere.g10code.de>

On Wed, 13 Jan 2010 10:49:03 +0100, Piotr Bratkowski wrote:

> What is GPA??

http://www.gnupg.org/related_software/gpa/

  The GNU Privacy Assistant (GPA) is a graphical user interface for the GnuPG (GNU Privacy Guard). GPA utilizes GTK (the GIMP Tool Kit) and compiles for various platforms. Actually GPA was the first GUI frontend for GPG.

The development site is at: http://wald.intevation.org/projects/gpa/

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From jrollins at finestructure.net Wed Jan 13 16:54:16 2010
From: jrollins at finestructure.net (Jameson Rollins)
Date: Wed, 13 Jan 2010 10:54:16 -0500
Subject: fragility of --edit-key interface [was: Re: Changing trust in GPGME]
In-Reply-To: <874omqz6lr.fsf@vigenere.g10code.de>
References: <4B4CFAB0.4020007@o2.pl> <874omqz6lr.fsf@vigenere.g10code.de>
Message-ID: <20100113155416.GA16077@finestructure.net>

On Wed, Jan 13, 2010 at 10:39:28AM +0100, Werner Koch wrote:
> On Tue, 12 Jan 2010 23:41:52 +0100, Piotr Bratkowski wrote:
>
> > I have this code. And when I see output owner_trust = 4, but in gpg
> > from system I get 0. Do I need to somehow save this changes??
>
> This is not directly supported by GPGME. You need to write an edit
> interactor to control the gpg --edit-key command. GPA has code which
> shows how to do it.

Hello Werner et al.

My understanding is that one of the main advantages of GPGME is that it provides a stable API to gnupg functionality. I understand that GPGME doesn't yet provide all the functionality that a user might need, but I think that suggesting developers use "gpg --edit-key" to achieve their desired functionality should include a strong warning that the interface to "gpg --edit-key" is fragile and may change unexpectedly and without warning.

For instance, as of v1.4.10 (and v2.0.13), the edit-key interface to generate a subkey on an existing key ('addkey') in expert mode changed such that the "RSA (set your own capabilities)" selection in the key type chooser moved from entry 7 to entry 8. As far as I can tell, this change was not documented, at least not in any of the changelogs associated with recent gnupg releases. The Monkeysphere project [0] is using this capability and this undocumented change recently caused problems.

Developers looking for the stable interface that GPGME is supposed to provide should be duly warned that the "gpg --edit-key" interface is not as stable, and that they should be on the lookout for changes to that interface in the future.

jamie.

[0] http://web.monkeysphere.info/

From wk at gnupg.org Wed Jan 13 21:05:05 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 13 Jan 2010 21:05:05 +0100
Subject: fragility of --edit-key interface
In-Reply-To: <20100113155416.GA16077@finestructure.net> (Jameson Rollins's message of "Wed, 13 Jan 2010 10:54:16 -0500")
References: <4B4CFAB0.4020007@o2.pl> <874omqz6lr.fsf@vigenere.g10code.de> <20100113155416.GA16077@finestructure.net>
Message-ID: <87k4vl7oum.fsf@vigenere.g10code.de>

On Wed, 13 Jan 2010 16:54, jrollins at finestructure.net said:

> functionality that a user might need, but I think that suggesting
> developers use "gpg --edit-key" to achieve their desired functionality
> should include a strong warning that the interface to "gpg --edit-key"
> is fragile and may change unexpectedly and without warning.

We try to keep the interface as stable as possible. The caller should ignore unknown prompts by answering them with "default" (i.e. an empty string). That works in most cases. An FSM should be used to implement such an edit interactor and should catch unknown transitions it can't handle.

> For instance, as of v1.4.10 (and v2.0.13), the edit-key interface to
> generate a subkey on an existing key ('addkey') in expert mode changed
> such that the "RSA (set your own capabilities)" selection in the key
> type chooser moved from entry 7 to entry 8. As far as I can tell,

Right that is a bug. You are the first to report it; possibly because no GUI made use of it. Unfortunately we can't fix that.

> changelogs associated with recent gnupg releases. The Monkeysphere
> project [0] is using this capability and this undocumented change
> recently caused problems.

We need to implement a stable and fixed way to select an algorithm. Please add an item to the bug tracker so that we don't forget about it.

> Developers looking for the stable interface that GPGME is supposed to
> provide should be duly warned that the "gpg --edit-key" interface is
> not as stable, and that they should be on the lookout for changes to

It is really hard to come up with a high-level API for all the possible ways to change a key with --edit-key. That is the reason why we only have the simple gpgme_op_edit function to work with it. The idea is to add more gpgme interfaces if enough applications require advanced key edit features. The first one is the new gpgme_op_passwd API ;-).

Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Thu Jan 14 09:06:28 2010
From: wk at gnupg.org (Werner Koch)
Date: Thu, 14 Jan 2010 09:06:28 +0100
Subject: Use DINSIG SmartCard
In-Reply-To: <27131962.post@talk.nabble.com> (fava's message of "Tue, 12 Jan 2010 11:15:12 -0800 (PST)")
References: <27018282.post@talk.nabble.com> <873a2f12rd.fsf@vigenere.g10code.de> <27092467.post@talk.nabble.com> <87wrzqyuhh.fsf@vigenere.g10code.de> <27131962.post@talk.nabble.com>
Message-ID: <873a296rgb.fsf@vigenere.g10code.de>

On Tue, 12 Jan 2010 20:15, gnupg at rimertis.ch said:

> "We are not sure why this tool is recognizing the card as a DINSIG card, but
> we are quite sure the card is not a DINSIG card.

Because the card implements it. Selecting the DINSIG AID (D207600006601) succeeds and thus GnuPG must assume that the card implements that spec.

> Could this be helpful and is there a solution to use this card with gnupg?

You are free to implement support for that card. I don't have any interest to do this. However you need to get the specs for that card and from my experience that is very very hard.

Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From cschattner at brightlineitv.com Wed Jan 13 16:23:49 2010
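For the "fragility of --edit-key interface" thread above, an added sketch (not GPGME's or GPA's code) of the FSM-style edit interactor Werner Koch describes, applied to the owner-trust change asked about in "Changing trust in GPGME". It models only the decision logic so that it runs without GPGME: the prompt keywords are the ones gpg sends on its status interface, while the state names, `interactor_step` and `run_script` are hypothetical and the prompt sequences are constructed.

```c
#include <stdio.h>
#include <string.h>

/* States of a hypothetical owner-trust interactor (names are assumptions). */
typedef enum { ST_START, ST_TRUST_SENT, ST_VALUE_SENT, ST_QUIT_SENT, ST_ERROR } state_t;

typedef struct {
    state_t state;
    const char *trust_value;  /* "1".."5": answer to edit_ownertrust.value */
    int defaulted;            /* unknown prompts answered with the default */
} interactor_t;

/* Prompt keywords this FSM has transitions for; anything else is unknown. */
static const char *const known[] = {
    "keyedit.prompt", "edit_ownertrust.value",
    "edit_ownertrust.set_ultimate.okay", "keyedit.save.okay"
};

static int is_known(const char *kw)
{
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(kw, known[i]) == 0)
            return 1;
    return 0;
}

/* Feed one prompt keyword, get the line to send back. "" accepts the default;
 * NULL means a known prompt arrived where no transition exists, so the
 * caller must abort the edit instead of guessing. */
const char *interactor_step(interactor_t *fsm, const char *kw)
{
    if (fsm->state == ST_ERROR)
        return NULL;
    if (!is_known(kw)) {          /* unknown prompt: default, state unchanged */
        fsm->defaulted++;
        return "";
    }
    switch (fsm->state) {
    case ST_START:
        if (!strcmp(kw, "keyedit.prompt")) { fsm->state = ST_TRUST_SENT; return "trust"; }
        break;
    case ST_TRUST_SENT:
        if (!strcmp(kw, "edit_ownertrust.value")) { fsm->state = ST_VALUE_SENT; return fsm->trust_value; }
        break;
    case ST_VALUE_SENT:
        /* Confirm "ultimate" only when the caller actually asked for it. */
        if (!strcmp(kw, "edit_ownertrust.set_ultimate.okay") && !strcmp(fsm->trust_value, "5"))
            return "y";
        if (!strcmp(kw, "keyedit.prompt")) { fsm->state = ST_QUIT_SENT; return "quit"; }
        break;
    case ST_QUIT_SENT:
        if (!strcmp(kw, "keyedit.save.okay"))
            return "y";
        break;
    default:
        break;
    }
    fsm->state = ST_ERROR;        /* known prompt, impossible place */
    return NULL;
}

/* Drive the FSM over a space-separated list of prompt keywords and return the
 * replies joined by '|'. "ABORT" marks a caught bad transition, "INCOMPLETE"
 * a session that ended before "quit" was sent. */
const char *run_script(const char *trust_value, const char *script)
{
    static char out[256];
    char buf[256];
    interactor_t fsm = { ST_START, trust_value, 0 };
    int n = 0;

    out[0] = '\0';
    snprintf(buf, sizeof buf, "%s", script);
    for (char *kw = strtok(buf, " "); kw != NULL; kw = strtok(NULL, " ")) {
        const char *reply = interactor_step(&fsm, kw);
        if (n++ > 0)
            strncat(out, "|", sizeof out - strlen(out) - 1);
        strncat(out, reply ? reply : "ABORT", sizeof out - strlen(out) - 1);
        if (reply == NULL)
            break;
    }
    if (fsm.state != ST_QUIT_SENT && fsm.state != ST_ERROR)
        strncat(out, "|INCOMPLETE", sizeof out - strlen(out) - 1);
    return out;
}

int main(void)
{
    /* Constructed prompt sequences, not captured from a real gpg run. */
    puts(run_script("4", "keyedit.prompt edit_ownertrust.value keyedit.prompt"));
    puts(run_script("4", "keyedit.prompt some.new.prompt edit_ownertrust.value keyedit.prompt"));
    puts(run_script("4", "keyedit.prompt keyedit.prompt"));
    return 0;
}
```

A keyword-driven FSM like this catches a prompt that shows up in the wrong place, but it cannot notice a renumbered menu entry such as the 'addkey' chooser change reported in the thread, because the keyword stays the same while the meaning of the numeric answer moves.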
From: cschattner at brightlineitv.com (Cori Schattner)
Date: Wed, 13 Jan 2010 10:23:49 -0500
Subject: Installing Software
Message-ID:

To Whom It May Concern:

I've downloaded the gnupg installation package and I'm running into some trouble building it. When I go to configure, I receive an error that reads "no acceptable compiler found in $PATH." I appreciate any assistance as I'm not so familiar with building files of this type.

Thanks,
Cori

From dave.smith at st.com Thu Jan 14 12:03:41 2010
From: dave.smith at st.com (David SMITH)
Date: Thu, 14 Jan 2010 11:03:41 +0000
Subject: Installing Software
In-Reply-To:
References:
Message-ID: <20100114110341.GQ28469@bristol.st.com>

On Wed, Jan 13, 2010 at 10:23:49AM -0500, Cori Schattner wrote:
> I've downloaded the gnupg installation package and I'm running into some trouble building it. When I go to configure, I receive an error that reads "no acceptable compiler found in $PATH." I appreciate any assistance as I'm not so familiar with building files of this type.

More information required...

Which Operating System?
Which package are you trying to install?
Source or Binary?

It sounds like you've got a source package, and you're trying to install on some kind of UNIX system. It sounds like the problem is that it's looking for a C compiler (e.g. gcc) and you haven't got one installed.

-- 
David Smith        | Tel: +44 (0)1454 462380  Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380           GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk

From bxstover at yahoo.co.uk Thu Jan 14 11:50:06 2010
From: bxstover at yahoo.co.uk (Ben Stover)
Date: Thu, 14 Jan 2010 11:50:06 +0100
Subject: set delivery off
Message-ID: <949137.47591.qm@smtp129.mail.ukl.yahoo.com>

set delivery off

From bxstover at yahoo.co.uk Thu Jan 14 11:57:58 2010
From: bxstover at yahoo.co.uk (Ben Stover)
Date: Thu, 14 Jan 2010 11:57:58 +0100
Subject: set delivery off
Message-ID: <789538.36443.qm@smtp141.mail.ukl.yahoo.com>

set authenticate cvsx
set delivery off

From tkoeppen at gmail.com Thu Jan 14 23:21:48 2010
From: tkoeppen at gmail.com (Thomas Koeppen)
Date: Thu, 14 Jan 2010 14:21:48 -0800 (PST)
Subject: problem importing key to card
In-Reply-To: <876376z6td.fsf@vigenere.g10code.de>
References: <4B4CF535.9080009@gmx.net> <876376z6td.fsf@vigenere.g10code.de>
Message-ID: <27169062.post@talk.nabble.com>

Werner Koch wrote:
>
> Get a more recent version of GnuPG. Although the NEWS entry for
> 2.01.2 claims that the OpenPGP card is supported we had to add some
> other things later ...
>

Upgraded from MacGPG2 2.0.12 to 2.0.14RC2 (http://sourceforge.net/projects/macgpg2/files/).

--edit-key / toggle / keytocard works now.

Best
Thomas

From caralus at gmx.de Fri Jan 15 10:24:30 2010
From: caralus at gmx.de (Tobias)
Date: Fri, 15 Jan 2010 10:24:30 +0100
Subject: weird behavior of symmetrically encrypted file
Message-ID: <4B50344E.9090504@gmx.de>

Hi there,

I have a symmetrically encrypted gpg file I want to decrypt. It seems I have forgotten the passphrase, because none of the ones I'd usually use for such a file will work.

So I wrote a python script that tries to find the correct passphrase by brute force. I didn't put much hope in it, but hey, better to do something else other than agonize about the correct passphrase, right?

So imagine my surprise when after only a couple of hours my script says it has found the correct passphrase. I try it and hooray, gpg doesn't throw the "decryption failed: bad key" message. Unfortunately, it still doesn't decrypt the file. It simply does nothing at all.

# gpg --no-use-agent --passphrase "3ity" usbkey-howto.txt.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
# ls usbkey-howto.txt
ls: cannot access usbkey-howto.txt: No such file or directory

Why do I get a passphrase ("3ity") which I can't remember having ever used in my life? Why does gpg regard it as correct but still not decrypt my file? And apart from these somewhat academical questions: Is there a way I can use the half-correct passphrase to refine (which means, speed up) my search for the truly correct one? If I can use it to significantly reduce the set of possible passphrases, it may save me some decades worth of blind guessing.

I'm using GnuPG 1.4.9 on Ubuntu 9.04. The encrypted file is attached for reference.

Glad for any help!

-- 
Liebe Grüße
Tobias

-------------- next part --------------
A non-text attachment was scrubbed...
Name: usbkey-howto.txt.gpg
Type: application/pgp-encrypted
Size: 385 bytes
Desc: not available
URL:

From dkg at fifthhorseman.net Fri Jan 15 20:55:50 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 15 Jan 2010 14:55:50 -0500
Subject: weird behavior of symmetrically encrypted file
In-Reply-To: <4B50344E.9090504@gmx.de>
References: <4B50344E.9090504@gmx.de>
Message-ID: <4B50C846.6070300@fifthhorseman.net>

Hi Tobias--

On 01/15/2010 04:24 AM, Tobias wrote:
> Why do I get a passphrase ("3ity") which I can't remember having ever
> used in my life? Why does gpg regard it as correct but still not decrypt
> my file? And apart from these somewhat academical questions: Is there a
> way I can use the half-correct passphrase to refine (which means, speed
> up) my search for the truly correct one? If I can use it to
> significantly reduce the set of possible passphrases, it may save me
> some decades worth of blind guessing.

I suspect what you're seeing is a function of the way the OpenPGP standard handles passphrase calculations for "Symmetrically Encrypted Data Packet" [0].

Basically, the data that is being symmetrically encrypted is prefixed with an IV that contains a duplicated chunk of 16 bits for a non-normative "quick check" that the session key was correct. This means that 1 out of 2^16 choices of session key will falsely pass the quick-check purely by chance, even though the material is actually not correctly decrypted.

I don't know what brute force method you were using, but i suspect you had about 5 bits of entropy per character in your enumerations. For example, all lower-case letters plus numbers is a total of 36 possibilities, which is just about 5 bits (2^5 == 32). With 4-character passphrases at 5 bits per character, you would run through 2^20 passphrases. So it's likely that you exhausted 2^16 passphrases, and stumbled into one of the "quick check" false positives. This does *not* mean that your data is insecure. It means the quick check is advisory at best.

(see also the security considerations related to this "quick check" [1])

hope this helps,

	--dkg

[0] http://tools.ietf.org/html/rfc4880#section-5.7
[1] http://tools.ietf.org/html/rfc4880#page-84

From marco.maggi-ipsu at poste.it Fri Jan 15 21:08:00 2010
From: marco.maggi-ipsu at poste.it (Marco Maggi)
Date: Fri, 15 Jan 2010 21:08:00 +0100
Subject: [admin] web pages not updated
Message-ID: <87d41bku73.fsf@rapitore.luna>

Ciao,

I generate some noise here in the hope to reach the admins of www.gnupg.org; despite the recent releases of gpgme and libassuan, the page at:

still proposes links to gpgme version 1.1.8 and libassuan version 1.0.5.

TIA
-- 
Marco Maggi

From taurus366 at gmail.com Fri Jan 15 23:50:53 2010
From: taurus366 at gmail.com (taurus)
Date: Fri, 15 Jan 2010 22:50:53 +0000
Subject: OpenPGP card not available- Card error
Message-ID: <71493E49-3732-4F24-AB3D-B63888E24CCB@gmail.com>

Hi list,

Change to a new macbook pro and my card reader is not recognized by gpg2. In the old notebook is fine. OS is the same in both; Mac OSX 10.5.8

computer:~$ pcsctest

MUSCLE PC/SC Lite Test Program

Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Gemplus GemPC Twin 00 00
Enter the reader number : 01
Waiting for card insertion : Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : Gemplus GemPC Twin 00 00
Current Reader State : 0x34
Current Reader Protocol : 0x1
Current Reader ATR Size : 20 (0x14)
Current Reader ATR Value : 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Gemplus GemPC Twin 00 00
Enter the reader number : 01
Waiting for card insertion : Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : Gemplus GemPC Twin 00 00
Current Reader State : 0x34
Current Reader Protocol : 0x1
Current Reader ATR Size : 20 (0x14)
Current Reader ATR Value : 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.

PC/SC Test Completed Successfully !

~$ gpg --card-status
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
computer:~$

Any idea?

TIA.
From benjamin at py-soft.co.uk Sat Jan 16 00:59:19 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 15 Jan 2010 23:59:19 +0000
Subject: OpenPGP card not available- Card error
In-Reply-To: <71493E49-3732-4F24-AB3D-B63888E24CCB@gmail.com>
References: <71493E49-3732-4F24-AB3D-B63888E24CCB@gmail.com>
Message-ID: <732076a81001151559k5d39c0c0j60b8249e42a2b07e@mail.gmail.com>

2010/1/15 taurus :
> Change to a new macbook pro and my card reader is not recognized by gpg2.
> In the old notebook is fine. OS is the same in both; Mac OSX 10.5.8

Are you using MacGPG2, http://macgpg2.sourceforge.net/ ?

Ben

From taurus366 at gmail.com Sat Jan 16 01:48:07 2010
From: taurus366 at gmail.com (taurus)
Date: Sat, 16 Jan 2010 00:48:07 +0000
Subject: OpenPGP card not available- Card error
In-Reply-To: <732076a81001151639l5aab6276w98af2ad47313c638@mail.gmail.com>
References: <71493E49-3732-4F24-AB3D-B63888E24CCB@gmail.com> <732076a81001151559k5d39c0c0j60b8249e42a2b07e@mail.gmail.com> <732076a81001151639l5aab6276w98af2ad47313c638@mail.gmail.com>
Message-ID: <10FF550B-FF80-4190-A779-5C188BD72AD3@gmail.com>

On 16 January 2010, at 00:39, Benjamin Donnachie wrote:

> 2010/1/16 taurus :
>>> Are you using MacGPG2, http://macgpg2.sourceforge.net/ ?
>> Yes, and is working fine in both notebooks.
>
> But you're having trouble with the OpenPGP cards?

Could it be related to the fact that in the new macbook I have installed the software for the ID card (pt)?

Link: http://www.cartaodecidadao.pt/index.php?option=com_content&task=view&id=102&Itemid=44&lang=pt

From caralus at gmx.de Sun Jan 17 03:03:34 2010
From: caralus at gmx.de (Tobias)
Date: Sun, 17 Jan 2010 03:03:34 +0100
Subject: weird behavior of symmetrically encrypted file
In-Reply-To: <4B50C846.6070300@fifthhorseman.net>
References: <4B50344E.9090504@gmx.de> <4B50C846.6070300@fifthhorseman.net>
Message-ID: <4B526FF6.4030905@gmx.de>

Hi Daniel,

thank you for your answer, it helped me a lot. The quick check does explain the behavior I described in my earlier mail. Your guess is also good: I have a 6 bit entropy per character. Therefore it is more than likely that I stumbled into a false positive passphrase within a four character range.

The next question is whether I can use this to speed up my brute force attempt. Is it possible to utilize the false positive passphrase for finding other positives, false or not? My idea is not to try and decrypt the file with each new passphrase, but to perform the quick check on it and then compare the result with the result of the false positive. This way I should be able to rule out negatives fast - at least faster than by having gpg try every passphrase from scratch (although I'd still have to see whether it's fast enough to make the brute force attempt reasonable).

The thing I'm unsure about is which parts of the decryption process I'd have to apply in order to safely discriminate positives from negatives. As far as I understand the RFC, it should suffice to compute the decryption key from the current passphrase and compare it to the key from my false positive. Is that correct, or am I missing a step here?

-- 
Liebe Grüße
Tobias

Daniel Kahn Gillmor wrote:
> Hi Tobias--
>
> On 01/15/2010 04:24 AM, Tobias wrote:
>> Why do I get a passphrase ("3ity") which I can't remember having ever
>> used in my life? Why does gpg regard it as correct but still not decrypt
>> my file? And apart from these somewhat academical questions: Is there a
>> way I can use the half-correct passphrase to refine (which means, speed
>> up) my search for the truly correct one? If I can use it to
>> significantly reduce the set of possible passphrases, it may save me
>> some decades worth of blind guessing.
>
> I suspect what you're seeing is a function of the way the OpenPGP
> standard handles passphrase calculations for "Symmetrically Encrypted
> Data Packet" [0].
>
> Basically, the data that is being symmetrically encrypted is prefixed
> with an IV that contains a duplicated chunk of 16 bits for a
> non-normative "quick check" that the session key was correct. This
> means that 1 out of 2^16 choices of session key will falsely pass the
> quick-check purely by chance, even though the material is actually not
> correctly decrypted.
>
> I don't know what brute force method you were using, but i suspect you
> had about 5 bits of entropy per character in your enumerations. For
> example, all lower-case letters plus numbers is a total of 36
> possibilities, which is just about 5 bits (2^5 == 32). With 4-character
> passphrases at 5 bits per character, you would run through 2^20
> passphrases. So it's likely that you exhausted 2^16 passphrases, and
> stumbled into one of the "quick check" false positives. This does *not*
> mean that your data is insecure. It means the quick check is advisory
> at best.
>
> (see also the security considerations related to this "quick check" [1])
>
> hope this helps,
>
> --dkg
>
> [0] http://tools.ietf.org/html/rfc4880#section-5.7
> [1] http://tools.ietf.org/html/rfc4880#page-84
>

From cleardata at earthlink.net Sun Jan 17 08:11:06 2010
From: cleardata at earthlink.net (Dr. Blunt)
Date: Sat, 16 Jan 2010 23:11:06 -0800
Subject: fatal: can't create directory `//.gnupg': Permission denied
Message-ID: <6.1.2.0.2.20100116230848.01c75918@insurancecompany.com>

I can manually run the php script but cannot run it as a cron. I am logged in as the owner of the script... Can you point in the right direction. Thanks

This is the error:

gpg: fatal: can't create directory `//.gnupg': Permission denied
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

.....

From sean at srima.ie Sun Jan 17 18:23:31 2010
From: sean at srima.ie (Sean Rima)
Date: Sun, 17 Jan 2010 17:23:31 +0000
Subject: Problem encrypting to a hushmail gpg key
Message-ID: <4B534793.4090402@srima.ie>

Hi

A friend on the pgpnet mailing list is using a hushmail.com gpg key but when I import it, I get:

C:\Users\Sean Rima>gpg --import < test.txt
gpg: key C4E23A82: accepted non self-signed user ID ""*********@hushmail.com" <---- at hushmail.com>"
gpg: key C4E23A82: public key ""---- at hushmail.com" " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

If I edit the key, I see:

pub 0s/C4E23A82 created: 2010-01-07 expires: never usage: SC
[ unknown] (1). "------ at hushmail.com" <------ at hushmail.com>

I see there is no encryption subkey. If I look at the key with --list-packets, I see

C:\Users\Sean Rima>gpg --list-packets < test.txt
:public key packet:
        version 4, algo 3, created 1262830845, expires 0
        unknown algorithm 3
:user ID packet: ""------ at hushmail.com" <------ at hushmail.com>"
:signature packet: algo 3, keyid 7853D9CDC4E23A82
        version 4, created 1262830846, md5len 0, sigclass 0x10
        digest algo 2, begin of digest cd b3
        hashed subpkt 21 len 5 (pref-hash-algos: 8 9 10 3 2)
        hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 10 4)
        hashed subpkt 2 len 4 (sig created 2010-01-07)
        subpkt 16 len 8 (issuer key ID 7853D9CDC4E23A82)
        unknown algorithm 3
:signature packet: algo 1, keyid CE462071331D023F
        version 4, created 1262968405, md5len 0, sigclass 0x13
        digest algo 2, begin of digest 1a d7
        hashed subpkt 2 len 4 (sig created 2010-01-08)
        subpkt 16 len 8 (issuer key ID CE462071331D023F)
        data: [2047 bits]
:public sub key packet:
        version 4, algo 2, created 1262830846, expires 0
        unknown algorithm 2
:signature packet: algo 3, keyid 7853D9CDC4E23A82
        version 4, created 1262830857, md5len 0, sigclass 0x18
        digest algo 2, begin of digest 8b f2
        hashed subpkt 2 len 4 (sig created 2010-01-07)
        subpkt 16 len 8 (issuer key ID 7853D9CDC4E23A82)
        unknown algorithm 3

Am I missing something here with this key? I am using gpg2.0.12 (waiting for gpg4win to be compiled to latest)

Sean

-- 
GSWoT and CaCert WOT Assurer
.tel http://rima.tel/
I believe that every human has a finite number of heartbeats. I don't intend to waste any of mine running around doing exercises. - Neil Armstrong

From dkg at fifthhorseman.net Mon Jan 18 19:35:19 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 18 Jan 2010 13:35:19 -0500
Subject: weird behavior of symmetrically encrypted file
In-Reply-To: <4B526FF6.4030905@gmx.de>
References: <4B50344E.9090504@gmx.de> <4B50C846.6070300@fifthhorseman.net> <4B526FF6.4030905@gmx.de>
Message-ID: <4B54A9E7.3040101@fifthhorseman.net>

Hi Tobias--

On 01/16/2010 09:03 PM, Tobias wrote:
> thank you for your answer, it helped me a lot.

You're welcome! Glad to be helpful.

> The thing I'm unsure about is which parts of the decryption process I'd
> have to apply in order to safely discriminate positives from negatives.
> As far as I understand the RFC, it should suffice to compute the
> decryption key from the current passphrase and compare it to the key
> from my false positive. Is that correct, or am I missing a step here?

my understanding of the steps involved is slightly different -- i don't think you'll be able to speed things up much the way you describe. (if you could, it would certainly reflect poorly on the OpenPGP packaging format!)

I think the steps needed are:

 * generate the key from the proposed passphrase, using whatever S2K technique is indicated by the file; you can get this from gpg --list-packets

From dshaw at jabberwocky.com Tue Jan 19 23:18:55 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 19 Jan 2010 17:18:55 -0500
Subject: weird behavior of symmetrically encrypted file
In-Reply-To: <4B54A9E7.3040101@fifthhorseman.net>
References: <4B50344E.9090504@gmx.de> <4B50C846.6070300@fifthhorseman.net> <4B526FF6.4030905@gmx.de> <4B54A9E7.3040101@fifthhorseman.net>
Message-ID:

On Jan 18, 2010, at 1:35 PM, Daniel Kahn Gillmor wrote:

> so basically, what i'm saying is that the speedup is that you get to
> throw away (2^16-1) of every 2^16 possible passphrases, but you still
> need to do a significant amount of work to figure out if you can throw
> them away.

Exactly. The big speedup you get by using the quick check is that you don't discover that the key you have is wrong after you've gone and decrypted gigabytes of garbage. It does not improve your s2k performance at all, since as you point out, that would render the s2k count sort of meaningless.

Incidentally, a few years ago there was an interesting attack against OpenPGP that used the quick check bytes as an oracle. See http://eprint.iacr.org/2005/033 for the paper. This is why the quick check isn't done for public key encryption (only conventional passphrase encryption).

David

From faramir.cl at gmail.com Wed Jan 20 00:03:39 2010
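The quick check discussed in this thread, as an added example that is not code from the thread or from GnuPG: it builds the 10-octet header of RFC 4880's OpenPGP CFB mode for a 64-bit block cipher and counts how many wrong passphrases, out of the 2^20 in Daniel Kahn Gillmor's estimate, still pass the check. XTEA and the FNV-based key derivation are stand-ins (assumptions) for CAST5 and S2K so that the block is self-contained; the passphrase, prefix and function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BS 8  /* block size in octets of a 64-bit block cipher such as CAST5 */

/* XTEA block encryption, used only as a compact stand-in for CAST5. */
static void xtea_encrypt(const uint32_t key[4], uint32_t v[2])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Stand-in for the S2K step: two FNV-1a passes plus a mixing round.
 * No salt and no iteration count, unlike real OpenPGP S2K. */
static void derive_key(const char *pass, uint32_t key[4])
{
    uint64_t h[2] = { 0xcbf29ce484222325ULL, 0x84222325cbf29ce4ULL };
    for (int j = 0; j < 2; j++) {
        for (const char *p = pass; *p; p++)
            h[j] = (h[j] ^ (uint8_t)*p) * 0x100000001b3ULL;
        h[j] ^= h[j] >> 33;
        h[j] *= 0xff51afd7ed558ccdULL;
        h[j] ^= h[j] >> 33;
        key[2 * j] = (uint32_t)h[j];
        key[2 * j + 1] = (uint32_t)(h[j] >> 32);
    }
}

static void encrypt_block(const uint32_t key[4], const uint8_t in[BS], uint8_t out[BS])
{
    uint32_t v[2];
    for (int w = 0; w < 2; w++)
        v[w] = ((uint32_t)in[4 * w] << 24) | ((uint32_t)in[4 * w + 1] << 16)
             | ((uint32_t)in[4 * w + 2] << 8) | (uint32_t)in[4 * w + 3];
    xtea_encrypt(key, v);
    for (int i = 0; i < BS; i++)
        out[i] = (uint8_t)(v[i / 4] >> (24 - 8 * (i % 4)));
}

/* Sender side: encrypt the BS-octet random prefix with FRE = E(0), then the
 * repeat of its last two octets with the first two octets of E(C1..C8). */
void make_header(const char *pass, const uint8_t prefix[BS], uint8_t hdr[BS + 2])
{
    uint32_t key[4];
    uint8_t zero[BS] = {0}, fre[BS];
    derive_key(pass, key);
    encrypt_block(key, zero, fre);
    for (int i = 0; i < BS; i++)
        hdr[i] = fre[i] ^ prefix[i];
    encrypt_block(key, hdr, fre);
    hdr[BS] = fre[0] ^ prefix[BS - 2];
    hdr[BS + 1] = fre[1] ^ prefix[BS - 1];
}

/* Receiver side: decrypt octets 7..10 and test whether 7,8 equal 9,10.
 * A wrong key yields pseudo-random octets, so it passes 1 time in 2^16. */
int quick_check(const char *pass, const uint8_t hdr[BS + 2])
{
    uint32_t key[4];
    uint8_t zero[BS] = {0}, fre1[BS], fre2[BS];
    derive_key(pass, key);
    encrypt_block(key, zero, fre1);
    encrypt_block(key, hdr, fre2);
    return (hdr[BS - 2] ^ fre1[BS - 2]) == (hdr[BS] ^ fre2[0])
        && (hdr[BS - 1] ^ fre1[BS - 1]) == (hdr[BS + 1] ^ fre2[1]);
}

static const uint8_t PREFIX[BS] = { 0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x4d, 0xb8, 0x66 }; /* constructed */
static const char TRUE_PASS[] = "constructed-long-passphrase";                        /* constructed */

int true_passphrase_passes(void)
{
    uint8_t hdr[BS + 2];
    make_header(TRUE_PASS, PREFIX, hdr);
    return quick_check(TRUE_PASS, hdr);
}

/* Try every 4-character string over a 32-symbol alphabet (2^20 candidates).
 * None of them is the real passphrase, so every hit is a false positive. */
long count_false_positives(void)
{
    static const char abc[] = "abcdefghijklmnopqrstuvwxyz234567";
    uint8_t hdr[BS + 2];
    char cand[5] = {0};
    long hits = 0;
    make_header(TRUE_PASS, PREFIX, hdr);
    for (int a = 0; a < 32; a++)
        for (int b = 0; b < 32; b++)
            for (int c = 0; c < 32; c++)
                for (int d = 0; d < 32; d++) {
                    cand[0] = abc[a]; cand[1] = abc[b];
                    cand[2] = abc[c]; cand[3] = abc[d];
                    hits += quick_check(cand, hdr);
                }
    return hits;
}

int main(void)
{
    printf("true passphrase passes: %d\n", true_passphrase_passes());
    printf("false positives in 2^20 wrong candidates: %ld\n", count_false_positives());
    return 0;
}
```

The count comes out near 2^20 / 2^16 = 16: each hit is a passphrase that gets past the quick check yet decrypts to garbage, which is why a pass only means "not obviously wrong" and an integrity check over the whole message is what confirms a key.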
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 19 Jan 2010 20:03:39 -0300
Subject: weird behavior of symmetrically encrypted file
In-Reply-To: <4B526FF6.4030905@gmx.de>
References: <4B50344E.9090504@gmx.de> <4B50C846.6070300@fifthhorseman.net> <4B526FF6.4030905@gmx.de>
Message-ID: <4B563A4B.7090502@gmail.com>

Tobias wrote:
...
> The next question is whether I can use this to speed up my brute force
> attempt. Is it possible to utilize the false positive passphrase for

Maybe you should try some dictionary attack, based in mutations of the password that should be the right one, probably you mistyped it when you encrypted the file... I don't know about a software capable of using dictionary attack against a file encrypted with GnuPG.

Best Regards

From mkrotzer at fastmail.fm Wed Jan 20 05:46:56 2010
From: mkrotzer at fastmail.fm (Matthew Krotzer)
Date: Tue, 19 Jan 2010 23:46:56 -0500
Subject: distributing ones public key (email)
Message-ID: <20100120044655.GA29165@bebop>

What is the best way to let people know you use gpg in an email signature?

Any pitfalls to be concerned with?

Matthew

From rjh at sixdemonbag.org Wed Jan 20 07:11:04 2010
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Wed, 20 Jan 2010 01:11:04 -0500 Subject: distributing ones public key (email) In-Reply-To: <20100120044655.GA29165@bebop> References: <20100120044655.GA29165@bebop> Message-ID: <4B569E78.2010800@sixdemonbag.org> On 1/19/10 11:46 PM, Matthew Krotzer wrote: > What is the best way to let people know you use gpg in an email > signature? Some email clients (Thunderbird+Enigmail, for instance) let you put a kind of note to other users hidden in the email headers. These things, called "kludges," are one of the preferred ways to do it. If you really want to do it in a signature block, I'd suggest adding something as simple as "OpenPGP: 0xDECAFBAD" or whatever the heck your key ID is. :) From John at Mozilla-Enigmail.org Wed Jan 20 08:06:27 2010 
From: John at Mozilla-Enigmail.org (John Clizbe) Date: Wed, 20 Jan 2010 01:06:27 -0600 Subject: distributing ones public key (email) In-Reply-To: <4B569E78.2010800@sixdemonbag.org> References: <20100120044655.GA29165@bebop> <4B569E78.2010800@sixdemonbag.org> Message-ID: <4B56AB73.4@Mozilla-Enigmail.org> Robert J. Hansen wrote: > On 1/19/10 11:46 PM, Matthew Krotzer wrote: >> What is the best way to let people know you use gpg in an email >> signature? > > Some email clients (Thunderbird+Enigmail, for instance) let you put a > kind of note to other users hidden in the email headers. These things, > called "kludges," are one of the preferred ways to do it. > > If you really want to do it in a signature block, I'd suggest adding > something as simple as "OpenPGP: 0xDECAFBAD" or whatever the heck your > key ID is. :) Or you may include a link to the key http://www.gingerbear.net/~jpclizbe/0x608D2A10.asc or a link to the key on the keyservers http://keyserver.gingerbear.net:11371/pks/lookup?search=0x1d04ac4a608d2a10& \ fingerprint=on&op=index Some folks attach their keys or even include it inline in the message, but there are much nicer and email-friendlier ways to accomplish it. -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From taurus366 at gmail.com Wed Jan 20 17:11:01 2010 
From: taurus366 at gmail.com (taurus) Date: Wed, 20 Jan 2010 16:11:01 +0000 Subject: Gnupg doesn't recognize card. Message-ID: Hi list, I'm not an expert, and I need some help to solve this. Gpg does not recognize my fellowship card; ~ xxx$ gpg --card-status gpg: selecting openpgp failed: Card error gpg: OpenPGP card not available: Card error And pcsctest looks like this; ~ xxx$ pcsctest MUSCLE PC/SC Lite Test Program Testing SCardEstablishContext : Command successful. Testing SCardGetStatusChange Please insert a working reader : Command successful. Testing SCardListReaders : Command successful. Reader 01: Gemplus GemPC Twin 00 00 Enter the reader number : 01 Waiting for card insertion : Command successful. Testing SCardConnect : Command successful. Testing SCardStatus : Command successful. Current Reader Name : Gemplus GemPC Twin 00 00 Current Reader State : 0x34 Current Reader Protocol : 0x1 Current Reader ATR Size : 20 (0x14) Current Reader ATR Value : 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1 Testing SCardDisconnect : Command successful. Testing SCardReleaseContext : Command successful. Testing SCardEstablishContext : Command successful. Testing SCardGetStatusChange Please insert a working reader : Command successful. Testing SCardListReaders : Command successful. Reader 01: Gemplus GemPC Twin 00 00 Any library is missing or some? I can't figure out how to solve this, Mac OSX (10.5.8) gpg 2.0.14 Any help? TIA. From chd at chud.net Wed Jan 20 21:43:20 2010 
From: chd at chud.net (Chris De Young) Date: Wed, 20 Jan 2010 13:43:20 -0700 Subject: distributing ones public key (email) In-Reply-To: <20100120044655.GA29165@bebop> References: <20100120044655.GA29165@bebop> Message-ID: <4B576AE8.1040501@chud.net> Matthew Krotzer wrote: > What is the best way to let people know you use gpg in an email signature? I usually just sign my messages and figure that's sufficient advertising. I'm sure that only a very small minority of my recipients bothers to validate the signature, so advertising is actually one of the main values in routine signing. (I know that's not exactly what you asked, but would it work for you?) The only problem I have run into with this is the occasional client that doesn't display the message body because, being a separate mime part, it thinks it's an attachment, and so the recipient thinks there is not text in the message. These seem to be fairly rare these days though - or maybe I just don't know many people who use clients like this. Cheers, -Chris From josselin.jacquard at gmail.com Wed Jan 20 21:38:54 2010 From: josselin.jacquard at gmail.com (Josselin Jacquard) Date: Wed, 20 Jan 2010 21:38:54 +0100 Subject: gpgme_signature_t summary is 0 Message-ID: <8fc486711001201238p5f9b9c8bj7760d62a109287d6@mail.gmail.com> Hi everybody, On some keys, gpgme returns a 0 bytes for the signature summary, with no errors. The signs are ok in my tests Is it a bug ? It should return GPGME_SIGSUM_VALID = 0x0001 shouldn't it ? Does someone know why the flag hasn't been set ? Thanks in advance, Joss From rpnagendra at yahoo.com Wed Jan 20 22:41:48 2010 
From: rpnagendra at yahoo.com (RP Nagendra Kumar) Date: Wed, 20 Jan 2010 13:41:48 -0800 (PST) Subject: public key already present Message-ID: <794638.79946.qm@web54208.mail.re2.yahoo.com> Hello All, Am getting below message while decrypting the file and it's aborting without decrypting the file. gpg: : skipped: public key already present. This has happened due to deletion of an earlier public key with same name and importing new public key with same name. How can I make this work with new public key? Thanks for your help! Regards, Raj From cleardata at earthlink.net Thu Jan 21 02:41:05 2010 From: cleardata at earthlink.net (Dr. Blunt) Date: Wed, 20 Jan 2010 17:41:05 -0800 Subject: Found the Problem: can't create directory `//.gnupg': Permission denied In-Reply-To: References: Message-ID: <6.1.2.0.2.20100120173856.01d0d158@earthlink.net> Found the problem -- I guess I need to run the cron in /var/spool/ it appears to be working now. ~~Thanks >Message: 1 >Date: Sat, 16 Jan 2010 23:11:06 -0800 >From: "Dr. Blunt" >Subject: fatal: can't create directory `//.gnupg': Permission denied >To: gnupg-users at gnupg.org >Message-ID: <6.1.2.0.2.20100116230848.01c75918 at insurancecompany.com> >Content-Type: text/plain; charset="us-ascii"; format=flowed > >I can manually run the php script but cannot run it as a cron. >I am logged in as the owner of the script... Can you point >in the right direction. Thanks > >This is the error: >gpg: fatal: can't create directory `//.gnupg': Permission denied >secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768 ..... From mohanr at fss.co.in Wed Jan 20 15:51:02 2010 
From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Wed, 20 Jan 2010 20:21:02 +0530 Subject: Encrypting for multiple users Message-ID: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> Hi, I am encrypting for multiple recipients. gpg -r -r -r -r --encrypt file.txt 3 users are able to decrypt the files. The 4th user though is getting this message. I am using GPG. All users use PGP to decrypt. Shouldn't make a difference ? "It is not possible to decrypt this message because your keyring does not contain usable private key(s) corresponding to any of the above public key(s)." It looks like the 4 th user is doing something wrong ? Thanks, Mohan From rubinglen at yahoo.com Thu Jan 21 03:00:37 2010 From: rubinglen at yahoo.com (Glen Rubin) Date: Wed, 20 Jan 2010 18:00:37 -0800 (PST) Subject: error during build Message-ID: <653377.44715.qm@web63104.mail.re1.yahoo.com> Hey List! I am trying to build gnupg for my puppy linux box, but when I run make I get the following errors: status.c:25:26: error: status-codes.h: No such file or directory status.c: In function 'get_status_string': status.c:32: warning: implicit declaration of function 'statusstr_msgidxof' status.c:36: error: 'statusstr_msgstr' undeclared (first use in this function) status.c:36: error: (Each undeclared identifier is reported only once status.c:36: error: for each function it appears in.) status.c:36: error: 'statusstr_msgidx' undeclared (first use in this function) make[3]: *** [libcommon_a-status.o] Error 1 make[2]: *** [all] Error 2 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 Thx for your help!! From f.schwind at chili-radiology.com Thu Jan 21 11:43:16 2010 
From: f.schwind at chili-radiology.com (Florian Schwind) Date: Thu, 21 Jan 2010 11:43:16 +0100 Subject: gpeme_get_key returns a 'general error' after some time. Message-ID: <4B582FC4.20301@chili-radiology.com> Hello all, I have some strange problems using gpg (1.4.9) resp. gpgme (1.1.4) and hope someone can help me. I'm using gpgme to encrypt a lot of files and at some point the function "gpgme_get_key" returns a "General error" and all further encryptions fail until I restart the process. Sometimes the system runs for only a few minutes and sometimes it lasts for hours before the error occurs. My first thought was that there might be some problems with multi-threading so I synchronized all calls and took care of the encryption never running parallel. Does someone have any idea how to fix this? Thanks for your help! Regards Florian Schwind From laurent.jumet at skynet.be Thu Jan 21 11:24:06 2010 
From: laurent.jumet at skynet.be (Laurent Jumet) Date: Thu, 21 Jan 2010 11:24:06 +0100 Subject: Encrypting for multiple users In-Reply-To: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> Message-ID: Hello Mohan ! "Mohan Radhakrishnan" wrote: > I am encrypting for multiple recipients. > gpg -r -r -r -r --encrypt file.txt > 3 users are able to decrypt the files. The 4th user though is getting this > message. > I am using GPG. All users use PGP to decrypt. Shouldn't make a difference ? > "It is not possible to decrypt this message because your keyring does not > contain usable private key(s) corresponding to any of the above public > key(s)." > It looks like the 4 th user is doing something wrong ? ...it's the most probable option. -- Laurent Jumet KeyID: 0xCFAF704C From expires2010 at ymail.com Thu Jan 21 14:48:59 2010 
From: expires2010 at ymail.com (MFPA) Date: Thu, 21 Jan 2010 13:48:59 +0000 Subject: distributing ones public key (email) In-Reply-To: <4B576AE8.1040501@chud.net> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> Message-ID: <329323442.20100121134859@my_localhost> Hi Chris On Wednesday 20 January 2010 at 8:43:20 PM, you wrote: > Matthew Krotzer wrote: >> What is the best way to let people know you use gpg in an email signature? > I usually just sign my messages and figure that's sufficient advertising. I'm > sure that only a very small minority of my recipients bothers to validate the > signature, so advertising is actually one of the main values in routine > signing. (I know that's not exactly what you asked, but would it work for you?) I suspect most of the recipients don't even notice. It's a much more visible advert if you sign inline rather than PGP/MIME. > The only problem I have run into with this is the occasional client that > doesn't display the message body because, being a separate mime part, it > thinks it's an attachment, and so the recipient thinks there is not text in > the message. > These seem to be fairly rare these days though - or maybe I just don't know > many people who use clients like this. Outlook Express has that limitation (unless it was fixed in a late version). -- Best regards MFPA mailto:expires2010 at ymail.com When you're caffeinated, all is right with the world From mortenkjarulff at gmail.com Thu Jan 21 15:58:57 2010 
From: mortenkjarulff at gmail.com (Morten Kjærulff) Date: Thu, 21 Jan 2010 15:58:57 +0100 Subject: Encrypting for multiple users In-Reply-To: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> References: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> Message-ID: Hi, Is it the 4th user or "user4" that has a problem? That is, who gets the problem with this: gpg -r -r -r -r --encrypt file.txt /Morten -- www.MortenKjarulff.dk On Wed, Jan 20, 2010 at 3:51 PM, Mohan Radhakrishnan wrote: > Hi, > > I am encrypting for multiple recipients. > > gpg -r -r -r -r --encrypt file.txt > > 3 users are able to decrypt the files. The 4th user though is getting this > message. > > I am using GPG. All users use PGP to decrypt. Shouldn't make a difference ? > > "It is not possible to decrypt this message because your keyring does not > contain usable private key(s) corresponding to any of the above public > key(s)." > > > It looks like the 4 th user is doing something wrong ? > > Thanks, > Mohan From kalyana_sbs at infosys.com Fri Jan 22 06:43:59 2010 
From: kalyana_sbs at infosys.com (Kalyana_SBS) Date: Fri, 22 Jan 2010 11:13:59 +0530 Subject: Installation of gnupg on Sun Solaris Message-ID: <08F7C44842CDD34DB86A4F919596ECC80F1A96A80F@PUNITPMBX01.ad.infosys.com> Hi, We are trying to install gnupg on Sun Solaris Box. We are trying to figure out which version of C compiler is most suitable for compiling the source code on Solaris box. The OS version is as follows:- SunOS 5.10 sun4v sparc SUNW,SPARC-Enterprise-T5220 The version of gnupg that we are trying to install is 1.4.10. Any inputs and pointers regarding the above will be highly appreciated. Thanks and Regards, Kalyan. From mohanr at fss.co.in Fri Jan 22 12:54:16 2010 From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Fri, 22 Jan 2010 17:24:16 +0530 Subject: Split key Message-ID: <0EE14841E1FD8545B7E084F22AEF96810143D6AD@fssbemail.fss.india> Hi, I came across a reference to paperkey in this forum which seems to be splitting a public key into two parts. Does this procedure look like a sensible thing to do ? 1. Generate key pair in keyring. 2. Encrypt symmetric key using this public key. 3. Remove public key from keyring. Is this possible 4. Separate a part of the public key and give it to a custodian. 1. Reconstruct it and import into the keyring. 2. Decrypt symmetric key using this public key. 3. Use decrypted symmetric key to encrypt whatever I want. I am just looking at a way to ensure that a key can be reconstructed from custody. The GPG keyring password can also be encrypted using the same public key. Just that there is a way to split and ensure that everything is not in one place so that security is enhanced. Thanks, Mohan From mohanr at fss.co.in Thu Jan 21 12:03:27 2010 
From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Thu, 21 Jan 2010 16:33:27 +0530 Subject: Storing password in keyring Message-ID: <0EE14841E1FD8545B7E084F22AEF96810143D239@fssbemail.fss.india> Hi, Question 1 : Is there any way to store a password in a keyring ? I don't have a database for this. I was just thinking that I can hash a password and use a keyring to store it to avoid the need for a database. Question 2 : Can I split a private(decrypting) key and rejoin it using GPG ? The split keys are given by two different people and rejoined. I want to use the bouncy castle GPG API. Thanks, Mohan From mohanr at fss.co.in Thu Jan 21 14:15:56 2010 From: mohanr at fss.co.in (Mohan Radhakrishnan) Date: Thu, 21 Jan 2010 18:45:56 +0530 Subject: Split key Message-ID: <0EE14841E1FD8545B7E084F22AEF96810143D2F2@fssbemail.fss.india> Hi, I came across a reference to paperkey in this forum which seems to be splitting a public key into two parts. Does this procedure look like a sensible thing to do ? 1. Generate key pair in keyring. 2. Encrypt symmetric key using this public key. 3. Remove public key from keyring. Is this possible 4. Separate a part of the public key and give it to a custodian. 1. Reconstruct it and import into the keyring. 2. Decrypt symmetric key using this public key. 3. Use decrypted symmetric key to encrypt whatever I want. I am just looking at a way to ensure that a key can be reconstructed from custody. The GPG keyring password can also be encrypted using the same public key. Just that there is a way to split and ensure that everything is not in one place so that security is enhanced. Thanks, Mohan From dshaw at jabberwocky.com Fri Jan 22 14:48:56 2010 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 22 Jan 2010 08:48:56 -0500 Subject: Installation of gnupg on Sun Solaris In-Reply-To: <08F7C44842CDD34DB86A4F919596ECC80F1A96A80F@PUNITPMBX01.ad.infosys.com> References: <08F7C44842CDD34DB86A4F919596ECC80F1A96A80F@PUNITPMBX01.ad.infosys.com> Message-ID: <904F315D-438F-4DC1-A16D-82570D71DA0A@jabberwocky.com> On Jan 22, 2010, at 12:43 AM, Kalyana_SBS wrote: > Hi, > > We are trying to install gnupg on Sun Solaris Box. > > We are trying to figure out which version of C compiler is most > suitable for compiling the source code on Solaris box. > > The OS version is as follows:- > > SunOS 5.10 sun4v sparc SUNW,SPARC-Enterprise-T5220 > > The version of gnupg that we are trying to install is 1.4.10. > > Any inputs and pointers regarding the above will be highly > appreciated. It should "just work" with many compilers, but I'd recommend gcc if you have it installed. David From dshaw at jabberwocky.com Fri Jan 22 14:52:02 2010 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 22 Jan 2010 08:52:02 -0500 Subject: Storing password in keyring In-Reply-To: <0EE14841E1FD8545B7E084F22AEF96810143D239@fssbemail.fss.india> References: <0EE14841E1FD8545B7E084F22AEF96810143D239@fssbemail.fss.india> Message-ID: On Jan 21, 2010, at 6:03 AM, Mohan Radhakrishnan wrote: > Hi, > > Question 1 : > > Is there any way to store a password in a keyring ? I > don't have a database for this. I was just thinking that I can hash > a password and use a keyring to store it to avoid the need for a > database. Not within GPG. GPG stores keys within keyrings. Passphrases are stored outside the system (but see the gpg-agent for a local passphrase cache). > Question 2 : > > Can I split a private(decrypting) key and rejoin it using > GPG ? The split keys are given by two different people and rejoined. Not using GPG, but there are several tools available for split keys on the net. For example: http://point-at-infinity.org/ssss/ > I want to use the bouncy castle GPG API. That is not GPG. That is a completely different implementation of the OpenPGP standard. You should ask on the Bouncy Castle forums. David From mkrotzer at fastmail.fm Fri Jan 22 16:04:26 2010 
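The kind of split the linked ssss tool is named after (Shamir's secret sharing), as an added illustration that is not part of the thread and is neither ssss's own code nor its share format: a secret such as a passphrase is split so that any `threshold` custodians can rejoin it and fewer learn nothing. Assumptions: the field prime, the 0x01 length marker, the 64-octet limit and all function names are choices made for this example.

```python
import secrets

PRIME = 2**521 - 1   # Mersenne prime; the field holds a 0x01 marker plus 64 octets
MAX_SECRET = 64


def encode_secret(secret: bytes) -> int:
    """Map the secret to a field element; the 0x01 marker preserves leading zero octets."""
    if not 0 < len(secret) <= MAX_SECRET:
        raise ValueError("secret must be 1..%d octets" % MAX_SECRET)
    return int.from_bytes(b"\x01" + secret, "big")


def decode_secret(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # The marker only catches gross errors; it is not an integrity check.
    if raw[:1] != b"\x01":
        raise ValueError("shares do not reconstruct a valid secret")
    return raw[1:]


def split_secret(secret: bytes, threshold: int, n_shares: int):
    """Return n_shares points (x, y) on a random polynomial of degree threshold-1."""
    if not 2 <= threshold <= n_shares:
        raise ValueError("need 2 <= threshold <= n_shares")
    # Constant term is the secret; every other coefficient is uniformly random.
    coeffs = [encode_secret(secret)]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def interpolate_at_zero(shares) -> int:
    """Lagrange interpolation of the polynomial at x = 0 over GF(PRIME)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        # Fermat inverse of den, valid because PRIME is prime and den != 0
        total = (total + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover_secret(shares) -> bytes:
    return decode_secret(interpolate_at_zero(shares))


if __name__ == "__main__":
    passphrase = b"constructed passphrase, not a real one"
    a, b = split_secret(passphrase, threshold=2, n_shares=2)   # two custodians
    print("rejoined by both custodians:", recover_secret([a, b]) == passphrase)
    print("one share alone gives the secret:", interpolate_at_zero([a]) == encode_secret(passphrase))
```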
From: mkrotzer at fastmail.fm (Matthew Krotzer) Date: Fri, 22 Jan 2010 10:04:26 -0500 Subject: distributing ones public key (email) In-Reply-To: <4B576AE8.1040501@chud.net> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> Message-ID: <20100122150426.GA1458@bebop> * Chris De Young [100120 15:47]: > Matthew Krotzer wrote: > > What is the best way to let people know you use gpg in an email signature? > > I usually just sign my messages and figure that's sufficient advertising. I'm > sure that only a very small minority of my recipients bothers to validate the > signature, so advertising is actually one of the main values in routine > signing. (I know that's not exactly what you asked, but would it work for you?) > > The only problem I have run into with this is the occasional client that > doesn't display the message body because, being a separate mime part, it > thinks it's an attachment, and so the recipient thinks there is not text in > the message. > > These seem to be fairly rare these days though - or maybe I just don't know > many people who use clients like this. > I've received enough replies of "can't open the attachment you sent" that made me stop signing all my emails. I'm looking for best policy to say "hey, see this gpg stuff? You should look into it so we assure some degree of privacy on the internet." Thanks for the help everyone. Matthew From mwood at IUPUI.Edu Fri Jan 22 17:17:24 2010 
From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri, 22 Jan 2010 11:17:24 -0500 Subject: distributing ones public key (email) In-Reply-To: <20100122150426.GA1458@bebop> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> Message-ID: <20100122161724.GB21578@IUPUI.Edu> On Fri, Jan 22, 2010 at 10:04:26AM -0500, Matthew Krotzer wrote: > I've received enough replies of "can't open the attachment you sent" > that made me stop signing all my emails. I'm looking for best policy to > say "hey, see this gpg stuff? You should look into it so we assure some > degree of privacy on the internet." Oh, yes. My tongue is nearly bitten through from suppressing the urge to respond, "what did you think an 'application/pgp-signature' attachment is?" I too would like to find some way to get the word out about what it is and why my correspondent might find it desirable. -- Mark H. Wood, e-mail geek mwood at IUPUI.Edu Friends don't let friends publish revisable-form documents. From classpath at arcor.de Fri Jan 22 17:33:08 2010 
From: classpath at arcor.de (Morten Gulbrandsen) Date: Fri, 22 Jan 2010 17:33:08 +0100 Subject: Installation of gnupg on Sun Solaris In-Reply-To: <08F7C44842CDD34DB86A4F919596ECC80F1A96A80F@PUNITPMBX01.ad.infosys.com> References: <08F7C44842CDD34DB86A4F919596ECC80F1A96A80F@PUNITPMBX01.ad.infosys.com> Message-ID: <4B59D344.6020703@arcor.de> Kalyana_SBS wrote: > Hi, > > > > We are trying to install gnupg on Sun Solaris Box. > > > > We are trying to figure out which version of C compiler is most suitable > for compiling the source code on Solaris box. > > I got mine from blastwave gpg --version gpg (GnuPG) 1.4.9 http://www.blastwave.org/jir/search.ftd?qs=gnupg Sincerely yours, Morten From chd at chud.net Fri Jan 22 18:27:39 2010 
From: chd at chud.net (Chris De Young) Date: Fri, 22 Jan 2010 10:27:39 -0700 Subject: distributing ones public key (email) In-Reply-To: <20100122161724.GB21578@IUPUI.Edu> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> Message-ID: <4B59E00B.6040205@chud.net> Mark H. Wood wrote: > Oh, yes. My tongue is nearly bitten through from suppressing the urge > to respond, "what did you think an 'application/pgp-signature' > attachment is?" I too would like to find some way to get the word > out about what it is and why my correspondent might find it desirable. I think we just need to be as patient and helpful as possible, and when someone complains that they can't open the attachment, this is a good time to give a quick, friendly explanation and offer to help them get started using it if they are interested. Of course, many people are just not going to be interested, or are going to think it's too much work or too cumbersome for what you get, and that's okay too. They may change their mind down the road as their needs or interests change, so a friendly introduction still has value. -C From wk at gnupg.org Fri Jan 22 18:51:57 2010 
From: wk at gnupg.org (Werner Koch) Date: Fri, 22 Jan 2010 18:51:57 +0100 Subject: gpeme_get_key returns a 'general error' after some time. In-Reply-To: <4B582FC4.20301@chili-radiology.com> (Florian Schwind's message of "Thu, 21 Jan 2010 11:43:16 +0100") References: <4B582FC4.20301@chili-radiology.com> Message-ID: <87iqauyqma.fsf@vigenere.g10code.de> On Thu, 21 Jan 2010 11:43, f.schwind at chili-radiology.com said: > I have some strange problems using gpg (1.4.9) resp. gpgme (1.1.4) and > hope someone can help me. Please update gpgme to 1.2.0; there are a couple of minor bug fixes. Further GPGME has far better trace support which greatly helps to track down such problems: Run your application like this $ GPGME_DEBUG=9:/foo/gpgme.log ./foo On Windows it works similar; you just need to use set and replace the colon by a semicolon. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From wk at gnupg.org Fri Jan 22 18:56:09 2010 
From: wk at gnupg.org (Werner Koch) Date: Fri, 22 Jan 2010 18:56:09 +0100 Subject: Gnupg doesn't recognize card. In-Reply-To: (taurus's message of "Wed, 20 Jan 2010 16:11:01 +0000") References: Message-ID: <87eiliyqfa.fsf@vigenere.g10code.de> On Wed, 20 Jan 2010 17:11, taurus366 at gmail.com said: > Gpg does not recognize my fellowship card; > ~ xxx$ gpg --card-status > gpg: selecting openpgp failed: Card error > gpg: OpenPGP card not available: Card error > Reader 01: Gemplus GemPC Twin 00 00 Is that a new OpenPGP card (2.0)? If so you are out of luck on Unix systems: The Gemplus readers are buggy (they don't support extended length APDUs). You may try to use the workaround which is in the internal CCID driver of scdaemon (stop pcscd and make sure that you have permissions to write to the usb port). This workaround sometimes works. BTW, it works on Windows because the gemplus driver seems to have a workaround for it. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From gesbbb at yahoo.com Fri Jan 22 23:56:53 2010 
From: gesbbb at yahoo.com (Jerry) Date: Fri, 22 Jan 2010 17:56:53 -0500 Subject: Unable to delete bogus keys Message-ID: <20100122175653.7c3a98cc@scorpio.seibercom.net> System Info: FreeBSD-7.2 gpg (GnuPG) 2.0.14 libgcrypt 1.4.4 gpa 0.9.0 I honestly have no idea what the problem is here. I am not even sure if this is the correct mail forum to ask this question in. I recently installed GnuPG on my system. Everything appeared to go fine. For some reason, I have numerous keys listed that I have no knowledge of. This URL shows the keys: http://seibercom.net/gnupg/KeyListing.png This is a screen shot when I attempt to delete a bogus key: http://seibercom.net/gnupg/Remove_Key.png This is the error message displayed when I click to delete the key: http://seibercom.net/gnupg/Remove_Key_Error.png I have tried deleting the ~/gnupg directory and starting over; however that does not correct the problem. I can delete keys I create though. Where are these other keys coming from and how do I remove them permanently? -- Jerry gesbbb at yahoo.com |::::======= |::::======= |=========== |=========== | Declared guilty... of displaying feelings of an almost human nature. Pink Floyd, "The Wall" From faramir.cl at gmail.com Sat Jan 23 01:54:17 2010 
From: faramir.cl at gmail.com (Faramir) Date: Fri, 22 Jan 2010 21:54:17 -0300 Subject: Unable to delete bogus keys In-Reply-To: <20100122175653.7c3a98cc@scorpio.seibercom.net> References: <20100122175653.7c3a98cc@scorpio.seibercom.net> Message-ID: <4B5A48B9.1030605@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Jerry wrote: > System Info: > > FreeBSD-7.2 > > gpg (GnuPG) 2.0.14 > libgcrypt 1.4.4 > > gpa 0.9.0 > > I honestly have no idea what the problem is here. I am not even sure if > this is the correct mail forum to ask this question in. I recently > installed GnuPG on my system. Everything appeared to go fine. For some > reason, I have numerous keys listed that I have no knowledge of. > > This URL shows the keys: > > http://seibercom.net/gnupg/KeyListing.png These are not OpenPGP keys, but x.509 certificates (and that is a list of Certification Authorities. I identify CAcert among them). Somehow you entered into the PKI certificate manager, instead of your OpenPGP keyrings. Since I have never used GPG2 or FreeBSD, I can't tell you how to go to your keyring instead. > This is a screen shot when I attempt to delete a bogus key: > > http://seibercom.net/gnupg/Remove_Key.png Beware, if you delete the certificate of a CA from your list of trusted CAs, next time you go to a site using a certificate issued by the CA will show a scary warning. (I mean, if you go to a URL starting with https://). > Where are these other keys coming from and how do I remove them > permanently? Probably they come pre-loaded with your operating system. I repeat, these are not GPG keys, but the kind of certificates used for SSL. 
Best Regards From ciprian.craciun at gmail.com Sat Jan 23 10:59:00 2010 
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun) Date: Sat, 23 Jan 2010 11:59:00 +0200 Subject: gpg-agent --daemon running in foreground In-Reply-To: <8e04b5820910120657i580249a9v2a46f7233be2738@mail.gmail.com> References: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com> <8e04b5820910120657i580249a9v2a46f7233be2738@mail.gmail.com> Message-ID: <8e04b5821001230159l24355cf4t7aeb3e7b23481f0@mail.gmail.com> On Mon, Oct 12, 2009 at 3:57 PM, Ciprian Dorin, Craciun wrote: > On Mon, Oct 12, 2009 at 4:08 PM, David Shaw wrote: >> On Oct 12, 2009, at 7:58 AM, Ciprian Dorin, Craciun wrote: >> >>> Hello all! >>> >>> I'm facing the following problem: I need to run gpg-agent, but >>> without him going into background. Is there any solution to this one? >> >> I'm not sure exactly what you're trying to do, but you can run gpg-agent >> without it backgrounding by leaving off the "--daemon" option. >> >> David > > So I have the following situation: I want to be able to run > gpg-agent inside a runsv process (part of runit package), that > monitors the process, and in case it breaks, it shall restart it. > Unfortunately gpg-agent forks into background, and thus I cannot > monitor if it's running from inside runsv. > > Thus I need to make gpg-agent behave just like `gpg-agent > --server` (not forking into background), but using the sockets (just > like --daemon). > > Anyway, I've modified the latest source code (2.0.13), file > agent/gpg-agent.c, to add another option --daemon-fg, that shall not > fork in background. (The patch is attached.) (I'm not very proud of > the patch but it does the job. Hope I've not broken anything... :) ) > > So I would like to ask the maintainer of gpg-agent to look upon > it, and either include it, either (if time allows him) provide such an > option. > > Thanks, > Ciprian. Sorry to bother you guys again. Have you looked at my patch (related to my previous comments)? 
(It allows gnupg-agent to behave normally like a daemon, but not go into the background.) Is there something wrong with it? Thanks, Ciprian. From ciprian.craciun at gmail.com Sat Jan 23 11:07:45 2010 
From: ciprian.craciun at gmail.com (Ciprian Dorin, Craciun) Date: Sat, 23 Jan 2010 12:07:45 +0200 Subject: gpg-agent --daemon running in foreground In-Reply-To: <8e04b5821001230159l24355cf4t7aeb3e7b23481f0@mail.gmail.com> References: <8e04b5820910120458o10f91a2ex8ad0f1361b96dd9d@mail.gmail.com> <8e04b5820910120657i580249a9v2a46f7233be2738@mail.gmail.com> <8e04b5821001230159l24355cf4t7aeb3e7b23481f0@mail.gmail.com> Message-ID: <8e04b5821001230207h69db80e6r57661e99e35b4095@mail.gmail.com> On Sat, Jan 23, 2010 at 11:59 AM, Ciprian Dorin, Craciun wrote: > On Mon, Oct 12, 2009 at 3:57 PM, Ciprian Dorin, Craciun > wrote: >> On Mon, Oct 12, 2009 at 4:08 PM, David Shaw wrote: >>> On Oct 12, 2009, at 7:58 AM, Ciprian Dorin, Craciun wrote: >>> >>>> Hello all! >>>> >>>> I'm facing the following problem: I need to run gpg-agent, but >>>> without it going into background. Is there any solution to this one? >>> >>> I'm not sure exactly what you're trying to do, but you can run gpg-agent >>> without it backgrounding by leaving off the "--daemon" option. >>> >>> David >> >> So I have the following situation: I want to be able to run >> gpg-agent inside a runsv process (part of runit package), that >> monitors the process, and in case it breaks, it shall restart it. >> Unfortunately gpg-agent forks into background, and thus I cannot >> monitor if it's running from inside runsv. >> >> Thus I need to make gpg-agent behave just like `gpg-agent >> --server` (not forking into background), but using the sockets (just >> like --daemon). >> >> Anyway, I've modified the latest source code (2.0.13), file >> agent/gpg-agent.c, to add another option --daemon-fg, that shall not >> fork in background. (The patch is attached.) (I'm not very proud of >> the patch but it does the job. Hope I've not broken anything... :) ) >> >> So I would like to ask the maintainer of gpg-agent to look upon >> it, and either include it, or (if time allows him) provide such an >> option. >> >> ? 
?Thanks, >> ? ?Ciprian. > > > ? ?Sorry to bother you guys again. Have you looked at my patch > (related with the my previous comments)? > ? ?(It allows gnupg-agent to behave normally like a daemon, but not > go into the background.) > > ? ?Is there something wrong with it? > > ? ?Thanks, > ? ?Ciprian. Forgot to attach the patch again. :) -------------- next part -------------- diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 2e81567..ac2dfdb 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -74,6 +74,7 @@ enum cmd_and_opt_values oLogFile, oServer, oDaemon, + oDaemonFg, oBatch, oPinentryProgram, @@ -120,6 +121,7 @@ static ARGPARSE_OPTS opts[] = { { oServer, "server", 0, N_("run in server mode (foreground)") }, { oDaemon, "daemon", 0, N_("run in daemon mode (background)") }, + { oDaemonFg, "daemon-fg", 0, N_("run in daemon mode (foreground)") }, { oVerbose, "verbose", 0, N_("verbose") }, { oQuiet, "quiet", 0, N_("be somewhat more quiet") }, { oSh, "sh", 0, N_("sh-style command output") }, @@ -743,6 +745,7 @@ main (int argc, char **argv ) case oSh: csh_style = 0; break; case oServer: pipe_server = 1; break; case oDaemon: is_daemon = 1; break; + case oDaemonFg: is_daemon = 2; break; case oDisplay: default_display = xstrdup (pargs.r.ret_str); break; case oTTYname: default_ttyname = xstrdup (pargs.r.ret_str); break; @@ -996,7 +999,10 @@ main (int argc, char **argv ) pid = getpid (); printf ("set GPG_AGENT_INFO=%s;%lu;1\n", socket_name, (ulong)pid); #else /*!HAVE_W32_SYSTEM*/ - pid = fork (); + if (is_daemon == 1) + pid = fork (); + else + pid = getpid (); if (pid == (pid_t)-1) { log_fatal ("fork failed: %s\n", strerror (errno) ); @@ -1007,7 +1013,8 @@ main (int argc, char **argv ) char *infostr, *infostr_ssh_sock, *infostr_ssh_pid; /* Close the socket FD. */ - close (fd); + if (is_daemon == 1) + close (fd); /* Note that we used a standard fork so that Pth runs in both the parent and the child. The pth_fork would 
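Review bot: in the @@ -996 hunk, pid = getpid () reaches the parent branch only because a PID is never 0, and nothing in the code says so; add a comment that foreground mode deliberately runs the parent-side setup in the one and only process, which is also why the @@ -1007 hunk has to keep fd open. The unchanged "if (pid == (pid_t)-1)" test with its "fork failed" message now also sits on a path where no fork happened, so it would read better inside the is_daemon == 1 arm next to the fork () call. Comparing is_daemon against the bare values 1 and 2 (assigned in the @@ -743 hunk) is easy to misread; a separate flag or named constants would make each condition self-explanatory.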
@@ -1019,18 +1026,21 @@ main (int argc, char **argv ) right now and thus we restore it. That is not strictly necessary but some programs falsely assume a cleared signal mask. */ - if ( !pth_kill () ) - log_error ("pth_kill failed in forked process\n"); + if (is_daemon == 1) + if ( !pth_kill () ) + log_error ("pth_kill failed in forked process\n"); #ifdef HAVE_SIGPROCMASK - if (startup_signal_mask_valid) - { - if (sigprocmask (SIG_SETMASK, &startup_signal_mask, NULL)) - log_error ("error restoring signal mask: %s\n", - strerror (errno)); - } - else - log_info ("no saved signal mask\n"); + if (is_daemon == 1) { + if (startup_signal_mask_valid) + { + if (sigprocmask (SIG_SETMASK, &startup_signal_mask, NULL)) + log_error ("error restoring signal mask: %s\n", + strerror (errno)); + } + else + log_info ("no saved signal mask\n"); + } #endif /*HAVE_SIGPROCMASK*/ /* Create the info string: :: */ @@ -1090,6 +1100,10 @@ main (int argc, char **argv ) if (argc) { /* Run the program given on the commandline. */ + if (is_daemon != 1) { + log_error ("no command expected.\n"); + exit (1); + } if (putenv (infostr)) { log_error ("failed to set environment: %s\n", @@ -1128,7 +1142,7 @@ main (int argc, char **argv ) { /* Print the environment string, so that the caller can use shell's eval to set it */ - if (csh_style) + if (is_daemon == 1 && csh_style) { *strchr (infostr, '=') = ' '; printf ("setenv %s\n", infostr); @@ -1140,7 +1154,7 @@ main (int argc, char **argv ) printf ("setenv %s\n", infostr_ssh_pid); } } - else + else if (is_daemon == 1) { printf ( "%s; export GPG_AGENT_INFO;\n", infostr); if (opt.ssh_support) @@ -1155,7 +1169,8 @@ main (int argc, char **argv ) xfree (infostr_ssh_sock); xfree (infostr_ssh_pid); } - exit (0); + if (is_daemon == 1) + exit (0); } /*NOTREACHED*/ } /* End parent */ 
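Review bot: in the @@ -1090 hunk, the new exit (1) after "no command expected." leaves without calling cleanup (), although in foreground mode this process still holds the socket fd that the @@ -1007 hunk stopped closing; the setsid failure path in the final hunk calls cleanup () before giving up, and this path should do the same. A trailing command combined with --daemon-fg is a usage error, so it is better rejected right after option parsing than this late in main (). The message would also be clearer if it named the option, for example "--daemon-fg does not accept a command".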
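Review bot: in the @@ -1128 and @@ -1140 hunks, both the csh branch and the sh branch are now limited to is_daemon == 1, so with --daemon-fg the GPG_AGENT_INFO string is built but never shown to anyone. The help text added in the @@ -120 hunk and the manual should say how clients are expected to locate the agent's socket in this mode. Testing is_daemon == 1 once around the whole print block would also be easier to follow than repeating it in the if and again in the else if.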
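Review bot: in the @@ -1155 hunk, making exit (0) conditional means foreground mode now runs past the /*NOTREACHED*/ marker and out of the parent block, so that comment is no longer true. Replace it with a comment stating that --daemon-fg intentionally continues into the code that follows, and confirm that everything after "End parent" is safe to run in a process that has not forked.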
@@ -1185,7 +1200,7 @@ main (int argc, char **argv ) } } } - if (setsid() == -1) + if (is_daemon == 1 && setsid() == -1) { log_error ("setsid() failed: %s\n", strerror(errno) ); cleanup (); From email at sven-radde.de Sat Jan 23 15:06:19 2010 From: email at sven-radde.de (Sven Radde) Date: Sat, 23 Jan 2010 15:06:19 +0100 Subject: distributing ones public key (email) In-Reply-To: <20100122161724.GB21578@IUPUI.Edu> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> Message-ID: <4B5B025B.6050103@sven-radde.de> Hi! Mark H. Wood schrieb: > I too would like to find some way to get the word > out about what it is and why my correspondent might find it desirable. What about inline signatures when emailing people that do not yet use OpenPGP? Enigmail, for example, has per-recipient rules that are supposed to let you control its behaviour in a fine-grained way. cu, Sven From taurus366 at gmail.com Sat Jan 23 17:48:54 2010 From: taurus366 at gmail.com (taurus) Date: Sat, 23 Jan 2010 16:48:54 +0000 Subject: Gnupg doesn't recognize card. In-Reply-To: <87eiliyqfa.fsf@vigenere.g10code.de> References: <87eiliyqfa.fsf@vigenere.g10code.de> Message-ID: <3176C327-E742-489D-B90C-1A88EF47DEAA@gmail.com> On 22 January 2010, at 17:56, Werner Koch wrote: >> >> Gpg does not recognize my fellowship card; >> ~ xxx$ gpg --card-status >> gpg: selecting openpgp failed: Card error >> gpg: OpenPGP card not available: Card error >> Reader 01: Gemplus GemPC Twin 00 00 > > Is that a new OpenPGP card (2.0)? No, it is a v1.0 Fellowship card. Only the Macbook Pro is new. Thank you. From rjh at sixdemonbag.org Sat Jan 23 18:50:25 2010 
From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Jan 2010 12:50:25 -0500 Subject: Incomplete mailing list archives? Message-ID: <4B5B36E1.50204@sixdemonbag.org> A while ago I downloaded the entire archives of the GnuPG-Users mailing list, from the first message to the present. (Having this archive makes it a lot easier to refer people to older threads that addressed the same subject.) Strangely, though, it seems the list archives are incomplete. According to it, my first post to the list was on March 5, 2006 ("Questionnaire about GnuPG usage"). This seems strange, since I've been around for some years before that. Does anyone have any idea what's happening here? Please note that I'm not claiming the list archives have been edited, altered, or anything else like that. There is no Orwellian "memory hole" here. I'm sure there's a reasonable explanation. :) From chd at chud.net Sat Jan 23 20:27:40 2010 
From: chd at chud.net (Chris De Young) Date: Sat, 23 Jan 2010 12:27:40 -0700 Subject: distributing ones public key (email) In-Reply-To: <4B5B025B.6050103@sven-radde.de> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> <4B5B025B.6050103@sven-radde.de> Message-ID: <4B5B4DAC.3040109@chud.net> Sven Radde wrote: > Hi! > > Mark H. Wood wrote: >> I too would like to find some way to get the word >> out about what it is and why my correspondent might find it desirable. > > What about inline signatures when emailing people that do not yet use > OpenPGP? Personally, and this is just my opinion, I don't care for this approach (I have considered it) for a couple of reasons. One, it may encourage use of inline signatures in general, which (IMO) is bad, and two, it makes the message itself a bit harder to read. Getting the word out in a way that's annoying to your correspondents is probably not going to have the desired effect. :-) -C From kloecker at kde.org Sat Jan 23 21:57:14 2010 
From: kloecker at kde.org (Ingo Klöcker) Date: Sat, 23 Jan 2010 21:57:14 +0100 Subject: Incomplete mailing list archives? In-Reply-To: <4B5B36E1.50204@sixdemonbag.org> References: <4B5B36E1.50204@sixdemonbag.org> Message-ID: <201001232157.22064@thufir.ingo-kloecker.de> On Saturday 23 January 2010, Robert J. Hansen wrote: > A while ago I downloaded the entire archives of the GnuPG-Users > mailing list, from the first message to the present. (Having this > archive makes it a lot easier to refer people to older threads that > addressed the same subject.) > > Strangely, though, it seems the list archives are incomplete. > According to it, my first post to the list was on March 5, 2006 > ("Questionnaire about GnuPG usage"). This seems strange, since I've > been around for some years before that. > > Does anyone have any idea what's happening here? > > Please note that I'm not claiming the list archives have been edited, > altered, or anything else like that. There is no Orwellian "memory > hole" here. I'm sure there's a reasonable explanation. :) Yes, there is. The (obvious) explanation is: You didn't post anything to this list before March 5, 2006. ;-) I've been subscribed since 2001 and my personal list archive (which lacks the period 2005-09-14 till 2006-02-20) doesn't contain any posts from you before March 5, 2006. Regards, Ingo From faramir.cl at gmail.com Sat Jan 23 23:34:06 2010 
From: faramir.cl at gmail.com (Faramir) Date: Sat, 23 Jan 2010 19:34:06 -0300 Subject: distributing ones public key (email) In-Reply-To: <4B5B025B.6050103@sven-radde.de> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> <4B5B025B.6050103@sven-radde.de> Message-ID: <4B5B795E.10901@gmail.com> Sven Radde wrote: > Hi! > > Mark H. Wood wrote: >> I too would like to find some way to get the word >> out about what it is and why my correspondent might find it desirable. > > What about inline signatures when emailing people that do not yet use > OpenPGP? I have been doing that for a couple of years. So far, nobody has ever asked me about what those weird blocks of characters mean... Best Regards From makrober at gmail.com Sun Jan 24 00:55:23 2010 
From: makrober at gmail.com (makrober) Date: Sat, 23 Jan 2010 23:55:23 +0000 Subject: distributing ones public key (email) In-Reply-To: <4B5B4DAC.3040109@chud.net> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> <4B5B025B.6050103@sven-radde.de> <4B5B4DAC.3040109@chud.net> Message-ID: <4B5B8C6B.6070803@gmail.com> Chris De Young wrote: > > Personally, and this is just my opinion, I don't care for this approach (I have > considered it) for a couple of reasons. One, it may encourage use of inline > signatures in general... Unsolicited attachments are considered inappropriate by many. MacRober From rjh at sixdemonbag.org Sun Jan 24 01:28:56 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sat, 23 Jan 2010 19:28:56 -0500 Subject: Incomplete mailing list archives? In-Reply-To: <201001232157.22064@thufir.ingo-kloecker.de> References: <4B5B36E1.50204@sixdemonbag.org> <201001232157.22064@thufir.ingo-kloecker.de> Message-ID: <4B5B9448.7090604@sixdemonbag.org> On 01/23/2010 03:57 PM, Ingo Klöcker wrote: > Yes, there is. The (obvious) explanation is: You didn't post anything to > this list before March 5, 2006. ;-) This seems ... strange. It does not jibe with my memory at all, not one bit. Then again, it wouldn't be impossible for my memory to be in error. From dougb at dougbarton.us Sun Jan 24 02:27:53 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Sat, 23 Jan 2010 17:27:53 -0800 Subject: Incomplete mailing list archives? In-Reply-To: <4B5B9448.7090604@sixdemonbag.org> References: <4B5B36E1.50204@sixdemonbag.org> <201001232157.22064@thufir.ingo-kloecker.de> <4B5B9448.7090604@sixdemonbag.org> Message-ID: <4B5BA219.2000409@dougbarton.us> On 01/23/10 16:28, Robert J. Hansen wrote: > On 01/23/2010 03:57 PM, Ingo Klöcker wrote: >> Yes, there is. The (obvious) explanation is: You didn't post anything to >> this list before March 5, 2006. ;-) > > This seems ... strange. It does not jibe with my memory at all, not one > bit. Then again, it wouldn't be impossible for my memory to be in error. If you have a sent message in your own archive it would make it easier for people to try and cross reference it. If you don't, it would point to your own personal "orwellian memory hole." :) Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From dougb at dougbarton.us Sun Jan 24 02:40:08 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Sat, 23 Jan 2010 17:40:08 -0800 Subject: distributing ones public key (email) In-Reply-To: <329323442.20100121134859@my_localhost> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <329323442.20100121134859@my_localhost> Message-ID: <4B5BA4F8.9020804@dougbarton.us> On 01/21/10 05:48, MFPA wrote: >> These seem to be fairly rare these days though - or maybe I just don't know >> many people who use clients like this. > > Outlook Express has that limitation (unless it was fixed in a late > version). I just did a quick test using Thunderbird 3, enigmail 1, and PGP/MIME with both plain text and HTML mail. Using OE on an up to date version of windows XP the message body was not visible at all. hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From dougb at dougbarton.us Sun Jan 24 02:55:59 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Sat, 23 Jan 2010 17:55:59 -0800 Subject: Encrypting for multiple users In-Reply-To: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> References: <0EE14841E1FD8545B7E084F22AEF96810A58CD@fssbemail.fss.india> Message-ID: <4B5BA8AF.6040104@dougbarton.us> On 01/20/10 06:51, Mohan Radhakrishnan wrote: > Hi, > > I am encrypting for multiple recipients. > > gpg -r -r -r -r --encrypt file.txt > > 3 users are able to decrypt the files. The 4th user though is getting > this message. > > I am using GPG. All users use PGP to decrypt. Shouldn't make a difference ? > > "It is not possible to decrypt this message because your keyring does not > contain usable private key(s) corresponding to any of the above public > key(s)." > > > It looks like the 4th user is doing something wrong ? Well that message is pretty self-explanatory. :) This commonly happens when someone is mistaken about which keys they have, and/or where those keys are located. This leads to you having the wrong public key. Have the person do whatever the PGP equivalent to 'gpg --list-keys' is and then you should be able to sort it out from there. hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From kloecker at kde.org Sun Jan 24 11:14:54 2010 
From: kloecker at kde.org (Ingo Klöcker) Date: Sun, 24 Jan 2010 11:14:54 +0100 Subject: Incomplete mailing list archives? In-Reply-To: <4B5B9448.7090604@sixdemonbag.org> References: <4B5B36E1.50204@sixdemonbag.org> <201001232157.22064@thufir.ingo-kloecker.de> <4B5B9448.7090604@sixdemonbag.org> Message-ID: <201001241114.55290@thufir.ingo-kloecker.de> On Sunday 24 January 2010, Robert J. Hansen wrote: > On 01/23/2010 03:57 PM, Ingo Klöcker wrote: > > Yes, there is. The (obvious) explanation is: You didn't post > > anything to this list before March 5, 2006. ;-) > > This seems ... strange. It does not jibe with my memory at all, not > one bit. Then again, it wouldn't be impossible for my memory to be > in error. You might be confusing gnupg-devel with gnupg-users: http://markmail.org/search/?q=gnupg+from%3A%22Robert+J.+Hansen%22+order%3Adate-forward Regards, Ingo From kloecker at kde.org Sun Jan 24 11:53:21 2010 
From: kloecker at kde.org (Ingo Klöcker) Date: Sun, 24 Jan 2010 11:53:21 +0100 Subject: distributing ones public key (email) In-Reply-To: <4B5B4DAC.3040109@chud.net> References: <20100120044655.GA29165@bebop> <4B5B025B.6050103@sven-radde.de> <4B5B4DAC.3040109@chud.net> Message-ID: <201001241153.22299@thufir.ingo-kloecker.de> On Saturday 23 January 2010, Chris De Young wrote: > Sven Radde wrote: > > Hi! > > > > Mark H. Wood wrote: > >> I too would like to find some way to get the word > >> out about what it is and why my correspondent might find it > >> desirable. > > > > What about inline signatures when emailing people that do not yet > > use OpenPGP? > > Personally, and this is just my opinion, I don't care for this > approach (I have considered it) for a couple of reasons. One, it may > encourage use of inline signatures in general, which (IMO) is bad, > and two, it makes the message itself a bit harder to read. Getting > the word out in a way that's annoying to your correspondents is > probably not going to have the desired effect. :-) Another serious problem of inline signatures is that they are likely to break when the recipient includes a full quote of the signed message in his reply (which is what basically everybody using Outlook, Lotus Notes, etc., does). Those bad signatures in the replies will desensitize those that use a mail client capable of verifying the signatures. Regards, Ingo From gesbbb at yahoo.com Sun Jan 24 13:53:38 2010 
From: gesbbb at yahoo.com (Jerry) Date: Sun, 24 Jan 2010 07:53:38 -0500 Subject: distributing ones public key (email) In-Reply-To: <4B5B795E.10901@gmail.com> References: <20100120044655.GA29165@bebop> <4B576AE8.1040501@chud.net> <20100122150426.GA1458@bebop> <20100122161724.GB21578@IUPUI.Edu> <4B5B025B.6050103@sven-radde.de> <4B5B795E.10901@gmail.com> Message-ID: <20100124075338.10254cf1@scorpio.seibercom.net> On Sat, 23 Jan 2010 19:34:06 -0300 Faramir Faramir articulated: > Sven Radde wrote: > > Hi! > > > > Mark H. Wood wrote: > >> I too would like to find some way to get the word > >> out about what it is and why my correspondent might find it > >> desirable. > > > > What about inline signatures when emailing people that do not yet > > use OpenPGP? > > I have been doing that for a couple of years. So far, nobody has > ever asked me about what those weird blocks of characters mean... Perhaps not; however, it really messes up replying to a message since all of that garbage should be removed prior to the transmission of the replied to document. -- Jerry gesbbb at yahoo.com |::::======= |::::======= |=========== |=========== | Armstrong's Collection Law: If the check is truly in the mail, it is surely made out to someone else. From faramir.cl at gmail.com Sun Jan 24 21:13:14 2010 
From: faramir.cl at gmail.com (Faramir) Date: Sun, 24 Jan 2010 17:13:14 -0300 Subject: Slightly OT: SSSS tool Message-ID: <4B5CA9DA.8070104@gmail.com> Hello, A couple of days ago, in discussion "Storing password in keyring", David suggested the usage of tools to split secrets, and used as example the tool SSSS ( http://point-at-infinity.org/ssss/ ). Currently there is a discussion about splitting a password in another list, and I mentioned SSSS as a possible way to solve the problem, but there were questions about if it has been reviewed by the crypto community, and if it can be "broken". I have read the article at Wikipedia that explains how (or why) it works (and it seems to be unbreakable), but I can't tell if the implementation is safe enough. I know this question is OT, but currently I don't know a better place to ask it: has somebody taken a look at the code of that application? Does it seem to be safe? Best Regards From tkoeppen.nospam at googlemail.com Sun Jan 24 21:35:32 2010 
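The threshold property the message above asks about can be checked with a small model of Shamir's scheme: with fewer shares than the threshold, every candidate secret is still possible, and what an implementation has to get right is the randomness of the coefficients. This is an added example, not part of any post in this thread and not code from ssss; the prime field, the function names and the sample secret are assumptions made for illustration.

```python
"""Toy model of Shamir threshold sharing (constructed here, not ssss code)."""
import secrets

# Assumption of this example: arithmetic modulo the Mersenne prime 2**127 - 1.
PRIME = 2**127 - 1


def _poly_at(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret, threshold, count):
    """Return `count` shares (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    if not 2 <= threshold <= count:
        raise ValueError("need 2 <= threshold <= count")
    # The scheme is only as strong as these coefficients are unpredictable,
    # so they come from the OS CSPRNG and never from the `random` module.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, count + 1)]


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate among shares")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den**(PRIME - 2) equals 1/den modulo a prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def recover(shares):
    """The secret is the polynomial's value at x = 0."""
    return interpolate(shares, 0)


def share_explaining(known, candidate, x_new):
    """From threshold-1 shares and ANY candidate secret, compute the missing
    share at x_new under which `candidate` would be the recovered value."""
    return (x_new, interpolate([(0, candidate)] + list(known), x_new))


if __name__ == "__main__":
    secret = int.from_bytes(b"hunter2-demo", "big")  # constructed sample secret
    shares = split(secret, threshold=3, count=5)
    print("any 3 of 5 recover it:", recover(shares[1:4]) == secret)

    # Holder of only two shares: each guess has a third share that fits it,
    # so the two shares alone rule nothing out.
    for guess in (0, 1234, secret):
        third = share_explaining(shares[:2], guess, 3)
        print("guess consistent:", recover(shares[:2] + [third]) == guess)

    # Plain Shamir has no integrity check: a modified share is not detected,
    # it just produces a different "secret".
    x, y = shares[0]
    forged = [(x, (y + 1) % PRIME)] + shares[1:3]
    print("tampering goes unnoticed:", recover(forged) != secret)
```

The model shows the mathematics only; it says nothing about whether a particular program draws its coefficients safely or protects shares against modification.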
From: tkoeppen.nospam at googlemail.com (tkoeppen.nospam@gmail.com) Date: Sun, 24 Jan 2010 21:35:32 +0100 Subject: MacOS snow leopard problem with usb cryptostick Message-ID: <1d6423411001241235i7cacc714nff36c642af509342@mail.gmail.com> Hi all, I want to check out my brand new gpg smartcard from https://www.privacyfoundation.de/wiki/GPFCryptoStick On my first macbook (MacOS snow leopard) the stick is readable. On my brand new second macbook pro (cloned from my older macbook) I get an error after inserting the stick into either of the USB ports. Jan 24 18:25:41 box com.apple.securityd[26]: /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ifdhandler.c:1323:init_driver() Driver version: 1.3.8 Jan 24 18:25:41 box com.apple.securityd[26]: /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/commands.c:203:CmdPowerOn error on byte 3 Jan 24 18:25:41 box com.apple.securityd[26]: /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ifdhandler.c:964:IFDHPowerICC() PowerUp failed Jan 24 18:25:42 box com.sourceforge.macgpg2.gpg-agent[1483]: gpg-agent[1483]: launchd only supported for real users - ie UID > 500 Jan 24 18:25:42 box com.apple.launchd.peruser.91[1481] (com.sourceforge.macgpg2.gpg-agent[1483]): Exited with exit code: 1 How can I debug or fix this error? Best Thomas From dougb at dougbarton.us Mon Jan 25 07:39:57 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Sun, 24 Jan 2010 22:39:57 -0800 Subject: Formalizing the Facebook Web of Trust In-Reply-To: <4B453B69.9000900@fifthhorseman.net> References: <4B453B69.9000900@fifthhorseman.net> Message-ID: <4B5D3CBD.3090202@dougbarton.us> [ I realize this is an old thread, but AFAICT no one mentioned this and I think it's useful enough to add to the mix. ] On 01/06/10 17:39, Daniel Kahn Gillmor wrote: | PS their pidgin work is unclear from the paper, so i don't really know | how to evaluate it. if all they did was fetch keys from facebook, | that's a little weird (since they could already fetch keys from the hkp | network). i'm also not convinced that OpenPGP messages are the best | technological choice (without *significant* extra thought and UI work) | for instant messaging. I agree that PGP is not likely the best choice for IM. It's also important to define your goals. If your goals are merely to obscure your messages from casual observers a lot of IM services use SSL now. Several EFnet IRC servers are using it (http://www.efnet.org/?module=servers, although they tend to include it as an afterthought), AIM/ICQ has the option available, and of course there is Jabber/XMPP which has had it available for a long time. If your goal is something more robust that can encrypt the entire channel, even from the server operators, then the Trillian client has had this feature for at least 7 years, although last I checked it was only for Windows. If you want something that is cross-platform, able to encrypt the channel, AND able to do some cursory identity validation as well, "Off the record" messaging is the answer. http://www.cypherpunks.ca/otr/ It's available as a plugin for pidgin, and I'm given to understand is included in other clients by default as well (such as adium for mac). I've used it for years and have been very pleased with it. 
I'll restrain myself from commenting in detail on the other issues raised in this thread except to say that I agree with those who said that using crypto properly takes more dedication than the average user is willing (and no offense intended, able) to apply. As technologists I think it's incumbent on US to figure out a middle ground that allows people to use crypto in a way that is "good enough" for many purposes even if it is not what we would consider "robust" or "secure" by our definition(s). Of course then that opens up the can of worms that Robert H. mentioned in regards to "adding crypto to things can make them worse, not better ..." hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso From dougb at dougbarton.us Mon Jan 25 07:50:50 2010 
From: dougb at dougbarton.us (Doug Barton) Date: Sun, 24 Jan 2010 22:50:50 -0800 Subject: Unable to delete bogus keys In-Reply-To: <20100122175653.7c3a98cc@scorpio.seibercom.net> References: <20100122175653.7c3a98cc@scorpio.seibercom.net> Message-ID: <4B5D3F4A.9090806@dougbarton.us> On 01/22/10 14:56, Jerry wrote: > System Info: > > FreeBSD-7.2 > > gpg (GnuPG) 2.0.14 > libgcrypt 1.4.4 > > gpa 0.9.0 > > I honestly have no idea what the problem is here. I am not even sure if > this is the correct mail forum to ask this question in. I recently > installed GnuPG on my system. Everything appeared to go fine. For some > reason, I have numerous keys listed that I have no knowledge of. I tried installing gpa and along with the keys that are actually on my gnupg keyring I also saw "keys" similar to the ones you have. Faramir was right in that these are NOT gnupg keys, they do seem to be X.509 certs. I'm not sure why gpa is picking them up, and while I'm mildly curious I haven't dug deeply into where they are located. I would not encourage you to use this tool, it's FAR better to learn the command line options. If you really feel that you need a graphical tool for key management the one included with enigmail (the thunderbird gnupg addon) is better than most, and has the advantage that you can use the same tool in FreeBSD and Windows. > This is a screen shot when I attempt to delete a bogus key: Rule number 1 of Information Technology, don't delete things if you don't know what they are. :) Ok, wait, actually that's rule number 2. Rule number 1 is "make good backups." But seriously, don't delete stuff you don't understand, unless you're prepared to spend a lot of time rebuilding/reinstalling things. Of course, that's also a good way to learn, but only if you have an effectively infinite supply of time on your hands. ;) hth, Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. 
They can only give you answers. -- Pablo Picasso From f.schwind at chili-radiology.com Mon Jan 25 10:10:03 2010 From: f.schwind at chili-radiology.com (Florian Schwind) Date: Mon, 25 Jan 2010 10:10:03 +0100 Subject: gpeme_get_key returns a 'general error' after some time. In-Reply-To: <87iqauyqma.fsf@vigenere.g10code.de> References: <4B582FC4.20301@chili-radiology.com> <87iqauyqma.fsf@vigenere.g10code.de> Message-ID: <4B5D5FEB.50102@chili-radiology.com> Hi, On 22.01.2010 18:51, Werner Koch wrote: > On Thu, 21 Jan 2010 11:43, f.schwind at chili-radiology.com said: > >> I have some strange problems using gpg (1.4.9) resp. gpgme (1.1.4) and >> hope someone can help me. > > Please update gpgme to 1.2.0; there a couple of minor bug fixes. > Further GPGME has far better trace support which greatly helps to track > down such problems: Run your application like this > > $ GPGME_DEBUG=9:/foo/gpgme.log ./foo > > On windows it works similar; you just need to use set and replace the > colon by a semicolon. thanks for the tip with debuglog but this is not practical in my case because 2 minutes after starting the application I already have over 1GB of logdata, and the error might occur only after a few hours runtime... > Shalom-Salam, > > Werner Best Regards Florian From gesbbb at yahoo.com Mon Jan 25 12:24:37 2010 
From: gesbbb at yahoo.com (Jerry) Date: Mon, 25 Jan 2010 06:24:37 -0500 Subject: Unable to delete bogus keys In-Reply-To: <4B5D3F4A.9090806@dougbarton.us> References: <20100122175653.7c3a98cc@scorpio.seibercom.net> <4B5D3F4A.9090806@dougbarton.us> Message-ID: <20100125062437.0247d2d3@scorpio.seibercom.net> On Sun, 24 Jan 2010 22:50:50 -0800 Doug Barton articulated: > On 01/22/10 14:56, Jerry wrote: > > System Info: > > > > FreeBSD-7.2 > > > > gpg (GnuPG) 2.0.14 > > libgcrypt 1.4.4 > > > > gpa 0.9.0 > > > > I honestly have no idea what the problem is here. I am not even > > sure if this is the correct mail forum to ask this question in. I > > recently installed GnuPG on my system. Everything appeared to go > > fine. For some reason, I have numerous keys listed that I have no > > knowledge of. > > I tried installing gpa and along with the keys that are actually on > my gnupg keyring I also saw "keys" similar to the ones you have. > Faramir was right in that these are NOT gnupg keys, they do seem to > be X.509 certs. I'm not sure why gpa is picking them up, and while > I'm mildly curious I haven't dug deeply into where they are located. > > I would not encourage you to use this tool, it's FAR better to learn > the command line options. If you really feel that you need a > graphical tool for key management the one included with enigmail (the > thunderbird gnupg addon) is better than most, and has the advantage > that you can use the same tool in FreeBSD and Windows. > > > This is a screen shot when I attempt to delete a bogus key: > > Rule number 1 of Information Technology, don't delete things if you > don't know what they are. :) Ok, wait, actually that's rule number > 2. Rule number 1 is "make good backups." But seriously, don't delete > stuff you don't understand, unless you're prepared to spend a lot of > time rebuilding/reinstalling things. Of course, that's also a good > way to learn, but only if you have an effectively infinite supply of > time on your hands. 
;) OK, I found the source of those "unknown keys" /usr/local/share/gnupg -r--r--r-- 1 root wheel 27K Jan 20 22:43 com-certs.pem I renamed the file, deleted the "~/.gnupg/*.kbx" files and restarted GPA and the problem disappeared. I still don't know what those 'certs' are supposed to be for; however, the system seems to work fine without them. Furthermore, prior to updating my system, those files were either not available or not being loaded. I don't know which. If someone has a clue, I would enjoy hearing about it. -- Jerry gesbbb at yahoo.com |::::======= |::::======= |=========== |=========== | "Just saying "no" prevents teenage pregnancy the way "Have a nice day" cures chronic depression." Faye Wattleton http://en.wikipedia.org/wiki/Faye_Wattleton From wk at gnupg.org Mon Jan 25 13:41:39 2010 From: wk at gnupg.org (Werner Koch) Date: Mon, 25 Jan 2010 13:41:39 +0100 Subject: gpeme_get_key returns a 'general error' after some time. In-Reply-To: <4B5D5FEB.50102@chili-radiology.com> (Florian Schwind's message of "Mon, 25 Jan 2010 10:10:03 +0100") References: <4B582FC4.20301@chili-radiology.com> <87iqauyqma.fsf@vigenere.g10code.de> <4B5D5FEB.50102@chili-radiology.com> Message-ID: <87sk9uwe4c.fsf@vigenere.g10code.de> On Mon, 25 Jan 2010 10:10, f.schwind at chili-radiology.com said: > thanks for the tip with debuglog but this is not practical in my case > because 2 minutes after starting the application I already have over > 1GB of logdata, and the error might occur only after a few hours > runtime... Then you need to use finer grained debug control. Probably you need to modify something in gpgme. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From tkoeppen.nospam at googlemail.com Mon Jan 25 22:32:24 2010 
From: tkoeppen.nospam at googlemail.com (Thomas Koeppen)
Date: Mon, 25 Jan 2010 22:32:24 +0100
Subject: MacOS snow leopard problem with usb cryptostick
In-Reply-To: <1d6423411001241235i7cacc714nff36c642af509342@mail.gmail.com>
References: <1d6423411001241235i7cacc714nff36c642af509342@mail.gmail.com>
Message-ID: <1d6423411001251332v25ce7fcfre31f3a021b56c346@mail.gmail.com>

On Sun, Jan 24, 2010 at 9:35 PM, tkoeppen.nospam at gmail.com <
tkoeppen.nospam at googlemail.com> wrote:

> Jan 24 18:25:41 box com.apple.securityd[26]:
> /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/commands.c:203:CmdPowerOn
> error on byte 3
>

I run the pcscd in foreground (following
http://pcsclite.alioth.debian.org/ccid.html#support) with the following
output:

bash-3.2# pcscd --foreground --debug --apdu
...
/SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ccid_usb.c:402:OpenUSBByName() Can't claim interface 001/004-08e6-3437-00-00: Unknown error: 0
/SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ifdhandler.c:99:IFDHCreateChannelByName() failed
/SourceCache/SmartCardServices/SmartCardServices-36160/src/PCSC/readerfactory.c:820:RFInitializeReader() Open Port 4300000 Failed (Gemplus GemPC Twin)
...
/SourceCache/SmartCardServices/SmartCardServices-36160/src/PCSC/readerfactory.c:261:RFAddReader() RFAddReader: Gemplus GemPC Twin init failed: -2146435067

Maybe the issue is related to cloning my Macbook and reusing USB
interfaceId?

Best
Thomas
From tkoeppen.nospam at googlemail.com Mon Jan 25 23:10:19 2010
From: tkoeppen.nospam at googlemail.com (Thomas Koeppen) Date: Mon, 25 Jan 2010 23:10:19 +0100 Subject: MacOS snow leopard problem with usb cryptostick In-Reply-To: <1d6423411001251332v25ce7fcfre31f3a021b56c346@mail.gmail.com> References: <1d6423411001241235i7cacc714nff36c642af509342@mail.gmail.com> <1d6423411001251332v25ce7fcfre31f3a021b56c346@mail.gmail.com> Message-ID: <1d6423411001251410j60b6cb40ta693d1be78b59af1@mail.gmail.com> On Mon, Jan 25, 2010 at 10:32 PM, Thomas Koeppen < tkoeppen.nospam at googlemail.com> wrote: > On Sun, Jan 24, 2010 at 9:35 PM, tkoeppen.nospam at gmail.com < > tkoeppen.nospam at googlemail.com> wrote: > >> Jan 24 18:25:41 box com.apple.securityd[26]: >> /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/commands.c:203:CmdPowerOn >> error on byte 3 >> > > With debug enabled i get the following output: /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ifdhandler.c:924:IFDHPowerICC() lun: 0, action: PowerUp -> 000000 62 00 00 00 00 00 04 01 00 00 <- 000000 80 00 00 00 00 00 04 41 03 00 /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/commands.c:203:CmdPowerOn error on byte 3 /SourceCache/SmartcardCCID/SmartcardCCID-35253/ccid/ccid/src/ifdhandler.c:964:IFDHPowerICC() PowerUp failed /SourceCache/SmartCardServices/SmartCardServices-36160/src/PCSC/eventhandler.cpp:314:EHStatusHandlerThread() Error powering up card: -2146435050 0x80100016 The full debug output can be found here: http://blog.steademy.com/2010/01/25/cryptostick-with-gnupg-under-macos-snow-leopard/ Best Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Jan 26 15:36:06 2010 
From: wk at gnupg.org (Werner Koch)
Date: Tue, 26 Jan 2010 15:36:06 +0100
Subject: Passphrase problem in gpgsm 2.0.14
Message-ID: <874om9vsq1.fsf@vigenere.g10code.de>

Hi!

While preparing a new release of Gpg4win we found a regression in GnuPG
2.0.14. The problem is due to this change:

 * New and changed passphrases are now created with an iteration count
   requiring about 100ms of CPU work.

I don't know how it slipped through my tests, but somehow it happened.
The bug occurs in all cases where gpg-agent creates a new protected key
or changes the protection. For example:

 - You import a new private key with GPGSM from a PKCS#12 file.

 - You change the passphrase of a X.509 key (gpgsm --passwd)

 - You create or import a new on-disk Secure Shell key.

It does not affect keys or passphrases related to GPG (OpenPGP keys).

The bug is that the new iteration count is not encoded in the file.
Instead the old constant value of 65536 (encoded as 96) is written to
the file. If you now try to use the key and enter the passphrase,
gpg-agent uses the wrong iteration count from the file (65536) and thus
can't unprotect the key.

A patch against 2.0.14 is attached.

It is possible to fixup the wrong iteration counts but before I add such
a feature, I would like to know whether this is really needed.

 - If you imported a p12 file you may simply re-import that file after
   deleting the old file. To find the respective file with the private
   key, you use this command

     gpgsm --dump-cert KEYID | grep keygrip:

   The hex-string you see is the basename of the private key. For example:

     $ gpgsm --dump-cert 0x036A1456 | grep keygrip:
     keygrip: 25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289
     $ ls -l private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

   You better delete this file before importing the p12 file again:

     $ rm private-keys-v1.d/25268070E915E1E3DCCBD9EBEF18BCEF9B0AB289.key

 - If you changed the passphrase and you have a backup of the private
   key, it will be easier to use the backup.

 - If you did not change the passphrase, you don't have any problem.

 - If there is no other way to restore it, please complain and I will
   write a tool to fixup the mess.

I am sorry for the possible trouble.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.0.14-encode-s2k.patch
Type: text/x-patch
Size: 1384 bytes
Desc: not available
URL:
From jcruff at gmail.com Tue Jan 26 16:38:55 2010
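The iteration-count mismatch described in Werner Koch's message of 26 Jan 2010 above ("Passphrase problem in gpgsm 2.0.14"), worked through as an added example; this is not GnuPG code and not part of the original thread. It uses the one-octet count encoding of RFC 4880 section 3.7.1.3 and assumes SHA-1, a 16-byte key, a constructed passphrase and salt, and a calibrated count of 1,000,000 (the message only says "about 100ms of CPU work").

```python
"""Added illustration: coded S2K iteration counts and the stale-count failure."""
import hashlib

# Coded count that, per the message, 2.0.14 wrote to the key file
# regardless of the count actually used to protect the key.
STALE_CODED_COUNT = 96


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_s2k_count(iterations: int) -> int:
    """Smallest coded octet whose decoded count is >= iterations (capped at 255)."""
    for coded in range(256):
        if decode_s2k_count(coded) >= iterations:
            return coded
    return 255


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count: int,
                        keylen: int = 16) -> bytes:
    """Iterated and salted S2K with SHA-1, for keys that fit in one digest."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 octets")
    if keylen > hashlib.sha1().digest_size:
        raise ValueError("this sketch handles a single hash context only")
    data = salt + passphrase
    count = max(count, len(data))  # salt+passphrase is always hashed at least once
    full, rest = divmod(count, len(data))
    h = hashlib.sha1()
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()[:keylen]


def simulate_regression(passphrase: bytes, salt: bytes,
                        calibrated_iterations: int) -> dict:
    """Protect with the calibrated count, then unprotect with the count on file."""
    real_coded = encode_s2k_count(calibrated_iterations)
    real_count = decode_s2k_count(real_coded)
    key_at_protect = s2k_iterated_salted(passphrase, salt, real_count)
    # Buggy file: the stale constant was stored, so unprotect derives another key.
    key_from_stale = s2k_iterated_salted(
        passphrase, salt, decode_s2k_count(STALE_CODED_COUNT))
    # Fixed file: the real coded count was stored.
    key_from_fixed = s2k_iterated_salted(
        passphrase, salt, decode_s2k_count(real_coded))
    return {
        "real_coded": real_coded,
        "real_count": real_count,
        "stale_unlocks": key_from_stale == key_at_protect,
        "fixed_unlocks": key_from_fixed == key_at_protect,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real key file.
    result = simulate_regression(b"correct horse", bytes(range(8)), 1_000_000)
    print("coded 96 decodes to", decode_s2k_count(STALE_CODED_COUNT))
    print(result)
```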
From: jcruff at gmail.com (John Ruff)
Date: Tue, 26 Jan 2010 10:38:55 -0500
Subject: OpenPGP SmartCard v2.0 w/OmniKey 6121
Message-ID:

Hi,

I've been researching the archives for the past week after receiving my
OpenPGP v2.0 smartcard from Kernelconcepts. Problem seems to revolve
around signing, but between my two systems OpenSUSE 11.2 (gnupg 2.0.13)
and Mac OS X 10.5.8 (MacGPG/gnupg 2.0.14) I have slightly different
results.

First I was only able to create the 3 2048-bit keys on the linux laptop
but would fail to create a 3072/2048/2048 set on the same system. On the
Mac I couldn't create anything (tried all 1024 and 2048 keys). With the
card now having 2048 keys I could successfully change all my card
options (did this before key generation).

On the linux system I could encrypt/decrypt but can not perform any
signing/verify operation. On the Mac I can encrypt, but neither
decrypt/sign/verify. Errors vary from "general signing error" to secret
key not found (when trying to decrypt). I was unclear how to actually
setup my new keys on the Mac so I performed an export and
export/export-secret-keys over to the Mac from the linux system.

Please let me know what types of debugs I can provide back for review or
any other test information one would like performed or provided. Output
of '--card-status' below. Thanks in advance.

$ gpg --card-status
Application ID ...: D2760001240102000005000003740000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000374
Name of cardholder: John Ruff
Language prefs ...: en
Sex ..............: male
URL of public key : [not set]
Login data .......: techniq
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 18
Signature key ....: 6530 8DA8 805C 707F 3611 9851 D057 FC41 052A 4FAD
      created ....: 2010-01-24 02:10:16
Encryption key....: 0A2B BBEE 4B0D C392 A4E6 3673 ECCF B9FB 1488 8977
      created ....: 2010-01-24 02:10:16
Authentication key: 735C 977A DFBA 72B2 CDF0 D5D9 F9E8 742E FC34 E962
      created ....: 2010-01-24 02:10:16
General key info..: pub 2048R/052A4FAD 2010-01-24 John C. Ruff (Techniq)
sec> 2048R/052A4FAD created: 2010-01-24 expires: never
                    card-no: 0005 00000374
ssb> 2048R/FC34E962 created: 2010-01-24 expires: never
                    card-no: 0005 00000374
ssb> 2048R/14888977 created: 2010-01-24 expires: never
                    card-no: 0005 00000374

--
Chris Ruff
jcruff[at]gmail.com
"No one can see past a choice they don't understand." --Oracle
From vedaal at hush.com Tue Jan 26 19:52:15 2010
From: vedaal at hush.com (vedaal at hush.com) Date: Tue, 26 Jan 2010 13:52:15 -0500 Subject: Problem encrypting to a hushmail gpg key Message-ID: <20100126185215.4992711803D@smtp.hushmail.com> Sean Rima A friend on the pgpnet mailing list is using a hushmail.com gpg key >but when I import it, I get >gpg: key C4E23A82: public key ""---- at hushmail.com" " >imported >gpg: Total number processed: 1 >gpg: imported: 1 (RSA: 1) ... :public sub key packet: version 4, algo 2, created 1262830846, expires 0 unknown algorithm 2 ----- the above listed public subkey packet is the encryption key i imported it directly from hushmail (https://www.hushtools.com/hushtools2/index.php click on 'key management' then enter the hushmail email address and retrieve the key ) and encrypted to it without any problem. caveat: it is not a great idea to use hushmail keys for open pgp encryption or authentication (1) the keys are not updated, and can't be for the same email address, so, for example, i've been with hushmail since it started, and my key is a 1024 bit key and signs with SHA-1 (to be fair, i imagine that whenever this becomes a 'real' threat, hushmail will allow for modifications/new keys) (2) the hushmail user probably will not be able to decrypt a gnupg encrypted message in hushmail if the encryption algorithm chosen isn't currently being used by hushmail, which, depending on how old the key is, may not be the encryption algorithm listed on the key, and if the hushmail user uses gnupg (preferable ;-) ), then he/she would be better off generating a new key in gnupg, and just leave the hushmail key for hushmail users (i use my hushmail key only for hushmail/hushtools) vedaal From f.schwind at chili-radiology.com Wed Jan 27 10:47:56 2010 
From: f.schwind at chili-radiology.com (Florian Schwind) Date: Wed, 27 Jan 2010 10:47:56 +0100 Subject: gpeme_get_key returns a 'general error' after some time. In-Reply-To: <87sk9uwe4c.fsf@vigenere.g10code.de> References: <4B582FC4.20301@chili-radiology.com> <87iqauyqma.fsf@vigenere.g10code.de> <4B5D5FEB.50102@chili-radiology.com> <87sk9uwe4c.fsf@vigenere.g10code.de> Message-ID: <4B600BCC.1070108@chili-radiology.com> On 25.01.2010 13:41, Werner Koch wrote: > On Mon, 25 Jan 2010 10:10, f.schwind at chili-radiology.com said: > >> thanks for the tip with debuglog but this is not practical in my case >> because 2 minutes after starting the application I already have over >> 1GB of logdata, and the error might occur only after a few hours >> runtime... Hi, > Then you need to use finer grained debug control. Probably you need to > modify something in gpgme. I updated to gpg 1.4.10 and gpgme 1.2.0 but this doesn't solve the problem. I will put more debug output in gpgme and try to identify where the error happens. > Salam-Shalom, > Werner Best Regards Florian Schwind From kuifje_007 at yahoo.com Wed Jan 27 13:10:07 2010 
From: kuifje_007 at yahoo.com (Kuifje)
Date: Wed, 27 Jan 2010 04:10:07 -0800 (PST)
Subject: How to use password from the parameter
Message-ID: <27338022.post@talk.nabble.com>

I have a function from FoxPro. If you type Gpg( 'test.pgp',
'SecretPassword'), how can you make sure ShellExecute decrypts the
pgp-file with the password?

cParameters = [-d -o &sUitvoer &sInvoer ]

works well but you have to give the password in a DOS-window and it
seems some users don't know how because you cannot see the password.

I tried everything, something like

cParameters = [--&sPassWord-fd 0 -d -o &sUitvoer &sInvoer ]

but it doesn't work. Do you know how to use the password into
ShellExecute?

PROCEDURE Gpg( sInvoer, sPassWord)
CLEAR
IF EMPTY(sInvoer)
   CD aangeleverd
   sInvoer = GETFILE('pgp')
   CD ..
ENDIF
sUitvoer = SUBSTR(sInvoer, 1, LenTR(sInvoer) - 3) + 'zip'
DECLARE INTEGER ShellExecute ;
   IN SHELL32.DLL ;
   INTEGER nWinHandle, ;
   STRING cOperation, ;
   STRING cFileName, ;
   STRING cParameters, ;
   STRING cDirectory, ;
   INTEGER nShowWindow
nHwnd = 0
cOperation = 'open'
cFileToExecute = 'gpg.exe'
*cParameters = [-d -o &sUitvoer &sInvoer ]
cParameters = [--&sPassWord-fd 0 -d -o &sUitvoer &sInvoer ]
cDirectory = 'C:\Program Files\GNU\GnuPG\'
nShowWindow = 3
nError = ShellExecute( nHwnd, ;
   m.cOperation, m.cFileToExecute, m.cParameters, m.cDirectory, m.nShowWindow )
WAIT "Druk op ENTER nadat je het wachtwoord hebt ingevoerd"
RUN /N c:\program files\7-zip\7z.exe e &sUitvoer -o&sAangeleverdMap
ENDPROC

--
View this message in context: http://old.nabble.com/How-to-use-password-from-the-parameter-tp27338022p27338022.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
From sean at srima.ie Thu Jan 28 06:51:33 2010
From: sean at srima.ie (Sean Rima) Date: Thu, 28 Jan 2010 05:51:33 +0000 Subject: Problem encrypting to a hushmail gpg key In-Reply-To: <20100126185215.4992711803D@smtp.hushmail.com> References: <20100126185215.4992711803D@smtp.hushmail.com> Message-ID: <4B6125E5.8060605@srima.ie> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 26/01/2010 18:52, vedaal at hush.com wrote: > Sean Rima it is not a great idea to use hushmail keys for open pgp encryption > or authentication > > (1) the keys are not updated, and can't be for the same email > address, > so, for example, i've been with hushmail since it started, and my > key is a 1024 bit key and signs with SHA-1 > (to be fair, i imagine that whenever this becomes a 'real' threat, > hushmail will allow for modifications/new keys) > > (2) the hushmail user probably will not be able to decrypt a gnupg > encrypted message in hushmail if the encryption algorithm chosen > isn't currently being used by hushmail, which, depending on how old > the key is, may not be the encryption algorithm listed on the key, > > and if the hushmail user uses gnupg (preferable ;-) ), then he/she > would be better off generating a new key in gnupg, and just leave > the hushmail key for hushmail users > I will pass this info on, though how far we get is debatable :) Thanks for the info Sean - -- GSWoT and CaCert WOT Assurer .tel http://rima.tel/ I believe that every human has a finite number of heartbeats. I don't intend to waste any of mine running around doing exercises. - Neil Armstrong -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (MingW32) Comment: Gossamer Spider Web of Trust: http://www.gswot.org Comment: Contact Details http://rima.tel Comment: My GPG Key http://sl.srima.eu/sfr Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEAREDAAYFAkthJeUACgkQydfi32iLfZj5AACfelzckOQnaIrvhnleZy6YCTeK QnMAoMnSmaJKx+ByaaxXSUwdDyIybOME =nDtd -----END PGP SIGNATURE----- From gesbbb at yahoo.com Thu Jan 28 12:13:29 2010 
From: gesbbb at yahoo.com (Jerry) Date: Thu, 28 Jan 2010 06:13:29 -0500 Subject: OT: Gpg4Win - recompile for 64bit MS Outlook Message-ID: <20100128061329.1c188669@scorpio.seibercom.net> I realize that this is probably not the correct forum to post this in; however, I thought that perhaps someone here might have an answer. According to this site: http://msdn.microsoft.com/en-us/library/ee691831%28office.14%29.aspx old plug-ins will have to be recompiled for use in Windows-7 64-bit PC. I was using Gpg4Win with Outlook on one workstation. All of the PCs are going to be updated to Win-7 shortly, along with the installed software. I understand that they are simply waiting for the release of Office-10 to be released before the update. In any case, are there any plans to recompile the plug-ins so that they will work under the new OS? Thanks! -- Jerry gesbbb at yahoo.com |::::======= |::::======= |=========== |=========== | Some rise by sin and some by virtue fall. From jcruff at gmail.com Fri Jan 29 01:22:25 2010 
From: jcruff at gmail.com (Chris Ruff) Date: Thu, 28 Jan 2010 19:22:25 -0500 Subject: Gnupg doesn't recognize card. Message-ID: <4B622A41.7030304@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 >>> >>> Gpg does not recognize my fellowship card; >>> ~ xxx$ gpg --card-status >>> gpg: selecting openpgp failed: Card error >>> gpg: OpenPGP card not available: Card error >>> Reader 01: Gemplus GemPC Twin 00 00 >> >> Is that a new OpenPGP card (2.0)? > > >No, it is a v1.0 Fellowship card. > >Only the Macbook Pro is new. On the Mac (10.5.8) I've found that when I receive this error to kill the scdaemon and reinsert the reader/card. $ killall -u scdaemon #usually has to be entered 2-3x to kill it Then I'm able to reinsert and perform a 'gpg --card-status' Hope this helps. - -- __________________________________ Chris Ruff email: jcruff at gmail.com GPG Key: 0x307A351B4EC4B6A1 FGPR: BF2F 2497 22E7 FEB5 C805 075C 307A 351B 4EC4 B6A1 "No one can see past a choice they don't understand." --The Oracle From rich.geddes at verizon.net Fri Jan 29 
04:44:45 2010 From: rich.geddes at verizon.net (Richard Geddes) Date: Thu, 28 Jan 2010 22:44:45 -0500 Subject: Revocation certificates Message-ID: <4B6259AD.5020301@verizon.net> Generating a revocation certificate as soon as you generate your key pair is a wise thing to do, in case you lose control of your passphrase ... I did that. My question is, if I edit my key pair... let's say I add a new uid to my key pair... do I need to generate a new revocation certificate or will the original revocation certificate work on the modified key pair? Thanks Richard From rjh at sixdemonbag.org Fri Jan 29 06:35:38 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Fri, 29 Jan 2010 00:35:38 -0500 Subject: Revocation certificates In-Reply-To: <4B6259AD.5020301@verizon.net> References: <4B6259AD.5020301@verizon.net> Message-ID: <4B6273AA.3020209@sixdemonbag.org> On 01/28/2010 10:44 PM, Richard Geddes wrote: > Generating a revocation certificate as soon as you generate your key > pair is a wise thing to do, in case you lose control of your passphrase > ... I did that. Good! :) > My question is, if I edit my key pair... let's say I add a new uid to my > key pair... do I need to generate a new revocation certificate or will > the original revocation certificate work on the modified key pair? The original revocation certificate will work on the modified key pair. From simon at josefsson.org Fri Jan 29 14:03:06 2010 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 29 Jan 2010 14:03:06 +0100 Subject: GPG4Win: running gpg-agent with SSH agent support? Message-ID: <87k4v13vxx.fsf@mocca.josefsson.org> I've installed GPG4Win and it recognizes my OpenPGP smartcards without problem (via a gpg-agent process which appears to be auto-started somehow?). However, I'd like to enable SSH agent support in gpg-agent too, so that Cygwin ssh can make use of it. Is this possible, if so how? /Simon From wk at gnupg.org Fri Jan 29 14:12:16 2010 
From: wk at gnupg.org (Werner Koch) Date: Fri, 29 Jan 2010 14:12:16 +0100 Subject: Gnupg doesn't recognize card. In-Reply-To: <4B622A41.7030304@gmail.com> (Chris Ruff's message of "Thu, 28 Jan 2010 19:22:25 -0500") References: <4B622A41.7030304@gmail.com> Message-ID: <87ljfht5qn.fsf@vigenere.g10code.de> On Fri, 29 Jan 2010 01:22, jcruff at gmail.com said: > $ killall -u scdaemon #usually has to be entered 2-3x to > kill it FWIW, gpgconf --reload scdaemon does the same in a well defined manner. Shalom-Salam, Werner ps. Please do not use killall but pkill which is a well defined command. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From jcruff at gmail.com Fri Jan 29 14:55:12 2010 
From: jcruff at gmail.com (John Ruff) Date: Fri, 29 Jan 2010 08:55:12 -0500 Subject: Gnupg doesn't recognize card. In-Reply-To: <87ljfht5qn.fsf@vigenere.g10code.de> References: <4B622A41.7030304@gmail.com> <87ljfht5qn.fsf@vigenere.g10code.de> Message-ID: On Jan 29, 2010, at 8:12 AM, Werner Koch wrote: > On Fri, 29 Jan 2010 01:22, jcruff at gmail.com said: > >> $ killall -u scdaemon #usually has to be entered >> 2-3x to >> kill it > > FWIW, > > gpgconf --reload scdaemon > > does the same in a well defined manner. I will remember to use this in the future. > > > Shalom-Salam, > > Werner > > > ps. > Please do not use killall but pkill which is a well defined command. pkill is what I used (up until now) on Linux, but the command doesn't exist by default on OS X (at least not mine). Only killall. > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > ___________________ Chris Ruff jcruff at gmail.com GPG Key: 0x307A351B4EC4B6A1 FGPR: BF2F 2497 22E7 FEB5 C805 075C 307A 351B 4EC4 B6A1 "No one can see past a choice they don't understand." --The Oracle -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 873 bytes Desc: This is a digitally signed message part URL: From sean at srima.ie Fri Jan 29 17:36:09 2010 
From: sean at srima.ie (Sean Rima) Date: Fri, 29 Jan 2010 16:36:09 +0000 Subject: Problem encrypting to a hushmail gpg key In-Reply-To: <4B630D48.6050904@srima.ie> References: <20100126185215.4992711803D@smtp.hushmail.com> <4B6125E5.8060605@srima.ie> <4B630D48.6050904@srima.ie> Message-ID: <4B630E79.6000508@srima.ie> On 29/01/2010 16:31, Sean Rima wrote: {think I sent my last wrong} >> >>> it is not a great idea to use hushmail keys for open pgp encryption >>> or authentication >> >>> (1) the keys are not updated, and can't be for the same email >>> address, >>> so, for example, i've been with hushmail since it started, and my >>> key is a 1024 bit key and signs with SHA-1 >>> (to be fair, i imagine that whenever this becomes a 'real' threat, >>> hushmail will allow for modifications/new keys) >> >>> (2) the hushmail user probably will not be able to decrypt a gnupg >>> encrypted message in hushmail if the encryption algorithm chosen >>> isn't currently being used by hushmail, which, depending on how old >>> the key is, may not be the encryption algorithm listed on the key, >> >>> and if the hushmail user uses gnupg (preferable ;-) ), then he/she >>> would be better off generating a new key in gnupg, and just leave >>> the hushmail key for hushmail users >> >> >> I will pass this info on, though how far we get is debatable :) Thanks >> for the info >> > Ok, on this, I uninstalled gpg 2.0.10 and installed 1.4.10b and I can import and encrypt to Hushmail keys. Does this mean that gpg 2.0.10 is broken or is it correctly handling the key where 1.4.10b is not? Sean -- GSWoT and CaCert WOT Assurer My public GPG Key http://sl.srima.eu/sfr .tel http://rima.tel/ I believe that every human has a finite number of heartbeats. I don't intend to waste any of mine running around doing exercises. - Neil Armstrong From dshaw at jabberwocky.com Fri Jan 29 19:43:43 2010 
From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 29 Jan 2010 13:43:43 -0500 Subject: Problem encrypting to a hushmail gpg key In-Reply-To: <4B534793.4090402@srima.ie> References: <4B534793.4090402@srima.ie> Message-ID: <3703F18F-CE30-470D-BD04-F7836630D07A@jabberwocky.com> On Jan 17, 2010, at 12:23 PM, Sean Rima wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi > > A friend on the pgpnet mailing list is using a hushmail.com gpg key but > when I import it, I get: > > C:\Users\Sean Rima>gpg --import < test.txt > gpg: key C4E23A82: accepted non self-signed user ID > ""*********@hushmail.com" <---- at hushmail.com>" > gpg: key C4E23A82: public key ""---- at hushmail.com" " > imported > gpg: Total number processed: 1 > gpg: imported: 1 (RSA: 1) > > > If I edit the key, I see: > > pub 0s/C4E23A82 created: 2010-01-07 expires: never usage: SC > [ unknown] (1). "------ at hushmail.com" <------ at hushmail.com> > > > I see there is no encrytion subkey. > > If I look at the key with --list-packets, I see > > C:\Users\Sean Rima>gpg --list-packets < test.txt > :public key packet: > version 4, algo 3, created 1262830845, expires 0 > unknown algorithm 3 Algorithm 3 is "RSA Sign-Only". > :public sub key packet: > version 4, algo 2, created 1262830846, expires 0 > unknown algorithm 2 Algorithm 2 is "RSA Encrypt-Only". > :signature packet: algo 3, keyid 7853D9CDC4E23A82 > version 4, created 1262830857, md5len 0, sigclass 0x18 > digest algo 2, begin of digest 8b f2 > hashed subpkt 2 len 4 (sig created 2010-01-07) > subpkt 16 len 8 (issuer key ID 7853D9CDC4E23A82) > unknown algorithm 3 > Both of those algorithms are deprecated in the OpenPGP spec: "RSA Encrypt-Only (2) and RSA Sign-Only are deprecated and SHOULD NOT be generated, but may be interpreted." > I am using gpg2.0.12 (waiting for gpg4win to be compiled to latest) The 1.4.x branch will interpret these deprecated keys (internally treating them as regular RSA with the appropriate encrypt or sign flags). 
I don't think gpg2 does that. Was this generated by Hushmail? If so, they to stop generating keys that the spec says SHOULD NOT be generated :) David From sean at srima.ie Fri Jan 29 21:55:15 2010 
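The two ways of handling algorithm IDs 2 and 3 that David Shaw's message of 29 Jan 2010 above describes, as an added example run over the `--list-packets` output quoted in that message; this is not GnuPG code and not part of the original thread. The algorithm names come from RFC 4880 section 9.1; the function names, the `lenient` switch and the report fields are assumptions made for the illustration.

```python
"""Added illustration: strict vs. lenient handling of deprecated RSA algorithm IDs."""
import re

# Public-key algorithm IDs from RFC 4880 section 9.1 (subset).
PUBKEY_ALGOS = {
    1: "RSA (Encrypt or Sign)",
    2: "RSA Encrypt-Only",
    3: "RSA Sign-Only",
    16: "Elgamal (Encrypt-Only)",
    17: "DSA",
}

# Lenient policy as described in the message: treat the deprecated IDs as
# regular RSA (ID 1) restricted to the matching capability.
LENIENT_MAP = {2: (1, "encrypt"), 3: (1, "sign")}

# Listing copied from the output quoted in the thread (key ID as posted there).
SAMPLE_LISTING = """\
:public key packet:
    version 4, algo 3, created 1262830845, expires 0
    unknown algorithm 3
:public sub key packet:
    version 4, algo 2, created 1262830846, expires 0
    unknown algorithm 2
:signature packet: algo 3, keyid 7853D9CDC4E23A82
    version 4, created 1262830857, md5len 0, sigclass 0x18
    digest algo 2, begin of digest 8b f2
    hashed subpkt 2 len 4 (sig created 2010-01-07)
    subpkt 16 len 8 (issuer key ID 7853D9CDC4E23A82)
    unknown algorithm 3
"""

HEADER = re.compile(r"^:(?P<type>.+?) packet:(?P<rest>.*)$")
ALGO = re.compile(r"\balgo (\d+)")


def parse_packets(listing: str) -> list:
    """Return one {'type', 'algo'} dict per packet in a --list-packets dump.

    The public-key algorithm sits on the header line for signature packets
    and on the following 'version' line for key packets; 'digest algo' lines
    name a hash algorithm and are deliberately ignored.
    """
    packets = []
    for line in listing.splitlines():
        header = HEADER.match(line)
        if header:
            found = ALGO.search(header.group("rest"))
            packets.append({"type": header.group("type"),
                            "algo": int(found.group(1)) if found else None})
        elif (packets and packets[-1]["algo"] is None
              and line.strip().startswith("version")):
            found = ALGO.search(line)
            if found:
                packets[-1]["algo"] = int(found.group(1))
    return packets


def assess(listing: str, lenient: bool) -> list:
    """Report, per packet, whether its public-key algorithm is usable."""
    report = []
    for pkt in parse_packets(listing):
        algo = pkt["algo"]
        deprecated = algo in LENIENT_MAP
        if deprecated and lenient:
            effective, usage = LENIENT_MAP[algo]
            usable = True
        elif deprecated:
            # Strict policy: rejected, like the "unknown algorithm" lines above.
            effective, usage, usable = algo, None, False
        else:
            effective, usage = algo, "per key flags"
            usable = algo in PUBKEY_ALGOS
        report.append({"type": pkt["type"], "algo": algo,
                       "name": PUBKEY_ALGOS.get(algo, "unknown"),
                       "deprecated": deprecated, "usable": usable,
                       "effective_algo": effective, "usage": usage})
    return report


if __name__ == "__main__":
    for mode in (False, True):
        print("lenient" if mode else "strict")
        for row in assess(SAMPLE_LISTING, lenient=mode):
            print("  ", row)
```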
From: sean at srima.ie (Sean Rima) Date: Fri, 29 Jan 2010 20:55:15 +0000 Subject: Problem encrypting to a hushmail gpg key In-Reply-To: <3703F18F-CE30-470D-BD04-F7836630D07A@jabberwocky.com> References: <4B534793.4090402@srima.ie> <3703F18F-CE30-470D-BD04-F7836630D07A@jabberwocky.com> Message-ID: <934b792d1001291255m77be557bge12d2729de03153b@mail.gmail.com> David Yes the key is generated by hushmail.com. Not sure if they will listen to me, but I will forward this to the list where the problem originated Thanks for the help and sorry for top posting, on my BlackBerry (and sadly no gnupg) Sean On 1/29/10, David Shaw wrote: > On Jan 17, 2010, at 12:23 PM, Sean Rima wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi >> >> A friend on the pgpnet mailing list is using a hushmail.com gpg key but >> when I import it, I get: >> >> C:\Users\Sean Rima>gpg --import < test.txt >> gpg: key C4E23A82: accepted non self-signed user ID >> ""*********@hushmail.com" <---- at hushmail.com>" >> gpg: key C4E23A82: public key ""---- at hushmail.com" >> " >> imported >> gpg: Total number processed: 1 >> gpg: imported: 1 (RSA: 1) >> >> >> If I edit the key, I see: >> >> pub 0s/C4E23A82 created: 2010-01-07 expires: never usage: SC >> [ unknown] (1). "------ at hushmail.com" <------ at hushmail.com> >> >> >> I see there is no encrytion subkey. >> >> If I look at the key with --list-packets, I see >> >> C:\Users\Sean Rima>gpg --list-packets < test.txt >> :public key packet: >> version 4, algo 3, created 1262830845, expires 0 >> unknown algorithm 3 > > Algorithm 3 is "RSA Sign-Only". > >> :public sub key packet: >> version 4, algo 2, created 1262830846, expires 0 >> unknown algorithm 2 > > Algorithm 2 is "RSA Encrypt-Only". 
> >> :signature packet: algo 3, keyid 7853D9CDC4E23A82 >> version 4, created 1262830857, md5len 0, sigclass 0x18 >> digest algo 2, begin of digest 8b f2 >> hashed subpkt 2 len 4 (sig created 2010-01-07) >> subpkt 16 len 8 (issuer key ID 7853D9CDC4E23A82) >> unknown algorithm 3 >> > > Both of those algorithms are deprecated in the OpenPGP spec: "RSA > Encrypt-Only (2) and RSA Sign-Only are deprecated and SHOULD NOT be > generated, but may be interpreted." > >> I am using gpg2.0.12 (waiting for gpg4win to be compiled to latest) > > The 1.4.x branch will interpret these deprecated keys (internally treating > them as regular RSA with the appropriate encrypt or sign flags). I don't > think gpg2 does that. > > Was this generated by Hushmail? If so, they to stop generating keys that > the spec says SHOULD NOT be generated :) > > David > > -- Sent from my mobile device From taurus366 at gmail.com Sat Jan 30 03:23:28 2010 
From: taurus366 at gmail.com (taurus) Date: Sat, 30 Jan 2010 02:23:28 +0000 Subject: Gnupg doesn't recognize card. In-Reply-To: <4B622A41.7030304@gmail.com> References: <4B622A41.7030304@gmail.com> Message-ID: <55165820-A91C-4372-A3B5-73B3DD4834F5@gmail.com> On 29 January 2010, at 00:22, Chris Ruff wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > >>>> >>>> Gpg does not recognize my fellowship card; >>>> ~ xxx$ gpg --card-status >>>> gpg: selecting openpgp failed: Card error >>>> gpg: OpenPGP card not available: Card error >>>> Reader 01: Gemplus GemPC Twin 00 00 >>> >>> Is that a new OpenPGP card (2.0)? >> >> >> No, it is a v1.0 Fellowship card. >> >> Only the Macbook Pro is new. > > On the Mac (10.5.8) I've found that when I receive this error to kill > the scdaemon and reinsert the reader/card. > > $ killall -u scdaemon #usually has to be entered 2-3x > to > kill it > > Then I'm able to reinsert and perform a 'gpg --card-status' > > Hope this helps. > I kill scdaemon several times but error persists. gpg: selecting openpgp failed: Card error gpg: OpenPGP card not available: Card error Thank you, From jcruff at gmail.com Sat Jan 30 03:51:40 2010 
From: jcruff at gmail.com (Chris Ruff)
Date: Fri, 29 Jan 2010 21:51:40 -0500
Subject: Gnupg doesn't recognize card.
In-Reply-To: <55165820-A91C-4372-A3B5-73B3DD4834F5@gmail.com>
References: <4B622A41.7030304@gmail.com> <55165820-A91C-4372-A3B5-73B3DD4834F5@gmail.com>
Message-ID: <4B639EBC.1020608@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 1/29/10 9:23 PM, taurus wrote:
>
> On 29 January 2010, at 00:22, Chris Ruff wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>>
>>>>>
>>>>> Gpg does not recognize my fellowship card;
>>>>> ~ xxx$ gpg --card-status
>>>>> gpg: selecting openpgp failed: Card error
>>>>> gpg: OpenPGP card not available: Card error
>>>>> Reader 01: Gemplus GemPC Twin 00 00
>>>>
>>>> Is that a new OpenPGP card (2.0)?
>>>
>>>
>>> No, it is a v1.0 Fellowship card.
>>>
>>> Only the Macbook Pro is new.
>>
>> On the Mac (10.5.8) I've found that when I receive this error to kill
>> the scdaemon and reinsert the reader/card.
>>
>> $ killall -u scdaemon #usually has to be entered 2-3x to
>> kill it
>>
>> Then I'm able to reinsert and perform a 'gpg --card-status'
>>
>> Hope this helps.
>>
>
> I kill scdaemon several times but error persists.
> gpg: selecting openpgp failed: Card error
> gpg: OpenPGP card not available: Card error
>
>
> Thank you,
>
>
>
>
Have you run 'pcsctest'?
- --
__________________________________
Chris Ruff
email: jcruff at gmail.com
gpg key: 0x307A351B4EC4B6A1
gpg fgpr: BF2F 2497 22E7 FEB5 C805 075C 307A 351B 4EC4 B6A1
From taurus366 at gmail.com Sat Jan 30 19:25:19 2010
From: taurus366 at gmail.com (taurus)
Date: Sat, 30 Jan 2010 18:25:19 +0000
Subject: Gnupg doesn't recognize card.
In-Reply-To: <4B639EBC.1020608@gmail.com>
References: <4B622A41.7030304@gmail.com> <55165820-A91C-4372-A3B5-73B3DD4834F5@gmail.com> <4B639EBC.1020608@gmail.com>
Message-ID: <7DBD95E2-D3C7-4581-B0B4-8F6AED087D4F@gmail.com>

On 30 January 2010, at 02:51, Chris Ruff wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 1/29/10 9:23 PM, taurus wrote:
>>
>> On 29 January 2010, at 00:22, Chris Ruff wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>>
>>>>>>
>>>>>> Gpg does not recognize my fellowship card;
>>>>>> ~ xxx$ gpg --card-status
>>>>>> gpg: selecting openpgp failed: Card error
>>>>>> gpg: OpenPGP card not available: Card error
>>>>>> Reader 01: Gemplus GemPC Twin 00 00
>>>>>
>>>>> Is that a new OpenPGP card (2.0)?
>>>>
>>>>
>>>> No, it is a v1.0 Fellowship card.
>>>>
>>>> Only the Macbook Pro is new.
>>>
>>> On the Mac (10.5.8) I've found that when I receive this error to
>>> kill
>>> the scdaemon and reinsert the reader/card.
>>>
>>> $ killall -u scdaemon #usually has to be entered
>>> 2-3x to
>>> kill it
>>>
>>> Then I'm able to reinsert and perform a 'gpg --card-status'
>>>
>>> Hope this helps.
>>>
>>
>> I kill scdaemon several times but error persists.
>> gpg: selecting openpgp failed: Card error
>> gpg: OpenPGP card not available: Card error
>>
>>
>> Thank you,
>>
>>
>>
>>
> Have you run 'pcsctest'?

pcsctest is fine. Werner says the Gemplus readers are buggy, they don't
support extended length APDUs.

$ pcsctest
MUSCLE PC/SC Lite Test Program
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Gemplus GemPC Twin 00 00
Enter the reader number : 01
Waiting for card insertion : Command successful.
Testing SCardConnect : Command successful.
Testing SCardStatus : Command successful.
Current Reader Name : Gemplus GemPC Twin 00 00
Current Reader State : 0x34
Current Reader Protocol : 0x1
Current Reader ATR Size : 20 (0x14)
Current Reader ATR Value : 3B FA 13 00 FF 81 31 80 45 00 31 C1 73 C0 01 00 00 90 00 B1
Testing SCardDisconnect : Command successful.
Testing SCardReleaseContext : Command successful.
Testing SCardEstablishContext : Command successful.
Testing SCardGetStatusChange
Please insert a working reader : Command successful.
Testing SCardListReaders : Command successful.
Reader 01: Gemplus GemPC Twin 00 00

Thank you.
From ml at mareichelt.de Sun Jan 31 00:10:08 2010
From: ml at mareichelt.de (markus reichelt)
Date: Sun, 31 Jan 2010 00:10:08 +0100
Subject: FYI: Keysigning events at FOSDEM (Feb 7th) and Chemnitz Linux-Days (March 13th)
Message-ID: <20100130231007.GA30234@tatooine.rebelbase.local>

Hi,

for those interested in keysigning there are two upcoming events:

PGP/GPG/CA Keysigning events on Sunday Feb 7th at FOSDEM in Brussels
http://fosdem.org/2010/keysigning
Deadline for key submission: Monday, Feb 1st 2010 (hurry up!)

PGP/GPG Keysigning event on Saturday March 13th at Chemnitz Linux Days
More info (in German and English) is available at
http://chemnitzer.linux-tage.de/2010/addons/pgp.html
Deadline for key submission: Wednesday, March 10th 2010

Thanks to the people organizing the events. At both events the FSFE will
be present, so check out its booth if you are generally interested in
free software: http://fsfe.org/

--
left blank, right bald
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL:
From chaz at chaz6.com Sun Jan 31 07:48:35 2010
From: chaz at chaz6.com (Chris Hills)
Date: Sun, 31 Jan 2010 06:48:35 +0000
Subject: Keyserver doesn't honour signature removal
In-Reply-To: <49E1BDE2.1070003__3461.77141550488$1239531340$gmane$org@naturalnet.de>
References: <49E1BDE2.1070003__3461.77141550488$1239531340$gmane$org@naturalnet.de>
Message-ID:

On 12/04/2009 11:09, Dominik George wrote:
> Is it even possible to remove signatures from a key and distribute this
> change? Or am I doing something wrong?

The best thing you can do is to upload the revocation certificate for
each key. Keys cannot effectively be removed from a keyserver.
From chaz at chaz6.com Sun Jan 31 08:17:22 2010
From: chaz at chaz6.com (Chris Hills)
Date: Sun, 31 Jan 2010 07:17:22 +0000
Subject: Keyserver doesn't honour signature removal
In-Reply-To:
References: <49E1BDE2.1070003__3461.77141550488$1239531340$gmane$org@naturalnet.de>
Message-ID:

My apologies for the late reply. I just re-subscribed to the group and it
was right at the top. I forgot to change the sort order. Oops!
From dna at trc.NET Sat Jan 30 22:47:59 2010
From: dna at trc.NET (Doman Name Administrator)
Date: Sat, 30 Jan 2010 21:47:59 +0000
Subject: help needed to load idea.dll in Vista32
Message-ID: <4B64A90F.7050402@trc.NET>

Hello,

We are trying to change over to Mozilla Thunderbird 3 w/OpenPGP on a 32
bit Vista machine. The primary reason being a PGP signature we need to
continue to use originally created in 1999.

When we go to sign the email with the sig we get:

"
Send operation aborted.

Error - encryption command failed

gpg command line and output:
C:\Program Files\GNU\GnuPG\gpg.exe
gpg: protection algorithm 1 (IDEA) is not supported
gpg: the IDEA cipher plugin is not present
gpg: please see http://www.gnupg.org/faq/why-not-idea.html for more information
gpg: skipped "0xD7AFB487": unknown cipher algorithm
gpg: [stdin]: clearsign failed: unknown cipher algorithm
"

Of course we have already downloaded and installed the idea.dll made for
Windows 32. However, there are no 'options' or gnupg config files nor
does it have the files structure of WinXPP.

One instruction said we should copy file idea.dll to directory
c:\lib\gnupg and add following line to GPG options file, which there is
not an options file nor a c:\lib\gnupg directory.

I've also changed the registry:

[HKEY_CURRENT_USER\Software\GNU\GNUPG]
OptFile=C:\\Program Files\\GNU\\GnuPG\\options

How in the world am I supposed to get this dll loaded?

Thanks,
Ellis
From John at Mozilla-Enigmail.org Sun Jan 31 18:21:51 2010
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 31 Jan 2010 11:21:51 -0600
Subject: help needed to load idea.dll in Vista32
In-Reply-To: <4B64A90F.7050402@trc.NET>
References: <4B64A90F.7050402@trc.NET>
Message-ID: <4B65BC2F.9010202@Mozilla-Enigmail.org>

Doman Name Administrator wrote:
> Hello,
>
> We are trying to change over to Mozilla Thunderbird 3 w/OpenPGP on a 32
> bit Vista machine. The primary reason being a PGP signature we need to
> continue to use originally created in 1999.
>
> Of course we have already downloaded and installed the idea.dll made for
> Windows 32. However, there are no 'options' or gnupg config files nor
> does it have the files structure of WinXPP.

It's not all that different. C:\Documents and Settings\ is now C:\User\.
"Application Data" is now AppData. The change is the addition at the next
level of several directories to group data: Local, LocalLow, Roaming.
GnuPG's application directory will be in Roaming. Running "gpg --version"
at a command line prompt should confirm that. SSHing to a Vista box, I got:

+> C:\cygwin\home\jpclizbe>"C:\Program Files\Gnu\GnuPG\gpg.exe" --version
+> "C:\Program Files\Gnu\GnuPG\gpg.exe" --version
+> gpg (GnuPG) 1.4.10
+> Copyright (C) 2008 Free Software Foundation, Inc.
+> License GPLv3+: GNU GPL version 3 or later
+> This is free software: you are free to change and redistribute it.
+> There is NO WARRANTY, to the extent permitted by law.
+>
+> Home: C:/Users/jpclizbe/AppData/Roaming/gnupg

> One instruction said we should copy file idea.dll to directory
> c:\lib\gnupg and add following line to GPG options file, which there is
> not an options file nor a c:\lib\gnupg directory.

Locate GnuPG's HOME directory. The default on Vista (and I believe
Windows 7) will be C:\Users\\AppData\Roaming\gnupg\. Running gpg.exe with
the --version switch will confirm this - just look for the line starting
Home:.

Copy/move idea.dll to there.
> I've also changed the registry:
>
> [HKEY_CURRENT_USER\Software\GNU\GNUPG]
> OptFile=C:\\Program Files\\GNU\\GnuPG\\options

You can safely delete that addition. I don't think anything uses that
registry value any longer.

> How in the world am I supposed to get this dll loaded?

In the same directory to where you copied idea.dll, use Notepad to create
a text file named gpg.conf. Include the line

    load-extension .\idea.dll

You may include other options in gpg.conf as well, but that line is what
you're looking for. Running "gpg --version" again should show IDEA as an
available cipher algorithm.

Feel free to ask any Enigmail questions on the Enigmail list,
enigmail at mozdev.org.

Good luck.

--
John P. Clizbe Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 679 bytes
Desc: OpenPGP digital signature
URL:
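
The steps in John Clizbe's reply above (find GnuPG's home directory from "gpg --version", put idea.dll there, add the load-extension line to gpg.conf, re-check the cipher list), scripted in PowerShell as an added example that is not part of the original thread. The gpg.exe path is the one quoted in the thread; the Get-GpgInfo helper, the idea.dll location in the current directory and the SHA-256 printout are additions made here, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example, not from the thread. Assumptions: gpg.exe at the path quoted
# in the thread, idea.dll in the current directory, PowerShell 4.0 or later.
param(
    [string]$Gpg     = 'C:\Program Files\GNU\GnuPG\gpg.exe',
    [string]$IdeaDll = '.\idea.dll'
)
$ErrorActionPreference = 'Stop'

function Get-GpgInfo {
    # Read the "Home:" and "Cipher:" lines of `gpg --version`; the cipher
    # list may continue on indented lines, so those are joined back on.
    $homeDir = $null; $ciphers = ''; $inCipher = $false
    foreach ($l in (& $Gpg --version)) {
        if ($l -match '^Home:\s*(.+)$') { $homeDir = $Matches[1].Trim() }
        if ($l -match '^Cipher:\s*(.*)$') { $ciphers = $Matches[1]; $inCipher = $true }
        elseif ($inCipher -and $l -match '^\s+(\S.*)$') { $ciphers += ' ' + $Matches[1] }
        else { $inCipher = $false }
    }
    if (-not $homeDir) { throw "no 'Home:' line in gpg --version output" }
    @{ HomeDir = $homeDir
       Ciphers = @($ciphers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
}

$info    = Get-GpgInfo
$conf    = Join-Path $info.HomeDir 'gpg.conf'
$dest    = Join-Path $info.HomeDir 'idea.dll'
$optLine = 'load-extension .\idea.dll'   # the line given in the reply

# Copy the DLL only if none is installed yet, then print the hash of the
# installed file: it is loaded into gpg.exe, so compare the value with one
# obtained from a source you trust.
if (-not (Test-Path $dest)) { Copy-Item -Path $IdeaDll -Destination $dest }
'idea.dll SHA-256: ' + (Get-FileHash -Path $dest -Algorithm SHA256).Hash

# Add the option once; an existing load-extension line for idea.dll is kept.
$present = (Test-Path $conf) -and
    (Select-String -Path $conf -Pattern '^\s*load-extension\s.*idea\.dll' -Quiet)
if (-not $present) { Add-Content -Path $conf -Value $optLine -Encoding ASCII }

# Re-run gpg --version: IDEA should now appear among the cipher algorithms.
$after = Get-GpgInfo
if ($after.Ciphers -contains 'IDEA') { 'OK: IDEA is listed as a cipher.' }
else { Write-Warning "IDEA not listed. Ciphers: $($after.Ciphers -join ', ')" }
```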