From dshaw at jabberwocky.com Sat May 1 01:44:28 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 30 Apr 2010 19:44:28 -0400
Subject: Crypto Stick released!
In-Reply-To: <4BDAF109.2000800@privacyfoundation.de>
References: <4BDAF109.2000800@privacyfoundation.de>
Message-ID: <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com>

On Apr 30, 2010, at 11:02 AM, Crypto Stick wrote:

> Recently the German Privacy Foundation released the open source Crypto
> Stick!
>
> The GPF Crypto Stick is a USB stick in a small form factor containing an
> integrated OpenPGP smart card to allow easy and high-secure encryption
> e.g. of e-mail or for authentication in network environments. As opposed
> to ordinary software solutions, private keys are always inside the
> Crypto Stick so that their exposure is impossible. All cryptographic
> operations (precisely: decryption and signature because of public key
> cryptography) are executed on the PIN-protected Crypto Stick. In case
> the Crypto Stick was stolen, got lost, or is used on a
> virus-contaminated computer (e.g. Trojan horse) no attacker is able to
> access the private keys so that all encrypted data stays secure.

Looks very interesting. I'm curious how this differs from the SIM-sized card in a SIM-sized USB reader? For example, the regular 2.0 OpenPGP card in a SCR3320 USB stick reader (http://www.scmmicro.com/security/view_product_en.php?PID=6).

David

From joke at seiken.de Sat May 1 01:54:56 2010
From: joke at seiken.de (Joke de Buhr)
Date: Sat, 1 May 2010 01:54:56 +0200
Subject: Crypto Stick released!
In-Reply-To:
References: <4BDAF109.2000800@privacyfoundation.de>
Message-ID: <201005010154.59026.joke@seiken.de>

They seem to be trustworthy. I ordered a crypto stick last Sunday. It arrived on Friday (inner German transport).

The stick works fine with Ubuntu 10.04 but you have to install a patched driver for libccid but it's quite possible the patch will be included upstream.
The stick works only with gnupg as far as I can tell now. The gnupg support is flawless. But the stick doesn't seem to work with opensc because the stick uses an openpgp card version 2.0 which isn't supported by opensc yet. So you can't use opensc's firefox integration unless opensc releases an updated openpgp card driver. The Firefox extension FireGPG works since it uses gpg.

I only tested the stick on linux and I haven't tested things like pam authentication up till now.

On Friday 30 April 2010 23:41:47 Andre Amorim wrote:
> That's what I'm looking for...
> but the shop is all in German, so does anyone know if
> privacyfoundation.de is a trustable company? (I mean, there are so many
> scams these days) But if it's ok I will be happy to buy one and give a
> try.
> Thanks
> AA.
>
> On 30 April 2010 16:02, Crypto Stick wrote:
> > Recently the German Privacy Foundation released the open source Crypto
> > Stick!
> >
> > The GPF Crypto Stick is a USB stick in a small form factor containing an
> > integrated OpenPGP smart card to allow easy and high-secure encryption
> > e.g. of e-mail or for authentication in network environments. As opposed
> > to ordinary software solutions, private keys are always inside the
> > Crypto Stick so that their exposure is impossible. All cryptographic
> > operations (precisely: decryption and signature because of public key
> > cryptography) are executed on the PIN-protected Crypto Stick. In case
> > the Crypto Stick was stolen, got lost, or is used on a
> > virus-contaminated computer (e.g. Trojan horse) no attacker is able to
> > access the private keys so that all encrypted data stays secure.
> >
> > The Crypto Stick is developed as a non-profit open source project and
> > ensures a very high level of security due to verifiability and an
> > attractive price. The open interface of the used OpenPGP smart card
> > allows optimal compatibility with various software applications (e.g.
> > GnuPG, Mozilla Thunderbird + Enigmail, OpenSSH, Linux PAM, OpenVPN,
> > Mozilla Firefox).
> >
> > You can find more information at:
> > http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
> >
> > The Online Shop is currently in German only. Please mail me if you want
> > to purchase a Crypto Stick and have trouble placing the order.

From christoph.anton.mitterer at physik.uni-muenchen.de Sat May 1 02:02:59 2010
From: christoph.anton.mitterer at physik.uni-muenchen.de (Christoph Anton Mitterer)
Date: Sat, 01 May 2010 02:02:59 +0200
Subject: Crypto Stick released!
In-Reply-To: <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com>
References: <4BDAF109.2000800@privacyfoundation.de> <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com>
Message-ID: <1272672179.3469.17.camel@fermat.scientia.net>

On Fri, 2010-04-30 at 19:44 -0400, David Shaw wrote:
> Looks very interesting. I'm curious how this differs from the
> SIM-sized card in a SIM-sized USB reader? For example, the regular
> 2.0 OpenPGP card in a SCR3320 USB stick reader
> (http://www.scmmicro.com/security/view_product_en.php?PID=6).

I thought it would be exactly like this? OpenPGP SIM card + USB reader?

Cheers,
Chris.

From joke at seiken.de Sat May 1 02:31:09 2010
From: joke at seiken.de (Joke de Buhr)
Date: Sat, 1 May 2010 02:31:09 +0200
Subject: Crypto Stick released!
In-Reply-To: <1272672179.3469.17.camel@fermat.scientia.net>
References: <4BDAF109.2000800@privacyfoundation.de> <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com> <1272672179.3469.17.camel@fermat.scientia.net>
Message-ID: <201005010231.18212.joke@seiken.de>

I think it is. But isn't all packed within a USB dongle. There isn't a sim slot. You can't simply change the openpgp card. At least without opening (breaking) the casing.

The SCR3320 seems to be a little more universal.

On Saturday 01 May 2010 02:02:59 Christoph Anton Mitterer wrote:
> On Fri, 2010-04-30 at 19:44 -0400, David Shaw wrote:
> > Looks very interesting. I'm curious how this differs from the
> > SIM-sized card in a SIM-sized USB reader? For example, the regular
> > 2.0 OpenPGP card in a SCR3320 USB stick reader
> > (http://www.scmmicro.com/security/view_product_en.php?PID=6).
>
> I thought it would be exactly like this? OpenPGP SIM card + USB reader?
>
>
> Cheers,
> Chris.

From cryptostick at privacyfoundation.de Sat May 1 14:32:17 2010
From: cryptostick at privacyfoundation.de (Crypto Stick)
Date: Sat, 01 May 2010 14:32:17 +0200
Subject: Crypto Stick released!
In-Reply-To: <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com>
References: <4BDAF109.2000800@privacyfoundation.de> <4E9B3ED5-55CB-4419-9F80-7B022D60E987@jabberwocky.com>
Message-ID: <4BDC1F51.7040005@privacyfoundation.de>

> Looks very interesting. I'm curious how this differs from the SIM-sized card in a SIM-sized USB reader? For example, the regular 2.0 OpenPGP card in a SCR3320 USB stick reader (http://www.scmmicro.com/security/view_product_en.php?PID=6).
Currently we are developing the next version which will contain more features:
- hardware encrypted storage
- simple HTML- and text-file-interfaces providing OpenPGP functionality without any software requirement
- many more...

From stanislav at sidorenko.biz Sat May 1 22:52:15 2010
From: stanislav at sidorenko.biz (Stanislav Sidorenko)
Date: Sun, 2 May 2010 00:52:15 +0400
Subject: SHA2 digest, V2 smartcard and gpg-agent problem
Message-ID: <201005020052.16107.stanislav@sidorenko.biz>

Hi!

I've tried to use SHA256 digest for signing using openpgp V2 smartcard and got the following error:

gpg: checking created signature failed: bad signature
gpg: signing failed: bad signature
gpg: signing failed: bad signature

It happens only if gpg uses gpg-agent which is configured to use scdaemon for accessing smartcards. If I disable gpg-agent usage (--no-use-agent switch) and enter card PIN code in the console then signing with SHA256 works perfectly. In case of enabled gpg-agent only SHA1 and RIPEMD160 can be used. It looks like an issue in gpg-agent or scdaemon.

The issue was found on gpg 1.4.10 and gpg-agent 2.0.14.

Thanks,
Stanislav

From wk at gnupg.org Mon May 3 12:02:51 2010
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 May 2010 12:02:51 +0200
Subject: Crypto Stick released!
In-Reply-To: <201005010154.59026.joke@seiken.de> (Joke de Buhr's message of "Sat, 1 May 2010 01:54:56 +0200")
References: <4BDAF109.2000800@privacyfoundation.de> <201005010154.59026.joke@seiken.de>
Message-ID: <87mxwhe20k.fsf@vigenere.g10code.de>

On Sat, 1 May 2010 01:54, joke at seiken.de said:

> an openpgp card version 2.0 which isn't supported by opensc yet. So you can't
> use opensc's firefox integration unless opensc releases an updated

Check out http://www.scute.org .

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From joke at seiken.de Mon May 3 12:22:12 2010
From: joke at seiken.de (Joke de Buhr)
Date: Mon, 3 May 2010 12:22:12 +0200
Subject: Crypto Stick released!
In-Reply-To: <87mxwhe20k.fsf@vigenere.g10code.de>
References: <4BDAF109.2000800@privacyfoundation.de> <201005010154.59026.joke@seiken.de> <87mxwhe20k.fsf@vigenere.g10code.de>
Message-ID: <201005031222.21850.joke@seiken.de>

I tried scute but it didn't work. I tried the versions 1.0, 1.1, 1.2, 1.4 and the svn sources. Scute compiled without problem. I followed the documentation on how to set up gpgsm.

Firefox lists crypto device and the private key on the key shows up underneath the crypto device. As soon as I visit a protected page firefox asks which key to choose and after selecting my key I always get this firefox error message "sec_error_pkcs11_function_failed".

It doesn't matter which scute version I'm using it's always the same error. It's not specific to a website. I tried several.

On Monday 03 May 2010 12:02:51 Werner Koch wrote:
> On Sat, 1 May 2010 01:54, joke at seiken.de said:
> > an openpgp card version 2.0 which isn't supported by opensc yet.
> > So you can't use opensc's firefox integration unless opensc releases an updated
>
> Check out http://www.scute.org .
>
>
> Salam-Shalom,
>
> Werner

From wk at gnupg.org Mon May 3 15:49:35 2010
From: wk at gnupg.org (Werner Koch)
Date: Mon, 03 May 2010 15:49:35 +0200
Subject: Crypto Stick released!
In-Reply-To: <201005031222.21850.joke@seiken.de> (Joke de Buhr's message of "Mon, 3 May 2010 12:22:12 +0200")
References: <4BDAF109.2000800@privacyfoundation.de> <201005010154.59026.joke@seiken.de> <87mxwhe20k.fsf@vigenere.g10code.de> <201005031222.21850.joke@seiken.de>
Message-ID: <87iq75drio.fsf@vigenere.g10code.de>

On Mon, 3 May 2010 12:22, joke at seiken.de said:

> selecting my key I always get this firefox error message
> "sec_error_pkcs11_function_failed".

Okay we need to check this. This should really work.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From joke at seiken.de Mon May 3 17:17:35 2010
From: joke at seiken.de (Joke de Buhr)
Date: Mon, 3 May 2010 17:17:35 +0200
Subject: Crypto Stick released!
In-Reply-To: <87iq75drio.fsf@vigenere.g10code.de>
References: <4BDAF109.2000800@privacyfoundation.de> <201005031222.21850.joke@seiken.de> <87iq75drio.fsf@vigenere.g10code.de>
Message-ID: <201005031717.37997.joke@seiken.de>

I'm using Ubuntu lucid (amd64) with firefox 3.6.3.

On Monday 03 May 2010 15:49:35 Werner Koch wrote:
> On Mon, 3 May 2010 12:22, joke at seiken.de said:
> > selecting my key I always get this firefox error message
> > "sec_error_pkcs11_function_failed".
>
> Okay we need to check this. This should really work.
>
>
> Shalom-Salam,
>
> Werner
From stephen.williams at twcable.com Mon May 3 22:40:26 2010
From: stephen.williams at twcable.com (Williams, Stephen)
Date: Mon, 3 May 2010 16:40:26 -0400
Subject: compile errors on Solaris 10 64bit
Message-ID: <7AB90E1B152E184A92C1FA2DD63E0DC30302722D55@PRVPEXVS08.corp.twcable.com>

Good evening list. I have been trying to get my compile to work and I keep getting the below error. I am only using the -disable-asm option with my configure (found that as a fix to a similar issue in this list). If anyone has any insight into this matter that would be great.

Thanks,
-Stephen

Making all in tools
/tmp/gnupg-1.4.10/tools
gcc -DHAVE_CONFIG_H -I. -I.. -I../include -I../intl -DLOCALEDIR="\"/usr/local/share/locale\"" -D_REENTRANT -I/usr/local/include -g -O2 -Wall -MT gpgsplit.o -MD -MP -MF .deps/gpgsplit.Tpo -c -o gpgsplit.o gpgsplit.c
mv -f .deps/gpgsplit.Tpo .deps/gpgsplit.Po
gcc -g -O2 -Wall -o gpgsplit gpgsplit.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a /usr/local/lib/libiconv.so -L/usr/local/lib -L/usr/openwin/lib -R/usr/local/lib /usr/local/lib/libintl.so -L/usr/local/lib -L/usr/openwin/lib -L/usr/X11R6/lib /usr/local/lib/libiconv.so -lsec -lc -R/usr/local/lib -R/usr/local/ssl/lib -R/usr/openwin/lib -R/usr/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/X11R6/lib -lz -lbz2
ld: warning: file /usr/local/lib/libiconv.so: attempted multiple inclusion of file
gcc -DHAVE_CONFIG_H -I. -I.. -I../include -I../intl -DLOCALEDIR="\"/usr/local/share/locale\"" -D_REENTRANT -I/usr/local/include -g -O2 -Wall -MT mpicalc.o -MD -MP -MF .deps/mpicalc.Tpo -c -o mpicalc.o mpicalc.c
mv -f .deps/mpicalc.Tpo .deps/mpicalc.Po
gcc -g -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a /usr/local/lib/libiconv.so -L/usr/local/lib -L/usr/openwin/lib -R/usr/local/lib /usr/local/lib/libintl.so -L/usr/local/lib -L/usr/openwin/lib -L/usr/X11R6/lib /usr/local/lib/libiconv.so -lsec -lc -R/usr/local/lib -R/usr/local/ssl/lib -R/usr/openwin/lib -R/usr/lib -R/usr/local/BerkeleyDB.4.2/lib -R/usr/X11R6/lib
ld: warning: file /usr/local/lib/libiconv.so: attempted multiple inclusion of file
Undefined                       first referenced
 symbol                             in file
__udiv_qrnnd                        ../mpi/libmpi.a(mpih-div.o)
ld: fatal: Symbol referencing errors. No output written to mpicalc
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `mpicalc'
Current working directory /tmp/gnupg-1.4.10/tools
*** Error code 1
The following command caused the error:
failcom='exit 1'; \
for f in x $MAKEFLAGS; do \
  case $f in \
    *=* | --[!k]*);; \
    *k*) failcom='fail=yes';; \
  esac; \
done; \
dot_seen=no; \
target=`echo all-recursive | sed s/-recursive//`; \
list='m4 intl zlib util mpi cipher tools g10 keyserver po doc checks'; for subdir in $list; do \
  echo "Making $target in $subdir"; \
  if test "$subdir" = "."; then \
    dot_seen=yes; \
    local_target="$target-am"; \
  else \
    local_target="$target"; \
  fi; \
  (cd $subdir && make $local_target) \
  || eval $failcom; \
done; \
if test "$dot_seen" = "no"; then \
  make "$target-am" || exit 1; \
fi; test -z "$fail"
make: Fatal error: Command failed for target `all-recursive'
Current working directory /tmp/gnupg-1.4.10
*** Error code 1
make: Fatal error: Command failed for target `all'

From beppecosta at yahoo.it Tue May 4 14:50:57 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Tue, 4 May 2010 05:50:57 -0700 (PDT)
Subject: Compile PTH on AIX
Message-ID: <28446986.post@talk.nabble.com>

I'm trying to compile pth-2.0.7 on AIX (as prerequisite for GnuPG 2.0.15).

Configure runs fine while make exits with this error:

./shtool scpp -o pth_p.h -t pth_p.h.in -Dcpp -Cintern -M '==#==' pth_compat.c pth_debug.c pth_syscall.c pth_errno.c pth_ring.c pth_mctx.c pth_uctx.c pth_clean.c pth_time.c pth_tcb.c pth_util.c pth_pqueue.c pth_event.c pth_sched.c pth_data.c pth_msg.c pth_cancel.c pth_sync.c pth_attr.c pth_lib.c pth_fork.c pth_high.c pth_ext.c pth_string.c pthread.c
./libtool --mode=compile --quiet gcc -c -I. -O2 -pipe pth_debug.c
In file included from pth_p.h.in:54,
                 from pth_debug.c:29:
pth.h:93:2: error: #error "FD_SETSIZE is larger than what GNU Pth can handle."

I ran a simple utility check that says: FD_SETSIZE=65534

Is there any solution to carry on with build?

Thanks.
Giuseppe.
From wk at gnupg.org Wed May 5 16:41:06 2010
From: wk at gnupg.org (Werner Koch)
Date: Wed, 05 May 2010 16:41:06 +0200
Subject: Compile PTH on AIX
In-Reply-To: <28446986.post@talk.nabble.com> (beppecosta@yahoo.it's message of "Tue, 4 May 2010 05:50:57 -0700 (PDT)")
References: <28446986.post@talk.nabble.com>
Message-ID: <87zl0etnr1.fsf@vigenere.g10code.de>

On Tue, 4 May 2010 14:50, beppecosta at yahoo.it said:

> pth.h:93:2: error: #error "FD_SETSIZE is larger than what GNU Pth can
> handle."
>
> I ran a simple utility check that says: FD_SETSIZE=65534

You may try to configure it this way:

  ./configure --with-fdsetsize=65536

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From beppecosta at yahoo.it Wed May 5 17:33:47 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Wed, 5 May 2010 08:33:47 -0700 (PDT)
Subject: Compile PTH on AIX
In-Reply-To: <87zl0etnr1.fsf@vigenere.g10code.de>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de>
Message-ID: <28462645.post@talk.nabble.com>

> You may try to configure it this way:
>   ./configure --with-fdsetsize=65536

Hi,

I've retried configure as suggested but I get this error:

Optional Platform Environment:
checking for number of signals... 64
checking for default value of FD_SETSIZE... 1024
configure: error: invalid FD_SETSIZE specified -- allowed: 10-9999

-----------
Thanks.
From newton at hammet.net Wed May 5 18:18:03 2010
From: newton at hammet.net (Newton Hammet)
Date: Wed, 05 May 2010 11:18:03 -0500
Subject: Compile PTH on AIX
In-Reply-To: <28462645.post@talk.nabble.com>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com>
Message-ID: <4BE19A3B.9050303@hammet.net>

Maybe since they tell us what is allowed (10-9999) maybe something like:

./configure --with-fdsetsize=8192

would be within the limits plus respecting an implied bias towards powers of 2.

-Newton

beppecosta wrote:
>
>> You may try to configure it this way:
>>   ./configure --with-fdsetsize=65536
>>
>
> Hi,
>
> I've retried configure as suggested but I get this error:
>
> Optional Platform Environment:
> checking for number of signals... 64
> checking for default value of FD_SETSIZE... 1024
> configure: error: invalid FD_SETSIZE specified -- allowed: 10-9999
>
> -----------
> Thanks.
>
>

From beppecosta at yahoo.it Thu May 6 10:07:25 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Thu, 6 May 2010 01:07:25 -0700 (PDT)
Subject: Compile PTH on AIX
In-Reply-To: <4BE19A3B.9050303@hammet.net>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net>
Message-ID: <28470466.post@talk.nabble.com>

> Maybe since they tell us what is allowed (10-9999) maybe something like:
> ./configure --with-fdsetsize=8192

Because FD_SETSIZE is defined somewhere as 65534, I think that fdsetsize=8192 would produce the same

#error "FD_SETSIZE is larger than what GNU Pth can handle."

-Beppe
From beppecosta at yahoo.it Thu May 6 18:09:59 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Thu, 6 May 2010 09:09:59 -0700 (PDT)
Subject: Compile PTH on AIX
In-Reply-To: <4BE19A3B.9050303@hammet.net>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net>
Message-ID: <28476011.post@talk.nabble.com>

> ./configure --with-fdsetsize=8192

As you suggested, I tried with 8192 and both "configure" and "make" did complete without errors.

"make test" says: OK - ALL TESTS SUCCESSFULLY PASSED.

"make install" is OK.

Next week I will try again to compile gpg 2.

Thanks.
Beppe.

From joke at seiken.de Thu May 6 23:49:04 2010
From: joke at seiken.de (Joke de Buhr)
Date: Thu, 6 May 2010 23:49:04 +0200
Subject: Signature algorithms
Message-ID: <201005062349.06572.joke@seiken.de>

I was wondering how gnupg chooses a digest algorithm.

I used setpref to configure my gpg key to accept sha512,sha384,... digest algorithms and set gnupg's option "personal-digest-preferences" to prefer sha512,sha384,... hashes.

If I sign something and specify myself as recipient gpg2 in verbose mode reports it uses the ripemd160 algorithm. As far as I understand the manpage gpg2 should choose sha512 not ripemd160.

Does a smartcard affect the chosen algorithm? I recently started using the "crypto stick" smartcard which should be an openpgp card v2.

Thanks
Joke
From eocsor at gmail.com Fri May 7 00:09:06 2010
From: eocsor at gmail.com (Roscoe)
Date: Fri, 7 May 2010 08:09:06 +1000
Subject: Split keys
In-Reply-To: <4BD88CC6.6020703@gmail.com>
References: <0EE14841E1FD8545B7E084F22AEF968102274414@fssbemail.fss.india> <4BD88CC6.6020703@gmail.com>
Message-ID:

On Thu, Apr 29, 2010 at 5:30 AM, Faramir wrote:
...
> Well, there are tools implementing SSSS in Windows, but I think
> different implementations are not compatible with each other. The only
> open source implementation I have found is the one available at
> http://point-at-infinity.org/ssss/
>
> I was told the source code is simple enough to make an updated version
> for windows, but I lack the skill needed to do it, and the person that
> told me it won't do it unless the organization in which we are involved
> require the tool. So maybe the easiest way would be to install ubuntu in
> a machine (maybe a virtual machine), install SSSS from ubuntu's
> repositories, and use it on that platform.
>
> I think people would find SSSS a lot more reliable if GnuPG includes
> (and maintain it) as a complement of GnuPG, that way we would know it
> will be available as long as GnuPG is available, but I understand they
> can't implement each and every tool somebody thinks desirable to have.

If you're still talking about http://point-at-infinity.org/ssss/, it's free software. You don't have to worry about it disappearing any more than you have to worry about gpg disappearing. Also being pretty simple to begin with and five years old now, there's not much maintaining to be done.

If you lack the skill to port it and need it done pay someone to do it :) (I'd talk to SSSS's dev, then I'd talk to the guy who made the existing win32 port)

Regards,
-- Roscoe

From mailinglisten at hauke-laging.de Fri May 7 04:43:09 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 7 May 2010 04:43:09 +0200
Subject: Wrong signature hash detection?
Message-ID: <201005070443.09906.mailinglisten@hauke-laging.de>

Hello,

I have created signatures with different keys for a JPEG file. You can find both the graphics file and the signatures on this web page:

http://www.hauke-laging.de/organspende.html

If I check the signatures, gpg2 2.0.15 (and at least .14, too) returns the wrong hash (unless I misunderstand something):

start cmd:> LC_ALL=C gpg --verify --verbose organspende.7f637e7b.1.sig organspende.jpg
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header:
gpg: Signature made Fri May 7 03:48:42 2010 CEST
gpg: using RSA key 0x7F637E7B
gpg: using PGP trust model
gpg: Good signature from "Hauke Laging (Dieser Schlüssel ist wirklich sicher) "
gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html
gpg: binary signature, digest algorithm SHA1

It says SHA1 though according to my understanding

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
=eaxc
-----END PGP SIGNATURE-----

is obviously not an SHA1 signature.
The check delivers the correct result for the signature of the other key (which I created immediately before on the same system):

start cmd:> LC_ALL=C gpg --verify --verbose organspende.eccb5814.2.sig organspende.jpg
Version: GnuPG v2.0.14 (GNU/Linux)
gpg: armor header:
gpg: Signature made Fri May 7 03:49:11 2010 CEST
gpg: using RSA key 0x3A403251
gpg: using subkey 0x3A403251 instead of primary key 0xECCB5814
gpg: using PGP trust model
gpg: Good signature from "Hauke Laging "
gpg: aka "Hauke Laging "
gpg: aka "Hauke Laging "
gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html
gpg: binary signature, digest algorithm SHA512

There are two differences between the keys:

ECCB5814 has a DSA primary key and an RSA subkey for signing. This key is stored in my normal keyring.

7F637E7B is on a smartcard. Due to some configuration error during key creation the primary key is for signing, too:

start cmd:> LC_ALL=C gpg --edit-key 7F637E7B
[...]
pub 2048R/0x7F637E7B created: 2010-03-04 expires: 2015-03-03 usage: SC

Up to now I don't think that any real problems arise from this. It seems to be a "cosmetic" problem. Is this a bug or have I made any mistake?

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From dkg at fifthhorseman.net Fri May 7 05:15:10 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 06 May 2010 23:15:10 -0400
Subject: Wrong signature hash detection?
In-Reply-To: <201005070443.09906.mailinglisten@hauke-laging.de>
References: <201005070443.09906.mailinglisten@hauke-laging.de>
Message-ID: <4BE385BE.40905@fifthhorseman.net>

On 05/06/2010 10:43 PM, Hauke Laging wrote:
> It says SHA1 though according to my understanding
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
> cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
> YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
> QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
> CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
> OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
> k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
> =eaxc
> -----END PGP SIGNATURE-----
>
> is obviously not an SHA1 signature. The check delivers the correct result for
> the signature of the other key (which I created immediately before on the same
> system):

What makes you say this is "obviously not an SHA1 signature"?

When I pipe it through pgpdump, I get this:

Old: Signature Packet(tag 2)(332 bytes)
        Ver 4 - new
        Sig type - Signature of a binary document(0x00).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Thu May 6 21:48:42 EDT 2010
        Hashed Sub: policy URL(sub 26)(46 bytes)
                URL - http://www.hauke-laging.de/openpgp/policy.html
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x395845F67F637E7B
        Hash left 2 bytes - df 99
        RSA m^d mod n(2048 bits) - ...
                -> PKCS-1

and gpg --list-packets shows this:

:signature packet: algo 1, keyid 395845F67F637E7B
        version 4, created 1273196922, md5len 0, sigclass 0x00
        digest algo 2, begin of digest df 99
        hashed subpkt 2 len 4 (sig created 2010-05-07)
        hashed subpkt 26 len 46 (policy: http://www.hauke-laging.de/openpgp/policy.html)
        subpkt 16 len 8 (issuer key ID 395845F67F637E7B)
        data: [2048 bits]

Both of which suggest that the digest used is in fact SHA1.

Are you judging based on the size of the block? RSA signatures are significantly larger than DSA signatures, even though they sign over the same digest algorithm.

        --dkg

From dshaw at jabberwocky.com Fri May 7 05:19:28 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 6 May 2010 23:19:28 -0400
Subject: Wrong signature hash detection?
In-Reply-To: <201005070443.09906.mailinglisten@hauke-laging.de>
References: <201005070443.09906.mailinglisten@hauke-laging.de>
Message-ID: <029B6ACF-D49D-4706-9235-DD29651AF038@jabberwocky.com>

On May 6, 2010, at 10:43 PM, Hauke Laging wrote:

> Hello,
>
> I have created signatures with different keys for a JPEG file.
> You can find both the graphics file and the signatures on this web page:
>
> http://www.hauke-laging.de/organspende.html
>
> If I check the signatures, gpg2 2.0.15 (and at least .14, too) returns the
> wrong hash (unless I misunderstand something):
>
> start cmd:> LC_ALL=C gpg --verify --verbose organspende.7f637e7b.1.sig
> organspende.jpg
> Version: GnuPG v2.0.14 (GNU/Linux)
> gpg: armor header:
> gpg: Signature made Fri May 7 03:48:42 2010 CEST
> gpg: using RSA key 0x7F637E7B
> gpg: using PGP trust model
> gpg: Good signature from "Hauke Laging (Dieser Schlüssel ist wirklich sicher)
> "
> gpg: Signature policy: http://www.hauke-laging.de/openpgp/policy.html
>
> gpg: binary signature, digest algorithm SHA1
>
> It says SHA1 though according to my understanding
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
> cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
> YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
> QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
> CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
> OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
> k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
> =eaxc
> -----END PGP SIGNATURE-----
>
> is obviously not an SHA1 signature.

I think there is a misunderstanding. This is absolutely a SHA1 signature. Why do you think it isn't?

David

From mailinglisten at hauke-laging.de Fri May 7 05:47:49 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 7 May 2010 05:47:49 +0200
Subject: Wrong signature hash detection?
In-Reply-To: <4BE385BE.40905@fifthhorseman.net>
References: <201005070443.09906.mailinglisten@hauke-laging.de> <4BE385BE.40905@fifthhorseman.net>
Message-ID: <201005070547.49961.mailinglisten@hauke-laging.de>

On Friday 07 May 2010 05:15:10 Daniel Kahn Gillmor wrote:
> Are you judging based on the size of the block?

Yes. :-)

> RSA signatures are
> significantly larger than DSA signatures, even though they sign over the
> same digest algorithm.

OK. Thanks. So RSA signatures have the same size for different digest algorithms?

CU

Hauke

From dshaw at jabberwocky.com Fri May 7 14:25:12 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 7 May 2010 08:25:12 -0400
Subject: Wrong signature hash detection?
In-Reply-To: <201005070547.49961.mailinglisten@hauke-laging.de>
References: <201005070443.09906.mailinglisten@hauke-laging.de> <4BE385BE.40905@fifthhorseman.net> <201005070547.49961.mailinglisten@hauke-laging.de>
Message-ID: <3FB60B1B-32F7-49B4-A0BB-2553C0A8D49F@jabberwocky.com>

On May 6, 2010, at 11:47 PM, Hauke Laging wrote:

> On Friday 07 May 2010 05:15:10 Daniel Kahn Gillmor wrote:
>
>> Are you judging based on the size of the block?
>
> Yes. :-)
>
>
>> RSA signatures are
>> significantly larger than DSA signatures, even though they sign over the
>> same digest algorithm.
>
> OK. Thanks. So RSA signatures have the same size for different digest
> algorithms?

The RSA signature size is based on the size of the RSA key (a bigger key means a bigger signature). DSA signature sizes are based on the size of a value called "q", used when generating the key. Usually, this is loosely tied to the hash and also the key size, but it doesn't have to be.

David

From dougb at dougbarton.us Fri May 7 18:39:45 2010
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 07 May 2010 09:39:45 -0700
Subject: Wrong signature hash detection?
In-Reply-To: <201005070443.09906.mailinglisten@hauke-laging.de>
References: <201005070443.09906.mailinglisten@hauke-laging.de>
Message-ID: <4BE44251.7040802@dougbarton.us>

On 05/06/10 19:43, Hauke Laging wrote:
> Hello,
>
> I have created signatures with different keys for a JPEG file. You can find
> both the graphics file and the signatures on this web page:
>
> http://www.hauke-laging.de/organspende.html
>
> If I check the signatures, gpg2 2.0.15 (and at least .14, too) returns the
> wrong hash (unless I misunderstand something):

You do. :) But since no one has pointed out the actual problem yet, here you go ...

The sha1 _hash_ of the file organspende.jpg is e4c4bea661f2d50e20213eb8412e7f47222289d0. What you're looking at are PGP signatures based on that hash.

hth,

Doug

--

... and that's just a little bit of history repeating.
-- Propellerheads

Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/

From hoper at free.fr Sat May 8 18:26:29 2010
From: hoper at free.fr (Stephane Dupuis)
Date: Sat, 08 May 2010 18:26:29 +0200
Subject: Help me to import my secret key please
Message-ID: <1273335989.2357.8.camel@scorpion>

Hi everybody.

After an install "from scratch" of my computer (ubuntu 10.04), I try to import my previous secret key. Don't ask me why, but I didn't save the .gnupg directory. Instead, I have a .p12 file with the secret key inside.
After lots of try and read on the net, (thanks google) I manage to import this file with gpgsm :

$ gpgsm -K
gpgsm[5195]: can't connect to `/home/hoper/.gnupg/S.gpg-agent': Aucun fichier ou dossier de ce type
/home/hoper/.gnupg/pubring.kbx
------------------------------
ID: 0xFFFFFFFFC8ACF3C4
S/N: 01
Issuer: /CN=xxxxxx /L=78210/C=FR/EMail=xxxxxxxx
aka: xxxxxxx
Subject: /CN=xxxxxx /L=78210/C=FR/EMail=xxxxxxxx
aka: xxxxxxx
validity: 2009-06-09 19:48:13 through 2011-08-18 19:48:13
key type: 4096 bit RSA
key usage: digitalSignature keyEncipherment
fingerprint: A5:75:99:1E:F7:71:71:6C:AE:43:93:9F:23:00:6F:BD:C8:AC:F3:C4

and this file :
/home/hoper/.gnupg/private-keys-v1.d/F3FFEFBE7661DDAC15F5B1625F9168AF818E8396.key
was created.

But I want this key to be used as my "default secret key". Well, I want it to appear in the output of "gpg -K".

How can I do this ?

btw, I already manage to import the public key :

$ gpg --list-keys
/home/hoper/.gnupg/pubring.gpg
------------------------------
pub 1024D/1F03B55A 2009-06-09
uid hoper
sub 4096g/F7C66E72 2009-06-09

My only problem is with the secret part. (my secring.gpg file is still empty).

Any help will be really appreciated... (and for people who can speak french, you can answer me here: http://forum.ubuntu-fr.org/viewtopic.php?id=395363 )

Thanks !
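For the "Wrong signature hash detection?" thread above: an added example, not part of any list message, that parses the armored signature Hauke Laging quoted using the RFC 4880 packet layout. It reads the digest algorithm from its one-octet field and measures the RSA value separately, which is the distinction the replies draw; all function and dictionary names are this example's own.

```python
import base64

# Detached signature copied from Hauke Laging's message in the thread.
ARMORED_SIG = """\
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQFMBAABAgA2BQJL43F6LxpodHRwOi8vd3d3LmhhdWtlLWxhZ2luZy5kZS9vcGVu
cGdwL3BvbGljeS5odG1sAAoJEDlYRfZ/Y35735kIAIP2LgRqxhySQ0kaOSnFZfWs
YgvqeYYGHUeLIQzfGCbxD2VE0CzSQPNN3GabpsXF2DQ5xUh25n+9pu34gPAMvD6v
QKM8B31vkSj/KEuCZUXMOBiEDVBQn6ypR9ZmOSo991Lm84fIaOhx8rQ0d1kWxWuH
CRHemF49FSCxF/5CMcx+HMWjN6lKhQFK3z61In23Xjmf+dRFYxbPkInqu4tw6q4b
OODVVsK8FhCWz2aUNBSgWzwhmwwCD1R4/IblMejrStsbT0tFNzVbg3KKIQ7bHUD5
k++hjk0K332ZXnR4X9jZku7FPpgAtp44/k0Op+yGZqW6RW6zu5s5fFPnkijef6U=
=eaxc
-----END PGP SIGNATURE-----
"""

# OpenPGP hash algorithm IDs -> (name, digest size in octets), per RFC 4880.
HASHES = {1: ("MD5", 16), 2: ("SHA1", 20), 3: ("RIPEMD160", 20),
          8: ("SHA256", 32), 9: ("SHA384", 48), 10: ("SHA512", 64),
          11: ("SHA224", 28)}
PUBKEYS = {1: "RSA", 3: "RSA-S", 17: "DSA"}


def dearmor(text):
    """Drop armor lines, headers and the '=xxxx' CRC line; return raw bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    start = lines.index("") + 1          # a blank line ends the armor headers
    body = [ln for ln in lines[start:]
            if ln and not ln.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))


def packet_body(data):
    """Return (tag, body) of the first packet, old or new header format."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                     # new format header
        tag, o = first & 0x3F, data[1]
        if o < 192:
            length, off = o, 2
        elif o < 224:
            length, off = ((o - 192) << 8) + data[2] + 192, 3
        elif o == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not handled")
    else:                                # old format: length type in low bits
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        n = 1 << ltype                   # 1, 2 or 4 length octets
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def subpackets(area):
    """Yield (type, data) for each signature subpacket in an area."""
    i = 0
    while i < len(area):
        o = area[i]
        if o < 192:
            length, i = o, i + 1
        elif o < 255:
            length, i = ((o - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0:
            raise ValueError("empty subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def inspect_signature(armored):
    """Report the fields gpg --list-packets shows for a v4 signature."""
    tag, body = packet_body(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    hash_name, digest_octets = HASHES.get(body[3], (str(body[3]), None))
    p = 6 + int.from_bytes(body[4:6], "big")       # end of hashed area
    ulen = int.from_bytes(body[p:p + 2], "big")
    areas = body[6:p] + body[p + 2:p + 2 + ulen]   # hashed + unhashed
    p += 2 + ulen
    info = {"sigclass": body[1], "pubkey": PUBKEYS.get(body[2], str(body[2])),
            "hash": hash_name, "digest_octets": digest_octets,
            "digest_prefix": body[p:p + 2].hex(), "mpi_bits": []}
    p += 2
    while p < len(body):                 # RSA carries one MPI, DSA two (r, s)
        bits = int.from_bytes(body[p:p + 2], "big")
        info["mpi_bits"].append(bits)
        p += 2 + (bits + 7) // 8
    info["sig_octets"] = sum((b + 7) // 8 for b in info["mpi_bits"])
    for kind, data in subpackets(areas):
        if kind == 2:
            info["created"] = int.from_bytes(data, "big")
        elif kind == 16:
            info["issuer"] = data.hex().upper()
        elif kind == 26:
            info["policy"] = data.decode("ascii")
    return info


if __name__ == "__main__":
    for key, value in inspect_signature(ARMORED_SIG).items():
        print(f"{key}: {value}")
```

The 20-octet SHA1 digest never appears in the packet beyond its first two octets; the 256 octets that make the block look large are the RSA value, sized by the 2048-bit key.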
From dkg at fifthhorseman.net Sun May 9 01:07:00 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sat, 08 May 2010 19:07:00 -0400
Subject: Help me to import my secret key please
In-Reply-To: <1273335989.2357.8.camel@scorpion>
References: <1273335989.2357.8.camel@scorpion>
Message-ID: <4BE5EE94.8020605@fifthhorseman.net>

On 05/08/2010 12:26 PM, Stephane Dupuis wrote:
> $ gpgsm -K
> gpgsm[5195]: can't connect to `/home/hoper/.gnupg/S.gpg-agent': Aucun
> fichier ou dossier de ce type
> /home/hoper/.gnupg/pubring.kbx
> ------------------------------
> ID: 0xFFFFFFFFC8ACF3C4
> S/N: 01
> Issuer: /CN=xxxxxx /L=78210/C=FR/EMail=xxxxxxxx
> aka: xxxxxxx
> Subject: /CN=xxxxxx /L=78210/C=FR/EMail=xxxxxxxx
> aka: xxxxxxx
> validity: 2009-06-09 19:48:13 through 2011-08-18 19:48:13
> key type: 4096 bit RSA
> key usage: digitalSignature keyEncipherment
> fingerprint:
> A5:75:99:1E:F7:71:71:6C:AE:43:93:9F:23:00:6F:BD:C8:AC:F3:C4
>
> and this file :
> /home/hoper/.gnupg/private-keys-v1.d/F3FFEFBE7661DDAC15F5B1625F9168AF818E8396.key
> was created.
>
> But I want this key to be used as my "default secret key". Well, I want
> it to appear in the output of "gpg -K".
>
> How can I do this ?
>
> btw, I already manage to import the public key :
>
> $ gpg --list-keys
> /home/hoper/.gnupg/pubring.gpg
> ------------------------------
> pub 1024D/1F03B55A 2009-06-09
> uid hoper
> sub 4096g/F7C66E72 2009-06-09
>
> My only problem is with the secret part. (my secring.gpg file is still
> empty).

I'm afraid these are not the same key :(

The former key is a 4096-bit RSA key. The latter key is a 1024-bit DSA key with a 4096-bit ElGamal subkey bound to it.

Also, the former key has an X.509 certificate associated with it, while the latter keys are bound to your identity via OpenPGP certification. While it's possible to have both X.509 certificates and OpenPGP certificates from the same key (we're doing it for TLS servers in the monkeysphere project), it's not common.
And in your case, it's not what you've done anyway, since these are clearly different keys because of their different keylengths and algorithms.

If you have no way of recovering your old ~/.gnupg/secring.gpg, you have most likely lost control of your old key. In that case, i recommend publishing the revocation certificate you created when you made your key (hoping that you have such an old revocation certificate for 1F03B55A stored someplace accessible to you).

Sorry to be the bearer of bad news,

--dkg

From shavital at mac.com Sun May 9 08:19:42 2010
From: shavital at mac.com (Charly Avital)
Date: Sun, 09 May 2010 09:19:42 +0300
Subject: gpg2 says "No Secret Key", gpg1.x says there is
In-Reply-To:
References:
Message-ID: <5E6731A0-A783-4ED3-B309-045F0CCA7F78@mac.com>

gpg2 requires gpg-agent to be available (installed and configured). When it is not, the error warning is usually "...secret key not available".

Hope this helps

Charly

Sent from my iPhone

On May 8, 2010, at 22:14, Andreas Mattheiss wrote:

> Hello,
>
> for some time gpg2 from subversion has been giving me grief, claiming
> there was no secret key, while gpg1.xxx says there is:
>
> highscreen [21:08] [/raidtest/CVS/gnupg] <# 44> g10/gpg2 --version
> gpg (GnuPG) 2.1.0-svn5320
> libgcrypt 1.5.0-svn1429
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128,
> CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
>
>
> highscreen [21:09] [/raidtest/CVS/gnupg] <# 46> g10/gpg2 <
> ~/.cshrc.asc
> gpg: encrypted with 1024-bit ELG key, ID D8F9277B, created 2001-07-15
> "Andreas Mattheiss "
> gpg: decryption failed: No secret key
>
>
> But gpg1.xxx, also from svn, says:
>
> highscreen [21:11] [/raidtest/CVS/gnupg] <# 50> gpg --version
> gpg (GnuPG) 1.4.11-svn5308
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
> Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
> CAMELLIA128,
> CAMELLIA192, CAMELLIA256
> Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: highscreen [21:11] [/raidtest/CVS/gnupg] <# 51> gpg <
> ~/.cshrc.asc
>
> You need a passphrase to unlock the secret key for
> user: "Andreas Mattheiss "
> 1024-bit ELG-E key, ID D8F9277B, created 2001-07-15 (main key ID
> 10F7D537)
>
> Uncompressed, ZIP, ZLIB, BZIP2
>
>
> This has been going on for about half a year now. libassuan &
> friends are
> all from svn.
>
> Any suggestions/workarounds/explanations are welcome.
>
> Andreas

From hoper at free.fr Sun May 9 09:31:47 2010
From: hoper at free.fr (Stephane Dupuis)
Date: Sun, 09 May 2010 09:31:47 +0200
Subject: Help me to import my secret key please
In-Reply-To: <4BE5EE94.8020605@fifthhorseman.net>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net>
Message-ID: <1273390307.2311.8.camel@scorpion>

Bad news yes. But well, nobody's dead. It's even quite funny in fact, thinking about how often I repeat to everybody that they need to make backup of everything.

This key is the only thing I lose, I will just make another one.

And no, I don't have the revocation certificate :( But I think it's not too bad, because nobody had access to this private key. I just lost it...

Small and last question, If I make a new key, with the same email inside, will I be able to send it on servers ? (because they already got the old one...)

Thanks a lot for your time.

>
> I'm afraid these are not the same key :(
>
> The former key is a 4096-bit RSA key. The latter key is a 1024-bit DSA
> key with a 4096-bit ElGamal subkey bound to it.
>
> Also, the former key has an X.509 certificate associated with it, while
> the latter keys are bound to your identity via OpenPGP certification.
> While it's possible to have both X.509 certificates and OpenPGP
> certificates from the same key (we're doing it for TLS servers in the
> monkeysphere project), it's not common. And in your case, it's not what
> you've done anyway, since these are clearly different keys because of
> their different keylengths and algorithms.
>
> If you have no way of recovering your old ~/.gnupg/secring.gpg, you have
> most likely lost control of your old key. In that case, i recommend
> publishing the revocation certificate you created when you made your key
> (hoping that you have such an old revocation certificate for 1F03B55A
> stored someplace accessible to you).
>
> Sorry to be the bearer of bad news,
>
> --dkg
>

From shavital at mac.com Sun May 9 10:40:31 2010
From: shavital at mac.com (Charly Avital)
Date: Sun, 09 May 2010 11:40:31 +0300
Subject: Help me to import my secret key please
In-Reply-To: <1273390307.2311.8.camel@scorpion>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion>
Message-ID: <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com>

Yes, you can generate a new key pair with the same user ID email, the key server will accept it. Do not forget to generate a revocation certificate and to store in a safe place. You might want to indicate in the comment of the new key that the previous key (key ID) is not usable, if you plan to upload the new public key to a key server

Charly

Sent from my iPhone

On May 9, 2010, at 10:31, Stephane Dupuis wrote:

>
> Bad news yes. But well, nobody's dead.
> It's even quite funny in fact, thinking about how often I repeat to
> everybody that they need to make backup of everything.
>
> This key is the only thing I lose, I will just make another one.
>
> And no, I don't have the revocation certificate :(
> But I think it's not too bad, because nobody had access to this private
> key. I just lost it...
>
> Small and last question, If I make a new key, with the same email
> inside, will I be able to send it on servers ? (because they already got
> the old one...)
>
> Thanks a lot for your time.
>
>>
>> I'm afraid these are not the same key :(
>>
>> The former key is a 4096-bit RSA key. The latter key is a 1024-bit DSA
>> key with a 4096-bit ElGamal subkey bound to it.
>>
>> Also, the former key has an X.509 certificate associated with it, while
>> the latter keys are bound to your identity via OpenPGP certification.
>> While it's possible to have both X.509 certificates and OpenPGP
>> certificates from the same key (we're doing it for TLS servers in the
>> monkeysphere project), it's not common. And in your case, it's not what
>> you've done anyway, since these are clearly different keys because of
>> their different keylengths and algorithms.
>>
>> If you have no way of recovering your old ~/.gnupg/secring.gpg, you have
>> most likely lost control of your old key. In that case, i recommend
>> publishing the revocation certificate you created when you made your key
>> (hoping that you have such an old revocation certificate for 1F03B55A
>> stored someplace accessible to you).
>>
>> Sorry to be the bearer of bad news,
>>
>> --dkg
>>

From dkg at fifthhorseman.net Sun May 9 15:33:24 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 09 May 2010 09:33:24 -0400
Subject: Help me to import my secret key please
In-Reply-To: <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com>
Message-ID: <4BE6B9A4.50907@fifthhorseman.net>

On 05/09/2010 04:40 AM, Charly Avital wrote:
> Yes, you can generate a new key pair with the same user ID email, the key
> server will accept it. Do not forget to generate a revocation
> certificate and to store in a safe place.

Yup, Charly is correct about this. You can actually have as many keys as you like with the same UID in the public keyservers.
> You might want to indicate in
> the comment of the new key that the previous key (key ID) is not usable,
> if you plan to upload the new public key to a key server

I'm not sure exactly what Charly means here, but i strongly recommend you do *not* put this kind of remark in the comment section of the User ID for your new key (between the name and the e-mail). A better approach is to make a key transition document that describes the situation, sign it with the new key, and post it publicly. For example:

http://fifthhorseman.net/key-transition-2007-06-15.txt

(if you still had access to your old key, you could have signed the transition statement with it too)

So why do i think you shouldn't put it in the comment section of your new User ID? Your User ID is the linkage between your key and your real-world identity. When you ask people to "sign your key", you are asking them to certify (a) that this key belongs to you, and (b) that they believe this User ID does really belong to you too. If your User ID contains a string that does not really relate to you, you're asking people to certify something unusual and potentially meaningless.

Also, consider the situation 5 years from now -- hopefully you'll still be able to use the key you made today. Do you really want a remark about this legacy key to follow you for 5 years?

Lastly, since you can't revoke the old key outright, you might consider contacting everyone who has already certified it and asking them to revoke their signatures on the key. You can point them to your published key transition document as a start, but you'll probably want to also contact them offline -- this is also a good opportunity for you to ask them to certify your new key. That way, in the future, there will be no valid certifications on your old key, and which key people should choose for you should become clearer.

Regards,

--dkg

From expires2010 at ymail.com Sun May 9 17:08:17 2010
From: expires2010 at ymail.com (MFPA)
Date: Sun, 9 May 2010 16:08:17 +0100
Subject: Help me to import my secret key please
In-Reply-To: <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com>
Message-ID: <663742188.20100509160817@my_localhost>

Hi

On Sunday 9 May 2010 at 9:40:31 AM, in , Charly Avital wrote:

> Yes, you can generate a new key pair with the same user
> ID email, the key server will accept it.

An exception: hushmail.com's server; you will need to email and tell them to delete it before uploading another with the same email address in the UID to them.

--
Best regards

MFPA mailto:expires2010 at ymail.com

Keep them dry and don't feed them after midnight

From shavital at mac.com Sun May 9 17:20:06 2010
From: shavital at mac.com (Charly Avital)
Date: Sun, 09 May 2010 11:20:06 -0400
Subject: Help me to import my secret key please
In-Reply-To: <4BE6B9A4.50907@fifthhorseman.net>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net>
Message-ID: <4BE6D2A6.60001@mac.com>

Daniel Kahn Gillmor wrote the following on 5/9/10 9:33 AM:
> On 05/09/2010 04:40 AM, Charly Avital wrote:
>> Yes, you can generate a new key pair with the same user ID email, the key
>> server will accept it. Do not forget to generate a revocation
>> certificate and to store in a safe place.
>
> Yup, Charly is correct about this. You can actually have as many keys
> as you like with the same UID in the public keyservers.
>
>> You might want to indicate in
>> the comment of the new key that the previous key (key ID) is not usable,
>> if you plan to upload the new public key to a key server
>
> I'm not sure exactly what Charly means here,

I mean what I have seen done by many users who couldn't revoke their key (either because they had lost the secret key, or had forgotten the passphrase). It is not my invention :-)

KeyA is compromised, or lost, and cannot be revoked. The new key, KeyB *might* include in its comments something like: KeyA unusable

> but i strongly recommend
> you do *not* put this kind of remark in the comment section of the User
> ID for your new key (between the name and the e-mail). A better
> approach is to make a key transition document that describes the
> situation, sign it with the new key, and post it publicly. For example:
>
> http://fifthhorseman.net/key-transition-2007-06-15.txt

Great text, and great approach. One has to hope that people will actually read it. I mean, it's a long text. But definitely a good approach, much more orthodox than the comment approach, which, I repeat, I have seen often used. But "often" is not a sufficient criteria for "good".

>
> (if you still had access to your old key, you could have signed the
> transition statement with it too)
>
> So why do i think you shouldn't put it in the comment section of your
> new User ID? Your User ID is the linkage between your key and your
> real-world identity. When you ask people to "sign your key", you are
> asking them to certify (a) that this key belongs to you, and (b) that
> they believe this User ID does really belong to you too. If your User
> ID contains a string that does not really relate to you,

The string would relate to the user, it's all a matter of choosing the right wording (very short).

> you're asking
> people to certify something unusual and potentially meaningless.

Not unusual (but again I say, usual is not a proof of goodness). Not potentially meaningless, because the meaning is clear: *that* key is not usable.

>
> Also, consider the situation 5 years from now -- hopefully you'll still
> be able to use the key you made today. Do you really want a remark
> about this legacy key to follow you for 5 years?

I wouldn't mind.

>
> Lastly, since you can't revoke the old key outright, you might consider
> contacting everyone who has already certified it and asking them to
> revoke their signatures on the key.

This is a good approach, although it might "taint" the key. Users wouldn't know why signers have revoked their signature, unless they care to read the transition document.

> You can point them to your
> published key transition document as a start, but you'll probably want
> to also contact them offline -- this is also a good opportunity for you
> to ask them to certify your new key.

They would certify your new key only if they abide by the rules. I wouldn't sign a key because of a key transition document. I would have to contact directly, and better, personally, the owner of the "old" key, of the transition document, and of the new key.

> That way, in the future, there
> will be no valid certifications on your old key, and which key people
> should choose for you should become clearer.
>
> Regards,
>
> --dkg
>

To sum it up (as far as I am concerned, and to avoid further bandwidth usage). I am OK with whatever approach or method that would make it clear that the "old" key is not to be used any more.

Take care,

Charly

From alavarre at gmail.com Sun May 9 18:21:06 2010
From: alavarre at gmail.com (C. Andrews Lavarre)
Date: Sun, 09 May 2010 12:21:06 -0400
Subject: transaction already being edited in another register
In-Reply-To:
References:
Message-ID: <4BE6E0F2.4060803@gmail.com>

Regarding http://tinyurl.com/39mwplx discussing the subject error, I have found that:

+ The General Ledger shows blank transactions that cannot be deleted when this error appears. If you try to Delete Splits in the General Ledger or offending register when it has occurred you then retrigger the error.

+ However, as suggested in the URL, deleting the transaction immediately when the autofill fails to perform seems to avoid the error.

But it definitely is a PITA if you have a lot of common transactions to fill out... :-(

Best regards, Andy

From faramir.cl at gmail.com Sun May 9 23:10:57 2010
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 09 May 2010 17:10:57 -0400
Subject: Help me to import my secret key please
In-Reply-To: <4BE6B9A4.50907@fifthhorseman.net>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net>
Message-ID: <4BE724E1.7080208@gmail.com>

Daniel Kahn Gillmor wrote:
> On 05/09/2010 04:40 AM, Charly Avital wrote:
...
>> You might want to indicate in
>> the comment of the new key that the previous key (key ID) is not usable,
>> if you plan to upload the new public key to a key server
>
> I'm not sure exactly what Charly means here, but i strongly recommend
> you do *not* put this kind of remark in the comment section of the User
> ID for your new key (between the name and the e-mail). A better
...
> So why do i think you shouldn't put it in the comment section of your
> new User ID? Your User ID is the linkage between your key and your
> real-world identity. When you ask people to "sign your key", you are
> asking them to certify (a) that this key belongs to you, and (b) that
> they believe this User ID does really belong to you too. If your User
> ID contains a string that does not really relate to you, you're asking
> people to certify something unusual and potentially meaningless.

But comments field is for comments, not for identity information, so I don't see any problem in adding a hint so people can know "which key should I use?".

> Also, consider the situation 5 years from now -- hopefully you'll still
> be able to use the key you made today. Do you really want a remark
> about this legacy key to follow you for 5 years?

Good question, but, since the old key (unless it has expiration date) will still be shown as valid at the keyservers, probably it will haunt him forever.

> Lastly, since you can't revoke the old key outright, you might consider
> contacting everyone who has already certified it and asking them to
> revoke their signatures on the key. You can point them to your

Yes, that can be the most useful way to let people know which key is the right one.
Best Regards

From benjamin at py-soft.co.uk Mon May 10 01:00:17 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 10 May 2010 00:00:17 +0100
Subject: transaction already being edited in another register
In-Reply-To: <4BE6E0F2.4060803@gmail.com>
References: <4BE6E0F2.4060803@gmail.com>
Message-ID: <8428625126347337207@unknownmsgid>

On 9 May 2010, at 17:21, "C. Andrews Lavarre" wrote:

> But it definitely is a PITA if you have a lot of common transactions to
> fill out... :-(

How does this relate to GnuPG?

Ben

From dkg at fifthhorseman.net Mon May 10 04:35:00 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Sun, 09 May 2010 22:35:00 -0400
Subject: Help me to import my secret key please
In-Reply-To: <4BE724E1.7080208@gmail.com>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com>
Message-ID: <4BE770D4.7060800@fifthhorseman.net>

On 05/09/2010 05:10 PM, Faramir wrote:
> But comments field is for comments, not for identity information, so I
> don't see any problem in adding a hint so people can know "which key
> should I use?".

OK, but how many such comments should we use? (see below...)
> Good question, but, since the old key (unless it has expiration date)
> will still be shown as valid at the keyservers, probably it will haunt
> him forever.

True. And anyone who wants to can also create and upload a key with his exact User ID and no expiration date, and that bogus key will also haunt him forever. Should he include a comment about not using that maliciously-uploaded key as well? What if 10 bogus keys are uploaded with his User ID?

If Joe User's real key is actually 0xDECAFBAD and he still has control over it, what should other users do if they see a key uploaded with the User ID of:

Joe User (Do Not Use 0xDECAFBAD)

(remember that anyone can upload such a key) ?

Should people care about or rely upon those comments? Or are they noise?

The point is that people who haven't exchanged keys directly need to rely on certifications, not on "oh, this key happens to have a relevant-looking user ID bound to it". Since they already need to rely on certifications, it's best to just treat the bad/old key as though it were one of the malicious keys that anyone could upload. The most useful response is to make sure that your proper key is well-certified, and that any bogus keys are not certified.

Regards,

--dkg

From benjamin at py-soft.co.uk Mon May 10 07:53:55 2010
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Mon, 10 May 2010 06:53:55 +0100
Subject: [#24488576] transaction already being edited in another register
Message-ID: <-2099226384388419705@unknownmsgid>

On 10 May 2010, at 01:27, "support at midphase.com" wrote:

Please remove support at midphase or any other @midphase address from your mailing list, thank you.

Appears alavarre at gmail.com has been set to redirect.
Use the list homepage to unsubscribe: http://lists.gnupg.org/mailman/listinfo/gnupg-users

Ben

From wk at gnupg.org Mon May 10 12:11:37 2010
From: wk at gnupg.org (Werner Koch)
Date: Mon, 10 May 2010 12:11:37 +0200
Subject: gpg2 says "No Secret Key", gpg1.x says there is
In-Reply-To: (Andreas Mattheiss's message of "Sat, 08 May 2010 21:14:51 +0200")
References:
Message-ID: <87ljbsqd5y.fsf@vigenere.g10code.de>

On Sat, 8 May 2010 21:14, please.post at publicly.invalid said:

> for some time gpg2 from subversion has been giving me grief, claiming
> there was no secret key, while gpg1.xxx says there is:

This is the development version and you can't expect that it will work. In particular we are doing lots of internal changes and it will take some more weeks until it stabilizes again. Maybe even months.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From harakiri_23 at yahoo.com Mon May 10 14:23:42 2010
From: harakiri_23 at yahoo.com (Harakiri)
Date: Mon, 10 May 2010 05:23:42 -0700 (PDT)
Subject: genkey for DSA with 2048 bit
Message-ID: <187224.20922.qm@web52208.mail.re2.yahoo.com>

Hello,

the old DSA standard only supported 1024 bit, however the newer with SHA256 support 2048 and more.

I tried it with the --genkey command, i tried

Key-Type: DSA2
Key-Type: DSA-2
Key-Type: DSASHA256

no dice, how can you generate these kind of keys?

And, do old gpg versions verify such signatures correctly?

Thanks

From laurent.jumet at skynet.be Mon May 10 15:21:27 2010
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Mon, 10 May 2010 15:21:27 +0200
Subject: genkey for DSA with 2048 bit
In-Reply-To: <187224.20922.qm@web52208.mail.re2.yahoo.com>
Message-ID:

Hello Harakiri !

Harakiri wrote:

> the old DSA standard only supported 1024 bit, however the newer with SHA256
> support 2048 and more.
> I tried it with the --genkey command, i tried
> Key-Type: DSA2
> Key-Type: DSA-2
> Key-Type: DSASHA256
> no dice, how can you generate these kind of keys?

--enable-dsa2

--
Laurent Jumet
KeyID: 0xCFAF704C

From dshaw at jabberwocky.com Mon May 10 15:37:45 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 10 May 2010 09:37:45 -0400
Subject: genkey for DSA with 2048 bit
In-Reply-To: <187224.20922.qm@web52208.mail.re2.yahoo.com>
References: <187224.20922.qm@web52208.mail.re2.yahoo.com>
Message-ID: <32D4EEF7-A4F7-4837-B679-37059EA11DAD@jabberwocky.com>

On May 10, 2010, at 8:23 AM, Harakiri wrote:

> Hello,
>
> the old DSA standard only supported 1024 bit, however the newer with SHA256 support 2048 and more.
>
> I tried it with the --genkey command, i tried
>
> Key-Type: DSA2
> Key-Type: DSA-2
> Key-Type: DSASHA256
>
> no dice, how can you generate these kind of keys?

I assume you are doing a --batch key generation (as that is the one that
uses a "Key-Type" field). To generate a > 1024 bit DSA key, just
generate a regular DSA key and request a Key-Length that is larger than
1024 bits. You need a recent version of GPG (1.4.4 for the 1.x branch),
and until the latest release, you had to provide --enable-dsa2 as well.

> And, do old gpg versions verify such signatures correctly?

Only 1.4.4 and later for the 1.x branch. I don't recall which 2.x version added support.

David

From harakiri_23 at yahoo.com Mon May 10 17:31:24 2010
From: harakiri_23 at yahoo.com (Harakiri)
Date: Mon, 10 May 2010 08:31:24 -0700 (PDT)
Subject: genkey for DSA with 2048 bit
In-Reply-To:
Message-ID: <850248.42418.qm@web52205.mail.re2.yahoo.com>

--- On Mon, 5/10/10, Laurent Jumet wrote:

> From: Laurent Jumet
> Subject: Re: genkey for DSA with 2048 bit
> To: "Harakiri"
> Date: Monday, May 10, 2010, 9:21 AM
>
> Hello Harakiri !
>
> Harakiri wrote:
>
> > the old DSA standard only supported 1024 bit, however the newer with SHA256
> > support 2048 and more.
>
> > I tried it with the --genkey command, i tried
> > Key-Type: DSA2
> > Key-Type: DSA-2
> > Key-Type: DSASHA256
> > no dice, how can you generate these kind of keys?
>
> --enable-dsa2

Great, thanks

From box500 at inbox.com Mon May 10 21:14:02 2010
From: box500 at inbox.com (JB JB)
Date: Mon, 10 May 2010 11:14:02 -0800
Subject: Crypto Stick released!
In-Reply-To: <4BDAF109.2000800@privacyfoundation.de>
Message-ID:

It looks like a great tool but unfortunately the shop is only in German
which I do not understand.

I attempted to translate it with Google translate but it does not accept
the page because it is using port 443 (I think).

"Sorry, this URL is invalid
http://www.privacyfoundation.de:443/wiki/CryptoStickSoftware"

From olav at mozilla-enigmail.org Mon May 10 23:04:20 2010
From: olav at mozilla-enigmail.org (Olav Seyfarth)
Date: Mon, 10 May 2010 23:04:20 +0200
Subject: Crypto Stick released!
In-Reply-To:
References:
Message-ID: <4BE874D4.9050600@mozilla-enigmail.org>

Hi *,

english version:
http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

Olav
--
The Enigmail Project - OpenPGP Email Security For Mozilla Applications

From John at Mozilla-Enigmail.org Tue May 11 00:37:51 2010
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 10 May 2010 17:37:51 -0500
Subject: Crypto Stick released!
In-Reply-To: <4BE874D4.9050600@mozilla-enigmail.org>
References: <4BE874D4.9050600@mozilla-enigmail.org>
Message-ID: <4BE88ABF.5020802@Mozilla-Enigmail.org>

Olav Seyfarth wrote:
> Hi *,
>
> english version:
> http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

That's the only page I've seen in English, Olav. Check the Shop links:
http://www.privacyfoundation.de/shop/ and
http://www.privacyfoundation.de/shop/crypto-stick.html

Google Translate and Babblefish only do so much of the job.

Best Regards,
-John

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From joke at seiken.de Tue May 11 00:52:23 2010
From: joke at seiken.de (Joke de Buhr)
Date: Tue, 11 May 2010 00:52:23 +0200
Subject: Crypto Stick released!
In-Reply-To:
References:
Message-ID: <201005110052.25679.joke@seiken.de>

The developers said they are going to translate the shop soon.

As stated within the first email of this thread:

"The Online Shop is currently in German only. Please mail me if you want
to purchase a Crypto Stick and have trouble placing the order."

So mail him and ask for help: cryptostick at privacyfoundation.de

On Monday 10 May 2010 21:14:02 JB JB wrote:
> It looks like a great tool but unfortunately the shop is only in German
> which I do not understand.
>
> I attempted to translate it with Google translate but it does not accept
> the page because it is using port 443 (I think).
>
> "Sorry, this URL is invalid
> http://www.privacyfoundation.de:443/wiki/CryptoStickSoftware"
From beppecosta at yahoo.it Tue May 11 14:15:20 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Tue, 11 May 2010 05:15:20 -0700 (PDT)
Subject: Compile PTH on AIX
In-Reply-To: <4BE19A3B.9050303@hammet.net>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net>
Message-ID: <28523361.post@talk.nabble.com>

Hi Newton

I've successfully built and installed PTH 2.0.7 and the pth-config says:
pth_version="2.0.7 (08-Jun-2006)"

Now I've tried to compile gnupg-2.0.15 but configure fails with error:

.....
configure: checking for programs
.....
checking for pth-config... /QOpenSys/usr/local/bin/pth-config
checking for PTH - version >= 1.3.7... yes
checking whether PTH installation is sane... no
......
configure: checking system features for estream
configure:
***
*** It is now required to build with support for the
*** GNU Portable Threads Library (Pth). Please install this
*** library first. The library is for example available at
*** ftp://ftp.gnu.org/gnu/pth/
configure: error:
***
*** Required libraries not found. Please consult the above messages
*** and install them before running configure again.
***

Thanks.
Giuseppe.

From wk at gnupg.org Tue May 11 15:18:44 2010
From: wk at gnupg.org (Werner Koch)
Date: Tue, 11 May 2010 15:18:44 +0200
Subject: Compile PTH on AIX
In-Reply-To: <28523361.post@talk.nabble.com> (beppecosta@yahoo.it's message of "Tue, 11 May 2010 05:15:20 -0700 (PDT)")
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com>
Message-ID: <87pr12poej.fsf@vigenere.g10code.de>

On Tue, 11 May 2010 14:15, beppecosta at yahoo.it said:

> checking for PTH - version >= 1.3.7... yes
> checking whether PTH installation is sane... no

Please look into config.log and locate the above "is sane" check. It
shows the actual test program run etc. Paste this part of config.log
into a mail.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From beppecosta at yahoo.it Tue May 11 15:38:59 2010
From: beppecosta at yahoo.it (beppecosta)
Date: Tue, 11 May 2010 06:38:59 -0700 (PDT)
Subject: Compile PTH on AIX
In-Reply-To: <87pr12poej.fsf@vigenere.g10code.de>
References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de>
Message-ID: <28524172.post@talk.nabble.com>

I think that the problem is still with FD_SETSIZE ....

> Paste this part of config.log

configure:7909: checking for pth-config
configure:7927: found /QOpenSys/usr/local/bin/pth-config
configure:7940: result: /QOpenSys/usr/local/bin/pth-config
configure:7954: checking for PTH - version >= 1.3.7
configure:7980: result: yes
configure:7982: checking whether PTH installation is sane
configure:8006: gcc -o conftest -g -O2 -I/QOpenSys/usr/local/include -L/QOpenSys/usr/local/lib conftest.c -lpth -ldl -lnsl >&5
In file included from conftest.c:37:
/QOpenSys/usr/local/include/pth.h:93:2: error: #error "FD_SETSIZE is larger than what GNU Pth can handle."
configure:8006: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "gnupg"
| #define PACKAGE_TARNAME "gnupg"
| #define PACKAGE_VERSION "2.0.15"
| #define PACKAGE_STRING "gnupg 2.0.15"
| #define PACKAGE_BUGREPORT "http://bugs.gnupg.org"
| #define PACKAGE_URL ""
| #define PACKAGE "gnupg"
| #define VERSION "2.0.15"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define __EXTENSIONS__ 1
| #define _ALL_SOURCE 1
| #define _GNU_SOURCE 1
| #define _POSIX_PTHREAD_SEMANTICS 1
| #define _TANDEM_SOURCE 1
| #define PACKAGE "gnupg"
| #define PACKAGE_GT "gnupg2"
| #define VERSION "2.0.15"
| #define PACKAGE_BUGREPORT "http://bugs.gnupg.org"
| #define NEED_LIBGCRYPT_VERSION "1.4.0"
| #define NEED_KSBA_VERSION "1.0.2"
| #define PK_UID_CACHE_SIZE 4096
| #define _LARGE_FILES 1
| #define EXEEXT ""
| #define GNUPG_LIBASSUAN_VERSION "2.0.0"
| #define SHRED "/usr/bin/shred"
| /* end confdefs.h. */
| #include
|
| int
| main ()
| {
| pth_init ();
| ;
| return 0;
| }
configure:8022: result: no

From joke at seiken.de Tue May 11 20:47:19 2010
From: joke at seiken.de (Joke de Buhr)
Date: Tue, 11 May 2010 20:47:19 +0200
Subject: Encryption to key with multiple subkeys
Message-ID: <201005112047.21758.joke@seiken.de>

I've got more than one encryption subkey attached to my primary
certification key. If someone encrypts a message using my primary key id
as recipient gnupg always chooses the most recently created encryption
subkey.

Both subkeys are valid, neither one of them is revoked.

I'm not quite sure but shouldn't gnupg encrypt to both (all not-revoked)
encryption keys in this case?
This way the user could decrypt the encrypted message (email) regardless
what encryption keys secrets are available at the current location.

--
Joke de Buhr

From ml at mareichelt.com Tue May 11 23:02:18 2010
From: ml at mareichelt.com (markus reichelt)
Date: Tue, 11 May 2010 23:02:18 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To: <201005112047.21758.joke@seiken.de>
References: <201005112047.21758.joke@seiken.de>
Message-ID: <20100511210218.GB21034@pc21.mareichelt.com>

* Joke de Buhr wrote:
> I'm not quite sure but shouldn't gnupg encrypt to both (all
> not-revoked) encryption keys in this case? This way the user could
> decrypt the encrypted message (email) regardless what encryption
> keys secrets are available at the current location.

Nope. More to the point, think about people having both private UID
and business UID on the same key - the way you describe it could mix
things up badly.

(I guess you know how to tell people to use a specific subkey)

--
left blank, right bald

From dkg at fifthhorseman.net Wed May 12 00:44:37 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 11 May 2010 18:44:37 -0400
Subject: Encryption to key with multiple subkeys
In-Reply-To: <20100511210218.GB21034@pc21.mareichelt.com>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com>
Message-ID: <4BE9DDD5.4010208@fifthhorseman.net>

On 05/11/2010 05:02 PM, markus reichelt wrote:
> Nope. More to the point, think about people having both private UID
> and business UID on the same key - the way you describe it could mix
> things up badly.
But UIDs aren't bound to subkeys (they're bound to the primary key, just
as the subkeys are bound to the primary key), so i'm not sure we have a
good way to handle the use case you describe in OpenPGP at all.

> (I guess you know how to tell people to use a specific subkey)

you mean by keyID or fingerprint? that's brittle and unintelligible for
most people.

I'm not suggesting that joke's proposal of
encrypt-to-all-encryption-capable-subkeys is the right choice, but it's
not clear that there's any particular reason to prefer one key over
another (perhaps if you were introducing a new asymmetric algorithm,
you'd want to keep your old RSA encryption key around for users who
don't have support for the new algorithm).

I don't see any guidance in RFC 4880 about how to select an
encryption-capable subkey if there is more than one (but maybe i'm not
looking in the right place)

  --dkg

From hawke at hawkesnest.net Wed May 12 01:10:51 2010
From: hawke at hawkesnest.net (Alex Mauer)
Date: Tue, 11 May 2010 18:10:51 -0500
Subject: Encryption to key with multiple subkeys
In-Reply-To: <20100511210218.GB21034__49082.3663109497$1273616682$gmane$org@pc21.mareichelt.com>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034__49082.3663109497$1273616682$gmane$org@pc21.mareichelt.com>
Message-ID:

On 05/11/2010 04:02 PM, markus reichelt wrote:
> * Joke de Buhr wrote:
>
>> I'm not quite sure but shouldn't gnupg encrypt to both (all
>> not-revoked) encryption keys in this case? This way the user could
>> decrypt the encrypted message (email) regardless what encryption
>> keys secrets are available at the current location.
>
> Nope. More to the point, think about people having both private UID
> and business UID on the same key - the way you describe it could mix
> things up badly.

How so?
There's no connection between UIDs and keys....

-Alex Mauer "hawke"

From ml at mareichelt.com Wed May 12 01:22:19 2010
From: ml at mareichelt.com (markus reichelt)
Date: Wed, 12 May 2010 01:22:19 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To:
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034__49082.3663109497$1273616682$gmane$org@pc21.mareichelt.com>
Message-ID: <20100511232219.GC21034@pc21.mareichelt.com>

* Alex Mauer wrote:

> > Nope. More to the point, think about people having both private UID
> > and business UID on the same key - the way you describe it could mix
> > things up badly.
>
> How so? There's no connection between UIDs and keys....

Exactly, and you are not getting my point.

--
left blank, right bald

From dkg at fifthhorseman.net Wed May 12 01:26:09 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 11 May 2010 19:26:09 -0400
Subject: Encryption to key with multiple subkeys
In-Reply-To: <20100511232219.GC21034@pc21.mareichelt.com>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034__49082.3663109497$1273616682$gmane$org@pc21.mareichelt.com> <20100511232219.GC21034@pc21.mareichelt.com>
Message-ID: <4BE9E791.2080400@fifthhorseman.net>

On 05/11/2010 07:22 PM, markus reichelt wrote:
> * Alex Mauer wrote:
>
>>> Nope. More to the point, think about people having both private UID
>>> and business UID on the same key - the way you describe it could mix
>>> things up badly.
>>
>> How so? There's no connection between UIDs and keys....
>
> Exactly, and you are not getting my point.

I haven't gotten your point either, then.
Perhaps you could explain in more detail?

Thanks,

  --dkg

From joke at seiken.de Wed May 12 01:34:10 2010
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 12 May 2010 01:34:10 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To: <20100511210218.GB21034@pc21.mareichelt.com>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com>
Message-ID: <201005120134.12807.joke@seiken.de>

On Tuesday 11 May 2010 23:02:18 markus reichelt wrote:
> * Joke de Buhr wrote:
> > I'm not quite sure but shouldn't gnupg encrypt to both (all
> > not-revoked) encryption keys in this case? This way the user could
> > decrypt the encrypted message (email) regardless what encryption
> > keys secrets are available at the current location.
>
> Nope. More to the point, think about people having both private UID
> and business UID on the same key - the way you describe it could mix
> things up badly.

Gnupg always choosing the last created encryption subkey doesn't prevent
any kind of mix-up if a key has a private UID and a business UID. There
is no connection between UID and the chosen subkey.

There isn't a way of specifying UID_0 (business) use encryption subkey_1
and UID_1 (private) use encryption subkey_0. At least no way I know
about.

A user with two encryption keys will always get messages encrypted to
the latest subkey regardless of specifying the business UID or private
UID as recipient unless the sender explicitly selected a particular
subkey for encryption.

> (I guess you know how to tell people to use a specific subkey)

Telling people which key to use doesn't solve the problem. Think about
me switching places between two computers. Each computer got only one of
the two encryption secret keys.
So if one computer gets compromised I only lose that specific encryption
secret key which can then be revoked from the primary key.

PC_0 has the secret key to encryption subkey_0 and PC_1 has the secret
key to encryption subkey_1. If I tell people to use subkey_0 I won't be
able to decrypt the message if I'm working on PC_1. If I'm working on
PC_0 I can't decrypt the message if the users used subkey_1 for
encryption.

Since people don't know where I might receive mails I most certainly
will get messages which are intended to be read by the owner of the
primary key in other words me but since I don't have the correct public
key the sender specified I can't read the message until I switch
computers again.

On the other hand if a user doesn't specify a particular subkey which is
certain if he uses a default mailing program gnupg will always pick the
last subkey so if I'm currently working on PC_0 (subkey_0) I can't
decrypt the message at all.

From joke at seiken.de Wed May 12 01:42:05 2010
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 12 May 2010 01:42:05 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To: <4BE9DDD5.4010208@fifthhorseman.net>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com> <4BE9DDD5.4010208@fifthhorseman.net>
Message-ID: <201005120142.07433.joke@seiken.de>

On Wednesday 12 May 2010 00:44:37 Daniel Kahn Gillmor wrote:
> I'm not suggesting that joke's proposal of
> encrypt-to-all-encryption-capable-subkeys is the right choice, but it's
> not clear that there's any particular reason to prefer one key over
> another (perhaps if you were introducing a new asymmetric algorithm,
> you'd want to keep your old RSA encryption key around for users who
> don't have support for the new algorithm).
The encrypt-to-all-encryption-capable-subkeys ensures that the owner of
the primary key will always be able to decrypt the message no matter
what (not-revoke) encryption key secrets he can access at the moment.

And since it's his primary key the message is intended to be read by him.

From dkg at fifthhorseman.net Wed May 12 02:08:27 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 11 May 2010 20:08:27 -0400
Subject: Encryption to key with multiple subkeys
In-Reply-To: <201005120142.07433.joke@seiken.de>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com> <4BE9DDD5.4010208@fifthhorseman.net> <201005120142.07433.joke@seiken.de>
Message-ID: <4BE9F17B.6000108@fifthhorseman.net>

On 05/11/2010 07:42 PM, Joke de Buhr wrote:
> The encrypt-to-all-encryption-capable-subkeys ensures that the owner of the
> primary key will always be able to decrypt the message no matter what (not-
> revoke) encryption key secrets he can access at the moment.

yup, i think this is a good argument for your proposed behavior. what i
haven't seen yet (haven't thought through yet) is what the
counter-arguments might be.

For example, consider the introduction of a new encryption-capable
asymmetric algorithm X that has "better" properties than RSA (pretend
for a moment that some flaw is found in RSA). I might want to have an
RSA encryption-capable subkey for all the deployed RSA-only
implementations to use, since using RSA is better than nothing. But i
might want tools that *do* support X to use my encryption-capable X
subkey, and not the RSA key.
(the same argument can be made for old, small keys and newer larger
keys, if the larger key sizes do not have wide adoption, i think)

So that's one (albeit mostly fictional) scenario where you wouldn't want
to encrypt to both.

  --dkg

From dshaw at jabberwocky.com Wed May 12 02:43:28 2010
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 11 May 2010 20:43:28 -0400
Subject: Encryption to key with multiple subkeys
In-Reply-To: <201005120134.12807.joke@seiken.de>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com> <201005120134.12807.joke@seiken.de>
Message-ID:

On May 11, 2010, at 7:34 PM, Joke de Buhr wrote:

> Telling people which key to use doesn't solve the problem. Think about me
> switching places between two computers. Each computer got only one of the two
> encryption secret keys. So if one computer gets compromised I only lose that
> specific encryption secret key which can then be revoked from the primary key.
>
> PC_0 has the secret key to encryption subkey_0 and PC_1 has the secret key to
> encryption subkey_1. If I tell people to use subkey_0 I won't be able to
> decrypt the message if I'm working on PC_1. If I'm working on PC_0 I can't
> decrypt the message if the users used subkey_1 for encryption.

In this example, where one of the two computers is compromised, people
encrypting to both of your subkeys guarantees that the attacker can
decrypt your communications. In the current behavior of encrypting to
the most recent subkey, the attacker only has a 50% chance of getting
your communications.
You should hope that the older PC is the one that gets compromised :)

David

From kgo at grant-olson.net Wed May 12 02:49:43 2010
From: kgo at grant-olson.net (Grant Olson)
Date: Tue, 11 May 2010 20:49:43 -0400
Subject: Encryption to key with multiple subkeys
In-Reply-To: <4BE9F17B.6000108@fifthhorseman.net>
References: <201005112047.21758.joke@seiken.de> <20100511210218.GB21034@pc21.mareichelt.com> <4BE9DDD5.4010208@fifthhorseman.net> <201005120142.07433.joke@seiken.de> <4BE9F17B.6000108@fifthhorseman.net>
Message-ID: <4BE9FB27.8020504@grant-olson.net>

On 5/11/2010 8:08 PM, Daniel Kahn Gillmor wrote:
> On 05/11/2010 07:42 PM, Joke de Buhr wrote:
>> The encrypt-to-all-encryption-capable-subkeys ensures that the owner of the
>> primary key will always be able to decrypt the message no matter what (not-
>> revoke) encryption key secrets he can access at the moment.
>
> yup, i think this is a good argument for your proposed behavior. what i
> haven't seen yet (haven't thought through yet) is what the
> counter-arguments might be.
>

I think the semantics and correct behavior become unclear when one of
the keys is revoked.

- Alice has two encryption keys.

- Bob sends to both keys.

- Alice revokes one key.

- Bob doesn't refresh his keys. Continues sending to both keys.

- The unrevoked key decrypts things just fine.

If Alice has one key and revokes it, she'll get a warning that Bob is
still sending to the revoked key, and can take corrective action.

If Alice has two keys and revokes one, should it behave any differently
than if another revoked key is used? Right now when I decrypt
something, gpg doesn't bother to check to see if other users are revoked
(according to my keyring.) gpg is still matching one good key with one
good asymmetrically encrypted symmetric key packet. So now Alice
doesn't even realize that Bob is still sending sensitive info on a
potentially compromised key.
You might be able to put a weird exception where gpg checks to see if
any of your private keys that are revoked are one of the keys that gpg
has encrypted to, but that would behave completely differently than
having a revoked key from random user X on the keyring. And if you did,
I'm not sure how applications like Enigmail would end up handling the
special case.

From joke at seiken.de Wed May 12 02:59:44 2010
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 12 May 2010 02:59:44 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To: <4BE9F17B.6000108@fifthhorseman.net>
References: <201005112047.21758.joke@seiken.de> <201005120142.07433.joke@seiken.de> <4BE9F17B.6000108@fifthhorseman.net>
Message-ID: <201005120259.46669.joke@seiken.de>

On Wednesday 12 May 2010 02:08:27 Daniel Kahn Gillmor wrote:
> yup, i think this is a good argument for your proposed behavior. what i
> haven't seen yet (haven't thought through yet) is what the
> counter-arguments might be.

One possible argument against it could be the increased size of the
encrypted message. But the size of an email isn't that important
nowadays and if size matters the user should set a compression (bzip2)
algorithm within the key settings.

> For example, consider the introduction of a new encryption-capable
> asymmetric algorithm X that has "better" properties than RSA (pretend
> for a moment that some flaw is found in RSA). I might want to have an
> RSA encryption-capable subkey for all the deployed RSA-only
> implementations to use, since using RSA is better than nothing. But i
> might want tools that *do* support X to use my encryption-capable X
> subkey, and not the RSA key.
The current implementation (always choose last) will use an RSA subkey
if it's the last even if the user has a better NEW-subkey capable
algorithm.

A gnupg commandline option like --realy-use-insecure-rsa could be added
to new gnupg versions which support the NEW-subkey algorithm.

Old gnupg versions would always use the old RSA subkey because they
don't recognize NEW-subkeys.

New gnupg versions would always consider RSA keys as insecure and never
choose them if there is a NEW-subkey present or the user forces gnupg by
specifying --realy-use-insecure-rsa.

> (the same argument can be made for old, small keys and newer larger
> keys, if the larger key sizes do not have wide adoption, i think)

Again the current implementation will use a smaller encryption subkey if
it's the last one.

If a user has 2048 encryption subkeys and newer 4096 encryption subkeys
he can always revoke the 2048 encryption keys. This way an
encrypt-to-all-capable-not-revoked-encryption-subkeys setting wouldn't
consider encrypting to these keys anymore. But someone could always
encrypt to a revoked 2048 subkey by specifying that particular one.

If a user has low sized keys which are not revoked he knows someone
could use them since they are not revoked. If it wasn't his intention
gnupg will output that the message was encrypted to multiple subkeys if
he's using the command line interface and gnupg starts to do
encrypt-to-all-... .

From halim.sahin at freenet.de Wed May 12 10:27:57 2010
From: halim.sahin at freenet.de (Halim Sahin)
Date: Wed, 12 May 2010 10:27:57 +0200
Subject: gpg and reiner cyberjack cardreader
Message-ID: <20100512082757.GA4658@gentoo.local>

Hi,

Unfortunately I have a new problem!
I have changed my towitoko cardreader with an usb version of reiner
cyberjack.
Installed the drivers from gentoo.
gpg is at version 2.0.14
User added to cyberjack group.
The test program cyberjack reports no errors.
pcscd is running as well.

gpg --cardstatus works but I can not change anything on the card.
gpg --card-edit
verify
gpg: OpenPGP card not available: IPC write error

What can i do?
Please help
BR.
Halim

From faramir.cl at gmail.com Wed May 12 11:11:24 2010
From: faramir.cl at gmail.com (Faramir)
Date: Wed, 12 May 2010 05:11:24 -0400
Subject: Help me to import my secret key please
In-Reply-To: <4BE770D4.7060800@fifthhorseman.net>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net>
Message-ID: <4BEA70BC.40902@gmail.com>

Daniel Kahn Gillmor wrote:
> On 05/09/2010 05:10 PM, Faramir wrote:
>> But comments field is for comments, not for identity information, so I
>> don't see any problem in adding a hint so people can know "which key
>> should I use?".
>
> OK, but how many such comments should we use? (see below...)
>
>> Good question, but, since the old key (unless it has expiration date)
>> will still be shown as valid at the keyservers, probably it will haunt
>> him forever.
>
> True. And anyone who wants to can also create and upload a key with his
> exact User ID and no expiration date, and that bogus key will also haunt
> him forever. Should he include a comment about not using that
> maliciously-uploaded key as well?

No, the comment could be useful in case somebody had the first (now
orphan) key, and now he has found the new key and wants to know which
one should he use.

Let's think about the following case: Alice creates a key, gets it
signed by CAcert.org (she has validated her identity in their WoT), and
uploads her key to keyservers.
Then she loses her private key, makes a new one, and gets it signed by CAcert too, and uploads it to keyservers. CAcert signatures expire 1 year after being issued, but until then, I don't know if there is a way to make CAcert revoke the signature.

Then Bob finds Alice in PGP-Basics list, and wants to send an encrypted message to her. He just knows her email address, and has set CAcert's key as a valid introducer. He performs a search at keyservers, and finds 10 keys saying they belong to Alice. But only 2 of these keys are shown as valid (the bogus keys have not been signed by a valid introducer). But which one is the key he should use?

Of course, he can send a clear text message to Alice, and she can tell him which one is the right one, and then Bob would deactivate the orphan key and use the good one. But a comment in the new key would not do any harm, and would allow Bob to choose the good key without having to wait for Alice's reply.

...
> If Joe User's real key is actually 0xDECAFBAD and he still has control
> over it, what should other users do if they see a key uploaded with the
> User ID of:
>
> Joe User (Do Not Use 0xDECAFBAD)
>
> (remember that anyone can upload such a key) ? Should people care about
> or rely upon those comments? Or are they noise?

They should be considered as noise unless these keys have been signed by a valid (trusted) introducer.

...
> The most useful response is to make sure that your proper key is
> well-certified, and that any bogus keys are not certified.

Indeed, the comment advice was just a complementary (and optional) measure, the main response should be to get the certifications revoked.

Best Regards

From joke at seiken.de Wed May 12 12:02:08 2010
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 12 May 2010 12:02:08 +0200
Subject: Encryption to key with multiple subkeys
Message-ID: <201005121202.10060.joke@seiken.de>

On Wednesday 12 May 2010 02:49:43 Grant Olson wrote:
> I think the semantics and correct behavior become unclear when one of
> the keys is revoked.
>
> - Alice has two encryption keys.
>
> - Bob sends to both keys.
>
> - Alice revokes one key.
>
> - Bob doesn't refresh his keys. Continues sending to both keys.
>
> - The unrevoked key decrypts things just fine.

Currently if someone captures the last key and Bob never refreshes his keyring he will always continue to send to the last key since he doesn't know it's been revoked and a new last key has been added. The attacker could still read Bob's messages.

>
> If Alice has one key and revokes it, she'll get a warning that Bob is
> still sending to the revoked key, and can take corrective action.

New behavior encrypt-to-all-not-revoked-encryption-subkeys:

Alice gets a warning because Bob encrypts to both subkeys but one has been revoked at Alice. Alice could still inform Bob to refresh his keyring.

Gnupg states that a message is encrypted to multiple keys.

From joke at seiken.de Wed May 12 13:20:09 2010
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 12 May 2010 13:20:09 +0200
Subject: Encryption to key with multiple subkeys
In-Reply-To: <4BE9FB27.8020504@grant-olson.net>
References: <201005112047.21758.joke@seiken.de> <4BE9F17B.6000108@fifthhorseman.net> <4BE9FB27.8020504@grant-olson.net>
Message-ID: <201005121320.11827.joke@seiken.de>

On Wednesday 12 May 2010 02:49:43 Grant Olson wrote:
> So now Alice doesn't even realize that Bob is still sending sensitive
> info on a potentially compromised key.
>
> You might be able to put a weird exception where gpg checks to see if
> any of your private keys that are revoked are one of the keys that gpg
> has encrypted to, but that would behave completely differently than
> having a revoked key from random user X on the keyring.
>
> And if you did, I'm not sure how applications like Enigmail would end up
> handling the special case.

Here are some tests how gnupg currently handles revoked subkeys. As you can see programs like Enigmail would notice if someone is still sending to a revoked subkey. If programs now recognize mails are being encrypted to revoked subkeys they would notice with an encrypt-to-all-not-revoked-encryption-subkeys behavior.

Alice has a primary key with two encryption subkeys:

pub  4096R/637AD7FA  created: 2010-05-12  expires: never       usage: C
                     trust: ultimate      validity: ultimate
sub  4096R/97E46ACF  created: 2010-05-12  revoked: 2010-05-12  usage: E
sub  4096R/5855A984  created: 2010-05-12  revoked: 2010-05-12  usage: E
[ultimate] (1).
Goo Gle

Three messages were sent to Alice (last would be encrypt-to-all):

10.asc encrypted to subkey 97E46ACF
01.asc encrypted to subkey 5855A984
11.asc encrypted to subkeys 97E46ACF 5855A984

Alice decrypts the message if no key is revoked:

gpg2 --decrypt -o /dev/null < 10.asc
gpg: encrypted with 4096-bit RSA key, ID 97E46ACF, created 2010-05-12
      "Goo Gle "

gpg2 --decrypt -o /dev/null < 01.asc
gpg: encrypted with 4096-bit RSA key, ID 5855A984, created 2010-05-12
      "Goo Gle "

gpg2 --decrypt -o /dev/null < 11.asc
gpg: encrypted with 4096-bit RSA key, ID 5855A984, created 2010-05-12
      "Goo Gle "
gpg: encrypted with 4096-bit RSA key, ID 97E46ACF, created 2010-05-12
      "Goo Gle "

Alice revokes a subkey (first or last) (example: 97E46ACF):

gpg2 --decrypt -o /dev/null < 11.asc
gpg: NOTE: key has been revoked
gpg: encrypted with 4096-bit RSA key, ID 5855A984, created 2010-05-12
      "Goo Gle "
gpg: encrypted with 4096-bit RSA key, ID 97E46ACF, created 2010-05-12
      "Goo Gle "

Gnupg informs Alice the message has been encrypted with a revoked key if Bob didn't refresh his keyring and his gnupg continues to do an encrypt-to-all. She could inform Bob to refresh his keyring.

The same goes for other combinations of key revocation. If Alice revoked her last key (5855A984) and Bob's (unrefreshed) gnupg would encrypt a message to the last key as it currently does it would look like this:

gpg2 --decrypt -o /dev/null < 01.asc
gpg: NOTE: key has been revoked
gpg: encrypted with 4096-bit RSA key, ID 5855A984, created 2010-05-12
      "Goo Gle "

There is no difference on Alice's side if gnupg would do an encrypt-to-all-not-revoked-encryption-subkeys.
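
Added example, not part of the list posts or of GnuPG: the check a mail frontend could run on the recipient's side for the three test messages above, matching the `ENC_TO` lines from `gpg --status-fd` against the subkey validity column of `gpg --with-colons --list-keys`. The sample listing and status lines are constructed (the thread shows only short key IDs, so the upper 32 bits of each long ID are made up), and the function names and verdict strings are hypothetical.

```python
import re

# Constructed sample data. The short key IDs (last 8 hex digits) are the ones
# quoted in the post; the upper 32 bits of each long ID are made up.
# Scenario from the post: Alice has revoked subkey 97E46ACF only.
ALICE_KEY_LISTING = """\
pub:u:4096:1:AAAAAAAA637AD7FA:2010-05-12:::u:::cC:
sub:r:4096:1:BBBBBBBB97E46ACF:2010-05-12::::::e:
sub:u:4096:1:CCCCCCCC5855A984:2010-05-12::::::e:
"""

# Constructed --status-fd lines for the three test messages in the post.
STATUS = {
    "10.asc": "[GNUPG:] ENC_TO BBBBBBBB97E46ACF 1 0\n",
    "01.asc": "[GNUPG:] ENC_TO CCCCCCCC5855A984 1 0\n",
    "11.asc": "[GNUPG:] ENC_TO CCCCCCCC5855A984 1 0\n"
              "[GNUPG:] ENC_TO BBBBBBBB97E46ACF 1 0\n",
}

ENC_TO = re.compile(r"^\[GNUPG:\] ENC_TO ([0-9A-Fa-f]{16})\b", re.MULTILINE)


def encryption_subkeys(colon_listing):
    """Map long key ID -> True if revoked, for every encryption-capable key."""
    keys = {}
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        validity, key_id, caps = fields[1], fields[4].upper(), fields[11]
        if "e" in caps:  # lower-case 'e': this key itself can encrypt
            keys[key_id] = (validity == "r")
    return keys


def recipients(status_text):
    """Long key IDs the message's session key was encrypted to."""
    return [key_id.upper() for key_id in ENC_TO.findall(status_text)]


def check_message(colon_listing, status_text):
    """Classify one incoming message against the recipient's own key listing."""
    keys = encryption_subkeys(colon_listing)
    revoked, valid, unknown = [], [], []
    for key_id in recipients(status_text):
        if key_id not in keys:
            unknown.append(key_id)      # someone else's key, or not listed
        elif keys[key_id]:
            revoked.append(key_id)
        else:
            valid.append(key_id)
    if not revoked:
        verdict = "ok"
    elif valid:
        # Encrypt-to-all from a sender whose copy of the key predates
        # the revocation: readable, but the sender should refresh.
        verdict = "stale-sender-keyring"
    else:
        # Only a revoked subkey can read this message.
        verdict = "revoked-only"
    return {"verdict": verdict, "revoked": revoked,
            "valid": valid, "unknown": unknown}


if __name__ == "__main__":
    for name in ("10.asc", "01.asc", "11.asc"):
        print(name, check_message(ALICE_KEY_LISTING, STATUS[name]))
```
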

From mailinglisten at hauke-laging.de Wed May 12 17:31:40 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 12 May 2010 17:31:40 +0200
Subject: published key security levels
Message-ID: <201005121731.45277.mailinglisten@hauke-laging.de>

Hello,

do you think it would be useful to integrate some information about the "usage security" of a key into the key?

Keys are used differently. The one I use to sign this email is my key for nearly everything. It is (or rather: was) stored on several PCs which are rather comfortable than high security systems (KDE). Offline security is high but few applications only are denied access to ~/.gnupg (by AppArmor). It is not probable but far from impossible that this key is compromised. That is OK for me because I believe that it is most important to have reasonable security available everywhere. Somebody wrote here today: "RSA is better than nothing". That's the point.

Of course, it is not a problem to generate several keys for different levels of security. I would not want this key to be accepted for important contracts. For different level keys to be useful the users of public keys have to be enabled to recognise this level (with cryptographic security).

My idea is to define some levels which can be added e.g. as signature notations to the key:

0: unknown
1: for testing purposes; private key available to several people
2: low security: key is used on non-trustworthy systems (e.g. for using webmail services from public systems)
3: medium security; key is used on trustworthy systems only
4: hardware security; key is used on smartcards only (including offline backups)
5: paranoid: the key is on a smartcard; signatures and certifications are made on systems which are "guaranteed" to be non-compromised (booting from DVD, no network connection) only.

The main problem IMHO is: This information needs to be covered by certifications to be really useful.
If it is not, this could happen: A low security key becomes available to an attacker. The attacker is capable of changing the notation. A communication partner gets the changed key with valid signatures and regards it as a high security key. Is there any possibility to get such additional key parts signed without changing the key format (or putting that into the comment field)?

An interesting question is: What am I supposed to do if somebody wants me to sign his key at level 4 or 5 if I know that this key is or has been used in other ways, too? ;-)

The currently discussed problem of selecting the right subkey(s) would grow to selecting the right (primary) key, of course. This could be solved by defining global and per addressee levels. If a certain message needs higher or allows lower security then the appropriate key would have to be selected manually.

How would this affect the usage of gpg? I tried to make an organization support the usage of gpg by educating its members and offering certification. One of the arguments against this was: "People cannot read their emails on their mobile devices any more then." This is not only a technical problem. It should be up to the sender to decide which level of privacy he demands for his message. So the sender could decide that it is OK for him that the recipient will not be able to read the message everywhere but only in a reasonably secure environment (thus often later). If a message is to not be readable in certain circumstances then it is not an argument that it isn't. It's not a bug, it's a feature. On the other hand the sender could decide that he does not want to send a postcard security level message but that webmail access is OK for him. He would use a level 2 key (too) then.

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From expires2010 at ymail.com Wed May 12 20:06:01 2010
From: expires2010 at ymail.com (MFPA)
Date: Wed, 12 May 2010 19:06:01 +0100
Subject: Help me to import my secret key please
In-Reply-To: <4BEA70BC.40902@gmail.com>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net> <4BEA70BC.40902@gmail.com>
Message-ID: <185176796.20100512190601@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 12 May 2010 at 10:11:24 AM, in , Faramir wrote:

> No, the comment could be useful in case somebody had
> the first (now orphan) key, and now he has found the
> new key and wants to know which one should he use.

Although the comment could just state it was his new key from dd/mm/yyyy without mentioning any other key(s).

> Let's think about the following case: Alice creates
> a key, gets it signed by CAcert.org (she has validated
> her identity in their WoT), and uploads her key to
> keyservers. Then she loses her private key, makes a new
> one, and gets it signed by CAcert too, and uploads it to
> keyservers. CAcert signatures expire 1 year after
> being issued, but until then, I don't know if there is
> a way to make CAcert revoke the signature. Then
> Bob finds Alice in PGP-Basics list, and wants to send
> an encrypted message to her. He just knows her email
> address, and has set CAcert's key as a valid
> introducer. He performs a search at keyservers, and
> finds 10 keys saying they belong to Alice. But only 2 of
> these keys are shown as valid (the bogus keys have not
> been signed by a valid introducer). But which one is
> the key he should use?
> Of course, he can send a clear
> text message to Alice, and she can tell him which one
> is the right one, and then Bob would deactivate the
> orphan key and use the good one. But a comment in the
> new key would not do any harm, and would allow Bob to
> choose the good key without having to wait for Alice's
> reply.

Bob could encrypt the message asking which key to both of Alice's keys that looked valid. But if Bob's basis for deciding Alice's keys are valid was simply his trust in the CAcert signatures, isn't the newer key with the more recent signature a better bet?

> ...
>> If Joe User's real key is actually 0xDECAFBAD and he still has control
>> over it, what should other users do if they see a key uploaded with the
>> User ID of:
>> Joe User (Do Not Use 0xDECAFBAD)
>> (remember that anyone can upload such a key) ? Should
>> people care about or rely upon those comments? Or are
>> they noise?
> They should be considered as noise unless these keys
> have been signed by a valid (trusted) introducer.
> ...
>> The most useful response is to make sure that your proper key is
>> well-certified, and that any bogus keys are not certified.
> Indeed, the comment advice was just a complementary
> (and optional) measure, the main response should be to
> get the certifications revoked.

Maybe this indicates a good reason to use expiry dates on keys. And maybe a trusted revocation key that you don't actually use and that lives offline somewhere secure, maybe even split, in case of such eventualities.

- --
Best regards

MFPA mailto:expires2010 at ymail.com

Gypsy Dwarf Escapes Prison: Small Medium at large

From joelcsalomon at gmail.com Wed May 12 20:29:18 2010
From: joelcsalomon at gmail.com (Joel C.
Salomon)
Date: Wed, 12 May 2010 14:29:18 -0400
Subject: published key security levels
In-Reply-To: <201005121731.45277.mailinglisten@hauke-laging.de>
References: <201005121731.45277.mailinglisten@hauke-laging.de>
Message-ID: <4BEAF37E.4020207@gmail.com>

On 05/12/2010 11:31 AM, Hauke Laging wrote:
> do you think it would be useful to integrate some information about the "usage
> security" of a key into the key?

> Of course, it is not a problem to generate several keys for different levels
> of security. I would not want this key to be accepted for important contracts.
> For different level keys to be useful the users of public keys have to be
> enabled to recognise this level (with cryptographic security).
>
> My idea is to define some levels which can be added e.g. as signature
> notations to the key:

How about this? (I’ll reduce the security levels to two for my suggestion, but it should scale.):

I generate two keys, one low-security (e.g., “Joel Salomon webmail”) and one high-security (“Joel Salomon smartcard”). I sign the low-security key with my high security key, but I don’t ask others to sign it; the only key I put into the web of trust is my high-security key.

If the low-security key is compromised, can the attacker rename it (or otherwise fool people into thinking it’s my high-security key) without removing my (high-security) signature on the key?

--Joel C. Salomon

From dkg at fifthhorseman.net Wed May 12 22:48:34 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 12 May 2010 16:48:34 -0400
Subject: Help me to import my secret key please
In-Reply-To: <185176796.20100512190601@my_localhost>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net> <4BEA70BC.40902@gmail.com> <185176796.20100512190601@my_localhost>
Message-ID: <4BEB1422.8030604@fifthhorseman.net>

On 05/12/2010 02:06 PM, MFPA wrote:
> Although the comment could just state it was his new key from
> dd/mm/yyyy without mentioning any other key(s).

even this comment would be superfluous, since the key has a "Created on" timestamp built in. Also, his statement isn't really part of a person's identity, which makes it more dubious to put it in the User ID as well.

> Bob could encrypt the message asking which key to both of Alice's keys
> that looked valid. But if Bob's basis for deciding Alice's keys are
> valid was simply his trust in the CAcert signatures, isn't the newer
> key with the more recent signature a better bet?

Yes, it is. Furthermore, if Alice had stored a revocation certificate in a safe place, she could simply revoke the old key without needing to rely on CACert (or any other certifier, for that matter).

> Maybe this indicates a good reason to use expiry dates on keys. And
> maybe a trusted revocation key that you don't actually use and that
> lives offline somewhere secure, maybe even split, in case of such
> eventualities.

Expiry dates on keys are only useful as a safeguard against accidental destruction of the secret key material, not against loss of control of the secret key material to a malicious party.
Once an attacker gains control of the primary key's secret key material, she can update the expiration date by issuing a new self-sig.

This whole scenario is a good argument for what is already accepted best-practice: generate a worst-case-scenario revocation certificate immediately after generating your key, and store that revocation certificate securely in an offline place (e.g. print it to good paper and destroy the digital copy). This means there are no extra keys to manage, and no third parties to rely on (unless you want to send a copy of your revocation certificate to a trusted friend for use in an emergency).

--dkg

From mailinglisten at hauke-laging.de Thu May 13 01:03:50 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 13 May 2010 01:03:50 +0200
Subject: published key security levels
In-Reply-To: <4BEAF37E.4020207@gmail.com>
References: <201005121731.45277.mailinglisten@hauke-laging.de> <4BEAF37E.4020207@gmail.com>
Message-ID: <201005130103.56115.mailinglisten@hauke-laging.de>

On Wednesday 12 May 2010 20:29:18 Joel C. Salomon wrote:
> I generate two keys, one low-security (e.g., “Joel Salomon webmail”) and
> one high-security (“Joel Salomon smartcard”). I sign the low-security
> key with my high security key, but I don’t ask others to sign it; the
> only key I put into the web of trust is my high-security key.
>
> If the low-security key is compromised, can the attacker rename it (or
> otherwise fool people into thinking it’s my high-security key) without
> removing my (high-security) signature on the key?

The main problem is: How do people recognise your high security key as such? By the comment only?

The next problem: (AFAIK) You cannot prevent people from signing your keys. Furthermore this feels a bit strange to me.
The basic rule is: The more signatures, the better. And now a feature shall be based on avoiding signatures? :-S

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From hagen at zhuliguan.net Thu May 13 09:16:56 2010
From: hagen at zhuliguan.net (Hagen Fürstenau)
Date: Thu, 13 May 2010 09:16:56 +0200
Subject: published key security levels
In-Reply-To: <201005130103.56115.mailinglisten@hauke-laging.de>
References: <201005121731.45277.mailinglisten@hauke-laging.de> <4BEAF37E.4020207@gmail.com> <201005130103.56115.mailinglisten@hauke-laging.de>
Message-ID: <4BEBA768.4030605@zhuliguan.net>

> The main problem is: How do people recognise your high security key as such?
> By the comment only?

Seems like a pretty good use of the comment field to me. Especially since it might be hard to agree on generally applicable "security levels".

Cheers,
Hagen

From roam at ringlet.net Thu May 13 10:59:14 2010
From: roam at ringlet.net (Peter Pentchev)
Date: Thu, 13 May 2010 11:59:14 +0300
Subject: Encryption to key with multiple subkeys
In-Reply-To: <201005120259.46669.joke@seiken.de>
References: <201005112047.21758.joke@seiken.de> <201005120142.07433.joke@seiken.de> <4BE9F17B.6000108@fifthhorseman.net> <201005120259.46669.joke@seiken.de>
Message-ID: <20100513085914.GA1345@straylight.m.ringlet.net>

On Wed, May 12, 2010 at 02:59:44AM +0200, Joke de Buhr wrote:
> On Wednesday 12 May 2010 02:08:27 Daniel Kahn Gillmor wrote:
> > yup, i think this is a good argument for your proposed behavior.
what i
> > haven't seen yet (haven't thought through yet) is what the
> > counter-arguments might be.
>
> One possible argument against it could be the increased size of the encrypted
> message. But the size of an email isn't that important nowadays and if size
> matters the user should set a compression (bzip2) algorithm within the key
> settings.

Just for the record: no, the encrypted message will not be much larger. The way OpenPGP encryption works is that a new, random, once-only session key is generated each time you want to encrypt a message to one or more recipients; the message itself is encrypted using a symmetric algorithm, and only the session key is encrypted using the asymmetric algorithm specified by the users' OpenPGP encryption keys. Thus, only the session key (a couple of hundred bytes at most, and usually just a couple of dozens of bytes) will be encrypted over and over again for each recipient's encryption key - and, in the case discussed, for each encryption subkey of each recipient's key.

Well, of course, if you're encrypting a single-byte message, the overhead might be detectable... :)

G'luck,
Peter

--
Peter Pentchev roam at ringlet.net roam at space.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
If the meanings of 'true' and 'false' were switched, then this sentence wouldn't be false.
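
Added example, not part of the list posts or of GnuPG: the message layout Peter Pentchev describes, built with RFC 4880 new-format packet framing so the cost of encrypting to one more subkey can be measured and shown to be independent of the message size. The RSA value and the ciphertext are zero-filled placeholders rather than real encryption, the upper 32 bits of the key IDs are constructed (the thread shows only the short IDs), and all function names are hypothetical.

```python
import struct

TAG_PKESK = 1    # Public-Key Encrypted Session Key packet (one per recipient key)
TAG_SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data packet
ALGO_RSA = 1     # public-key algorithm ID for RSA

# Long key IDs for the two subkeys in the thread; upper 32 bits are constructed.
SUBKEYS = ["0000000097E46ACF", "000000005855A984"]


def packet(tag, body):
    """Frame a body as a new-format OpenPGP packet (RFC 4880, section 4.2.2)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def pkesk(long_key_id, rsa_bits):
    """Version 3 PKESK packet carrying a placeholder RSA-encrypted session key."""
    key_id = bytes.fromhex(long_key_id)
    if len(key_id) != 8:
        raise ValueError("long key ID must be 16 hex digits")
    # MPI: two-octet bit count, then the value (placeholder with top bit set).
    mpi = struct.pack(">H", rsa_bits) + b"\x80" + bytes(rsa_bits // 8 - 1)
    return packet(TAG_PKESK, b"\x03" + key_id + bytes([ALGO_RSA]) + mpi)


def message(long_key_ids, rsa_bits, ciphertext_len):
    """One PKESK packet per recipient subkey, then a single data packet."""
    keys = b"".join(pkesk(k, rsa_bits) for k in long_key_ids)
    return keys + packet(TAG_SEIPD, b"\x01" + bytes(ciphertext_len))


def walk(data):
    """Yield (tag, body, total_size) for each new-format packet in data."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] & 0xC0 != 0xC0:
            raise ValueError("not a complete new-format packet header")
        tag, first = data[pos] & 0x3F, data[pos + 1]
        if first < 192:
            n, hdr = first, 2
        elif first < 224:
            n, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
        elif first == 255:
            n, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled here")
        if pos + hdr + n > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos + hdr:pos + hdr + n], hdr + n
        pos += hdr + n


def summarize(data):
    """Recipient short key IDs plus bytes spent on session keys vs. on data."""
    recipients, key_bytes, data_bytes = [], 0, 0
    for tag, body, size in walk(data):
        if tag == TAG_PKESK:
            recipients.append(body[1:9].hex().upper()[-8:])
            key_bytes += size
        else:
            data_bytes += size
    return {"recipients": recipients,
            "session_key_bytes": key_bytes,
            "data_bytes": data_bytes}


if __name__ == "__main__":
    for size in (1, 1000, 1_000_000):
        print(size, summarize(message(SUBKEYS, 4096, size)))
```
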

From mailinglisten at hauke-laging.de Thu May 13 16:15:07 2010
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 13 May 2010 16:15:07 +0200
Subject: published key security levels
In-Reply-To: <4BEBA768.4030605@zhuliguan.net>
References: <201005121731.45277.mailinglisten@hauke-laging.de> <201005130103.56115.mailinglisten@hauke-laging.de> <4BEBA768.4030605@zhuliguan.net>
Message-ID: <201005131615.13526.mailinglisten@hauke-laging.de>

On Thursday 13 May 2010 09:16:56 Hagen Fürstenau wrote:
> > The main problem is: How do people recognise your high security key as
> > such? By the comment only?
>
> Seems like a pretty good use of the comment field to me. Especially
> since it might be hard to agree on generally applicable "security levels".

These two problems are not connected. I don't think that people will like to write an individual description into their comment field. Thus a category standard seems necessary to me.

This standard need not be bound to technical, it can be "legal" instead. How big may the loss be you are willing to bear due to a forged signature or revealed confidential information?

0: undetermined (zero)
1: zero
2: low
3: medium
4: high
5: unlimited

Everyone can determine for himself then how he translates this into technical and organizational requirements for himself.

Another possibility is to allow both statements.

CU

Hauke
--
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814

From asger at e-advice.dk Fri May 14 18:34:09 2010
From: asger at e-advice.dk (asger)
Date: Fri, 14 May 2010 09:34:09 -0700 (PDT)
Subject: Decryption fail in PgP ver.
8.0
Message-ID: <28561592.post@talk.nabble.com>

Hello

I am running Gpg4win on Vista PC, with Outlook 2007 plugin, Kleopatra.
GPA 0.9.0
GnuPG 2.0.14

When I encrypt the file, it will be named: document.txt.gpg

I do the encryption manually: Rightclick > More GpgEX options > Encrypt > choose option "Encrypt"

When I try to decrypt in PgP ver. 8.0: Pgp does not understand the file extension: .txt.gpg. I do not get the option for Right click > Decrypt.

Decryption will work OK on Vista/7 PC with GpG4win.

Anybody can help?

Regards
Asger
--
View this message in context: http://old.nabble.com/Decryption-fail-in-PgP-ver.-8.0-tp28561592p28561592.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From jcrout at softhome.net Sat May 15 09:59:01 2010
From: jcrout at softhome.net (jcrout at softhome.net)
Date: Sat, 15 May 2010 01:59:01 -0600
Subject: Crypto Stick released!
In-Reply-To: <201005110052.25679.joke@seiken.de>
References: <201005110052.25679.joke@seiken.de>
Message-ID: <20100515015901.7213815b@local.lighthouse2>

Try passing it a URL using "https" as protocol. I got a similar error and a note saying to request the URL using the latter.

Did you see this URL? http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/

- John

On Tue, 11 May 2010 00:52:23 +0200 Joke de Buhr wrote:

> The developers said they are going to translate the shop soon.
>
> As stated within the first email of this thread:
>
> "The Online Shop is currently in German only. Please mail me if you
> want to purchase a Crypto Stick and have trouble placing the order."
>
> So mail him and ask for help: cryptostick at privacyfoundation.de
>
>
>
> On Monday 10 May 2010 21:14:02 JB JB wrote:
> > It looks like a great tool but unfortunately the shop is only in
> > German which I do not understand.
> >
> > I attempted to translate it with Google translate but it does not
> > accept the page because it is using port 443 (I think).
> >
> > "Sorry, this URL is invalid
> > http://www.privacyfoundation.de:443/wiki/CryptoStickSoftware"

From expires2010 at ymail.com Mon May 17 18:47:33 2010
From: expires2010 at ymail.com (MFPA)
Date: Mon, 17 May 2010 17:47:33 +0100
Subject: Help me to import my secret key please
In-Reply-To: <4BEB1422.8030604@fifthhorseman.net>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net> <4BEA70BC.40902@gmail.com> <185176796.20100512190601@my_localhost> <4BEB1422.8030604@fifthhorseman.net>
Message-ID: <351371652.20100517174733@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Wednesday 12 May 2010 at 9:48:34 PM, in , Daniel Kahn Gillmor wrote:

> On 05/12/2010 02:06 PM, MFPA wrote:
>> Although the comment could just state it was his new key from
>> dd/mm/yyyy without mentioning any other key(s).

> even this comment would be superfluous, since the key
> has a "Created on" timestamp built in.

Of course; the un-necessary comment would simply add emphasis.

> Also, his
> statement isn't really part of a person's identity,
> which makes it more dubious to put it in the User ID as
> well.

Nearly 20% of the keys in my keyring have something in the User ID that is clearly not part of a person's identity.

What would you say was a non-dubious use of the "comment" field within the User ID?

[...]

> Expiry dates on keys are only useful as a safeguard
> against accidental destruction of the secret key
> material, not against loss of control of the secret key
> material to a malicious party.

True. An expiry date would have been useful on the thread-starter's key, which was lost in a system failure, but obviously not in the case of a compromised secret key.

> This whole scenario is a good argument for what is
> already accepted best-practice: generate a
> worst-case-scenario revocation certificate immediately
> after generating your key, and store that revocation
> certificate securely in an offline place (e.g. print it
> to good paper and destroy the digital copy). This
> means there are no extra keys to manage, and no third
> parties to rely on (unless you want to send a copy of
> your revocation certificate to a trusted friend for use
> in an emergency).

A good point, well made.

- --
Best regards

MFPA mailto:expires2010 at ymail.com

Dogs look up to us. Cats look down on us. Pigs treat us as equals.

From dkg at fifthhorseman.net Mon May 17 21:11:41 2010
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 17 May 2010 15:11:41 -0400
Subject: Comment fields in the User ID [was: Re: Help me to import my secret key please]
In-Reply-To: <351371652.20100517174733@my_localhost>
References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net> <4BEA70BC.40902@gmail.com> <185176796.20100512190601@my_localhost> <4BEB1422.8030604@fifthhorseman.net> <351371652.20100517174733@my_localhost>
Message-ID: <4BF194ED.7050001@fifthhorseman.net>

On 05/17/2010 12:47 PM, MFPA wrote:
> Nearly 20% of the keys in my keyring have something in the User ID
> that is clearly not part of a person's identity.
>
> What would you say was a non-dubious use of the "comment" field within
> the User ID?

I've been asking myself the same question; i haven't come up with a clear answer. The closest i've come is when someone uses the comment field to state an organizational affiliation specifically for use with that key, to differentiate from another key, such as:

0xDECAFBAD
Maria Lopez (Foo Corp. Administrator)

0xDEADBEEF
Maria Lopez (Personal Use)

Even these messages might be better stored some other way, though. For example, as OpenPGP notations in the self-signature.

What do you think? When are comments in the User ID field actually useful?

--dkg
Name: signature.asc Type: application/pgp-signature Size: 892 bytes Desc: OpenPGP digital signature URL: From kloecker at kde.org Mon May 17 22:54:38 2010 From: kloecker at kde.org (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Mon, 17 May 2010 22:54:38 +0200 Subject: Comment fields in the User ID [was: Re: Help me to import my secret key please] In-Reply-To: <4BF194ED.7050001@fifthhorseman.net> References: <1273335989.2357.8.camel@scorpion> <351371652.20100517174733@my_localhost> <4BF194ED.7050001@fifthhorseman.net> Message-ID: <201005172254.39533@thufir.ingo-kloecker.de> On Monday 17 May 2010, Daniel Kahn Gillmor wrote: > On 05/17/2010 12:47 PM, MFPA wrote: > > Nearly 20% of the keys in my keyring have something in the User ID > > that is clearly not part of a person's identity. > > > > What would you say was a non-dubious use of the "comment" field > > within the User ID? > > I've been asking myself the same question; i haven't come up with a > clear answer. The closest i've come is when someone uses the comment > field to state an organizational affiliation specifically for use > with that key, to differentiate from another key, such as: > > 0xDECAFBAD > Maria Lopez (Foo Corp. Administrator) > > 0xDEADBEEF > Maria Lopez (Personal Use) > > Even these messages might be better stored some other way, though. > For example, as OpenPGP notations in the self-signature. > > What do you think? When are comments in the User ID field actually > useful? I think you gave a good use case. The problem with something like OpenPGP notations or anything else that's not part of the User ID is that most people will never see this information. Most people will only see the user IDs (because that's the only thing the applications they use show to them). Another use case would be marking a key as deprecated. 
First, you'd add a new user ID "This key is deprecated; use key 0xAABBCCDD instead" (okay, I'm not really using the comment field here) and then you'd revoke the signatures on all user IDs. Of course, there are other more appropriate ways defined in the spec to do this, but IMHO putting the information right in the users face is much more effective than hiding it in some obscure fields. Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From beppecosta at yahoo.it Tue May 18 08:57:38 2010 From: beppecosta at yahoo.it (beppecosta) Date: Mon, 17 May 2010 23:57:38 -0700 (PDT) Subject: Compile PTH on AIX In-Reply-To: <87pr12poej.fsf@vigenere.g10code.de> References: <28446986.post@talk.nabble.com> <87zl0etnr1.fsf@vigenere.g10code.de> <28462645.post@talk.nabble.com> <4BE19A3B.9050303@hammet.net> <28523361.post@talk.nabble.com> <87pr12poej.fsf@vigenere.g10code.de> Message-ID: <28592272.post@talk.nabble.com> We understand that the problem is about FDSETSIZE. PTH has been configured and compiled --with-fdsetsize=8192 However gnupg-2 doesn't recognize this option: "configure: WARNING: unrecognized options: --with-fdsetsize" How can I solve this ? Thanks. Giuseppe. -- View this message in context: http://old.nabble.com/Compile-PTH-on-AIX-tp28446986p28592272.html Sent from the GnuPG - User mailing list archive at Nabble.com. 
From expires2010 at ymail.com Tue May 18 17:55:51 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 18 May 2010 16:55:51 +0100 Subject: Comment fields in the User ID [was: Re: Help me to import my secret key please] In-Reply-To: <201005172254.39533@thufir.ingo-kloecker.de> References: <1273335989.2357.8.camel@scorpion> <351371652.20100517174733@my_localhost> <4BF194ED.7050001@fifthhorseman.net> <201005172254.39533@thufir.ingo-kloecker.de> Message-ID: <524796904.20100518165551@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 17 May 2010 at 9:54:38 PM, in , Ingo Klöcker wrote: > The problem with > something like OpenPGP notations or anything else > that's not part of the User ID is that most people > will never see this information. Most people will only > see the user IDs (because that's the only thing the > applications they use show to them). That's a good point. Even if checking signatures, such things might not be shown to the user. > Another use case would be marking a key as deprecated. > First, you'd add a new user ID "This key is deprecated; > use key 0xAABBCCDD instead" (okay, I'm not really > using the comment field here) and then you'd revoke > the signatures on all user IDs. Of course, there are > other more appropriate ways defined in the spec to do > this, but IMHO putting the information right in the > users face is much more effective than hiding it in > some obscure fields. Presumably you would also make that User ID the primary one, so that it had maximum visibility (-; Of course, anybody gaining control of your secret key could do the same and suggest people used a key of their own creation instead... Hopefully your contacts would check the validity of the suggested replacement before encrypting to it. - -- Best regards MFPA mailto:expires2010 at ymail.com Vegetarian: Indian word for lousy hunter!!! 
From expires2010 at ymail.com Tue May 18 19:40:25 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 18 May 2010 18:40:25 +0100 Subject: Comment fields in the User ID [was: Re: Help me to import my secret key please] In-Reply-To: <4BF194ED.7050001@fifthhorseman.net> References: <1273335989.2357.8.camel@scorpion> <4BE5EE94.8020605@fifthhorseman.net> <1273390307.2311.8.camel@scorpion> <373BFEFA-E986-4D76-A290-4E7FF3A545C7@mac.com> <4BE6B9A4.50907@fifthhorseman.net> <4BE724E1.7080208@gmail.com> <4BE770D4.7060800@fifthhorseman.net> <4BEA70BC.40902@gmail.com> <185176796.20100512190601@my_localhost> <4BEB1422.8030604@fifthhorseman.net> <351371652.20100517174733@my_localhost> <4BF194ED.7050001@fifthhorseman.net> Message-ID: <888310885.20100518184025@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Monday 17 May 2010 at 8:11:41 PM, in , Daniel Kahn Gillmor wrote: > I've been asking myself the same question; i haven't > come up with a clear answer. The closest i've come is > when someone uses the comment field to state an > organizational affiliation specifically for use with > that key, to differentiate from another key, such as: > 0xDECAFBAD Maria Lopez (Foo Corp. Administrator) > > 0xDEADBEEF Maria Lopez (Personal Use) > That can be useful, but doesn't really need the "comment" field; it could just be typed as part of the person's name. Some would argue that the "role" was part of the individual's identity; the same individual in a different context is effectively a different identity. I support that theory, but am mindful of a person's disparate identities being more like a stew (where each ingredient affects the others) than a series of discrete sausages. 
> Even these messages might be better stored some other > way, though. For example, as OpenPGP notations in the > self-signature. "Better" as in "more elegantly." But also less visibly. I don't really see how these messages would be handled as an OpenPGP notation; would you envision them simply being displayed? I don't see a meaningful way an implementation could act on the information except to await user input. > What do you think? When are comments in the User ID > field actually useful? I think they are only useful for telling keys apart at-a-glance in a list or GUI. And then, only when the comment is on the primary UID. - -- Best regards MFPA mailto:expires2010 at ymail.com Roses smell better than onions but don't make such good soup From dshaw at jabberwocky.com Wed May 19 04:16:57 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Tue, 18 May 2010 22:16:57 -0400 Subject: Crypto-related domain name auction to benefit FSF and FSFE Message-ID: <16764547-1216-4E4B-8802-C1BAEE2CFB48@jabberwocky.com> Hi everyone, I have a few crypto-related domain names that I bought a few years ago for one project or another. (Among other ideas, I had once thought to set up a 'who will sign my PGP key?' exchange, but then biglumber.com did it so well, there was little point in doing it all over again). I've been sitting on the domains for a while, but they're not really doing anyone any good like that. So, rather than just letting them expire and be snapped up by link farms, I thought I could do something more useful for the community - auction them off and donate the money to the FSF and FSFE. 
The 5 domain names are: keyservers.net keyservers.org (I don't own keyservers.com - it's parked by someone with advertising links on it) keysigners.com keysigners.net keysigners.org I figured a two-week auction period would do it, but if someone feels strongly that isn't enough time, let me know. The basic idea is that people can send me their bids for each domain name, and I will post the current high bids (without identifying the bidder) on http://www.jabberwocky.com/domain-auction.html After the auction is over, I will notify the high bidder for each domain that they are the winner. The auction winner is responsible for sending the winning bid directly to the FSF or FSFE (winner's choice). An easy way to do this is via Paypal to donate at fsf.org or paypal at fsfeurope.org, but other means are available if necessary. Once the FSF or FSFE confirms to me the donation has arrived, the auction winner and I can do the usual domain name transfer process. Any questions or comments? I'd like to start the auction on Monday (May 24th). Feel free to forward this note to anyone who might be interested in the domains. David From frankstefan at gmail.com Thu May 20 01:17:32 2010 From: frankstefan at gmail.com (Frank) Date: Wed, 19 May 2010 23:17:32 +0000 (UTC) Subject: Crypto Stick released! References: <4BDAF109.2000800@privacyfoundation.de> Message-ID: Hi everybody, I just got my crypto stick from privacyfoundation.de - I do not speak nor read German well myself, but there is an English version of the site too that you might just want to check out. As for the delivery and service - very good, it took about 10 days to ship from Germany to Norway which is not bad at all, I recommend all of you to give this a try. The stick is, yes, an openpgp smartcard with a USB interface, not more than that. -- Frank From eocsor at gmail.com Thu May 20 12:20:43 2010 From: eocsor at gmail.com (Roscoe) Date: Thu, 20 May 2010 20:20:43 +1000 Subject: Crypto Stick released! 
In-Reply-To: References: <4BDAF109.2000800@privacyfoundation.de> Message-ID: On Thu, May 20, 2010 at 9:17 AM, Frank wrote: ... > The stick is, yes, an openpgp smartcard with a USB > interface, not more than that. Well, the programmable 32bit ARM MCU in there isn't to be forgotten :) -- Roscoe From andre at amorim.me Fri May 21 23:12:06 2010 From: andre at amorim.me (Andre Amorim) Date: Fri, 21 May 2010 22:12:06 +0100 Subject: Printed OpenPGP Smart Card Message-ID: Hello list, I am planning to start a small business and I would like to give to my customers an openpgp smartcard but with my company logo printed in it. What kind of options do I have ? Thanks for any help, Andre Amorim. From joke at seiken.de Sat May 22 12:54:59 2010 From: joke at seiken.de (Joke de Buhr) Date: Sat, 22 May 2010 12:54:59 +0200 Subject: SHA2 digest, V2 smartcard and gpg-agent problem In-Reply-To: <201005020052.16107.stanislav@sidorenko.biz> References: <201005020052.16107.stanislav@sidorenko.biz> Message-ID: <201005221255.09475.joke@seiken.de> I've detected the same problem. If I disable the gpg-agent and use gnupg v1 instead, gnupg is able to connect to the pcsc daemon and use sha256 (and above) digests. If gnupg uses the agent every attempt to do sha256 signing (--digest-algo sha256) fails. So this is most likely an issue of gpg-agent. On Saturday 01 May 2010 22:52:15 Stanislav Sidorenko wrote: > Hi! > > I've tried to use SHA256 digest for signing using openpgp V2 smartcard and > got the following error: > > gpg: checking created signature failed: bad signature > gpg: signing failed: bad signature > gpg: signing failed: bad signature > > It happens only if gpg uses gpg-agent which is configured to use scdaemon > for accessing smartcards. > > If I disable gpg-agent usage (--no-use-agent switch) and enter card PIN > code in the console then signing with SHA256 works perfectly. In case of > enabled gpg-agent only SHA1 and RIPEMD160 can be used. It looks like an > issue in gpg-agent or scdaemon. 
> > The issue was found on gpg 1.4.10 and gpg-agent 2.0.14. > > Thanks, > > Stanislav > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 706 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Mon May 24 16:39:39 2010 From: dshaw at jabberwocky.com (David Shaw) Date: Mon, 24 May 2010 10:39:39 -0400 Subject: Crypto domains for auction to benefit FSF and FSFE Message-ID: Hi everyone, I have a few crypto-related domain names that I bought a few years ago for one project or another. I've been sitting on the domains for a while, but they're not really doing anyone any good like that. So, rather than just letting them expire and be snapped up by link farms, I thought I could do something more useful for the community - auction them off and donate the money to the FSF and FSFE. The 5 domain names are: keyservers.net keyservers.org (I don't own keyservers.com - it's parked by someone with advertising links on it) keysigners.com keysigners.net keysigners.org The auction had started and will run through June 7th. More information and current high bids are available at http://www.jabberwocky.com/domain-auction.html Please feel free to forward this note to anyone who you think might be interested in the domains, or let me know and I'll ping them. I'm sending this to gnupg-users and sks-devel to start with. Bid early and often - it's for a good cause! David From rajsk.16 at gmail.com Tue May 25 00:04:53 2010 From: rajsk.16 at gmail.com (raviraj kondraguntla) Date: Mon, 24 May 2010 18:04:53 -0400 Subject: new Installation... 
configure issues Message-ID: Hi, I am trying to install the gnupg 1.4.10 on solaris 10 server, I have received the below error configure:3550: /opt/SUNWspro/bin/cc --version >&5 ./configure: line 3551: /opt/SUNWspro/bin/cc: No such file or directory configure:3553: $? = 127 configure:3560: /opt/SUNWspro/bin/cc -v >&5 ./configure: line 3561: /opt/SUNWspro/bin/cc: No such file or directory configure:3563: $? = 127 configure:3570: /opt/SUNWspro/bin/cc -V >&5 ./configure: line 3571: /opt/SUNWspro/bin/cc: No such file or directory configure:3573: $? = 127 configure:3596: checking for C compiler default output file name It seems, I need to install C compiler by installing SPROcc 9(unbundled SPARCworks Professional C compiler) Please advise on this. Thanks, Raj -------------- next part -------------- An HTML attachment was scrubbed... URL: From danm at prime.gushi.org Tue May 25 01:20:39 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Mon, 24 May 2010 19:20:39 -0400 (EDT) Subject: new Installation... configure issues In-Reply-To: References: Message-ID: On Mon, 24 May 2010, raviraj kondraguntla wrote: > Hi, > I am trying to install the gnupg 1.4.10 on solaris 10 server, I have received the below error > > configure:3550: /opt/SUNWspro/bin/cc --version >&5 > ./configure: line 3551: /opt/SUNWspro/bin/cc: No such file or directory > configure:3553: $? = 127 > configure:3560: /opt/SUNWspro/bin/cc -v >&5 > ./configure: line 3561: /opt/SUNWspro/bin/cc: No such file or directory > configure:3563: $? = 127 > configure:3570: /opt/SUNWspro/bin/cc -V >&5 > ./configure: line 3571: /opt/SUNWspro/bin/cc: No such file or directory > configure:3573: $? = 127 > configure:3596: checking for C compiler default output file name > It seems, I need to install C compiler by installing SPROcc 9(unbundled SPARCworks Professional C compiler) > > Please advise on this. > > Thanks, > Raj You could just install gcc. -Dan -- "Blargy Frap!" 
-mtreal, efnet #macintosh channel, 8.10.98, Approx 3AM --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From rjh at sixdemonbag.org Tue May 25 01:25:58 2010 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 24 May 2010 19:25:58 -0400 Subject: new Installation... configure issues In-Reply-To: References: Message-ID: <4BFB0B06.4020709@sixdemonbag.org> On 5/24/10 6:04 PM, raviraj kondraguntla wrote: > Please advise on this. Unfortunately, this is a Solaris system administration issue and not a GnuPG issue. You will be better served asking on one of the OpenSolaris mailing lists. That said, I believe the package you need to download is the SunStudio compiler suite. That will provide you with a C compiler. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5598 bytes Desc: S/MIME Cryptographic Signature URL: From kgo at grant-olson.net Tue May 25 04:19:50 2010 From: kgo at grant-olson.net (Grant Olson) Date: Mon, 24 May 2010 22:19:50 -0400 Subject: new Installation... configure issues In-Reply-To: References: Message-ID: <4BFB33C6.70905@grant-olson.net> On 5/24/2010 6:04 PM, raviraj kondraguntla wrote: > Hi, > I am trying to install the gnupg 1.4.10 on solaris 10 server, I have > received the below error Can you use sunfreeware? I believe they have binaries available for install. I'm not running solaris now, so I can't tell you how well they work. http://www.sunfreeware.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 552 bytes Desc: OpenPGP digital signature URL: From John at Mozilla-Enigmail.org Tue May 25 04:43:00 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Mon, 24 May 2010 21:43:00 -0500 Subject: new Installation... 
configure issues In-Reply-To: References: Message-ID: <4BFB3934.20501@Mozilla-Enigmail.org> raviraj kondraguntla wrote: > > Hi, > I am trying to install the gnupg 1.4.10 on solaris 10 server, I have > received the below error > > configure:3550: /opt/SUNWspro/bin/cc --version >&5 > ./configure: line 3551: /opt/SUNWspro/bin/cc: No such file or directory > configure:3553: $? = 127 > configure:3560: /opt/SUNWspro/bin/cc -v >&5 > ./configure: line 3561: /opt/SUNWspro/bin/cc: No such file or directory > configure:3563: $? = 127 > configure:3570: /opt/SUNWspro/bin/cc -V >&5 > ./configure: line 3571: /opt/SUNWspro/bin/cc: No such file or directory > configure:3573: $? = 127 > configure:3596: checking for C compiler default output file name > It seems, I need to install C compiler by installing SPROcc 9(unbundled > SPARCworks Professional C compiler) SunStudio is a free download these days (or was)... http://developers.sun.com/sunstudio Prebuilt binaries are available on the Sun Freeware site: http://www.sunfreeware.com/programlistsparc10.html#gnupg -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 499 bytes Desc: OpenPGP digital signature URL: From jh at jameshoward.us Tue May 25 15:21:05 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Tue, 25 May 2010 09:21:05 -0400 Subject: Crypto Stick released! 
In-Reply-To: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 5/10/10 5:04 PM, Olav Seyfarth wrote: > english version: > http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/ My Crypto Stick arrived in the mail yesterday (Maryland, United States--ordered on May 14). One thing I am confused about, it suggests it accepts RSA keys up to 3072 bits. However, when I tried to copy my existing 2048-bit RSA keys, GPG responds with: Command> keytocard Signature key ....: [none] Encryption key....: [none] Authentication key: [none] You may only store a 1024 bit RSA key on the card I take it I am missing something obvious in this? James - -- James P. Howard, II, MPA MBCS CGFM jh at jameshoward.us From rajsk.16 at gmail.com Tue May 25 16:03:33 2010 From: rajsk.16 at gmail.com (raviraj kondraguntla) Date: Tue, 25 May 2010 10:03:33 -0400 Subject: new Installation... configure issues In-Reply-To: <4BFB995E.7080302@mozilla-enigmail.org> References: <4BFB995E.7080302@mozilla-enigmail.org> Message-ID: All, Thanks for your reply. I checked the package GCC, it is showing that it was already installed. 
$ pkginfo | grep -i gcc system SUNWgcc gcc - The GNU C compiler system SUNWgccruntime GCC Runtime libraries $ which cc /usr/ucb/cc But I am not sure why GnuPG software is looking for cc in /opt/SUNWspro/bin/cc I gave CC location while configuring, but it threw an error message again $ ./configure CC=/usr/ucb/cc PATH: /usr/ccs/bin configure:3278: checking for gcc configure:3305: result: /usr/ucb/cc configure:3550: /usr/ucb/cc --version >&5 /usr/ucb/cc: language optional software package not installed configure:3560: /usr/ucb/cc -v >&5 /usr/ucb/cc: language optional software package not installed configure:3570: /usr/ucb/cc -V >&5 /usr/ucb/cc: language optional software package not installed configure:3623: /usr/ucb/cc -Xc -xstrconst -xcg92 $(INCLUDE_FLAGS) -O -DSUN_OS5 -DNLS_ASIA -DAFSTUBS conftest.c >&5 /usr/ucb/cc: language optional software package not installed Please provide me some inputs to proceed -------------- next part -------------- An HTML attachment was scrubbed... URL: From mailinglisten at hauke-laging.de Tue May 25 16:07:33 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Tue, 25 May 2010 16:07:33 +0200 Subject: Crypto Stick released! In-Reply-To: References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> Message-ID: <201005251607.39394.mailinglisten@hauke-laging.de> On Tuesday 25 May 2010 15:21:05, James P. Howard, II wrote: > You may only store a 1024 bit RSA key on the card > > I take it I am missing something obvious in this? What is the gpg version you use? IIRC You need 2.0.13 or 2.0.14 for 2048 bit keys on a smartcard. CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 555 bytes Desc: This is a digitally signed message part. 
URL: From stefanxe at gmx.net Tue May 25 17:36:09 2010 From: stefanxe at gmx.net (Stefan Xenon) Date: Tue, 25 May 2010 17:36:09 +0200 Subject: Printed OpenPGP Smart Card In-Reply-To: References: Message-ID: <4BFBEE69.4000403@gmx.net> Hi Andre, ask the producer Zeitcontrol: http://zeitcontrol.de/index_e.htm Regards Stefan On 21.05.2010 23:12, Andre Amorim wrote: > Hello list, > > I am planning to start a small business and I would like to give to my > customers an openpgp smartcard but with my company logo printed in it. > What kind of options do I have ? > > Thanks for any help, > Andre Amorim. > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jh at jameshoward.us Tue May 25 17:53:11 2010 From: jh at jameshoward.us (James P. Howard, II) Date: Tue, 25 May 2010 11:53:11 -0400 Subject: Crypto Stick released! In-Reply-To: <201005251607.39394.mailinglisten__7249.26377083666$1274796531$gmane$org@hauke-laging.de> References: <4BE874D4.9050600__16888.6849693537$1273530083$gmane$org@mozilla-enigmail.org> <201005251607.39394.mailinglisten__7249.26377083666$1274796531$gmane$org@hauke-laging.de> Message-ID: On 5/25/10 10:07 AM, Hauke Laging wrote: > What is the gpg version you use? IIRC You need 2.0.13 or 2.0.14 for 2048 bit > keys on a smartcard. That did the trick! I was on 2.0.12 and moved to 2.0.14. -- James P. Howard, II, MPA MBCS CGFM jh at jameshoward.us From Martin.vGagern at gmx.net Mon May 24 16:28:37 2010 From: Martin.vGagern at gmx.net (Martin von Gagern) Date: Mon, 24 May 2010 16:28:37 +0200 Subject: Dropping expired subkeys from batch export Message-ID: <4BFA8D15.2020105@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi there! I'm using GPG 2.0.15. I want to export public keys from a perl script, i.e. using "--batch" if possible. Some of the keys contain multiple subkeys, and some of the subkeys have expired. 
There are at least two good reasons to strip expired subkeys: - - avoid transfer of unnecessary data - - the PGP Global Directory will refuse keys with expired subkeys I found no easy way to strip expired subkeys from the export output: - - "--export-options export-clean" cleans unusable sigs, but not subkeys - - Even using temporary keyrings won't work, as "--edit-key" to delete a subkey won't work in "--batch" mode, and there seems to be no command-line alternative to this. So the only thing I can imagine would be dropping the "--batch" requirement and hoping that gpg won't ask any interactive questions. And still using a temporary keyring which causes a number of additional commands to set things up and clean up afterwards. Is there an alternative? Some kind of undocumented feature? Any hint? If there isn't, do you agree that there should be, i.e. that this should become a feature request? Greetings, Martin von Gagern From JBennett at nbic.com Tue May 25 16:03:30 2010 From: JBennett at nbic.com (Jeremy Bennett) Date: Tue, 25 May 2010 10:03:30 -0400 Subject: gpg output to a filename ending with .pgp Message-ID: <5ADDEDF9CC481344A370387FE2A0C62B8258FDE4@nb-srv-mail-001.PIC.local> I have been googling for an answer on how to have gpg encrypt a file to a file with a pgp extension. It looks like maybe the only way is via a output redirect (> ?). I'm trying this via a command line on a windows box. Here is my initial command in a batch file: c:\gnupg\gpg -e -r tester --yes %1 I think I tried to use a --output or a -o switch but neither seemed to work. Has anyone tried this before? Could you paste your command here? Please cc me since i'm not on the mailing list yet. Thanks very much! Jeremy R. 
Bennett Client Systems Developer/Analyst Narragansett Bay Insurance Company ________________________________ This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender and erase this e-mail message immediately. -------------- next part -------------- An HTML attachment was scrubbed... URL: From eggled at gmail.com Tue May 25 19:22:25 2010 From: eggled at gmail.com (Daniel Eggleston) Date: Tue, 25 May 2010 12:22:25 -0500 Subject: gpg output to a filename ending with .pgp In-Reply-To: <5ADDEDF9CC481344A370387FE2A0C62B8258FDE4@nb-srv-mail-001.PIC.local> References: <5ADDEDF9CC481344A370387FE2A0C62B8258FDE4@nb-srv-mail-001.PIC.local> Message-ID: <20100525172225.GB6595@pokeserver.eggled.dyndns.org> On Tue, May 25, 2010 at 10:03:30AM -0400, Jeremy Bennett wrote: > I have been googling for an answer on how to have gpg encrypt a file to a > file with a pgp extension. It looks like maybe the only way is via a > output redirect (> ?). I'm trying this via a command line on a windows > box. Here is my initial command in a batch file: > > c:\gnupg\gpg -e -r tester --yes %1 > > I think I tried to use a --output or a -o switch but neither seemed to > work. > Has anyone tried this before? Could you paste your command here? Please cc > me since i'm not on the mailing list yet. > > Thanks very much! > > > Jeremy R. 
Bennett > Client Systems Developer/Analyst > Narragansett Bay Insurance Company > > > > > > -------------------------------------------------------------------------- > > This e-mail message (including attachments, if any) is intended for the > use of the individual or entity to which it is addressed and may contain > information that is privileged, proprietary, confidential and exempt from > disclosure. If you are not the intended recipient, you are notified that > any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this communication in error, > please notify the sender and erase this e-mail message immediately. > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users --output=file.pgp outputs correctly for me: eggled at pokeserver ~ $ gpg -e -a -r eggled at gmail.com --yes --output=file.pgp This is some data eggled at pokeserver ~ $ cat file.pgp -----BEGIN PGP MESSAGE----- Version: GnuPG v2.0.14 (GNU/Linux) ....... snip .......... -----END PGP MESSAGE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From expires2010 at ymail.com Tue May 25 21:13:09 2010 From: expires2010 at ymail.com (MFPA) Date: Tue, 25 May 2010 20:13:09 +0100 Subject: gpg output to a filename ending with .pgp In-Reply-To: <5ADDEDF9CC481344A370387FE2A0C62B8258FDE4@nb-srv-mail-001.PIC.local> References: <5ADDEDF9CC481344A370387FE2A0C62B8258FDE4@nb-srv-mail-001.PIC.local> Message-ID: <1378775424.20100525201309@my_localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 25 May 2010 at 3:03:30 PM, in , Jeremy Bennett wrote: > I have been googling for an answer on how to have gpg > encrypt a file to a file with a pgp extension. It > looks like maybe the only way is via a output redirect > (> ?). 
I'm trying this via a command line on a windows > box. Here is my initial command in a batch file: > c:\gnupg\gpg -e -r tester --yes %1 > I think I tried to use a --output or a -o switch but > neither seemed to work. Has anyone tried this before? > Could you paste your command here? This worked for me:- gpg -e -r mfpa -o test.txt.pgp test.txt - -- Best regards MFPA mailto:expires2010 at ymail.com Did you hear? They took the word gullible out of the dictionary From JPClizbe at tx.rr.com Tue May 25 23:35:19 2010 From: JPClizbe at tx.rr.com (John Clizbe) Date: Tue, 25 May 2010 16:35:19 -0500 Subject: new Installation... configure issues In-Reply-To: References: <4BFB995E.7080302@mozilla-enigmail.org> Message-ID: <4BFC4297.2040007@tx.rr.com> raviraj kondraguntla wrote: > > All, > Thanks for your reply. > I checked the package GCC, it is showing that it was already installed. > $ pkginfo | grep -i gcc > system SUNWgcc gcc - The GNU C compiler > system SUNWgccruntime GCC Runtime libraries > > $ which cc > /usr/ucb/cc > But I am not sure why GnuPG software is looking for cc in > /opt/SUNWspro/bin/cc the cc in /usr/ucb is not the cc you want (unless you're running an old version of SunOS 4.x) CC=gcc ./configure may get you a bit further along, but I suspect there may be other user environment issues. See http://developers.sun.com/solaris/articles/build_sw_on_solaris.html for advice and directions. /usr/ucb is specifically referenced As others have pointed out, this is not a GnuPG problem -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. 
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels" From mailinglisten at hauke-laging.de Wed May 26 02:05:31 2010 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Wed, 26 May 2010 02:05:31 +0200 Subject: smartcard signing does not work in VM (in contrast to decryption and authentication) Message-ID: <201005260205.37364.mailinglisten@hauke-laging.de> Hello, I experience a strange problem. I have bought a smartcard in order to have my keys available at work without storing my keys there. I can decrypt files using the smartcard and I can log into my home system via SSH and the smartcard but if I try to sign a file then I get an error message after entering the PIN at the card reader. I don't have the shell output available as I just tried this at home. Using the same smartcard and the same cardreader I can sign files so it seems not to be a hardware problem. This is from the log file, in German though:
2010-05-19 15:15:13 gpg-agent[4920] Handhabungsroutine 0xb786fa58 für den fd 8 beendet
2010-05-19 15:15:35 gpg-agent[8699] Handhabungsroutine 0xb78a3b60 für fd 8 gestartet
2010-05-19 15:15:35 gpg-agent[8699] new connection to SCdaemon established (reusing)
gpg-agent[8699.9] DBG: -> SERIALNO openpgp
gpg-agent[8699.9] DBG: <- S SERIALNO D27600012401020000050000047B0000 0
gpg-agent[8699.9] DBG: <- OK
gpg-agent[8699.9] DBG: -> SERIALNO openpgp
gpg-agent[8699.9] DBG: <- S SERIALNO D27600012401020000050000047B0000 0
gpg-agent[8699.9] DBG: <- OK
gpg-agent[8699.9] DBG: -> SETDATA 7AB58F01073D0FC253E898F06D9B22...
gpg-agent[8699.9] DBG: <- OK
gpg-agent[8699.9] DBG: -> PKSIGN D27600012401020000050000047B0000/8112FDF77EC342B0B125E0D55BA0F8B53A403251
gpg-agent[8699.9] DBG: <- INQUIRE POPUPKEYPADPROMPT ||Bitte die PIN eingeben%0A[Sigs erzeugt: 0]
2010-05-19 15:15:47 gpg-agent[8699] starting a new PIN Entry
2010-05-19 15:15:47 gpg-agent[8699] DBG: connection to PIN entry established
gpg-agent[8699.9] DBG: -> END
gpg-agent[8699.9] DBG: <- INQUIRE DISMISSKEYPADPROMPT
gpg-agent[8699.9] DBG: -> END
gpg-agent[8699.9] DBG: <- ERR 100696113 Eingabe-/Ausgabefehler
gpg-agent[8699.9] DBG: -> RESTART
gpg-agent[8699.9] DBG: <- OK
"Eingabe-/Ausgabefehler" (last line but two) is "I/O error". That is approximately the shell error message. I use 2.0.15 on both systems, openSUSE 11.2 each. The most obvious difference is that my home system runs on hardware and the work system in VMware 2 (host system openSUSE 11.1). Thus USB timing may be slightly different but resulting in failure does not make any sense to me. Luckily decryption and authentication are the two features I really need there... ;-) But perhaps somebody has an idea how to let me sign there, too. CU Hauke -- PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814 From m_d_berger_1900 at yahoo.com Wed May 26 16:14:11 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Wed, 26 May 2010 14:14:11 +0000 (UTC) Subject: Encrypted Directory Message-ID: I would like to use gpg to create encrypted directories on an external hard drive. I would like to do this for both WinXP and for Linux. Could someone direct me to appropriate documentation? Thanks, Mike.
From dennisk at netspace.net.au Wed May 26 10:44:11 2010 From: dennisk at netspace.net.au (Dennis K) Date: Wed, 26 May 2010 18:44:11 +1000 Subject: DSA2 key compatibility Message-ID: <4BFCDF5B.7000209@netspace.net.au> Hello all, I've got a question regarding which signing key I should choose. As I understand it, 1024 bit DSA keys are no longer recommended, which leaves two options. Larger RSA keys or DSA2 keys. I've read stuff about DSA2 being new and not yet widely supported, but that material is from 2006. I've also read that RSA is not necessarily required to be supported by an OpenPGP implementation. My question basically is, is using a DSA2 signing key going to cause compatibility problems, or is it pretty much universally supported now. Also, should I just keep using my existing DSA 1024 bit key and enable DSA2 within GnuPG as I'm doing now, or is it much better to generate a new one. I would like to use DSA2, but am worried about compatibility issues. Are these concerns valid any more? I figure the user list would be able to give clear information. However, a little further research seems to suggest that RSA keys for signing would be more secure. Thanks, Dennis From kgo at grant-olson.net Wed May 26 18:42:00 2010 From: kgo at grant-olson.net (Grant Olson) Date: Wed, 26 May 2010 12:42:00 -0400 Subject: Encrypted Directory In-Reply-To: References: Message-ID: <4BFD4F58.8000703@grant-olson.net> On 5/26/10 10:14 AM, Michael D. Berger wrote: > I would like to use gpg to create encrypted directories > on an external hard drive. I would like to do this for > both WinXP and for Linux. Could someone direct me to > appropriate documentation? > > Thanks, > Mike. > > If you're talking about a 'live' directory, one that you're editing, you're probably better off using something like truecrypt or luks (with FreeOTFE on windows) to create an encrypted partition. If you're talking about a static directory, just zip it up and encrypt normally. 
From m_d_berger_1900 at yahoo.com Thu May 27 00:08:41 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Wed, 26 May 2010 22:08:41 +0000 (UTC) Subject: Encrypted Directory References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> Message-ID: On Wed, 26 May 2010 12:42:00 -0400, Grant Olson wrote: > On 5/26/10 10:14 AM, Michael D. Berger wrote: >> I would like to use gpg to create encrypted directories on an external >> hard drive. I would like to do this for both WinXP and for Linux. >> Could someone direct me to appropriate documentation? >> >> Thanks, >> Mike. >> >> >> > If you're talking about a 'live' directory, one that you're editing, > you're probably better off using something like truecrypt or luks (with > FreeOTFE on windows) to create an encrypted partition. > > If you're talking about a static directory, just zip it up and encrypt > normally. > [...] Actually I have both situations and also something in between -- a directory I want to store on the external drive is too large to allow its zip file to coexist on the main disk. To zip and encrypt it I would have to first have unencrypted data on the external drive -- clearly a bad idea. Also, AFAICT, truecrypt, luks, FreeOTFE do not have public key encryption, which I would prefer. Thanks, Mike. From joke at seiken.de Thu May 27 12:34:34 2010 From: joke at seiken.de (Joke de Buhr) Date: Thu, 27 May 2010 12:34:34 +0200 Subject: Encrypted Directory In-Reply-To: References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> Message-ID: <201005271234.44454.joke@seiken.de> On Thursday 27 May 2010 00:08:41 Michael D. Berger wrote: > On Wed, 26 May 2010 12:42:00 -0400, Grant Olson wrote: > > On 5/26/10 10:14 AM, Michael D.
Berger wrote: > >> I would like to use gpg to create encrypted directories on an external > >> hard drive. I would like to do this for both WinXP and for Linux. > >> Could someone direct me to appropriate documentation? > >> > >> Thanks, > >> Mike. > > > > If you're talking about a 'live' directory, one that you're editing, > > you're probably better off using something like truecrypt or luks (with > > FreeOTFE on windows) to create an encrypted partition. > > > > If you're talking about a static directory, just zip it up and encrypt > > normally. > > [...] > > Actually I have both situations and also something in between -- > a directory I want to store on the external drive is too large > to allow its zip file to coexist on the main disk. To zip and > encrypt it I would have to first have unencrypted data on the > external drive -- clearly a bad idea. > > Also, AFAICT, truecrypt, luks, FreeOTFE do not have public key > encryption, which I would prefer. Why would you prefer public key encryption? Are you planning on letting other people add files to that directory? > Thanks, > Mike. From m_d_berger_1900 at yahoo.com Thu May 27 15:02:00 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Thu, 27 May 2010 13:02:00 +0000 (UTC) Subject: Encrypted Directory References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> <201005271234.44454.joke__31200.0429294587$1274956615$gmane$org@seiken.de> Message-ID: On Thu, 27 May 2010 12:34:34 +0200, Joke de Buhr wrote: > On Thursday 27 May 2010 00:08:41 Michael D.
Berger wrote: >> On Wed, 26 May 2010 12:42:00 -0400, Grant Olson wrote: >> > On 5/26/10 10:14 AM, Michael D. Berger wrote: >> >> I would like to use gpg to create encrypted directories on an >> >> external hard drive. I would like to do this for both WinXP and for >> >> Linux. Could someone direct me to appropriate documentation? >> >> >> >> Thanks, >> >> Mike. >> > >> > If you're talking about a 'live' directory, one that you're editing, >> > you're probably better off using something like truecrypt or luks >> > (with FreeOTFE on windows) to create an encrypted partition. >> > >> > If you're talking about a static directory, just zip it up and >> > encrypt normally. >> >> [...] >> >> Actually I have both situations and also something in between -- a >> directory I want to store on the external drive is too large to allow >> its zip file to coexist on the main disk. To zip and encrypt it I >> would have to first have unencrypted data on the external drive -- >> clearly a bad idea. >> >> Also, AFAICT, truecrypt, luks, FreeOTFE do not have public key >> encryption, which I would prefer. > > Why would you prefer public key encryption? Are you planning on letting > other people add files to that directory? > [...] It is similar to using the public key with ssh. The public key is on the server (the hard drive in this case) and those with client access (a CD mounted on my WinXP box, but usually kept in a safe) have the secret key. Once you are "logged in", encrypted access continues transparently. That way, the external drive can safely be taken on travels, which is what we intend to do. Mike. From m_d_berger_1900 at yahoo.com Thu May 27 16:03:50 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Thu, 27 May 2010 14:03:50 +0000 (UTC) Subject: Encrypted Directory References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> Message-ID: On Wed, 26 May 2010 12:42:00 -0400, Grant Olson wrote: [...]
> If you're talking about a static directory, just zip it up and encrypt > normally. [...] I tried to zip a 90G directory tree, but it failed on a bad file name -- something in a bookmarks directory, I think, but it doesn't make any difference what it is. Zip will not do. Since I have a Samba connection from a Linux box to the WinXP box, I tried tar -cvzf on the 90G directory on the WinXP box. It seemed to work ok. After about half-an-hour, it had done about 6G. That's ok, but then I remembered I had reliability issues moving large files via Samba, so I stopped it and abandoned that idea. Mike. From kgo at grant-olson.net Thu May 27 16:15:46 2010 From: kgo at grant-olson.net (Grant Olson) Date: Thu, 27 May 2010 10:15:46 -0400 Subject: Encrypted Directory In-Reply-To: References: <4BFD4F58.8000703__16666.6949437515$1274892267$gmane$org@grant-olson.net> Message-ID: <4BFE7E92.5070104@grant-olson.net> On 5/27/10 10:03 AM, Michael D. Berger wrote: > On Wed, 26 May 2010 12:42:00 -0400, Grant Olson wrote: > > [...] > >> If you're talking about a static directory, just zip it up and encrypt >> normally. > > [...] > > I tried to zip a 90G directory tree, but it failed on a bad file > name -- something in a bookmarks directory, I think, but it > doesn't make any difference what it is. Zip will not do. > > Since I have a Samba connection from a Linux box to the WinXP > box, I tried > tar -cvzf > on the 90G directory on the WinXP box. It seemed to work ok. > After about half-an-hour, it had done about 6G. That's ok, > but then I remembered I had reliability issues moving large > files via Samba, so I stopped it and abandoned that idea. > I was using zip generically. But I think pkzip aka winzip aka not-gzip only accepts ascii filenames. I still think you're better off using some sort of encrypted filesystem. 
You can't get public key encryption, but you can setup two-factor encryption, where someone can't login unless they have both a passphrase and a key-file or smart-card or something like that that has been authorized by the admin. From emylistsddg at gmail.com Fri May 28 02:04:51 2010 From: emylistsddg at gmail.com (eMyListsDDg) Date: Thu, 27 May 2010 17:04:51 -0700 Subject: upgrading from 1.4.7 to 2.0.14 Message-ID: <256203967.20100527170451@gmail.com> i have gnuPG 1.4.7 currently installed on windows xp i want to install gnuPG 2.0.14 question: will there be any compatibility issues with my current keys, etc? -- Best regards, From olav at mozilla-enigmail.org Fri May 28 07:07:46 2010 From: olav at mozilla-enigmail.org (Olav Seyfarth) Date: Fri, 28 May 2010 07:07:46 +0200 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <256203967.20100527170451@gmail.com> References: <256203967.20100527170451@gmail.com> Message-ID: <4BFF4FA2.8050107@mozilla-enigmail.org> Hi, > i have gnuPG 1.4.7 currently installed on windows xp > i want to install gnuPG 2.0.14 > question: will there be any compatibility issues with my current keys, etc? None that I know of. I had no troubles to use and edit old and new keys.
Olav From shavital at mac.com Fri May 28 08:02:36 2010 From: shavital at mac.com (Charly Avital) Date: Fri, 28 May 2010 02:02:36 -0400 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFF4FA2.8050107@mozilla-enigmail.org> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> Message-ID: <4BFF5C7C.2000004@mac.com> Olav Seyfarth wrote the following on 5/28/10 1:07 AM: > Hi, > >> i have gnuPG 1.4.7 currently installed on windows xp >> i want to install gnuPG 2.0.14 >> question: will there be any compatibility issues with my current keys, etc? > > None that I know of. I had no troubles to use and edit old and new keys. > > Olav No problems with the keys per se, but I am referring here to the 'etc?' in your question. GnuPG 2.0.14 will require the configuration and use of gpg-agent, that will cache (without writing it to disk) the passphrase of your secret key. Thus, for the value you'll set to gpg-agent's cache, you will not have to type your passphrase, after you have typed it once for decrypting, and once for signing. and others.
Charly From expires2010 at ymail.com Fri May 28 13:40:34 2010 From: expires2010 at ymail.com (MFPA) Date: Fri, 28 May 2010 12:40:34 +0100 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <256203967.20100527170451@gmail.com> References: <256203967.20100527170451@gmail.com> Message-ID: <9610273919.20100528124034@my_localhost> Hi On Friday 28 May 2010 at 1:04:51 AM, in , eMyListsDDg wrote: > i have gnuPG 1.4.7 currently installed on windows xp > i want to install gnuPG 2.0.14 > question: will there be any compatibility issues with > my current keys, etc? On the PGPNET mailing list, a couple of members' keys cannot be encrypted to by a member using GnuPG 2.x. People using 1.x have no such issue. IIRC, the keys that 2.x won't encrypt to were generated at Hushmail.com, and use the deprecated "RSA sign-only" and "RSA encrypt-only" public key algorithms (algos 2 and 3) instead of using RSA (algo 1) with the "key flags" subpacket. If any of your contacts have similar keys you may experience this.
-- Best regards MFPA mailto:expires2010 at ymail.com Consistency is the last refuge of the unimaginative From Matthew561 at aol.com Fri May 28 13:18:46 2010 From: Matthew561 at aol.com (Matthew Mark Drew) Date: Fri, 28 May 2010 06:18:46 -0500 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFF5C7C.2000004@mac.com> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> <4BFF5C7C.2000004@mac.com> Message-ID: <4BFFA696.5050108@aol.com> Charly Avital made the following observation on 5/28/2010 1:02 AM: > Olav Seyfarth wrote the following on 5/28/10 1:07 AM: >> Hi, >> >>> i have gnuPG 1.4.7 currently installed on windows xp >>> i want to install gnuPG 2.0.14 >>> question: will there be any compatibility issues with my current keys, etc? >> >> None that I know of. I had no troubles to use and edit old and new keys. >> I would like to know where one can get gpg 2.0.14 compiled for windows?
Thanks From benjamin at py-soft.co.uk Fri May 28 15:14:56 2010 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Fri, 28 May 2010 14:14:56 +0100 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFFA696.5050108@aol.com> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> <4BFF5C7C.2000004@mac.com> <4BFFA696.5050108@aol.com> Message-ID: On 28 May 2010 12:18, Matthew Mark Drew wrote: > I would like to know where one can get gpg 2.0.14 compiled for windows? http://lmgtfy.com/?q=gpg2+windows+download&l=1 From olav at mozilla-enigmail.org Fri May 28 15:22:56 2010 From: olav at mozilla-enigmail.org (Olav Seyfarth) Date: Fri, 28 May 2010 15:22:56 +0200 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFFA696.5050108@aol.com> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> <4BFF5C7C.2000004@mac.com> <4BFFA696.5050108@aol.com> Message-ID: <4BFFC3B0.3010208@mozilla-enigmail.org> Hi Matthew, > I would like to know where one can get gpg 2.0.14 compiled for windows?
http://gpg4win.org/ Olav -- The Enigmail Project - OpenPGP Email Security For Mozilla Applications From wk at gnupg.org Sat May 29 10:49:52 2010 From: wk at gnupg.org (Werner Koch) Date: Sat, 29 May 2010 10:49:52 +0200 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFFA696.5050108@aol.com> (Matthew Mark Drew's message of "Fri, 28 May 2010 06:18:46 -0500") References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> <4BFF5C7C.2000004@mac.com> <4BFFA696.5050108@aol.com> Message-ID: <87ljb3xfbj.fsf@vigenere.g10code.de> On Fri, 28 May 2010 13:18, Matthew561 at aol.com said: > I would like to know where one can get gpg 2.0.14 compiled for windows? http://www.gpg4win.org Please wait until Sunday - I am currently preparing a new release. The included GnuPG version is 2.0.14 with a couple of fixes to make it close to 2.0.15. Shalom-Salam, Werner -- Thoughts are free. Exceptions are regulated by a federal law. From m_d_berger_1900 at yahoo.com Sun May 30 02:24:09 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Sun, 30 May 2010 00:24:09 +0000 (UTC) Subject: ...key belongs to ...
Message-ID: On a Linux box, in encrypting a file with gpg, I get this query: It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) n Now in the context in which this is being used, there is no uncertainty regarding key ownership, and the encryption is part of a bash script. The query stops the script. Therefore, how can I prevent this query? Thanks for your help. Mike. From John at Mozilla-Enigmail.org Sun May 30 02:46:29 2010 From: John at Mozilla-Enigmail.org (John Clizbe) Date: Sat, 29 May 2010 19:46:29 -0500 Subject: ...key belongs to ... In-Reply-To: References: Message-ID: <4C01B565.4090007@Mozilla-Enigmail.org> Michael D. Berger wrote: > On a Linux box, in encrypting a file with gpg, I get this query: > > It is NOT certain that the key belongs to the person named > in the user ID. If you *really* know what you are doing, > you may answer the next question with yes. > > Use this key anyway? (y/N) n > > Now in the context in which this is being used, there is no > uncertainty regarding key ownership, and the encryption is > part of a bash script. The query stops the script. > > Therefore, how can I prevent this query? The easiest is to either a) (l)sign the key or b) add '--trust-model always' to the command line -- John P. Clizbe Inet:John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP Q:"Just how do the residents of Haiku, Hawai'i hold conversations?" A:"An odd melody / island voices on the winds / surplus of vowels"
From danm at prime.gushi.org Sun May 30 02:47:45 2010 From: danm at prime.gushi.org (Dan Mahoney, System Admin) Date: Sat, 29 May 2010 20:47:45 -0400 (EDT) Subject: ...key belongs to ... In-Reply-To: References: Message-ID: On Sun, 30 May 2010, Michael D. Berger wrote: > On a Linux box, in encrypting a file with gpg, I get this query: > > It is NOT certain that the key belongs to the person named > in the user ID. If you *really* know what you are doing, > you may answer the next question with yes. > > Use this key anyway? (y/N) n > > Now in the context in which this is being used, there is no > uncertainty regarding key ownership, and the encryption is > part of a bash script. The query stops the script. > > Therefore, how can I prevent this query? Edit the trust of the key, and or sign it with a trust signature. -Dan -- "Don't be so depressed dear." "I have no endorphins, what am I supposed to do?" -DM and SK, February 10th, 1999 --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org --------------------------- From m_d_berger_1900 at yahoo.com Sun May 30 02:58:57 2010 From: m_d_berger_1900 at yahoo.com (Michael D. Berger) Date: Sun, 30 May 2010 00:58:57 +0000 (UTC) Subject: ...key belongs to ... References: <4C01B565.4090007__2908.91786939955$1275180457$gmane$org@Mozilla-Enigmail.org> Message-ID: On Sat, 29 May 2010 19:46:29 -0500, John Clizbe wrote: > Michael D. Berger wrote: >> On a Linux box, in encrypting a file with gpg, I get this query: >> >> It is NOT certain that the key belongs to the person named in the >> user ID. If you *really* know what you are doing, you may answer >> the next question with yes. >> >> Use this key anyway?
(y/N) n >> >> Now in the context in which this is being used, there is no uncertainty >> regarding key ownership, and the encryption is part of a bash script. >> The query stops the script. >> >> Therefore, how can I prevent this query? > > The easiest is to either > > a) (l)sign the key > > or > > b) add '--trust-model always' to the command line I went to the account in which the key pair was generated and tried to sign the key. I got that the key is already signed. Was there perhaps something in the export of the public key that might have gone wrong? Or, perhaps, is there some other signing that is necessary? Thanks again. Mike. From dougb at dougbarton.us Sun May 30 09:09:30 2010 From: dougb at dougbarton.us (Doug Barton) Date: Sun, 30 May 2010 00:09:30 -0700 Subject: ...key belongs to ... In-Reply-To: References: <4C01B565.4090007__2908.91786939955$1275180457$gmane$org@Mozilla-Enigmail.org> Message-ID: <4C020F2A.3060701@dougbarton.us> On 5/29/2010 5:58 PM, Michael D. Berger wrote: > I went to the account in which the key pair was generated > and tried to sign the key. I got that the key is already > signed. Was there perhaps something in the export of > the public key that might have gone wrong? Or, perhaps, > is there some other signing that is necessary? You need to sign the PUBLIC key on the keyring of the account that is doing the encryption. hth, Doug -- ... and that's just a little bit of history repeating. -- Propellerheads Improve the effectiveness of your Internet presence with a domain name makeover! 
http://SupersetSolutions.com/ From emylistsddg at gmail.com Sun May 30 09:19:23 2010 From: emylistsddg at gmail.com (eMyListsDDg) Date: Sun, 30 May 2010 00:19:23 -0700 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFF5C7C.2000004@mac.com> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> <4BFF5C7C.2000004@mac.com> Message-ID: <382913786.20100530001923@gmail.com> that i did not realize Charly, thank you for bringing that to my attention > Olav Seyfarth wrote the following on 5/28/10 1:07 AM: >> Hi, >>> i have gnuPG 1.4.7 currently installed on windows xp >>> i want to install gnuPG 2.0.14 >>> question: will there be any compatibility issues with my current keys, etc? >> None that I know of. I had no troubles to use and edit old and new keys. >> Olav > No problems with the keys per se, but I am referring here to the 'etc?' > in your question. > GnuPG 2.0.14 will require the configuration and use of gpg-agent, that > will cache (without writing it to disk) the passphrase of your secret key. > Thus, for the value you'll set to gpg-agent's cache, you will not have > to type your passphrase, after you have typed it once for decrypting, > and once for signing. > > and others. > Charly From emylistsddg at gmail.com Sun May 30 09:17:21 2010 From: emylistsddg at gmail.com (eMyListsDDg) Date: Sun, 30 May 2010 00:17:21 -0700 Subject: upgrading from 1.4.7 to 2.0.14 In-Reply-To: <4BFF4FA2.8050107@mozilla-enigmail.org> References: <256203967.20100527170451@gmail.com> <4BFF4FA2.8050107@mozilla-enigmail.org> Message-ID: <1483908007.20100530001721@gmail.com> thanks for the reply. i'll install and give it a try ... > Hi, >> i have gnuPG 1.4.7 currently installed on windows xp >> i want to install gnuPG 2.0.14 >> question: will there be any compatibility issues with my current keys, etc? > None that I know of. I had no troubles to use and edit old and new keys.
> Olav From eggled at gmail.com Sun May 30 13:28:13 2010 From: eggled at gmail.com (Daniel Eggleston) Date: Sun, 30 May 2010 06:28:13 -0500 Subject: ...key belongs to ... In-Reply-To: References: <4C01B565.4090007__2908.91786939955$1275180457$gmane$org@Mozilla-Enigmail.org> Message-ID: <20100530062813.312ce39f@eggled.dyndns.org> On Sun, 30 May 2010 00:58:57 +0000 (UTC) "Michael D. Berger" wrote: > On Sat, 29 May 2010 19:46:29 -0500, John Clizbe wrote: > > > Michael D. Berger wrote: > >> On a Linux box, in encrypting a file with gpg, I get this query: > >> > >> It is NOT certain that the key belongs to the person named in > >> the user ID. If you *really* know what you are doing, you may > >> answer the next question with yes. > >> > >> Use this key anyway? (y/N) n > >> > >> Now in the context in which this is being used, there is no > >> uncertainty regarding key ownership, and the encryption is part of > >> a bash script. The query stops the script. > >> > >> Therefore, how can I prevent this query? > > > > The easiest is to either > > > > a) (l)sign the key > > > > or > > > > b) add '--trust-model always' to the command line > > I went to the account in which the key pair was generated > and tried to sign the key.
I got that the key is already > signed. Was there perhaps something in the export of > the public key that might have gone wrong? Or, perhaps, > is there some other signing that is necessary? > > Thanks again. > Mike. You got that it's already signed because it's self signed. Your error is akin to the message a web browser gives you when the site has a self-signed certificate. There is no guarantee that the certificate comes from the entity it says it does. i.e. you have nothing but the "word" of the certificate confirming its identity. You need to go into the account performing the encryption, import the public key in question if you haven't already, and sign it *there*. Basically, confirming to gpg that you have independently verified this key and know it to be valid. From kloecker at kde.org Sun May 30 16:10:55 2010 From: kloecker at kde.org (Ingo Klöcker) Date: Sun, 30 May 2010 16:10:55 +0200 Subject: ...key belongs to ... In-Reply-To: <20100530062813.312ce39f@eggled.dyndns.org> References: <20100530062813.312ce39f@eggled.dyndns.org> Message-ID: <201005301610.56948@thufir.ingo-kloecker.de> On Sunday 30 May 2010, Daniel Eggleston wrote: > On Sun, 30 May 2010 00:58:57 +0000 (UTC) > > "Michael D. Berger" wrote: > > On Sat, 29 May 2010 19:46:29 -0500, John Clizbe wrote: > > > Michael D. Berger wrote: > > >> On a Linux box, in encrypting a file with gpg, I get this query: > > >> It is NOT certain that the key belongs to the person named in > > >> > > >> the user ID. If you *really* know what you are doing, you may > > >> answer the next question with yes. > > >> > > >> Use this key anyway?
(y/N) n > > >> > > >> Now in the context in which this is being used, there is no > > >> uncertainty regarding key ownership, and the encryption is part > > >> of a bash script. The query stops the script. > > >> > > >> Therefore, how can I prevent this query? > > > > > > The easiest is to either > > > > > > a) (l)sign the key > > > > > > or > > > > > > b) add '--trust-model always' to the command line > > > > I went to the account in which the key pair was generated > > and tried to sign the key. I got that the key is already > > signed. Was there perhaps something in the export of > > the public key that might have gone wrong? Or, perhaps, > > is there some other signing that is necessary? > > You got that it's already signed because it's self signed. Your error > is akin to the message a web browser gives you when the site has a > self-signed certificate. There is no guarantee that the certificate > comes from the entity it says it does. i.e. you have nothing but the > "word" of the certificate confirming its identity. > > You need to go into the account performing the encryption, import the > public key in question if you haven't already, and sign it *there*. > Basically, confirming to gpg that you have independently verified > this key and know it to be valid. Since signing requires a private key on the encryption box it might be easier to set the (owner) trust of the public key to be used for encryption to ultimate. Regards, Ingo
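
The "...key belongs to ..." thread above is about keeping gpg from stopping a script at the "Use this key anyway?" prompt. As an added example (not code from any poster on the list), this shell wrapper reads the recipient key's computed validity from `--with-colons` output on the encrypting account and runs the encryption in `--batch` mode only when gpg would not have asked. The function names, the fingerprint and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names and sample data are constructed.

# Constructed 40-hex-digit fingerprint standing in for the recipient key.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567

# Constructed `gpg --with-colons --fingerprint` listing. $1 is the validity
# letter that gpg reports in field 2 of the pub record.
sample_listing() {
    cat <<EOF
tru::1:1275180000:0:3:1:5
pub:$1:2048:1:89ABCDEF01234567:1275000000:::-:::scESC:
fpr:::::::::$SAMPLE_FPR:
uid:$1::::1275000000::::Backup Key (constructed) <backup@example.invalid>:
sub:$1:2048:1:1111222233334444:1275000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
EOF
}

# Read a colon listing on stdin and print the validity letter of the primary
# key whose fingerprint is $1. Subkey fingerprints are deliberately ignored.
# Returns 1 if no primary key with that fingerprint is listed.
key_validity() {
    awk -F: -v want="$1" '
        $1 == "pub" { validity = $2; primary = 1; next }
        $1 == "fpr" && primary {
            if ($10 == want) { print validity; found = 1; exit }
            primary = 0
        }
        END { if (!found) exit 1 }
    '
}

# Map a validity letter to what an unattended script should do with the key.
classify_validity() {
    case "$1" in
        f|u)     echo ok ;;         # fully or ultimately valid: no prompt
        r|e|d|i) echo unusable ;;   # revoked, expired, disabled, invalid
        *)       echo untrusted ;;  # -, q, n, m, o: gpg would ask the question
    esac
}

# Encrypt $2 to $3 for the key with fingerprint $1, without ever prompting and
# without overriding the trust model.
encrypt_unattended() {
    fpr=$1; infile=$2; outfile=$3
    validity=$(gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null |
               key_validity "$fpr") || {
        echo "recipient $fpr is not a primary key in this keyring" >&2
        return 2
    }
    case $(classify_validity "$validity") in
        ok)
            gpg --batch --yes --recipient "$fpr" \
                --output "$outfile" --encrypt "$infile"
            ;;
        unusable)
            echo "key $fpr is revoked, expired, disabled or invalid" >&2
            return 3
            ;;
        *)
            echo "key $fpr has validity '$validity' on this account:" >&2
            echo "verify the fingerprint, then lsign it or set owner trust here" >&2
            return 4
            ;;
    esac
}
```

Addressing the recipient by full fingerprint keeps the script from encrypting to a different key that merely carries the same user ID, which is the case `--trust-model always` would not catch.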