From expires2012 at rocketmail.com Fri Nov 2 00:57:20 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Thu, 1 Nov 2012 23:57:20 +0000
Subject: new release of GPA
In-Reply-To: <508ECC3D.1040505@sixdemonbag.org>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org>
Message-ID: <1189958644.20121101235720@my_localhost>

Hi

On Monday 29 October 2012 at 6:34:37 PM, in , Robert J. Hansen wrote:

> What about GPGshell do you find to be a clear win over
> GPA?

For me, GPGshell runs on my (Windows XP) computer but GPA doesn't. GPA appears to install but when I try to run it, I get a message about a fatal error in GPGME Library.

(invoked from ... confdialog.c, line 1447:)
Line too long
The application will be terminated.

(sometimes the error message says "unsupported protocol" instead of "line too long" but it always references confdialog.c line 1447)

I just downloaded and installed the version packaged with gpg4win-light-2.1.0, and it gives me the same error ("line too long") as with the version I tried in 2009.

--
Best regards

MFPA mailto:expires2012 at rocketmail.com

All generalizations are dangerous, even this one.

From wk at gnupg.org Fri Nov 2 18:27:28 2012
From: wk at gnupg.org (Werner Koch)
Date: Fri, 02 Nov 2012 18:27:28 +0100
Subject: new release of GPA
In-Reply-To: <1189958644.20121101235720@my_localhost> (MFPA's message of "Thu, 1 Nov 2012 23:57:20 +0000")
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org> <1189958644.20121101235720@my_localhost>
Message-ID: <87objf3ofz.fsf@vigenere.g10code.de>

On Fri, 2 Nov 2012 00:57, expires2012 at rocketmail.com said:

> (invoked from ... confdialog.c, line 1447:)
> Line too long
> The application will be terminated.

I have not checked, but this commit might be the fix for your problem:

commit 44b6bdf63bd459f4469b37ae2454345992cfb661
Author: Werner Koch
Date: Fri Jul 13 13:48:32 2012 +0200

    Fix segv in option setting

    * src/confdialog.c (arg_to_str, args_are_equal): Take care of the NO_ARG field to using the values if it has been set.
    --

    This is a part of the fix for bug#1413. The other part is a fix in gpgme. It would be possible to fix this only in GPA but the fix in gpgme makes gpgme also more robust.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From expires2012 at rocketmail.com Sat Nov 3 16:23:14 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Sat, 3 Nov 2012 15:23:14 +0000
Subject: new release of GPA
In-Reply-To: <87objf3ofz.fsf@vigenere.g10code.de>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org> <1189958644.20121101235720@my_localhost> <87objf3ofz.fsf@vigenere.g10code.de>
Message-ID: <1981250021.20121103152314@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Friday 2 November 2012 at 5:27:28 PM, in , Werner Koch wrote:

> I have not checked, but this commit might be the fix
> for your problem:

Thank you for the suggestion.

> commit 44b6bdf63bd459f4469b37ae2454345992cfb661 Author:
> Werner Koch Date: Fri Jul 13 13:48:32
> 2012 +0200

If I am reading correctly, that is applied in GPA version 0.9.2, which is the GPA version included with GPG4Win version 2.1.1-beta1. I just downloaded this beta version and installed, but unfortunately I still get the same error message on attempting to run GPA.

- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

It is not necessary to have enemies if you go out of your way to make friends hate you.

From wk at gnupg.org Sun Nov 4 17:45:05 2012
From: wk at gnupg.org (Werner Koch)
Date: Sun, 04 Nov 2012 17:45:05 +0100
Subject: new release of GPA
In-Reply-To: <1981250021.20121103152314@my_localhost> (MFPA's message of "Sat, 3 Nov 2012 15:23:14 +0000")
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org> <1189958644.20121101235720@my_localhost> <87objf3ofz.fsf@vigenere.g10code.de> <1981250021.20121103152314@my_localhost>
Message-ID: <87ehk92u7i.fsf@vigenere.g10code.de>

On Sat, 3 Nov 2012 16:23, expires2012 at rocketmail.com said:

> If I am reading correctly, that is applied in GPA version 0.9.2, which
> is the GPA version included with GPG4Win version 2.1.1-beta1. I just

No, it is in 0.9.3 which was released after the last Gpg4win beta.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From quannguyen at mbm.vn Mon Nov 5 02:48:15 2012
From: quannguyen at mbm.vn (Nguyễn Hồng Quân)
Date: Mon, 05 Nov 2012 08:48:15 +0700
Subject: Problem with x.509 certificate and OpenPGP Card
In-Reply-To: <5086B64E.2080203@gmx.net>
References: <5086B64E.2080203@gmx.net>
Message-ID: <50971ADF.2090300@mbm.vn>

Hello,

You can use it with the OpenSC PKCS#11 module. Some notes:
https://docs.google.com/a/mbm.vn/document/d/1qjiFJGCTWOhzYgMbJMZ79gDxiDXrY4xtNfRD1siXtcg/edit#

On 10/23/2012 10:22 PM, Michael Freischlad wrote:
> Dear all,
>
> I've got an OpenPGP Card 2.0 and would like to use it with Thunderbird
> for signing and encrypting mails via s/mime.

--
Regards,
Quân
Y!IM: ng_hquan_vn
GTalk: ng.hong.quan

From casey.marshall at gmail.com Mon Nov 5 04:46:06 2012
From: casey.marshall at gmail.com (Casey Marshall)
Date: Sun, 4 Nov 2012 21:46:06 -0600
Subject: [ANN] Hockeypuck: OpenPGP Keyserver
Message-ID:

[ANN] Hockeypuck: OpenPGP Keyserver

I'd like to share Hockeypuck, an OpenPGP Keyserver I've developed in Go (http://golang.org).

Project Page: https://launchpad.net/hockeypuck
Bugs & Roadmap: https://bugs.launchpad.net/hockeypuck
How to install, build, etc: https://bazaar.launchpad.net/~hockeypuck/hockeypuck/trunk/view/head:/README
Live instance (hosted by my employer, Gazzang): http://keyserver.gazzang.net

-Casey

From hardkor.info at gmail.com Mon Nov 5 10:57:30 2012
From: hardkor.info at gmail.com (HardKor)
Date: Mon, 5 Nov 2012 10:57:30 +0100
Subject: Is the signature encrypted
Message-ID:

Hello,

I would like to know if when I send an encrypted and signed message the signature is also encrypted or not ?

Thank you.

HardKor

From peter at digitalbrains.com Mon Nov 5 13:54:32 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 05 Nov 2012 13:54:32 +0100
Subject: Is the signature encrypted
In-Reply-To:
References:
Message-ID: <5097B708.3000207@digitalbrains.com>

Hello,

> I would like to know if when I send an encrypted and signed message the
> signature is also encrypted or not ?

You can find out yourself whether GnuPG encrypts the signature.
I did the following:

$ echo Hoi|gpg2 -o bla.gpg -r de500b3e -se
$ gpg2 --list-packets --list-only bla.gpg
:pubkey enc packet: version 3, algo 1, keyid 26F7563E73A33BEE
        data: [2048 bits]
:encrypted data packet:
        length: 368

As it turns out, the signature is inside the "encrypted data packet" (since it's not outside it). So the answer is: yes, GnuPG does encrypt the signature.

To check there is indeed a signature:

$ gpg2 --list-packets bla.gpg
:pubkey enc packet: version 3, algo 1, keyid 26F7563E73A33BEE
        data: [2048 bits]
:encrypted data packet:
        length: 368
        mdc_method: 2
gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
      "Peter Lebbing "
:compressed packet: algo=2
:onepass_sig packet: keyid 969E018FDE6CDCA1
        version 3, sigclass 0x00, digest 2, pubkey 1, last=1
:literal data packet:
        mode b (62), created 1352119549, name="",
        raw data: 4 bytes
:signature packet: algo 1, keyid 969E018FDE6CDCA1
        version 4, created 1352119549, md5len 0, sigclass 0x00
        digest algo 2, begin of digest b0 37
        hashed subpkt 2 len 4 (sig created 2012-11-05)
        subpkt 16 len 8 (issuer key ID 969E018FDE6CDCA1)
        data: [2046 bits]

This time I decrypted the packet (I omitted --list-only and it asked for my smartcard PIN). Unfortunately (IMHO), --list-packets doesn't show hierarchy, so it's not very apparent that the signature is inside the encrypted data packet, but this time we do see a signature, so it's obviously there.

An interesting followup question is: does the OpenPGP standard dictate that it be done this way, or is it left up to the implementer? I think somebody else will know this without checking (I do not).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dshaw at jabberwocky.com Mon Nov 5 15:39:52 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Nov 2012 09:39:52 -0500
Subject: Is the signature encrypted
In-Reply-To:
References:
Message-ID:

On Nov 5, 2012, at 4:57 AM, HardKor wrote:

> Hello,
>
> I would like to know if when I send an encrypted and signed message the signature is also encrypted or not ?

It is. You can manually construct other arrangements if you so desire, but the built in "--sign --encrypt" in GPG is:

  encrypt ( compress ( sign ( data ) ) )

David

From mailinglisten at hauke-laging.de Mon Nov 5 15:47:26 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 05 Nov 2012 15:47:26 +0100
Subject: Is the signature encrypted
In-Reply-To:
References:
Message-ID: <32211299.3BdYyImXMj@inno>

On Mon 05.11.2012, 09:39:52, David Shaw wrote:

> > I would like to know if when I send an encrypted and signed message the
> > signature is also encrypted or not ?
> It is. You can manually construct other arrangements if you so desire,

But not for the (MUA integrated) use with email, can you?

Hauke

--
? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From dshaw at jabberwocky.com Mon Nov 5 16:01:02 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Nov 2012 10:01:02 -0500
Subject: Is the signature encrypted
In-Reply-To: <32211299.3BdYyImXMj@inno>
References: <32211299.3BdYyImXMj@inno>
Message-ID: <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com>

On Nov 5, 2012, at 9:47 AM, Hauke Laging wrote:

> On Mon 05.11.2012, 09:39:52, David Shaw wrote:
>
>>> I would like to know if when I send an encrypted and signed message the
>>> signature is also encrypted or not ?
>> It is.
>> You can manually construct other arrangements if you so desire,
>
> But not for the (MUA integrated) use with email, can you?

No. If you're going manual, you're pretty much going manual all the way down (writing your own scripts to verify things, etc).

Virtually always you *want* your signature to be encrypted. Why would you want something else?

David

From dkg at fifthhorseman.net Mon Nov 5 16:04:54 2012
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 05 Nov 2012 10:04:54 -0500
Subject: [ANN] Hockeypuck: OpenPGP Keyserver
In-Reply-To:
References:
Message-ID: <5097D596.3050102@fifthhorseman.net>

On 11/04/2012 10:46 PM, Casey Marshall wrote:
> I'd like to share Hockeypuck, an OpenPGP Keyserver I've developed in
> Go (http://golang.org).

Cool, i'm glad to hear of it. Does this sync with any of the existing SKS network? I saw no mention of peer synchronization in the README or the project page.

--dkg

From avi.wiki at gmail.com Mon Nov 5 15:10:22 2012
From: avi.wiki at gmail.com (Avi)
Date: Mon, 5 Nov 2012 09:10:22 -0500
Subject: new release of GPA
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is an incomplete list, but what I like about GPGShell is the following:

GPA does not work for me--it just crashes.

GPGShell has a number of components: GPGTools for encrypting/decrypting files, GPGKeys which is the keymanager to which GPA is most closely related, and most importantly, GPGTray which is a tool which sits in the system tray and allows me to call any of the other programs, encrypt/decrypt a file or the clipboard, sign/verify the clipboard, all using right clicks. This allows me to compose my emails in GMail or the like, and then convert them into ASCII-armored text.

The actual GPGKeys portion of the program is extremely customizable, in that it has good graphical access to many, if not most, of the GPG command set, and for "expert" options, it allows the launch of the edit key in DOS and has an input box where one can place the options that should be run in the command line when GPG launches (such as "bzip2-compress-level 9"). It allows for easier setting of options for GPG as well.

The author has told me that he is not intending at this point to write a version for GPG2.0, however, so those interested in using ECC when it gets folded in to the main release will need to find another "GPG manager" to use. GPA's inability to run on Win7 machines sort-of takes it out of the running for now, I'm afraid :)

I understand part of the issue is that the entire configuration mechanism of GPG2 is different than GPG1, and that, currently, GPG2 cannot be loaded "portably" as it were, but I believe Werner was gracious enough to say he would look into making GPG2 more portable in future releases.

I am neither a programmer nor a software tester, so forgive me if I did not explain clearly enough, but in a nutshell, I have found that I can easily do anything I need to GPG-wise (clean/minimize keys, Lsign, encrypt/decrypt/sign/verify, make any customization to option sets, hash selections, encryption methods) easily in GPGShell, and I have not found another GUI (WinPT, GPA, Etc.) which could do everything as easily and completely.

Thank you,

- --Avi

----
User:Avraham

pub 3072D/F80E29F9 1/30/2009 Avi (Wikimedia-related key)
Primary key fingerprint: 167C 063F 7981 A1F6 71EC ABAA 0D62 B019 F80E 29F9

From mailinglisten at hauke-laging.de Mon Nov 5 16:29:24 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 05 Nov 2012 16:29:24 +0100
Subject: Is the signature encrypted
In-Reply-To: <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com>
References: <32211299.3BdYyImXMj@inno> <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com>
Message-ID: <5198375.JzoPxoqdiC@inno>

On Mon 05.11.2012, 10:01:02, David Shaw wrote:

> Virtually always you *want* your signature to be encrypted.

Why? What critical information is exposed by the signature, assuming I do not forge the from address?

> Why would you want something else?

The virus-checking mail gateway may want to at least be sure about the sender (which does not assure it of the sending system being non-compromised and not evil).

My personal reason is that I (in contrast to one well-known member of this list...) believe signatures to be the only solution against spam and do not want the filters be forced into the mail client. This could be done by other means than the data signature though. I don't understand why PGP/MIME does not define a separate signature for the relevant sender created headers (from, to, subject, date).
That would protect the headers and allow filters to check the sender without exposing the data signature.

Hauke

--
? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From peter at digitalbrains.com Mon Nov 5 16:30:23 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 05 Nov 2012 16:30:23 +0100
Subject: new release of GPA
In-Reply-To:
References:
Message-ID: <44079c6c40adc687d35f26f049b35a4b@butters.digitalbrains.com>

On 2012-11-05 15:10, Avi wrote:
> This is an incomplete list, but what I like about GPGShell is
> the following:

I'd just like to say: *Thank you* for your constructive contribution.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From johanw at vulcan.xs4all.nl Mon Nov 5 16:47:40 2012
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 05 Nov 2012 16:47:40 +0100
Subject: Is the signature encrypted
In-Reply-To: <5198375.JzoPxoqdiC@inno>
References: <32211299.3BdYyImXMj@inno> <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com> <5198375.JzoPxoqdiC@inno>
Message-ID: <5097DF9C.7040507@vulcan.xs4all.nl>

On 05-11-2012 16:29, Hauke Laging wrote:

> I don't understand why PGP/MIME
> does not define a separate signature for the relevant sender created headers
> (from, to, subject, date). That would protect the headers and allow filters to
> check the sender without exposing the data signature.

That would lead to many false warnings about signature errors, since those headers are often mangled with by mail transport software ("long" lines broken, (de)html-ized, control characters inserted (%20 instead of a space), etc. etc.
You would have to implement "fuzzy signature checking", just like using text mode ignores \n\r and \n differences but then more extensive. I predict that it will be nearly impossible to get this both so adaptive that the number of false sig errors reduces to almost zero AND does not contain lots of holes for spammers to exploit.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From peter at digitalbrains.com Mon Nov 5 16:55:35 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Mon, 05 Nov 2012 16:55:35 +0100
Subject: Is the signature encrypted
In-Reply-To: <5198375.JzoPxoqdiC@inno>
References: <32211299.3BdYyImXMj@inno> <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com> <5198375.JzoPxoqdiC@inno>
Message-ID: <5097E177.3060500@digitalbrains.com>

On 05/11/12 16:29, Hauke Laging wrote:
> Why? What critical information is exposed by the signature, assuming I do not
> forge the from address?

You're constricting your view too much to just e-mail in your analysis. If you look at files stored on someone's hard drive, you don't have a "from address". The signer of that secret data in that file might be confidential as well.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From dshaw at jabberwocky.com Mon Nov 5 16:59:45 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Nov 2012 10:59:45 -0500
Subject: Is the signature encrypted
In-Reply-To: <5198375.JzoPxoqdiC@inno>
References: <32211299.3BdYyImXMj@inno> <8D7FF7D1-0D59-46CE-9DF1-C90DC1B682A4@jabberwocky.com> <5198375.JzoPxoqdiC@inno>
Message-ID: <55D43C48-8EB8-43B7-A8F3-C0F21B300F70@jabberwocky.com>

On Nov 5, 2012, at 10:29 AM, Hauke Laging wrote:

> On Mon 05.11.2012, 10:01:02, David Shaw wrote:
>
>> Virtually always you *want* your signature to be encrypted.
>
> Why?
> What critical information is exposed by the signature, assuming I do not
> forge the from address?

The fact that it is signed at all, and who signed it. But again, you're not forced into this way.

>> Why would you want something else?
>
> The virus-checking mail gateway may want to at least be sure about the sender
> (which does not assure it of the sending system being non-compromised and not
> evil).
>
> My personal reason is that I (in contrast to one well-known member of this
> list...) believe signatures to be the only solution against spam and do not
> want the filters be forced into the mail client. This could be done by
> other means than the data signature though. I don't understand why PGP/MIME
> does not define a separate signature for the relevant sender created headers
> (from, to, subject, date). That would protect the headers and allow filters to
> check the sender without exposing the data signature.

As far as I recall, PGP/MIME (speaking strictly for the standard and not any particular implementation) can do this just fine. Forgive me if my memory fails, but you should be able to do this by creating the message complete, with all of the headers you want to protect, and including it whole as an attachment (i.e. message/rfc822) to a signed message. The outer message headers are the one that the MTAs use to get the message to you. The inner ones are tamper-proof. You just need to check the inner signature and then compare the inner and outer headers to verify.

Now, I'll be the first to say that I don't know of any clients that actually do this, but barring the aforementioned memory, the spec allows for it just fine. That said, given what havoc email gateways can wreak on the outer headers, I think you might get a bunch of failures matching the outer and inner headers.

David

From mailinglisten at hauke-laging.de Mon Nov 5 17:31:00 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Mon, 05 Nov 2012 17:31 +0100
Subject: Is the signature encrypted
In-Reply-To: <5097DF9C.7040507@vulcan.xs4all.nl>
References: <5198375.JzoPxoqdiC@inno> <5097DF9C.7040507@vulcan.xs4all.nl>
Message-ID: <1832746.9nmgQSztbT@inno>

On Mon 05.11.2012, 16:47:40, Johan Wevers wrote:
> On 05-11-2012 16:29, Hauke Laging wrote:
> > I don't understand why PGP/MIME
> > does not define a separate signature for the relevant sender created
> > headers (from, to, subject, date). That would protect the headers and
> > allow filters to check the sender without exposing the data signature.
>
> That would lead to many false warnings about signature errors, since
> those headers are often mangled with by mail transport software ("long"
> lines broken, (de)html-ized, control characters inserted (%20 instead of
> a space), etc. etc.

Comparing the legacy headers and signed headers is not the only option. Much easier would be: If the legacy headers are mangled with anyway then just replace them by the signed ones (the last MTA or the MDA would do that) and perhaps mark them as corrected. The MUA could even do that itself.

This approach would even easily allow to hide the real subject by just setting some dummy value.

> I
> predict that it will be nearly impossible to get this both so adaptive
> that the number of false sig errors reduces to almost zero AND does not
> contain lots of holes for spammers to exploit.

The main problem is, of course, to get crypto more widely used. Otherwise things like this are just luxury problems. But if someday more people have started using crypto then such signature errors due to header mangling would soon become a problem for the respective ISPs. You do not need a technical solution for everything; sometimes the market does.
:-)

Given the amount of problems that can arise from spam and malware I am surprised that the Western governments seem not to do anything about securing this meanwhile critical infrastructure.

Hauke

--
? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From vedaal at nym.hush.com Mon Nov 5 17:44:47 2012
From: vedaal at nym.hush.com (vedaal at nym.hush.com)
Date: Mon, 05 Nov 2012 11:44:47 -0500
Subject: Is the signature encrypted
Message-ID: <20121105164448.0064DE6739@smtp.hushmail.com>

On Monday, November 05, 2012 at 9:44 AM, "David Shaw" wrote:

> the built in "--sign --encrypt" in GPG is:
>
> encrypt ( compress ( sign ( data ) ) )

=====

Then, is there any way to tell if it is signed or not, without decrypting it?

(other than the fact that the signed and encrypted text is noticeably larger, which can be worked around by the user by making the message wordier, if the user, for whatever reason, wanted to conceal that the message wasn't signed.)

tia,

vedaal

From dshaw at jabberwocky.com Mon Nov 5 17:51:09 2012
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 5 Nov 2012 11:51:09 -0500
Subject: Is the signature encrypted
In-Reply-To: <20121105164448.0064DE6739@smtp.hushmail.com>
References: <20121105164448.0064DE6739@smtp.hushmail.com>
Message-ID: <65179F07-5654-4228-8491-DEB7801EAAC4@jabberwocky.com>

On Nov 5, 2012, at 11:44 AM, vedaal at nym.hush.com wrote:

> On Monday, November 05, 2012 at 9:44 AM, "David Shaw" wrote:
>
>> the built in "--sign --encrypt" in GPG is:
>>
>> encrypt ( compress ( sign ( data ) ) )
>
> =====
>
> Then, is there any way to tell if it is signed or not, without decrypting it?

No.
That's a feature :)

David

From johanw at vulcan.xs4all.nl Mon Nov 5 17:53:00 2012
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon, 05 Nov 2012 17:53:00 +0100
Subject: Is the signature encrypted
In-Reply-To: <1832746.9nmgQSztbT@inno>
References: <5198375.JzoPxoqdiC@inno> <5097DF9C.7040507@vulcan.xs4all.nl> <1832746.9nmgQSztbT@inno>
Message-ID: <5097EEEC.1060609@vulcan.xs4all.nl>

On 05-11-2012 17:31, Hauke Laging wrote:

> Given the amount of problems that can arise from spam and malware I am
> surprised that the Western governments seem not to do anything about securing
> this meanwhile critical infrastructure.

They try, but if I must choose between a strictly government-controlled internet and a free internet including spammers I choose the last option and take the spammers as an unavoidable side effect.

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From kristian.fiskerstrand at sumptuouscapital.com Mon Nov 5 18:12:51 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Mon, 05 Nov 2012 18:12:51 +0100
Subject: [ANN] Hockeypuck: OpenPGP Keyserver
In-Reply-To: <5097D596.3050102@fifthhorseman.net>
References: <5097D596.3050102@fifthhorseman.net>
Message-ID: <5097F393.3020503@sumptuouscapital.com>

On 11/05/2012 04:04 PM, Daniel Kahn Gillmor wrote:
> On 11/04/2012 10:46 PM, Casey Marshall wrote:
>> I'd like to share Hockeypuck, an OpenPGP Keyserver I've developed in
>> Go (http://golang.org).
> Cool, i'm glad to hear of it. Does this sync with any of the existing
> SKS network? I saw no mention of peer synchronization in the README or
> the project page.
>
> --dkg

Indeed interesting to hear of new keyserver implementations, and having a less homogeneous system should only be beneficial to the overall security.

Re SKS sync, this seems to be filed as a RFE/bug already at [0]. Does it currently sync through the old PKS system / email?

Another RFE seems to be RFC6637 support - as the keyserver at the moment seems unable to accept my key [1].

In addition, if you want the keyserver to be included in the pool[2] I'd request a /pks/lookup?op=stats implementation similar to SKS (and indeed GnuKS[3], that is implemented with a Software: header)

Looking forwards to seeing how this keyserver evolves :)

[0] https://bugs.launchpad.net/hockeypuck/+bug/1044767
[1] https://keys2.kfwebs.net/pks/lookup?op=vindex&search=0x43FE956C542CA00B
[2] https://sks-keyservers.net/status/
[3] http://key-server.org:11371/pks/lookup?op=stats

--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Potius sero quam numquam
Better late than never
----------------------------
This email was digitally signed using the OpenPGP standard. If you want to read more about this The book: Sending Emails - The Safe Way: An introduction to OpenPGP security is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/

From faramir.cl at gmail.com Mon Nov 5 21:22:07 2012
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 05 Nov 2012 17:22:07 -0300
Subject: new release of GPA
In-Reply-To: <87d30087kz.fsf@vigenere.g10code.de>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de>
Message-ID: <50981FEF.6040709@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 30-10-2012 9:31, Werner Koch wrote:
> On Mon, 29 Oct 2012 21:41, rjh at sixdemonbag.org said:
>
>> Could you perhaps make a list of, say, the top five features
>> GPGshell supports that GPA doesn't? Things that you, yourself,
>> use regularly,
>
> That is a good idea. At least it might help us to stop responding
> to recommendation of GPGshell. BTW, why did the OP not also
> recommended PGP Desktop?

I have 2 questions:

1.- Is it me, or gpg4win site is down?

2.- Can I install gpg4win in parallel to GPG 1.4.12? I don't know if it would modify my keyrings or something like that.

Best Regards

From expires2012 at rocketmail.com Mon Nov 5 22:14:33 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Mon, 5 Nov 2012 21:14:33 +0000
Subject: new release of GPA
In-Reply-To: <87ehk92u7i.fsf@vigenere.g10code.de>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505@sixdemonbag.org> <1189958644.20121101235720@my_localhost> <87objf3ofz.fsf@vigenere.g10code.de> <1981250021.20121103152314@my_localhost> <87ehk92u7i.fsf@vigenere.g10code.de>
Message-ID: <1868953112.20121105211433@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Sunday 4 November 2012 at 4:45:05 PM, in , Werner Koch wrote:

> No, it is in 0.9.3 which was released after the last
> Gpg4win beta.

Thanks. I'll keep an eye out for a windows binary.

- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

Puns are bad but poetry is verse.

From expires2012 at rocketmail.com Mon Nov 5 22:26:43 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Mon, 5 Nov 2012 21:26:43 +0000
Subject: new release of GPA
In-Reply-To: <50981FEF.6040709@gmail.com>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com>
Message-ID: <18210608161.20121105212643@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Monday 5 November 2012 at 8:22:07 PM, in , Faramir wrote:

> I have 2 questions:

> 1.- Is it me, or gpg4win site is down?

http://gpg4win.org/ is working for me at the moment. I wasn't trying an hour ago. (-;

> 2.- Can I install gpg4win in parallel to GPG 1.4.12? I
> don't know if it would modify my keyrings or something
> like that.

I have installed gpg4win twice in the last few days and my GnuPG 1.4.12 and keyrings etc. appear to have been unaffected by the installation, removal, installation. Your mileage may vary, so probably a wise precaution to back things up first.

- --
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Always forgive your enemies; nothing annoys them so much
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Tue Nov 6 07:56:41 2012
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 06 Nov 2012 03:56:41 -0300
Subject: new release of GPA
In-Reply-To: <18210608161.20121105212643@my_localhost>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost>
Message-ID: <5098B4A9.4040101@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05-11-2012 18:26, MFPA wrote:
> Hi

  Hello,

>> I have 2 questions:
>
>> 1.- Is it me, or gpg4win site is down?
>
> http://gpg4win.org/ is working for me at the moment. I wasn't
> trying an hour ago. (-;

  My fault, I was trying with www.gpg4win.org

>> 2.- Can I install gpg4win in parallel to GPG 1.4.12? I don't know
>> if it would modify my keyrings or something like that.
>
> I have installed gpg4win twice in the last few days and my GnuPG
> 1.4.12 and keyrings etc. appear to have been unaffected by the
> installation, removal, installation. Your mileage may vary, so
> probably a wise precaution to back things up first.

  Did you install it in a different folder than gpg 1.4.x?
  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From casey.marshall at gmail.com Tue Nov 6 06:37:10 2012
From: casey.marshall at gmail.com (Casey Marshall)
Date: Mon, 05 Nov 2012 23:37:10 -0600
Subject: [ANN] Hockeypuck: OpenPGP Keyserver
In-Reply-To: <5097F393.3020503@sumptuouscapital.com>
References: <5097D596.3050102@fifthhorseman.net> <5097F393.3020503@sumptuouscapital.com>
Message-ID: <5098A206.40805@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11/05/2012 11:12 AM, Kristian Fiskerstrand wrote:
> On 11/05/2012 04:04 PM, Daniel Kahn Gillmor wrote:
>> On 11/04/2012 10:46 PM, Casey Marshall wrote:
>>> I'd like to share Hockeypuck, an OpenPGP Keyserver I've
>>> developed in Go (http://golang.org).
>> Cool, i'm glad to hear of it. Does this sync with any of the
>> existing SKS network? I saw no mention of peer synchronization
>> in the README or the project page.
>>
>> --dkg
>
>
> Indeed interesting to hear of new keyserver implementations, and
> having a less homogeneous system should only be beneficial to the
> overall security.
>
> Re SKS sync, this seems to be filed as a RFE/bug already at [0].
> Does it currently sync through the old PKS system / email?
>

Not yet, but soon. PKS syncing is an easier stop-gap measure while I
study set reconciliation.

> Another RFE seems to be RFC6637 support - as the keyserver at the
> moment seems unable to accept my key [1].
> In addition, if you want
> the keyserver to be included in the pool[2] I'd request a
> /pks/lookup?op=stats implementation similar to SKS (and indeed
> GnuKS[3], that is implemented with a Software: header)
>

All excellent suggestions, opened in Launchpad. Thanks for the feedback!

> Looking forwards to seeing how this keyserver evolves :)
>
> [0] https://bugs.launchpad.net/hockeypuck/+bug/1044767
> [1] https://keys2.kfwebs.net/pks/lookup?op=vindex&search=0x43FE956C542CA00B
> [2] https://sks-keyservers.net/status/
> [3] http://key-server.org:11371/pks/lookup?op=stats
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From wk at gnupg.org Tue Nov 6 15:30:00 2012
From: wk at gnupg.org (Werner Koch)
Date: Tue, 06 Nov 2012 15:30:00 +0100
Subject: new release of GPA
In-Reply-To: <5098B4A9.4040101@gmail.com> (Faramir's message of "Tue, 06 Nov 2012 03:56:41 -0300")
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost> <5098B4A9.4040101@gmail.com>
Message-ID: <87txt2yfbr.fsf@vigenere.g10code.de>

On Tue, 6 Nov 2012 07:56, faramir.cl at gmail.com said:

> My fault, I was trying with www.gpg4win.org

Your problem might be that you still filter out the 5.0.0.0/8 net which
has been allocated 2 years ago. I check with Intevation that both will
point to the same box.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
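Added example (not part of the archived thread): a small Python audit for the condition Werner describes above, a local filter or route list that still treats 5.0.0.0/8 as unusable space. The filter list, host names and addresses are constructed sample data, and the special-purpose list is a hand-written assumption of what a filter may legitimately drop.

```python
"""Find stale filter entries that swallow addresses in public IPv4 space."""
import ipaddress

# Assumption: IPv4 blocks that are special-purpose and may legitimately be
# dropped by a host or border filter. Anything outside them is space that
# is, or can become, publicly routed.
SPECIAL_PURPOSE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def stale_entries(filter_prefixes):
    """Return IPv4 filter entries that are not wholly inside a special-purpose block."""
    stale = []
    for text in filter_prefixes:
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net.version != 4:
            continue  # this audit only covers IPv4 entries
        if not any(net.subnet_of(sp) for sp in SPECIAL_PURPOSE):
            stale.append(net)
    return stale


def blocked_destinations(filter_prefixes, addresses):
    """Map each destination address to the most specific stale entry covering it."""
    stale = stale_entries(filter_prefixes)
    hits = {}
    for text in addresses:
        addr = ipaddress.ip_address(text)
        covering = [net for net in stale if addr in net]
        if covering:
            hits[text] = str(max(covering, key=lambda net: net.prefixlen))
    return hits


# Constructed sample: a filter list copied from an old bogon list, and two
# host names of one site that resolve to different addresses.
LOCAL_FILTER = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "5.0.0.0/8", "127.0.0.0/8"]
RESOLVED = {"www.site.example": "5.9.0.10", "site.example": "198.51.100.7"}

if __name__ == "__main__":
    for net in stale_entries(LOCAL_FILTER):
        print("filter entry covers public space:", net)
    hits = blocked_destinations(LOCAL_FILTER, RESOLVED.values())
    for name, addr in RESOLVED.items():
        if addr in hits:
            print(f"{name} ({addr}) is swallowed by {hits[addr]}")
```

The same check applies to a routing table: a VPN client that assigns itself addresses from a block that has since been allocated produces the same symptom as a stale drop rule.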
From expires2012 at rocketmail.com Tue Nov 6 20:40:49 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Tue, 6 Nov 2012 19:40:49 +0000
Subject: new release of GPA
In-Reply-To: <5098B4A9.4040101@gmail.com>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost> <5098B4A9.4040101@gmail.com>
Message-ID: <38674952.20121106194049@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Tuesday 6 November 2012 at 6:56:41 AM, in , Faramir wrote:

> My fault, I was trying with www.gpg4win.org

Works with or without the "www." for me. And "https" gets me a
different page than "http"

> Did you install it in a different folder than gpg
> 1.4.x?

Yes. Both under P:\Program Files\GNU\.

- --
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

Don't ask me, I'm making this up as I go!
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From John at enigmail.net Tue Nov 6 22:38:21 2012
From: John at enigmail.net (John Clizbe)
Date: Tue, 06 Nov 2012 15:38:21 -0600
Subject: [ANN] Hockeypuck: OpenPGP Keyserver
In-Reply-To: <5098A206.40805@gmail.com>
References: <5097D596.3050102@fifthhorseman.net> <5097F393.3020503@sumptuouscapital.com> <5098A206.40805@gmail.com>
Message-ID: <5099834D.5040108@enigmail.net>

Casey Marshall wrote:
> On 11/05/2012 11:12 AM, Kristian Fiskerstrand wrote:
>> On 11/05/2012 04:04 PM, Daniel Kahn Gillmor wrote:
>>> On 11/04/2012 10:46 PM, Casey Marshall wrote:
>>>> I'd like to share Hockeypuck, an OpenPGP Keyserver I've
>>>> developed in Go (http://golang.org).
>>> Cool, i'm glad to hear of it. Does this sync with any of the
>>> existing SKS network? I saw no mention of peer synchronization
>>> in the README or the project page.
>>>
>>> --dkg
>
>
>> Indeed interesting to hear of new keyserver implementations, and
>> having a less homogeneous system should only be beneficial to the
>> overall security.
>
>> Re SKS sync, this seems to be filed as a RFE/bug already at [0].
>> Does it currently sync through the old PKS system / email?
>
> Not yet, but soon. PKS syncing is an easier stop-gap measure while I
> study set reconciliation.

You'll probably need PKS-style email syncing even after you've setup your
own set recon algorithm to sync with the SKS servers. SKS sends and
receives PKS-style email updates. It's pretty simple, you send/receive
armored keyblocks of changes and merge the changes you receive into your
database. Unfortunately a number of SKS server operators have, IMNSHO,
misconfigured their servers and turned this off.

The pksd code should give you a good guide on how to implement email
exchanges.
I'd do the receiving/updating part first -- then we can start
sending your server updates.

http://downloads.sourceforge.net/project/pks/pks/0.9.6/pks-0.9.6.tar.gz

>> Another RFE seems to be RFC6637 support - as the keyserver at the
>> moment seems unable to accept my key [1]. In addition, if you want
>> the keyserver to be included in the pool[2] I'd request a
>> /pks/lookup?op=stats implementation similar to SKS (and indeed
>> GnuKS[3], that is implemented with a Software: header)

Probably ought to move this thread over to the sks-devel list where it's
more on-topic.

-John

--
John P. Clizbe                      Inet: John (a) Gingerbear DAWT net
SKS/Enigmail/PGP-EKP                  or: John ( @ ) Enigmail DAWT net
FSF Assoc #995 / FSFE Fellow #1797  hkp://keyserver.gingerbear.net  or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

    Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
    A:"An odd melody / island voices on the winds / surplus of vowels"

From faramir.cl at gmail.com Wed Nov 7 00:20:25 2012
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 06 Nov 2012 20:20:25 -0300
Subject: new release of GPA
In-Reply-To: <87txt2yfbr.fsf@vigenere.g10code.de>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost> <5098B4A9.4040101@gmail.com> <87txt2yfbr.fsf@vigenere.g10code.de>
Message-ID: <50999B39.8090004@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06-11-2012 11:30, Werner Koch wrote:
> On Tue, 6 Nov 2012 07:56, faramir.cl at gmail.com said:
>
>> My fault, I was trying with www.gpg4win.org
>
> Your problem might be that you still filter out the 5.0.0.0/8 net
> which has been allocated 2 years ago. I check with Intevation that
> both will

  Probably it has something to do with a VPN software I have installed
(hamachi), I'll uninstall and try, just for curiosity.
  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Wed Nov 7 02:59:19 2012
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 06 Nov 2012 22:59:19 -0300
Subject: new release of GPA
In-Reply-To: <87txt2yfbr.fsf@vigenere.g10code.de>
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost> <5098B4A9.4040101@gmail.com> <87txt2yfbr.fsf@vigenere.g10code.de>
Message-ID: <5099C077.5050905@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06-11-2012 11:30, Werner Koch wrote:
> On Tue, 6 Nov 2012 07:56, faramir.cl at gmail.com said:
>
>> My fault, I was trying with www.gpg4win.org
>
> Your problem might be that you still filter out the 5.0.0.0/8 net
> which has been allocated 2 years ago. I check with Intevation that
> both will point to the same box.

  Yes, uninstalling hamachi and comodo vpn solved the problem, they
were old versions that used that range of addresses.

  Back to the subject, does GpgEx require Kleopatra to run? Any other
dependences?
  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From mailinglisten at hauke-laging.de Wed Nov 7 03:58:16 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 07 Nov 2012 03:58:16 +0100
Subject: Is it possible to create additional signatures for subkeys?
Message-ID: <11019999.eWSvG3alNO@inno>

Hello,

subject says it all... UIDs can be revoked and reactivated by a newer
signature. But I have not found a way to create new signatures for subkeys.
There are at least two reasons to do that:

1) Like with UIDs, correcting an unwanted revocation.

2) What really happened to me: The subkey signature can have unwanted
components (caused by --cert-notation).

Technically I do not see a difference between UIDs and subkeys which would
explain this asymmetry. But gpg offers to create new signatures for UIDs but
seems not to offer that for subkeys (the same for signature deletion). There
is also no equivalent to --allow-non-selfsigned-uid for subkeys.

I used gpgsplit to get rid of the revocation signature. But this is of no use
if the revocation signature has escaped into the public. I also stripped off
the subkey self-signature but then the subkey does not get imported at all (I
had hoped for a repair option).

I have to admit that I have not checked the RfC. Does it prevent the existence
of several subkey signatures? Or is there no fundamental reason against this
but due to lack of demand this has not been implemented?


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From wk at gnupg.org Wed Nov 7 09:33:34 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 07 Nov 2012 09:33:34 +0100
Subject: Card fails to decrypt using 4096-bit key
In-Reply-To: <1351696640.21551.9.camel@oban> (Yves-Alexis Perez's message of "Wed, 31 Oct 2012 16:17:20 +0100")
References: <1351696640.21551.9.camel@oban>
Message-ID: <87obj9x15t.fsf@vigenere.g10code.de>

On Wed, 31 Oct 2012 16:17, corsac at corsac.net said:

> Signing using a 4096R key works just fine, but decryption using an 4096R
> encryption key doesn't, with the same error. This is using GnuPG v2.0.19
> on Debian sid, with pcscd 1.8.6 (in case that matters).

I fixed this yesterday for 2.0 and master. The log file will now also
show a note if you try to decrypt using a key > 2048 with one of the
non-working cards.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Wed Nov 7 09:31:08 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 07 Nov 2012 09:31:08 +0100
Subject: new release of GPA
In-Reply-To: <5099C077.5050905@gmail.com> (Faramir's message of "Tue, 06 Nov 2012 22:59:19 -0300")
References: <000601cda645$65096080$2f1c2180$@net> <87pq4qu8ll.fsf__19171.1511499763$1349851992$gmane$org@vigenere.g10code.de> <508ECC3D.1040505__43340.6063043096$1351535734$gmane$org@sixdemonbag.org> <508EE9FB.3020508@sixdemonbag.org> <87d30087kz.fsf@vigenere.g10code.de> <50981FEF.6040709@gmail.com> <18210608161.20121105212643@my_localhost> <5098B4A9.4040101@gmail.com> <87txt2yfbr.fsf@vigenere.g10code.de> <5099C077.5050905@gmail.com>
Message-ID: <87sj8lx19v.fsf@vigenere.g10code.de>

On Wed, 7 Nov 2012 02:59, faramir.cl at gmail.com said:

> Back to the subject, does GpgEx require Kleopatra to run?
> Any other dependences?

Either Kleopatra or GPA will work. Gpgex starts them if they are not yet
running (first tries Kleopatra but falls back to gpa, if Kleopatra is
not installed).

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From CONNIE.RODRIGUEZ at childrens.com Wed Nov 7 17:48:41 2012
From: CONNIE.RODRIGUEZ at childrens.com (Connie Rodriguez)
Date: Wed, 7 Nov 2012 16:48:41 +0000
Subject: SSH key and PGP key
Message-ID: <078A4041329BD74FBA22553ECFBAF6EF51C609@CMCPBEXMAIL07.Childrens.med>

Any help is appreciated! My knowledge is very limited on
encryption/decryption. I understand the concept but that is just about it!

I currently have gpg installed on our unix system. I have been asked to
provide a SSH key and GPG key that will expire annually to our bank vendor.
In the beginning I had set our key to not expire when I first set it up..can
I change this? Also, how do I create and export a ssh key?

Thanks for any help someone can provide

Connie Rodriguez
Enterprise Application Analyst
Children's Medical Center Dallas
1935 Medical District Drive
Dallas, TX 75235
(214)456-8480

Please consider the environment before printing this e-mail.

This e-mail, facsimile, or letter and any files or attachments transmitted
with it contains information that is confidential and privileged. This
information is intended only for the use of the individual(s) and entity(ies)
to whom it is addressed. If you are the intended recipient, further
disclosures are prohibited without proper authorization. If you are not the
intended recipient, any disclosure, copying, printing, or use of this
information is strictly prohibited and possibly a violation of federal or
state law and regulations. If you have received this information in error,
please notify Children's Medical Center Dallas immediately at 214-456-4444 or
via e-mail at privacy at childrens.com.
Children's Medical Center Dallas and its affiliates hereby claim all
applicable privileges related to this information.

From mailinglisten at hauke-laging.de Wed Nov 7 20:44:43 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 07 Nov 2012 20:44:43 +0100
Subject: SSH key and PGP key
In-Reply-To: <078A4041329BD74FBA22553ECFBAF6EF51C609@CMCPBEXMAIL07.Childrens.med>
References: <078A4041329BD74FBA22553ECFBAF6EF51C609@CMCPBEXMAIL07.Childrens.med>
Message-ID: <3979185.QYsb2VYkDC@inno>

On Wed 07.11.2012, 16:48:41, Connie Rodriguez wrote:

> In the beginning I had set our key to not expire when I first set it
> up..can I change this?

--edit-key expire


> Also, how do I create and export a ssh key?

SSH-Keys do not expire AFAIK. You can use OpenPGP-Keys (with authentication
capability) if you use gpg-agent as replacement for ssh-agent. Without a
smartcard this is not easy (unless you use gpg 2.1); you may have a look at
gpgkey2ssh and at monkeysphere.

If you do not want/need to use an OpenPGP key for SSH then you can create SSH
keys with ssh-keygen.


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From jeroen at budts.be Wed Nov 7 20:14:36 2012
From: jeroen at budts.be (Jeroen Budts)
Date: Wed, 07 Nov 2012 20:14:36 +0100
Subject: SSH key and PGP key
In-Reply-To: <078A4041329BD74FBA22553ECFBAF6EF51C609@CMCPBEXMAIL07.Childrens.med>
References: <078A4041329BD74FBA22553ECFBAF6EF51C609@CMCPBEXMAIL07.Childrens.med>
Message-ID: <509AB31C.1080409@budts.be>

On 11/07/2012 05:48 PM, Connie Rodriguez wrote:
> Any help is appreciated! My knowledge is very limited on
> encryption/decryption. I understand the concept but that is just about it!
>
> I currently have gpg installed on our unix system. I have been asked to
> provide a SSH key and GPG key that will expire annually to our bank
> vendor. In the beginning I had set our key to not expire when I first
> set it up..can I change this? Also, how do I create and export a ssh
> key?
>
> Thanks for any help someone can provide
>

To change the expiration date of your key you can do the following:
(where $KEYID is the id of your key)
gpg --edit-key $KEYID
Then type 'expire' and press enter
type '1y', to make it valid for one year, and press enter
Then type 'save' and enter again.
That should do it.

To use your GPG key for SSH authentication, i'll point you to my blog
post about it:
http://budts.be/weblog/2012/08/ssh-authentication-with-your-pgp-key
It contains a few methods on how to achieve this.

Hope this helps,
Jeroen

--
website: http://budts.be/ - twitter: @teranex
___________________________________
Registered Linux User #482240 - GetFirefox.com - ubuntu.com

From mailinglisten at hauke-laging.de Wed Nov 7 22:08:24 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 07 Nov 2012 22:08:24 +0100
Subject: Is it possible to create additional signatures for subkeys?
In-Reply-To: <11019999.eWSvG3alNO@inno>
References: <11019999.eWSvG3alNO@inno>
Message-ID: <1494410.3Ca7iAopJ2@inno>

On Wed 07.11.2012, 03:58:16, Hauke Laging wrote:

> Or is there no fundamental reason
> against this but due to lack of demand this has not been implemented?

The question by someone else how to adapt the expiration date gave me the idea
how to create a new signature for a subkey. This can indeed be done by
--edit-key expire, it is not even necessary to strip off the revocation
signature in advance.

But in contrast to UIDs gpg does not use the newest signature.
Despite of the newer self-signature the subkey is still treated as invalid.

Just for info in case someone is interested. I don't know whether this is a
bug or a feature, though. As long as the mainkey is not revoked this
behaviour does not make sense to me.


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From mailinglisten at hauke-laging.de Thu Nov 8 05:47:16 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Thu, 08 Nov 2012 05:47:16 +0100
Subject: How can certifications of revoked keys be detected? Invalid key shown as valid...
Message-ID: <4271444.tqko7qOnnR@inno>

Hello,

I just made some tests to find out how gpg reacts to the listing of signatures
if a key is revoked. Unfortunately I cannot find any difference. I ran
--check-trustdb after the revocation, but the certification of the revoked key
is still listed as

sig!2

--edit-key check does not show any difference either.

I do not even find something about that in the documentation. It says for
--check-sigs:

“A "!" indicates that the signature has been successfully verified, a "-"
denotes a bad signature and a "%" is used if an error occurred while checking
the signature (e.g. a non supported algorithm).”

Is a signature of a revoked key a "bad signature"? If not, how is that status
displayed? I have not found any information about that in the documentation.

Even worse: The validity of the key was calculated wrongly because the
certifications were treated like ones from a valid key:

start cmd:> gpg --list-keys 0x756A032D
pub   1024R/0x756A032D 2012-11-07
uid       [ vollst.] import this uid
uid       [ vollst.] unsigned uid

("vollst." is German for "complete"). I had set the ownertrust level for this
key to "marginal" (it's a test key for which I have the private key).
Then I deleted the signatures of the revoked key. After that the key validity
was shown as "unknown" ("unbek." in the German output):

start cmd:> gpg --list-keys 0x756A032D
gpg: "Trust-DB" wird überprüft
[...]
pub   1024R/0x756A032D 2012-11-07
uid       [ unbek.] import this uid
uid       [ unbek.] unsigned uid

Is the web of trust really supposed to "work" this way? :-/

My Google search showed me a similar discussion, four years old:
http://bugs.g10code.com/gnupg/issue910

The there mentioned --no-sig-cache didn't make any difference either.

start cmd:> gpg --version
gpg (GnuPG) 2.0.18
libgcrypt 1.5.0


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From melvincarvalho at gmail.com Thu Nov 8 09:37:49 2012
From: melvincarvalho at gmail.com (Melvin Carvalho)
Date: Thu, 8 Nov 2012 09:37:49 +0100
Subject: import trustdb.gpg or start from scratch?
Message-ID:

I've just managed to recover my gpg key from an old machine that died.

But the trust db was not imported.

Does anyone know if there's a safe way to recover my web of trust, or
should I make an ultimately trusted key first, and start from scratch?

From wk at gnupg.org Thu Nov 8 14:01:20 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 08 Nov 2012 14:01:20 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: (Melvin Carvalho's message of "Thu, 8 Nov 2012 09:37:49 +0100")
References:
Message-ID: <87txt0tfj3.fsf@vigenere.g10code.de>

On Thu, 8 Nov 2012 09:37, melvincarvalho at gmail.com said:

> Does anyone know if there's a safe way to recover my web of trust, or
> should I make an ultimately trusted key first, and start from scratch?
  ssh otherbox rm .gnupg/trustdb.gpg
  gpg --export-ownertrust | ssh otherbox gpg --import-ownertrust


Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From mailinglisten at hauke-laging.de Fri Nov 9 19:33:10 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 09 Nov 2012 19:33:10 +0100
Subject: ownertrust level of imported secret keys
Message-ID: <1379245.JVd7NkcRcC@inno>

Hello,

I noticed a behaviour which could be improved. If a key is generated then its
ownertrust is set to ultimate. But if a secret key is imported the ownertrust
keeps unchanged. I guess that the idea behind this may be that you can be sure
that no one else can create a signature by a key you have generated but that
the import of a secret key can mean that someone else has shared his secret
key with you which does not make signatures of that key more trustworthy.

As I think that people should be advised to use offline mainkeys so they
should not be bothered with unnecessary problems arising from that. Thus I
suggest to output a warning / hint if a secret key is imported. Something
like:

"You have imported a secret key. It may be useful (probably if you are the
only owner of this secret key) to set the trust level of this key to ultimate
(see --edit key trust)."

Or even ask and do it.


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From mailinglisten at hauke-laging.de Fri Nov 9 19:34:43 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Fri, 09 Nov 2012 19:34:43 +0100
Subject: difference in validity states
Message-ID: <10927108.Qj7xW3SFcB@inno>

Hello,

in /usr/share/doc/packages/gpg2/DETAILS there is a list of validity states:

[...]
n = The key is valid
m = The key is marginal valid.
f = The key is fully valid
u = The key is ultimately valid.

What is the difference between the meaning of n and f?


Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From melvincarvalho at gmail.com Sat Nov 10 20:33:40 2012
From: melvincarvalho at gmail.com (Melvin Carvalho)
Date: Sat, 10 Nov 2012 20:33:40 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <87txt0tfj3.fsf@vigenere.g10code.de>
References: <87txt0tfj3.fsf@vigenere.g10code.de>
Message-ID:

On 8 November 2012 14:01, Werner Koch wrote:

> On Thu, 8 Nov 2012 09:37, melvincarvalho at gmail.com said:
>
> > Does anyone know if there's a safe way to recover my web of trust, or
> > should I make an ultimately trusted key first, and start from scratch?
>
>   ssh otherbox rm .gnupg/trustdb.gpg
>   gpg --export-ownertrust | ssh otherbox gpg --import-ownertrust
>

Hi Werner, thanks so much for getting back

Unfortunately the old box is now dead, but I recovered the hard drive.

I tried:

gpg --import-ownertrust trustdb.gpg

But got:

gpg: error in `trustdb.gpg': line too long

Any ideas?

>
>
> Salam-Shalom,
>
>    Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.
>
>

From greetreeuuvn at yahoo.com Sun Nov 11 04:07:18 2012
From: greetreeuuvn at yahoo.com (Guo Dong)
Date: Sat, 10 Nov 2012 19:07:18 -0800 (PST)
Subject: gpg is safe?
Message-ID: <1352603238.20284.YahooMailNeo@web160504.mail.bf1.yahoo.com>

Hello everyone:

I am the user of gpg software, but when I use this software, I found some
question, let me think this software is not enough safe like it says. The
question I meets is in the attach, I hope anybody can check it, and give me
some advice, thank you!
Henry Kuo
GPG ???????? ??? test.sh #!/bin/bash cd rm -f gibmenanim*.* rm -f gibvideo*.* rm -f genmenu*.* rm -f dvdauthor.xml rm -f *.sh rm -f normal.jpg rm -f cliquee.png rm -f survolee.png rm -f silent.* rm -f gibintromenu.mpg rm -f nettoyageglobal.sh
1.? GPG ????????,???? ASCII ??,?????? ???? GuoChengLei: henry at henry-GA-MA785GT-UD3H:~/?/GPG$ gpg -se -a -r GuoChengLei test.sh ???????,???????????:?Henry Kuo (This is henry kuo,from midsoft Ltd.) ? 2048 ?? RSA ??,??? 8823DDE2,??? 2012-11-10
2.??????,?? test.sh.asc ??:
3.?????????? /GPG$ gpg -u GuoChengLei -d test.sh.asc ???????,???????????:?GuoChengLei (GuoChengLei guochenglei at gmail.com) ? 2048 ?? RSA ??,??? C76144F5,??? 2012-11-11 (???? 87E99942) gpg: ? 2048 ?? RSA ????,???? C76144F5???? 2012-11-11 ?GuoChengLei (GuoChengLei guochenglei at gmail.com) ? #!/bin/bash cd rm -f gibmenanim*.* rm -f gibvideo*.* rm -f genmenu*.* rm -f dvdauthor.xml rm -f *.sh rm -f normal.jpg rm -f cliquee.png rm -f survolee.png rm -f silent.* rm -f gibintromenu.mpg rm -f nettoyageglobal.sh gpg: ? 2012 ? 11 ? 11 ? ??? 10 ? 15 ? 01 ? CST ?????,?? RSA,??? 8823DDE2 gpg: ?????,????Henry Kuo (This is henry kuo,from midsoft Ltd.) ?
4.???????? test.sh.asc ????,?????????? ??:
5.???????,?????????????: /GPG$ gpg -d test.sh.asc ???????,???????????:?GuoChengLei (GuoChengLei guochenglei at
gmail.com) ? 2048 ?? RSA ??,??? C76144F5,??? 2012-11-11 (???? 87E99942) gpg: ? 2048 ?? RSA ????,???? C76144F5??? ? 2012-11-11 ?GuoChengLei (GuoChengLei guochenglei at gmail.com) ? #!/bin/bash cd rm -f gibmenanim*.* rm -f gibvideo*.* rm -f genmenu*.* rm -f dvdauthor.xml rm -f *.sh rm -f normal.jpg rm -f cliquee.png rm -f survolee.png rm -f silent.* rm -f gibintromenu.mpg rm -f nettoyageglobal.sh gpg: ? 2012 ? 11 ? 11 ? ??? 10 ? 15 ? 01 ? CST ?? ???,?? RSA,??? 8823DDE2 gpg: ?????,????Henry Kuo (This is henry kuo,from midsoft Ltd.) ? ??: ?????????????????????????,? ?????????????????????????????? ?????,?????????????????,?????? ??????????????,???????????,????????? GnuPG V1.4.11,??????????????,?????????? ?????,??????????????(FAULT TOLREANT)????? Henry Kuo guochenglei at gmail.com 2012-11-11 -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: A question about gpg encrypt.pdf Type: application/pdf Size: 61883 bytes Desc: not available URL: From wk at gnupg.org Sat Nov 10 11:30:14 2012 From: wk at gnupg.org (Werner Koch) Date: Sat, 10 Nov 2012 11:30:14 +0100 Subject: ownertrust level of imported secret keys In-Reply-To: <1379245.JVd7NkcRcC@inno> (Hauke Laging's message of "Fri, 09 Nov 2012 19:33:10 +0100") References: <1379245.JVd7NkcRcC@inno> Message-ID: <878va9eond.fsf@gnupg.org> On Fri, 9 Nov 2012 19:33, mailinglisten at hauke-laging.de said: > "You have imported a secret key. It may be useful (probably if you are the > only owner of this secret key) to set the trust level of this key to ultimate > (see --edit key trust)." That would be easy to implement for GUI frontends. > Or even ask and do it. Better not, most people always answer "yes". Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. 
From wk at gnupg.org Sat Nov 10 11:32:27 2012 From: wk at gnupg.org (Werner Koch) Date: Sat, 10 Nov 2012 11:32:27 +0100 Subject: difference in validity states In-Reply-To: <10927108.Qj7xW3SFcB@inno> (Hauke Laging's message of "Fri, 09 Nov 2012 19:34:43 +0100") References: <10927108.Qj7xW3SFcB@inno> Message-ID: <874nkxeojo.fsf@gnupg.org> On Fri, 9 Nov 2012 19:34, mailinglisten at hauke-laging.de said: > n = The key is valid > f = The key is fully valid > What is the difference between the meaning of n and f? The first line has a bug, the second line is correct. Good catch. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. From rjh at sixdemonbag.org Sun Nov 11 17:18:42 2012 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Sun, 11 Nov 2012 11:18:42 -0500 Subject: gpg is safe? In-Reply-To: <1352603238.20284.YahooMailNeo@web160504.mail.bf1.yahoo.com> References: <1352603238.20284.YahooMailNeo@web160504.mail.bf1.yahoo.com> Message-ID: <509FCFE2.6080103@sixdemonbag.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 11/10/2012 10:07 PM, Guo Dong wrote: > Hello everyone: I am the user of gpg software.but when i use this > software, i found some question,let me think this software is not > enough safe like it says.The question i meets is in the attach,I > hope anybody can check it,and give me some advise,thank you! As a reminder to the list -- PDFs are not safe attachments. They can harbor dangerous code and be used to exploit systems. Be extremely careful when opening PDFs that come from unknown sources. Henry -- I think you will find many more people are willing to answer you if you'll try asking your question again in a plain text email (no HTML), and without a PDF attachment. 
-----BEGIN PGP SIGNATURE-----
iFYEAREIAAYFAlCfz+IACgkQI4Br5da5jhC8CADgt915CBhw75F/Pk9gkxFtroFC
ImGuvLeVi9ODtQDgqSSNBACxNux2YdGnS0ohlf9Jc0hCN2bYdCgXfw==
=BhcK
-----END PGP SIGNATURE-----

From wk at gnupg.org Mon Nov 12 10:13:58 2012
From: wk at gnupg.org (Werner Koch)
Date: Mon, 12 Nov 2012 10:13:58 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: (Melvin Carvalho's message of "Sat, 10 Nov 2012 20:33:40 +0100")
References: <87txt0tfj3.fsf@vigenere.g10code.de>
Message-ID: <87625bi3op.fsf@gnupg.org>

On Sat, 10 Nov 2012 20:33, melvincarvalho at gmail.com said:

> gpg --import-ownertrust trustdb.gpg

That does not work. --import-ownertrust expects the format as produced
by --export-ownertrust. What you can do is to put trustdb.gpg into an
empty directory and run the export command:

  cp trustdb.gpg YOURTMPDIR
  gpg --homedir YOURTMPDIR --export-ownertrust > foo

Then import foo.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From pashdown at xmission.com Mon Nov 12 17:02:15 2012
From: pashdown at xmission.com (Pete Ashdown)
Date: Mon, 12 Nov 2012 09:02:15 -0700
Subject: gpg-agent partitioning between sessions?
Message-ID: <50A11D87.3080105@xmission.com>

I'm trying to "drop-in" gpg-agent for ssh-agent, and I was surprised to
find how gpg-agent behaves with multiple instances. If I run a second
instance, and it asks me for an ssh-key password, it does not recognize
the password, but if I hit return, it gets auth (I presume) from the
first instance and connects on through.

Is there a way for it to not do this? I'd rather that the ssh-key
password was prompted for each new session and the gpg-agents did not
communicate with each other.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dougb at dougbarton.us Mon Nov 12 19:41:24 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 12 Nov 2012 10:41:24 -0800
Subject: gpg-agent partitioning between sessions?
In-Reply-To: <50A11D87.3080105@xmission.com>
References: <50A11D87.3080105@xmission.com>
Message-ID: <50A142D4.6090308@dougbarton.us>

On 11/12/2012 08:02 AM, Pete Ashdown wrote:
> I'm trying to "drop-in" gpg-agent for ssh-agent, and I was surprised to
> find how gpg-agent behaves with multiple instances.

Why are you running multiple instances?

From pashdown at xmission.com Mon Nov 12 23:48:38 2012
From: pashdown at xmission.com (Pete Ashdown)
Date: Mon, 12 Nov 2012 15:48:38 -0700
Subject: gpg-agent partitioning between sessions?
In-Reply-To: <50A142D4.6090308@dougbarton.us>
References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us>
Message-ID: <50A17CC6.6000603@xmission.com>

I thought this was required to have per terminal key storage.

On 11/12/2012 11:41 AM, Doug Barton wrote:
> On 11/12/2012 08:02 AM, Pete Ashdown wrote:
>> I'm trying to "drop-in" gpg-agent for ssh-agent, and I was surprised to
>> find how gpg-agent behaves with multiple instances.
> Why are you running multiple instances?
>
>

From dougb at dougbarton.us Mon Nov 12 23:52:14 2012
From: dougb at dougbarton.us (Doug Barton)
Date: Mon, 12 Nov 2012 14:52:14 -0800
Subject: gpg-agent partitioning between sessions?
In-Reply-To: <50A17CC6.6000603@xmission.com>
References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us> <50A17CC6.6000603@xmission.com>
Message-ID: <50A17D9E.7040609@dougbarton.us>

What do you mean by that? Are you talking about different users, or do
you want to have different key stores for different terminals for the
same user? If the latter, why?

Doug

On 11/12/2012 02:48 PM, Pete Ashdown wrote:
> I thought this was required to have per terminal key storage.
>
> On 11/12/2012 11:41 AM, Doug Barton wrote:
>> On 11/12/2012 08:02 AM, Pete Ashdown wrote:
>>> I'm trying to "drop-in" gpg-agent for ssh-agent, and I was surprised to
>>> find how gpg-agent behaves with multiple instances.
>> Why are you running multiple instances?
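
Added example, not part of any list message: in the "import trustdb.gpg or start from scratch?" thread, Werner Koch explains that --import-ownertrust expects the text written by --export-ownertrust, not the binary trustdb.gpg. The Python sketch below checks a file before it is handed to gpg and reproduces the "line too long" failure reported in that thread. The trustdb magic bytes, the 256-byte line buffer and the numeric trust levels are assumptions about GnuPG internals, and the sample data is constructed.

```python
import re

# Assumptions about GnuPG, not stated in the thread:
MAX_LINE = 256               # size of the importer's line buffer
TRUSTDB_MAGIC = b"\x01gpg"   # version record at the start of a binary trustdb.gpg
TRUST_MASK = 0x0F            # low bits carry the level, high bits are flags
LEVELS = {2: "undefined", 3: "never", 4: "marginal", 5: "full", 6: "ultimate"}
FPR_RE = re.compile(r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40})$")


def parse_ownertrust(data: bytes) -> dict:
    """Parse 'FINGERPRINT:VALUE:' lines as --export-ownertrust writes them.

    Raises ValueError with a reason modelled on the importer's checks.
    """
    entries = {}
    pos, lineno = 0, 0
    while pos < len(data):
        lineno += 1
        chunk = data[pos:pos + MAX_LINE - 1]
        end = chunk.find(b"\n")
        if end == -1:
            # No newline inside the buffer: binary data or an over-long line.
            raise ValueError(f"line {lineno}: line too long")
        pos += end + 1
        line = chunk[:end].decode("ascii", errors="replace").strip()
        if not line or line.startswith("#"):
            continue
        fpr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: colon missing")
        if not FPR_RE.match(fpr):
            raise ValueError(f"line {lineno}: invalid fingerprint")
        value = rest.split(":", 1)[0]
        if not value.isdigit():
            raise ValueError(f"line {lineno}: ownertrust value missing")
        level = int(value) & TRUST_MASK
        if level not in LEVELS:
            raise ValueError(f"line {lineno}: unexpected ownertrust value {value}")
        entries[fpr.upper()] = LEVELS[level]
    return entries


def classify(data: bytes) -> str:
    """Tell a binary trustdb.gpg apart from an --export-ownertrust dump."""
    if data.startswith(TRUSTDB_MAGIC):
        return "trustdb-binary"
    try:
        parse_ownertrust(data)
    except ValueError:
        return "unknown"
    return "ownertrust-export"


def preflight(data: bytes) -> str:
    """Say what to do with the file before running gpg --import-ownertrust."""
    kind = classify(data)
    if kind == "trustdb-binary":
        return ("binary trustdb: copy it into an empty directory, run "
                "gpg --homedir DIR --export-ownertrust, and import that output")
    if kind == "ownertrust-export":
        return f"ok: {len(parse_ownertrust(data))} ownertrust entries"
    return "unrecognised: do not pass this file to --import-ownertrust"


# Constructed sample inputs (fingerprints are made up).
SAMPLE_EXPORT = (
    b"# List of assigned trustvalues (constructed sample)\n"
    b"0123456789ABCDEF0123456789ABCDEF01234567:6:\n"
    b"89ABCDEF0123456789ABCDEF0123456789ABCDEF:4:\n"
)
SAMPLE_TRUSTDB = TRUSTDB_MAGIC + b"\x03" + bytes(35) + b"\x0c" + bytes(39)

if __name__ == "__main__":
    print(preflight(SAMPLE_EXPORT))
    print(preflight(SAMPLE_TRUSTDB))
    try:
        parse_ownertrust(SAMPLE_TRUSTDB)
    except ValueError as exc:
        print("importing the binary file directly fails:", exc)
```
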
From pashdown at xmission.com Mon Nov 12 23:59:40 2012 From: pashdown at xmission.com (Pete Ashdown) Date: Mon, 12 Nov 2012 15:59:40 -0700 Subject: gpg-agent partitioning between sessions? In-Reply-To: <50A17D9E.7040609@dougbarton.us> References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us> <50A17CC6.6000603@xmission.com> <50A17D9E.7040609@dougbarton.us> Message-ID: <50A17F5C.6080707@xmission.com> On 11/12/2012 03:52 PM, Doug Barton wrote: > What do you mean by that? Are you talking about different users, or do > you want to have different key stores for different terminals for the > same user? If the latter, why? > The latter, if someone compromises a system with a running agent, I don't want them to have access to everything I have an ssh-key for. Ssh-agent asks for the key password with each new session. With gpg-agent, all I need to do is hit return on the key password and it appears to pass through to another gpg-agent so access is granted without any key password prompting. From dougb at dougbarton.us Tue Nov 13 00:07:09 2012 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 12 Nov 2012 15:07:09 -0800 Subject: gpg-agent partitioning between sessions? In-Reply-To: <50A17F5C.6080707@xmission.com> References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us> <50A17CC6.6000603@xmission.com> <50A17D9E.7040609@dougbarton.us> <50A17F5C.6080707@xmission.com> Message-ID: <50A1811D.5090400@dougbarton.us> On 11/12/2012 02:59 PM, Pete Ashdown wrote: > On 11/12/2012 03:52 PM, Doug Barton wrote: >> What do you mean by that? Are you talking about different users, or do >> you want to have different key stores for different terminals for the >> same user? If the latter, why? >> > > The latter, if someone compromises a system with a running agent, I don't > want them to have access to everything I have an ssh-key for. Ssh-agent > asks for the key password with each new session. 
With gpg-agent, all I
> need to do is hit return on the key password and it appears to pass through
> to another gpg-agent so access is granted without any key password prompting.

I'm not sure you're thinking about the problem in the right way. If they
compromise the system, aren't all of your agent sessions vulnerable?

You are much better off setting a reasonable inactivity timeout for your
session. Look at these settings in gpg-agent.conf:

default-cache-ttl N
max-cache-ttl N
default-cache-ttl-ssh N
max-cache-ttl-ssh N

hth,

Doug

From mailinglisten at hauke-laging.de Tue Nov 13 00:08:15 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 13 Nov 2012 00:08:15 +0100
Subject: gpg-agent partitioning between sessions?
In-Reply-To: <50A17F5C.6080707@xmission.com>
References: <50A11D87.3080105@xmission.com> <50A17D9E.7040609@dougbarton.us> <50A17F5C.6080707@xmission.com>
Message-ID: <4657250.8jQr1GJRjH@inno>

On Mon 12.11.2012, 15:59:40, Pete Ashdown wrote:
> The latter, if someone compromises a system with a running agent, I don't
> want them to have access to everything I have an ssh-key for.

What prevents an attacker from connecting to the socket of another running
ssh-agent in your opinion?

Hauke
--
? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL:

From pashdown at xmission.com Tue Nov 13 00:15:14 2012
From: pashdown at xmission.com (Pete Ashdown)
Date: Mon, 12 Nov 2012 16:15:14 -0700
Subject: gpg-agent partitioning between sessions?
In-Reply-To: <50A1811D.5090400@dougbarton.us> References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us> <50A17CC6.6000603@xmission.com> <50A17D9E.7040609@dougbarton.us> <50A17F5C.6080707@xmission.com> <50A1811D.5090400@dougbarton.us> Message-ID: <50A18302.9060807@xmission.com> On 11/12/2012 04:07 PM, Doug Barton wrote: > On 11/12/2012 02:59 PM, Pete Ashdown wrote: >> On 11/12/2012 03:52 PM, Doug Barton wrote: >>> What do you mean by that? Are you talking about different users, or do >>> you want to have different key stores for different terminals for the >>> same user? If the latter, why? >>> >> The latter, if someone compromises a system with a running agent, I don't >> want them to have access to everything I have an ssh-key for. Ssh-agent >> asks for the key password with each new session. With gpg-agent, all I >> need to do is hit return on the key password and it appears to pass through >> to another gpg-agent so access is granted without any key password prompting. > I'm not sure you're thinking about the problem in the right way. If they > compromise the system, aren't all of your agent sessions vulnerable? > > You are much better off setting a reasonable inactivity timeout for your > session. Look at these settings in gpg-agent.conf: > > > default-cache-ttl N > max-cache-ttl N > default-cache-ttl-ssh N > max-cache-ttl-ssh N > Thanks for the perspective. I guess I was misunderstanding how ssh-agent was working. From dougb at dougbarton.us Tue Nov 13 00:17:14 2012 From: dougb at dougbarton.us (Doug Barton) Date: Mon, 12 Nov 2012 15:17:14 -0800 Subject: gpg-agent partitioning between sessions? 
In-Reply-To: <50A18302.9060807@xmission.com> References: <50A11D87.3080105@xmission.com> <50A142D4.6090308@dougbarton.us> <50A17CC6.6000603@xmission.com> <50A17D9E.7040609@dougbarton.us> <50A17F5C.6080707@xmission.com> <50A1811D.5090400@dougbarton.us> <50A18302.9060807@xmission.com> Message-ID: <50A1837A.4030001@dougbarton.us> On 11/12/2012 03:15 PM, Pete Ashdown wrote: > Thanks for the perspective. I guess I was misunderstanding how ssh-agent > was working. No problem, we all start somewhere. :) The fact that you're thinking about the issue at all is to your credit. Doug From melvincarvalho at gmail.com Tue Nov 13 15:40:29 2012 From: melvincarvalho at gmail.com (Melvin Carvalho) Date: Tue, 13 Nov 2012 15:40:29 +0100 Subject: import trustdb.gpg or start from scratch? In-Reply-To: <87625bi3op.fsf@gnupg.org> References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> Message-ID: On 12 November 2012 10:13, Werner Koch wrote: > On Sat, 10 Nov 2012 20:33, melvincarvalho at gmail.com said: > > > gpg --import-ownertrust trustdb.gpg > > That does not work. --import-ownertrust expects the format as produced > by --export-ownertrust. What you can do is to put trustdb.gpg into an > empty directy and run the export command: > > cp trustdb.gpg YOURTMPDIR > gpg --homedir YOURTMPDIR --export-ownertrust > foo > > Then import foo. > Worked! Thanks so much. So I assume when backing up a key you should always back up trustdb too? > > Salam-Shalom, > > Werner > > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Tue Nov 13 18:45:38 2012 From: wk at gnupg.org (Werner Koch) Date: Tue, 13 Nov 2012 18:45:38 +0100 Subject: import trustdb.gpg or start from scratch? 
In-Reply-To: (Melvin Carvalho's message of "Tue, 13 Nov 2012 15:40:29 +0100")
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org>
Message-ID: <87obj1l7lp.fsf@vigenere.g10code.de>

On Tue, 13 Nov 2012 15:40, melvincarvalho at gmail.com said:

> So I assume when backing up a key you should always back up trustdb too?

Yes. Actually everything in ~/.gnupg and below should go into the
backup.

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From rjh at sixdemonbag.org Wed Nov 14 00:27:01 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 13 Nov 2012 18:27:01 -0500
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <87obj1l7lp.fsf@vigenere.g10code.de>
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de>
Message-ID: <50A2D745.1060804@sixdemonbag.org>

On 11/13/12 12:45 PM, Werner Koch wrote:
> Yes. Actually everything in ~/.gnupg and below should go into the
> backup.

Including random_seed? I've always been under the impression that's a
big no-no.

From mailinglisten at hauke-laging.de Wed Nov 14 06:17:26 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 14 Nov 2012 06:17:26 +0100
Subject: Anyone interested in preparing and improving training courses?
Message-ID: <1807840.et29ga4asN@inno>

Hello,

after having given training courses earlier (voluntarily) for small groups of
non-IT people I have just given my first OpenPGP / GnuPG course at the Berlin
Linux user group. My plan is to establish this as a permanent service.

The most important information I learnt from this training course is that it
is extremely important to have a good plan what to put into such a course
(even for people assumed to be IT-related). I think it's safe to assume that
my technical skills exceed my teaching skills a lot. Don't laugh about my
course now...
I hope that doing this on a regular basis will help me to improve the
course content, the course slides, the attendee preparation and so on.

Now, that I have explained my situation, my question: Is anyone on this list
interested in a regular exchange of experiences with and ideas for GnuPG
training courses? Someone who has already given such courses or is planning or
at least willing to do so?

Obviously my material and web page are in German so understanding German would
be helpful. But the knowledge how to make a good training course should be
language independent.

A similar problem: How can more people be interested in learning GnuPG? My
current approach is to teach the BeLUG members first and then make them take
their non-BeLUG contacts to a later course.

Perfect would be somebody interested and experienced in this and living in
Berlin, of course. ;-) But input from everyone else is welcome, too.

Contact me by email or XMPP (hauke.laging at googlemail.com).

Hauke
--
? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 572 bytes
Desc: This is a digitally signed message part.
URL:

From wk at gnupg.org Wed Nov 14 10:52:06 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 14 Nov 2012 10:52:06 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <50A2D745.1060804@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 13 Nov 2012 18:27:01 -0500")
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org>
Message-ID: <87390cldfd.fsf@vigenere.g10code.de>

On Wed, 14 Nov 2012 00:27, rjh at sixdemonbag.org said:

> Including random_seed? I've always been under the impression that's a
> big no-no.

Well, it is a backup and assumed to be used after a loss of data and not
to replicate the data to several sites.

random_seed is a cache file to speed up things. It is never used
directly. For key generation we make sure that at least 300 fresh
random bytes are mixed into the 600 bytes of the random pool (the state
on which the RNG works).

For session keys, we work on a random pool which has been initialized
from the random_seed file. But we also mix some other state into it
(from the fast entropy gatherer). Without a random_seed file, every use
of session keys (i.e. a plain public key encryption) would require a lot
of time to get entropy from the slow gatherer (usually /dev/random).
That just takes too long and wastes precious entropy.

Thus I consider it better to back up everything than to forget an
important file. Backups are always encrypted - aren't they?

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From kristian.fiskerstrand at sumptuouscapital.com Wed Nov 14 12:15:49 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 14 Nov 2012 12:15:49 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <87390cldfd.fsf@vigenere.g10code.de>
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org> <87390cldfd.fsf@vigenere.g10code.de>
Message-ID: <50A37D65.2040608@sumptuouscapital.com>

On 11/14/2012 10:52 AM, Werner Koch wrote:
> On Wed, 14 Nov 2012 00:27, rjh at sixdemonbag.org said:
>
>> Including random_seed? I've always been under the impression that's a
>> big no-no.
>
> Well, it is a backup and assumed to be used after a loss of data and not
> to replicate the data to several sites.
>
> random_seed is a cache file to speed up things. It is never used
> directly. For key generation we make sure that at least 300 fresh
> random bytes are mixed into the 600 bytes of the random pool (the state
> on which the RNG works).
> > For session keys, we work on a random pool which has been initialized > from the random_seed file. But we also mix some other state into it > (from the fast entropy gatherer). Without a random_seed file, every use > of session keys (i.e. a plain public key encryption) would require a lot > of time to get entropy from the slow gatherer (usually /dev/random). > That just takes too long and wastes precious entropy. Is there any configuration option to force the use of /dev/random? I'm thinking mainly of the case where a system has a TRNG device and there isn't expected to be a block on such a request. -- ---------------------------- Kristian Fiskerstrand http://www.sumptuouscapital.com Twitter: @krifisk ---------------------------- Divide et impera Divide and govern ---------------------------- This email was digitally signed using the OpenPGP standard. If you want to read more about this The book: Sending Emails - The Safe Way: An introduction to OpenPGP security is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/ ---------------------------- Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 903 bytes Desc: OpenPGP digital signature URL: From kuerzn at googlemail.com Wed Nov 14 11:34:53 2012 From: kuerzn at googlemail.com (Johannes Gerer) Date: Wed, 14 Nov 2012 11:34:53 +0100 Subject: import trustdb.gpg or start from scratch? In-Reply-To: <87390cldfd.fsf@vigenere.g10code.de> References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org> <87390cldfd.fsf@vigenere.g10code.de> Message-ID: How do I decrypt my backup in case of a disaster, if the secret key is in the encrypted backup? 
Am 14.11.2012 11:08 schrieb "Werner Koch" : > On Wed, 14 Nov 2012 00:27, rjh at sixdemonbag.org said: > > > Including random_seed? I've always been under the impression that's a > > big no-no. > > Well, it is a backup and assumed to be used after a loss of data and not > to replicate the data to several sites. > > random_seed is a cache file to speed up things. It is never used > directly. For key generation we make sure that at least 300 fresh > random bytes are mixed into the 600 bytes of the random pool (the state > on which the RNG works). > > For session keys, we work on a random pool which has been initialized > from the random_seed file. But we also mix some other state into it > (from the fast entropy gatherer). Without a random_seed file, every use > of session keys (i.e. a plain public key encryption) would require a lot > of time to get entropy from the slow gatherer (usually /dev/random). > That just takes too long and wastes precious entropy. > > Thus I consider it better to backup everything than to forget an > important file. Backup's are always encrypted - aren't they? > > > Shalom-Salam, > > Werner > > -- > Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wk at gnupg.org Wed Nov 14 22:02:03 2012 From: wk at gnupg.org (Werner Koch) Date: Wed, 14 Nov 2012 22:02:03 +0100 Subject: import trustdb.gpg or start from scratch? 
In-Reply-To: (Johannes Gerer's message of "Wed, 14 Nov 2012 11:34:53 +0100")
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org> <87390cldfd.fsf@vigenere.g10code.de>
Message-ID: <871ufvgapg.fsf@vigenere.g10code.de>

On Wed, 14 Nov 2012 11:34, kuerzn at googlemail.com said:
> How do I decrypt my backup in case of a disaster, if the secret key is in
> the encrypted backup?

You surely have your secret key somewhere on a CD or a printout
(cf. paperkey), right?

Salam-Shalom,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From wk at gnupg.org Wed Nov 14 22:03:54 2012
From: wk at gnupg.org (Werner Koch)
Date: Wed, 14 Nov 2012 22:03:54 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <50A37D65.2040608@sumptuouscapital.com> (Kristian Fiskerstrand's message of "Wed, 14 Nov 2012 12:15:49 +0100")
References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org> <87390cldfd.fsf@vigenere.g10code.de> <50A37D65.2040608@sumptuouscapital.com>
Message-ID: <87txsrew1x.fsf@vigenere.g10code.de>

On Wed, 14 Nov 2012 12:15, kristian.fiskerstrand at sumptuouscapital.com said:

> Is there any configuration option to force the use of /dev/random? I'm

You mean, not to use the seed file?

  gpg --no-random-seed-file

Shalom-Salam,

   Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

From kristian.fiskerstrand at sumptuouscapital.com Wed Nov 14 22:18:12 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 14 Nov 2012 22:18:12 +0100
Subject: import trustdb.gpg or start from scratch?
In-Reply-To: <87txsrew1x.fsf@vigenere.g10code.de> References: <87txt0tfj3.fsf@vigenere.g10code.de> <87625bi3op.fsf@gnupg.org> <87obj1l7lp.fsf@vigenere.g10code.de> <50A2D745.1060804@sixdemonbag.org> <87390cldfd.fsf@vigenere.g10code.de> <50A37D65.2040608@sumptuouscapital.com> <87txsrew1x.fsf@vigenere.g10code.de> Message-ID: <50A40A94.90301@sumptuouscapital.com> On 11/14/2012 10:03 PM, Werner Koch wrote: > On Wed, 14 Nov 2012 12:15, kristian.fiskerstrand at sumptuouscapital.com > said: > >> Is there any configuration option to force the use of /dev/random? I'm > > You mena, not to use the seed file? > > gpg --no-random-seed-file > I do indeed, thank you :) -- ---------------------------- Kristian Fiskerstrand http://www.sumptuouscapital.com Twitter: @krifisk ---------------------------- "Great things are not accomplished by those who yield to trends and fads and popular opinion." (Jack Kerouac) ---------------------------- This email was digitally signed using the OpenPGP standard. If you want to read more about this The book: Sending Emails - The Safe Way: An introduction to OpenPGP security is available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/ ---------------------------- Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 903 bytes Desc: OpenPGP digital signature URL: From mailinglisten at hauke-laging.de Fri Nov 16 06:02:54 2012 From: mailinglisten at hauke-laging.de (Hauke Laging) Date: Fri, 16 Nov 2012 06:02:54 +0100 Subject: setting primary UID of other's keys and allowing direct UID subaddressing Message-ID: <2554028.aj5erzppO9@inno> Hello, I just noticed that I cannot set the primary UID of a key for which I don't have the secret key. From the perspective of an official certificate that makes sense but for the usage of a public key it does not IMHO. 
The primary UID has technical implications and is the only one shown in several
cases. The key owner has his reasons for choosing this UID as the primary but
these reasons need not make sense for some users of his key. The primary UID
may not even contain the name or not an email address.

I created my new key with a primary UID which consists of my name and a comment
only. This may seem stupid or disturbing for someone who has imported several
of my keys.

I see absolutely no reason why the key owner should force the decision which
UID is shown on the key user (the more as he probably doesn't even want to).

Deleting the unwanted UIDs is not an option because they come back with every
key(ring) update. Nor would this approach be very elegant...

But this is not just about visual appearance. Key information like preferred
keyserver, policy URL and cipher/hash preferences are bound to the UIDs. It
says in the documentation that these pieces of information are taken from the
respective UID - IF the key is addressed by the UID. This is not a good idea
if there are several keys with matching UIDs.

I admit I was too lazy to check but I doubt that the email clients use the
email address for key selection. The two programs I know (KMail and
Thunderbird / Enigmail) ask you for the key to be used if you add someone to
the addressbook or define a recipient rule. But they show you the key ID so I
guess they select the key by its ID, too (which makes perfect sense in
general). But if they do then the data of the primary UID is used because gpg
doesn't even know which address the data is sent to.

AFAIK it is not even possible to use both a key ID and a UID simultaneously to
select a key. But this would be necessary for the intended result.

Thus I would like to suggest two changes to gpg:

1) Allow a configuration (external to the key like the ownertrust) to set the
UID to be used as primary UID in the local system.
In order to get the current behaviour a new option would be necessary, something like: --use-real-primary-uid It seems to me that you need --list-options show-sig-subpackets to get an explicit statement of gpg which is the primary UID. I don't think that normal applications do that. Probably they consider the first UID output by gpg to be the primary (this formal status is not relevant to applications anyway). Could be covered by (1) mostly but would be nice anyway: 2) Allow a combined key ID - UID addressing scheme. As even the email address can occur in several UIDs a clean solution would be to use "UID IDs" along the lines of key IDs. Internally the UIDs are already hashed anyway (and shown: field 8 of --with-colons output) so just take the last 32 bit of that hash as UID ID. Key selection could look like this then: gpg --recipient 0x1A571DF5/0x7AAE70CD --sign --encrypt That would be a simple change for the email clients. Hauke -- ? PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (seit 2012-11-04) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 572 bytes Desc: This is a digitally signed message part. URL: From dshaw at jabberwocky.com Fri Nov 16 07:00:50 2012 From: dshaw at jabberwocky.com (David Shaw) Date: Fri, 16 Nov 2012 01:00:50 -0500 Subject: setting primary UID of other's keys and allowing direct UID subaddressing In-Reply-To: <2554028.aj5erzppO9@inno> References: <2554028.aj5erzppO9@inno> Message-ID: <34C034CD-62B1-4D35-A21B-CCD64B0CE02F@jabberwocky.com> On Nov 16, 2012, at 12:02 AM, Hauke Laging wrote: > Thus I would like to suggest two changes to gpg: > > 1) Allow a configuration (external to the key like the ownertrust) to set the > UID to be used as primary UID in the local system. 
> In order to get the current
> behaviour a new option would be necessary, something like:
> --use-real-primary-uid

This violates the spec:

   Implementing software should interpret a self-signature's preference subpackets as narrowly as possible. For example, suppose a key has two user names, Alice and Bob. Suppose that Alice prefers the symmetric algorithm CAST5, and Bob prefers IDEA or TripleDES. If the software locates this key via Alice's name, then the preferred algorithm is CAST5; if software locates the key via Bob's name, then the preferred algorithm is IDEA. If the key is located by Key ID, the algorithm of the primary User ID of the key provides the preferred symmetric algorithm.

and later:

   The symmetric algorithm preference is an ordered list of algorithms that the keyholder accepts. Since it is found on a self-signature, it is possible that a keyholder may have multiple, different preferences. For example, Alice may have TripleDES only specified for "alice at work.com" but CAST5, Blowfish, and TripleDES specified for "alice at home.org". Note that it is also possible for preferences to be in a subkey's binding signature.

It would violate Alice's desires to use alice at home's preferences when emailing alice at work. She specified what algorithms she wants for each location (say, for example, that her work has policies about which algorithms are permissible for work mail). Changing which user ID is primary does something similar - it changes what algorithm will be used without her permission.

> 2) Allow a combined key ID - UID addressing scheme. As even the email address
> can occur in several UIDs a clean solution would be to use "UID IDs" along the
> lines of key IDs. Internally the UIDs are already hashed anyway (and shown:
> field 8 of --with-colons output) so just take the last 32 bit of that hash as
> UID ID. Key selection could look like this then:
>
> gpg --recipient 0x1A571DF5/0x7AAE70CD --sign --encrypt

This is legal, but possibly overkill.
If the intent is to say "encrypt to user at example.com, but I want the one attached to key 0x12345678" then I'd do it as something like "gpg -r 0x12345678:user at example.com". There is no need to use a hash of the user ID here, as it doesn't disambiguate any more or any less than the actual string does (given the same user ID string, you'll have the same hash each time).

That said, it does seem like overkill. How much of a problem is this in practice?

David

From expires2012 at rocketmail.com Sat Nov 17 00:27:43 2012
From: expires2012 at rocketmail.com (MFPA)
Date: Fri, 16 Nov 2012 23:27:43 +0000
Subject: setting primary UID of other's keys and allowing direct UID subaddressing
In-Reply-To: <2554028.aj5erzppO9@inno>
References: <2554028.aj5erzppO9@inno>
Message-ID: <1726082744.20121116232743@my_localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi

On Friday 16 November 2012 at 5:02:54 AM, in , Hauke Laging wrote:

> I see absolutely no reason why the key owner should
> force the decision which UID is shown on the key user

Doesn't GnuPG list them all? Or did you mean in a GUI key manager?

> I admit I was too
> lazy to check but I doubt that the email clients use
> the email address for key selection.

At least one email client does: The Bat! passes the email address in angle brackets to GnuPG for key selection. If more than one key matches, you get a choice. And if the email in the UID is not surrounded by angle brackets, it does not match.
- --
Best regards

MFPA mailto:expires2012 at rocketmail.com

Only dead fish go with the flow

From jeff.dagenais at gmail.com Tue Nov 20 04:57:13 2012
From: jeff.dagenais at gmail.com (Jean-François Dagenais)
Date: Mon, 19 Nov 2012 22:57:13 -0500
Subject: Authenticating info on a "compromizable" system
Message-ID: <3332C439-CC7E-49A5-B297-3808A9AC6605@gmail.com>

Hi all,

BTW, I am a seasoned programmer, systems designer and kernel hacker but totally new to cryptography. I am in the process of trying to absorb information right now about gpg... I would like to shortcut to my destination faster however. Hope someone can give some clues and/or directions.

We have a linux embedded system (yocto based) which, once into the wild, can essentially be considered compromizable, i.e. root access, replace kernel, software, etc.

We write information in EEPROMs which are located on 2-3 components (physical electronic boards) in the system. The information is of the kind:
- product id number
- board serial number
- unit serial number
- etc.

I want to sign the content somehow (not encrypt it, it's not sensitive info) so that the running software (which could be compromised remember) can authenticate the information as coming from the company, its production crew, or authorized resellers which may have to perform board swapping and such.

Authentication ensures we can detect system tampering, honour software options, warranty and such. Of course we want to make it hard for attackers to fake this, it doesn't have to be bullet-proof.

I thought of generating a key for this purpose, call it "Production key", with a passphrase on it. Authorized people are given the passphrase.
And the software has the public key obfuscated in its bowels. Rotate the obfuscation on each update release to mess with the attacker.

This is too simple to be useable I imagine, hence reaching out to the mailing list.

As a side question, if the "Production key" pgp key-pair has a passphrase on it, can its .gnupg dir with the trustdb.gpg be out in the wild? I ask because the EEPROM update tool might have be distributed with the system.

Thanks for the pointers... until then, I will go back to scanning the documentation for clues ;)

/jfd

From mailinglisten at hauke-laging.de Tue Nov 20 07:45:44 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Tue, 20 Nov 2012 07:45:44 +0100
Subject: Authenticating info on a "compromizable" system
In-Reply-To: <3332C439-CC7E-49A5-B297-3808A9AC6605@gmail.com>
References: <3332C439-CC7E-49A5-B297-3808A9AC6605@gmail.com>
Message-ID: <2937411.o4erQNIV7J@inno>

On Mon 19.11.2012, 22:57:13, Jean-François Dagenais wrote:

> We write information in EEPROMs which are located on 2-3 components
> (physical electronic boards) in the system. The information is of the kind:
> - product id number - board serial number - unit serial number - etc.
>
> I want to sign the content somehow (not encrypt it, it's not sensitive info)
> so that the running software (which could be compromised remember) can
> authenticate the information as coming from the company, its production
> crew, or authorized resellers which may have to perform board swapping and
> such.
>
> Authentication ensures we can detect system tampering, honour software
> options, warranty and such. Of course we want to make it hard for attackers
> to fake this, it doesn't have to be bullet-proof.
>
> I thought of generating a key for this purpose, call it "Production key",
> with a passphrase on it. Authorized people are given the passphrase. And
> the software has the public key obfuscated in its bowels.
> Rotate the
> obfuscation on each update release to mess with the attacker.
>
> This is too simple to be useable I imagine, hence reaching out to the
> mailing list.

I think it is as you describe: Easy but of limited protection (depending on the possibility to compromise your software or its keyring or the contained gnupg). And, of course, it does not prevent an attacker from copying a signed configuration from another system.

> As a side question, if the "Production key" pgp key-pair has a passphrase on
> it, can its .gnupg dir with the trustdb.gpg be out in the wild? I ask
> because the EEPROM update tool might have be distributed with the system.

A passphrase like gslLThmk8DlrZR1Me6 offers protection similar to that of a 2048 bit key (see --s2k-count, too). So disclosing the safely encrypted secret key would not be a problem. How such an observation might influence the opinion of your customers and partners about your work is a different question, of course...

trustdb.gpg just stores the ownertrust level of keys. It just tells someone which (but not necessarily all) keys you have in your keyring and how much you trust them.

Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From cloos at jhcloos.com Wed Nov 21 02:01:57 2012
From: cloos at jhcloos.com (James Cloos)
Date: Tue, 20 Nov 2012 20:01:57 -0500
Subject: splot x,y,z,color w pm3d
Message-ID:

I'd like to do pm3d splots of datafiles using three columns for x, y, z and a fourth column for the color at that point.

Can gnuplot do that without first pre-processing the data into datablocks?

If not, what should the files look like to specify a colour independent of the third column?
-JimC
--
James Cloos OpenPGP: 1024D/ED7DAEA6

From rjh at sixdemonbag.org Wed Nov 21 03:36:08 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 20 Nov 2012 21:36:08 -0500
Subject: splot x,y,z,color w pm3d
In-Reply-To:
References:
Message-ID: <50AC3E18.904@sixdemonbag.org>

On 11/20/12 8:01 PM, James Cloos wrote:
> Can gnuplot do that without first pre-processing the data into
> datablocks?

I don't know, but I hope you're able to find someone who does. You may wish to consider asking on a Gnuplot-related mailing list: this one is about the GNU Privacy Guard, a piece of cryptographic software to help secure email and files. :)

You may want to check out:

http://www.gnuplot.info/help.html

From mailinglisten at hauke-laging.de Wed Nov 21 18:46:36 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 21 Nov 2012 18:46:36 +0100
Subject: making (future) OpenPGP cards without PIN pad safer
Message-ID: <15388590.nla8gUO9Ni@inno>

Hello,

I am not familiar with smartcard hardware especially not with the way how the passwords are checked on the smartcards. From this naive perspective this just came to my mind:

I have a card reader with PIN pad but there are several card readers without one. I never liked the idea of connecting a smartcard to an unsafe system but I understand the cost argument.

The card already has additional storage for private use (if I have understood the documentation correctly). The idea: Wouldn't it be rather easily possible to allow the use of the card by

a) either the real password (like today)

b) or one of several one-time passwords (TANs) which you can load into the card by supplying the real password (or the admin password)?

This reduces the risk of using the card with systems of unknown security a lot (without increasing the cost of the card).

Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From cloos at jhcloos.com Wed Nov 21 19:48:35 2012
From: cloos at jhcloos.com (James Cloos)
Date: Wed, 21 Nov 2012 13:48:35 -0500
Subject: splot x,y,z,color w pm3d
In-Reply-To: (James Cloos's message of "Tue, 20 Nov 2012 20:01:57 -0500")
References:
Message-ID:

[SIGH]

Needless to say that went to the wrong list.

-JimC
--
James Cloos OpenPGP: 1024D/ED7DAEA6

From cloos at jhcloos.com Wed Nov 21 19:50:32 2012
From: cloos at jhcloos.com (James Cloos)
Date: Wed, 21 Nov 2012 13:50:32 -0500
Subject: splot x,y,z,color w pm3d
In-Reply-To: <50AC3E18.904@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 20 Nov 2012 21:36:08 -0500")
References: <50AC3E18.904@sixdemonbag.org>
Message-ID:

RJH> You may wish to consider asking on a Gnuplot-related mailing list:

As one might guess, gnupg is right next to gnuplot in my *Group* buffer.

Sometimes cut-n-paste misses.

-JimC
--
James Cloos OpenPGP: 1024D/ED7DAEA6

From lists at michel-messerschmidt.de Wed Nov 21 20:42:38 2012
From: lists at michel-messerschmidt.de (Michel Messerschmidt)
Date: Wed, 21 Nov 2012 20:42:38 +0100
Subject: making (future) OpenPGP cards without PIN pad safer
In-Reply-To: <15388590.nla8gUO9Ni@inno>
References: <15388590.nla8gUO9Ni@inno>
Message-ID: <20121121194238.GA4887@ryu.matrix>

On Wed, Nov 21, 2012 at 06:46:36PM +0100, Hauke Laging wrote:
> The card already has additional storage for private use (if I have understood
> the documentation correctly). The idea: Wouldn't it be rather easily possible
> to allow the use of the card by
>
> a) either the real password (like today)
>
> b) or one of several one-time passwords (TANs) which you can load into the
> card by supplying the real password (or the admin password)?
>
> This reduces the risk of using the card with systems of unknown security a lot
> (without increasing the cost of the card).

If you want to reduce the dependency on unknown systems, I would rather have a look at cards with integrated keypad. A future OpenPGP card might take advantage of this feature.

It will not remove the trust dependency on a potentially insecure system, but will reduce the exposure of your credentials (private key and PIN/passphrase).

From mailinglisten at hauke-laging.de Wed Nov 21 21:45:31 2012
From: mailinglisten at hauke-laging.de (Hauke Laging)
Date: Wed, 21 Nov 2012 21:45:31 +0100
Subject: making (future) OpenPGP cards without PIN pad safer
In-Reply-To: <20121121194238.GA4887@ryu.matrix>
References: <15388590.nla8gUO9Ni@inno> <20121121194238.GA4887@ryu.matrix>
Message-ID: <3514237.UoF8DiE2RY@inno>

On Wed 21.11.2012, 20:42:38, Michel Messerschmidt wrote:

> If you want to reduce the dependency on unknown systems, I would
> rather have a look at cards with integrated keypad.
> A future OpenPGP card might take advantage of this feature.

That is more expensive than my proposal but not safer. The only advantage is that card usage is not blocked if you need more crypto operations than you have TANs available. But that is mainly a question of storage (i.e. no problem).

Hauke
--
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)

From mls at jama.is Thu Nov 22 08:30:36 2012
From: mls at jama.is (mls at jama.is)
Date: Thu, 22 Nov 2012 08:30:36 +0100
Subject: making (future) OpenPGP cards without PIN pad safer
In-Reply-To: <3514237.UoF8DiE2RY@inno>
References: <15388590.nla8gUO9Ni@inno> <20121121194238.GA4887@ryu.matrix> <3514237.UoF8DiE2RY@inno>
Message-ID: <1432551.HdymiLOHUU@e9a4bfs47>

On Wednesday, 21. November 2012, 21:45:31 Hauke Laging wrote:
> That is more expensive than my proposal but not safer.
> The only advantage is
> that card usage is not blocked if you need more crypto operations than you
> have TANs available. But that is mainly a question of storage (i.e. no
> problem).

But it is also much more convenient. I personally would prefer a card with an integrated keyboard over using TANs.

Regards,
mls

From andre76 at fastmail.fm Fri Nov 23 06:17:27 2012
From: andre76 at fastmail.fm (andre76 at fastmail.fm)
Date: Fri, 23 Nov 2012 06:17:27 +0100
Subject: Possibility of corrupted file?
Message-ID: <1353647847.8350.140661157114629.385E1B34@webmail.messagingengine.com>

What is the possibility of gpg encrypted file becoming corrupted? I use another file encryption program and have never had any problems with any file that was encrypted. So, I'm beginning to experiment with using symmetric encryption of files to myself and I want to get an idea from experienced long term users of the likelihood of a file getting ruined by gpg. What do you think?

--
http://www.fastmail.fm - The way an email service should be

From mathias at koerber.org Fri Nov 23 11:20:40 2012
From: mathias at koerber.org (Mathias Koerber)
Date: Fri, 23 Nov 2012 18:20:40 +0800
Subject: signing key selection - GNUPG Keychain Access
Message-ID: <50AF4DF8.9000204@koerber.org>

I am using GNUPG Keychain Access on Mountain Lion and am trying to sign keys.

The popup offers my available private keys in the dropdown only by the email address/comment text, but since I have several keys with the same email address, it is impossible to tell which is which.

Should that not also show the keyID to make it possible to properly identify which key is to be used?

Is there a preference setting for that?

TiA
M
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2012-11-22 at 10.18.10 PM.jpg
Type: image/jpeg
Size: 25683 bytes
Desc: not available
URL:

From rjh at sixdemonbag.org Fri Nov 23 17:38:02 2012
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Fri, 23 Nov 2012 11:38:02 -0500
Subject: Possibility of corrupted file?
In-Reply-To: <1353647847.8350.140661157114629.385E1B34@webmail.messagingengine.com>
References: <1353647847.8350.140661157114629.385E1B34@webmail.messagingengine.com>
Message-ID: <50AFA66A.4090807@sixdemonbag.org>

On 11/23/2012 12:17 AM, andre76 at fastmail.fm wrote:
> What is the possibility of gpg encrypted file becoming corrupted?

Minuscule, to the point where I have not ever heard of GnuPG mangling a file. Your file may get corrupted while it's on disk, a stray cosmic ray may flip a bit, and so on, but GnuPG itself is quite reliable in this regard.

From mlisten at hammernoch.net Fri Nov 23 20:08:11 2012
From: mlisten at hammernoch.net (Ludwig Hügelschäfer)
Date: Fri, 23 Nov 2012 20:08:11 +0100
Subject: signing key selection - GNUPG Keychain Access
In-Reply-To: <50AF4DF8.9000204@koerber.org>
References: <50AF4DF8.9000204@koerber.org>
Message-ID: <50AFC99B.2010707@hammernoch.net>

On 23.11.12 11:20, Mathias Koerber wrote:
> I am using GNUPG Keychain Access on Mountain Lion
> and am trying to sign keys.
>
> The popup offers my available private keys in the dropdown only by the
> email address/comment text,
> but since I have several keys with the same email address, it is
> impossible to tell which is which.
>
> Should that not also show the keyID to make it possible to properly
> identify which key is to be used?
>
> Is there a preference setting for that?

Although I'm on Mac OS, I don't use Keychain Access, so I can't suggest a solution. Probably you'll get more attention in gpgtools support forum:

https://support.gpgtools.org/

HTH

Ludwig

From peter at asgalon.net Fri Nov 23 16:58:57 2012
From: peter at asgalon.net (Peter Koellner)
Date: Fri, 23 Nov 2012 16:58:57 +0100 (CET)
Subject: Debian64, gnupg-2.0.19, gpg-agent problems
Message-ID:

Hi!

I am configuring a crypto-stick for use with 4096 bit RSA keys and have run into two problems that look as if they are related to gpg-agent.

The first is that gpg2 somehow fails to ask for the PIN when decrypting a formerly encrypted test file, so I have to use gpg 1.4.x to decrypt. The other is that after enabling ssh support even gpg1 fails until I kill gpg-agent, then it asks for a pin again but ssh key authentication fails again...

I have described the setup process in
https://www.privacyfoundation.de/forum/viewtopic.php?f=13&t=1145&p=7789#p7789

I am not sure what debug data I could provide to get to the bottom of this, so if someone wants to take a look and needs more info, please CC: to my address...

regards
peter

--
peter kollner

From wk at gnupg.org Mon Nov 26 10:28:02 2012
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Nov 2012 10:28:02 +0100
Subject: Debian64, gnupg-2.0.19, gpg-agent problems
In-Reply-To: (Peter Koellner's message of "Fri, 23 Nov 2012 16:58:57 +0100 (CET)")
References:
Message-ID: <87y5hod87x.fsf@vigenere.g10code.de>

On Fri, 23 Nov 2012 16:58, peter at asgalon.net said:

> I am configuring a crypto-stick for use with 4096 bit RSA keys and have run into two problems that look as if they are related to gpg-agent.

4096 bit RSA OpenPGP smartcards do not yet work with released GnuPG versions. There is a reason why the cards have an imprint of 3072 ;-).

Salam-Shalom,

  Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Mon Nov 26 18:00:20 2012
From: wk at gnupg.org (Werner Koch)
Date: Mon, 26 Nov 2012 18:00:20 +0100
Subject: Debian64, gnupg-2.0.19, gpg-agent problems
In-Reply-To: (Peter Koellner's message of "Mon, 26 Nov 2012 12:56:09 +0100 (CET)")
References: <87y5hod87x.fsf@vigenere.g10code.de>
Message-ID: <87wqx8b8pn.fsf@vigenere.g10code.de>

On Mon, 26 Nov 2012 12:56, peter at asgalon.net said:

> with 3072 bit RSA keys with either gpg1 or gpg2?
> Or what type of keys
> would you recommend if I wanted to give someone with basic linux
> experience and a need for a reasonable level of communication privacy

The answer is simple and has been repeated here many times: Use the default values (as of now 2048 bit RSA).

Shalom-Salam,

  Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From peter at asgalon.net Mon Nov 26 12:56:09 2012
From: peter at asgalon.net (Peter Koellner)
Date: Mon, 26 Nov 2012 12:56:09 +0100 (CET)
Subject: Debian64, gnupg-2.0.19, gpg-agent problems
In-Reply-To: <87y5hod87x.fsf@vigenere.g10code.de>
References: <87y5hod87x.fsf@vigenere.g10code.de>
Message-ID:

On Mon, 26 Nov 2012, Werner Koch wrote:

> On Fri, 23 Nov 2012 16:58, peter at asgalon.net said:
>
>> I am configuring a crypto-stick for use with 4096 bit RSA keys and have run into two problems that look as if they are related to gpg-agent.
>
> 4096 bit RSA OpenPGP smartcards do not yet work with released GnuPG
> versions. There is a reason why the cards have an imprint of 3072 ;-).

Ah. It does not seem to get easier... ;-)

I recently got some requests from interested people who wanted to start using gnupg regularly, but a few first experimental steps showed that it was not quite that easy compiling a set of best practices for a layman to follow. So I thought I check out how it works with a USB crypto token, and so I just followed the claim that the card is capable of 4096 bit RSA encryption using gpg 2.0.19 - not that I needed maximum security keys that badly...

Basically, it seems to work now somehow with a combination of gpg2 and gpg1, but the tutorial might as well be suitable as a scary campfire story ;-)

So if I do interpret this correctly, should it work without any hassle with 3072 bit RSA keys with either gpg1 or gpg2?
Or what type of keys would you recommend if I wanted to give someone with basic linux experience and a need for a reasonable level of communication privacy a USB token and a few pages with instructions how to configure and use it, so they would not be in danger of tripping over their own feet sooner or later?

--
peter kollner

From duemme at gmail.com Wed Nov 28 17:29:46 2012
From: duemme at gmail.com (Mannini Matteo)
Date: Wed, 28 Nov 2012 17:29:46 +0100
Subject: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
Message-ID:

Hello Sirs,

I downloaded GPG W32 1.0.6-2 on a Windows machine. I started gpg from the command line and It created C:\gnupg. I have GPG running on another windows machine (I think is version 1.0.4) so I tried to import my keys. For the secretkey I tried like this:

export:
gpg --armor --output "secretkey.txt" --export-secret-keys "My-NAME"

import:
gpg --allow-secret-key-import "secdretkey.txt"

My problem is that after the import command nothing comes out if I enter:
gpg --list-secret-keys

Could you please tell me where I make a mistake ?

Regards
Matteo

From laurent.jumet at skynet.be Thu Nov 29 07:47:43 2012
From: laurent.jumet at skynet.be (Laurent Jumet)
Date: Thu, 29 Nov 2012 07:47:43 +0100
Subject: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
In-Reply-To:
Message-ID:

Hello Mannini !

Mannini Matteo wrote:

> I downloaded GPG W32 1.0.6-2 on a Windows machine.

Actually, I'm using version 1.4.12 and I cannot ensure you with the features of 1.0.6-2

--
Laurent Jumet KeyID: 0xCFAF704C

From peter at digitalbrains.com Thu Nov 29 10:16:51 2012
From: peter at digitalbrains.com (Peter Lebbing)
Date: Thu, 29 Nov 2012 10:16:51 +0100
Subject: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
In-Reply-To:
References:
Message-ID: <50B72803.6030700@digitalbrains.com>

> I downloaded GPG W32 1.0.6-2 on a Windows machine.
> I started gpg from the command line and It created C:\gnupg.
> I have GPG running on another windows machine (I think is version 1.0.4) so I
> tried to import my keys.

I'm confused by the version numbers you indicate. They sound like they're prehistoric, unsupported and simply too old to use.

> import:
> gpg --allow-secret-key-import "secdretkey.txt"

It should be:
gpg --allow-secret-key-import --import "secretkey.txt"

You are allowing secret key import, but not actually importing. You're invoking the default action, which for keys is displaying them, not importing them. So you need to specify that the wanted action is --import.

Good luck,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at

From wk at gnupg.org Thu Nov 29 10:24:48 2012
From: wk at gnupg.org (Werner Koch)
Date: Thu, 29 Nov 2012 10:24:48 +0100
Subject: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
In-Reply-To: (Mannini Matteo's message of "Wed, 28 Nov 2012 17:29:46 +0100")
References:
Message-ID: <87ip8o92xr.fsf@vigenere.g10code.de>

On Wed, 28 Nov 2012 17:29, duemme at gmail.com said:

> I downloaded GPG W32 1.0.6-2 on a Windows machine.

This is an 11 years old version of GnuPG! You should not use it at all. The current version is 1.4.12 and a simple installer is available at

  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.12.exe

> import:
> gpg --allow-secret-key-import "secdretkey.txt"

--allow-secret-key-import is only an option but not a command. Thus gpg will try to decrypt what is in secdretkey.txt - which is not possible - it will thus only show you the content of the file.

Use

  gpg --allow-secret-key-import --import "secdretkey.txt"

but please update to a modern and supported version first (then you don't need the --allow-secret-key-import anymore).

Shalom-Salam,

  Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dshaw at JABBERWOCKY.COM Fri Nov 30 00:26:45 2012
From: dshaw at JABBERWOCKY.COM (David Shaw)
Date: Thu, 29 Nov 2012 18:26:45 -0500
Subject: Paperkey with ECC support
Message-ID: <86CFEDE4-B525-4B1C-A2FC-F63BAD6748A1@JABBERWOCKY.COM>

Hi folks,

I've updated paperkey to work with elliptic curve OpenPGP keys. I would really appreciate it if anyone out there could give this devel version a try (either with ECC or regular keys, or ideally both).

Source: http://www.jabberwocky.com/software/paperkey/paperkey-1.3-devel.tar.gz
Source + Win32 binary: http://www.jabberwocky.com/software/paperkey/paperkey-1.3-devel-win32.zip

Thanks!

David

From duemme at gmail.com Thu Nov 29 10:49:39 2012
From: duemme at gmail.com (Mannini Matteo)
Date: Thu, 29 Nov 2012 10:49:39 +0100
Subject: GPG W32 1.0.6-2 - PRIVATE KEY IMPORT ISSUE
In-Reply-To: <87ip8o92xr.fsf@vigenere.g10code.de>
References: <87ip8o92xr.fsf@vigenere.g10code.de>
Message-ID:

I'm now running version 1.4.9 and everything works just fine.

Thank you.
Matteo

On Thu, Nov 29, 2012 at 10:24 AM, Werner Koch wrote:

> On Wed, 28 Nov 2012 17:29, duemme at gmail.com said:
>
> > I downloaded GPG W32 1.0.6-2 on a Windows machine.
>
> This is an 11 years old version of GnuPG! You should not use it at all.
> The current version is 1.4.12 and a simple installer is available at
>
> ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.4.12.exe
>
> > import:
> > gpg --allow-secret-key-import "secdretkey.txt"
>
> --allow-secret-key-import is only an option but not a command. Thus gpg
> will try to decrypt what is in secdretkey.txt - which is not possible -
> it will thus only show you the content of the file.
>
> Use
>
> gpg --allow-secret-key-import --import "secdretkey.txt"
>
> but please update to a modern and supported version first (then you
> don't need the --allow-secret-key-import anymore).
>
>
> Shalom-Salam,
>
> Werner
>
> --
> Thoughts are free. Exceptions are regulated by a federal law.

From sben1783 at yahoo.de Fri Nov 30 23:07:44 2012
From: sben1783 at yahoo.de (Ben Staude)
Date: Fri, 30 Nov 2012 23:07:44 +0100
Subject: Is it safe to rename file.gpg to `md5sum file`?
Message-ID: <50B92E30.1000902@yahoo.de>

Hi all,

I'm thinking about a scenario for remote backup with gpg-encrypted files (--symmetric, one by one). In addition to encrypting the files contents, I'd like to hide their names also.

My backup tool can do the gpg-part for me (i.e. encrypt every file when backing it up) and it creates a "summary" file with the source path of every file, some stat() details and (for deduplication purposes), the md5sum of the original file.

Now one simple and convenient approach to hide the file names would be a small script that iterates over the summary file and renames each gpg'ed file with its own (unencrypted) md5sum. That way, I could use the summary file as a lookup table to find an encrypted, md5sum-named file by its original name/path.

Is this a sane way to go? I'm wondering whether the md5sum leaks too much information about the original file contents, so that the encryption (--cipher-algo AES256 would be my current choice) isn't really safe any more?

Thanks in advance
Ben
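
The naming scheme from the message above, as an added example that is not part of the original post or of any backup tool: it builds the path-to-name lookup table from the plaintext MD5 and shows what the remote listing then lets a party who already holds a copy of a file check. The HMAC-based `keyed_name` alternative, the naming key and the sample files are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for files being backed up (not real data).
FILES = {
    "/home/ben/notes.txt": b"private notes, unique to this machine\n",
    "/home/ben/docs/leaflet.pdf": b"%PDF-1.4 stand-in for a widely shared document\n",
    "/home/ben/docs/leaflet-copy.pdf": b"%PDF-1.4 stand-in for a widely shared document\n",
}

# Hypothetical naming secret; it stays on the machine that holds the summary file.
NAMING_KEY = b"constructed-example-key"


def md5_name(plaintext: bytes) -> str:
    """Remote name as proposed in the post: MD5 of the unencrypted file."""
    return hashlib.md5(plaintext).hexdigest()


def keyed_name(plaintext: bytes, key: bytes = NAMING_KEY) -> str:
    """Assumed alternative: HMAC-SHA256 of the plaintext under a local secret."""
    return hmac.new(key, plaintext, hashlib.sha256).hexdigest()


def build_summary(files, namer):
    """Local lookup table: original path -> name of the encrypted object."""
    return {path: namer(data) for path, data in files.items()}


def remote_listing(summary):
    """What the backup host sees besides ciphertext: the set of object names."""
    return set(summary.values())


def holder_can_confirm(candidate: bytes, listing) -> bool:
    """Someone who sees the listing and already holds a copy of a file can
    hash that copy with plain MD5 and look for the result among the names."""
    return md5_name(candidate) in listing


if __name__ == "__main__":
    leaflet = FILES["/home/ben/docs/leaflet.pdf"]
    for label, namer in (("md5", md5_name), ("hmac", keyed_name)):
        summary = build_summary(FILES, namer)
        listing = remote_listing(summary)
        print(label, "objects:", len(listing),
              "known file confirmable:", holder_can_confirm(leaflet, listing))
```

Both naming functions are deterministic, so identical files still map to one object and deduplication keeps working; only the unkeyed variant lets a third party test the listing for a file it already has.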