GNUPG 1.0

Zygo Blaxell eayhfhbo@umail.corel.com
Thu, 25 Nov 1999 16:52:11 GMT 

Signed message created at Thu Nov 25 11:52:01 1999 by zblaxell@lain

------------=_943548717-24241-0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain

[ Sorry for answering a FAQ, but I'd like to know how well I really know
this stuff ;-) ]

On Wed, 24 Nov 1999 19:30:42 -0800 (PST), Todd A. Jacobs <nospam@codegnome.=
org> wrote:

>On Sun, 21 Nov 1999 erikg@nbnet.nb.ca wrote:

>

>> something, someone that has my public key but let's say is running PGP

>> whatever version, they *can* decrypt my messages right?

>

>Only the owner of the secret key can decrypt a message once it has been

>encoded for that key. In short, the answer is "no."


But perhaps erikg meant to ask a different question:

If someone is running PGP whatever version, and you send them an encrypted
message with their public key, can they decrypt it?

If you can get an implementation of RSA and IDEA from somewhere and
load it into GnuPG as an extension, theoretically you can do this.
Supposedly, you can send a PGP message to someone with a PGP version
2.x public key like this:

gpg --load-extension idea --load-extension rsa --rfc1991 \
	--digest-algo md5 --cipher-algo idea \
	--encrypt --recipient <user ID> message-file.txt

However, I just tested this with PGP 2.6.3a, and it didn't work.  I
created a new user account (so there's no user-specific configuration
lying around), generated a passphrase-less PGP key, exported the public
key from PGP, imported it into GPG, then tried to generate an encrypted
message with GPG and decrypt it with PGP.  Everything went well except
for decrypting it:

$ pgp -d test
Pretty Good Privacy(tm) 2.6.3a - Public-key encryption for the masses.
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software. 1996-03-04
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Distributed by the Massachusetts Institute of Technology.
Export of this software may be restricted by the U.S. government.
Current time: 1999/11/25 16:07 GMT

File is encrypted.  Secret key is required to read it.=20
Key for user ID: John Q. Smith <12345.6789@compuserve.com>
1024-bit key, key ID C47E0345, created 1999/11/25

Advisory warning: This RSA secret key is not protected by a passphrase.
Just a moment....
Error: Decrypted plaintext is corrupted.
=2E
For a usage summary, type:  pgp -h
For more detailed help, consult the PGP User's Guide.

If someone wants to look at this, secret keys and all (I generated the
secret keys only for the purpose of this test--normally I don't use PGP
at all), let me know.


>> really understand the trust thign.. I typed gpg --edit-key Acid-Duck

>

>You assign trust based on how much you trust the owner of the key to

>authenticate other keys.=20


Trust is a measure of whether or not you believe that the key belongs
to a particular person.  Mallory could generate a key with "Acid-Duck"
and an email address in the user ID (not the same key data as the one you
generated, but key data with the same name attached), and give it to Bob.
If Bob encrypts a message with that key, Mallory (and only Mallory)
can read it.  Mallory might pass the message along to you with your
public key, and Mallory might even pull the same trick on you so that
when you send mail to Bob, Mallory can read it.  As long as you and Bob
never verify each other's keys, you'll never know that Mallory reads
all your mail.

If you trust Alice, you can tell gpg that you want gpg to trust Alice's
key (by signing it with your key), as well as any key signed by Alice.
If Alice also signs Bob's real key, then you can tell the difference=20
between Bob's real key, and the fake key with the same user ID generated
by Mallory.

AFAICT, this doesn't change very much of GPG's behavior...it will still
verify signatures and return 0 exit status, even for untrusted keys.
However, GPG will give you warning messages, and it will prompt you if
you attempt to send a message to an untrusted key.  For people writing
wrappers around GPG (e.g. mail programs and GUIs), GPG will also output
information on --status-fd about the GPG computed trust value.

--=20
I don't speak for Corel. zygob@corel.ca at work, zblaxell@furryterror.org
at play.  GPG-encrypted email preferred at zblaxell@feedme.hungrycats.org
GPG @ Home fingerprint: 2B32 546D 21A5 0DB2 20C8  AF10 1D4A 610E 6972 2DEE
GPG @ Work fingerprint: CC25 D214 1B4B 2767 51B9  51E5 58DD 13B9 875B C08E

------------=_943548717-24241-0
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA4PWkxWN0TuYdbwI4RAliyAJ4kare5mCA7k6le9jlD7KRz54FK7wCfTF4W
Onr1jmAyAohTjlZPTD6IwOU=
=IZZA
-----END PGP SIGNATURE-----

------------=_943548717-24241-0--
-- 
The address in the headers is not the poster's real email address.  Do not send
private mail to the poster using your mailer's "reply" feature.  CC's of mail 
to mailing lists are OK.  Problem reports to "postmaster@umail.corel.com".  
The poster's email address is "zblaxell@lain.wine.lnx".