GnuPG fails to import some PGP keys

Daniele Arena daniele@ripe.net
Fri, 20 Oct 2000 12:14:24 +0200 (CEST)


Hi Werner and all,

I guess that means we won't be able to import these two keys as-they-are
to a GnuPG keyring...:( Well, I guess we'll find some workaround.

I tried to find some documentation which would explain why some keys can
be imported by PGP but not by GnuPG (maybe that depends on how the key was
generated? The algorithm? The PGP version? Etc.), but I failed. Maybe
someone can provide me with some pointers to such documentation?

Again, thanks for the help.

Cheers,

Daniele.

--------------------------------------------------------------------------
Daniele Arena			RIPE NCC - Database Group
phone  : +31 20 535 4444	Singel 258
fax    : +31 20 535 4445	1016AB Amsterdam
e-mail : daniele@ripe.net	The Netherlands


On Thu, 19 Oct 2000, Werner Koch wrote:


> On Thu, 19 Oct 2000, Daniele Arena wrote:
>
> > Thanks a lot for the answer!
>
> No problem, we need the RIPE ;-)
>
> > The trick actually works, except for one key, 0x1228A499 (see below for
> > the full public key). I have to import this key in PGP, then export it and
>
> It seems that the signature packet is scrambled. I don't know why
> PGP accepts it.
>
> > If you could implement the b), that would be great. It would be especially
>
> Done - will show up in the CVS soon.
>
> > "--allow-non-selfsigned-uid" doesn't help. The key is 0x41B35C52, it is
> > correctly imported by PGP 5.0, and not even the
> > "import-then-export-with-pgp-then-try-gpg" trick works. Did I maybe hit an
>
> This key has a user ID with no self-signature and no other
> signature on it. You can't trust this user ID.
>
> At least one signature is needed to accept a user ID,
> --allow-non-selfsigned-uid just drops the requirement that this is
> a self-signature. I fixed the documentation of
> --allow-non-selfsigned-uid to make this more clear.
>
> This requirement of one arbitrary signature is not secure but the
> reason to implement the option was to help people with IN keys: The
> IN CA requires 2 keys: One SIGN-ONLY and another one for
> ENCRYPT-ONLY. Special strings in the user ID mark those keys.
> Because the encryption key is signed by the SIGN-ONLY key, there is
> no self-signature on that key.
>
> ciao,
>
> Werner
>
> --
> Werner Koch GnuPG key: 621CC013
> OpenIT GmbH http://www.OpenIT.de
>
> --
> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
> with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
>
>
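The acceptance rule described in Werner's quoted reply, as an added example that is not part of the original thread and is not GnuPG's code: it walks a binary keyblock and labels each user ID `self-signed` (accepted by default), `other-signed` (accepted only with `--allow-non-selfsigned-uid`) or `unsigned` (rejected either way, the situation reported for 0x41B35C52). It assumes old-format packet headers, v4 keys and signatures, and one-octet subpacket lengths; it reads only the issuer key ID and does not verify any signature cryptographically. All function names are hypothetical.

```python
# Added example; helper names are illustrative and not part of GnuPG.
import hashlib

def packets(data):
    """Yield (tag, body) for each old-format OpenPGP packet (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        tag, size = (data[i] >> 2) & 0x0F, 1 << (data[i] & 3)
        if (data[i] & 0xC0) != 0x80 or size == 8:
            raise ValueError("not an old-format, definite-length packet")
        n = int.from_bytes(data[i + 1:i + 1 + size], "big")
        yield tag, data[i + 1 + size:i + 1 + size + n]
        i += 1 + size + n

def key_id(body):
    """Key ID of a v4 public-key packet: low 64 bits of its SHA-1 fingerprint."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]

def issuer(sig):
    """Issuer key ID (subpacket type 16) of a v4 signature packet, else None."""
    pos = 4                                 # skip version, type, pk and hash algo
    for _ in range(2):                      # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        pos += 2
        while pos < end:                    # assumes one-octet subpacket lengths
            n = sig[pos]
            if (sig[pos + 1] & 0x7F) == 16:
                return sig[pos + 2:pos + 1 + n]
            pos += 1 + n
    return None

def classify_uids(keyblock):
    """Map each user ID to 'self-signed', 'other-signed' or 'unsigned'."""
    primary, uid, result = None, None, {}
    for tag, body in packets(keyblock):
        if tag in (2, 6) and body[0] != 4:
            raise ValueError("only v4 keys and signatures handled")
        if tag == 6:                        # primary public key
            primary = key_id(body)
        elif tag == 13:                     # user ID
            uid = body.decode("utf-8", "replace")
            result[uid] = "unsigned"
        elif tag == 2 and uid is not None:  # signature following a user ID
            if issuer(body) == primary:
                result[uid] = "self-signed"
            elif result[uid] == "unsigned":
                result[uid] = "other-signed"
        elif tag in (14, 17):               # subkey or user attribute
            uid = None
    return result
```

Run it on binary export output such as that of `gpg --export KEYID`, not on ASCII-armored text, which `packets()` rejects.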