From dshaw@jabberwocky.com Fri May 2 13:45:02 2003 
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 2 12:45:02 2003
Subject: verification of clearsigned e-mails // question/request
In-Reply-To: <200304292102.33342@fortytwo.ch>
References: <200304291625.h3TGPfV8086335@mailserver3.hushmail.com> <200304292102.33342@fortytwo.ch>
Message-ID: <20030502034734.GB29938@jabberwocky.com>

On Tue, Apr 29, 2003 at 09:02:29PM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Tuesday 29 April 2003 18:25, vedaal@hush.com wrote:
> > for verification of clearsigned messages, when there is a 'bad' signature,
> >
> > would it be possible/feasible to have an option of '--try-all-unwraps',
>
> IMHO fixing a broken system of how clearsigned text is transported is not
> something that belongs into gpg, but into the system which deals with the
> (broken) transport of the text, i.e. the mail program.
>
> Even better: nag those who send broken signatures to fix their systems. I
> guess in 90% of the cases the problem is at the sender's end.

The wrapping problem seems to affect Windows PGP users far more than
users of any of the *nix systems. This isn't something intrinsic in
Windows, but rather in the mail programs on Windows - they generally
don't have direct OpenPGP integration, and so do tricks to grab the
text before sending. It's common to grab the text, sign it, and then
have the mail program be "helpful" and re-wrap the text before it
sends it.

I agree with Adrian. It would be nice to try several different
combinations of document to try and get an invalid sig to validate...
but that should be something external to GnuPG. It's the kind of
thing you could do with just a little perl or python (or quite a lot
of C).

David

From jbruni@mac.com Fri May 2 17:55:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Fri May 2 16:55:02 2003
Subject: verification of clearsigned e-mails // question/request
In-Reply-To: <20030502034734.GB29938@jabberwocky.com>
Message-ID:

This is not just with Windows. MS Outlook Express on Mac OS also tries
to be helpful by converting tabs into space runs after the message is
signed. Fortunately, Outlook Express does not run on OS X.

On Thursday, May 1, 2003, at 08:47 PM, David Shaw wrote:

> The wrapping problem seems to affect Windows PGP users far more than
> users of any of the *nix systems. This isn't something intrinsic in
> Windows, but rather in the mail programs on Windows - they generally
> don't have direct OpenPGP integration, and so do tricks to grab the
> text before sending. It's common to grab the text, sign it, and then
> have the mail program be "helpful" and re-wrap the text before it
> sends it.

From matt@rangie.com Fri May 2 19:15:02 2003
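The external helper discussed in the clearsign thread above (try several reconstructions of a re-wrapped body until one verifies), as an added example in Python; it is not code from any poster or from GnuPG. It undoes suspected mailer-inserted line breaks, fewest first, and covers re-wrapping only, not the tab-to-space conversion. All function names are hypothetical, and the sample message and `digest_verifier` are constructed stand-ins so the search can be run without keys; `gpg_verifies` is the real check and needs gpg plus the signer's public key.

```python
import hashlib
import itertools
import os
import subprocess
import tempfile

# Added example: names below are illustrative, not part of GnuPG.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"


def split_clearsigned(text):
    """Split a clearsigned message into (armor headers, body lines, signature block)."""
    lines = text.splitlines()
    start = lines.index(BEGIN_MSG)
    blank = lines.index("", start)      # a blank line ends the armor headers
    sig = lines.index(BEGIN_SIG, blank)
    # Undo dash-escaping: a signed line starting with "-" travels as "- -...".
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]
    return lines[start + 1:blank], body, "\n".join(lines[sig:])


def join_clearsigned(headers, body, signature):
    """Rebuild a clearsigned message around a candidate body."""
    escaped = ["- " + l if l.startswith("-") else l for l in body]
    return "\n".join([BEGIN_MSG, *headers, "", *escaped, signature]) + "\n"


def suspected_wraps(body, width=None):
    """Indexes i where the break after body[i] may have been inserted in transit:
    the first word of the next line would not have fitted on body[i]."""
    # No received line is longer than the mailer's wrap column, so the longest
    # line is a safe lower bound when the column is unknown.
    width = width or max((len(l) for l in body), default=0)
    points = []
    for i in range(len(body) - 1):
        cur, nxt = body[i], body[i + 1]
        if cur.strip() and nxt.strip() and not nxt[0].isspace():
            if len(cur) + 1 + len(nxt.split()[0]) > width:
                points.append(i)
    return points


def unwrap(body, joins):
    """Join body[i] and body[i + 1] with one space for every i in joins."""
    out, glue = [], False
    for i, line in enumerate(body):
        if glue:
            out[-1] += " " + line
        else:
            out.append(line)
        glue = i in joins
    return out


def gpg_verifies(clearsigned_text):
    """True if `gpg --verify` accepts the text (needs gpg and the signer's key)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "candidate.asc")
        with open(path, "w", newline="\n") as fh:
            fh.write(clearsigned_text)   # closed, hence flushed, before gpg reads it
        proc = subprocess.run(["gpg", "--batch", "--verify", path],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def recover(text, verifies=gpg_verifies, width=None, max_joins=3):
    """Return the first body variant that verifies, or None. The caller must use
    the returned text: it is what the signature covers, not the text as received."""
    headers, body, signature = split_clearsigned(text)
    points = suspected_wraps(body, width)
    for r in range(max_joins + 1):       # fewest undone line breaks first
        for chosen in itertools.combinations(points, r):
            variant = unwrap(body, set(chosen))
            if verifies(join_clearsigned(headers, variant, signature)):
                return "\n".join(variant)
    return None


def digest_verifier(expected_hex):
    """Constructed stand-in for a signature check, so the sample runs without
    keys: accepts a message only if SHA-256 of its body equals expected_hex."""
    def verifies(clearsigned_text):
        _, body, _ = split_clearsigned(clearsigned_text)
        return hashlib.sha256("\n".join(body).encode()).hexdigest() == expected_hex
    return verifies


# Constructed sample: SIGNED_BODY is the text as signed; RECEIVED is the same
# message after a mail client re-wrapped its first line.
SIGNED_BODY = (
    "Meeting moved to Thursday; please confirm with the whole team today.\n"
    "- agenda follows")
RECEIVED = join_clearsigned(
    ["Hash: SHA256"],
    ["Meeting moved to Thursday; please", "confirm with the whole team today.",
     "- agenda follows"],
    BEGIN_SIG + "\n\n(constructed placeholder)\n-----END PGP SIGNATURE-----")
```

With a real message, call `recover(text)` and leave `verifies` at its default; the search is bounded by `max_joins`, so heavily re-wrapped mail may need a larger value.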
From: matt@rangie.com (Matthew Reeve)
Date: Fri May 2 18:15:02 2003
Subject: Blank encrypted messages
In-Reply-To: <001b01c30ee9$b4f54e90$0800a8c0@ANYA>
Message-ID: <003c01c30f65$90f64cc0$0800a8c0@ANYA>

Found it!!

In the function below, I 'fopen' then 'fputs' to the file, but it's not
flushed until the file pointer goes out of scope at the end of the function.
At the time of calling gpg, the file is created but empty. By adding an
'fclose' call on that pointer prior to calling gpg the problem is solved!

That's why when running it from the command line there was no problem, even
when using the same files.

Anyway, thanks everyone for your help, both on and off list!

Matthew Reeve

> -----Original Message-----
> From: gnupg-users-admin@gnupg.org
> [mailto:gnupg-users-admin@gnupg.org] On Behalf Of Matthew Reeve
> Sent: 30 April 2003 08:26
> To: 'Joseph Bruni'
> Cc: gnupg-users@gnupg.org
> Subject: RE: Blank encrypted messages
>
>
>
> > Does the variable "$msg" exist in the subshell? If it's not defined then
> > you would be just echoing nothing into the left-hand side of the pipe.
>
> It's an interesting thought - I rewrote the script to look like this, also
> addressing Adam's concerns about the security of echoing $msg.
>
> The file called $plainTxt is created and contains the correct data. The file
> called $crypted is also created and contains a PGP message. However,
> decrypting the contents of $crypted gives an empty string.
>
> The 'echo' shows the encryption command is the following.
>
> /usr/bin/gpg --encrypt -v -ao /var/www/tempFiles/1195e9ed7ad15a57907ff4b87bc4653aoutput --always-trust -r matt@rangie.com /var/www/tempFiles/1195e9ed7ad15a57907ff4b87bc4653adata
>
>
> If I copy and paste the encryption command into a shell running as the
> apache user (instead of calling it from PHP), an encrypted file is created
> containing a PGP message which contains the correct data when decrypted.
>
> Is there any way to see what is going on with gpg while it's running?
>
> *********
> function _encrypt($msg)
> {
>     $oldhome = getEnv("HOME");
>     putenv("HOME=/var/www");
>
>     $tmpToken = md5(uniqid(rand()));
>     $plainTxt = "/var/www/tempFiles/" . $tmpToken . "data";
>     $crypted = "/var/www/tempFiles/" . $tmpToken . "output";
>     $fp = fopen($plainTxt, "w+");
>     fputs($fp, $msg);
>
>     echo "/usr/bin/gpg --encrypt -v -ao $crypted --always-trust -r matt@rangie.com $plainTxt";
>     passthru("/usr/bin/gpg --encrypt -v -ao $crypted --always-trust -r matt@rangie.com $plainTxt");
>     putenv("HOME=$oldhome");
>
>     $fd = fopen($crypted, "r");
>     $message = fread($fd, filesize($crypted));
>     fclose($fd);
>
>     return $message;
> }
> ***************
>
> Thanks for the help!
>
> Matthew Reeve
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

From eleuteri@myrealbox.com Fri May 2 19:20:02 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Fri May 2 18:20:02 2003
Subject: Feature request
Message-ID: <013701c310c6$4e125860$f92489c3@enterprise>

Hi,

When signing someone's key, you obtain a message saying something like:
"You are going to sign this with your key blablabla" where blablabla is your
primary UID. Could it be so that you'd get the UID of the primary key as
well?

--David.

From jbruni@mac.com Sat May 3 00:56:03 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Fri May 2 23:56:03 2003
Subject: Fwd: GPG ON UNIX 11
Message-ID: <2782763.1051912651736.JavaMail.jbruni@mac.com>

I have encountered the same thing that you have. The problem is that you
are trying to use GCC. When you use GCC it uses a different version of the
file "sys/types.h" that does not contain all the symbols that HP's version
of "sys/types.h" does. Try and change your configuration to use HP's ANSI C
compiler.

Specifically, GCC's version of sys/types.h does not define "bsize_t".

On Friday, May 02, 2003, at 12:33PM, Pedro Velez wrote:

>Hi Joseph
>
>Thanks for your response on HP UX Compilation errors
>
>I did these steps
>1. the file gettextP.h was modified and the result was the same with
>different errors
>2. We installed GCC, GNUMAKE and repeated the procedure again
>3. The result was the errors changed:
> /usr/include/sys/socket.h:502: parse error before "__sendpath64"
>/usr/include/sys/socket.h:502: parse error before "bsize_t"
>/usr/include/sys/socket.h:504: parse error before "sendfile"
>/usr/include/sys/socket.h: In function `sendfile':
>/usr/include/sys/socket.h:504: parse error before "bsize_t"
>/usr/include/sys/socket.h: At top level:
>/usr/include/sys/socket.h:505: parse error before "sendpath"
>/usr/include/sys/socket.h: In function `sendpath':
>/usr/include/sys/socket.h:505: parse error before "bsize_t"
>make[2]: *** [http.o] Error 1
>make[2]: Leaving directory `/home/G588LEXS/gnupg-1.2.1/util'
>make[1]: *** [all-recursive] Error 1
>make[1]: Leaving directory `/home/G588LEXS/gnupg-1.2.1'
>make: *** [all] Error 2
>
>
>Can you help us with this please?
>
>Thanks Again
>
>Pedro Velez
>
>
>Ca
>
>
>
>

--
PGP Fingerprint:
886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From dshaw@jabberwocky.com Sat May 3 04:46:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 3 03:46:02 2003
Subject: Feature request
In-Reply-To: <013701c310c6$4e125860$f92489c3@enterprise>
References: <013701c310c6$4e125860$f92489c3@enterprise>
Message-ID: <20030503014627.GA11042@jabberwocky.com>

On Fri, May 02, 2003 at 05:17:17PM +0100, David Picon Alvarez wrote:

> When signing someone's key, you obtain a message saying something like:
> "You are going to sign this with your key blablabla" where blablabla is your
> primary UID. Could it be so that you'd get the UID of the primary key as
> well?

I'm afraid I don't follow this. Can you give an example?

David

From eleuteri@myrealbox.com Sat May 3 05:56:02 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Sat May 3 04:56:02 2003
Subject: Feature request
References: <013701c310c6$4e125860$f92489c3@enterprise> <20030503014627.GA11042@jabberwocky.com>
Message-ID: <001701c3111f$198e9960$f92489c3@enterprise>

> I'm afraid I don't follow this. Can you give an example?

Excuse my confusion. What I'm saying is this. Let's say I want to sign key
aaaaaaaa and I own keys bbbbbbbb and cccccccc. Now instead of getting the
message:
"You are about to sign with your key name (comment) e-mail@address. type of
message I'd rather be told:
"You are about to sign with your key BBBBBBBB. Or even better the whole fpr.

When I said the UID I meant I wanted the keyID of the prim key.

I hope this makes a bit more sense. My mind is a bit dull after coding
useless stuff.

--David.

From jbruni@mac.com Sat May 3 06:21:03 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 3 05:21:03 2003
Subject: Feature request
In-Reply-To: <20030503014627.GA11042@jabberwocky.com>
Message-ID: <5799770C-7D16-11D7-9783-003065B1243E@mac.com>

On Friday, May 2, 2003, at 06:46 PM, David Shaw wrote:

>> When signing someone's key, you obtain a message saying something like:
>> "You are going to sign this with your key blablabla" where blablabla
>> is your primary UID. Could it be so that you'd get the UID of the
>> primary key as well?
>
> I'm afraid I don't follow this. Can you give an example?
>
> David
>

Friends don't let friends do English...

--
He felt that his whole life was some kind of dream and he sometimes
wondered whose it was and whether they were enjoying it. — Douglas Adams

From JPClizbe@attbi.com Sat May 3 06:32:02 2003
From: JPClizbe@attbi.com (John P. Clizbe)
Date: Sat May 3 05:32:02 2003
Subject: GPG 1.2.2 released?
Message-ID: <3EB33863.9020605@attbi.com>

I noticed 1.2.2 is now in the release subdirectories on the ftp server.
Is this the release version?

source (5/1/2003 6:00:00 PM):
 ftp://ftp.gnupg.org/GnuPG/gnupg/gnupg-1.2.2.tar.gz
 ftp://ftp.gnupg.org/GnuPG/gnupg/gnupg-1.2.2.tar.gz.sig

and Win32 binaries (5/1/2003 6:02:00 PM):
 ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.2.2.zip
 ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.2.2.zip.sig

No news on the GnuPG-Announce list. Hopefully we'll see a Nullify build
soon.

--
John P. Clizbe                    Inet: JPClizbe@EarthLink.net
Golden Bear Networks              PGP/GPG KeyID: 0x608D2A10
"Most men take the straight and narrow. A few take the road less
traveled. I chose to cut through the woods."
"There is safety in Numbers... *VERY LARGE PRIME* Numbers
9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals

From shavital@netbox.com Sat May 3 08:59:02 2003
From: shavital@netbox.com (Charly Avital)
Date: Sat May 3 07:59:02 2003
Subject: GPG 1.2.2 released?
In-Reply-To: <3EB33863.9020605@attbi.com>
References: <3EB33863.9020605@attbi.com>
Message-ID:

At 10:32 PM -0500 5/2/03, John P. Clizbe wrote:
>I noticed 1.2.2 is now in the release subdirectories on the ftp server.
>Is this the release version?
>
>source (5/1/2003 6:00:00 PM):
> ftp://ftp.gnupg.org/GnuPG/gnupg/gnupg-1.2.2.tar.gz
> ftp://ftp.gnupg.org/GnuPG/gnupg/gnupg-1.2.2.tar.gz.sig
>
>and Win32 binaries (5/1/2003 6:02:00 PM):
> ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.2.2.zip
> ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.2.2.zip.sig
>
>No news on the GnuPG-Announce list. Hopefully we'll see a Nullify build
>soon.
>
>- --
>John P. Clizbe Inet: JPClizbe@EarthLink.net
>Golden Bear Networks PGP/GPG KeyID: 0x608D2A10

No gnupg-1.2.2 module seems to be available on CVS:

---------------------
% cvs -z3 -d :pserver:anoncvs@cvs.gnupg.org:/cvs/gnupg checkout gnupg-1.2.2
cvs server: cannot find module `gnupg-1.2.2' - ignored
---------------------

Charly

From cmt@rz.uni-karlsruhe.de Sat May 3 10:08:02 2003
From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder)
Date: Sat May 3 09:08:02 2003
Subject: Fwd: GPG ON UNIX 11
In-Reply-To: <2782763.1051912651736.JavaMail.jbruni@mac.com>
References: <2782763.1051912651736.JavaMail.jbruni@mac.com>
Message-ID: <20030503070940.GA26454@rz-ewok.rz.uni-karlsruhe.de>

## Joseph Bruni (jbruni@mac.com):

> I have encountered the same thing that you have. The problem is that
> you are trying to use GCC.

That should not be a problem. I build gnupg 1.2.1 on HP-UX 10 and 11
using gcc:

Compiler: gcc 2.95.2
Environment:
 CFLAGS='-O3 -fomit-frame-pointer'
 PICFLAGS=+z
 CXXFLAGS='-O3 -fomit-frame-pointer'

I'm not sure if your gcc is broken in some way, perhaps our installation
has been tweaked a little.

Regards,
Christoph

--
Spare Space

From redbird@mac.com Sat May 3 12:45:02 2003
From: redbird@mac.com (Gordon Worley)
Date: Sat May 3 11:45:02 2003
Subject: [Announce] 1.2.2 release candidate 2
In-Reply-To: <20030424202324.GE28568@jabberwocky.com>
Message-ID: <4F0A523F-7D28-11D7-B239-000A9579131A@mac.com>

On Thursday, April 24, 2003, at 04:23 PM, David Shaw wrote:

> This is fixed in 1.2.2. Alas, the answer seems to be "no assembler
> for OS X".

Hi!

I got it working (passes all tests) by using the powerpc64 assembler
code. Don't know if that's going to work for all processors, but it
worked for mine (867 MHz G4 in a 12" PowerBook). Maybe powerpc32 and
powerpc64 got swapped somehow?

HTH.

--
Gordon Worley - Mac GPG Project
http://macgpg.sourceforge.net/     ``Doveriai no proveriai.''
redbird@mac.com                            --Russian proverb
PGP: 0xBBD3B003

From wk@gnupg.org Sat May 3 13:20:01 2003
From: wk@gnupg.org (Werner Koch)
Date: Sat May 3 12:20:01 2003
Subject: GPG 1.2.2 released?
In-Reply-To: <3EB33863.9020605@attbi.com> ("John P. Clizbe"'s message of "Fri, 02 May 2003 22:32:51 -0500")
References: <3EB33863.9020605@attbi.com>
Message-ID: <874r4cnxax.fsf@alberti.g10code.de>

On Fri, 02 May 2003 22:32:51 -0500, John P Clizbe said:

> I noticed 1.2.2 is now in the release subdirectories on the ftp server.
> Is this the release version?

Yes. We need to give the mirrors some time to catch up and
unfortunately one of my boxes died on May 1 and I was without mail
until yesterday.

--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi

From malte_gell@t-online.de Sat May 3 15:45:04 2003
From: malte_gell@t-online.de (Malte Gell)
Date: Sat May 3 14:45:04 2003
Subject: Why Twofish implementation only with 256 bit ?
Message-ID: <200305031446.03152.malte_gell@t-online.de>

Hi,

one of the common capabilities of all AES candidates was to offer
different key length, e.g. 128,192,256 bit. So one can edit his key in
order to make use of AES256 instead of "standard" 128 bit AES.

Why is this not the case with Twofish ? If I look at cipher.h it seems
128 bit Twofish is deprecated and only experimental and the cipher
option "Twofish" always refers to 256 bit Twofish, so why is there no
Twofish/Twofish192/Twofish256 just as it is the case with Rijndael ?

Are there any special implementation issues regarding Twofish one should
be aware of ? I can't imagine that 128 bit Twofish is dropped due to
security reasons...

Malte

From jbruni@mac.com Sat May 3 17:13:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 3 16:13:02 2003
Subject: GPG ON UNIX 11
In-Reply-To: <20030503070940.GA26454@rz-ewok.rz.uni-karlsruhe.de>
Message-ID: <905154B4-7D71-11D7-8194-00039362C012@mac.com>

I guess I need to clarify a bit. If you use the GCC as supplied by the
HPUX Porting and Archive Center (version 3.2) you will have a
"sys/types.h" that is broken. However, if you use the GCC 3.2 supplied
from the HP dev center, the sys/types.h has the rest of the symbols
defined. If you use the HP ANSI C compiler, but make the one change to
./intl/gettextP.h to work around the broken "inline" keyword, you will
get GPG 1.2.1 to work on HP/UX 11.11. The problem that Pedro described
was due to the broken sys/types.h supplied with that particular
implementation of GCC. When you say you have GPG working on HP/UX 11 are
you referring to 11.0 or 11.11 for PA-RISC or 11.20 for IPF? HP/UX is a
very fragmented platform these days.

On Saturday, May 3, 2003, at 12:09 AM, Christoph Moench-Tegeder wrote:

> ## Joseph Bruni (jbruni@mac.com):
>
>> I have encountered the same thing that you have. The problem is that
>> you are trying to use GCC.
>
> That should not be a problem. I build gnupg 1.2.1 on HP-UX 10 and 11
> using gcc:
>
> Compiler: gcc 2.95.2
> Environment:
>  CFLAGS='-O3 -fomit-frame-pointer'
>  PICFLAGS=+z
>  CXXFLAGS='-O3 -fomit-frame-pointer'
>
> I'm not sure if your gcc is broken in some way, perhaps our
> installation has been tweaked a little.
>
> Regards,
> Christoph
>
> --
> Spare Space

From rdmyers@pe.net Sat May 3 17:48:02 2003
From: rdmyers@pe.net (Rodney D. Myers)
Date: Sat May 3 16:48:02 2003
Subject: GPG 1.2.2 released?
In-Reply-To: <3EB33863.9020605@attbi.com>
References: <3EB33863.9020605@attbi.com>
Message-ID: <20030503074808.3437dffe.rdmyers@pe.net>

On Fri, 02 May 2003 22:32:51 -0500
"John P. Clizbe" wrote:

>
> I noticed 1.2.2 is now in the release subdirectories on the ftp
> server. Is this the release version?

Just upgraded from 1.2.1, to 1.2.2, and now Sylpheed gives the error
message;

Error:
Could not find any key associated with the currently selected key id
'0x7256FA2F'. I even tried the sub key, which is my new email address.

This did work earlier in the morning, before I upgraded.

Any help would be appreciated.

Thanks

--
Rodney D. Myers

ICQ#:       AIM#:        YAHOO:
18002350    mailman452   mailman42_5

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
Ben Franklin - 1759

From dshaw@jabberwocky.com Sat May 3 18:10:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 3 17:10:02 2003
Subject: GPG ON UNIX 11
In-Reply-To: <905154B4-7D71-11D7-8194-00039362C012@mac.com>
References: <20030503070940.GA26454@rz-ewok.rz.uni-karlsruhe.de> <905154B4-7D71-11D7-8194-00039362C012@mac.com>
Message-ID: <20030503151036.GC11042@jabberwocky.com>

On Sat, May 03, 2003 at 07:14:33AM -0700, Joseph Bruni wrote:

> I guess I need to clarify a bit. If you use the GCC as supplied by the
> HPUX Porting and Archive Center (version 3.2) you will have a
> "sys/types.h" that is broken. However, if you use the GCC 3.2 supplied
> from the HP dev center, the sys/types.h has the rest of the symbols
> defined. If you use the HP ANSI C compiler, but make the one change to
> ./intl/gettextP.h to work around the broken "inline" keyword, you will
> get GPG 1.2.1 to work on HP/UX 11.11.

Note that GnuPG 1.2.2 has a built in workaround for the broken inline
keyword with the HP ANSI C compiler. The problem should be
automatically detected and resolved.

David

From dshaw@jabberwocky.com Sat May 3 18:11:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 3 17:11:02 2003
Subject: Why Twofish implementation only with 256 bit ?
In-Reply-To: <200305031446.03152.malte_gell@t-online.de>
References: <200305031446.03152.malte_gell@t-online.de>
Message-ID: <20030503151202.GD11042@jabberwocky.com>

On Sat, May 03, 2003 at 02:46:02PM +0200, Malte Gell wrote:

> one of the common capabilities of all AES candidates was to offer
> different key length, e.g. 128,192,256 bit. So one can edit his key in
> order to make use of AES256 instead of "standard" 128 bit AES.
>
> Why is this not the case with Twofish ? If I look at cipher.h it seems
> 128 bit Twofish is deprecated and only experimental and the cipher
> option "Twofish" always refers to 256 bit Twofish, so why is there no
> Twofish/Twofish192/Twofish256 just as it is the case with Rijndael ?

The reason is the OpenPGP standard. "Twofish", in RFC-2440, is
specified as 256-bit.

David

From dshaw@jabberwocky.com Sat May 3 18:18:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 3 17:18:03 2003
Subject: [Announce] 1.2.2 release candidate 2
In-Reply-To: <4F0A523F-7D28-11D7-B239-000A9579131A@mac.com>
References: <20030424202324.GE28568@jabberwocky.com> <4F0A523F-7D28-11D7-B239-000A9579131A@mac.com>
Message-ID: <20030503151903.GE11042@jabberwocky.com>

On Sat, May 03, 2003 at 01:30:10AM -0400, Gordon Worley wrote:
>
> On Thursday, April 24, 2003, at 04:23 PM, David Shaw wrote:
>
> >This is fixed in 1.2.2. Alas, the answer seems to be "no assembler
> >for OS X".
>
> Hi!
>
> I got it working (passes all tests) by using the powerpc64 assembler
> code. Don't know if that's going to work for all processors, but it
> worked for mine (867 MHz G4 in a 12" PowerBook). Maybe powerpc32 and
> powerpc64 got swapped somehow?

Ah, heh. powerpc64 is a stub directory, with no code in it. Using
that is the same as disabling assembler.

David

From dshaw@jabberwocky.com Sat May 3 18:30:09 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 3 17:30:09 2003
Subject: Feature request
In-Reply-To: <001701c3111f$198e9960$f92489c3@enterprise>
References: <013701c310c6$4e125860$f92489c3@enterprise> <20030503014627.GA11042@jabberwocky.com> <001701c3111f$198e9960$f92489c3@enterprise>
Message-ID: <20030503153054.GF11042@jabberwocky.com>

On Sat, May 03, 2003 at 03:52:54AM +0100, David Picon Alvarez wrote:

> > I'm afraid I don't follow this. Can you give an example?
>
> Excuse my confusion. What I'm saying is this. Let's say I want to sign key
> aaaaaaaa and I own keys bbbbbbbb and cccccccc. Now instead of getting the
> message:
> "You are about to sign with your key name (comment) e-mail@address. type of
> message I'd rather be told:
> "You are about to sign with your key BBBBBBBB. Or even better the whole fpr.
>
> When I said the UID I meant I wanted the keyID of the prim key.

Ah, I understand now. That's a good point. It is currently difficult
to tell which key you are signing with if you have more than one key
with the same user ID string.

David

From cmt@rz.uni-karlsruhe.de Sat May 3 18:31:32 2003
From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder)
Date: Sat May 3 17:31:32 2003
Subject: GPG ON UNIX 11
In-Reply-To: <905154B4-7D71-11D7-8194-00039362C012@mac.com>
References: <20030503070940.GA26454@rz-ewok.rz.uni-karlsruhe.de> <905154B4-7D71-11D7-8194-00039362C012@mac.com>
Message-ID: <20030503153214.GA27579@rz-ewok.rz.uni-karlsruhe.de>

## Joseph Bruni (jbruni@mac.com):

> I guess I need to clarify a bit. If you use the GCC as supplied by the
> HPUX Porting and Archive Center (version 3.2) you will have a
> "sys/types.h" that is broken. However, if you use the GCC 3.2 supplied
> from the HP dev center, the sys/types.h has the rest of the symbols
> defined. If you use the HP ANSI C compiler, but make the one change to
> ./intl/gettextP.h to work around the broken "inline" keyword, you will
> get GPG 1.2.1 to work on HP/UX 11.11. The problem that Pedro described
> was due to the broken sys/types.h supplied with that particular
> implementation of GCC.

Uhm... "Our" gcc has been bootstrapped by a colleague. It is not a
version supplied by HP.

> When you say you have GPG working HP/UX 11 are
> you referring to 11.0 or 11.11 for PA-RISC or 11.20 for IPF? HP/UX is a
> very fragmented platform these days.

I built gnupg on PA-RISC 1.1 (a model 735). The binaries are distributed
via NFS and do work fine on our 785s, too. There's also a 715, still
running HP-UX 9...

Regards,
Christoph

--
Spare Space

From rdmyers@pe.net Sat May 3 18:55:02 2003
From: rdmyers@pe.net (Rodney D. Myers)
Date: Sat May 3 17:55:02 2003
Subject: GPG 1.2.2 released?
In-Reply-To: <20030503074808.3437dffe.rdmyers@pe.net>
References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net>
Message-ID: <20030503085508.65d2ecd1.rdmyers@pe.net>

On Sat, 3 May 2003 07:48:08 -0700
"Rodney D. Myers" wrote:

Bit by the Sylpheed anomaly. Sylpheed only looks in /usr, while the
default ./configure places gpg in /usr/local.

Sorry about this.

> On Fri, 02 May 2003 22:32:51 -0500
> "John P. Clizbe" wrote:
>
> >
> > I noticed 1.2.2 is now in the release subdirectories on the ftp
> > server. Is this the release version?
>
> Just upgraded from 1.2.1, to 1.2.2, and now Sylpheed gives the error
> message;
>
> Error:
> Could not find any key associated with the currently selected key id
> '0x7256FA2F'. I even tried the sub key, which is my new email address.
>
> This did work earlier in the morning, before I upgraded.
>
> Any help would be appreciated.
>
> Thanks
>

--
Rodney D. Myers

ICQ#:       AIM#:        YAHOO:
18002350    mailman452   mailman42_5

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.
Ben Franklin - 1759

From shavital@netbox.com Sat May 3 19:01:02 2003
From: shavital@netbox.com (Charly Avital)
Date: Sat May 3 18:01:02 2003
Subject: Gnupg 1.2.2 installed (was: GPG 1.2.2 released?)
Message-ID:

At 12:23 PM +0200 5/3/03, Werner Koch wrote:
>On Fri, 02 May 2003 22:32:51 -0500, John P Clizbe said:
>
>> I noticed 1.2.2 is now in the release subdirectories on the ftp server.
>> Is this the release version?
>
>Yes. We need to give the mirrors some time to catch up and
>unfortunately one of my boxes died on May 1 and I was without mail
>until yesterday.

Installed under Mac OS 10.2.5, running OK.

David - No --disable-asm was required, just straightforward ./configure
Werner - Thanks for taking care of the man issue.

Charly

From richard@sheflug.co.uk Sat May 3 20:47:02 2003
From: richard@sheflug.co.uk (Richard Ibbotson) Date: Sat May 3 19:47:02 2003 Subject: GPG 1.2.2 released? In-Reply-To: <20030503085508.65d2ecd1.rdmyers@pe.net> References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net> <20030503085508.65d2ecd1.rdmyers@pe.net> Message-ID: <200305031845.24714.richard@sheflug.co.uk> Hi Just downloaded gnupg-1.2.2.tar.gz and also .. gnupg-1.2.2.tar.gz.sig from... ftp://www.gnupg.org/gcrypt/gnupg Then I did... gpg --verify gnupg-1.2.2.tar.gz.sig Which produced this .... gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID 57548DCD gpg: Can't check signature: public key not found This was with a trusted installation of GnuPG 1.2.1. Anyone know why --verify failed and what should I do next so that I can install the 1.2.2 version ? -- Richard From Todd Sat May 3 21:32:02 2003 
From: Todd (Todd) Date: Sat May 3 20:32:02 2003 Subject: GPG 1.2.2 released? In-Reply-To: <200305031845.24714.richard@sheflug.co.uk> References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net> <20030503085508.65d2ecd1.rdmyers@pe.net> <200305031845.24714.richard@sheflug.co.uk> Message-ID: <20030503183322.GG2374@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Richard Ibbotson wrote: > Just downloaded gnupg-1.2.2.tar.gz and also .. gnupg-1.2.2.tar.gz.sig [...] > gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID > 57548DCD > gpg: Can't check signature: public key not found [...] > This was with a trusted installation of GnuPG 1.2.1. Anyone know why > --verify failed and what should I do next so that I can install the > 1.2.2 version ? You must not have Werner's key on your keyring. You'll need to get it if you want to check the signature on the 1.2.2 tarball. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ If you can't beat 'em, arrange to have them beaten. -- George Carlin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+tAtxuv+09NZUB1oRAuuHAKDYlPbeQivSE1fJMupr207VVBayYACgwTAX vG1nCsGCSCvb5roP4zSDilY= =sz1n -----END PGP SIGNATURE----- From bminton@efn.org Sat May 3 21:37:03 2003 
From: bminton@efn.org (Brian Minton) Date: Sat May 3 20:37:03 2003 Subject: GPG 1.2.2 released? In-Reply-To: <200305031845.24714.richard@sheflug.co.uk> References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net> <20030503085508.65d2ecd1.rdmyers@pe.net> <200305031845.24714.richard@sheflug.co.uk> Message-ID: <20030503183629.GA6087@bminton.dyn.cheapnet.net> On Sat, May 03, 2003 at 06:46:09PM +0100, Richard Ibbotson wrote: > Hi > > Just downloaded gnupg-1.2.2.tar.gz and also .. gnupg-1.2.2.tar.gz.sig > from... > > ftp://www.gnupg.org/gcrypt/gnupg > > Then I did... > > gpg --verify gnupg-1.2.2.tar.gz.sig > > Which produced this .... > > gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID > 57548DCD > gpg: Can't check signature: public key not found > You don't have Werner's public key. Download it with the command gpg --keyserver pgp.mit.edu --recv 57548DCD of course, feel free to use your own favorite keyserver. > > This was with a trusted installation of GnuPG 1.2.1. Anyone know why > --verify failed and what should I do next so that I can install the > 1.2.2 version ? it failed because you don't have the public key to check it. -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 From linux@codehelp.co.uk Sat May 3 21:42:01 2003 
From: linux@codehelp.co.uk (Neil Williams) Date: Sat May 3 20:42:01 2003 Subject: GPG 1.2.2 released? In-Reply-To: <200305031845.24714.richard@sheflug.co.uk> References: <3EB33863.9020605@attbi.com> <20030503085508.65d2ecd1.rdmyers@pe.net> <200305031845.24714.richard@sheflug.co.uk> Message-ID: <200305031943.10477.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 03 May 2003 6:46 pm, Richard Ibbotson wrote: > gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID > 57548DCD > gpg: Can't check signature: public key not found > This was with a trusted installation of GnuPG 1.2.1. Anyone know why > --verify failed and what should I do next so that I can install the > 1.2.2 version ? gpg --recv-keys 57548dcd You need to have the corresponding key already in your keyring on your own machine. Use --keyserver keyserver.linux.it if you haven't got a default keyserver setup. gpg --list-keys 57548dcd will then give: pub 1024D/57548DCD 1998-07-07 Werner Koch (gnupg sig) and the verify will be able to check the signature. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+tA29iAEJSii8s+MRArG6AJ9+R9p0DytG4t/waOLwzhaVxymgIgCgsdGw l3+xbNGh/ofzishD4pyP0nI= =lTsS -----END PGP SIGNATURE----- From jbruni@mac.com Sat May 3 21:55:02 2003 
From: jbruni@mac.com (Joseph Bruni) Date: Sat May 3 20:55:02 2003 Subject: GPG 1.2.2 released? In-Reply-To: <200305031845.24714.richard@sheflug.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Download Werner's public key from the GnuPG web site. http://www.gnupg.org/signature_key.html These procedures are documented in the "Integrity Check" section of the web site. Joe On Saturday, May 3, 2003, at 10:46 AM, Richard Ibbotson wrote: > Hi > > Just downloaded gnupg-1.2.2.tar.gz and also .. gnupg-1.2.2.tar.gz.sig > from... > > ftp://www.gnupg.org/gcrypt/gnupg > > Then I did... > > gpg --verify gnupg-1.2.2.tar.gz.sig > > Which produced this .... > > gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID > 57548DCD > gpg: Can't check signature: public key not found > > > This was with a trusted installation of GnuPG 1.2.1. Anyone know why > --verify failed and what should I do next so that I can install the > 1.2.2 version ? > > > > -- > Richard > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEYEARECAAYFAj60ENsACgkQ4rg/mXNDweOtrgCgmF32VsfXlyOh/7NEHR/f/q3z /AAAoLCRGohxC1bbHOGq43Xr/Jy8f2rD =wyOd -----END PGP SIGNATURE----- From tyketto@wizard.com Sat May 3 22:25:03 2003 
From: tyketto@wizard.com (A Guy Called Tyketto) Date: Sat May 3 21:25:03 2003 Subject: GPG 1.2.2 released? In-Reply-To: <200305031845.24714.richard@sheflug.co.uk> References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net> <20030503085508.65d2ecd1.rdmyers@pe.net> <200305031845.24714.richard@sheflug.co.uk> Message-ID: <20030503192544.GA6604@wizard.com> --DocE+STaALJfprDB Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, May 03, 2003 at 06:46:09PM +0100, Richard Ibbotson wrote: > Hi > > Just downloaded gnupg-1.2.2.tar.gz and also .. gnupg-1.2.2.tar.gz.sig > from... > > ftp://www.gnupg.org/gcrypt/gnupg > > Then I did... > > gpg --verify gnupg-1.2.2.tar.gz.sig > > Which produced this .... > > gpg: Signature made Thu 01 May 2003 16:10:15 BST using DSA key ID > 57548DCD > gpg: Can't check signature: public key not found > > > This was with a trusted installation of GnuPG 1.2.1. Anyone know why > --verify failed and what should I do next so that I can install the > 1.2.2 version ? I just did a 'gpg gnupg-1.2.2.tar.bz2.sig' and it verified, however, the key has expired: tyketto@box:/usr/local/src/security$ gpg gnupg-1.2.2.tar.bz2.sig gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: Signature made Sat May 3 05:02:29 2003 CDT using DSA key ID 57548DCD gpg: Good signature from "Werner Koch (gnupg sig) " gpg: Note: This key has expired! 
Primary key fingerprint: 6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD tyketto@box:/usr/local/src/security$ In other news, make fails in ./checks during the original compile, on Solaris 2.8: SunOS charleston-peak 5.8 Generic_108528-19 sun4u sparc SUNW,Sun-Fire gcc version 2.95.3 20010315 (release) gmake[3]: Leaving directory `/tmp/gnupg-1.2.2/doc' gmake[2]: Leaving directory `/tmp/gnupg-1.2.2/doc' Making all in checks gmake[2]: Entering directory `/tmp/gnupg-1.2.2/checks' echo '#!/bin/sh' >./gpg_dearmor echo "../g10/gpg --no-options --no-greeting \ --no-secmem-warning --batch --dearmor" >>./gpg_dearmor chmod 755 ./gpg_dearmor ./gpg_dearmor > ./pubring.gpg < ./pubring.asc Bus Error gmake[2]: *** [pubring.gpg] Error 138 gmake[2]: Leaving directory `/tmp/gnupg-1.2.2/checks' gmake[1]: *** [all-recursive] Error 1 gmake[1]: Leaving directory `/tmp/gnupg-1.2.2' gmake: *** [all] Error 2 BL. -- Brad Littlejohn | Email: tyketto@wizard.com Unix Systems Administrator, | tyketto@ozemail.com.au Web + NewsMaster, BOFH.. Smeghead! :) | http://www.wizard.com/~tyketto PGP: 1024D/E319F0BF 6980 AAD6 7329 E9E6 D569 F620 C819 199A E319 F0BF --DocE+STaALJfprDB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+tBe2yBkZmuMZ8L8RAoY3AJ9AFOFRIovHIQmAdshzsGJSYhiAjwCbBD4f 37Yl12KB/TkXq7ORg7f0MsU= =pR9G -----END PGP SIGNATURE----- --DocE+STaALJfprDB-- From richard@sheflug.co.uk Sat May 3 22:25:27 2003 From: richard@sheflug.co.uk (Richard Ibbotson) Date: Sat May 3 21:25:27 2003 Subject: GPG 1.2.2 released? In-Reply-To: References: Message-ID: <200305032025.05271.richard@sheflug.co.uk> Hi > http://www.gnupg.org/signature_key.html Thanks for everyone's help. Thought I had Werner's key on my public keyring. Thank you -- Richard From malsyned@cif.rochester.edu Sat May 3 23:07:04 2003 
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.) Date: Sat May 3 22:07:04 2003 Subject: Invalid subkey binding Message-ID: <1051992609.8134.18.camel@dennisx.cif.rochester.edu> --=-tQ2awQ46HIAzQuXbuGM0 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable I uploaded my public key to two of the keyservers that David Shaw said would be able to handle my subkeys, keyserver.kjsl.com and hkp://keyserver.bu.edu. A friend then signed my key and sent the changes to keyserver.bu.edu, from which I refreshed my key. Later, I refreshed it again and gpg now reports: ~$ gpg --refresh lambe gpg: refreshing 1 key from keyserver.kjsl.com gpg: key F53BA904: invalid subkey binding gpg: key F53BA904: "Dennis Patrick Lambe Jr." not changed gpg: Total number processed: 1 gpg: unchanged: 1 I've compared the --list-packets output of the key on the keyservers to that of a known-good copy of my key, and apart from the order that the UIDs are listed, and the order that signatures are listed on the UIDs, the outputs are identical. So as far as I can tell, what I am able to retrieve from the servers is a working, complete copy of my public key. There must be something else going on, though, for GPG to complain about an invalid subkey binding. Can anyone offer something by way of explanation, or, maybe just maybe, a way to fix the problem? Thanks, --Dennis Lambe Jr. --=-tQ2awQ46HIAzQuXbuGM0 Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: My public key is available at http://cif.rochester.edu/~malsyned/public_key.html iD8DBQA+tCIh+yh/ThbejSgRApWsAJ0W4WzaPzDmMOx/6zC65wsYOIeapwCeKTo5 jIlYKDQ0Cmq0MnGo0nZnwZg= =Q6ND -----END PGP SIGNATURE----- --=-tQ2awQ46HIAzQuXbuGM0-- From jurgen@botz.org Sun May 4 00:25:04 2003 
From: jurgen@botz.org (Jurgen Botz) Date: Sat May 3 23:25:04 2003 Subject: gnupg-1.2.1: public key not found Message-ID: <3EB433F6.3060801@botz.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maybe I'm doing something stupid here... gnupg-1.2.1 as shipped with RedHat. I just downloaded the new FreeS/WAN release and associated signatures and keys... I want to verify the signatures. So I did ~ $ gpg --import freeswan-allkeys This seemed to work. Then I did... ~ $ gpgv freeswan-allkeys.sig ~ gpgv: Signature made Sat 22 Feb 2003 02:40:24 PM PST using RSA key ID 46EAFCE1 ~ gpgv: Can't check signature: public key not found Hmmm... but doing 'gpg --list-keys' shows that the relevant keys are in my keyring... ~ pub 1024R/970F6D91 1998-02-10 Linux FreeS/WAN Software Team ~ pub 2047R/46EAFCE1 2002-03-29 Linux FreeS/WAN Software Team ~ pub 1024R/5A7E4731 2002-06-25 FreeSWAN RPM signing key Strange. Also... ~ $ rpm -K freeswan-module-2.00_2.4.20_9-0.i386.rpm ~ freeswan-module-2.00_2.4.20_9-0.i386.rpm: sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#5a7e4731) Again, the key id is one of the ones I imported above and which 'gpg --list-keys' shows as being there. What could be going on? :j -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+tDP2TswFs/ZeZvwRAtifAJwJI21Tcu2HlCyooWEe61GT6zAtzACcCOgo NZjaJ/SzBuROK9t8iYhkwp8= =6Fxp -----END PGP SIGNATURE----- From wk@gnupg.org Sun May 4 00:28:04 2003 
From: wk@gnupg.org (Werner Koch) Date: Sat May 3 23:28:04 2003 Subject: [Announce] GnuPG 1.2.2 released Message-ID: <87wuh7n6w5.fsf@alberti.g10code.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! We are pleased to announce the availability of a new stable GnuPG release: Version 1.2.2 The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. This new release implements most of OpenPGP's optional features, has somewhat better interoperability with non-conforming OpenPGP implementations and improved keyserver support. *************************************************************** * Due to a bug found in the key validation code, we strongly * * suggest to update to this release if you are relying on the * * Web-Of-Trust semantics. * *************************************************************** Getting the Software ==================== GnuPG 1.2.2 can be downloaded from one of the *GnuPG mirror sites*. The list of mirrors can be found at http://www.gnupg.org/mirrors.html. On the mirrors you should find the following files in the *gnupg* directory: gnupg-1.2.2.tar.bz2 (2.1 MB) gnupg-1.2.2.tar.bz2.sig GnuPG 1.2 source compressed using BZIP2 and OpenPGP signature. gnupg-1.2.2.tar.gz (3.1 MB) gnupg-1.2.2.tar.gz.sig GnuPG source compressed using GZIP and OpenPGP signature. gnupg-1.2.1-1.2.2.diff.gz (1.1 MB) A patch file to upgrade a 1.2.1 GnuPG source. This file is signed; you have to use GnuPG > 0.9.5 to verify the signature. GnuPG has a feature to allow clear signed patch files which can still be processed by the patch utility. Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. 
Please try another mirror if, exceptionally, your mirror is not yet up to date. We have uploaded the .gz tarball on May 1, so at least this one should be available at the mirrors. In the *binary* directory, you should find these files: gnupg-w32cli-1.2.2.zip (1.3 MB) gnupg-w32cli-1.2.2.zip.sig GnuPG compiled for Microsoft Windows and OpenPGP signature. Note that this is a command line version and comes without a graphical installer tool. You have to use an UNZIP utility to extract the files and install them manually. The included file README.W32 has further instructions. Checking the Integrity ====================== In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.2.2.tar.bz2 you would use this command: gpg --verify gnupg-1.2.2.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key by finger wk 'at' g10code.com . Never use a GnuPG version you just downloaded to check the integrity of the source - use an existing GnuPG installation. * If you are not able to use an old version of GnuPG, you have to verify the MD5 checksum. 
Assuming you downloaded the file gnupg-1.2.2.tar.bz2, you would run the md5sum command like this: md5sum gnupg-1.2.2.tar.bz2 and check that the output matches the first line from the following list: 4e1b357b22e1d45d14d340ce03d39b63 gnupg-1.2.2.tar.bz2 01cf9c6b949603d0511f6fc07bc758d2 gnupg-1.2.2.tar.gz bbb2691b0322f570c7e683049ba3c777 gnupg-1.2.1-1.2.2.diff.gz 7f7f4b5312f3ebddc67eba0b6a8661a4 gnupg-w32cli-1.2.2.zip Upgrade Information =================== If you are upgrading from a version prior to 1.0.7, you should run the script tools/convert-from-106 once. Please note also that due to a bug in versions prior to 1.0.6 it may not be possible to downgrade to such versions unless you apply the patch http://www.gnupg.org/developer/gpg-woody-fix.txt . If you have any problems, please see the FAQ and the mailing list archive at http://lists.gnupg.org. Please direct questions to the gnupg-users@gnupg.org mailing list. What's New =========== Here is a list of major user visible changes since 1.2.1: Configuration: * A "convert-from-106" script has been added. This is a simple script that automates the conversion from a 1.0.6 or earlier version of GnuPG to a 1.0.7 or later version. New features: * A "--trust-model always" option has been added to smooth the transition to a future GnuPG that has multiple trust models. This is identical to the current "--always-trust" option. * Care is taken to prevent compiler optimization from removing memory wiping code. * New option --no-mangle-dos-filenames so that filenames are not truncated in the W32 version. * New command "revuid" in the --edit-key menu to revoke a user ID. This is a simpler interface to the old method (which still works) of revoking the user ID self-signature. * Status VALIDSIG now also contains the primary key fingerprint, as well as the signature version, public key algorithm, hash algorithm, and signature class. 
* Add read-only support for the SHA-256 hash, and optional read-only support for the SHA-384 and SHA-512 hashes. * New option --enable-progress-filter for use with frontends. Incompatible changes: * Notation names that do not contain a '@' are no longer allowed unless --expert is set. This is to help prevent pollution of the (as yet unused) IETF notation namespace. * Disabled keys are now skipped when selecting keys for encryption. If you are using the --with-colons key listings to detect disabled keys, please see doc/DETAILS for a minor format change in this release. OpenPGP compatibility: * Fixed a compatibility problem with CryptoEx by increasing the window size of the uncompressor. * Note that the TIGER/192 digest algorithm is in the process of being dropped from the OpenPGP standard. While this release of GnuPG still contains it, it is disabled by default. To ensure you will still be able to use your messages with future versions of GnuPG and other OpenPGP programs, please do not use this algorithm. Bug fixes: * A bug in key validation has been fixed. This bug only affects keys with more than one user ID (photo IDs do not count here), and results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key. Other changes: * Minor trustdb changes to make the trust calculations match common usage. * New translations: Finnish, Hungarian, Slovak, and Traditional Chinese. Internationalization ==================== GnuPG comes with support for these languages: American English Hungarian (hu) Catalan (ca) Indonesian (id) Czech (cs) Italian (it) Danish (da)[*] Japanese (ja) Dutch (nl)[*] Polish (pl) Esperanto (eo)[*] Brazilian Portuguese (pt_BR)[*] Estonian (et) Portuguese (pt) Finnish (fi) Slovak (sk) French (fr) Spanish (es) Galician (gl) Swedish (sv) German (de) Traditional Chinese (zh_TW) Greek (el) Turkish (tr) Languages marked with [*] were not updated for this release and you may notice untranslated messages. 
We may release an update of the translations when we have received some translation updates. Many thanks to the translators for their ongoing support of GnuPG. Happy Hacking, The GnuPG team (David, Stefan, Timo and Werner) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+tB1KbH7huGIcwBMRArYTAJ0deLOyUMDFQwy3+nj/VFgUHIrPGACggUFV uPS86Mf9N/pjVNNNfNXWen4= =HX8r -----END PGP SIGNATURE----- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From redbird@mac.com Sun May 4 00:33:03 2003 
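The "Checking the Integrity" step from the announcement above, made scriptable: an added example (not part of the original message and not GnuPG's own code) that reads `gpg --status-fd` output and accepts only a VALIDSIG line whose primary-key fingerprint matches a pinned value, so a good signature from some other key on the keyring does not pass. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed in the gpg output quoted earlier in this thread.

```shell
#!/bin/sh
# Added example: fail-closed check of gpg status output against a pinned key.
# Typical use (detached signature next to the tarball):
#   gpg --status-fd 1 --verify gnupg-1.2.2.tar.bz2.sig 2>/dev/null \
#       | verify_status "$PINNED_FPR"

# Fingerprint as printed by gpg earlier in this thread.
# Assumption: you have confirmed it through an independent source.
PINNED_FPR="6BD9 050F D8FC 941B 4341 2DCC 68B7 AB89 5754 8DCD"

# verify_status PINNED   (status lines on stdin)
# returns 0  a VALIDSIG whose primary-key fingerprint equals PINNED
#         1  no acceptable VALIDSIG (wrong key, or pre-1.2.2 short format)
#         2  BADSIG, ERRSIG or NO_PUBKEY was reported
verify_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    accepted=1                                  # fail closed by default
    while read -r tag keyword args; do
        [ "$tag" = "[GNUPG:]" ] || continue     # ignore non-status lines
        case $keyword in
            BADSIG|ERRSIG|NO_PUBKEY)
                return 2 ;;
            VALIDSIG)
                set -f; set -- $args; set +f    # split fields, no globbing
                # Field 10 is the primary-key fingerprint added in 1.2.2
                # (layout as documented in GnuPG's doc/DETAILS).
                [ "$#" -ge 10 ] || continue
                [ "${10}" = "$pinned" ] && accepted=0
                ;;
        esac
    done
    return "$accepted"
}

# --- constructed sample inputs (not captured from a real run) ---
sample_good() {
    printf '%s\n' \
      '[GNUPG:] GOODSIG 68B7AB8957548DCD Werner Koch (gnupg sig)' \
      '[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-05-01 1051801815 0 3 0 17 2 00 6BD9050FD8FC941B43412DCC68B7AB8957548DCD'
}
sample_other_key() {    # cryptographically valid, but not the pinned key
    printf '%s\n' \
      '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Other Key' \
      '[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2003-05-01 1051801815 0 3 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
}
sample_missing_key() {  # the "public key not found" case from this thread
    printf '%s\n' \
      '[GNUPG:] ERRSIG 68B7AB8957548DCD 17 2 00 1051801815 9' \
      '[GNUPG:] NO_PUBKEY 68B7AB8957548DCD'
}
sample_old_format() {   # VALIDSIG without the primary-key field
    printf '%s\n' \
      '[GNUPG:] VALIDSIG 6BD9050FD8FC941B43412DCC68B7AB8957548DCD 2003-05-01 1051801815'
}

sample_good | verify_status "$PINNED_FPR" && echo "signature accepted"
```

A GOODSIG line alone is deliberately not enough here: it only says that some key on the keyring verified the data, not that the expected key did.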
From: redbird@mac.com (Gordon Worley) Date: Sat May 3 23:33:03 2003 Subject: Strange make check output Message-ID: I get strange output when running make check for gnupg-1.2.2. Any idea what all of those `missing' lines are? mango% make check -i Making check in intl make[1]: Nothing to be done for `check'. Making check in zlib make[1]: Nothing to be done for `check'. Making check in util make[1]: Nothing to be done for `check'. Making check in mpi make[1]: Nothing to be done for `check'. Making check in cipher make[1]: Nothing to be done for `check'. Making check in tools make[1]: Nothing to be done for `check'. Making check in g10 make[1]: Nothing to be done for `check'. Making check in keyserver make[1]: Nothing to be done for `check'. Making check in po make[1]: Nothing to be done for `check'. Making check in doc make check-am make[2]: Nothing to be done for `check-am'. Making check in checks make check-TESTS ./version.test: [: missing `]' ./version.test: [: missing `]' gpg (GnuPG) 1.2.2 Copyright (C) 2003 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: . 
Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256 Compression: Uncompressed, ZIP, ZLIB PASS: version.test ./mds.test: [: missing `]' ./mds.test: [: missing `]' Hash algorithm TIGER/192 is not installed Hash algorithm SHA-384 is not installed Hash algorithm SHA-512 is not installed PASS: mds.test ./decrypt.test: [: missing `]' ./decrypt.test: [: missing `]' PASS: decrypt.test ./decrypt-dsa.test: [: missing `]' ./decrypt-dsa.test: [: missing `]' PASS: decrypt-dsa.test ./sigs.test: [: missing `]' ./sigs.test: [: missing `]' PASS: sigs.test ./sigs-dsa.test: [: missing `]' ./sigs-dsa.test: [: missing `]' PASS: sigs-dsa.test ./encrypt.test: [: missing `]' ./encrypt.test: [: missing `]' PASS: encrypt.test ./encrypt-dsa.test: [: missing `]' ./encrypt-dsa.test: [: missing `]' PASS: encrypt-dsa.test ./seat.test: [: missing `]' ./seat.test: [: missing `]' PASS: seat.test ./clearsig.test: [: missing `]' ./clearsig.test: [: missing `]' PASS: clearsig.test ./encryptp.test: [: missing `]' ./encryptp.test: [: missing `]' PASS: encryptp.test ./detach.test: [: missing `]' ./detach.test: [: missing `]' PASS: detach.test ./armsigs.test: [: missing `]' ./armsigs.test: [: missing `]' PASS: armsigs.test ./armencrypt.test: [: missing `]' ./armencrypt.test: [: missing `]' PASS: armencrypt.test ./armencryptp.test: [: missing `]' ./armencryptp.test: [: missing `]' PASS: armencryptp.test ./signencrypt.test: [: missing `]' ./signencrypt.test: [: missing `]' PASS: signencrypt.test ./signencrypt-dsa.test: [: missing `]' ./signencrypt-dsa.test: [: missing `]' PASS: signencrypt-dsa.test ./armsignencrypt.test: [: missing `]' ./armsignencrypt.test: [: missing `]' PASS: armsignencrypt.test ./armdetach.test: [: missing `]' ./armdetach.test: [: missing `]' PASS: armdetach.test ./armdetachm.test: [: missing `]' ./armdetachm.test: [: missing `]' PASS: armdetachm.test ./detachm.test: [: missing 
`]' ./detachm.test: [: missing `]' PASS: detachm.test ./genkey1024.test: [: missing `]' ./genkey1024.test: [: missing `]' PASS: genkey1024.test ./conventional.test: [: missing `]' ./conventional.test: [: missing `]' PASS: conventional.test ./conventional-mdc.test: [: missing `]' ./conventional-mdc.test: [: missing `]' PASS: conventional-mdc.test ./multisig.test: [: missing `]' ./multisig.test: [: missing `]' PASS: multisig.test =================== All 25 tests passed =================== make[1]: Nothing to be done for `check-am'. -- Gordon Worley - Mac GPG Project http://macgpg.sourceforge.net/ ``Doveriai no proveriai.'' redbird@mac.com --Russian proverb PGP: 0xBBD3B003 From jbruni@mac.com Sun May 4 01:13:03 2003 From: jbruni@mac.com (Joseph Bruni) Date: Sun May 4 00:13:03 2003 Subject: gnupg-1.2.1: public key not found In-Reply-To: <3EB433F6.3060801@botz.org> Message-ID: <4DE80D64-7DB4-11D7-B2D9-003065B1243E@mac.com> Maybe you need to "validate" the imported keys by signing them? On Saturday, May 3, 2003, at 02:26 PM, Jurgen Botz wrote: > ~ $ rpm -K freeswan-module-2.00_2.4.20_9-0.i386.rpm > ~ freeswan-module-2.00_2.4.20_9-0.i386.rpm: sha1 (MD5) (PGP) md5 NOT > OK > (MISSING KEYS: PGP#5a7e4731) > > Again, the key id is one of the ones I imported above and which > 'gpg --list-keys' shows as being there. > > What could be going on? > > :j From gnupg-users@gnupg.org Sun May 4 01:38:03 2003 
From: gnupg-users@gnupg.org (Claus Assmann) Date: Sun May 4 00:38:03 2003 Subject: Strange make check output In-Reply-To: ; from redbird@mac.com on Sat, May 03, 2003 at 05:24:56PM -0400 References: Message-ID: <20030503153932.A23393@zardoc.esmtp.org> On Sat, May 03, 2003, Gordon Worley wrote: > I get strange output when running make check for gnupg-1.2.2. Any idea > what all of those `missing' lines are? > ./version.test: [: missing `]' > ./version.test: [: missing `]' Try this: *** gnupg-1.2.2/checks/defs.inc Thu May 1 06:17:46 2003 --- gnupg-1.2.2-/checks/defs.inc Sat May 3 15:35:00 2003 *************** *** 99,107 **** [ -z "$srcdir" ] && fatal "not called from make" # Make sure we have a valid option files even with VPATH builds. ! if [ -f ./options]; then : ! elif [ -f ./gpg.conf]; then : elif [ -f $srcdir/options ]; then cat $srcdir/options >gpg.conf --- 99,107 ---- [ -z "$srcdir" ] && fatal "not called from make" # Make sure we have a valid option files even with VPATH builds. ! if [ -f ./options ]; then : ! elif [ -f ./gpg.conf ]; then : elif [ -f $srcdir/options ]; then cat $srcdir/options >gpg.conf From johanw@vulcan.xs4all.nl Sun May 4 01:40:02 2003 
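Review bot: in the unchanged context lines of this hunk, `$srcdir` is still expanded unquoted in `elif [ -f $srcdir/options ]` and in `cat $srcdir/options >gpg.conf`, so a source directory whose path contains whitespace would hand `[` extra arguments and bring back the same kind of test error the two changed lines remove; since the neighbouring tests are being touched anyway, quote it as "$srcdir/options" in both places. The comment line "Make sure we have a valid option files" could also be corrected in the same change.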
From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Sun May 4 00:40:02 2003 Subject: Warnings from make check in 1.2.2 Message-ID: <200305032340.BAA03352@vulcan.xs4all.nl> Hello, I downloaded the .tar.gz file for gnupg 1.2.2. I did ./configure --with-included-zlib --prefix=/usr/local/lib/gnupg --enable-tiger --enable-sha512 and a make without any errors or warnings. Then I ran make check and got this: [...] PASS: armdetachm.test ./detachm.test: [: missing `]' ./detachm.test: [: missing `]' PASS: detachm.test ./genkey1024.test: [: missing `]' ./genkey1024.test: [: missing `]' PASS: genkey1024.test ./conventional.test: [: missing `]' ./conventional.test: [: missing `]' PASS: conventional.test ./conventional-mdc.test: [: missing `]' ./conventional-mdc.test: [: missing `]' PASS: conventional-mdc.test ./multisig.test: [: missing `]' ./multisig.test: [: missing `]' PASS: multisig.test =================== All 25 tests passed =================== make[2]: Leaving directory /tmp/gnupg-1.2.2/checks' make[1]: Leaving directory /tmp/gnupg-1.2.2/checks' make[1]: Entering directory /tmp/gnupg-1.2.2' make[1]: Nothing to be done for `check-am'. make[1]: Leaving directory /tmp/gnupg-1.2.2' make install went OK, and the program seems to run OK as far as I can check. My system is Slackware Linux 3.3 with kernel 2.0.38, gcc 2.7.2.2, GNU Make version 3.74. Does anyone know what's going on here? I never got those messages about missing ]'s with other gpg versions, including 1.2.2rc2 and 1.3.1. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jharris@widomaker.com Sun May 4 02:03:02 2003 
From: jharris@widomaker.com (Jason Harris) Date: Sun May 4 01:03:02 2003 Subject: Invalid subkey binding In-Reply-To: <1051992609.8134.18.camel@dennisx.cif.rochester.edu> References: <1051992609.8134.18.camel@dennisx.cif.rochester.edu> Message-ID: <20030503230431.GA84223@pm1.ric-30.lft.widomaker.com> --Q68bSM7Ycu6FN28Q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, May 03, 2003 at 04:10:09PM -0400, Dennis Lambe Jr. wrote: > I uploaded my public key to two of the keyservers that David Shaw said > would be able to handle my subkeys, keyserver.kjsl.com and > hkp://keyserver.bu.edu. A friend then signed my key and sent the > changes to keyserver.bu.edu, from which I refreshed my key. Later, I > refreshed it again and gpg now reports: > > ~$ gpg --refresh lambe > gpg: refreshing 1 key from keyserver.kjsl.com > gpg: key F53BA904: invalid subkey binding > gpg: key F53BA904: "Dennis Patrick Lambe Jr." not changed > gpg: Total number processed: 1 > gpg: unchanged: 1 Check the verbose (default) listing on keyserver.kjsl.com and see that a "[keybind, hash: type 2, 6e 50]" signature is present on both subkeys, making it likely to be a duplicate (that is invalid when paired with the wrong subkey). pgpdump[.net] and gpg -v -v will also display the stored top two bytes of hashes over signed data areas as well as a whole lot more information. See RFC 2440 for details. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://jharris.cjb.net/ --Q68bSM7Ycu6FN28Q Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+tEr9SypIl9OdoOMRAq9YAJ4qZR21MFzBpfcUBOG/W0OwtW4n0wCeKEex K85xAAbisk4En24xxEYicJU= =E5lG -----END PGP SIGNATURE----- --Q68bSM7Ycu6FN28Q-- From jbruni@mac.com Sun May 4 02:38:02 2003 
From: jbruni@mac.com (Joseph Bruni) Date: Sun May 4 01:38:02 2003 Subject: Strange make check output In-Reply-To: <20030503153932.A23393@zardoc.esmtp.org> Message-ID: <74B20E1C-7DC0-11D7-937A-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In the file ./checks/defs.inc there are a couple of lines with bad syntax for '['. Line 102: if [ -f ./options]; then Line 104: elif [ -f ./gpg.conf]; then The program, '/bin/[', is expecting whitespace in front of the final ']' parameter. Adding a space fixes all the "missing ]" warnings. - -Joe On Saturday, May 3, 2003, at 03:39 PM, Claus Assmann wrote: > On Sat, May 03, 2003, Gordon Worley wrote: >> I get strange output when running make check for gnupg-1.2.2. Any >> idea >> what all of those `missing' lines are? > >> ./version.test: [: missing `]' >> ./version.test: [: missing `]' > > Try this: > > *** gnupg-1.2.2/checks/defs.inc Thu May 1 06:17:46 2003 > --- gnupg-1.2.2-/checks/defs.inc Sat May 3 15:35:00 2003 > *************** > *** 99,107 **** > [ -z "$srcdir" ] && fatal "not called from make" > > # Make sure we have a valid option files even with VPATH builds. > ! if [ -f ./options]; then > : > ! elif [ -f ./gpg.conf]; then > : > elif [ -f $srcdir/options ]; then > cat $srcdir/options >gpg.conf > --- 99,107 ---- > [ -z "$srcdir" ] && fatal "not called from make" > > # Make sure we have a valid option files even with VPATH builds. > ! if [ -f ./options ]; then > : > ! elif [ -f ./gpg.conf ]; then > : > elif [ -f $srcdir/options ]; then > cat $srcdir/options >gpg.conf > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iEUEARECAAYFAj60UyoACgkQ4rg/mXNDweNUNgCgiAuA4vOLQB50VYvStzyLhyI7 ntQAmPQWQFSRdALP+jAWqZe/mNE/UzA= =mUc+ -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 4 03:47:02 2003 
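The effect of the missing space described in the message above, as an added example that is not part of the thread or of GnuPG's checks/defs.inc: the test chain from the patch is reproduced with its branch bodies replaced by `echo`, so the branch actually taken can be observed. The function names, the sandbox layout and the closing `else`/`fi` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: why "[: missing `]'" changed behaviour without failing a test.
# `[` is an ordinary command; without a separate final `]` argument it prints
# a diagnostic and exits with status 2, which `if` treats like "false".

broken_chain() {            # tests as shipped in 1.2.2 (before the patch)
    {
        if [ -f ./options]; then
            echo keep-options
        elif [ -f ./gpg.conf]; then
            echo keep-gpg.conf
        elif [ -f "$srcdir/options" ]; then
            echo copy-from-srcdir
        else
            echo none
        fi
    } 2>/dev/null           # hide the two "missing `]'" diagnostics
}

fixed_chain() {             # tests after the patch
    if [ -f ./options ]; then
        echo keep-options
    elif [ -f ./gpg.conf ]; then
        echo keep-gpg.conf
    elif [ -f "$srcdir/options" ]; then
        echo copy-from-srcdir
    else
        echo none
    fi
}

# bracket_status: exit status of the malformed test itself
bracket_status() {
    st=0
    [ -f ./options] 2>/dev/null || st=$?
    echo "$st"
}

# demo broken|fixed: run one chain in a scratch directory where a local
# ./options file exists and should therefore be the one that is kept.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        mkdir src
        : > options         # local options file
        : > src/options     # copy in the source tree
        srcdir=src
        "${1}_chain"
    )
    rm -rf "$dir"
}

printf 'broken: %s\nfixed:  %s\n' "$(demo broken)" "$(demo fixed)"
```

With the typo the first two tests can never succeed, so an existing `./options` or `./gpg.conf` is not detected and the chain falls through to the `$srcdir/options` branch, while the test scripts that source the file still report PASS.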
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 4 02:47:02 2003 Subject: gnupg-1.2.1: public key not found In-Reply-To: <3EB433F6.3060801@botz.org> References: <3EB433F6.3060801@botz.org> Message-ID: <20030504004715.GH11042@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 03, 2003 at 02:26:14PM -0700, Jurgen Botz wrote: > Maybe I'm doing something stupid here... gnupg-1.2.1 as shipped with > RedHat. I just downloaded the new FreeS/WAN release and associated > signatures and keys... I want to verify the signatures. So I did > > ~ $ gpg --import freeswan-allkeys > > This seemed to work. Then I did... > > ~ $ gpgv freeswan-allkeys.sig > ~ gpgv: Signature made Sat 22 Feb 2003 02:40:24 PM PST using RSA key ID > 46EAFCE1 > ~ gpgv: Can't check signature: public key not found > > Hmmm... but doing 'gpg --list-keys' shows that the relevant keys > are in my keyring... 'gpg' and 'gpgv' use two different keyrings. Importing a key into the gpg keyring does not import it into the gpgv keyring. See the gpgv man page for the details. > Strange. Also... > > ~ $ rpm -K freeswan-module-2.00_2.4.20_9-0.i386.rpm > ~ freeswan-module-2.00_2.4.20_9-0.i386.rpm: sha1 (MD5) (PGP) md5 NOT OK > (MISSING KEYS: PGP#5a7e4731) rpm uses its own keyring as well. Try "rpm --import". David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.2-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+tGMT4mZch0nhy8kRAqxwAJ0RzjxMexr8fWGWUfDnNx0IRbnRzwCghtVj 9GAyiTnRz2lYoIgJ3scVWD4= =6rZA -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 4 03:53:01 2003 
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 4 02:53:01 2003
Subject: Invalid subkey binding
In-Reply-To: <1051992609.8134.18.camel@dennisx.cif.rochester.edu>
References: <1051992609.8134.18.camel@dennisx.cif.rochester.edu>
Message-ID: <20030504005335.GI11042@jabberwocky.com>

On Sat, May 03, 2003 at 04:10:09PM -0400, Dennis Lambe Jr. wrote:

> I uploaded my public key to two of the keyservers that David Shaw said
> would be able to handle my subkeys, keyserver.kjsl.com and
> hkp://keyserver.bu.edu. A friend then signed my key and sent the
> changes to keyserver.bu.edu, from which I refreshed my key. Later, I
> refreshed it again and gpg now reports:
>
> ~$ gpg --refresh lambe
> gpg: refreshing 1 key from keyserver.kjsl.com
> gpg: key F53BA904: invalid subkey binding
> gpg: key F53BA904: "Dennis Patrick Lambe Jr." not changed
> gpg: Total number processed: 1
> gpg: unchanged: 1
>
> I've compared the --list-packets output of the key on the keyservers to
> that of a known-good copy of my key, and apart from the order that the
> UIDs are listed, and the order that signatures are listed on the UIDs,
> the outputs are identical. So as far as I can tell, what I am able to
> retrieve from the servers is a working, complete copy of my public key.
> There must be something else going on, though, for GPG to complain about
> an invalid subkey binding. Can anyone offer something by way of
> explanation, or, maybe just maybe, a way to fix the problem?

Probably someone sent an update to your key to one of the other keyservers, which garbled it a bit, and re-synched that back to keyserver.bu.edu. Basically, one of your subkeys has two signatures on it, only one of which is valid.

So long as you have both your subkeys (and you do), it's a harmless warning, and can safely be ignored.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.2-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+tGSP4mZch0nhy8kRAidfAJ4kDo347cAcyVpHdI8s8FGTggmUKgCg0k1W
1i4uxYNwJ02J7sGszzXjxmU=
=3B3g
-----END PGP SIGNATURE-----

From dshaw@jabberwocky.com Sun May 4 05:44:12 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 4 04:44:12 2003
Subject: [Announce] Key validity bug in GnuPG 1.2.1 and earlier
Message-ID: <20030504013525.GA10689@jabberwocky.com>

--OwLcNYc0lM97+oe1
Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"
Content-Disposition: inline

--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

As part of the development of GnuPG 1.2.2, a bug was discovered in the key validation code. This bug causes keys with more than one user ID to give all user IDs on the key the amount of validity given to the most-valid key.

This bug does not impact any key with only one user ID. Photo IDs ("user attribute IDs") do not count as an additional user ID for the purposes of this bug.

For example, given a key with two user IDs: Alice and Alice's other address

If the encrypting user has a trust path to the ID alice@example.com, then this ID is fully valid, and there is no warning message when encrypting to alice@example.com.

If the encrypting user has either an insufficient or no trust path to the ID "alice@corp.example.net", then that ID is either not fully valid, or not valid at all respectively. There should be a warning message given when encrypting to this other user ID ("it is not certain this key belongs to the user named in the user ID / do you want to encrypt to it anyway?"), but due to the bug, the invalid user ID is accepted as valid and no warning message is given.

This bug has been fixed in the newly released GnuPG 1.2.2, and upgrading is the recommended fix for this problem.

For those who cannot upgrade for whatever reason, the attached patch fixes the problem as well. The patch should apply (perhaps with some offsets) to GnuPG 1.2.1, 1.2.0, or 1.0.7. Note that GnuPG 1.0.6 (and possibly earlier) versions have the same problem, but these versions are too old to successfully apply the patch. If you are using GnuPG 1.0.6 or earlier versions, please upgrade.
The GnuPG Team (David, Stefan, Timo and Werner) --5vNYLRcllDrimb99 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch-gnupg-1.2.1-trustfix.txt" Content-Transfer-Encoding: quoted-printable Index: g10/trustdb.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvs/gnupg/gnupg/g10/trustdb.c,v retrieving revision 1.89.2.1 diff -u -r1.89.2.1 trustdb.c --- g10/trustdb.c 2 Oct 2002 21:56:03 -0000 1.89.2.1 +++ g10/trustdb.c 4 May 2003 01:12:38 -0000 
@@ -808,16 +808,27 @@ while (recno) { read_record (recno, &vrec, RECTYPE_VALID); - if ( validity < (vrec.r.valid.validity & TRUST_MASK) ) - validity =3D (vrec.r.valid.validity & TRUST_MASK); - if ( namehash && !memcmp (vrec.r.valid.namehash, namehash, 20) ) - break; + if(namehash) + { + /* If namehash is given we return the trust for that user ID + ONLY. If the namehash is not found, then there is no + validity at all (i.e. the user ID wasn't signed). */ + if(memcmp(vrec.r.valid.namehash,namehash,20)=3D=3D0) + { + validity=3D(vrec.r.valid.validity & TRUST_MASK); + break; + } + } + else + { + /* If no namehash is given, we take the maximum validity + over all user IDs */ + if ( validity < (vrec.r.valid.validity & TRUST_MASK) ) + validity =3D (vrec.r.valid.validity & TRUST_MASK); + } recno =3D vrec.r.valid.next; } =20 - if (recno) /* okay, use the user ID associated one */ - validity =3D (vrec.r.valid.validity & TRUST_MASK); - if ( (trec.r.trust.ownertrust & TRUST_FLAG_DISABLED) ) validity |=3D TRUST_FLAG_DISABLED; =20 Index: g10/pkclist.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvs/gnupg/gnupg/g10/pkclist.c,v retrieving revision 1.73.2.1 diff -u -r1.73.2.1 pkclist.c --- g10/pkclist.c 17 Oct 2002 13:49:30 -0000 1.73.2.1 +++ g10/pkclist.c 4 May 2003 01:12:39 -0000 
@@ -524,17 +524,23 @@ return 0; =20 if( !opt.batch && !rc ) { - char *p; u32 keyid[2]; - size_t n; =20 keyid_from_pk( pk, keyid); tty_printf( "%4u%c/%08lX %s \"", nbits_from_pk( pk ), pubkey_letter( pk->pubkey_algo ), (ulong)keyid[1], datestr_from_pk( pk ) ); - p =3D get_user_id( keyid, &n ); - tty_print_utf8_string( p, n ), - m_free(p); + /* If the pk was chosen by a particular user ID, this is the + one to ask about. */ + if(pk->user_id) + tty_print_utf8_string(pk->user_id->name,pk->user_id->len); + else + { + size_t n; + char *p =3D get_user_id( keyid, &n ); + tty_print_utf8_string( p, n ); + m_free(p); + } tty_printf("\"\n"); print_fingerprint (pk, NULL, 2); tty_printf("\n"); @@ -887,8 +893,27 @@ } else { int trustlevel; + =20 + /* Fill in the namehash so we can get the validity + for this particular UID. If we start using it + in more places than here, it might be good to + fill this in for all PKs. */ +=20 + if(pk->user_id) + { + pk->namehash=3Dm_alloc(20); +=20 + if( pk->user_id->attrib_data ) + rmd160_hash_buffer (pk->namehash, + pk->user_id->attrib_data, + pk->user_id->attrib_len); + else + rmd160_hash_buffer (pk->namehash, + pk->user_id->name, + pk->user_id->len ); + } =20 - trustlevel =3D get_validity (pk, NULL); + trustlevel =3D get_validity (pk, pk->namehash); if( (trustlevel & TRUST_FLAG_DISABLED) ) { tty_printf(_("Public key is disabled.\n") ); } @@ -901,8 +926,6 @@ } else { PK_LIST r; - char *p; - size_t n; u32 keyid[2]; =20 keyid_from_pk( pk, keyid); @@ -911,9 +934,16 @@ pubkey_letter( pk->pubkey_algo ), (ulong)keyid[1], datestr_from_pk( pk ) ); - p =3D get_user_id( keyid, &n ); - tty_print_utf8_string( p, n ); - m_free(p); + if(pk->user_id) + tty_print_utf8_string(pk->user_id->name, + pk->user_id->len); + else + { + size_t n; + char *p =3D get_user_id( keyid, &n ); + tty_print_utf8_string( p, n ); + m_free(p); + } tty_printf("\"\n"); =20 r =3D m_alloc( sizeof *r ); 
@@ -981,6 +1011,25 @@ } else if( !(rc=3Dcheck_pubkey_algo2(pk->pubkey_algo, use )) ) { int trustlevel; + + /* Fill in the namehash so we can get the validity + for this particular UID. If we start using it + in more places than here, it might be good to + fill this in for all PKs. */ +=20 + if(pk->user_id) + { + pk->namehash=3Dm_alloc(20); +=20 + if( pk->user_id->attrib_data ) + rmd160_hash_buffer (pk->namehash, + pk->user_id->attrib_data, + pk->user_id->attrib_len); + else + rmd160_hash_buffer (pk->namehash, + pk->user_id->name, + pk->user_id->len ); + } =20 trustlevel =3D get_validity (pk, pk->namehash); if( (trustlevel & TRUST_FLAG_DISABLED) ) { --5vNYLRcllDrimb99-- --OwLcNYc0lM97+oe1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.2-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+tG5d4mZch0nhy8kRAtCZAJ0VnEX0CY0kIZzFuNu+jfMgbD2bMACfRey6 QqvErtdN8LUieDGnA3PIkb0= =ndLi -----END PGP SIGNATURE----- --OwLcNYc0lM97+oe1-- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From jbruni@mac.com Sun May 4 07:00:02 2003 
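Review bot: in the g10/trustdb.c hunk at @@ -808, the not-found case for a supplied namehash depends on `validity` having been set to zero before the `while (recno)` loop, and that initialisation is outside the visible context. The new comment promises "no validity at all", so it would help to confirm the initial value or set it explicitly next to the loop. The literal 20 in `memcmp(vrec.r.valid.namehash,namehash,20)` would also read better as a named hash-length constant, since the same 20 reappears in the `m_alloc(20)` calls in g10/pkclist.c.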
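Review bot: in the g10/pkclist.c hunk at @@ -887, `pk->namehash=m_alloc(20);` assigns unconditionally whenever `pk->user_id` is set, so a namehash already attached to the pk would be overwritten and leaked, and no matching free appears anywhere in the patch. Guarding the allocation with a check that `pk->namehash` is still NULL, or adding a comment that says where the buffer is released, would settle it.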
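Review bot: the namehash block added at @@ -981 in g10/pkclist.c is a line-for-line copy of the one at @@ -887, and the `if(pk->user_id) ... else get_user_id` printing added at @@ -524 is repeated at @@ -911; a small helper for each would keep the call sites from drifting apart. It also deserves a comment that when `pk->user_id` is not set, `get_validity (pk, pk->namehash)` receives whatever namehash the pk already carried, and with no namehash the trustdb.c change still takes the maximum validity over all user IDs.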
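The failure mode described in the announcement, modelled as an added example that is not GnuPG's own code: the two lookup loops follow the logic visible in the g10/trustdb.c hunk, while the record layout, the validity constants, the function names and the 20-byte name hashes are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define HASH_LEN 20   /* the patch compares 20-byte name hashes */

/* Illustrative validity levels (assumption); only their ordering matters. */
enum { V_NONE = 0, V_MARGINAL = 4, V_FULL = 5 };

/* Simplified stand-in for a validity record: one per signed user ID,
   chained by record number, with 0 terminating the chain. */
struct valid_rec {
    unsigned char namehash[HASH_LEN];
    int validity;
    int next;
};

/* Constructed placeholder hashes, not real digests of any user ID. */
static const unsigned char UID_MAIN[HASH_LEN]  = { 0xA1 }; /* alice@example.com      */
static const unsigned char UID_OTHER[HASH_LEN] = { 0xB2 }; /* alice@corp.example.net */

/* Key where only the first user ID has a validity record (index 0 unused). */
static const struct valid_rec ONE_SIGNED[] = {
    { { 0 },    V_NONE, 0 },
    { { 0xA1 }, V_FULL, 0 },
};

/* Key where both user IDs have records, with different validity. */
static const struct valid_rec BOTH_SIGNED[] = {
    { { 0 },    V_NONE,     0 },
    { { 0xA1 }, V_FULL,     2 },
    { { 0xB2 }, V_MARGINAL, 0 },
};

/* Lookup as it stood before the patch: the running maximum is kept
   even when a specific user ID was asked for and never found. */
static int validity_before_fix(const struct valid_rec *db, int recno,
                               const unsigned char *namehash)
{
    int validity = V_NONE;
    const struct valid_rec *vrec = NULL;

    while (recno) {
        vrec = &db[recno];
        if (validity < vrec->validity)
            validity = vrec->validity;
        if (namehash && !memcmp(vrec->namehash, namehash, HASH_LEN))
            break;
        recno = vrec->next;
    }
    if (recno)                      /* matched: use that record's value */
        validity = vrec->validity;
    return validity;                /* no match: maximum leaks through  */
}

/* Lookup after the patch: a supplied namehash is answered for that
   user ID only; the maximum is taken only when no namehash is given. */
static int validity_after_fix(const struct valid_rec *db, int recno,
                              const unsigned char *namehash)
{
    int validity = V_NONE;

    while (recno) {
        const struct valid_rec *vrec = &db[recno];
        if (namehash) {
            if (memcmp(vrec->namehash, namehash, HASH_LEN) == 0) {
                validity = vrec->validity;
                break;
            }
        } else if (validity < vrec->validity) {
            validity = vrec->validity;
        }
        recno = vrec->next;
    }
    return validity;
}

int main(void)
{
    printf("%-34s before  after\n", "query");
    printf("%-34s %6d %6d\n", "signed UID",
           validity_before_fix(ONE_SIGNED, 1, UID_MAIN),
           validity_after_fix(ONE_SIGNED, 1, UID_MAIN));
    printf("%-34s %6d %6d\n", "UID with no validity record",
           validity_before_fix(ONE_SIGNED, 1, UID_OTHER),
           validity_after_fix(ONE_SIGNED, 1, UID_OTHER));
    printf("%-34s %6d %6d\n", "no namehash (old pkclist.c call)",
           validity_before_fix(ONE_SIGNED, 1, NULL),
           validity_after_fix(ONE_SIGNED, 1, NULL));
    printf("%-34s %6d %6d\n", "second UID, marginal record",
           validity_before_fix(BOTH_SIGNED, 1, UID_OTHER),
           validity_after_fix(BOTH_SIGNED, 1, UID_OTHER));
    return 0;
}
```

The NULL row is why the g10/pkclist.c hunks matter as well: a caller that passes no namehash gets the key-wide maximum from either loop.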
From: jbruni@mac.com (Joseph Bruni)
Date: Sun May 4 06:00:02 2003
Subject: feature request
Message-ID: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If it's not too much trouble, I would like to see an option added to "configure" that would allow me to change the compiled-in default value of GNUPG_HOMEDIR. (I already know about the GNUPGHOME environment variable.)

Here is why: On Mac OS X, files and directories whose name begins with a dot are not visible in the Finder or in any other program using the standard Open File and Save File routines. Apple does this to honor the Unix tradition of considering such objects as "invisible". This is fine, but I don't think that the files contained in ~/.gnupg should be invisible. Rather, these files should be visible to such utilities as Backup (for obvious reasons). In the OS X way of thinking, these files should probably reside in the ~/Library/GnuPG directory. Therefore, I would like to set the compiled-in default value of GNUPG_HOMEDIR to "~/Library/GnuPG".

(Apple ran into this problem with their "Stickies" application. When OS X 10.0 shipped, the Stickies database was named ".StickiesDatabase", which was not visible to Backup. They have since renamed the database file not to use a preceding dot.)

If there is already a way of doing this through setting a flag to "configure", could someone please point this out?

Regards,
Joseph Bruni

- --
Even he, to whom most things that most people would think were pretty smart were pretty dumb, thought it was pretty smart. — Douglas Adams

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iEYEARECAAYFAj60kIUACgkQ4rg/mXNDweMs0ACgu1DCS78iKISPsUg3ynqF/lHP
grMAoPG7n0p4fXNxMwDqOjrPPqi/SBBP
=IHNl
-----END PGP SIGNATURE-----

From dshaw@jabberwocky.com Sun May 4 07:57:02 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 4 06:57:02 2003 Subject: feature request In-Reply-To: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> References: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> Message-ID: <20030504045724.GA12401@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 03, 2003 at 09:01:04PM -0700, Joseph Bruni wrote: > If it's not too much trouble, I would like to see an option added to > "configure" that would allow me to change the compiled-in default value > of GNUPG_HOMEDIR. (I already know about the GNUPGHOME environment > variable.) > > Here is why: On Mac OS X, files and directories whose name begins with > a dot are not visible in the Finder or in any other program using the > standard Open File and Save File routines. Apple does this to honor the > Unix tradition of considering such objects as "invisible". This is > fine, but I don't think that the files contained in ~/.gnupg should be > invisible. Rather, these files should be visible to such utilities as > Backup (for obvious reasons). In the OS X way of thinking, these files > should probably reside in the ~/Library/GnuPG directory. Therefore, I > would like to set the compiled-in default value of GNUPG_HOMEDIR to > "~/Library/GnuPG". > > (Apple ran into this problem with their "Stickies" application. When OS > X 10.0 shipped, the Stickies database was named ".StickiesDatabase", > which was not visible to Backup. They have since renamed the database > file not to use a preceding dot.) There is currently no way to do this via autoconf, but you can do it manually if you like. Use ./configure as normal, then edit the file "g10defs.h", and put whatever value you like in for GNUPG_HOMEDIR. Then "make" as usual. 
David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.2-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+tJ204mZch0nhy8kRAuR3AJ9D+NaJYQk8KQ9G+W/JeQ0A0lwT5QCfeMbG
ZwGmLl31n8aVichUgaeoyls=
=LolA
-----END PGP SIGNATURE-----

From johanw@vulcan.xs4all.nl Sun May 4 11:16:03 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Sun May 4 10:16:03 2003
Subject: feature request
In-Reply-To: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> from Joseph Bruni at "May 3, 2003 09:01:04 pm"
Message-ID: <200305040914.LAA00665@vulcan.xs4all.nl>

Joseph Bruni wrote:

>Here is why: On Mac OS X, files and directories whose name begins with
>a dot are not visible in the Finder or in any other program using the
>standard Open File and Save File routines. Apple does this to honor the
>Unix tradition of considering such objects as "invisible".

This is bullshit from Apple. All Unix backup tools I know of backup such files. Only from files ending with a ~, which are often backup files from editors, and files in /tmp are often excluded.

They should fix their GUI tools. BTW, doesn't OS X have something like ls -la?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw@vulcan.xs4all.nl Sun May 4 11:16:27 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Sun May 4 10:16:27 2003 Subject: Warnings from make check in 1.2.2 In-Reply-To: <001001c311c9$eebbf560$f92489c3@enterprise> from David Picon Alvarez at "May 4, 2003 00:15:47 am" Message-ID: <200305040818.KAA00410@vulcan.xs4all.nl> David Picon Alvarez wrote: >> My system is Slackware Linux 3.3 with kernel 2.0.38, gcc 2.7.2.2, GNU Make >> version 3.74. >Isn't that development environment a bit dated? Yes. >Not that I think it has to do with that, it's just curiosity on how come >you are running such an old kernel and gcc and yet the newest GnuPG. I hope >you're not offended by my curiosity. Actually, I'm in the process of upgrading to Slackware 8. The only thing currently stopping me is that I don't get CNews to run on it. It isn't default in it anymore, the source doesn't compile on it and the Slack 3.3 version gives a segfault. And I prefer not to switch to INN. CNews is just fine when you use uucp for mail and news. However, I prefer to keep some packages up to date, including GnuPG. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gnupg-users@nahrath.de Sun May 4 15:28:02 2003 
From: gnupg-users@nahrath.de (Michael Nahrath) Date: Sun May 4 14:28:02 2003 Subject: feature request In-Reply-To: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> References: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> Message-ID: <3EB5076D.7080104@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigE5BA6BC8618647749D12E3E0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Joseph Bruni wrote: > If it's not too much trouble, I would like to see an option added to > "configure" that would allow me to change the compiled-in default value > of GNUPG_HOMEDIR. (I already know about the GNUPGHOME environment > variable.) > > Here is why: On Mac OS X, files and directories whose name begins with a > dot are not visible in the Finder or in any other program using the > standard Open File and Save File routines. Actually doing a [command]+[shift]+[g] gives a rather simple interface to reach those folders in the finder. > Apple does this to honor the > Unix tradition of considering such objects as "invisible". This is fine, > but I don't think that the files contained in ~/.gnupg should be > invisible. At least they should not be visible data directly under ~/ > Rather, these files should be visible to such utilities as > Backup (for obvious reasons). Aren't they? So this should be a bug report about 'Backup'. > In the OS X way of thinking, these files > should probably reside in the ~/Library/GnuPG directory. Reasonable path in the layout of MacOS X, but unfortunately this would break every other tool that relies to find the GPG homedir in ~/.gnupg > Therefore, I > would like to set the compiled-in default value of GNUPG_HOMEDIR to > "~/Library/GnuPG". Have you tried mv ~/.gnupg ~/Library/GnuPG ln -s ~/Library/GnuPG ~/.gnupg Wasn't that sufficient to your needs? 
Greeting, Michi --------------enigE5BA6BC8618647749D12E3E0 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj61B3gACgkQ19dRf5pMcEyK1gCgq7JyHB5lpGjchMHB3UZ5azzD MUsAn0G6wuBSqXN4+NNR2XxgGbNuyY0E =4NRa -----END PGP SIGNATURE----- --------------enigE5BA6BC8618647749D12E3E0-- From chris@yonderway.com Sun May 4 18:06:03 2003 From: chris@yonderway.com (Chris Hedemark) Date: Sun May 4 17:06:03 2003 Subject: feature request In-Reply-To: <200305040914.LAA00665@vulcan.xs4all.nl> Message-ID: <220259A4-7E42-11D7-BEB0-0003939CC61E@yonderway.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday, May 4, 2003, at 05:14 AM, Johan Wevers wrote: > BTW, doesn't OS X have something like ls -la? Yes. On the command line it is very much like FreeBSD. He was talking about the Finder, which is the GUI front end to the filesystem. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj61LLoACgkQYPuF4Zq9lvZIqwCg76T2GpPgC729WSLryKthtJjn IvMAoL/+z6D0if8XjxHgIwQYD+87jG8W =QMUm -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 4 19:44:01 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 4 18:44:01 2003 Subject: Warnings from make check in 1.2.2 In-Reply-To: <200305032340.BAA03352@vulcan.xs4all.nl> References: <200305032340.BAA03352@vulcan.xs4all.nl> Message-ID: <20030504164452.GG12401@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, May 04, 2003 at 01:40:15AM +0200, Johan Wevers wrote: > I downloaded the .tar.gz file for gnupg 1.2.2. I did > > ./configure --with-included-zlib --prefix=/usr/local/lib/gnupg > --enable-tiger --enable-sha512 > > and a make without any errors or warnings. Then I ran make check and got > this: > ./detachm.test: [: missing `]' > ./detachm.test: [: missing `]' > Does anyone know what's going on here? I never got those messages about > missing ]'s with other gpg versions, including 1.2.2rc2 and 1.3.1. This is a typo in the 1.2.2 release. It can be safely ignored. What matters is if the tests report PASS or FAIL. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.2-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+tUOE4mZch0nhy8kRAvH7AKDe/ShfLTSiCf2qaTw+FdPu9W+H7gCgtXn8 oxuMkRM9IGAtOIB8FJkeY+g= =OANA -----END PGP SIGNATURE----- From malsyned@cif.rochester.edu Sun May 4 20:01:01 2003 
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Sun May 4 19:01:01 2003
Subject: Invalid subkey binding
In-Reply-To: <20030503230431.GA84223@pm1.ric-30.lft.widomaker.com>
References: <1051992609.8134.18.camel@dennisx.cif.rochester.edu> <20030503230431.GA84223@pm1.ric-30.lft.widomaker.com>
Message-ID: <1052067803.13145.1.camel@dennisx.cif.rochester.edu>

On Sat, 2003-05-03 at 19:04, Jason Harris wrote:

> Check the verbose (default) listing on keyserver.kjsl.com and see that
> a "[keybind, hash: type 2, 6e 50]" signature is present on both subkeys,
> making it likely to be a duplicate (that is invalid when paired with
> the wrong subkey).

On Sat, 2003-05-03 at 20:53, David Shaw wrote:

> Probably someone sent an update to your key to one of the other
> keyservers, which garbled it a bit, and re-synched that back to
> keyserver.bu.edu. Basically, one of your subkeys has two signatures
> on it, only one of which is valid.
>
> So long as you have both your subkeys (and you do), it's a harmless
> warning, and can safely be ignored.

Thanks for the info, guys. This mailing list is incredibly friendly and useful.

I'm glad this isn't going to be a problem. I don't suppose there's a way to get that erroneous subkey signature to go away? some kind of magical revocation certificate that makes the world forget it even existed?

--Dennis Lambe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: My public key is available at http://cif.rochester.edu/~malsyned/public_key.html

iD8DBQA+tUfa+yh/ThbejSgRAlMJAJ9RshikIbgEudPLsTrrGIsYzlCi4ACghFgj
g9dOCPv6Hxy/0Z4m0+sj4Xw=
=l8wX
-----END PGP SIGNATURE-----

From dshaw@jabberwocky.com Sun May 4 20:33:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 4 19:33:02 2003
Subject: GPG 1.2.2 released?
In-Reply-To: <20030503192544.GA6604@wizard.com>
References: <3EB33863.9020605@attbi.com> <20030503074808.3437dffe.rdmyers@pe.net> <20030503085508.65d2ecd1.rdmyers@pe.net> <200305031845.24714.richard@sheflug.co.uk> <20030503192544.GA6604@wizard.com>
Message-ID: <20030504173315.GH12401@jabberwocky.com>

On Sat, May 03, 2003 at 12:25:44PM -0700, A Guy Called Tyketto wrote:

> In other news, make fails in ./checks during the original compile, on
> Solaris 2.8:
>
> SunOS charleston-peak 5.8 Generic_108528-19 sun4u sparc SUNW,Sun-Fire
> gcc version 2.95.3 20010315 (release)
>
> gmake[3]: Leaving directory `/tmp/gnupg-1.2.2/doc'
> gmake[2]: Leaving directory `/tmp/gnupg-1.2.2/doc'
> Making all in checks
> gmake[2]: Entering directory `/tmp/gnupg-1.2.2/checks'
> echo '#!/bin/sh' >./gpg_dearmor
> echo "../g10/gpg --no-options --no-greeting \
> --no-secmem-warning --batch --dearmor" >>./gpg_dearmor
> chmod 755 ./gpg_dearmor
> ./gpg_dearmor > ./pubring.gpg < ./pubring.asc
> Bus Error

Can you send me a stack backtrace for this? gpg_dearmor is just a shell script around gpg, so do:

gpg --no-options --no-greeting --no-secmem-warning --batch --dearmor > ./pubring.gpg < ./pubring.asc

If/when it bus errors, backtrace that.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.2-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+tU7b4mZch0nhy8kRAkFxAJ48ApFSXr6ty7oSAZtwtgbux+vGfQCdGpaA
Gve7UoCJ0ZTusGTgJwZRJfM=
=/bs2
-----END PGP SIGNATURE-----

From tony.kwok@3web.net Sun May 4 21:51:02 2003
From: tony.kwok@3web.net (tk) Date: Sun May 4 20:51:02 2003 Subject: feature request In-Reply-To: <3EB5076D.7080104@nahrath.de> References: <06770CB5-7DE5-11D7-88B1-003065B1243E@mac.com> <3EB5076D.7080104@nahrath.de> Message-ID: <3EB56153.4020100@3web.net> Michael Nahrath wrote: > Joseph Bruni wrote: > >>If it's not too much trouble, I would like to see an option added to >>"configure" that would allow me to change the compiled-in default value >>of GNUPG_HOMEDIR. (I already know about the GNUPGHOME environment >>variable.) >> >>Here is why: On Mac OS X, files and directories whose name begins with a >>dot are not visible in the Finder or in any other program using the >>standard Open File and Save File routines. > > At least they should not be visible data directly under ~/ > And why is that? tk From dshaw@jabberwocky.com Sun May 4 23:32:02 2003 
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 4 22:32:02 2003
Subject: Invalid subkey binding
In-Reply-To: <1052067803.13145.1.camel@dennisx.cif.rochester.edu>
References: <1051992609.8134.18.camel@dennisx.cif.rochester.edu> <20030503230431.GA84223@pm1.ric-30.lft.widomaker.com> <1052067803.13145.1.camel@dennisx.cif.rochester.edu>
Message-ID: <20030504203245.GI12401@jabberwocky.com>

On Sun, May 04, 2003 at 01:03:23PM -0400, Dennis Lambe Jr. wrote:

> On Sat, 2003-05-03 at 19:04, Jason Harris wrote:
> > Check the verbose (default) listing on keyserver.kjsl.com and see that
> > a "[keybind, hash: type 2, 6e 50]" signature is present on both subkeys,
> > making it likely to be a duplicate (that is invalid when paired with
> > the wrong subkey).
>
> On Sat, 2003-05-03 at 20:53, David Shaw wrote:
> > Probably someone sent an update to your key to one of the other
> > keyservers, which garbled it a bit, and re-synched that back to
> > keyserver.bu.edu. Basically, one of your subkeys has two signatures
> > on it, only one of which is valid.
> >
> > So long as you have both your subkeys (and you do), it's a harmless
> > warning, and can safely be ignored.
>
> Thanks for the info, guys. This mailing list is incredibly friendly and
> useful.
>
> I'm glad this isn't going to be a problem. I don't suppose there's a
> way to get that erroneous subkey signature to go away? some kind of
> magical revocation certificate that makes the world forget it even
> existed?

No. Since it is an error, there is nothing in the protocol to invalidate it. It is inherently invalid.

Note that GnuPG does remove the invalid signature. The keyserver is what keeps trying to put it back, causing the warning message. This is proper behavior as GnuPG can check the signature and see that it is invalid. The keyserver cannot check, and so does not risk removing a signature that might be valid.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.2-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+tXjt4mZch0nhy8kRAqQFAKDROAneLh59WpyiOZgkHsbRuD5tiQCfVAtI
FtFqRM8kgxlRX6AMA4I3i00=
=XtAn
-----END PGP SIGNATURE-----

From hdbtroll@moment.net Mon May 5 00:58:02 2003
From: hdbtroll@moment.net (DB Troll)
Date: Sun May 4 23:58:02 2003
Subject: Unable to recieve public key
Message-ID: <3EB58D0E.8030101@moment.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lately I have had some signed messages that lock the system for 2-3 minutes with my firewall on. If I shutdown the firewall this does not happen but all of the messages still take a bit before enigmail shows Unverified signature, click pen icon. When I click icon it of course opens another window to import public key. I say OK then it comes back with yet another box stating

Unable to receive public key
gpg: requesting key 0x49E...... from wwwkeys.uk.pgp.net
gpg: no valid OpenPGP data found
gpg: Total number processed: 0

Anyone advise on this.

TIA
David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+tY0O3VVncqMjOZsRArPEAJ9nUA2cgpAMqqPQ4v6RwyHmso3gVgCfaxW7
tNUqH9gEZJPec+2021iOpi8=
=XdNU
-----END PGP SIGNATURE-----

From Robin Lynn Frank Mon May 5 02:00:01 2003
From: Robin Lynn Frank (Robin Lynn Frank)
Date: Mon May 5 01:00:01 2003
Subject: OT (slightly)gpg and kgpg
Message-ID: <200305041603.26480.rlfrank@paradigm-omega.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Compiled and installed 1.2.2...all is well

Got kgpg 1.0.0, compiled and installed it...most is well. It works with gpg okay, but the honor http proxy option is greyed out. One minor annoyance is that it can't seem to find its icons. If anyone has a quick answer to this, I'd appreciate it.

Thanks.

- --
Sed quis custodiet ipsos custodes?
==========================================================================
Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
Copyright and PGP/GPG info in mail or message headers.
Email acceptance policy at http://paradigm-omega.com/email_policy.html
==========================================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+tZwxVWi6vGR+wzYRAmH0AJ0d78nwcHIvlpM674jIGotZk2ijfgCaAjGP
hkoLvnhtpySGrsY7H0imqb0=
=tbtp
-----END PGP SIGNATURE-----

From jharris@widomaker.com Mon May 5 04:44:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Mon May 5 03:44:02 2003
Subject: new (2003-05-04) keyanalyze results
Message-ID: <20030505014506.GA87246@pm1.ric-30.lft.widomaker.com>

New keyanalyze results are available at:

http://keyserver.kjsl.com/~jharris/ka/2003-05-04/

Earlier reports are also available, for comparison:

http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

http://dtype.org/keyanalyze/

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+tcIfSypIl9OdoOMRAvjtAJ9kGcozNKyICZIPykrOXw/Oav6tWACfdAZv
bJI4LgBfQhtzVEB3wWcKDOs=
=jNGc
-----END PGP SIGNATURE-----

From sebastian@karotte.org Mon May 5 12:18:02 2003
From: sebastian@karotte.org (Sebastian Wiesinger)
Date: Mon May 5 11:18:02 2003
Subject: Problem with Import of ultimate trusted key
Message-ID: <20030505091931.GA6456@data.fire-world.de>

Hi all!

I have a problem here with the import of my own public key into another keyring (the key is in pubring.gpg and in mykey.asc):

I use gpg 1.2.1 with the following options:

gpg --no-options --armor --no-default-keyring --keyring mykey.gpg --import mykey.asc

If I do so, the import resets the trust of my key to "unknown", also in my main keyring (well it just updates the trustdb).

Is it possible to stop gpg from updating the trustdb for specific imports?

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'But...I died,' said the shade of Unity. YES, said Death. THIS IS THE NEXT PART... - Terry Pratchett, Thief Of Time

From thomas@elsgaard.dk Mon May 5 12:54:02 2003
From: thomas@elsgaard.dk (thomas@elsgaard.dk)
Date: Mon May 5 11:54:02 2003
Subject: hi guys, i need som newbie help...
Message-ID: <200305051154601.SM00916@Debug>

hi guys

i have just installed gnupg, no problems

but when i try to send an encrypted mail to my
other mail address i get the following error:

thomas@elsgaard.dk skipped: public key not found..

but if i list my public keys i get:

pub 1024D/664212CF 2003-05-05 Thomas Elsgaard (administrator)
sub 1024g/A450C93D 2003-05-05

pub 1024D/29966025 2003-05-05 Thomas Elsgaard (administrator)
sub 1024g/1F35F2C5 2003-05-05

so why can't i send the mail ??

///Thomas

From dshaw@jabberwocky.com Mon May 5 16:47:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 15:47:03 2003
Subject: Problem with Import of ultimate trusted key
In-Reply-To: <20030505091931.GA6456@data.fire-world.de>
References: <20030505091931.GA6456@data.fire-world.de>
Message-ID: <20030505134732.GJ12401@jabberwocky.com>

On Mon, May 05, 2003 at 11:19:31AM +0200, Sebastian Wiesinger wrote:

> I have a problem here with the import of my own public key into
> another keyring (the key is in pubring.gpg and in mykey.asc):
>
> I use gpg 1.2.1 with the following options:
>
> gpg --no-options --armor --no-default-keyring --keyring mykey.gpg --import mykey.asc
>
> If I do so, the import resets the trust of my key to "unknown", also in
> my main keyring (well it just updates the trustdb).

Yes. This is intentional since GnuPG sees you importing a key that
doesn't currently exist... but at the same time sees that key has
ultimate trust in the trustdb. Since GnuPG normally deletes trust
when a key is deleted, this means there is a mismatch between the
trustdb and the keyring(s).

> Is it possible to stop gpg from updating the trustdb for specific
> imports?

gpg --trustdb-name ./temp.trustdb .......
rm ./temp.trustdb

David

From rene@clerc.nl Mon May 5 18:54:02 2003
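[Added example, not part of any message in this thread.] David's `--trustdb-name` suggestion written out as a complete import into a scratch keyring with a scratch trustdb, so the default keyring and the real trustdb are left alone. The helper name `import_isolated` and the temporary file names are assumptions made for this example; it expects a `gpg` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a key file without letting
# gpg write to the default keyring or the real trustdb.
# import_isolated is a hypothetical helper name.

# import_isolated KEYFILE
#   Prints the fingerprint of every primary key found in KEYFILE, one per line.
#   Returns 0 on success, 1 if the import fails, 2 if KEYFILE is unreadable,
#   3 if gpg is not installed.
import_isolated() {
    keyfile=$1
    [ -r "$keyfile" ] || { echo "import_isolated: cannot read '$keyfile'" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "import_isolated: gpg not found" >&2; return 3; }

    # Private (mode 0700) scratch directory for the throw-away files.
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/gpg-scratch.XXXXXX") || return 1

    # --no-options          ignore the user's gpg.conf
    # --no-default-keyring  do not add the default public keyring
    # --keyring             write imported keys to the scratch keyring only
    # --trustdb-name        keep all trust bookkeeping in a scratch trustdb
    rc=0
    gpg --batch --quiet --no-options --no-default-keyring \
        --keyring "$scratch/scratch.gpg" \
        --trustdb-name "$scratch/trustdb.gpg" \
        --import "$keyfile" 2>/dev/null || rc=1

    if [ "$rc" -eq 0 ]; then
        # List what was imported; print only the fingerprint record that
        # follows each "pub" record (subkey fingerprints are skipped).
        gpg --batch --quiet --no-options --no-default-keyring \
            --keyring "$scratch/scratch.gpg" \
            --trustdb-name "$scratch/trustdb.gpg" \
            --with-colons --fingerprint 2>/dev/null |
          awk -F: '$1 == "pub" { want = 1 }
                   $1 == "fpr" && want { print $10; want = 0 }'
    fi

    # The "rm ./temp.trustdb" step from the thread, applied to both files.
    rm -rf "$scratch"
    return "$rc"
}
```

Call it as `import_isolated mykey.asc`. If `use-keyboxd` is enabled in common.conf (GnuPG 2.4), keyrings are not used at all and keys are kept by keyboxd, so on such a setup isolate the import with a separate `--homedir` instead.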
From: rene@clerc.nl (René Clerc)
Date: Mon May 5 17:54:02 2003
Subject: GnuPG 1.2.2 make fails
Message-ID: <20030505155307.GD5135@clerc.nl>

Hi all,

The make of GnuPG fails on my Linux machine:

gcc -DGNUPG_LIBEXECDIR="\"/usr/local/libexec/gnupg\"" -g -O2 -Wall -o gpg g10.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o comment.o status.o plaintext.o sig-check.o keylist.o signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o hkp.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o exec.o mkdtemp.o
../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a -ldl -lz
passphrase.o: In function `agent_get_passphrase':
/home/rene/src/gnupg-1.2.2/g10/passphrase.c:648: undefined reference to `bind_textdomain_codeset'
/home/rene/src/gnupg-1.2.2/g10/passphrase.c:656: undefined reference to `bind_textdomain_codeset'
/home/rene/src/gnupg-1.2.2/g10/passphrase.c:769: undefined reference to `bind_textdomain_codeset'
/home/rene/src/gnupg-1.2.2/g10/passphrase.c:861: undefined reference to `bind_textdomain_codeset'
/home/rene/src/gnupg-1.2.2/g10/passphrase.c:884: undefined reference to `bind_textdomain_codeset'
collect2: ld returned 1 exit status
make[2]: *** [gpg] Error 1
make[2]: Leaving directory `/home/rene/src/gnupg-1.2.2/g10'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/rene/src/gnupg-1.2.2'
make: *** [all] Error 2

Any clues? If you need any more information, please do ask.

TIA,

--
René Clerc - (rene@clerc.nl)

A Smith and Wesson beats four aces.
-Canada Bill Jones

From jbruni@mac.com Mon May 5 19:17:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 5 18:17:02 2003
Subject: Building 1.2.2 on HP/UX 11.11
Message-ID: <7152981.1052151484061.JavaMail.jbruni@mac.com>

Never a dull moment with HP/UX... For some reason, autoconf did not
correctly locate gettimeofday and flagged it as nonexistent. The build
failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY to 1,
GPG built just fine with no other issues.

Now I get to fight with it on Tru64... For some reason
EXTERN_UNLESS_MAIN_MODULE is not getting defined properly. I'm
beginning to think that POSIX is a myth. :)

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From sebastian@karotte.org Mon May 5 19:41:02 2003
From: sebastian@karotte.org (Sebastian Wiesinger)
Date: Mon May 5 18:41:02 2003
Subject: Problem with Import of ultimate trusted key
In-Reply-To: <20030505134732.GJ12401@jabberwocky.com>
References: <20030505091931.GA6456@data.fire-world.de> <20030505134732.GJ12401@jabberwocky.com>
Message-ID: <20030505164217.GA8939@data.fire-world.de>

* David Shaw [2003-05-05 16:29]:
> > Is it possible to stop gpg from updating the trustdb for specific
> > imports?
>
> gpg --trustdb-name ./temp.trustdb .......
> rm ./temp.trustdb

Ah great, didn't know that option existed. It's not mentioned in the
man-file or in --help.

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Resist the beginnings: http://odem.org/informationsfreiheit/
'But...I died,' said the shade of Unity. YES, said Death. THIS IS THE
NEXT PART... - Terry Pratchett, Thief Of Time

From ellement@sdd.hp.com Mon May 5 20:16:06 2003
From: ellement@sdd.hp.com (David Ellement)
Date: Mon May 5 19:16:06 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <7152981.1052151484061.JavaMail.jbruni@mac.com>
References: <7152981.1052151484061.JavaMail.jbruni@mac.com>
Message-ID: <20030505171700.GC18951@sdd.hp.com>

On 2003-05-05, Joseph Bruni wrote
> Never a dull moment with HP/UX... For some reason, autoconf did not
> correctly locate gettimeofday and flagged it as nonexistent. The build
> failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY to 1,
> GPG built just fine with no other issues.

I saw the same thing (HP/UX 11.11 & gcc 3.2.2). In config.log, the
cause is listed as "conflicting types for `gettimeofday'". It looks
like the test program defines gettimeofday as well as includes
sys/time.h.

--
David Ellement

From dshaw@jabberwocky.com Mon May 5 20:29:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 19:29:01 2003
Subject: GnuPG 1.2.2 make fails
In-Reply-To: <20030505155307.GD5135@clerc.nl>
References: <20030505155307.GD5135@clerc.nl>
Message-ID: <20030505172946.GP12401@jabberwocky.com>

On Mon, May 05, 2003 at 05:53:07PM +0200, René Clerc wrote:
> Hi all,
>
> The make of GnuPG fails on my Linux machine:
>
> gcc -DGNUPG_LIBEXECDIR="\"/usr/local/libexec/gnupg\"" -g -O2 -Wall -o gpg g10.o build-packet.o compress.o free-packet.o getkey.o keydb.o keyring.o seskey.o kbnode.o mainproc.o armor.o mdfilter.o textfilter.o progress.o misc.o openfile.o keyid.o parse-packet.o comment.o status.o plaintext.o sig-check.o keylist.o signal.o pkclist.o skclist.o pubkey-enc.o passphrase.o seckey-cert.o encr-data.o cipher.o encode.o sign.o verify.o revoke.o decrypt.o keyedit.o dearmor.o import.o export.o hkp.o trustdb.o tdbdump.o tdbio.o delkey.o keygen.o pipemode.o helptext.o keyserver.o photoid.o exec.o mkdtemp.o
> ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a -ldl -lz
> passphrase.o: In function `agent_get_passphrase':
> /home/rene/src/gnupg-1.2.2/g10/passphrase.c:648: undefined reference to `bind_textdomain_codeset'
> /home/rene/src/gnupg-1.2.2/g10/passphrase.c:656: undefined reference to `bind_textdomain_codeset'
> /home/rene/src/gnupg-1.2.2/g10/passphrase.c:769: undefined reference to `bind_textdomain_codeset'
> /home/rene/src/gnupg-1.2.2/g10/passphrase.c:861: undefined reference to `bind_textdomain_codeset'
> /home/rene/src/gnupg-1.2.2/g10/passphrase.c:884: undefined reference to `bind_textdomain_codeset'

Try ./configure --with-included-gettext

David

From jbruni@mac.com Mon May 5 20:33:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 5 19:33:02 2003
Subject: GPG 1.2.2 on Tru64 4.0F
Message-ID: <4097198.1052156040233.JavaMail.jbruni@mac.com>

This is so much fun. The file ./include/iobuf.h contains the following snippet:

#ifndef EXTERN_UNLESS_MAIN_MODULE
#if defined (__riscos__) && !defined (INCLUDED_BY_MAIN_MODULE)
#define EXTERN_UNLESS_MAIN_MODULE extern
#else
#define EXTERN_UNLESS_MAIN_MODULE
#endif
#endif
EXTERN_UNLESS_MAIN_MODULE int iobuf_debug_mode;

While trying to compile ./util/g10u.c it seems that I've encountered a
bug in DEC's (HP's) compiler. At the time that this header file is
being compiled, the macro EXTERN_UNLESS_MAIN_MODULE is not defined.
But, wonder of wonders, the C preprocessor does not evaluate either of
the branches. At the point that iobuf_debug_mode is being defined, the
macro EXTERN_UNLESS_MAIN_MODULE remains not defined at all. I ran this
through the compiler with the -E option and was aghast at the results.
For grins I inserted the following just before iobuf_debug_mode:

#ifndef EXTERN_UNLESS_MAIN_MODULE
#error
#endif
EXTERN_UNLESS_MAIN_MODULE int iobuf_debug_mode;

and the compile aborts because it hit my #error directive though it
shouldn't have. I guess DEC's compiler doesn't like nested #if
directives?

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From dshaw@jabberwocky.com Mon May 5 20:42:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 19:42:01 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <7152981.1052151484061.JavaMail.jbruni@mac.com>
References: <7152981.1052151484061.JavaMail.jbruni@mac.com>
Message-ID: <20030505174240.GQ12401@jabberwocky.com>

On Mon, May 05, 2003 at 10:18:04AM -0600, Joseph Bruni wrote:

> Never a dull moment with HP/UX... For some reason, autoconf did not
> correctly locate gettimeofday and flagged it as nonexistent. The
> build failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY
> to 1, GPG built just fine with no other issues.

Strange. That sounds like something in autoconf. What does your
config.log show for the gettimeofday check?

Is the old inline problem at least working all right?

David

From dshaw@jabberwocky.com Mon May 5 20:49:12 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 19:49:12 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <20030505174240.GQ12401@jabberwocky.com>
References: <7152981.1052151484061.JavaMail.jbruni@mac.com> <20030505174240.GQ12401@jabberwocky.com>
Message-ID: <20030505174953.GR12401@jabberwocky.com>

On Mon, May 05, 2003 at 01:42:40PM -0400, David Shaw wrote:
> On Mon, May 05, 2003 at 10:18:04AM -0600, Joseph Bruni wrote:
>
> > Never a dull moment with HP/UX... For some reason, autoconf did not
> > correctly locate gettimeofday and flagged it as nonexistent. The
> > build failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY
> > to 1, GPG built just fine with no other issues.
>
> Strange. That sounds like something in autoconf. What does your
> config.log show for the gettimeofday check?
>
> Is the old inline problem at least working all right?

Actually, I have a related question - what error did you get when
gettimeofday did not exist? Theoretically, GnuPG should be able to
build without it.

David

From dshaw@jabberwocky.com Mon May 5 21:12:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 20:12:02 2003
Subject: Problem with Import of ultimate trusted key
In-Reply-To: <20030505164217.GA8939@data.fire-world.de>
References: <20030505091931.GA6456@data.fire-world.de> <20030505134732.GJ12401@jabberwocky.com> <20030505164217.GA8939@data.fire-world.de>
Message-ID: <20030505181312.GS12401@jabberwocky.com>

On Mon, May 05, 2003 at 06:42:17PM +0200, Sebastian Wiesinger wrote:
> * David Shaw [2003-05-05 16:29]:
> > > Is it possible to stop gpg from updating the trustdb for specific
> > > imports?
> >
> > gpg --trustdb-name ./temp.trustdb .......
> > rm ./temp.trustdb
>
> Ah great, didn't know that option existed. It's not mentioned in the
> man-file or in --help.

You're right. I'll add that for 1.2.3.

David

From dshaw@jabberwocky.com Mon May 5 22:24:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 21:24:02 2003
Subject: GPG 1.2.2 on Tru64 4.0F
In-Reply-To: <4097198.1052156040233.JavaMail.jbruni@mac.com>
References: <4097198.1052156040233.JavaMail.jbruni@mac.com>
Message-ID: <20030505192435.GU12401@jabberwocky.com>

On Mon, May 05, 2003 at 11:34:00AM -0600, Joseph Bruni wrote:
> This is so much fun. The file ./include/iobuf.h contains the following snippet:
>
> #ifndef EXTERN_UNLESS_MAIN_MODULE
> #if defined (__riscos__) && !defined (INCLUDED_BY_MAIN_MODULE)
> #define EXTERN_UNLESS_MAIN_MODULE extern
> #else
> #define EXTERN_UNLESS_MAIN_MODULE
> #endif
> #endif
> EXTERN_UNLESS_MAIN_MODULE int iobuf_debug_mode;
>
>
> While trying to compile ./util/g10u.c it seems that I've encountered
> a bug in DEC's (HP's) compiler. At the time that this header file is
> being compiled, the macro EXTERN_UNLESS_MAIN_MODULE is not
> defined. But, wonder of wonders, the C preprocessor does not
> evaluate either of the branches. At the point that iobuf_debug_mode
> is being defined, the macro EXTERN_UNLESS_MAIN_MODULE remains not
> defined at all. I ran this through the compiler with the -E option
> and was aghast at the results. For grins I inserted the following
> just before iobuf_debug_mode:
>
>
> #ifndef EXTERN_UNLESS_MAIN_MODULE
> #error
> #endif
> EXTERN_UNLESS_MAIN_MODULE int iobuf_debug_mode;
>
> and the compile aborts because it hit my #error directive though it
> shouldn't have. I guess DEC's compiler doesn't like nested #if
> directives?

That's very odd. What happens if you change the empty definition of
EXTERN_UNLESS_MAIN_MODULE in include/iobuf.h to:

#define EXTERN_UNLESS_MAIN_MODULE " "

David

From jbruni@mac.com Mon May 5 22:47:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 5 21:47:02 2003
Subject: Building 1.2.2 on HP/UX 11.11
Message-ID: <3541619.1052164113473.JavaMail.jbruni@mac.com>

The inline problem never reared its head on HP. After fixing the
#define in config.h for the gettimeofday, everything compiled and
checked out fine.

Tru64 on the other hand... I gave up on DEC's compiler and switched to
gcc 3.2.2. Life is good again. I think I'm going to lobby my
Congressman to pass a law mandating GCC from now on. I think buggy
compilers should carry a minimum penalty of dismemberment.

Joe

On Monday, May 05, 2003, at 11:42AM, David Shaw wrote:

>On Mon, May 05, 2003 at 10:18:04AM -0600, Joseph Bruni wrote:
>
>> Never a dull moment with HP/UX... For some reason, autoconf did not
>> correctly locate gettimeofday and flagged it as nonexistent. The
>> build failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY
>> to 1, GPG built just fine with no other issues.
>
>Strange. That sounds like something in autoconf. What does your
>config.log show for the gettimeofday check?
>
>Is the old inline problem at least working all right?
>
>David

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From jbruni@mac.com Mon May 5 22:51:03 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 5 21:51:03 2003
Subject: Building 1.2.2 on HP/UX 11.11
Message-ID: <7854381.1052164335359.JavaMail.jbruni@mac.com>

here is the section from config.log:

configure:12938: checking for gettimeofday
configure:12988: cc -o conftest -g -Ae -D_HPUX_SOURCE conftest.c >&5
cc: "configure", line 13057: error 1584: Inconsistent type declaration: "gettimeofday".
cc: "configure", line 13064: warning 604: Pointers are not assignment-compatible.
cc: "configure", line 13073: warning 605: Illegal pointer combination for !=.

I get a LOT of "pointer not assignment-compatible" warnings throughout
the build process using HP's compiler. I don't think this is really a
problem since I'm building everything in 32-bit mode. I'm not using the
DD64 option.

On Monday, May 05, 2003, at 11:49AM, David Shaw wrote:

>On Mon, May 05, 2003 at 01:42:40PM -0400, David Shaw wrote:
>> On Mon, May 05, 2003 at 10:18:04AM -0600, Joseph Bruni wrote:
>>
>> > Never a dull moment with HP/UX... For some reason, autoconf did not
>> > correctly locate gettimeofday and flagged it as nonexistent. The
>> > build failed, but by modifying config.h to set the HAVE_GETTIMEOFDAY
>> > to 1, GPG built just fine with no other issues.
>>
>> Strange. That sounds like something in autoconf. What does your
>> config.log show for the gettimeofday check?
>>
>> Is the old inline problem at least working all right?
>
>Actually, I have a related question - what error did you get when
>gettimeofday did not exist? Theoretically, GnuPG should be able to
>build without it.
>
>David

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From linux@codehelp.co.uk Mon May 5 23:05:03 2003
From: linux@codehelp.co.uk (Neil Williams)
Date: Mon May 5 22:05:03 2003
Subject: Unable to recieve public key
In-Reply-To: <3EB6BB7D.20509@moment.net>
References: <3EB58D0E.8030101@moment.net> <200305051852.22618.linux@codehelp.co.uk> <3EB6BB7D.20509@moment.net>
Message-ID: <200305052105.47792.linux@codehelp.co.uk>

On Monday 05 May 2003 8:29 pm, DB Troll wrote:
> Neil Williams wrote:
> > On Sunday 04 May 2003 10:58 pm, DB Troll wrote:
> > You have auto-key-retrieve set as an option in .gnupg/gpg.conf / options
> > ?
>
> Yes,
> # Example HKP keyserver:
>
> keyserver x-hkp://wwwkeys.uk.pgp.net
>
> # broken-http-proxy = try to work around a buggy HTTP proxy
>
> #
>
> keyserver-options auto-key-retrieve,verbose,verbose
>
> My version is 1.2.1
>
> Do I just want to uncomment broken-http-proxy.
> Thanks

Add the broken-proxy command to the keyserver option:
keyserver-options auto-key-retrieve,verbose,verbose broken-http-proxy

(Doesn't this option use spaces instead of commas? I think it should read:)
keyserver-options auto-key-retrieve broken-http-proxy

--

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

From hdbtroll@moment.net Mon May 5 23:32:03 2003
From: hdbtroll@moment.net (DB Troll)
Date: Mon May 5 22:32:03 2003
Subject: Unable to recieve public key
In-Reply-To: <200305052105.47792.linux@codehelp.co.uk>
References: <3EB58D0E.8030101@moment.net> <200305051852.22618.linux@codehelp.co.uk> <3EB6BB7D.20509@moment.net> <200305052105.47792.linux@codehelp.co.uk>
Message-ID: <3EB6CA84.9020807@moment.net>

Neil Williams wrote:
> On Monday 05 May 2003 8:29 pm, DB Troll wrote:
>
>>Neil Williams wrote:
>>
>>>On Sunday 04 May 2003 10:58 pm, DB Troll wrote:
>>>
>>My version is 1.2.1
>>
>>Do I just want to uncomment broken-http-proxy.
>>Thanks
>
>
> Add the broken-proxy command to the keyserver option:
> keyserver-options auto-key-retrieve,verbose,verbose broken-http-proxy
>
> (Doesn't this option use spaces instead of commas? I think it should read:)
> keyserver-options auto-key-retrieve broken-http-proxy
>
> --
>
> Neil Williams
> =============
> http://www.codehelp.co.uk
> http://www.dclug.org.uk
>
> http://www.wewantbroadband.co.uk/
>

Thanks Neil, Changed the config as suggested and the times for checking
seem to have diminished but several of the messages still return
unverified signature and when I tell it to retrieve key it comes back
with no OpenPGP data found, is this because these people's keys are not
registered.
David

From dshaw@jabberwocky.com Mon May 5 23:51:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 5 22:51:02 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <7854381.1052164335359.JavaMail.jbruni@mac.com>
References: <7854381.1052164335359.JavaMail.jbruni@mac.com>
Message-ID: <20030505205206.GV12401@jabberwocky.com>

On Mon, May 05, 2003 at 01:52:15PM -0600, Joseph Bruni wrote:
> here is the section from config.log:
>
> configure:12938: checking for gettimeofday
> configure:12988: cc -o conftest -g -Ae -D_HPUX_SOURCE conftest.c >&5
> cc: "configure", line 13057: error 1584: Inconsistent type declaration: "gettimeofday".
> cc: "configure", line 13064: warning 604: Pointers are not assignment-compatible.
> cc: "configure", line 13073: warning 605: Illegal pointer combination for !=.
>
> I get a LOT of "pointer not assignment-compatible" warnings throughout the build process using HP's compiler. I don't think this is really a problem since I'm building everything in 32-bit mode. I'm not using the DD64 option.

Sorry - I wasn't clear. I meant to ask what error you got when
building GnuPG when gettimeofday wasn't available. Not the configure
error. It was probably something in cipher/

David

From jbruni@mac.com Tue May 6 00:01:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 5 23:01:02 2003
Subject: Building 1.2.2 on Tru64 4.0F
Message-ID: <1963591.1052168560910.JavaMail.jbruni@mac.com>

I did a few more experiments on Tru64. If I change the empty macro defn to be

#define EXTERN_UNLESS_MAIN_MODULE ""

I get the same results:

source='g10u.c' object='g10u.o' libtool=no depfile='.deps/g10u.Po' tmpdepfile='.deps/g10u.TPo' depmode=tru64 /bin/ksh ../scripts/depcomp cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -w -c `test -f 'g10u.c' || echo './'`g10u.c
cc: Error: ../include/iobuf.h, line 81: Missing ";". (nosemi)
EXTERN_UNLESS_MAIN_MODULE int iobuf_debug_mode;
--------------------------^

However, if I change the compiler to c89, it compiles just fine

./configure CC=c89

So, on Tru64 you can build this with either GCC 3.2.2 or c89, but not with cc.

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From linux@codehelp.co.uk Tue May 6 01:13:02 2003
From: linux@codehelp.co.uk (Neil Williams)
Date: Tue May 6 00:13:02 2003
Subject: Unable to recieve public key
In-Reply-To: <3EB6CA84.9020807@moment.net>
References: <3EB58D0E.8030101@moment.net> <200305052105.47792.linux@codehelp.co.uk> <3EB6CA84.9020807@moment.net>
Message-ID: <200305052313.54670.linux@codehelp.co.uk>

On Monday 05 May 2003 9:33 pm, DB Troll wrote:
> Thanks Neil, Changed the config as suggested and the times for checking
> seem to have diminished but several of the messages still return
> unverified signature and when I tell it to retrieve key it comes back
> with no OpenPGP data found, is this because these people's keys are not
> registered.
> David

Some people don't send their keys to keyservers out of preference.
Some people use subkeys and other bits that some keyservers can't handle.

Either way, the keyserver reports no key data found.

If you do want the key, sometimes people who have experienced problems with
their own keys on keyservers add details of their keys to their ordinary text
signature (keyid, website location, etc.) for manual import into your own
rings.

In previous cases, I've just emailed the person concerned asking if they could
let me know the location of a website or name of a keyserver that holds their
key data.

Once imported, you won't have any further delays on that key.

--

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

From linux@codehelp.co.uk Tue May 6 01:27:02 2003
From: linux@codehelp.co.uk (Neil Williams)
Date: Tue May 6 00:27:02 2003
Subject: hi guys, i need som newbie help...
In-Reply-To: <200305051154601.SM00916@Debug>
References: <200305051154601.SM00916@Debug>
Message-ID: <200305052327.50798.linux@codehelp.co.uk>

On Monday 05 May 2003 3:54 pm, thomas@elsgaard.dk wrote:
> hi guys
>
> i have just installed gnupg, no problems
>
> but when i try to send an encrypted mail to my
> other mail address i get the following error:

To encrypt you usually need to have signed the recipient key.

> thomas@elsgaard.dk skipped: public key not
> found..

Although I thought GnuPG would have said so rather than just saying the key
wasn't found. I can't check because your keys aren't on a keyserver.
Use:
$ gpg --keyserver keyserver.linux.it --send-keys 664212cf 29966025

> so why can't i send the mail ??

See if it is signed using:
$ gpg --check-sigs 664212cf 29966025
You should see a self-signature AND a signature from each of the two keys:
e.g. on my two keys:

pub 1024D/A897FD02 2002-01-27 Neil Williams (laptop)
sig!3 A897FD02 2002-01-27 Neil Williams (laptop)
sig! 28BCB3E3 2002-07-01 Neil Williams (CodeHelp)

pub 1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp)
sig!3 28BCB3E3 2002-01-27 Neil Williams (CodeHelp)
sig!3 A897FD02 2003-01-14 Neil Williams (laptop)

You might also have to edit each key to set the trust level. You have to set
one of your keys (the ones with a secret and public key) to ultimate trust -
so that the mail client knows who you are. Check also that you have set a
keyid to use in the configuration of the mail client.

Trust can be a hard thing to get to grips with so be careful not to set a high
trust level or sign other people's keys without personal contact and
verification. (Don't sign my keys, for example, the info above is not enough
to verify a key).

--

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

From hdbtroll@moment.net Tue May 6 02:33:02 2003
From: hdbtroll@moment.net (DB Troll)
Date: Tue May 6 01:33:02 2003
Subject: Unable to recieve public key
In-Reply-To: <200305052313.54670.linux@codehelp.co.uk>
References: <3EB58D0E.8030101@moment.net> <200305052105.47792.linux@codehelp.co.uk> <3EB6CA84.9020807@moment.net> <200305052313.54670.linux@codehelp.co.uk>
Message-ID: <3EB6F4E7.9030809@moment.net>

Neil Williams wrote:
> On Monday 05 May 2003 9:33 pm, DB Troll wrote:
>
> Some people don't send their keys to keyservers out of preference.
> Some people use subkeys and other bits that some keyservers can't handle.
>
> Either way, the keyserver reports no key data found.
>
> If you do want the key, sometimes people who have experienced problems with
> their own keys on keyservers add details of their keys to their ordinary text
> signature (keyid, website location, etc.) for manual import into your own
> rings.
>
> In previous cases, I've just emailed the person concerned asking if they could
> let me know the location of a website or name of a keyserver that holds their
> key data.
>
> Once imported, you won't have any further delays on that key.
>
> --
>
> Neil Williams
> =============
> http://www.codehelp.co.uk
> http://www.dclug.org.uk
>
> http://www.wewantbroadband.co.uk/
>

Thanks Neil.

From jbruni@mac.com Tue May 6 02:44:01 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Tue May 6 01:44:01 2003
Subject: Building 1.2.2 on HP/UX 11.11
Message-ID: <3993912.1052178315055.JavaMail.jbruni@mac.com>

Sorry, here is the output from the error when gettimeofday is left
"undefined". The error occurs when trying to compile "random.c". It
looks like it tries to use the "times" function instead, and "struct
tms" doesn't exist.

source='random.c' object='random.o' libtool=no \
depfile='.deps/random.Po' tmpdepfile='.deps/random.TPo' \
depmode=hp /bin/sh ../scripts/depcomp \
cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -I../intl -g -Ae -D_HPUX_SOURCE -c `test -f 'random.c' || echo './'`random.c
cc: "random.c", line 254: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 308: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 318: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 324: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 335: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 457: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 457: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 458: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 458: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 538: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 538: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 539: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 539: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 545: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 545: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 553: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 553: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 554: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 554: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 597: warning 604: Pointers are not assignment-compatible.
cc: "random.c", line 597: warning 563: Argument #1 is not the correct type.
cc: "random.c", line 655: error 1574: Unknown size for "buf".
cc: "random.c", line 657: error 1594: The sizeof operator cannot be applied to types with unknown size.
*** Error exit code 1

From ellement@sdd.hp.com Tue May 6 02:48:02 2003
From: ellement@sdd.hp.com (David Ellement)
Date: Tue May 6 01:48:02 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <20030505205206.GV12401@jabberwocky.com>
References: <7854381.1052164335359.JavaMail.jbruni@mac.com> <20030505205206.GV12401@jabberwocky.com>
Message-ID: <20030505234931.GA4660@sdd.hp.com>

On 2003-05-05, David Shaw wrote
> Sorry - I wasn't clear. I meant to ask what error you got when
> building GnuPG when gettimeofday wasn't available. Not the configure
> error. It was probably something in cipher/

cipher/random.c is the first thing that fails to fail.

--
David Ellement

From jbruni@mac.com Tue May 6 02:49:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Tue May 6 01:49:02 2003
Subject: times() on hp/ux
Message-ID: <5171396.1052178619563.JavaMail.jbruni@mac.com>

David,

The definition of struct tms is located in and is bracketed with a
#ifdef _INCLUDE_POSIX_SOURCE macro. I don't know if that helps you any.

Joe Bruni

From wbo@mandrakesoft.com Tue May 6 03:00:01 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Tue May 6 02:00:01 2003
Subject: Keys not trusted
Message-ID: <200305060203.30183.wbo@mandrakesoft.com>

Hi,

Being fairly new in this I joined this list and received some messages
by people who signed their messages. I always imported the keys (using
the gpg option --auto-key-retrieve) and kmail tells me

"Message is signed by XY (blahblub) (Key-ID: 0x12345678).
Signature is valid but the key is not trusted."

When I want to send a private mail to somebody like that and I want to
encrypt the text I see the list of my pubring but all imported keys are
marked red and I cannot encrypt.
Only my own public key is marked green and I can use it to send
encrypted mails to myself (Big Deal!)

I signed one of those public keys because I know the person and my sig
is listed but still the same.

Could someone explain or point me into the right direction?

wobo
--
Public GnuPG key available at keyserver pgp.mit.edu

From frank.calfo@csgpro.com Tue May 6 03:18:02 2003
From: frank.calfo@csgpro.com (Frank Calfo)
Date: Tue May 6 02:18:02 2003
Subject: example command-fd and passphrase-fd
Message-ID: <5.2.1.1.0.20030505171444.00aca058@mail.csgpro.com>

Could someone please send a simple Windows and Unix example of using
command-fd and passphrase-fd to encrypt a file?

Thanks!

From dshaw@jabberwocky.com Tue May 6 03:31:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Tue May 6 02:31:01 2003
Subject: Building 1.2.2 on HP/UX 11.11
In-Reply-To: <3993912.1052178315055.JavaMail.jbruni@mac.com>
References: <3993912.1052178315055.JavaMail.jbruni@mac.com>
Message-ID: <20030506003137.GX12401@jabberwocky.com>

On Mon, May 05, 2003 at 05:45:15PM -0600, Joseph Bruni wrote:

> Sorry, here is the output from the error when gettimeofday is left
> "undefined". The error occurs when trying to compile "random.c". It
> looks like it tries to use the "times" function instead, and "struct
> tms" doesn't exist.

Got it. It'll be fixed in 1.2.3, though if autoconf had a problem
finding gettimeofday(), I'm not sure if it would find times()
either...

David

From graham.todd@ntlworld.com Tue May 6 08:33:03 2003
From: graham.todd@ntlworld.com (Graham)
Date: Tue May 6 07:33:03 2003
Subject: Keys not trusted
In-Reply-To: <200305060203.30183.wbo@mandrakesoft.com>
References: <200305060203.30183.wbo@mandrakesoft.com>
Message-ID: <200305060639.45880.graham.todd@ntlworld.com>

On Tuesday 06 May 2003 1:03 am, Wolfgang Bornath wrote:
[snipped]
> When I want to send a private mail to somebody like that and I want
> to encrypt the text I see the list of my pubring but all imported
> keys are marked red and I cannot encrypt.
> Only my own public key is marked green and I can use it to send
> encrypted mails to myself (Big Deal!)

This is one of the basic things about GPG which newcomers find difficult
:-)

All keys that you get are "untrusted" unless you sign them. That way
you allocate a level of trust to them. You will receive keys all the
time from people and they will be "untrusted": this is quite normal.
Unless you want to communicate with the keyowner and send him/her a
signed key, simply locally sign it (in PGP terms this gives you a
non-exportable signature) and it will be trusted. You do this by the
command:

gpg --lsign-key

When it comes to encryption, by default you can only encrypt to trusted
keys. Simply locally sign the key before setting out to encrypt :-)

Some MUAs (like Mozilla Mail with Enigmail) make all keys trusted by
default, which I think is very dangerous, so I turn this off.

HTH
--
Graham
GPG Keys at encryption.keys@ntlworld.com

From avbidder@fortytwo.ch Tue May 6 08:49:02 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Tue May 6 07:49:02 2003
Subject: Keys not trusted
In-Reply-To: <200305060203.30183.wbo@mandrakesoft.com>
References: <200305060203.30183.wbo@mandrakesoft.com>
Message-ID: <200305060750.30515@fortytwo.ch>

On Tuesday 06 May 2003 02:03, Wolfgang Bornath wrote:
> Hi,
>
> Being fairly new in this I joined this list and received some messages
> by people who signed their messages. I always imported the keys (using
> the gpg option --auto-key-retrieve) and kmail tells me
> "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> Signature is valid but the key is not trusted."

This is not a bad thing in itself - it just means that you do not absolutely
know that you have the person's true public key. It could be just somebody
posting a public key under their name.

> When I want to send a private mail to somebody like that and I want to
> encrypt the text I see the list of my pubring but all imported keys are
> marked red and I cannot encrypt.
> Only my own public key is marked green and I can use it to send
> encrypted mails to myself (Big Deal!

Hmm. I think kmail has an option to allow you to send encrypted mail to
untrusted keys. However, it doesn't make sense since you don't really know
who you're sending an encrypted mail to. (Of course, for casual use, you can
usually trust that a published email address if used for some time on mailing
lists with always the same key does correspond to the real person. And, if
you look at their public key and there's many signatures on the key from
other people on the mailing list or other people you know, it's a good chance
that the key is actually genuine. It's just not that secure if you assume
that there's an actual enemy around trying to steal somebody's identity).

> I signed one of those public keys because I know the person and my sig
> is listed but still the same.

It is good practice to really carefully check that you really have the right
key (and, if you don't know the person good enough, of course also that you
have the right person). Personally, I check the fingerprint with people I
know. Just a little paranoia there, but with the web of trust idea you have
other people relying on you doing this check carefully, and an error affects
not only you but potentially lots of people.

> Could someone explain or point me into the right direction?

You need to build a web of trust - get your key signed by other GPG/PGP users,
and sign their key. http://biglumber.com may list some people in your area,
and there's also a keysigning mailing list (search the archives or google, I
don't have the address handy right now) where you could ask if there's some
people in your area. Then you also need to assign trust values to the keys -
you assess how much you trust other people to be careful when they sign a key
- by running gpg --update-trustdb.

I'd recommend that you read the documentation on http://gnupg.org, especially
the chapters about key signing and the Web of Trust:
http://www.gnupg.org/gph/en/manual.html; the interesting bits are in chapter
3 and 4.

greets
-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)

Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.3&md5sum=14ca616f14682a82cb9cc25c9b34a10d

From wbo@mandrakesoft.com Thu May 8 17:19:07 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Thu May 8 16:19:07 2003
Subject: Keys not trusted
In-Reply-To: <200305060750.30515@fortytwo.ch>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305060750.30515@fortytwo.ch>
Message-ID: <200305060924.30909.wbo@mandrakesoft.com>

** Adrian 'Dagurashibanipal' von Bidder (Tuesday, 6 May 2003 07:50)
> I'd recommend that you read the documentation on http://gnupg.org,
> especially the chapters about key signing and the Web of Trust:
> http://www.gnupg.org/gph/en/manual.html; the interesting bits are in
> chapter 3 and 4.

Thanks for your elaborate answer. I read about the 'Web of Trust' and I
know about signing keys. Sorry, I did not mention that I signed that
key just locally so it would not be exported (just what Graham wrote).

I looked but did not find the option for kmail to encrypt with keys not
trusted.

wobo
--
Public GnuPG key available at keyserver www.mandrakesecure.net

From wbo@mandrakesoft.com Thu May 8 17:19:30 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Thu May 8 16:19:30 2003
Subject: Keys not trusted
In-Reply-To: <200305060639.45880.graham.todd@ntlworld.com>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305060639.45880.graham.todd@ntlworld.com>
Message-ID: <200305060930.46316.wbo@mandrakesoft.com>

** Graham (Tuesday, 6 May 2003 07:39)
> This is one of the basic things about GPG which newcomers find
> difficult

I find the principle of trusted and untrusted keys a logical thing given
the way this PGP/GnuPG works.

> When it comes to encryption, by default you can only encrypt to
> trusted keys. Simply locally sign the key before setting out to
> encrypt :-).

That's what I did with that person's key, just signed it locally. I read
the man page before ;)
Only thing I forgot was to update the trustdb.

wobo
--
Public GnuPG key available at keyserver www.mandrakesecure.net

From rene@clerc.nl Thu May 8 17:20:24 2003
From: rene@clerc.nl (René Clerc)
Date: Thu May 8 16:20:24 2003
Subject: GnuPG 1.2.2 make fails
In-Reply-To: <20030505172946.GP12401@jabberwocky.com>
References: <20030505155307.GD5135@clerc.nl> <20030505172946.GP12401@jabberwocky.com>
Message-ID: <20030506084231.GG5135@clerc.nl>

* David Shaw [05-05-2003 20:04]:

[make failure]

> Try ./configure --with-included-gettext

This did the trick.

Thanks,

--
René Clerc - (rene@clerc.nl)

From Marc.Mutz@uni-bielefeld.de Thu May 8 17:21:19 2003
From: Marc.Mutz@uni-bielefeld.de (Marc Mutz)
Date: Thu May 8 16:21:19 2003
Subject: [Announce] GnuPG 1.2.2 released
In-Reply-To: <87wuh7n6w5.fsf@alberti.g10code.de>
References: <87wuh7n6w5.fsf@alberti.g10code.de>
Message-ID: <200305041540.27733@sendmail.mutz.com>

On Saturday 03 May 2003 21:54, Werner Koch wrote:
> release: Version 1.2.2

make check outputs:
./conventional.test: line 102: [: missing `]'
./conventional.test: line 104: [: missing `]'
for every test. They pass, though. RC2 didn't have this.

Marc

--
If you read this Mail while moving in traffic, you could hit lantern
stakes or end up knocked over by trucks.
               -- freely adapted from iX 11/2002 editorial

From mailaccount200001@yahoo.com Thu May 8 17:21:41 2003
From: mailaccount200001@yahoo.com (Tom) Date: Thu May 8 16:21:41 2003 Subject: Corrupt keyrings Message-ID: <20030505020355.74635.qmail@web40401.mail.yahoo.com> $ gpg --delete-secret-and-public-key AE68B2FE gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information sec 4096R/AE68B2FE (date) (userid) Delete this key from the keyring? yes This is a secret key! - really delete? yes gpg: /home/user/.gnupg/secring.gpg: copy to `/home/user/.gnupg/secring.gpg.tmp' failed: file read error gpg: deleting keyblock failed: file read error gpg: AE68B2FE: delete key failed: file read error $ mv secring.gpg temp.gpg $ gpg --delete-key AE68B2FE gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: keyring `/home/user/.gnupg/secring.gpg' created pub 4096R/AE68B2FE (date) (userid) Delete this key from the keyring? yes gpg: /home/user/.gnupg/pubring.gpg: copy to `/home/user/.gnupg/pubring.gpg.tmp' failed: file read error gpg: deleting keyblock failed: file read error gpg: AE68B2FE: delete key failed: file read error $ gpg --export --output pubring.asc gpg: Warning: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: keyring_get_keyblock: read error: invalid packet gpg: error reading keyblock: invalid keyring $ gpg --export-secret-keys --output secring.asc gpg: Warning: using insecure memory! 
gpg: please see http://www.gnupg.org/faq.html for more information gpg: keyring_get_keyblock: read error: invalid packet gpg: error reading keyblock: invalid keyring Attempting to export individual keys to a file fails silently. I can list keys in both the public and secret keyrings without any problem. I can encrypt and decrypt messages without any problem (I have not tried every key yet, however). I can not do anything that would change a key ring, however. Any ideas about the cause, or even better, a solution? TS From gerberb@zenez.com Thu May 8 17:22:07 2003 
From: gerberb@zenez.com (Boyd Lynn Gerber) Date: Thu May 8 16:22:07 2003 Subject: make check fails on all tests on gnupg-1.2.2 for OpenServer 5.0.X, OpenUNIX 8.0.0 and UnixWare 7.1.X Message-ID: make check fails all tests on OpenServer, UnixWare and OpenUNIX. 1.2.1 passed all tests. Below is the output from make check the only difference is the directory tree location. Making check in intl make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/intl' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/intl' Making check in zlib make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/zlib' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/zlib' Making check in util make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/util' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/util' Making check in mpi make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/mpi' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/mpi' Making check in cipher make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/cipher' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/cipher' Making check in tools make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/tools' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/tools' Making check in g10 make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/g10' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/g10' Making check in keyserver make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/keyserver' make[1]: Nothing to be done for `check'. 
make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/keyserver' Making check in po make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/po' make[1]: Nothing to be done for `check'. make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/po' Making check in doc make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/doc' make check-am make[2]: Entering directory `/home/build/ou8/gnupg-1.2.2/doc' make[2]: Nothing to be done for `check-am'. make[2]: Leaving directory `/home/build/ou8/gnupg-1.2.2/doc' make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/doc' Making check in checks make[1]: Entering directory `/home/build/ou8/gnupg-1.2.2/checks' make check-TESTS make[2]: Entering directory `/home/build/ou8/gnupg-1.2.2/checks' UX:test (./version.test): ERROR: ] missing FAIL: version.test UX:test (./mds.test): ERROR: ] missing FAIL: mds.test UX:test (./decrypt.test): ERROR: ] missing FAIL: decrypt.test UX:test: ERROR: ./decrypt-dsa.test: ] missing FAIL: decrypt-dsa.test UX:test (./sigs.test): ERROR: ] missing FAIL: sigs.test UX:test (sigs-dsa.test): ERROR: ] missing FAIL: sigs-dsa.test UX:test (./encrypt.test): ERROR: ] missing FAIL: encrypt.test UX:test: ERROR: ./encrypt-dsa.test: ] missing FAIL: encrypt-dsa.test UX:test (./seat.test): ERROR: ] missing FAIL: seat.test UX:test (clearsig.test): ERROR: ] missing FAIL: clearsig.test UX:test (encryptp.test): ERROR: ] missing FAIL: encryptp.test UX:test (./detach.test): ERROR: ] missing FAIL: detach.test UX:test (./armsigs.test): ERROR: ] missing FAIL: armsigs.test UX:test: ERROR: ./armencrypt.test: ] missing FAIL: armencrypt.test UX:test: ERROR: ./armencryptp.test: ] missing FAIL: armencryptp.test UX:test: ERROR: ./signencrypt.test: ] missing FAIL: signencrypt.test UX:test: ERROR: ./signencrypt-dsa.test: ] missing FAIL: signencrypt-dsa.test UX:test: ERROR: ./armsignencrypt.test: ] missing FAIL: armsignencrypt.test UX:test (armdetach.test): ERROR: ] missing FAIL: armdetach.test UX:test: ERROR: ./armdetachm.test: ] 
missing FAIL: armdetachm.test UX:test (./detachm.test): ERROR: ] missing FAIL: detachm.test UX:test: ERROR: ./genkey1024.test: ] missing FAIL: genkey1024.test UX:test: ERROR: ./conventional.test: ] missing FAIL: conventional.test UX:test: ERROR: ./conventional-mdc.test: ] missing FAIL: conventional-mdc.test UX:test (multisig.test): ERROR: ] missing FAIL: multisig.test ================================== 25 of 25 tests failed Please report to bug-gnupg@gnu.org ================================== make[2]: *** [check-TESTS] Error 1 make[2]: Leaving directory `/home/build/ou8/gnupg-1.2.2/checks' make[1]: *** [check-am] Error 2 make[1]: Leaving directory `/home/build/ou8/gnupg-1.2.2/checks' make: *** [check-recursive] Error 1 -- Boyd Gerber ZENEZ 1042 Fort Union #135, Midvale, Utah 84047 Office 801-604-5332 From ingo.kloecker@epost.de Thu May 8 17:26:04 2003 
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Thu May 8 16:26:04 2003
Subject: Keys not trusted
In-Reply-To: <200305060750.30515@fortytwo.ch>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305060750.30515@fortytwo.ch>
Message-ID: <200305061919.02446@erwin.ingo-kloecker.de>

On Tuesday 06 May 2003 07:50, Adrian 'Dagurashibanipal' von Bidder
wrote:
> On Tuesday 06 May 2003 02:03, Wolfgang Bornath wrote:
> > When I want to send a private mail to somebody like that and I want
> > to encrypt the text I see the list of my pubring but all imported
> > keys are marked red and I cannot encrypt.
> > Only my own public key is marked green and I can use it to send
> > encrypted mails to myself (Big Deal!
>
> Hmm. I think kmail has an option to allow you to send encrypted mail
> to untrusted keys.

No. It doesn't (yet). But, as Graham already pointed out, you can always
locally sign keys which you want to use for encryption. However, you
should only do this if you are fairly sure that the key really belongs
to the person who is mentioned in the user ids of the key.

Regards,
Ingo

From malte_gell@t-online.de Thu May 8 17:27:14 2003
From: malte_gell@t-online.de (Malte Gell)
Date: Thu May 8 16:27:14 2003
Subject: Keys not trusted
In-Reply-To: <200305060203.30183.wbo@mandrakesoft.com>
References: <200305060203.30183.wbo@mandrakesoft.com>
Message-ID: <200305062259.08993.malte_gell@t-online.de>

On Tuesday, 6 May 2003 02:03, Wolfgang Bornath wrote:
> Hi,
>
> Being fairly new in this I joined this list and received some
> messages by people who signed their messages. I always imported the
> keys (using the gpg option --auto-key-retrieve) and kmail tells me
> "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> Signature is valid but the key is not trusted."

KMail (other clients too?) will only accept such keys, if they're
signed. You could (locally) sign this key and then KMail will accept
it. By the way, does someone know, whether this behaviour completely
depends on the MUA or is this some OpenPGP recommendation?

By the way, if you want to get subscribed to lots of mailing lists, the
--auto-key-retrieve option may bloat your key ring in the long run. It
may contain lots of keys from people you may never have contact with.
So it happens now with my key, because this message is signed ;-) If
you want to contact a person whose message is signed you can get
his/her key at a later point of time anyway. KMail always shows the key
ID of a signed message, no matter if you have the key locally on your
keyring, you still can get it if really needed.

Regards
Malte

From wk@gnupg.org Thu May 8 17:38:58 2003
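The "Keys not trusted" thread above turns on the difference between a good signature and the validity gpg has calculated for the signing key. As an added example (not code from any poster or from GnuPG), this Python script reads the validity letter from `gpg --list-keys --with-colons` records and reports which keys a strict client would encrypt to. The sample listing is constructed, and accepting only full and ultimate validity is an assumed policy modelled on the KMail behaviour described in the thread.

```python
import re

# Constructed sample in the `gpg --list-keys --with-colons` record format.
# Key IDs, timestamps and user IDs are made up for this example.
SAMPLE_LISTING = r"""
pub:u:1024:17:A1A1A1A100000001:1042156800:::u:Own Key <me@example.org>::scESC:
sub:u:1024:16:A1A1A1A100000009:1042156800::::::e:
pub:-:1024:17:B2B2B2B200000002:1022889600:::-:Auto Retrieved <poster@example.org>::scESC:
pub:f:1024:17:C3C3C3C300000003:984614400:::-:Locally Signed <friend@example.org>::scESC:
pub:e:1024:17:D4D4D4D400000004:946684800:978307200::-:Expired Key <old@example.org>::sc:
pub:-:2048:1:E5E5E5E500000005:1050000000:::-:::scESC:
uid:-::::1050000000::0123456789ABCDEF::Release Team\x3a Signing <team@example.org>:
"""

# Field 2 of a pub record: the validity gpg calculated for the key.
VALIDITY = {
    "o": "unknown (new key)",
    "i": "invalid",
    "d": "disabled",
    "r": "revoked",
    "e": "expired",
    "-": "unknown",
    "q": "undefined",
    "n": "never valid",
    "m": "marginal",
    "f": "full",
    "u": "ultimate",
}

# Assumption: a strict client accepts only fully or ultimately valid keys.
ACCEPTED = {"f", "u"}


def _unescape(field):
    """Undo the \\xNN escaping used for ':' and control bytes in user IDs."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_listing(text):
    """Return one dict per public key found in a colon-format listing."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 10:
            continue  # blank or truncated line
        if fields[0] == "pub":
            keys.append({
                "keyid": fields[4],
                "validity": fields[1] or "-",
                "ownertrust": fields[8] or "-",
                "uid": _unescape(fields[9]),
            })
        elif fields[0] == "uid" and keys and not keys[-1]["uid"]:
            # Some listings put the user ID on a separate uid record.
            keys[-1]["uid"] = _unescape(fields[9])
    return keys


def encryptable(key):
    """True if the key's calculated validity meets the assumed policy."""
    return key["validity"] in ACCEPTED


def report(text):
    """(short key ID, validity description, usable?) for every public key."""
    return [(k["keyid"][-8:],
             VALIDITY.get(k["validity"], "unrecognised"),
             encryptable(k))
            for k in parse_listing(text)]


if __name__ == "__main__":
    for short_id, validity, ok in report(SAMPLE_LISTING):
        print(f"{short_id}  {validity:<18} {'encrypt' if ok else 'refuse'}")
```

The key retrieved automatically and never certified stays at unknown validity, which is why it is refused even though signatures made with it verify; the locally signed key is accepted.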
From: wk@gnupg.org (Werner Koch) Date: Thu May 8 16:38:58 2003 Subject: Building 1.2.2 on Tru64 4.0F In-Reply-To: <1963591.1052168560910.JavaMail.jbruni@mac.com> (Joseph Bruni's message of "Mon, 05 May 2003 15:02:40 -0600") References: <1963591.1052168560910.JavaMail.jbruni@mac.com> Message-ID: <87addxwmh5.fsf@alberti.g10code.de> On Mon, 05 May 2003 15:02:40 -0600, Joseph Bruni said: > So, on Tru64 you can build this with either GCC 3.2.2 or c89, but not with cc. Obviously this OS comes with a crippled (i.e. K&R) compiler. From HP/UX experience I know that this one is good enough to build gcc, though. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From colstar@iprimus.com.au Thu May 8 18:25:02 2003 
From: colstar@iprimus.com.au (Colin Brown)
Date: Thu May 8 17:25:02 2003
Subject: How to build gnupg on winXP
Message-ID: <000001c31576$2be15de0$6b1a32d2@workstation>

Hi all,

I am having trouble building gnupg, I downloaded all the programs, but
seem to still have a problem, could someone tell me what I am doing
wrong?

I followed the directions according to
http://web.tiscali.it/no-redirect-tiscali/clbianco/gnupg/eng/gnupg.html

Here are the errors I am getting

$ scripts/autogen.sh --build-w32
scripts/autogen.sh: [: /home/radier: binary operator expected
scripts/autogen.sh: /home/radier: No such file or directory
scripts/autogen.sh: /home/radier: No such file or directory

Best Regards
Colin

Taking the easy way out
"Windows 95 is a
32-bit shell for a
16-bit extension to an
8-bit operating system designed for a
4-bit microprocessor by a
2-bit company that can't stand one bit of competition."

Pgp key: http://home.iprimus.com.au/colstar/pgpkey/colstar.asc

From r_runner@poczta.onet.pl Fri May 9 13:43:02 2003
From: r_runner@poczta.onet.pl (Road Runner)
Date: Fri May 9 12:43:02 2003
Subject: How to build gnupg on winXP:Addendum
In-Reply-To: <3EBB4D04.1090405@poczta.onet.pl>
References: <000001c31576$2be15de0$6b1a32d2@workstation> <3EBB4D04.1090405@poczta.onet.pl>
Message-ID: <3EBB5671.20107@poczta.onet.pl>

Road Runner wrote:

>Hello
>
>Building gnupg on XP is easier than using MS Outlook, but you need the
>latest stable versions of:
>1. MinGW -- Minimalist GNU For Windows,
>2. Minimal System -- Msys.
>You can find it at http://www.mingw.org or on Sourceforge.
>
https://sourceforge.net/project/showfiles.php?group_id=2435

>The most easy way is take an executable versions (for today:
>MinGW-2.0.0-3.exe and MSYS-1.0.8.exe) and together, in cooperative with
>your Pointing Device (Mouse?) installing it - of course if you prefer
>alone work you can take binaries in tar.gz format.
>
Binaries of each tools and utils you need (GCC, binutils, w32api, gdb, make and so on)

>Next step - unpack GnuPG, ./configure, make, make check, make install.
>You need no options for straight build.
>
>
And of course "strip"

>Happy building
>
>RR
>

From r_runner@poczta.onet.pl Fri May 9 13:43:32 2003
From: r_runner@poczta.onet.pl (Road Runner) Date: Fri May 9 12:43:32 2003 Subject: How to build gnupg on winXP In-Reply-To: <000001c31576$2be15de0$6b1a32d2@workstation> References: <000001c31576$2be15de0$6b1a32d2@workstation> Message-ID: <3EBB4D04.1090405@poczta.onet.pl> Colin Brown wrote: >Hi all, > >I am having trouble building gnupg, I downloaded all the programs, but >seem to still have a problem, could someone tell me what I am doing >wrong >I followed the directions according to >http://web.tiscali.it/no-redirect-tiscali/clbianco/gnupg/eng/gnupg.html > Hello Building gnupg on XP is easier than using MS Outlook, but you need the latest stable versions of: 1. MinGW -- Minimalist GNU For Windows, 2. Minimal System -- Msys. You can find it at http://www.mingw.org or on Sourceforge. The most easy way is take an executable versions (for today: MinGW-2.0.0-3.exe and MSYS-1.0.8.exe) and together, in cooperative with your Pointing Device (Mouse?) installing it - of course if you prefer alone work you can take binaries in tar.gz format. Next step - unpack GnuPG, ./configure, make, make check, make install. You need no options for straight build. Happy building RR From linux@codehelp.co.uk Fri May 9 13:44:02 2003 
From: linux@codehelp.co.uk (Neil Williams)
Date: Fri May 9 12:44:02 2003
Subject: Keysigning
In-Reply-To: <200305060750.30515@fortytwo.ch>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305060750.30515@fortytwo.ch>
Message-ID: <200305082001.35713.linux@codehelp.co.uk>

On Tuesday 06 May 2003 6:50 am, Adrian 'Dagurashibanipal' von Bidder wrote:
>
> You need to build a web of trust - get your key signed by other GPG/PGP
> users, and sign their key. http://biglumber.com may list some people in

I'm getting tremendous delays on that server - every page times out.

> your area, and there's also a keysigning mailing list (search the archives

If the speed problems are just temporary, I think others here should try to
increase the numbers on the site - many cities have just one member.

--

Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk

http://www.wewantbroadband.co.uk/

From mailaccount200001@yahoo.com Fri May 9 13:47:01 2003
From: mailaccount200001@yahoo.com (Tom)
Date: Fri May 9 12:47:01 2003
Subject: Corrupt keyrings
Message-ID: <20030506155020.28200.qmail@web40410.mail.yahoo.com>

$ gpg --delete-secret-and-public-key AE68B2FE
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

sec 4096R/AE68B2FE (date) (userid)

Delete this key from the keyring? yes
This is a secret key! - really delete? yes
gpg: /home/user/.gnupg/secring.gpg: copy to `/home/user/.gnupg/secring.gpg.tmp' failed: file read error
gpg: deleting keyblock failed: file read error
gpg: AE68B2FE: delete key failed: file read error

$ mv secring.gpg temp.gpg
$ gpg --delete-key AE68B2FE
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring `/home/user/.gnupg/secring.gpg' created

pub 4096R/AE68B2FE (date) (userid)

Delete this key from the keyring? yes
gpg: /home/user/.gnupg/pubring.gpg: copy to `/home/user/.gnupg/pubring.gpg.tmp' failed: file read error
gpg: deleting keyblock failed: file read error
gpg: AE68B2FE: delete key failed: file read error

$ gpg --export --output pubring.asc
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring_get_keyblock: read error: invalid packet
gpg: error reading keyblock: invalid keyring

$ gpg --export-secret-keys --output secring.asc
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: keyring_get_keyblock: read error: invalid packet
gpg: error reading keyblock: invalid keyring

Attempting to export individual keys to a file fails silently.

I can list keys in both the public and secret keyrings without any problem. I can encrypt and decrypt messages without any problem (I have not tried every key yet, however). I can not do anything that would change a key ring, however.

Any ideas about the cause, or even better, a solution?

TS
From yenot@sec.to Fri May 9 14:27:02 2003
From: yenot@sec.to (Yenot) Date: Fri May 9 13:27:02 2003 Subject: Keys not trusted In-Reply-To: <200305060203.30183.wbo@mandrakesoft.com> References: <200305060203.30183.wbo@mandrakesoft.com> Message-ID: <200305090151.56006.yenot@sec.to> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 06 May 2003 04:03 am, Wolfgang Bornath wrote: > > Being fairly new in this I joined this list and received some > messages by people who signed their messages. I always imported the > keys (using the gpg option --auto-key-retrieve) and kmail tells me > "Message is signed by XY (blahblub) (Key-ID: 0x12345678). > Signature is valid but the key is not trusted." > > When I want to send a private mail to somebody like that and I want > to encrypt the text I see the list of my pubring but all imported > keys are marked red and I cannot encrypt. You're certainly not the only person with this problem. I know at least some of the Kmail developers read this list, so may be it would be useful to start a discussion on the matter. I think Kmail, and mail agents in general, need some way of sending e-mail to unknown parties. Just because I don't know someone's real identity, doesn't mean that I don't want to send them mail. And it certainly doesn't mean that I want to add all these letters to a TIA (Total Information Awareness) database, or in general share these letters with every Eve, Carnivore, and archiving SMTP server between our two computers. One way to pick the best key for such e-mail only acquaintances would be for people within various communities to all use a single robot authentication authority (for example: http://www.toehold.com/robotca). Some members of this list, such as GnuPG developer David Shaw, consider this to be a bad idea. Shaw proposes that when no trust path to an e-mail exists, the mail client should encrypt to all available keys for the given e-mail address (warning the user appropriately). 
Then when/if the party you sent to replies, you can set the definitive key based on the key they use in their reply. (For this to be accessible to non-crypto zealots, the mail agent would also need some way of locally signing a key based on the signature of a received mail.) I can think of a couple other ideas that would involve caching previously seen address/fingerprint pairs. Maybe with an SSH like feature that warns when an address/fingerprint doesn't match the address/fingerprint previously seen. (All my ideas have minor problems, so I'll wait and see what other people have to say first.) Do the developers of Kmail, Sylpheed, and/or Enigmail have a vision of how the mail agent of the future can increase the use of PGP for casual Internet communications without making major compromises on the security of more serious communications with known entities? - Yenot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+utpUP247TY29IxARApviAJ0fbLnhXsbl1lGuMeAIU7AWvpzoigCfe6Rn L2oLstholTrVXw0L4BW/vT8= =RTMQ -----END PGP SIGNATURE----- From steve-gnupg@gbnet.net Fri May 9 14:32:02 2003 From: steve-gnupg@gbnet.net (Steve Kennedy) Date: Fri May 9 13:32:02 2003 Subject: Building 1.2.2 on SunOS 4 In-Reply-To: <87addxwmh5.fsf@alberti.g10code.de> References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> Message-ID: <20030508164607.GG25034@gbnet.net> Trying to build on SunOS 4.1.4 on Sparc, gcc (2.73) gmake[2]: Entering directory `/vol/home/steve/todo/build/ns/gnupg-1.2.2/tools' gcc -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a -liconv -lz ld: Undefined symbol _mpihelp_rshift ___udiv_qrnnd _mpihelp_add_n _mpihelp_lshift collect2: ld returned 2 exit status Steve -- NetTek Ltd Phone/Fax +44-(0)20 7483 2455 SMS steve-pager (at) gbnet.net [body] gpg 1024D/468952DB 2001-09-19 From chris@yonderway.com Fri May 9 16:13:02 2003 
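The address/fingerprint cache with an SSH-like mismatch warning that Yenot's message above suggests, combined with the encrypt-to-all-keys fallback that message attributes to David Shaw, written out as an added Python example; it is not code from GnuPG, KMail or any poster. The `PinStore` class, its method names and the sample fingerprints are constructed for illustration, and it assumes the mail agent calls `observe` only after a signature has verified.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

FIRST_SEEN, MATCH, MISMATCH = "first-seen", "match", "mismatch"


def norm_addr(addr: str) -> str:
    """Compare addresses case-insensitively (an assumption of this example)."""
    return addr.strip().lower()


def norm_fpr(fpr: str) -> str:
    """Canonical form: 40 upper-case hex digits (v4 fingerprint), no spaces."""
    fpr = "".join(fpr.split()).upper()
    if len(fpr) != 40 or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("expected a 40-hex-digit fingerprint")
    return fpr


@dataclass
class Selection:
    fingerprints: List[str]   # keys the mail agent should encrypt to
    warning: Optional[str]    # text to show the user; None when the pin was used


class PinStore:
    """Cache of address -> fingerprint pairs seen on validly signed mail."""

    def __init__(self, pins: Optional[Dict[str, str]] = None):
        self._pins: Dict[str, str] = dict(pins or {})

    def pinned(self, addr: str) -> Optional[str]:
        return self._pins.get(norm_addr(addr))

    def observe(self, addr: str, fpr: str) -> str:
        """Call only after the signature on a mail from addr verified.

        The first fingerprint seen becomes the pin. A different one later is
        reported as MISMATCH and the pin is left unchanged, like an SSH
        host-key warning: the user decides, not the cache.
        """
        addr, fpr = norm_addr(addr), norm_fpr(fpr)
        pinned = self._pins.get(addr)
        if pinned is None:
            self._pins[addr] = fpr
            return FIRST_SEEN
        return MATCH if pinned == fpr else MISMATCH

    def repin(self, addr: str, fpr: str) -> None:
        """Explicit user decision to accept a new key after a MISMATCH."""
        self._pins[norm_addr(addr)] = norm_fpr(fpr)

    def recipients_for(self, addr: str, candidates: Iterable[str]) -> Selection:
        """Pick encryption keys among the keyring's candidates for addr."""
        cands = sorted({norm_fpr(c) for c in candidates})
        pinned = self.pinned(addr)
        if pinned is None:
            # No reply seen yet: encrypt to every key, and say so.
            return Selection(cands, "no key pinned for %s; encrypting to all "
                             "%d unverified key(s)" % (norm_addr(addr), len(cands)))
        if pinned in cands:
            return Selection([pinned], None)
        # Never fall back silently to some other key for a pinned address.
        return Selection([], "pinned key %s for %s is not on the keyring"
                         % (pinned, norm_addr(addr)))

    def dumps(self) -> str:
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "PinStore":
        return cls(json.loads(text))


# Constructed sample fingerprints, not real keys.
KEY_A = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
KEY_B = "fedcba9876543210fedcba9876543210fedcba98"

if __name__ == "__main__":
    store = PinStore()
    print(store.recipients_for("Alice@Example.org", [KEY_A, KEY_B]))
    print(store.observe("alice@example.org", KEY_A))   # first signed reply
    print(store.observe("alice@example.org", KEY_B))   # later mail, other key
    print(store.recipients_for("alice@example.org", [KEY_A, KEY_B]))
```

A pin only records which key an address has used before; it says nothing about who holds that key, which is the distinction the Web of Trust replies in this thread turn on.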
From: chris@yonderway.com (Chris Hedemark) Date: Fri May 9 15:13:02 2003 Subject: Keysigning In-Reply-To: <200305082001.35713.linux@codehelp.co.uk> Message-ID: <03F6E45C-8220-11D7-A015-0003939CC61E@yonderway.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, May 8, 2003, at 03:01 PM, Neil Williams wrote: > If the speed problems are just temporary, I think others here should > try to > increase the numbers on the site - many cities have just one member. I'm listed under one of the big cities, Philadelphia. Biglumber.com isn't smart enough unfortunately to group suburbs with their parent city, so what most of the "Philadelphians" did was say they lived in Philadelphia even though they really live in an outlying suburb. So if you live near a big city, but you listed yourself under your true town of residence outside of that city, you might want to consider adjusting your listing to better represent what OpenPGP users live in your metro area. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj67qXsACgkQYPuF4Zq9lvYllgCg57ryCfrGLY0irzLsB2sEnPSL KGsAniNJsdEp7VdGlVKCFTB16bW9xuWV =r8Ok -----END PGP SIGNATURE----- From wbo@mandrakesoft.com Fri May 9 17:11:02 2003 
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Fri May 9 16:11:02 2003
Subject: Keys not trusted
In-Reply-To: <200305090151.56006.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to>
Message-ID: <200305091612.05938.wbo@mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

** Yenot (Freitag, 9. Mai 2003 00:29)
>
> You're certainly not the only person with this problem. I know at
> least some of the Kmail developers read this list, so may be it would
> be useful to start a discussion on the matter. I think Kmail, and
> mail agents in general, need some way of sending e-mail to unknown
> parties. Just because I don't know someone's real identity, doesn't
> mean that I don't want to send them mail. And it certainly doesn't
> mean that I want to add all these letters to a TIA (Total Information
> Awareness) database, or in general share these letters with every
> Eve, Carnivore, and archiving SMTP server between our two computers.

You may have a point there and your following ideas may not be bad.

But having read some more of the documentation (especially about the
overall concept) I agree with the current behaviour of kmail.

Who do I send mails to which should be encrypted so that only the
addressee can read the contents? Right, only to persons who I trust not
to reveal the contents of my private thoughts to any other person.

I can't think of a situation where I would send such private thoughts to
a person I don't know and/or have a kind of relationship with. And if I
have such a relation to that person there is a way to establish a
trusted communication to exchange trusted keys (via a known third
party, a trusted organization or institution, etc.).

When it comes to exchanging data which should not be sent in the open
there are organizations in all areas of the world where you can have
your key signed so that it is acknowledged by other people.

As an example, in Germany we have a computer magazine (c't) which offers
signing of keys when you show up at exhibitions at their booth with
your key and an official id card (passport, drivers license, etc.).
There are other possibilities.

I don't see any need to spoil the concept of the Web of Trust.

wobo
- -- 
Public GnuPG key available at keyserver pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+u7csXpTF6eCkAF0RAiYvAJ4gfrAuw6Q6iddzaAD+ZcUPWGCDvwCgjQzR
mFq5k6mq6kI7BssaFQREoSw=
=GZXo
-----END PGP SIGNATURE-----
From cmt@rz.uni-karlsruhe.de Fri May 9 17:13:02 2003
From: cmt@rz.uni-karlsruhe.de (Christoph Moench-Tegeder)
Date: Fri May 9 16:13:02 2003
Subject: make check fails on all tests on gnupg-1.2.2 for OpenServer 5.0.X, OpenUNIX 8.0.0 and UnixWare 7.1.X
In-Reply-To:
References:
Message-ID: <20030508170439.GA14299@rz-ewok.rz.uni-karlsruhe.de>

## Boyd Lynn Gerber (gerberb@zenez.com):

> make check fails all tests on OpenServer, UnixWare and OpenUNIX. 1.2.1
> passed all tests. Below is the output from make check the only difference
> is the directory tree location.

checks/defs.inc is broken for all shells except bash. Here is the patch:

--- checks/defs.inc.orig Tue May 6 10:57:03 2003 +++ checks/defs.inc Tue May 6 10:57:21 2003 @@ -99,9 +99,9 @@ [ -z "$srcdir" ] && fatal "not called from make" # Make sure we have a valid option files even with VPATH builds. -if [ -f ./options]; then +if [ -f ./options ]; then : -elif [ -f ./gpg.conf]; then +elif [ -f ./gpg.conf ]; then : elif [ -f $srcdir/options ]; then cat $srcdir/options >gpg.conf @@ -112,4 +112,4 @@ exec 2> ${pgmname}.log : -# end \ No newline at end of file +# end

Regards,
Christoph
-- 
Spare Space
From greg@turnstep.com Fri May 9 17:25:02 2003
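Review bot: in the first hunk of the checks/defs.inc patch above, the unchanged context lines `elif [ -f $srcdir/options ]; then` and `cat $srcdir/options >gpg.conf` still expand `$srcdir` unquoted, so a VPATH build from a source directory whose path contains whitespace splits the argument into several words and the fallback branch fails. Since the patch is already correcting the neighbouring `[ ... ]` tests, both expansions could be quoted as "$srcdir/options" in the same change. The added space before `]` is the right correction in itself: `[` expects `]` as a separate final argument, and `./options]` is a single word.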
From: greg@turnstep.com (greg@turnstep.com) Date: Fri May 9 16:25:02 2003 Subject: Keysigning In-Reply-To: <03F6E45C-8220-11D7-A015-0003939CC61E@yonderway.com> Message-ID: <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> You need to build a web of trust - get your key signed by other GPG/PGP >> users, and sign their key. http://biglumber.com may list some people in > I'm getting tremendous delays on that server - every page times out. Sorry about that. Some spammer decided to use one of my domain names as their "from" address, and I got swamped with bounces. :( In addition, uce@ftc.gov is bouncing as well (they are out of disk space - go fig). Damage control is mostly done now, so the site should be more responsive. > I'm listed under one of the big cities, Philadelphia. Biglumber.com > isn't smart enough unfortunately to group suburbs with their parent > city, so what most of the "Philadelphians" did was say they lived in > Philadelphia even though they really live in an outlying suburb. I am open to ideas about how to do this. Generally, it is better to list yourself as the nearest big city - people out of town are not going to be familiar with the suburb names, and most meetings will actually take place in the "main city" itself. Therefore I recommend listing yourself as the nearest large city and putting your specific location in the notes. We are up to 328 cities now. I combine them whenever possible, such as typos and English vs. I8N spellings (e.g. German cities): if anyone sees a city that looks out of place, please let me know. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200305090959 -----BEGIN PGP SIGNATURE----- Comment: http://www.turnstep.com/pgp.html iD8DBQE+u7nIvJuQZxSWSsgRAqxUAJ0VwhWIMu8AzhVrHTDoH2kJQPk3ZgCglbVW bwNinAWZOFQ2ETnn8IipJ+A= =OKWb -----END PGP SIGNATURE----- From wbo@mandrakesoft.com Fri May 9 17:47:01 2003 
From: wbo@mandrakesoft.com (Wolfgang Bornath) Date: Fri May 9 16:47:01 2003 Subject: Keys not trusted In-Reply-To: <200305062259.08993.malte_gell@t-online.de> References: <200305060203.30183.wbo@mandrakesoft.com> <200305062259.08993.malte_gell@t-online.de> Message-ID: <200305082103.14168.wbo@mandrakesoft.com> ** Malte Gell (Dienstag, 6. Mai 2003 22:58) > By the way, if you want to get subscribed to lots of mailing lists, > the --auto-key-retrieve option may bloat your key ring in the long > run. It may contain lots of keys from people you may never have > contact with. So it happens now with my key, because this message is > signed ;-) If you want to contact a person whose message is signed > you can get his/her key at a later point of time anyway. KMail always > shows the key ID of a signed message, no matter if you have the key > locally on your keyring, you still can get it if really needed. Yes I know. I just used this option (auto-key-retrieve) for the first few days for experimenting. I have commented out this line now. Thanks anyway for caring :) wobo -- Public GnuPG key available at keyserver www.mandrakesecure.net From charles.kronschnable@mnhospitals.org Fri May 9 17:47:24 2003 
From: charles.kronschnable@mnhospitals.org (Charles Kronschnable)
Date: Fri May 9 16:47:24 2003
Subject: Automated Encryption
Message-ID: <9054CB3E21D9D311AF2D00E029492EF201A055A4@louie.mhhp.com>

------_=_NextPart_001_01C31639.EB629800
Content-Type: text/plain; charset="iso-8859-1"

My task is to send encrypted emails via an asp page. I have two options I believe. The first is to have my asp page execute a dos shell and use commands to encrypt a file on the server and then attach that file to the email using cdonts, but I can't find a resource for dos commands anywhere, I realize that gnupg is opensource and there are all kinds of unix/linux references but nothing for a win os.

Or

I can create an email box on our server and have cdonts email to that box, the box would in turn automatically encrypt the data and ship it off to the recipient, problem is when I turn on encrypt new messages by default, and try sending an email it asks which key I want to use, is there a way around that? I'm using Gnu Privacy Assistant for Ms Outlook 2k.

If anyone can help on either of these two options that would be very helpful!!

charles kronschnable
programmer/analyst
minnesota hospital association
minnesota health & housing alliance
charles.kronschnable@mnhospitals.org

------_=_NextPart_001_01C31639.EB629800-- From dlc@users.sourceforge.net Fri May 9 18:26:02 2003 From: dlc@users.sourceforge.net (darren chamberlain) Date: Fri May 9 17:26:02 2003 Subject: Automated Encryption In-Reply-To: <9054CB3E21D9D311AF2D00E029492EF201A055A4@louie.mhhp.com> References: <9054CB3E21D9D311AF2D00E029492EF201A055A4@louie.mhhp.com> Message-ID: <20030509-f7536f5238f5add659a536c89fbf6f64@tumbleweed.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Charles Kronschnable [2003-05-09 11:14]: > My task is to send encrypted emails via an asp page. I have two > options I believe. The first is to have my asp page execute a dos > shell and use commands to encrypt a file on the server and then attach > that file to the email using cdonts, but I can't find a resource for > dos commands anywhere, I realize that gnupg is opensource and there > are all kinds of unix/linux references but nothing for a win os. The command line options for gpg.exe should be the same as for the *nix version, since they're build from the same code base. Does gpg --help not help? > I can create a email box on our server and have cdonts email to that > box, the box would intern automatically encrypt the data and ship it > off to the recipient, problem is when I turn on encrypt new messages > by default, and try sending an email it asks which key i want to use, > is there a way around that? Im using Gnu Privacy Assistant for Ms > Outlook 2k. Take a look at http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 ("How can I use GnuPG in an automated environment?"), and see if that helps. (darren) - -- DISCLAIMER: Use of this advanced computing technology does not imply an endorsement of Western industrial civilization. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+u8hmzsinjrVhZaoRAoM6AJ0YO69O7Ek6wPfzHjVwb25VQn5naACgg+Cz d5ckJaQldHBspPaHY/Hm1hE= =0ON8 -----END PGP SIGNATURE----- From chris@yonderway.com Fri May 9 18:57:02 2003 From: chris@yonderway.com (Chris Hedemark) Date: Fri May 9 17:57:02 2003 Subject: Keysigning In-Reply-To: <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, May 9, 2003, at 10:25 AM, greg@turnstep.com wrote: > I am open to ideas about how to do this. This is not a small task. And it only works for the USA users. Geolocate users based on their ZIP code, and use the US Census "TIGER" database to group them with the nearest city. I don't know how to apply this on an international scale unless people are willing/able to provide meaningful GPS coordinates. Having this capability buys you something else, though; a user can say what ZIP code they're in and how far they are willing to drive for a keysigning. This will lead to a lot of overlapping bubbles that people are willing to meet within. At a "dumb" level you can merely send someone a list of who they can reasonably expect to meet based on mutually convenient travel range. At a more intelligent level, key analysis could be performed to sort out who is close that has already signed your key vs. who has yet to sign it. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj67z+wACgkQYPuF4Zq9lvac1gCfZ5izXP6pYmSaJ1GoIHN0Wa82 ZDgAmgO3d37qmMk9ckJbqa0EawSmIn8K =jBCf -----END PGP SIGNATURE----- From lucas@gonze.com Fri May 9 19:46:02 2003 From: lucas@gonze.com (Lucas Gonze) Date: Fri May 9 18:46:02 2003 Subject: Keysigning In-Reply-To: References: Message-ID: There are a number of services that do geolocation based on IP address. These are all commercial, as far as I know. 
- Lucas On Fri, 9 May 2003, Chris Hedemark wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On Friday, May 9, 2003, at 10:25 AM, greg@turnstep.com wrote: > > > I am open to ideas about how to do this. > > This is not a small task. And it only works for the USA users. > > Geolocate users based on their ZIP code, and use the US Census "TIGER" > database to group them with the nearest city. > > I don't know how to apply this on an international scale unless people > are willing/able to provide meaningful GPS coordinates. > > Having this capability buys you something else, though; a user can say > what ZIP code they're in and how far they are willing to drive for a > keysigning. This will lead to a lot of overlapping bubbles that people > are willing to meet within. At a "dumb" level you can merely send > someone a list of who they can reasonably expect to meet based on > mutually convenient travel range. At a more intelligent level, key > analysis could be performed to sort out who is close that has already > signed your key vs. who has yet to sign it. 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (Darwin)
>
> iEYEARECAAYFAj67z+wACgkQYPuF4Zq9lvac1gCfZ5izXP6pYmSaJ1GoIHN0Wa82
> ZDgAmgO3d37qmMk9ckJbqa0EawSmIn8K
> =jBCf
> -----END PGP SIGNATURE-----
From graham.todd@ntlworld.com Fri May 9 19:49:02 2003
From: graham.todd@ntlworld.com (Graham)
Date: Fri May 9 18:49:02 2003
Subject: Keys not trusted
In-Reply-To: <200305062259.08993.malte_gell@t-online.de>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305062259.08993.malte_gell@t-online.de>
Message-ID: <200305091755.48203.graham.todd@ntlworld.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 06 May 2003 9:58 pm, Malte Gell wrote:
> By the way, if you want to get subscribed to lots of mailing lists,
> the --auto-key-retrieve option may bloat your key ring in the long
> run. It may contain lots of keys from people you may never have
> contact with
[snipped]

I am subscribed to 10 mailing lists, on four of which I am a Moderator.
I use the --auto-key-retrieve option always.

It has been a feature of the way I used PGP and latterly GPG that I
regularly do keyring maintenance. Once a week, I weed out keys from my
keyring that I have no use for, and I've been doing this since the
heady days I was introduced to DOS and PGP 2.6.x. Weekly maintenance
also gives me the chance to test keyservers, and check the trustdb.

I am surprised that you appear not to do this too. Or am I unusual in
my use of GPG?

- -- 
Graham
GPG Keys at encryption.keys@ntlworld.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy

iD8DBQE+u92RIwtBZOk1250RAnF6AKDY0Qopl56GTbDHvyAwQTfObcZf8wCgs77W
8xLJR4kN5fIsOu4CBt2UY8w=
=CSIG
-----END PGP SIGNATURE-----
From dlc@users.sourceforge.net Fri May 9 20:25:02 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Fri May 9 19:25:02 2003
Subject: Keys not trusted
In-Reply-To: <200305091755.48203.graham.todd@ntlworld.com>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305062259.08993.malte_gell@t-online.de> <200305091755.48203.graham.todd@ntlworld.com>
Message-ID: <20030509-57c41a1cb88bf5d499d6ca1536e4f287@tumbleweed.boston.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Graham [2003-05-09 13:17]:
> It has been a feature of the way I used PGP and latterly GPG that I
> regularly do keyring maintenance. Once a week, I weed out keys from
> my keyring that I have no use for, and I've been doing this since the
> heady days I was introduced to DOS and PGP 2.6.x. Weekly maintenance
> also gives me the chance to test keyservers, and check the trustdb.

How do you know which keys you don't need? Do you simply eyeball the userids and delete the ones you don't recognize, or is there a more efficient way? I currently have over 300 public keys on my keyring (I also have the auto-retrieve option set), and I'm very sure I don't need most of those, but how can I tell which ones I actually need?

(darren)

- -- 
I look for what needs to be done.... After all, that's how the
universe designs itself. -- R.
Buckminster Fuller -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+u+QwzsinjrVhZaoRAoR/AJ4r9EjGgwJIUtm+ryVJPyGmN460sgCfcNGF 68B26DNUbazdWTn0iSHVyV8= =QCsH -----END PGP SIGNATURE----- From chris@yonderway.com Fri May 9 21:24:02 2003 From: chris@yonderway.com (Chris Hedemark) Date: Fri May 9 20:24:02 2003 Subject: Keysigning In-Reply-To: Message-ID: <786FC60B-824B-11D7-A015-0003939CC61E@yonderway.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, May 9, 2003, at 12:46 PM, Lucas Gonze wrote: > There are a number of services that do geolocation based on IP address. > These are all commercial, as far as I know. I subscribe to the list so there is no reason to send me two copies. Anywho, geolocation based on IP address flat out simply doesn't work. Don't believe me? Give me a web site to visit and then based on your server logs tell me where in the world I am within 100 miles of accuracy. You can't. When you're talking about something like keysignings your accuracy needs to be much greater still. Most folks are willing to drive only so far to meet someone to swap signatures. If you're giving them too many false hits for "neighbors" the system will be useless out of the starting gate. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj678mEACgkQYPuF4Zq9lvZRXACg8q6+4klY55BbJWx6eoi5o2+h CTsAnivYzIbDL2Ri1MjHfKDzeOG9ygAc =x1uq -----END PGP SIGNATURE----- From lucas@gonze.com Fri May 9 22:34:02 2003 From: lucas@gonze.com (Lucas Gonze) Date: Fri May 9 21:34:02 2003 Subject: Keysigning In-Reply-To: <786FC60B-824B-11D7-A015-0003939CC61E@yonderway.com> References: <786FC60B-824B-11D7-A015-0003939CC61E@yonderway.com> Message-ID: No need to rip me a new asshole, thanks. IP location works well for most people, so it's a sensible default, and it incorporates laziness, which is a virtue. Over and out. 
- Lucas On Fri, 9 May 2003, Chris Hedemark wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > On Friday, May 9, 2003, at 12:46 PM, Lucas Gonze wrote: > > > There are a number of services that do geolocation based on IP address. > > These are all commercial, as far as I know. > > I subscribe to the list so there is no reason to send me two copies. > > Anywho, geolocation based on IP address flat out simply doesn't work. > Don't believe me? Give me a web site to visit and then based on your > server logs tell me where in the world I am within 100 miles of > accuracy. You can't. When you're talking about something like > keysignings your accuracy needs to be much greater still. Most folks > are willing to drive only so far to meet someone to swap signatures. > If you're giving them too many false hits for "neighbors" the system > will be useless out of the starting gate. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.2 (Darwin) > > iEYEARECAAYFAj678mEACgkQYPuF4Zq9lvZRXACg8q6+4klY55BbJWx6eoi5o2+h > CTsAnivYzIbDL2Ri1MjHfKDzeOG9ygAc > =x1uq > -----END PGP SIGNATURE----- > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From olafwazhere@yahoo.com.au Fri May 9 22:53:02 2003 From: olafwazhere@yahoo.com.au (=?iso-8859-1?q?Stewart=20Wright?=) Date: Fri May 9 21:53:02 2003 Subject: Signing with different sub-keys. Message-ID: <20030509195435.50520.qmail@web21308.mail.yahoo.com> Hi All, I am trying to work out how to have multiple signing subkeys and sign different files with different keys. However, I am failing to get it to work. Here's what I do -- perhaps someone can make a suggestion. 
As a test I got rid of my secring and pubring and started from scratch generating a dummy DSA/ElGamal key which I then added DSA and RSA signing subkeys:

pub 1024D/B37D0D59 2003-05-08 test key 1
sub 1024g/8A112A7E 2003-05-08
sub 1024D/E1A24F95 2003-05-08
sub 1024R/F2D5AAA9 2003-05-09

I then tried making a series of signings:

0) gpg --output msg0.asc --clearsign msg
1) gpg --output msg1.asc --clearsign -u B37D0D59 msg
2) gpg --output msg2.asc --clearsign -u 8A112A7E msg
3) gpg --output msg3.asc --clearsign -u E1A24F95 msg
4) gpg --output msg4.asc --clearsign -u F2D5AAA9 msg

(Remembering that the ElGamal key 8A112A7E shouldn't be able to sign...)

I then verified the signature using

gpg --verify msg0.asc

GnuPG tells me that the signatures were made with:

0) DSA key ID B37D0D59
1) RSA key ID F2D5AAA9
2) RSA key ID F2D5AAA9
3) RSA key ID F2D5AAA9
4) RSA key ID F2D5AAA9

Now, it seems that 0) makes sense, but surely
1) should be B37D0D59,
2) should be ???
3) is E1A24F95 and
4) F2D5AAA9

Am I doing something wrong? Any ideas or help would be appreciated.

Thanks,
Olaf
From eleuteri@myrealbox.com Fri May 9 23:16:02 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Fri May 9 22:16:02 2003
Subject: keyservers
Message-ID: <016101c31667$6690bcf0$f92489c3@enterprise>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Some friends and me have decided to start programming a keyserver with support for all the features of OpenPGP keys. We have little experience, so even though it's somewhat off-topic I wonder what's the most appropriate protocol to use... Any help welcome.

- --David.
-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
iQIVAwUBPrwL3qYOp7uFKb/EAQLHhRAApdpTwlda91esQj20y9IoZz8OwQDvTV2m 98+tSClijhWDVgir1cnvZB9AKXwBTEEW4UXNykH7qels8KVqsF3SefWp6qZTc1jA t0N3cT6sKbiX8rePIpMMNMvX5v0w3JNSaI268JfjRl2IyhhGQ2m/VogJ2usV+Wy8 UT905zc18T6+MMs8PfhZ24q0siwdVeDbBN1NWxJ+zvQuiVUGRmJbJFx7InBLnyUJ ucA45SaYOogvMp66WfiT8pqbMKM7IhWZddO6oZJ5srV8uTDJEV+YJVm+enFuttT0 Oy/eDrtXfr/2J/cLbmf4/CGK4GsoONrosSHBRnmzV6pjSFoN6EPzHWfXo6yEAPwH Nf95MQp3ptn1+2c1yTFr/rJpDm4D5AQdbRvQSdzrqeOXhmNx2E/13stnq6qP0rsl 4ndacEncvpDYG7pMUyxvmqaedfKUcCdb7VqbK69rG8BUQYbvbZD08LmhFn6eE32l 8e7iUGkyqKKqltUhZSTt8s7tvMXlT62SGBMl3gO7JmUFDwDqDEVKujz0fyZ/DpeP fvTekZ1nqsxLVbQjKmevdLZLJXAwigPKSCWE9Ujlkr4ygiCMQiMRy4i8KChJ3TNV AspZb6d3C57RrMrvO6DPAbLZEMNVcm2IwpXv8U4lHYl2Tnz0zYrU4QEd63wJOzTb 4DlCxAdg3UU= =ZHUK -----END PGP SIGNATURE----- From wbo@mandrakesoft.com Fri May 9 23:24:02 2003 From: wbo@mandrakesoft.com (Wolfgang Bornath) Date: Fri May 9 22:24:02 2003 Subject: Keysigning In-Reply-To: References: <786FC60B-824B-11D7-A015-0003939CC61E@yonderway.com> Message-ID: <200305092225.14173.wbo@mandrakesoft.com> ** Lucas Gonze (Freitag, 9. Mai 2003 21:34) > ... laziness, which is a virtue. Amen! wobo -- Public GnuPG key available at keyserver www.mandrakesecure.net From eleuteri@myrealbox.com Fri May 9 23:56:02 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Fri May 9 22:56:02 2003 Subject: Signing with different sub-keys. References: <20030509195435.50520.qmail@web21308.mail.yahoo.com> Message-ID: <018f01c3166c$eac53e60$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > 0) gpg --output msg0.asc --clearsign msg > 1) gpg --output msg1.asc --clearsign -u B37D0D59 msg > 2) gpg --output msg2.asc --clearsign -u 8A112A7E msg > 3) gpg --output msg3.asc --clearsign -u E1A24F95 msg > 4) gpg --output msg4.asc --clearsign -u F2D5AAA9 msg If I remember correctly, writing an exclamation mark (!) after the keyID should do the trick. - --David. 
-----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. -----END PGP SIGNATURE----- From gnupg-users@nahrath.de Sat May 10 00:38:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Fri May 9 23:38:02 2003 Subject: Keysigning In-Reply-To: <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> References: <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> Message-ID: <3EBC2010.6010203@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig8AFB187156D7C4ADE27330A9 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit greg@turnstep.com wrote: >>I'm listed under one of the big cities, Philadelphia. Biglumber.com >>isn't smart enough unfortunately to group suburbs with their parent >>city, so what most of the "Philadelphians" did was say they lived in >>Philadelphia even though they really live in an outlying suburb. > > > I am open to ideas about how to do this. Create a new field for free Text to give more detailed information about one's location. I am currently listed under "Hildesheim, Germany". This is correct and should continue to be the main category. But in an additional location field I would add "Germany -> Niedersachsen.
Hildesheim lies between Hannover, Göttingen and Braunschweig". Only an extended (yet to implement) search would find me under all of those cities' names. BTW: German postal numbers are quite useful to represent geographical locations. Greeting, Michi --------------enig8AFB187156D7C4ADE27330A9 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj68IBsACgkQ19dRf5pMcEw+iQCcCu9KHL/35bpuWdLxxj7mMdRP 4soAoMUwb2Y1nxDCvZFJgIldPDWMFVGK =r9l/ -----END PGP SIGNATURE----- --------------enig8AFB187156D7C4ADE27330A9-- From dcarrera@math.umd.edu Sat May 10 01:13:02 2003 From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sat May 10 00:13:02 2003 Subject: [Q] Comparison of Encryption Algorithms Message-ID: <20030509221428.GA2383@math.umd.edu> Hello, I've been trying to learn about "how secure" some encryption algorithms are, but I haven't found what I want. Perhaps someone can point me to a resource. I'm most interested in Blowfish, IDEA and RSA because I understand that they are the most powerful and on DSA and ElGamal as I understand that they are used by GPG. I want to get an idea of the computing power needed to break those. As well as any other security concerns that I should be aware of. I am a mathematician, I'm not afraid of doing some calculations to get the answers I want.
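For the "Signing with different sub-keys" thread above: an added example, not code from any poster or from GnuPG, that builds the `-u KEYID!` argument suggested in the reply and checks from gpg's `--status-fd` output that the intended subkey really made the signature. The status lines and the leading 32 fingerprint digits are constructed; only the short key IDs come from the thread, and the "forced" result is the assumed outcome of using `!`.

```python
import re

ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA"}  # OpenPGP public-key algorithm numbers

# Constructed fingerprints: only the last 8 hex digits (the short key IDs)
# come from the thread; the leading 32 digits are filler.
FPR_PRIMARY = "0123456789ABCDEF" * 2 + "B37D0D59"
FPR_DSA_SUB = "A" * 32 + "E1A24F95"
FPR_RSA_SUB = "B" * 32 + "F2D5AAA9"


def _status(signer_fpr, algo):
    """Build constructed `gpg --status-fd 1 --verify FILE` output for one signature."""
    return "\n".join([
        "[GNUPG:] GOODSIG %s test key 1" % signer_fpr[-16:],
        # VALIDSIG <fpr> <date> <timestamp> <expires> <sig-version> <reserved>
        #          <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
        "[GNUPG:] VALIDSIG %s 2003-05-09 1052510000 0 3 0 %d 2 01 %s"
        % (signer_fpr, algo, FPR_PRIMARY),
    ])


# Case 3 from the thread: `-u E1A24F95` was requested, RSA subkey F2D5AAA9 signed.
STATUS_PLAIN = _status(FPR_RSA_SUB, 1)
# Assumed result of the suggested fix, `-u E1A24F95!`.
STATUS_FORCED = _status(FPR_DSA_SUB, 17)


def _hex_id(key_id):
    """Normalise a short/long key ID or fingerprint to bare upper-case hex."""
    kid = key_id.strip().rstrip("!")
    if kid[:2].lower() == "0x":
        kid = kid[2:]
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{8}){1,2}|[0-9A-Fa-f]{40}", kid):
        raise ValueError("not a key ID or fingerprint: %r" % key_id)
    return kid.upper()


def exact_key_arg(key_id):
    """Return the key ID with a trailing '!' so gpg uses exactly this (sub)key."""
    return _hex_id(key_id) + "!"


def sign_command(infile, outfile, key_id):
    """Argument list for the clearsign call used in the thread, with '!' added."""
    return ["gpg", "--output", outfile, "--clearsign",
            "-u", exact_key_arg(key_id), infile]


def parse_validsig(status_text):
    """Extract signer fingerprint, algorithm and primary key from VALIDSIG lines."""
    sigs = []
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] != ["[GNUPG:]", "VALIDSIG"] or len(parts) < 3:
            continue
        f = parts[2:]
        algo = int(f[6]) if len(f) > 6 else None  # older output has fewer fields
        sigs.append({
            "signer_fpr": f[0].upper(),
            "algo": ALGO_NAMES.get(algo, algo),
            "primary_fpr": f[9].upper() if len(f) > 9 else None,
        })
    return sigs


def check_signer(status_text, wanted_key_id):
    """Return (ok, short IDs that signed); ok only if every signature is from wanted."""
    wanted = _hex_id(wanted_key_id)
    sigs = parse_validsig(status_text)
    signers = [s["signer_fpr"][-8:] for s in sigs]
    ok = bool(sigs) and all(s["signer_fpr"].endswith(wanted) for s in sigs)
    return ok, signers


if __name__ == "__main__":
    print(" ".join(sign_command("msg", "msg3.asc", "E1A24F95")))
    print("without '!':", check_signer(STATUS_PLAIN, "E1A24F95"))
    print("with '!':   ", check_signer(STATUS_FORCED, "E1A24F95"))
```

Running the check after every automated signing catches the silent substitution reported in the thread instead of relying on reading the `--verify` output by eye.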
From gnupg-users@nahrath.de Sat May 10 01:14:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Sat May 10 00:14:02 2003 Subject: keyservers In-Reply-To: <016101c31667$6690bcf0$f92489c3@enterprise> References: <016101c31667$6690bcf0$f92489c3@enterprise> Message-ID: <3EBC2858.2050407@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig06C7F41D92636019DEBF8CD5 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit David Picon Alvarez wrote: > Hi, > > Some friends and me have decided to start programming a keyserver with > support for all the features of OpenPGP keys. There are at least three independent keyserver programmes currently developed independently already. Why not rather contribute to one of those? > We have little experience, so > even though it's somewhat off-topic I wonder what's the most appropriate > protocol to use... The mailinglist exists (public archive at ). Maybe you should rather discuss this issue there. 
A RFC about the http: keyserver protocol is currently in draft state: Greeting, Michi --------------enig06C7F41D92636019DEBF8CD5 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj68KGEACgkQ19dRf5pMcEzeewCfUVphvVbunZ0ZLI+Buix0rUMJ BfUAnRWzf7uVOcUOOQWb9BzDtskGepj5 =yjNW -----END PGP SIGNATURE----- --------------enig06C7F41D92636019DEBF8CD5-- From dshaw@jabberwocky.com Sat May 10 01:19:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 00:19:02 2003 Subject: keyservers In-Reply-To: <016101c31667$6690bcf0$f92489c3@enterprise> References: <016101c31667$6690bcf0$f92489c3@enterprise> Message-ID: <20030509221953.GD4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 09, 2003 at 09:12:44PM +0100, David Picon Alvarez wrote: > Some friends and me have decided to start programming a keyserver with > support for all the features of OpenPGP keys. We have little experience, so > even though it's somewhat off-topic I wonder what's the most appropriate > protocol to use... > Any help welcome. If you want to build a keyserver, I'd subscribe to the pgp-keyserver-folk mailing list and discuss your plans there. See http://keyserver.kjsl.com/~jharris/archives/ to start. 
Also, if you want GnuPG to be able to use your keyserver without writing a special plugin, you need to read this: http://www.ietf.org/internet-drafts/draft-shaw-openpgp-hkp-00.txt David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vCmJ4mZch0nhy8kRAq5vAKCYln+9/fYlt3j2CDXOFPdK8xN4sgCeO4no LgnM6bS8VOhcC7UWTytgFTk= =QcH8 -----END PGP SIGNATURE----- From eleuteri@myrealbox.com Sat May 10 01:22:03 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Sat May 10 00:22:03 2003 Subject: keyservers References: <016101c31667$6690bcf0$f92489c3@enterprise> <3EBC2858.2050407@nahrath.de> Message-ID: <009401c31678$f7036fb0$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > The mailinglist exists > (public archive at ). > Maybe you should rather discuss this issue there. Thanks for the info, and sorry for the OT. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. 
-----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 10 01:31:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 00:31:01 2003 Subject: Keysigning In-Reply-To: <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> References: <03F6E45C-8220-11D7-A015-0003939CC61E@yonderway.com> <4478188dd1393dd09f1887ef1b8ed955@biglumber.com> Message-ID: <20030509223138.GE4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 09, 2003 at 02:25:16PM -0000, greg@turnstep.com wrote: > > I'm listed under one of the big cities, Philadelphia. Biglumber.com > > isn't smart enough unfortunately to group suburbs with their parent > > city, so what most of the "Philadelphians" did was say they lived in > > Philadelphia even though they really live in an outlying suburb. > > I am open to ideas about how to do this. Generally, it is better to list > yourself as the nearest big city - people out of town are not going to > be familiar with the suburb names, and most meetings will actually take > place in the "main city" itself. How about just adding two extra fields: "Nearest big city" and "Distance to nearest big city" ?
David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vCxK4mZch0nhy8kRAquMAJ0dBo/kRHqyaHNsKAPmVnw0YgveIgCg0R5H GMefq2dZMfbJpOeP9JErzTA= =VBUT -----END PGP SIGNATURE----- From gnupg-users@nahrath.de Sat May 10 01:49:02 2003 From: gnupg-users@nahrath.de (Michael Nahrath) Date: Sat May 10 00:49:02 2003 Subject: mobile GPG installation Message-ID: <3EBC3092.6010605@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigB6B7248D425390898EAFBC45 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hello, Some friends of mine are travelling people, working in different places all over the country, having no own flat and not at all an own computer. Although they deal with traditional craftsmanship some are rather up to date when it comes to digital communication. Usually their first question whenever one visits me is "Do you have internet, may I check may mails?" :-) They have their mail accounts at some freemailer services and use them solely via web frontend on other people's computers or in internet cafes. I have been asked if there is a practical way to use OpenPGP under such circumstances. Even if they would carry their secret and public keyrings with them on a floppy or on a USB-stick GPG needs to import the keys to it's own directories or it would need a lot of extra typing for each command. That includes the risk that by error the secret key would be imported and remain on the computer's users keyring or other unwanted effects. The other problem is that most computers don't have an OpenPGP application installed by default and that it is always a bit delicate to install software on other people's computers when you are a guest. Is there a way to make a fully running GPG-installation on a USB stick or some other removable medium? 
Simply plug in your stick and use the GPG application and your own keyrings from it directly, without any local installation or permanent changes required. Best of all was a FAT32 formatted medium that contains several installations for different OSes, but (like it or not ...) Windows was the most important platform. Greeting, Michi --------------enigB6B7248D425390898EAFBC45 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj68MJ4ACgkQ19dRf5pMcEytwQCdFOEAZYHAyr7yVP97Nh164y93 NUoAoI5I0LtmJxeF5rTAV7u30RsRgcHt =mqAK -----END PGP SIGNATURE----- --------------enigB6B7248D425390898EAFBC45-- From DenisMcCauley@ifrance.com Sat May 10 02:25:01 2003 From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Sat May 10 01:25:01 2003 Subject: Signing with different sub-keys. In-Reply-To: <20030509195435.50520.qmail@web21308.mail.yahoo.com> References: <20030509195435.50520.qmail@web21308.mail.yahoo.com> Message-ID: <20030509130933.FB85.DENISMCCAULEY@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 10 May 2003 05:54:35 +1000 (EST) Stewart Wright wrote: > Hi All, > > I am trying to work out how to have multiple signing > subkeys and sign different files with different keys. > However, I am failing to get it to work. > > Here's what I do -- perhaps someone can make a > suggestion. 
> > As a test I got rid of my secring and pubring and > started from scratch generating a dummy DSA/ElGamal > key which I then added DSA and RSA signing subkeys: > > pub 1024D/B37D0D59 2003-05-08 test key 1 > sub 1024g/8A112A7E 2003-05-08 > sub 1024D/E1A24F95 2003-05-08 > sub 1024R/F2D5AAA9 2003-05-09 > > I then tried making a series of signings: > 0) gpg --output msg0.asc --clearsign msg > 1) gpg --output msg1.asc --clearsign -u B37D0D59 msg > 2) gpg --output msg2.asc --clearsign -u 8A112A7E msg > 3) gpg --output msg3.asc --clearsign -u E1A24F95 msg > 4) gpg --output msg4.asc --clearsign -u F2D5AAA9 msg > > (Remembering that the ElGamal key 8A112A7E shouldn't > be able to sign...) > > I then verified the signature using > gpg --verify msg0.asc > > GnuPG tells me that the signatures were made with: > 0) DSA key ID B37D0D59 > 1) RSA key ID F2D5AAA9 > 2) RSA key ID F2D5AAA9 > 3) RSA key ID F2D5AAA9 > 4) RSA key ID F2D5AAA9 > > Now, it seems that > 0) makes sense, but surely > 1) should be B37D0D59, > 2) should be ??? > 3) is E1A24F95 and > 4) F2D5AAA9 > As David Picon Alvarez has replied: "If I remember correctly, writing an exclamation mark (!) after the keyID should do the trick." Otherwise GPG will automatically use the most recently created subkey. But your test 0 result seems strange because GPG should automatically use a signature subkey if one is present. My signing key on this message is an example of this behaviour. Cheers - -- ===================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ===================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7) iD8DBQE+vDflJpZGKkmAxPcRAuAIAJ9S84/lf5tbdpUZ7WTOsuEnrkoO2QCePu6J u/xSgLtmsn2N/to0Id2RbR8= =alva -----END PGP SIGNATURE-----
From peter@tallwomensclothing.com Sat May 10 03:04:02 2003 From: peter@tallwomensclothing.com (Peter Gillett) Date: Sat May 10 02:04:02 2003 Subject: Automated Encryption In-Reply-To: <9054CB3E21D9D311AF2D00E029492EF201A055A4@louie.mhhp.com> Message-ID: Charles, to set up gpg to work on a W2K server, Copy gpg.exe (the w32 one) to an executable directory on your webserver, and pubring.gpg, secring.gpg, trustdb.gpg and random_seed to a directory on your webserver that has read and write and delete permissions. This will be your gpg home directory, so have the permissions of pubring.gpg and secring.gpg set to read only, but not write, delete or execute, and set the permissions of trustdb.gpg and random_seed to read and write, but not execute or delete. To encrypt a file called c:\test\homedir\fred.txt with the key bill@here.there, run the dos command... c:\test\exe\gpg.exe --homedir c:\test\homedir --batch --no-version --always-trust --no-tty --comment "" -ear bill@here.there c:\test\homedir\fred.txt This will produce a file fred.asc, encrypted with bill@here.there's key, with no version or comment. We use this method (but using perl scripts) to automatically encrypt orders for our website that runs on a shared server running IIS 5.0 under W2K hope this helps Peter Gillett The Long Tall Clothing Company http://www.tallwomensclothing.com -----Original Message----- From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org]On Behalf Of Charles Kronschnable Sent: Saturday, 10 May 2003 00:48 To: 'gnupg-users@gnupg.org' Subject: Automated Encryption My task is to send encrypted emails via an asp page. I have two options I believe.
The first is to have my asp page execute a dos shell and use commands to encrypt a file on the server and then attach that file to the email using cdonts, but I can't find a resource for dos commands anywhere, I realize that gnupg is opensource and there are all kinds of unix/linux references but nothing for a win os. From jbruni@mac.com Sat May 10 03:59:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Sat May 10 02:59:02 2003 Subject: keyservers In-Reply-To: <016101c31667$6690bcf0$f92489c3@enterprise> Message-ID: Just out of curiosity, why is the signature on your message longer than the message itself? Joe On Friday, May 9, 2003, at 01:12 PM, David Picon Alvarez wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > Some friends and me have decided to start programming a keyserver with > support for all the features of OpenPGP keys. We have little > experience, so > even though it's somewhat off-topic I wonder what's the most > appropriate > protocol to use... > Any help welcome. > > - --David. > > -----BEGIN PGP SIGNATURE----- > Comment: This message is digitally signed and can be verified for > authenticity. 
> -----END PGP SIGNATURE----- From malte_gell@t-online.de Sat May 10 04:36:02 2003 From: malte_gell@t-online.de (Malte Gell) Date: Sat May 10 03:36:02 2003 Subject: Keys not trusted In-Reply-To: <200305091755.48203.graham.todd@ntlworld.com> References: <200305060203.30183.wbo@mandrakesoft.com> <200305062259.08993.malte_gell@t-online.de> <200305091755.48203.graham.todd@ntlworld.com> Message-ID: <200305100325.30133.malte_gell@t-online.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 > On Tuesday 06 May 2003 9:58 pm, Malte Gell wrote: > > By the way, if you want to get subscribed to lots of mailing lists, > > the --auto-key-retrieve option may bloat your key ring in the long > > run. It may contain lots of keys from people you may never have > > contact with > > [snipped] > > I am subscribed to 10 mailing lists, on four of which I am a > Moderator. I use the --auto-key-retrieve option always. . . . > I am surprised that you appear not to do this too. Or am I unusual > in my use of GPG?
Maybe it is me who is unusual in the way of using GPG ;-) I've used this option for some time but I had the feeling that when enabled it made me a bit lazy regarding checking the authenticity of the keys I retrieved. So I disabled it and if there is a person whose key I really need I make more efforts to get his/her key and to check its authenticity, with auto-key-retrieve enabled I tend to be too lazy to really check the key's authenticity, that's all... On the other hand, if you check your keyring every week then this is also a thorough way of keeping the keyring tidy, it's just a matter of taste how to keep the keyring in shape I think. Regards Malte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iEYEAREDAAYFAj68V7AACgkQGzg12gD8wBZYigCePab0LtoCLqP/qjLwMPfOB/ho +78AoJmNhJb3PkAGVghG5Id/MiJhp5HR =+jd9 -----END PGP SIGNATURE----- From bminton@efn.org Sat May 10 04:49:02 2003 From: bminton@efn.org (Brian Minton) Date: Sat May 10 03:49:02 2003 Subject: keyservers In-Reply-To: References: <016101c31667$6690bcf0$f92489c3@enterprise> Message-ID: <20030510014949.GA26972@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 09, 2003 at 05:53:03PM -0700, Joseph Bruni wrote: > Just out of curiosity, why is the signature on your message > longer than the message itself? by the way, many mail programs can automatically verify the signature, so you don't even have to see the raw signature. - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer!
KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+vFq8cieIIFcDdHIRAgWuAJsHibamL6hxe6LwfXluCvVlX9dODwCePfUy yff92qigYiJBIL7sWBM1598= =fs3E -----END PGP SIGNATURE----- From eleuteri@myrealbox.com Sat May 10 05:06:01 2003 From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Sat May 10 04:06:01 2003 Subject: keyservers References: Message-ID: <003b01c31698$42e24130$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Just out of curiosity, why is the signature on your message longer than > the message itself? Because (1) my message was short and (2) the key is RSA 4096 bits. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 10 05:58:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 04:58:02 2003 Subject: keyservers In-Reply-To: References: <016101c31667$6690bcf0$f92489c3@enterprise> Message-ID: <20030510025831.GH4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 09, 2003 at 05:53:03PM -0700, Joseph Bruni wrote: > Just out of curiosity, why is the signature on your message longer than > the message itself?
The size of an RSA signature is proportional to the size of the key. He has a large RSA key. http://www.mccune.cc/PGPpage2.htm#Short is more or less accurate on the subject. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vGrX4mZch0nhy8kRAs7WAKCQd97EbNYBw0f0Rk6+7SyUaZc5JgCghs1J oZa6fwylkFaMxD0gLwKab+A= =5PNZ -----END PGP SIGNATURE----- From jbruni@mac.com Sat May 10 06:09:01 2003 From: jbruni@mac.com (Joseph Bruni) Date: Sat May 10 05:09:01 2003 Subject: keyservers In-Reply-To: <003b01c31698$42e24130$f92489c3@enterprise> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That makes sense. Thanks! On Friday, May 9, 2003, at 07:02 PM, David Picon Alvarez wrote: > >> Just out of curiosity, why is the signature on your message longer >> than >> the message itself? > > Because (1) my message was short and (2) the key is RSA 4096 bits. > - --David. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj68a8MACgkQ4rg/mXNDweNbRACaA1WMkGnZmfQ049yFHecIy/EW WBwAoMi3RD/jo87rmaGGAdnoT7iBpCgS =8WxS -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 10 06:22:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 05:22:01 2003 Subject: mobile GPG installation In-Reply-To: <3EBC3092.6010605@nahrath.de> References: <3EBC3092.6010605@nahrath.de> Message-ID: <20030510032236.GJ4414@jabberwocky.com> --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sat, May 10, 2003 at 12:49:54AM +0200, Michael Nahrath wrote: > Is there a way to make a fully running GPG-installation on a USB stick or > some other removable medium? Simply plug in your stick and use the GPG > application and your own keyrings from it directly, without any local > installation or permanent changes required. It's pretty easy to do this. Just copy the 'gpg' binary plus the .gnupg directory onto the removable storage. 
When you want to use it, insert the storage, and then you can run gpg directly from the removable storage as: gpg --homedir (path_to_the_.gnupg_directory) On Unix you can set the GNUPGHOME environment variable instead of using --homedir, but that does not work on Windows. Note that this isn't terribly secure - an untrusted computer can easily have a program on it to snatch your keys. David --SUOF0GtieIMvvwua Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vHB84mZch0nhy8kRAhxjAKCbeuJizzotYiLoc/7eJ+BGvjcY3ACgiNb5 27AEAa/7DDjHrA0DHiBni90= =eA5f -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua-- From dshaw@jabberwocky.com Sat May 10 06:26:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 05:26:02 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <20030509221428.GA2383@math.umd.edu> References: <20030509221428.GA2383@math.umd.edu> Message-ID: <20030510032657.GK4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 09, 2003 at 06:14:29PM -0400, Daniel Carrera wrote: > Hello, > > I'm been trying to learn about "how secure" some encryption algorithms > are, but I haven't found what I want. Perhaps someone can point me to a > resourse. > > I'm most interested in Blowfish, IDEA and RSA because I understand that > they are the most powerful and on DSA and ElGamal as I understand that > they are used by GPG. > > I want to get an idea of the computing power needed to break those. As > well as any other security concerns that I should be aware of. I am a > mathematecian, I'm not afraid of doing some calculations to get the > answers I want. It's not an easy question to answer, because it's a hard question to ask right ;) Probably the best resource to look at is the book Applied Cryptography. Also read http://www.samsimpson.com/pgpfaq.html for some OpenPGP-specific discussion. 
David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vHGB4mZch0nhy8kRAg36AJ9t1XGyuDBFDx0Ry/nh/pjp/XYEcACg0yt1 2+mjawFVMZRKCp8ORPqJL1s= =yMIS -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 10 07:41:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 06:41:02 2003 Subject: Building 1.2.2 on SunOS 4 In-Reply-To: <20030508164607.GG25034@gbnet.net> References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> <20030508164607.GG25034@gbnet.net> Message-ID: <20030510044207.GM4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, May 08, 2003 at 05:46:07PM +0100, Steve Kennedy wrote: > Trying to build on SunOS 4.1.4 on Sparc, gcc (2.73) > > gmake[2]: Entering directory > `/vol/home/steve/todo/build/ns/gnupg-1.2.2/tools' > gcc -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a > ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a -liconv -lz > ld: Undefined symbol > _mpihelp_rshift > ___udiv_qrnnd > _mpihelp_add_n > _mpihelp_lshift > collect2: ld returned 2 exit status Hmm. In the main gnupg build directory, what does "grep underscore config.log" return? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vIMf4mZch0nhy8kRAv8BAJ9B3RWXOvKQ6kBODmCFHO17ltVgSACg112w GvWRPdMa6ZA2Q0l7HTBS1dA= =i/wy -----END PGP SIGNATURE----- From sathishkumarbt@yahoo.com Sat May 10 09:08:03 2003 From: sathishkumarbt@yahoo.com (sathish kumar) Date: Sat May 10 08:08:03 2003 Subject: (no subject) Message-ID: <20030510060938.58725.qmail@web14602.mail.yahoo.com> --0-1319038858-1052546978=:56922 Content-Type: text/plain; charset=us-ascii hi , i am doing project on network security using cryptography. where, i use a authenticating server which check the authenticable client user. In this i use gnupg to generate keys and encrypted messages. 
my query is that can i use gnupg commands in the client program or just the encrypted message file which will be sent to the authenticating server. another query is that during exporting public key can i use ip address to send the key to another p.c. whether i have to communicate through client-server program or gnupg will connect to another p.c. mail the ans to my email id:- sathishkumarbt@yahoo.com --0-1319038858-1052546978=:56922--

From JPClizbe@attbi.com Sat May 10 10:30:02 2003
From: JPClizbe@attbi.com (John Clizbe) Date: Sat May 10 09:30:02 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <20030509221428.GA2383@math.umd.edu> References: <20030509221428.GA2383@math.umd.edu> Message-ID: <3EBCAA86.1090205@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Daniel Carrera wrote: > Hello, > > I'm been trying to learn about "how secure" some encryption algorithms > are, but I haven't found what I want. Perhaps someone can point me to a > resourse. > > I'm most interested in Blowfish, IDEA and RSA because I understand that > they are the most powerful and on DSA and ElGamal as I understand that > they are used by GPG. > > I want to get an idea of the computing power needed to break those. As > well as any other security concerns that I should be aware of. I am a > mathematecian, I'm not afraid of doing some calculations to get the > answers I want. > Hmm, I'd start with either of Schneier's books: _Applied_Cryptography_ (http://www.counterpane.com/applied.html) or the newly released _Practical_Cryptography_ (http://www.counterpane.com/book-practical.html). Counterpane also has an online bibliography of over 1400 papers and articles on Crypto (Got to be better than the sci.crypt archives) available at http://www.counterpane.com/biblio/ . I'd also check the monthly CRYPTO-GRAM newsletter (also available on the same site). Extensive list of PKI links at http://www.pki-page.org/ And check Keith Ray's OpenPGP page at http://www.nullify.org/openpgp.html, some of the links there may just answer your questions. Hopefully this is enough to get you started. Keep us posted, would you? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+vKqFHQSsSmCNKhARAntZAKC6NjLJ1CTNrYOnRJLqVVEF8L8a5wCcD9i9 LSdMJrB9LSyPNSJRJeJWA2s= =QpLO -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Sat May 10 11:27:02 2003 
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Sat May 10 10:27:02 2003 Subject: Keys not trusted In-Reply-To: <20030509-57c41a1cb88bf5d499d6ca1536e4f287@tumbleweed.boston.com> References: <200305060203.30183.wbo@mandrakesoft.com> <200305091755.48203.graham.todd@ntlworld.com> <20030509-57c41a1cb88bf5d499d6ca1536e4f287@tumbleweed.boston.com> Message-ID: <200305101027.51808@fortytwo.ch> --Boundary-02=_HgLv+0DszvYF2vN Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 09 May 2003 19:24, darren chamberlain wrote: > * Graham [2003-05-09 13:17]: [keyring maintenance] > How do you know which keys you don't need? Do you simply eyeball the > userids and delete the ones you don't recognize, or is there a more > efficient way? I currently have over 300 public keys on my keyring (I > also have the auto-retrieve option set), and I'm very sure I don't need > most of those, but how can I tell which ones I actually need? Yo! 300 keys sounds about right :-) I have a little script that just presents me with 5 random keys. I then delete those where I don't recognize the name (either from mailing lists, or privately) - I do this more or less weekly (sometimes less). It's far from perfect, but I don't want to go through the whole keyring. 
Of course I occasionally delete a key that is then downloaded again when I read mail, but as those aren't people I know, I don't think this is a problem. cheers -- vbi -- featured link: http://fortytwo.ch/smtp --Boundary-02=_HgLv+0DszvYF2vN Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj68uAdgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWeUUAn2FBZFDRdQahSCfAZFLDQ5TR vma9AJsGFpdNTOmJ9udh3i0Z7px2kHKi0A== =YORh -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab --Boundary-02=_HgLv+0DszvYF2vN-- From martin.bretschneider@gmx.de Sat May 10 12:35:02 2003 
From: martin.bretschneider@gmx.de (Martin Bretschneider) Date: Sat May 10 11:35:02 2003 Subject: mobile GPG installation In-Reply-To: <3EBC3092.6010605@nahrath.de> References: <3EBC3092.6010605@nahrath.de> Message-ID: --=.+Fph)K:GWBtD'u Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Michael Nahrath wrote: Hi Michael, > They have their mail accounts at some freemailer services and use > them solely via web frontend on other people's computers or in > internet cafes. They can use a kind of secure webservices. Check www.hushmail.com or http://www.sys3175.co.uk/securemail.php and ask google using this keywords. HTH and kind regards from Springe;) -- www.bretschneidernet.de OpenPGP_0x4EA52583 JID_breti@jabber.org _o)(o_ Sallust: -./\\//\.- Nam idem velle atque idem _\_VV_/_ nolle, ea demum firma amicitia est. --=.+Fph)K:GWBtD'u Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+vL0JGK1ebE6lJYMRAvlbAJwOLtc0to4tanH2X/ilaqTqqh8S7ACdGUrF eIpIG+epOEOt+aO4kR8/d/4= =Sw0u -----END PGP SIGNATURE----- --=.+Fph)K:GWBtD'u-- From pplf@wanadoo.fr Sat May 10 12:48:02 2003 From: pplf@wanadoo.fr (pplf) Date: Sat May 10 11:48:02 2003 Subject: ftp.gnupg.org down ? Message-ID: <3EBCCACB.5050504@wanadoo.fr> For info, from France ftp.gnupg.org is unreachable since 2 days. -- pplf - French OpenPGP page "OpenPGP en francais" PGP: 8263 8399 2074 5277 a6d3 http://www.openpgp.fr.st 622d 1b66 ea3d caa0 8c94 From wk@gnupg.org Sat May 10 12:50:02 2003 
From: wk@gnupg.org (Werner Koch) Date: Sat May 10 11:50:02 2003 Subject: mobile GPG installation In-Reply-To: <20030510032236.GJ4414@jabberwocky.com> (David Shaw's message of "Fri, 9 May 2003 23:22:36 -0400") References: <3EBC3092.6010605@nahrath.de> <20030510032236.GJ4414@jabberwocky.com> Message-ID: <87znlvf7tx.fsf@alberti.g10code.de> On Fri, 9 May 2003 23:22:36 -0400, David Shaw said: > Note that this isn't terribly secure - an untrusted computer can > easily have a program on it to snatch your keys. We are working on a GnuPG smartcard; expect a prototype in about 2 months. For cost reasons it will only allow for 1024 bit RSA but you can be sure that the secret keys will stay non-compromised by remote attacks or trojans in Internet cafes. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From konrad@crunchy-frog.org Sat May 10 12:53:01 2003 
From: konrad@crunchy-frog.org (Konrad Podloucky) Date: Sat May 10 11:53:01 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <20030509221428.GA2383@math.umd.edu> References: <20030509221428.GA2383@math.umd.edu> Message-ID: <1052560434.670.5.camel@muaddib.podl> --=-2MsEa9lgpGK6AVG5WU35 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sat, 2003-05-10 at 00:14, Daniel Carrera wrote: > Hello, > > I've been trying to learn about "how secure" some encryption algorithms > are, but I haven't found what I want. Perhaps someone can point me to a > resource. > As others have noted Schneier's "Applied Cryptography" will give you a good idea about security. However, if you are willing to get a bit more into details, have a look at the "Handbook of Applied Cryptography". A.J. Menezes (one of the authors) has made it available online at http://www.cacr.math.uwaterloo.ca/hac/. Konrad -- "Free people are free to make mistakes and commit crimes and do bad things." -- Donald Rumsfeld on the chaos after the "liberation" of Iraq --=-2MsEa9lgpGK6AVG5WU35-- From ingo.kloecker@epost.de Sat May 10 20:00:01 2003 
From: ingo.kloecker@epost.de (Ingo Klöcker) Date: Sat May 10 19:00:01 2003 Subject: mobile GPG installation In-Reply-To: <3EBC3092.6010605@nahrath.de> References: <3EBC3092.6010605@nahrath.de> Message-ID: <200305101857.14329@erwin.ingo-kloecker.de> --Boundary-02=_q9Sv+CZWENe8L55 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Saturday 10 May 2003 00:49, Michael Nahrath wrote: > Is there a way to make a fully running GPG-installation on a USB > stick or some other removable medium? Simply plug in your stick and > use the GPG application and your own keyrings from it directly, > without any local installation or permanent changes required. > > Best of all was a FAT32 formatted medium that contains several > installations for different OSes, but (like it or not ...) Windows > was the most important platform. You should have a look at Knoppix. It boots Linux on almost any PC from CD without writing anything to the hard disks. So it's pretty secure. If you don't trust the packagers of the downloadable Knoppix cdimage then simply make your own one. This is definitely as secure as it gets if you have to use a PC which is not your own one. I would still put my secret keyring on a small medium like a USB stick because then you can even let your friends play around with your Knoppix without risking that your secret keys are stolen and because the data on a USB stick can be changed much more easily. Regards, Ingo --Boundary-02=_q9Sv+CZWENe8L55 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+vS9qGnR+RTDgudgRAhCFAJ9GUK2/x8c29QcQGsYIQ/p22ZWscgCfYKLZ b2YaJ8peOiczjbXWDQQX1bs= =WC8R -----END PGP SIGNATURE----- --Boundary-02=_q9Sv+CZWENe8L55-- From wk@gnupg.org Sat May 10 20:00:25 2003 
From: wk@gnupg.org (Werner Koch) Date: Sat May 10 19:00:25 2003 Subject: ftp.gnupg.org down ? In-Reply-To: <3EBCCACB.5050504@wanadoo.fr> (pplf's message of "Sat, 10 May 2003 11:47:55 +0200") References: <3EBCCACB.5050504@wanadoo.fr> Message-ID: <87n0hug2ce.fsf@alberti.g10code.de> On Sat, 10 May 2003 11:47:55 +0200, pplf said: > For info, from France ftp.gnupg.org is unreachable since 2 days. We experienced several problems with the machine. The mainboard was replaced yesterday so the hardware hopefully won't make any more problems. Due to a tight budget of the GUUG, we have temporarily moved the FTP service to another box which usually doesn't use all traffic included in the server housing fee. However, we run another ftp daemon on that box and this one sometimes crashes: I am looking into these crashes and try to fix the reason to help with development. Anyway, please use a mirror as listed on the webpage. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From thomas.scheffczyk@verwaltung.uni-mainz.de Sat May 10 21:14:02 2003 
From: thomas.scheffczyk@verwaltung.uni-mainz.de (Thomas Scheffczyk) Date: Sat May 10 20:14:02 2003 Subject: gnupg encrypted mail and malware/spam Message-ID: <3EBD41B6.8030602@verwaltung.uni-mainz.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig73898E9E9B2AFA9B1874E57F Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Hello all, I don't know if this topic was discussed before, my searches in the list archive were not successful, but perhaps I used just the wrong keywords. Here is my problem: If gnupg is used to protect mail messages it also disables all server based protection measures against malware and spam. No virus scanner nor spam filter an firewalls or gateways can check the encrypted messages. All protection is to be done on the host where the mail is decrypted. At least for bigger networks this is nearly impossible to do: No system administrator will be happy if most of the defence lines will be unusable and without doubt it needs a lot more manpower to secure all local workstations to a level comparable with a firewall. I guess that this problem is very sensitive, especially in the gnupg community; because standard solutions would be key escrowing or automatically co-encryption with corporate keys. Gnupg is used for various tasks within the network I'm responsible for and I really want to give all users access to gnupg to allow them to protect their privacy and the data that is transferred by mail, but I can't risk the security and integrity of the network itself. Any solutions, hints, positive and even negative experience with this or similar problems is very desired. TIA Thomas PS: I do not fear 'ordinary' viruses or other malware. What I really fear is a sophisticated attacker that sends on a very slow rate backdoors to single users in my network. I can not guarantee that really no user will start the program. 
If it is started, it's easy to create a backchannel over allowed traffic like http. PPS: I hope that I don't awake sleeping dogs, but what would happen, if spammers would start to send encrypted messages? All countermeasures like spamassassin or even statistical token analysis wouldn't stop this kind of spam. --------------enig73898E9E9B2AFA9B1874E57F Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQE+vUG2ICWLj6LjFjIRAu1LAJ0amp0BQSiXJZ57tskWgBFAsfl66QCeIUTp FV7FNU5On7//XG3Acln7qfc= =m7Dr -----END PGP SIGNATURE----- --------------enig73898E9E9B2AFA9B1874E57F-- From steve-gnupg@gbnet.net Sat May 10 22:31:03 2003 From: steve-gnupg@gbnet.net (Steve Kennedy) Date: Sat May 10 21:31:03 2003 Subject: Building 1.2.2 on SunOS 4 In-Reply-To: <20030510044207.GM4414@jabberwocky.com> References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> <20030508164607.GG25034@gbnet.net> <20030510044207.GM4414@jabberwocky.com> Message-ID: <20030510193203.GA27496@gbnet.net> On Sat, May 10, 2003 at 12:42:07AM -0400, David Shaw wrote: > On Thu, May 08, 2003 at 05:46:07PM +0100, Steve Kennedy wrote: > > Trying to build on SunOS 4.1.4 on Sparc, gcc (2.73) > > gmake[2]: Entering directory > > `/vol/home/steve/todo/build/ns/gnupg-1.2.2/tools' > > gcc -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a > > ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a -liconv -lz > > ld: Undefined symbol > > _mpihelp_rshift > > ___udiv_qrnnd > > _mpihelp_add_n > > _mpihelp_lshift > > collect2: ld returned 2 exit status > Hmm. In the main gnupg build directory, what does > "grep underscore config.log" return? ac_cv_sys_symbol_underscore=no Steve -- NetTek Ltd Phone/Fax +44-(0)20 7483 2455 SMS steve-pager (at) gbnet.net [body] gpg 1024D/468952DB 2001-09-19 From linux@codehelp.co.uk Sat May 10 23:20:02 2003 
From: linux@codehelp.co.uk (Neil Williams) Date: Sat May 10 22:20:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <3EBD41B6.8030602@verwaltung.uni-mainz.de> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> Message-ID: <200305102117.25875.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 10 May 2003 7:15 pm, Thomas Scheffczyk wrote: > If gnupg is used to protect mail messages it also disables all server > based protection measures against malware and spam. No virus scanner nor > spam filter an firewalls or gateways can check the encrypted messages. This isn't often a problem - a signed email is not attractive as a vehicle of spam - those who send spam want to be invisible not verifiably identifiable. Encrypting the mail even without signing it is a MAJOR workload for spammers who need to send tens of millions of emails to even get a few responses. Each one would need to be individually encrypted. Even if a spammer used every single key on a keyserver, it really is not appealing. > All protection is to be done on the host where the mail is decrypted. At There are spam filters that can be run within the mail client on manual action - - post decryption. At present, it is fiddly but it's also not exactly a priority. (SpamAssassin is one of the filters that can be run this way. It is only Perl and it would be easy to adapt the code to cope. A script could perform the steps required for SpamAssassin to receive the original plain text.) > least for bigger networks this is nearly impossible to do: No system > administrator will be happy if most of the defence lines will be > unusable and without doubt it needs a lot more manpower to secure all > local workstations to a level comparable with a firewall. I really can't see that this could even be a problem worth the effort. 
> Gnupg is used for various tasks within the network I'm responsible for > and I really want to give all users access to gnupg to allow them to > protect their privacy and the data that is transferred by mail, but I > can't risk the security and integrity of the network itself. ? spam only affects the network itself when a spammer uses your domain to pretend to send from - the bounces overwhelm the victim server. How does it matter if the spam is one form or another? It's the sheer size that matters. Encryption doesn't add that much to the total traffic. > PPS: I hope that I don't awake sleeping dogs, but what would happen, if > spammers would start to send encrypted messages? All countermeasures > like spamassassin or even statistical token analysis wouldn't stop this > kind of spam. As above: Encrypting spam individually to tens of millions of users is not a trivial task! Compared to just using a database of email addresses, I can't see that it is at all appealing for a spammer. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+vV5Uk7DVr6iX/QIRAoG2AJ9MVDCqy4TB7gBJttw4pBxBDiwgdgCaAgaN NH7YZ1tir1NRoRbGODCU8RE= =9/6b -----END PGP SIGNATURE----- From engage@BLOCK.n0sq.net Sat May 10 23:37:02 2003 
From: engage@BLOCK.n0sq.net (engage) Date: Sat May 10 22:37:02 2003 Subject: Political tag lines (was: ftp.gnupg.org down ?) In-Reply-To: <87n0hug2ce.fsf@alberti.g10code.de> References: <3EBCCACB.5050504@wanadoo.fr> <87n0hug2ce.fsf@alberti.g10code.de> Message-ID: <200305101433.35708.engage@n0sq.net> Until people quit making political statements that have nothing to do with GnuPG, I'm unsubscribing. These types of statements are inflammatory, also. I guess I need to find an alternative to GPG also. Besides, Gandhi was an idiot. Do people really believe that people like Saddam Hussein are going to say "Oh my God! They're not fighting back! It's time to relinquish power, quit supporting terrorists, quit killing people, and quit exploiting them!"? Get real dude. If YOU were under the thumb of such a man, you'd be glad if the U.S. came to your rescue. I'm sure glad that I live in the U.S. On Saturday 10 May 2003 11:04 am, Werner Koch wrote: >On Sat, 10 May 2003 11:47:55 +0200, pplf said: >> For info, from France ftp.gnupg.org is unreachable since 2 days. > >We experienced several problems with the machine. The mainboard was >replaced yesterday so the hardware hopefully won't make any more >problems. Due to a tight budget of the GUUG, we have temporarily moved >the FTP service to another box which usually doesn't use all traffic >included in the server housing fee. However, we run another ftp >daemon on that box and this one sometimes crashes: I am looking into >these crashes and try to fix the reason to help with development. > >Anyway, please use a mirror as listed on the webpage. > > >Salam-Shalom, > > Werner From dshaw@jabberwocky.com Sat May 10 23:41:03 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 22:41:03 2003 Subject: Building 1.2.2 on SunOS 4 In-Reply-To: <20030510193203.GA27496@gbnet.net> References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> <20030508164607.GG25034@gbnet.net> <20030510044207.GM4414@jabberwocky.com> <20030510193203.GA27496@gbnet.net> Message-ID: <20030510204128.GQ4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 08:32:03PM +0100, Steve Kennedy wrote: > On Sat, May 10, 2003 at 12:42:07AM -0400, David Shaw wrote: > > > On Thu, May 08, 2003 at 05:46:07PM +0100, Steve Kennedy wrote: > > > Trying to build on SunOS 4.1.4 on Sparc, gcc (2.73) > > > gmake[2]: Entering directory > > > `/vol/home/steve/todo/build/ns/gnupg-1.2.2/tools' > > > gcc -O2 -Wall -o mpicalc mpicalc.o ../cipher/libcipher.a > > > ../mpi/libmpi.a ../util/libutil.a ../intl/libintl.a -liconv -lz > > > ld: Undefined symbol > > > _mpihelp_rshift > > > ___udiv_qrnnd > > > _mpihelp_add_n > > > _mpihelp_lshift > > > collect2: ld returned 2 exit status > > Hmm. In the main gnupg build directory, what does > > "grep underscore config.log" return? > > ac_cv_sys_symbol_underscore=no What happens if you do "./configure ac_cv_sys_symbol_underscore=yes" ? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vWP44mZch0nhy8kRAj8yAKDiDOW5RovAdjWLW7I/2jx+K+68nACdFw+n 1GfMDs5zDBU+ne0BwRz5O3Y= =zBvU -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sat May 10 23:46:03 2003 
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sat May 10 22:46:03 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <1052560434.670.5.camel@muaddib.podl> References: <20030509221428.GA2383@math.umd.edu> <1052560434.670.5.camel@muaddib.podl> Message-ID: <20030510204721.GA728@math.umd.edu> Thank you all for all the links. They are great resources. I will be reading those for a while. Thanks again, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 From dcarrera@math.umd.edu Sun May 11 00:11:01 2003 From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sat May 10 23:11:01 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <20030510032657.GK4414@jabberwocky.com> References: <20030509221428.GA2383@math.umd.edu> <20030510032657.GK4414@jabberwocky.com> Message-ID: <20030510211151.GA782@math.umd.edu> > Probably the best resource to look at is the book Applied > Cryptography. Also read http://www.samsimpson.com/pgpfaq.html for > some OpenPGP-specific discussion. > > David Does the information here also apply equally to GnuPG? The FAQ says that GnuPG is OpenPGP-compliant, so I guess it does. Thanks for the help. -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 From dshaw@jabberwocky.com Sun May 11 00:12:02 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 10 23:12:02 2003 Subject: encrypted spam (was Re: gnupg encrypted mail and malware/spam) In-Reply-To: <3EBD41B6.8030602@verwaltung.uni-mainz.de> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> Message-ID: <20030510211223.GR4414@jabberwocky.com> --uCPdOCrL+PnN2Vxy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, May 10, 2003 at 08:15:18PM +0200, Thomas Scheffczyk wrote: > PPS: I hope that I don't awake sleeping dogs, but what would happen, if > spammers would start to send encrypted messages? All countermeasures > like spamassassin or even statistical token analysis wouldn't stop this > kind of spam. This is not something I'd worry about. In fact, I think encryption would put a serious dent into spam by making it less economical. One of the reasons that spam is such a problem is that it costs the spammer about as much to send to 1,000 people as it does to send to 1,000,000. The cost per message is not zero, but is incredibly low. If you put encryption into the mix, the cost of encrypting to each different user raises the cost per user and hurts the economics of the equation. This is similar to the "hashcash" idea, where a mail contains a proof of work done to generate it. David --uCPdOCrL+PnN2Vxy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vWs24mZch0nhy8kRAmVZAKCISyd3Nk0+gDYdgUzfQQ6ZmH/7TgCgxhN6 uRoIzUWDycmQf7Opy0K4ljQ= =nR7H -----END PGP SIGNATURE----- --uCPdOCrL+PnN2Vxy-- From dcarrera@math.umd.edu Sun May 11 01:11:02 2003 
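The per-recipient cost argument in David Shaw's message above, as an added example that is not part of the original post: a simplified hashcash-style stamp (SHA-1 partial preimage, as in hashcash version 1) bound to one recipient, so the sender pays the minting cost once per address while the receiver verifies with a single hash. The field layout is simplified, and the addresses, date and fixed salt are constructed values; real hashcash uses a random salt and also checks the stamp's date.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient: str, bits: int, date: str = "030510",
         salt: str = "constructedsalt"):
    """Search for a counter so SHA-1(stamp) starts with `bits` zero bits.

    Returns (stamp, attempts). Expected attempts are about 2**bits.
    The salt is fixed here only to keep the example reproducible.
    """
    prefix = f"1:{bits}:{date}:{recipient}::{salt}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        digest = hashlib.sha1(stamp.encode("ascii")).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, min_bits: int, seen=None) -> bool:
    """Cheap receiver-side check: one hash, plus optional replay cache."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    try:
        claimed = int(fields[1])
    except ValueError:
        return False
    # The stamp must promise enough work and name this recipient.
    if claimed < min_bits or fields[3] != recipient:
        return False
    digest = hashlib.sha1(stamp.encode("ascii")).digest()
    if leading_zero_bits(digest) < claimed:
        return False
    # A stamp is spent once; a second delivery with it is rejected.
    if seen is not None:
        if stamp in seen:
            return False
        seen.add(stamp)
    return True


def total_work(recipients, bits: int) -> int:
    """Hash attempts needed to stamp one message per recipient."""
    return sum(mint(r, bits)[1] for r in recipients)


if __name__ == "__main__":
    # Constructed recipients; 12 bits keeps the demo fast.
    recipients = [f"user{i}@example.org" for i in range(5)]
    stamp, attempts = mint(recipients[0], 12)
    print(stamp, "minted after", attempts, "hashes")
    print("valid for its recipient:", verify(stamp, recipients[0], 12))
    print("valid for another address:", verify(stamp, recipients[1], 12))
    print("hashes for", len(recipients), "recipients:",
          total_work(recipients, 12))
```
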
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 00:11:02 2003 Subject: [Q] Generating a key pair. Message-ID: <20030510221144.GB782@math.umd.edu> Greetings all, I want to create my key-pair. I've done this before, but I have a couple of questions: 1) What key size should I pick for the asymmetric key? The OpenPGP FAQ (http://www.samsimpson.com/pgpfaq.html#SubKeySize) says that 2048 bits is best, but the GnuPG default is 1024. Why is that? 2) The GnuPG FAQ says that I can improve the random number generation by using the --enable-static-rnd=... option, but GnuPG doesn't seem to recognize that option. I'm on a Solaris system which does have a /dev/random device. Thanks for the help, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 From wbo@mandrakesoft.com Sun May 11 01:13:02 2003 
From: wbo@mandrakesoft.com (Wolfgang Bornath) Date: Sun May 11 00:13:02 2003 Subject: Political tag lines (was: ftp.gnupg.org down ?) In-Reply-To: <200305101433.35708.engage@n0sq.net> References: <3EBCCACB.5050504@wanadoo.fr> <87n0hug2ce.fsf@alberti.g10code.de> <200305101433.35708.engage@n0sq.net> Message-ID: <200305110014.43900.wbo@mandrakesoft.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ** engage (Saturday, 10 May 2003 22:37) > Until people quit making political statements that have nothing to do > with GnuPG, I'm unsubscribing. These types of statements are > inflammatory, also. I guess I need to find an alternative to GPG > also. It took me a while to find out WTF you're talking about. Then I realized you meant the Gandhi quotation. Please be so kind and do as you state above. Thank you very much. wobo - -- Public GnuPG key available at keyserver www.mandrakesecure.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+vXnOXpTF6eCkAF0RAicOAJ9aO1suvVzehzqcpfOdACyZbBudAQCePZg+ KLzhS3iYGmt5ZNOtvhPOt3M= =aKz2 -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sun May 11 01:30:02 2003 
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 00:30:02 2003 Subject: [Q] Generating a key pair. In-Reply-To: <20030510222506.GA13374@bminton.dyn.cheapnet.net> References: <20030510221144.GB782@math.umd.edu> <20030510222506.GA13374@bminton.dyn.cheapnet.net> Message-ID: <20030510223113.GC782@math.umd.edu> > On Sat, May 10, 2003 at 06:11:45PM -0400, Daniel Carrera wrote: > > 2) The GnuPG FAQ says that I can improve the random number > > generation by using the --enable-static-rnd=... option, but > > GnuPG doesn't seem to recognize that option. > > > > I'm on a Solaris system which does have a /dev/random device. > > that option is a compile-time option to the configure script used > to build gpg. If you got a pre-compiled binary for your OS, it > probably makes use of /dev/random. gpg --version will tell you > more information, but I don't know if there is a way to get it to > tell you where it is getting its entropy. I compiled it myself. I still have the sources. Is there a way I can figure out if this option was used? I guess I'll need to recompile. If that is the case, how should I use that option in my case? I'm on a Solaris system but it has a /dev/random like Linux. Does that mean I should use --enable-static-rnd=linux ? Thanks, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 From eugene@esmiley.net Sun May 11 01:51:02 2003 
From: eugene@esmiley.net (Eugene Smiley) Date: Sun May 11 00:51:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <200305102117.25875.linux@codehelp.co.uk> Message-ID: Neil wrote: > On Saturday 10 May 2003 7:15 pm, Thomas Scheffczyk wrote: >> If gnupg is used to protect mail messages it also disables all >> server based protection measures against malware and spam. No >> virus scanner nor spam filter an firewalls or gateways can check >> the encrypted messages. > > This isn't often a problem - a signed email is not attractive as > a vehicle of spam - those who send spam want to be invisible not > verifiably identifiable. > > Encrypting the mail even without signing it is a MAJOR workload > for spammers who need to send tens of millions of emails to even > get a few responses. Each one would need to be individually > encrypted. Even if a spammer used every single key on a > keyserver, it really is not appealing. I think you are missing the point with regard to the issue of server based virus scanning. It isn't that hard to imagine a virus generating an email via Outlook which is then passed to GPGRelay; the user isn't paying attention, types the passphrase, and it gets emailed; the user on the other end decrypts it and opens the attachment... BLAMO! From bminton@efn.org Sun May 11 02:07:01 2003 
From: bminton@efn.org (Brian Minton) Date: Sun May 11 01:07:01 2003 Subject: [Q] Generating a key pair. In-Reply-To: <20030510223113.GC782@math.umd.edu> References: <20030510221144.GB782@math.umd.edu> <20030510222506.GA13374@bminton.dyn.cheapnet.net> <20030510223113.GC782@math.umd.edu> Message-ID: <20030510230725.GA13620@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 06:31:14PM -0400, Daniel Carrera wrote: > I compiled it myself. I still have the sources. Is there a way I can > figure out if this option was used? I think you can find it if you look in the file configure.status, but it is kind of hard to read. > > I guess I'll need to recompile. If that is the case, how should I use > that option in my case? I'm on a Solaris system but it has a /dev/random > like Linux. Does that mean I should use --enable-static-rnd=linux ? I think so, but am not completely sure - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+vYYtcieIIFcDdHIRAn2AAJ40i6pO/Yx9OV3QkpsBczIS3ru+pACg30X+ laC5PZY/p5wKlOcO9xCohII= =d0Ce -----END PGP SIGNATURE----- From agreene@pobox.com Sun May 11 02:53:02 2003 
From: agreene@pobox.com (Anthony E. Greene) Date: Sun May 11 01:53:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <"from thomas.scheffczyk"@verwaltung.uni-mainz.de> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> Message-ID: <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10-May-2003/20:15 +0200, Thomas Scheffczyk wrote: >If gnupg is used to protect mail messages it also disables all server >based protection measures against malware and spam. No virus scanner nor >spam filter an firewalls or gateways can check the encrypted messages. [snip] Your needs are not well addressed by GnuPG. You should consider buying some of the tools offered by PGP Corp. http://www.pgp.com/ Tony - -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Messenger: TonyG05 HomePage: Linux. The choice of a GNU generation -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Anthony E. Greene 0x6C94239D iD8DBQE+vZD+pCpg3WyUI50RAvejAKDqsy57eqUFnP9F69MfvmFKS9r8rgCgjEwO 80S5iTSSQePEgf/4FBjnsCg= =9gPp -----END PGP SIGNATURE----- From chris@yonderway.com Sun May 11 04:05:02 2003 
From: chris@yonderway.com (Chris Hedemark) Date: Sun May 11 03:05:02 2003 Subject: Political tag lines (was: ftp.gnupg.org down ?) In-Reply-To: <200305101433.35708.engage@n0sq.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday, May 10, 2003, at 04:37 PM, engage wrote: > Until people quit making political statements that have nothing to do > with > GnuPG, I'm unsubscribing. These types of statements are inflammatory, > also. I > guess I need to find an alternative to GPG also. Don't let the door hit your bum on the way out. - -- (See mail headers for more info) "What difference does it make to the dead, the orphans and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty or democracy?" - Mahatma Gandhi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj69ogMACgkQYPuF4Zq9lvYQFQCgiEc5f1dsuE9639wNroGAL3Dr KzIAni8wwTJmS8Z8b0Ks9+XpSSO659zf =Ay7N -----END PGP SIGNATURE----- From JPClizbe@attbi.com Sun May 11 04:54:01 2003 
From: JPClizbe@attbi.com (John Clizbe) Date: Sun May 11 03:54:01 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: References: Message-ID: <3EBDAD5D.6050308@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eugene Smiley wrote: > > I think you are missing the point with regard to the issue of > server based virus scanning. It isn't that hard to imagine a > virus generating an email via Outlook which is then passed to - --------------------------------^^^^^^^ > GPGRelay; the user isn't paying attention, types the passphrase, > and it gets emailed; the user on the other end decrypts it and > opens the attachment... BLAMO! Ding! There's the REAL culprit - There seem to be as many LookOut! exploits out on the 'Net as there are attacks against InternetExploder. Perhaps a less-easily hijacked MUA is needed. What you describe here is more E-mail worm than SPAM. - -- John P. Clizbe Inet: JPClizbe@EarthLink.net Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "There is safety in Numbers... *VERY LARGE PRIME* Numbers 9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+va1bHQSsSmCNKhARAqzaAKDgMv56IqkJGjjQSVGKzogavvfyFwCfa2Oz 358LuEyVVYm3v04zI8QaaXY= =GB8D -----END PGP SIGNATURE----- From DenisMcCauley@ifrance.com Sun May 11 05:10:02 2003 
From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Sun May 11 04:10:02 2003 Subject: [Q] Generating a key pair. In-Reply-To: <20030510221144.GB782@math.umd.edu> References: <20030510221144.GB782@math.umd.edu> Message-ID: <20030510160855.2E99.DENISMCCAULEY@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 10 May 2003 18:11:45 -0400 Daniel Carrera wrote: > 1) What key size should I pick for the asymmetric key? > The OpenPGP FAQ (http://www.samsimpson.com/pgpfaq.html#SubKeySize) > says that 2048 bits is best, but the GnuPG default is 1024. Why is that? > That's a good question. Very few GPG users seem to trust 1024-bit encryption keys these days. I ran through 100+ keys of list members which I've imported and only 13% have encryption keys of this size. The vast majority are 2048 bits. Cheers - -- ===================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ===================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7) iD8DBQE+vbCGJpZGKkmAxPcRAvKFAKCvRkFGSxaXhTbmb48euk3otqdi7gCgrxxU B96o2cQmFbF3bYQkt0sC3s8= =vKxZ -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sun May 11 05:20:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 04:20:02 2003 Subject: [Q] Uploading my public key to a key server. Message-ID: <20030511022128.GA1177@math.umd.edu> Hello, Alright, I have a brand-new 2048-bit ElGamal key and I want to upload it to a keyserver. How do I do that? In which other ways do people usually advertise their public key? I plan on starting to sign my emails, but that doesn't advertise my public key, does it? Thanks for the help, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 From dcarrera@math.umd.edu Sun May 11 05:39:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 04:39:03 2003 Subject: Getting started with signatures. Message-ID: <20030511024040.GC1216@math.umd.edu> Hello all, I'm trying to get started with email signatures. I already got my email client (Mutt) to sign my outgoing messages. I guess that the next thing I need to do is: - Upload my public key to keyservers so my signatures can be verified. - Get other people's public keys so I can verify their signatures. Could someone tell me how I can do these? If anyone is using Mutt, perhaps I could get some Mutt-specific help: It looks like Mutt is not even trying to verify any of the signed messages other than my own. Does anyone know how to fix this? Thanks for the help, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+vbgnngS5oA/rzsMRAp5pAKCTh3FHnmTjLy5YArUonOWvCtzWyQCfRIt6 i+HdQ2wQbkcgzauyYoc0hHY= =ppy4 -----END PGP SIGNATURE----- From rlaager@wiktel.com Sun May 11 05:45:03 2003
From: rlaager@wiktel.com (Richard Laager) Date: Sun May 11 04:45:03 2003 Subject: Photo ID Display Behavior Message-ID: <000001c31767$8b426340$da7620d1@umcrookston.edu> Using version 1.2.1 of GPG, I discovered the following behavior: If a key has multiple photo IDs, all will be displayed when doing a "showphoto". This seems appropriate. However, the photo IDs are displayed even if the self-signature on the photo ID is revoked. I didn't test it, but all the evidence seems to suggest that the photo ID would be displayed if the self-signature was absent or expired. I believe this is the current intended behavior. PGP (only tested with 6.5.8ckt) displays all photo IDs in a scrolling list, even those that are revoked, etc. I'd like to suggest that the behavior be modified. Just as revoked user IDs are hidden when doing a gpg --list-key, I suggest that only photo IDs with a valid* self-signature be displayed. The advantage to doing so would be that a user could replace his/her photo ID every so often, just as a photo on a passport** is replaced every 10 years or so. By either revoking or letting the self-signatures on old photos expire, the user could have a current photo displayed with his/her key. The old photos would simply be hidden, without having to be deleted. * By valid, I mean an unrevoked, cryptographically valid signature with a creation time in the past, and an expiration date in the future. ** I realize the major flaw in this analogy. Passports are reissued with new photos. :-) Richard Laager From dshaw@jabberwocky.com Sun May 11 05:50:02 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 11 04:50:02 2003 Subject: [Q] Generating a key pair. In-Reply-To: <20030510223113.GC782@math.umd.edu> References: <20030510221144.GB782@math.umd.edu> <20030510222506.GA13374@bminton.dyn.cheapnet.net> <20030510223113.GC782@math.umd.edu> Message-ID: <20030511025051.GS4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 06:31:14PM -0400, Daniel Carrera wrote: > > On Sat, May 10, 2003 at 06:11:45PM -0400, Daniel Carrera wrote: > > > 2) The GnuPG FAQ says that I can improve the random number > > > generation by using the --enable-static-rnd=... option, but > > > GnuPG doesn't seem to recognize that option. > > > > > > I'm on a Solaris system which does have a /dev/random device. > > > > that option is a compile-time option to the configure script used > > to build gpg. If you got a pre-compiled binary for your OS, it > > probably makes use of /dev/random. gpg --version will tell you > > more information, but I don't know if there is a way to get it to > > tell you where it is getting its entropy. > > I compiled it myself. I still have the sources. Is there a way I can > figure out if this option was used? grep ac_cv_have_dev_random config.log > I guess I'll need to recompile. If that is the case, how should I use > that option in my case? I'm on a Solaris system but it has a /dev/random > like Linux. Does that mean I should use --enable-static-rnd=linux ? You shouldn't need to. If you have a /dev/random device, configure should automatically do the right thing. (And if it doesn't, then it should be fixed). David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vbqL4mZch0nhy8kRAu9IAJ9Nmk3GBwA5s6EJ6yVQRmNN9ddSGACfaOS5 N3XpciskbpahbegHzDUYOLo= =64ov -----END PGP SIGNATURE----- From bminton@efn.org Sun May 11 05:54:03 2003
From: bminton@efn.org (Brian Minton) Date: Sun May 11 04:54:03 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511022128.GA1177@math.umd.edu> References: <20030511022128.GA1177@math.umd.edu> Message-ID: <20030511025141.GA19943@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 10:21:28PM -0400, Daniel Carrera wrote: > Hello, > > Alright, I have a brand-new 2048-bit ElGamal key and I want to > upload it to a keyserver. How do I do that? gpg --keyserver some.key.server --send some-keyid for instance, I did this: gpg --keyserver the.earth.li --send 57037472 In theory, the keyservers sync with each other, but I have had some better luck sending my key manually to several keyservers. See http://keyserver.kjsl.com/~jharris/keyserver.html for more info. > In which other ways do people usually advertise their public > key? I plan on starting to sign my emails, but that doesn't > advertise my public key, does it? Indirectly it does. When you sign a message, the keyid of the signing key is included in the signature. As for advertising it, many people put it in their email sig, on their website, or in their .plan (don't worry if you don't know what a .plan is :-]) - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB mZpb4qvkGSeFUnMwSo9Osdo= =tLPX -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 11 05:59:03 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 11 04:59:03 2003 Subject: [Q] Generating a key pair. In-Reply-To: <20030510221144.GB782@math.umd.edu> References: <20030510221144.GB782@math.umd.edu> Message-ID: <20030511030000.GT4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 06:11:45PM -0400, Daniel Carrera wrote: > Greetings all, > > I want to create my key-pair. I've done this before, but I have a couple > of questions: > > 1) What key size should I pick for the asymmetric key? > The OpenPGP FAQ (http://www.samsimpson.com/pgpfaq.html#SubKeySize) > says that 2048 bits is best, but the GnuPG default is 1024. Why is that? "Best" is subjective. You need to weigh speed (the bigger the key, the slower the encryption), type of key (primary keys should be larger in some key use schemes), the algorithm (RSA signing keys make large signatures, and they get larger with the key size, DSA signing keys are capped at 1024), and intended use. This sounds far more complicated than it is, and a lot of these factors are of the "killing a fly with a sledgehammer" sort. The question becomes just how flat do you want to make the fly, because it's dead either way. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vbyw4mZch0nhy8kRAp3HAKCOBU9OpEpmgUUKUWMrqA1zGF36sgCgqEqm fAIvtBCrNELEgjwgoANnrr0= =kpFV -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 11 06:02:01 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 11 05:02:01 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511022128.GA1177@math.umd.edu> References: <20030511022128.GA1177@math.umd.edu> Message-ID: <20030511030236.GU4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 10:21:28PM -0400, Daniel Carrera wrote: > Hello, > > Alright, I have a brand-new 2048-bit ElGamal key and I want to upload it > to a keyserver. How do I do that? > > In which other ways do people usually advertise their public key? > I plan on starting to sign my emails, but that doesn't advertise my public > key, does it? It advertises the keyid of your signing key, which someone could then use to retrieve the key from a keyserver. Of course, it has to get to the keyserver first. Use "gpg --keyserver wwwkeys.pgp.net --send-key (thekeyid)" HOWEVER: DON'T DO THIS UNTIL YOU HAVE MADE A BACKUP AND A REVOCATION CERTIFICATE! The keyservers are filled with keys that are "lost" in one way or another - keys that cannot be deleted, and cannot be revoked because the key owner lost the secret key for whatever reason. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vb1M4mZch0nhy8kRAhjPAKCtebRZM/m7F1EEk/6R132RRFjJDACg3YkB hOzibumJHZ9vbjHgwaOU1YE= =OnF0 -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sun May 11 06:03:02 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 11 05:03:02 2003 Subject: [Q] Comparison of Encryption Algorithms In-Reply-To: <20030510211151.GA782@math.umd.edu> References: <20030509221428.GA2383@math.umd.edu> <20030510032657.GK4414@jabberwocky.com> <20030510211151.GA782@math.umd.edu> Message-ID: <20030511030353.GV4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 05:11:51PM -0400, Daniel Carrera wrote: > > Probably the best resource to look at is the book Applied > > Cryptography. Also read http://www.samsimpson.com/pgpfaq.html for > > some OpenPGP-specific discussion. > > > > David > > Does the information here also apply equally to GnuPG? > > The FAQ says that GnuPG is OpenPGP-compliant, so I guess it does. Yes it does. Generally speaking, anything you see on the net about PGP applies to GnuPG as well. There are exceptions, of course, but Sam Simpson's FAQ is about both. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+vb2Z4mZch0nhy8kRAukuAJ9ZZ1C9z0CYCmHugvELPYKZmCUTGwCgiU6w Xizr13nMtcU9HHMrmOZT5WY= =G/tu -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sun May 11 06:06:01 2003 
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 05:06:01 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511025141.GA19943@bminton.dyn.cheapnet.net> References: <20030511022128.GA1177@math.umd.edu> <20030511025141.GA19943@bminton.dyn.cheapnet.net> Message-ID: <20030511030739.GD1216@math.umd.edu> > > Alright, I have a brand-new 2048-bit ElGamal key and I want to > > upload it to a keyserver. How do I do that? > > gpg --keyserver some.key.server --send some-keyid > > for instance, I did this: gpg --keyserver the.earth.li --send > 57037472 Who assigns the keyid? Is that derived from my public key? If so, how do I find out what my keyid is? For that matter, how do I find out what my public key is so I can post it somewhere? > Indirectly it does. When you sign a message, the keyid of the > signing key is included in the signature. Could you show me where? Here is your signature. I can't discern where the keyid is (yes, I know you also had your keyid elsewhere in your email, but not everyone does that). > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.2 (GNU/Linux) > > iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB > mZpb4qvkGSeFUnMwSo9Osdo= > =tLPX > -----END PGP SIGNATURE----- Thanks again, -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+vb56ngS5oA/rzsMRAlJwAKC0CB6O5St7jJVDJPMpvkVRsQCGVwCgvxNI NCxoRr0AK6hdht2LdVBcolM= =5bSb -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sun May 11 06:25:02 2003
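The question in the message above (where in a signature block the keyid lives) can be answered by decoding the block. The following Python is an added example, not code from any list member or from GnuPG: it parses the first packet of an armored signature following the OpenPGP packet layout (RFC 2440) and is run here on two blocks from this page, Brian Minton's version 3 signature and Chris Hedemark's version 4 signature. The function and variable names are chosen for this example.

```python
import base64
import struct

# Armor bodies copied from two messages on this page (CRC-24 line omitted):
# Brian Minton's signature, which Daniel quotes, and Chris Hedemark's.
BRIAN_SIG = """
iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB
mZpb4qvkGSeFUnMwSo9Osdo=
"""
CHRIS_SIG = """
iEYEARECAAYFAj69ogMACgkQYPuF4Zq9lvYQFQCgiEc5f1dsuE9639wNroGAL3Dr
KzIAni8wwTJmS8Z8b0Ks9+XpSSO659zf
"""
PUBKEY_ALGOS = {1: "RSA", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160"}


def first_packet(raw):
    """Return (tag, body) of the first OpenPGP packet in raw."""
    if not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if raw[0] & 0x40:                        # new-format header
        tag, first = raw[0] & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                    # old-format header
        tag, ltype = (raw[0] >> 2) & 0x0F, raw[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not handled")
        nbytes = 1 << ltype                  # 1, 2 or 4 length octets
        length, off = int.from_bytes(raw[1:1 + nbytes], "big"), 1 + nbytes
    body = raw[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def subpackets(area):
    """Yield (type, data) for each v4 signature subpacket in area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length


def parse_signature(armor_body):
    """Decode an armored signature; return the fields used for key lookup."""
    raw = base64.b64decode("".join(armor_body.split()), validate=True)
    try:
        tag, body = first_packet(raw)
        if tag != 2:
            raise ValueError("not a signature packet")
        version = body[0]
        if version == 3:
            # v3: only sig type + creation time (5 octets) are hashed; the
            # 8-octet key ID follows them and is a lookup hint, nothing more.
            if body[1] != 5:
                raise ValueError("bad v3 hashed-material length")
            sig_type = body[2]
            created = struct.unpack(">I", body[3:7])[0]
            key_id, pk, md = body[7:15], body[15], body[16]
        elif version == 4:
            sig_type, pk, md = body[1], body[2], body[3]
            hlen = struct.unpack(">H", body[4:6])[0]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            areas = (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen])
            created = key_id = None
            for area in areas:               # hashed first, then unhashed
                for stype, data in subpackets(area):
                    if stype == 2 and created is None:
                        created = struct.unpack(">I", data)[0]
                    elif stype == 16 and key_id is None:
                        key_id = data        # issuer key ID subpacket
            if key_id is None:
                raise ValueError("no issuer subpacket")
        else:
            raise ValueError("unsupported signature version %d" % version)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed signature packet") from exc
    long_id = key_id.hex().upper()
    return {"version": version, "sig_type": sig_type, "created": created,
            "key_id": long_id, "short_id": long_id[-8:],
            "pubkey_algo": PUBKEY_ALGOS.get(pk, str(pk)),
            "hash_algo": HASH_ALGOS.get(md, str(md))}


if __name__ == "__main__":
    for name, sig in (("Brian", BRIAN_SIG), ("Chris", CHRIS_SIG)):
        print(name, parse_signature(sig))
```

For Brian's block the short ID comes out as the KeyID 0x57037472 given in his message footer. In both signature versions the key ID here sits outside the hashed data, so it only tells a verifier which key to fetch.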
From: dcarrera@math.umd.edu (Daniel Carrera) Date: Sun May 11 05:25:02 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511030236.GU4414@jabberwocky.com> References: <20030511022128.GA1177@math.umd.edu> <20030511030236.GU4414@jabberwocky.com> Message-ID: <20030511032641.GE1216@math.umd.edu> > > I plan on starting to sign my emails, but that doesn't advertise my public > > key, does it? > > It advertises the keyid of your signing key, which someone could then > use to retrieve the key from a keyserver. Of course, it has to get to > the keyserver first. > > Use "gpg --keyserver wwwkeys.pgp.net --send-key (thekeyid)" > > HOWEVER: DON'T DO THIS UNTIL YOU HAVE MADE A BACKUP AND A REVOCATION > CERTIFICATE! Oh, thanks for the warning. 1) I have a revocation certificate. I printed a paper copy and put it in my wallet. I also encrypted and signed the file and put it in ~/.gnupg. Are these the usual ways to safeguard the revocation certificate? 2) What do I need to backup? My private key? I don't have a CD burner, so I don't really know how I can make a secure backup. -- Daniel Carrera Graduate Teaching Assistant. Math Dept. University of Maryland. (301) 405-5137 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+vcLwngS5oA/rzsMRAt9xAJ42G+Tbva8T5Twz4FXhLno5ho7tCwCgydbs 23D3vc+gsI3RUiw858Xr9nQ= =C5K1 -----END PGP SIGNATURE----- From graham.todd@ntlworld.com Sun May 11 07:15:02 2003
From: graham.todd@ntlworld.com (Graham) Date: Sun May 11 06:15:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: References: Message-ID: <3EBDCFBD.5080105@ntlworld.com> Eugene Smiley wrote: [snipped] >> I think you are missing the point with regard to the issue of >> server based virus scanning. It isn't that hard to imagine a >> virus generating an email via Outlook which is then passed to >> GPGRelay; the user isn't paying attention, types the passphrase, >> and it get's emailed; the user on the other end decrypts it and >> opens the attachment... BLAMO! And I think you are missing the point. A virus is (by definition) a piece of code that executes automatically once it is on your system. However, Windows is an OS that is designed to automatically execute code: it's one of its inherent properties and one of its main security weaknesses. It is the reason why a number of mailing lists do not allow attachments and why many users delete attachments when they come from an unknown source. Encrypted code cannot be executed automatically, and provided you take certain security measures (always run an attachment through a virus filter, for instance, or a trojan filter, before opening it) you should be safe. Or you can opt to use an OS which doesn't execute code automatically, such as Linux. Many Linux based email servers do, in fact, scan for Windows viruses, but it's up to the individual user to protect his own system. The original poster was asking whether spammers could use encryption to get round spam checking. As was pointed out, the additional resources in time and effort would not make it worth it, and for the message to get through to the recipient they would have to harvest vast numbers of keys, which though technically feasible is impractical. However using an MUA based Bayesian spam filtering system (such as that in Mozilla Mail from version 1.3) you can easily filter for spam once decryption has taken place and before the message is opened.
It all boils down to whether GPG should protect users who can't be bothered to protect themselves :) -- Graham GPG Keys at encryption.keys@ntlworld.com From eugene@esmiley.net Sun May 11 07:15:28 2003 
From: eugene@esmiley.net (Eugene Smiley) Date: Sun May 11 06:15:28 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <3EBDAD5D.6050308@attbi.com> Message-ID: John wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Eugene Smiley wrote: >> I think you are missing the point with regard to the issue of >> server based virus scanning. It isn't that hard to imagine a >> virus generating an email via Outlook which is then passed to >> GPGRelay; the user isn't paying attention, types the passphrase, >> and it get's emailed; the user on the other end decrypts it and >> opens the attachment... BLAMO! > > Ding! There's the REAL culprit - There seems to be as many > LookOut! exploits out on the 'Net as there are attacks against > InternetExploder. When you have companies -- such as my former employer -- that become Microsoft Software Partners and dictate that Outlook must be used, there is little that can be done. People can argue until they are blue about Outlook being broken and attack prone, but until MS fixes it, we all must deal with the consequences. > Perhaps a less-easily hijacked MUA is needed. What you describe > here is more E-mail worm than SPAM. Exactly, but I wasn't talking about Spam. Here's what I was responding to: Thomas Scheffczyk wrote: > If GnuPG is used to protect mail messages it also disables all > server based protection measures against malware and Spam. No > virus scanner nor Spam filter on firewalls or gateways can check > the encrypted messages. Spam had already been addressed, but "malware" wasn't. Virii, Trojans, and Worms can all be encrypted within a message, and won't be detected by a virus scanner on the mail gateway. That's why I created the above possible scenario. Eugene From eugene@esmiley.net Sun May 11 07:32:11 2003
From: eugene@esmiley.net (Eugene Smiley) Date: Sun May 11 06:32:11 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511032641.GE1216@math.umd.edu> Message-ID: Daniel wrote: >> HOWEVER: DON'T DO THIS UNTIL YOU HAVE MADE A BACKUP AND A >> REVOCATION CERTIFICATE! > > 1) I have a revocation certificate. I printed a paper copy and > put it in my wallet. I also encrypted and signed the file and > put it in ~/.gnupg. Are these the usual ways to safeguard the > revocation certificate? Having encrypted the revocation certificate will do you little good if you forget your passphrase, which is not uncommon. > 2) What do I need to backup? My private key? > I don't have a CD burner, so I don't really know how I can make a > secure backup. The easiest thing would be to use a floppy disk. Copy your keypair and the revocation certificate on to it and stash it away. Don't forget, however, that if you change the passphrase on your keypair that you should update your backup, lest you forget the passphrase that was in effect when you made the copy. ;) Eugene From Robin Lynn Frank Sun May 11 08:39:03 2003
From: Robin Lynn Frank (Robin Lynn Frank) Date: Sun May 11 07:39:03 2003 Subject: Political tag lines (was: ftp.gnupg.org down ?) In-Reply-To: <200305101433.35708.engage@n0sq.net> References: <3EBCCACB.5050504@wanadoo.fr> <87n0hug2ce.fsf@alberti.g10code.de> <200305101433.35708.engage@n0sq.net> Message-ID: <200305102242.10076.rlfrank@paradigm-omega.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 10 May 2003 13:37, engage wrote: > Until people quit making political statements that have nothing to do with > GnuPG, I'm unsubscribing. These types of statements are inflammatory, also. > I guess I need to find an alternative to GPG also. > > Besides, Ghandi was an idiot. Do people really believe that people like > Sadaam Hussein are going to say "Oh my God! They're not fighting back! It's > time to relinquish power, quit supporting terrorists, quit killing people, > and quit exploiting them!"? > > Get real dude. If YOU were under the thumb of such a man, you'd be glad if > the U.S. came to your rescue. I'm sure glad that I live in the U.S. > I'm confused. To protest political statements which have nothing to do with GnuPG, you make a political statement that has nothing to do with GnuPG. Hmmm. - -- Sed quis custodiet ipsos custodes? ========================================================================== Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC Copyright and PGP/GPG info in mail or message headers.
Email acceptance policy at http://paradigm-omega.com/email_policy.html ========================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+veKnVWi6vGR+wzYRAgplAKDFc9euDV4V0PpRmv1wxjg4lR5U2QCg2oet KUQnFXClTDfu6w4UGh8j758= =cMa+ -----END PGP SIGNATURE----- From burns@runbox.com Sun May 11 08:49:02 2003
From: burns@runbox.com (Burns) Date: Sun May 11 07:49:02 2003 Subject: mobile GPG installation In-Reply-To: <200305101857.14329@erwin.ingo-kloecker.de> Message-ID: <20030511055043.7867.qmail@web10501.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > On Saturday 10 May 2003 00:49, Michael Nahrath wrote: > > Is there a way to make a fully running GPG-installation on a USB > > stick or some other removable medium? Simply plug in your stick and > > use the GPG application and your own keyrings from it directly, > > without any local installation or permanent changes required. > > > > Best of all was a FAT32 formatted medium that contains several > > installations for different OSes, but (like it or not ...) Windows > > was the most important platform. > > You should have a look at Knoppix. It boots Linux on almost > any PC from CD without writing anything to the hard disks. So > it's pretty secure. If you don't trust the packagers of the > downloadable Knoppix cdimage then simply make your own one. > This is definitely as secure as it gets if you have to use a > PC which is not your own one. I would still put my secret > keyring on a small medium like a USB stick because then you > can even let your friends play around with your Knoppix > without risking that your secret keys are stolen and because > the data on a USB stick can be changed much more easily. 
> > Regards, > Ingo If you can install GnuPG on a Windows machine, but you just don't want to LEAVE your private keys there, this is one way to do it: Change homedir (in the registry) to "A:\gpgsec" (trust file and random seed file will be here from now on, along with your own keypairs) Leave the executables in "C\GnuPG" (for example) GnuPG lets you use multiple keyrings, like, this in your gpg.conf file: no-default-keyring keyring C:\gpgpub\pubring.gpg secret-keyring C:\gpgpub\secring.gpg keyring A:\gpgsec\pubring.gpg secret-keyring A:\gpgsec\secring.gpg In this case, C:\gpgpub\pubring.gpg holds your common public keys (that take up a lot of room) and C:\gpgpub\secring.gpg is just an empty file. Your keypairs (public and private) would be on the 3-1/2" floppy in A: that you take with you. When you run gpg, the floppy has to be there, and you might have to update the trust file (if others have access to gpg too) but I think this works. Somebody, let me know if I'm giving bad advice here. Randy -----BEGIN PGP SIGNATURE----- iD8DBQE+veRdhNLaTSzsrh8RAhlaAKDH51GdLeCvQmVux8bOZanoFpcXGQCgmYIV lD2f2SRE0MxF9cDI/L2K1X4= =Bs0D -----END PGP SIGNATURE----- From jbruni@mac.com Sun May 11 09:49:02 2003 
From: jbruni@mac.com (Joseph Bruni) Date: Sun May 11 08:49:02 2003 Subject: Political tag lines (was: ftp.gnupg.org down ?) In-Reply-To: <200305102242.10076.rlfrank@paradigm-omega.com> Message-ID: On Saturday, May 10, 2003, at 10:41 PM, Robin Lynn Frank wrote: >> Get real dude. If YOU were under the thumb of such a man, you'd be >> glad if >> the U.S. came to your rescue. I'm sure glad that I live in the U.S. >> > I'm confused. To protest political statements which have nothing to > do with > GnuPG, you make a political statement that has nothing to do with > GnuPG. > Hmmm. > > That's it! I've had it up to here with logic. If it weren't for Snoopy and Woodstock, there would be no reason for us to use encryption at all!. So there! I'm outahere... forever! Or, at least until I get bored again. Or something. From Todd Sun May 11 11:03:02 2003 
From: Todd (Todd) Date: Sun May 11 10:03:02 2003 Subject: Getting started with signatures. In-Reply-To: <20030511024040.GC1216@math.umd.edu> References: <20030511024040.GC1216@math.umd.edu> Message-ID: <20030511080424.GX32053@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Daniel Carrera wrote: > Hello all, Hi. > I'm trying to get started with email signatures. I already got my email > client (Mutt) to sign my outgoing messages. Hooray for mutt! :) > - Upload my public key to keyservers so my signatures can be verified. gpg --send-keys That also assumes you have set a keyserver in your gpg.conf file. If not, you'll need to add a --keyserver option on the command line. > - Get other people's public keys so I can verify their signatures. You can grab particular keys from the keyserver using gpg --recv-keys Or you could use the auto-key retrieval option to have gpg try and get any keys you don't already have when it is verifying a signature. The pros and cons of this were discussed here in the past day or so. > If anyone is using Mutt, perhaps I could get some Mutt-specific help: It > looks like Mutt is not even trying to verify any of the signed messages > other than my own. That may well be an issue of the pgp signature format. Mutt uses PGP/MIME by default and that's all well and good. However, most MUA's simply can't (or won't) send and receive mail in this format. They just put an OpenPGP block in the message body. You can make mutt check these signatures in several ways. The recommended way in 1.4 and above is to use the check-traditional-pgp function, which is bound to ESC P by default. The other way is to use procmail to munge the message headers. See the PGP-Notes.txt file that comes with mutt for details on how to do that. I prefer to leave the messages intact and I take advantage of a nice mutt patch that forces mutt to check for traditional (inline) pgp signatures[1]. That way I don't have to hit ESC P all the time. 
I also use traditional (inline) signatures for most of my list mail since that is the more widely supported format. This can also be made easier with a patch[2]. Check the mutt-users list archives for more discussion on this (it comes up pretty regularly). [1] http://www.pizzashack.org/mutt/ [2] http://www.woolridge.org/mutt/pgp-menu-traditional.html - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ We can have justice whenever those who have not been injured by injustice are as outraged by it as those who have been. -- Solon (594 B.C.) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+vgQIuv+09NZUB1oRAs8vAKCgoohqZ7iQ20tkACVMhSN6Y1mVVQCfQuaq pOA0zRWlNhqEof4Rant9+ZY= =LoKW -----END PGP SIGNATURE----- From pt@radvis.nu Sun May 11 11:16:02 2003 
From: pt@radvis.nu (Per Tunedal) Date: Sun May 11 10:16:02 2003 Subject: gnupg encrypted mail and malware/spam Message-ID: <5.1.0.14.2.20030511101611.021deac0@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 00:16 2003-05-11 -0400, you wrote: >John wrote: >> Eugene Smiley wrote: >>> I think you are missing the point with regard to the issue of >>> server based virus scanning. It isn't that hard to imagine a >>> virus generating an email via Outlook which is then passed to >>> GPGRelay; the user isn't paying attention, types the passphrase, >>> and it get's emailed; the user on the other end decrypts it and >>> opens the attachment... BLAMO! >> >> Ding! There's the REAL culprit - There seems to be as many >> LookOut! exploits out on the 'Net as there are attacks against >> InternetExploder. > >When you have companies -- such as my former employer -- that become >Microsoft Software Partners and dictate that Outlook must be used, >there is little that can be done. People can argue until they are >blue about Outlook being broken and attack prone, but until MS fixes >it, we all must deal with the consequences. > >> Perhaps a less-easily hijacked MUA is needed. What you describe >> here is more E-mail worm than SPAM. > >Exactly, but I wasn't talking about Spam. Here's what I was responding to: > >Thomas Scheffczyk wrote: >> If GnuPG is used to protect mail messages it also disables all >> server based protection measures against malware and Spam. No >> virus scanner nor Spam filter on firewalls or gateways can check >> the encrypted messages. > >Spam had already been addressed, but "malware" wasn't. Virii, Trojans, >and Worms can all be encrypted within a message, and won't be detected >by a virus scanner on the mail gateway. That's why I created the above >possible scenario. > >Eugene > Hi, Checking for malware can easily be done after decryption by any antivirus scanner on the client. 
The resident scanner (monitor or whatever it is called) stops the virus if it's known. Ordinary e-mail clients like e.g. Eudora save the attachment in an ordinary folder and thus the attachment can easily be scanned by the antivirus.

If you use Outlook or Outlook Express you'd better use a virus scanner with an e-mail module. It can easily be configured to scan mail after decryption with e.g. GPGrelay: the mail first passes GPGrelay and then is scanned by the antivirus module.

But: The virus scanner at the e-mail server cannot scan encrypted traffic, as the original message stated. Unless using the commercial PGP's feature ADK.

You can get extra security by using antivirus protection that stops any unknown code from running on the Windows client e.g. the Swedish Abtrusion Protector (using SHA-1 checksums) http://www.abtrusion.com/ or the personal firewall Tiny Personal Firewall (using md5 checksums) http://www.tinysoftware.com

Abtrusion Protector is only for WindowsXP. Tiny's solution is a bit tricky to set up and configure, both do use a lot of resources. (What you win in one end you lose in another ...)

Per Tunedal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92

iD8DBQE+vgbm2Jp9Z++ji2YRAvDfAJ9/o38C4Jol5NRUOHXzuYYeo/KqkQCgzM0Y
3mwMyCdflBUkzIyJKCXAbCc=
=BV43
-----END PGP SIGNATURE-----

From thomas@northernsecurity.net Sun May 11 11:56:03 2003
From: thomas@northernsecurity.net (Thomas Sjögren)
Date: Sun May 11 10:56:03 2003
Subject: Getting started with signatures.
In-Reply-To: <20030511024040.GC1216@math.umd.edu>
References: <20030511024040.GC1216@math.umd.edu>
Message-ID: <20030511085635.GA5851@northernsecurity.net>

On Sat, May 10, 2003 at 10:40:41PM -0400, Daniel Carrera wrote:
> - Upload my public key to keyservers so my signatures can be verified.

gpg --keyserver [keyserver] --send-key [your key id]

> - Get other people's public keys so I can verify their signatures.

gpg --keyserver [keyserver] --recv-keys [other ppl key id]

> If anyone is using Mutt, perhaps I could get some Mutt-specific help:
> It looks like Mutt is not even trying to verify any of the signed messages other
> than my own. Does anyone know how to fix this?

well, gpg is only capable of verifying signatures if you have the public key of the person.
try using --keyserver-options auto-key-retrieve in your gpg.conf

man gpg:
auto-key-retrieve
This option enables the automatic retrieving of keys from a keyserver when verifying signatures made by keys that are not on the local keyring.

/Thomas
--
== thomas@northernsecurity.net
== thomas@se.linux.org
== 0x114AA85C
--

From linux@codehelp.co.uk Sun May 11 13:23:02 2003
From: linux@codehelp.co.uk (Neil Williams) Date: Sun May 11 12:23:02 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <20030511030739.GD1216@math.umd.edu> References: <20030511022128.GA1177@math.umd.edu> <20030511025141.GA19943@bminton.dyn.cheapnet.net> <20030511030739.GD1216@math.umd.edu> Message-ID: <200305111124.16232.linux@codehelp.co.uk> --Boundary-02=_QTiv+NPeI/+REui Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Sunday 11 May 2003 4:07 am, Daniel Carrera wrote: > > > Alright, I have a brand-new 2048-bit ElGamal key and I want to > > > upload it to a keyserver. How do I do that? > Who assigns the keyid? Is that derived from my public key? Yes. The keyid is part of the keypair. When you generate a new key, a new keyid is calculated. (It was displayed when you created the key.) > If so, who do I find out what my keyid is? You get the keyid from the --list-keys output: gpg --list-keys pub 1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp) The keyid follows the / so mine is 28BCB3E3. pub = public key 1024 = keysize D = keytype (I think) then the creation date, name, comment and email address. List the keys, locate your own (sounds like you only have your own or maybe a few others in your ring so far) and make a note of it. With more use of GnuPG, you'll be able to remember the keyid. You'll need the keyid for all your future work with GnuPG and if you want to use other email clients - like KMail - to sign emails. > For that matter, how do I find out what my public key is so I can post it > somewhere? 
The public key should be exported as a text file and then you can post it to a site, either as a .txt file or as .asc - take a look at http://www.codehelp.co.uk/html/neilwilliams.html To create the file, use: gpg -a --output mykey.asc --export You can then view the contents of the file to verify that it contains a keyblock: cat mykey.asc > > Indirectly it does. When you sign a message, the keyid of the > > signing key is included in the signature. > > Could you show me where? Here is your signature. I can't discern where > the keyid is (yes, I know you also had your keyid elsewhere in your email, > but not everyone does that). The way that the signature is displayed is down to your choice of email client. I use KMail which clearly shows the keyid of all signed emails, my own and everyone else's, between the headers and the body of the message. Others here should be able to help you find the keyid and verification details in Mutt. > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.2 (GNU/Linux) > > > > iD8DBQE+vbq8cieIIFcDdHIRArPhAJ9Z4u+gH5noEUxwJsPY38vfE5q/YgCfd3NB > > mZpb4qvkGSeFUnMwSo9Osdo= > > =tLPX > > -----END PGP SIGNATURE----- The keyid is retrievable from this sig but only with the original email. It depends on how the email has been constructed and the easiest ones I've verified on the command line are ones that use the old 'inline' signature, not the MIME type (as used in this email). I'm not sure how Mutt helps you distinguish between the two as KMail does. I think you are referring to the email from Brian Minton sent on Sun May 11 03:51:41 2003 - this is actually an 'inline' message. 
Save this email to a file (unchanged) with a simple filename: test.asc and use gpg to verify: gpg --verify test.asc gpg: Signature made Sun May 11 03:51:40 2003 BST using DSA key ID 57037472 gpg: Good signature from "Brian Minton " gpg: aka "Brian Minton " gpg: aka "Brian Minton " gpg: aka "Brian Minton " gpg: aka "Brian Minton " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 81BE 3A84 A502 ABDD B2CC 4BFD 7227 8820 5703 7472 The keyid is clearly shown. The key is not certified because I haven't met Brian to exchange and verify the key so I haven't signed it. You should get the same warning. Don't start signing keys until you've learnt more about key verification, keysigning events and fingerprint verification. (Most of the keys I have signed have also signed my own key. gpg --list-sigs will show those - most will show up as unknown because they aren't members of this list but all are available from keyservers.) Before I signed these keys, I verified their email addresses over a period of many months of private and list correspondence (using mostly signed emails), I arranged a meeting with the people concerned, verified photographic ID for each one to match the name against the physical person (new photo type driving licence or passport) and then verified the fingerprint of the key with a printed copy given to me by that person at the meeting. Each stage is important to make sure you really do have the right person, the right email address and the right key - by signing a key, you are claiming to have verified all three as accurate. 
> > Thanks again, -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_QTiv+NPeI/+REui Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+viTQiAEJSii8s+MRAhRmAKCEBQ1JBmf8keFd3rzCvjJaI63ijACgxqQn OjTNIP7nrXYPi3MDLvVh3vg= =nlzJ -----END PGP SIGNATURE----- --Boundary-02=_QTiv+NPeI/+REui-- From linux@codehelp.co.uk Sun May 11 13:46:03 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Sun May 11 12:46:03 2003 Subject: Getting started with signatures. In-Reply-To: <20030511024040.GC1216@math.umd.edu> References: <20030511024040.GC1216@math.umd.edu> Message-ID: <200305111147.23603.linux@codehelp.co.uk> --Boundary-02=_7oiv+vKQK723A+l Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Description: signed data Content-Disposition: inline On Sunday 11 May 2003 3:40 am, Daniel Carrera wrote: >From your signed email posted to the list, your keyid is: 0FEBCEC3 To use keyserver websites like: http://www.pgp.uk.demon.net/pks/pks-commands.html you may need to specify the keyid using the 0x prefix (marks it as hexadecimal), so enter: 0x0FEBCEC3 To send to a keyserver, use: gpg --keyserver pgp.mit.edu --send-key 0FEBCEC3 (lower case letters are acceptable too). 0febcec3 Other keyservers I use include: keyserver.linux.it pgp.uk.demon.net There are plenty more. -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ --Boundary-02=_7oiv+vKQK723A+l Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+vio7iAEJSii8s+MRAmLXAKCf8HtzRSLxA9oc2t5MNodAyddX3wCg7Gq8 KOV+UCv4BqL1jq3Wdz7lXuU= =q0pn -----END PGP SIGNATURE----- --Boundary-02=_7oiv+vKQK723A+l-- From thomas.scheffczyk@verwaltung.uni-mainz.de Sun May 11 14:28:03 2003 
From: thomas.scheffczyk@verwaltung.uni-mainz.de (Thomas Scheffczyk) Date: Sun May 11 13:28:03 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> Message-ID: <3EBE33EF.4050500@verwaltung.uni-mainz.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anthony E. Greene schrieb: >>If gnupg is used to protect mail messages it also disables all server >>based protection measures against malware and spam. No virus scanner nor >>spam filter an firewalls or gateways can check the encrypted messages. > > Your needs are not well addressed by GnuPG. You should consider buying > some of the tools offered by PGP Corp. > > http://www.pgp.com/ > Hello Tony, hello all, thank you all for your comments and suggestions. Perhaps I'm to pessimistic, but I do not share the opinion that it would to much work for spammers to encrypt (not sign) their messages. I can imagine that the success ratio of an encrypted spam would be remarkably higher compared with a unencrypted and often filtered message :-( Just a comment to pgp: I used the commercial version of pgp for a while, but if even possible I will never do again. I bought quite a couple of licences just a month before NAI decided to set the development of pgp to hold. The worst thing was, that it wasn't possible to use pgp on WinXP and I really didn't want to maintain different programs for each platform. I guess that my question was a little misleading and to spam centric. A graphical firewall and a gateway for checked files would be a possible solution. Another solution would be to accept encrypted messages only for functional (i.e. non personal) mail to avoid any kind of key escrow for personal keys. Until now, no comment was given to my first post scriptum: 'I do not fear 'ordinary' viruses or other malware. 
What i really fear is a sophisticated attacker that send on a very slow rate backdoors to single users in my network. I can not guarantee the really no user will start the program. If it is started, it's easy to create a backchannel over allowed traffic like http.' Does nobody fear this, too? I'm very surprised that this threat was never discussed in the context of public key infrastructures. I know a couple of big institutions (please apologize that I don't list the institutions right here) that do allow personal use of encryption, but only one (a health insurance company) was aware of this problem. (Their solution is to allow cryptography only for special messages like data exchange with universities ;-) Hoping for more comments and suggestions, Yours, Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQE+vjPvICWLj6LjFjIRAuUmAJ0cPXRJdXMXAzkI9cw5UTBz8o5XBgCgrFsr ukGIg2Ew+UjScLFicmcEywU= =5VpT -----END PGP SIGNATURE----- From steve-gnupg@gbnet.net Sun May 11 16:03:04 2003 From: steve-gnupg@gbnet.net (Steve Kennedy) Date: Sun May 11 15:03:04 2003 Subject: Building 1.2.2 on SunOS 4 In-Reply-To: <20030510204128.GQ4414@jabberwocky.com> References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> <20030508164607.GG25034@gbnet.net> <20030510044207.GM4414@jabberwocky.com> <20030510193203.GA27496@gbnet.net> <20030510204128.GQ4414@jabberwocky.com> Message-ID: <20030511130424.GB2715@gbnet.net> On Sat, May 10, 2003 at 04:41:28PM -0400, David Shaw wrote: > > > Hmm. In the main gnupg build directory, what does > > > "grep underscore config.log" return? > > ac_cv_sys_symbol_underscore=no > What happens if you do "./configure ac_cv_sys_symbol_underscore=yes" ? That worked fine, thanks. Steve -- NetTek Ltd Phone/Fax +44-(0)20 7483 2455 SMS steve-pager (at) gbnet.net [body] gpg 1024D/468952DB 2001-09-19 From linux@codehelp.co.uk Sun May 11 16:30:03 2003 
From: linux@codehelp.co.uk (Neil Williams) Date: Sun May 11 15:30:03 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <3EBE33EF.4050500@verwaltung.uni-mainz.de> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBE33EF.4050500@verwaltung.uni-mainz.de> Message-ID: <200305111430.57378.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sunday 11 May 2003 12:28 pm, Thomas Scheffczyk wrote: > Perhaps I'm to pessimistic, but I do not share the opinion that it would > to much work for spammers to encrypt (not sign) their messages. I can > imagine that the success ratio of an encrypted spam would be remarkably > higher compared with a unencrypted and often filtered message :-( When the spam filters can still operate on the decrypted message, I can't see that it would succeed. Encrypted does not have to mean unfiltered. It just changes the location from server to user. With an open source email client, you could even adjust the program source code to do this without intervention - - in between decryption and display. Your basic problem is user training. You seem frightened that if the server filters are bypassed that users will open any attachment, run any program and visit any site listed inside the email. If this is the case, your only real recourse is training. Alternatively, move to a more secure filesystem like Unix/Linux where the root and system files are simply not visible to users, so limiting any possible damage to user files. Even then, users will still have to be taught the consequences of casual and irresponsible behaviour. You cannot protect the users from themselves and IMHO GnuPG should not be twisted into a means to protect the careless from their own mistakes / incompetence. > I guess that my question was a little misleading and to spam centric. A > graphical firewall and a gateway for checked files would be a possible > solution. 
Another solution would be to accept encrypted messages only > for functional (i.e. non personal) mail to avoid any kind of key escrow > for personal keys. Just how are you going to implement that??? Bounce every message until you get a valid account?? There are personal spam firewalls out there that can work that way but these can prove unpopular. > 'I do not fear 'ordinary' viruses or other malware. What i really fear > is a sophisticated attacker that send on a very slow rate backdoors to > single users in my network. I can not guarantee the really no user will > start the program. If it is started, it's easy to create a backchannel > over allowed traffic like http.' You mean a Trojan? Or a root-kit? Then use an intrusion detection system, you simply cannot cover every possibility that someone may use, to deliberately install something like this, any other way. Email is not the only way to get rooted - I wouldn't even think it was the most common. > Does nobody fear this, too? I'm very surprised that this threat was > never discussed in the context of public key infrastructures. I know a The threat is nothing to do with GnuPG. You seem to be talking about a general network security issue that is more related to keeping the OS up to date with patches and general system maintenance. You are in danger of blaming the messenger. Have you excluded all other routes? Instant Messaging? IRC? Deliberate introduction by users? Known exploits? 'A sophisticated attacker' will not want to rely on a method that, in turn, relies totally on a user decrypting a message and launching the attachment. There would need to be some kind of inside knowledge that a specific user would be likely to ignore all the basic security rules and willfully compromise their own system. An attacker willing to put in that much work is not going to stop if that method fails. Other attackers wouldn't even bother with the encrypted route, there are far easier targets on a system. 
> couple of big institutions (please apologize that I don't list the > institutions right here) that do allow personal use of encryption, but Probably because they don't understand it and / or are anxious to read all outgoing mail. (Note lack of smiley - some companies would love to filter all outgoing mail and probably already do.) > only one (a health insurance company) was aware of this problem. (Their > solution is to allow cryptography only for special messages like data > exchange with universities ;-) Then it sounds like they don't understand the issue. Personal encryption can be as much about prevention of identity fraud as 'subterfuge'. I sign emails because I don't want anyone else to be able to pose as me. I encrypt personal data so that it cannot be used to allow an attack to proceed beyond the compromised machine. (There may be other ways for an attacker to get to the next machine but it won't be by finding copies of passwords etc. lying around on the system.) Encryption can be part of your security and can be used to halt an incursion that has been made using other methods. If all users encrypted their passwords and other personal ID data with their own personal keys, it could be made much harder for attackers to move from one compromised machine to the next. (Assuming of course, that the original passwords are half-way decent in the first place and not going to be cracked with a simple dictionary attack.) No one program or principle can give you security - the point is to target the weakest link. Only worry about encrypted emails when all other targets are removed. In the meantime, get an intrusion detection program. 
- -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+vlCQiAEJSii8s+MRAgE+AKDHncX2NZGEURR5CT+aiQKOPONBYgCgsLgP GqoXeMY6kYDYKrFv4YKJ5h0= =6Di6 -----END PGP SIGNATURE----- From ingo.kloecker@epost.de Sun May 11 16:44:02 2003 
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sun May 11 15:44:02 2003
Subject: Keys not trusted
In-Reply-To: <200305090151.56006.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to>
Message-ID: <200305111455.24901@erwin.ingo-kloecker.de>

--Boundary-02=_8gkv+/+Z+ZaGTIQ
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Friday 09 May 2003 00:29, Yenot wrote:
> On Tuesday 06 May 2003 04:03 am, Wolfgang Bornath wrote:
> > Being fairly new in this I joined this list and received some
> > messages by people who signed their messages. I always imported the
> > keys (using the gpg option --auto-key-retrieve) and kmail tells me
> > "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> > Signature is valid but the key is not trusted."
> >
> > When I want to send a private mail to somebody like that and I want
> > to encrypt the text I see the list of my pubring but all imported
> > keys are marked red and I cannot encrypt.
>
> You're certainly not the only person with this problem. I know at
> least some of the Kmail developers read this list, so maybe it would
> be useful to start a discussion on the matter. I think Kmail, and
> mail agents in general, need some way of sending e-mail to unknown
> parties. Just because I don't know someone's real identity, doesn't
> mean that I don't want to send them mail.

You don't have to know them personally. You just have to know someone
who verified their identity (and then signed their key). And if you
want to send a message to someone who regularly signs the messages he
sends to a mailing-list (so that you can be more or less sure that you
would use the right key for encryption) then you can simply locally
sign this key (with "I have not checked at all." of course). The
The=20 problem currently is that gpg doesn't report the strength of a=20 signature. (Or does it?) It just tells you that a signature is good or=20 bad. But a good signature from a locally signed "I have not checked at=20 all." key is definitely not very valuable. It would be good if gpg=20 would evaluate the strength of a signature so that mail clients could=20 show it. IMO making the usage of unverified keys too easy (i.e. the user just has=20 to click away a warning) will result in a weakening and a slower growth=20 of the web of trust. Why weakening? Because people who routinely use unverified keys will=20 sooner or later sign unverified keys. Why slower growth? Because exchanging fingerprints and signing keys=20 isn't necessary. So why bother? > One way to pick the best key for such e-mail only acquaintances would > be for people within various communities to all use a single robot > authentication authority (for example: > http://www.toehold.com/robotca). Some members of this list, such as > GnuPG developer David Shaw, consider this to be a bad idea. The RobotCA simply verifies the email address. You can easily do this=20 yourself by sending an encrypted challenge to the person you want to=20 communicate with. (Yes, I know that an encrypted challenge will only=20 verify the encryption key.) > Shaw=20 > proposes that when no trust path to an e-mail exists, the mail client > should encrypt to all available keys for the given e-mail address > (warning the user appropriately). Then when/if the party you sent to > replies, you can set the definitive key based on the key they use in > their reply. This isn't really a good idea. You encrypt with a valid and with a=20 forged key. The message is intercepted, decrypted and answered by the=20 forger. You have been fooled. The right way to do this is to ask the user which key should be used if=20 several keys contain the email address. 
The user could for example know
the right key from all the signatures that were made with this key on
mailing-list messages. If the user doesn't know the right key then
encryption is pointless. Prominent example: AFAIK there's a forged key
for Phil Zimmermann. You should definitely go to his website to get the
correct key instead of downloading all keys with his name and
encrypting to all of them.

> (For this to be accessible to non-crypto zealots, the
> mail agent would also need some way of locally signing a key based on
> the signature of a received mail.)

Key-Management shouldn't be done by a mail client. There are
applications which are much better for this, e.g. gpa and kgpg.

> I can think of a couple other ideas that would involve caching
> previously seen address/fingerprint pairs. Maybe with an SSH like
> feature that warns when an address/fingerprint doesn't match the
> address/fingerprint previously seen. (All my ideas have minor
> problems, so I'll wait and see what other people have to say first.)

Well, if you don't automatically retrieve missing keys then you will
notice if a message was signed with an unknown key because then the
signature can't be verified.

> Do the developers of Kmail, Sylpheed, and/or Enigmail have a vision
> of how the mail agent of the future can increase the use of PGP for
> casual Internet communications without making major compromises on
> the security of more serious communications with known entities?

IMO KMail is already almost there. The only thing which is missing is an
easy way to download missing keys. And in KDE 3.2 there will be KGpg
which allows easy key management. If you think KMail is missing a
useful feature then please file a wish at bugs.kde.org.
Regards, Ingo --Boundary-02=_8gkv+/+Z+ZaGTIQ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+vkg8GnR+RTDgudgRAkFrAJ9Ijh8gOROKLwHSq1IwHhPXCFNf2gCeIL5i oeHryUvFsjqw1uOL/UV1sZU= =MUFX -----END PGP SIGNATURE----- --Boundary-02=_8gkv+/+Z+ZaGTIQ-- From casd@myrealbox.com Sun May 11 18:09:03 2003 From: casd@myrealbox.com (Santos) Date: Sun May 11 17:09:03 2003 Subject: Reg file on gnupg for windows Message-ID: <3EBB41B0.8060201@myrealbox.com> Hi. The file gnupg-w32.reg on gnupg for windows has this: -------------------------------------------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\GNU] [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG] [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG] "HomeDir"="C:\\GnuPG" "gpgProgram"="C:\\GnuPG\\gpg.exe" [HKEY_CURRENT_USER\Control Panel\Mingw32] [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS] [HKEY_CURRENT_USER\Control Panel\Mingw32\NLS] "MODir"="C:\\GnuPG\\Locale" ---------------------------------------------------´ I unziped gnupg to F:\Program Files\gnupg, will those "c:\" paths on the .reg file cause trouble? Santos From cripto@ecn.org Sun May 11 18:09:34 2003 From: cripto@ecn.org (Anonymous) Date: Sun May 11 17:09:34 2003 Subject: mobile GPG installation Message-ID: <921dd33c85c0af4a267187cd0d4b805c@ecn.org> > The other problem is that most computers don't have an OpenPGP application > installed by default and that it is always a bit delicate to install > software on other people's computers when you are a guest. I have read about a project that built a Java-only SSH client which can be run from any (Java-enabled) browser, with nothing to install on the local computer. Look around for anything similar for OpenPGP... From tony.kwok@3web.net Sun May 11 18:22:02 2003 
From: tony.kwok@3web.net (tk) Date: Sun May 11 17:22:02 2003 Subject: mobile GPG installation In-Reply-To: <20030511055043.7867.qmail@web10501.mail.yahoo.com> References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> Message-ID: <3EBE6AD0.5010000@3web.net> Burns wrote: > Change homedir (in the registry) to "A:\gpgsec" (trust file and > random seed file will be here from now on, along with your own > keypairs) ... > Somebody, let me know if I'm giving bad advice here. Only in the sense that (as per original poster's scenario) fiddling with the registry entries on the computer that belongs to someone else, who lets you look at your mail for a few minutes is a bad idea. We are still waiting for the good GPG creators to understand the very real need for a GPG variant that REQUIRES NO INSTALLATION, i.e., a program that is not "fused" to a particular "box", but only to an operating system and the medium it resides on (floppy, CD...). (Why is this such a difficult concept to fathom?) tk From pt@radvis.nu Sun May 11 19:26:02 2003 
From: pt@radvis.nu (Per Tunedal) Date: Sun May 11 18:26:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <3EBE33EF.4050500@verwaltung.uni-mainz.de> References: <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> Message-ID: <5.1.0.14.2.20030511181801.02036bb8@localhost> At 13:28 2003-05-11 +0200, you wrote: >'I do not fear 'ordinary' viruses or other malware. What i really fear >is a sophisticated attacker that send on a very slow rate backdoors to >single users in my network. I can not guarantee the really no user will >start the program. If it is started, it's easy to create a backchannel >over allowed traffic like http.' > >Does nobody fear this, too? I'm very surprised that this threat was >never discussed in the context of public key infrastructures. >Hoping for more comments and suggestions, > >Yours, > >Thomas Hi again Thomas, did you read my mail about stopping unknown software from running on the client? I believe it is a step forward that such software is available from at least 2 different developers. It's quite popular to use Abtrusion Protector to "lock" computers at Swedish schools. Wouldn't the same kind of solution be applicable at your company? Per Tunedal From dshaw@jabberwocky.com Sun May 11 20:14:03 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sun May 11 19:14:03 2003 Subject: Photo ID Display Behavior In-Reply-To: <000001c31767$8b426340$da7620d1@umcrookston.edu> References: <000001c31767$8b426340$da7620d1@umcrookston.edu> Message-ID: <20030511171451.GW4414@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 09:46:37PM -0500, Richard Laager wrote: > Using version 1.2.1 of GPG, I discovered the following behavior: If a > key has multiple photo IDs, all will be displayed when doing a > "showphoto". This seems appropriate. However, the photo IDs are > displayed even if the self-signature on the photo ID is revoked. I > didn't test it, but all the evidence seems to suggest that the photo ID > would be displayed if the self-signature was absent or expired. I > believe this is the current intended behavior. Yes, this is intended behavior. The reason is that the --edit-key menu is to see and manipulate what is really on the key. A revoked/expired photo ID shows up with a "[revoked]" or "[expired]" just like a textual user ID would. > PGP (only tested with 6.5.8ckt) displays all photo IDs in a > scrolling list, even those that are revoked, etc. PGP 6 doesn't have any notion of a revoked user ID. It treats revoked user IDs as unrevoked. > I'd like to suggest that the behavior be modified. Just as revoked > user IDs are hidden when doing a gpg --list-key, I suggest that only > photo IDs with a valid* self-signature be displayed. The advantage > to doing so would be that a user could replace his/her photo ID > every so often, just as a photo on a passport** is replaced every 10 > years or so. By either revoking or letting the self-signatures on > old photos expire, the user could have a current photo displayed > with his/her key. The old photos would simply be hidden, without > having to be deleted. This is in fact how the --list-keys photo code works now, and if you do "--show-photos --list-keys", you get the semantics you want. 
- --list-keys does not display expired or revoked user IDs unless - --verbose is set, and that holds for both textual and photo IDs. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+voUL4mZch0nhy8kRAjLgAJwMUBdyljFgjvCy4E61pQWxtXNAIwCfSX/3 1N3f1a+v+LKnIMN/rYmTRFw= =6l1J -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Sun May 11 20:32:02 2003 
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Sun May 11 19:32:02 2003
Subject: mobile GPG installation
In-Reply-To: <3EBE6AD0.5010000@3web.net>
References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net>
Message-ID: <200305111933.24401@fortytwo.ch>

--Boundary-02=_klov+j+dupGKMFQ
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Sunday 11 May 2003 17:22, tk wrote:
> Burns wrote:
> > Change homedir (in the registry) to "A:\gpgsec" (trust file and
> > random seed file will be here from now on, along with your own
> > keypairs)
>
> ...
>
> > Somebody, let me know if I'm giving bad advice here.
>
> Only in the sense that (as per original poster's scenario)
> fiddling with the registry entries on the computer that belongs
> to someone else, who lets you look at your mail for a few
> minutes is a bad idea. We are still waiting for the good GPG
> creators to understand the very real need for a GPG variant
> that REQUIRES NO INSTALLATION, i.e., a program that is
> not "fused" to a particular "box", but only to an operating
> system and the medium it resides on (floppy, CD...).
>
> (Why is this such a difficult concept to fathom?)

Because the creators of gpg try to create a secure software, not a package
that just seems secure.

You propose to insert a disk/usb-stick/whatever with your secret keyring into
a computer which you basically can't trust. I don't think that this is
something the gpg authors should spend time to make easy.
cheers =2D- vbi =2D-=20 OpenPGP encrypted mail welcome - my key: http://fortytwo.ch/gpg/92082481 --Boundary-02=_klov+j+dupGKMFQ Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj6+iWRgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWIIMAn05NDXodxZlkTMunFIW+XGs+ qka8AJ9oSfnudV5JeEKMiVNVjjV30+Uyeg== =ZMkL -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab --Boundary-02=_klov+j+dupGKMFQ-- From dcarrera@math.umd.edu Sun May 11 20:41:02 2003 
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 11 19:41:02 2003
Subject: [Q] key vs subkey.
Message-ID: <20030511174220.GA1085@math.umd.edu>

Hello all,

Thanks for all the help. I'm learning this stuff pretty quickly. The
resources have been very useful.

I'm currently figuring out subkeys. This is what I know so far:

- I have a unique DSA key for signing.
- I can have multiple ElGamal keys for encryption. These are the
  subkeys.
- The command below tells me that my 1024-bit DSA key has a KeyID
  0FEBCEC3, and that of my 2048-bit ElGamal key is 0D1C25EC.

dcarrera ~ $ gpg --fingerprint daniel
pub 1024D/0FEBCEC3 2003-05-10 Daniel Carrera (PhD Student, Math)
Key fingerprint = C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
sub 2048g/0D1C25EC 2003-05-10 [expires: 2005-05-09]

So far so good? Now my questions:

- What's the difference between the fingerprint and the KeyID?
- Does only the signing key have a fingerprint?
- Which KeyID do I use to generate my public key?
  I figure it must be the ElGamal one.

Thanks for the help,
--
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD (301) 405-5137     | 98FC 9E04 B9A0 0FEB CEC3 |

From gnupg-users@nahrath.de Sun May 11 20:42:17 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Sun May 11 19:42:17 2003
Subject: mobile GPG installation
In-Reply-To:
References: <3EBC3092.6010605@nahrath.de>
Message-ID: <3EBE8BC2.3020100@nahrath.de>

Martin Bretschneider wrote:

>>They have their mail accounts at some freemailer services and use
>>them solely via web frontend on other people's computers or in
>>internet cafes.

> They can use a kind of secure webservices. Check www.hushmail.com

I had a look at their website and can't take them seriously in security
concerns. They do everything to prevent users seeing what is really
happening.

> or
> http://www.sys3175.co.uk/securemail.php

Thanks for that tip. Looks interesting. I guess I'll give it a try on my
own webspace.

The principal problem for users is still: They have to trust me and they
have to trust my webserver's hostmasters.
And they have to trust that the Browser's connection to the webserver is
secure ...

But the idea to provide such a web-service on my own is appealing.

Greeting, Michi

From ingo.kloecker@epost.de Sun May 11 21:37:03 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sun May 11 20:37:03 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <3EBE33EF.4050500@verwaltung.uni-mainz.de>
References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBE33EF.4050500@verwaltung.uni-mainz.de>
Message-ID: <200305112035.04886@erwin.ingo-kloecker.de>

On Sunday 11 May 2003 13:28, Thomas Scheffczyk wrote:
> Until now, no comment was given to my first post scriptum:
>
> 'I do not fear 'ordinary' viruses or other malware. What I really
> fear is a sophisticated attacker that sends on a very slow rate
> backdoors to single users in my network. I can not guarantee that
> really no user will start the program. If it is started, it's easy to
> create a backchannel over allowed traffic like http.'
>
> Does nobody fear this, too?

No, but only because being a single user on a single computer I don't
have to fear the ignorance of other users.

There's not much you can do to prevent this from happening apart from
installing a strict policy for the usage of encryption. One option
would be to disallow MIME (OpenPGP or S/MIME) encrypted messages and
only allow inline encryption because with inline encryption attachments
can't be encrypted. Another option would be to disallow any encryption.
Of course both options are not applicable if you want to exchange data
in encrypted attachments.

Another more complicated option would be to only allow inline encryption
for personal mail and to allow MIME encryption with a personal
"business" key which is also known to the company (key escrow) or with
an additional company key (i.e. all messages are encrypted with the
user's personal key _and_ the company key) for all business related
mail. All incoming MIME messages which can't be decrypted would be
rejected or whatever. This would assure that all attachments can be
scanned for malware and at the same time allow personal use of
encryption for normal text messages.

Regards,
Ingo

From tony.kwok@3web.net Sun May 11 21:39:03 2003
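Added example, not part of any message in this thread: a gateway check for the first option in the message above (reject MIME-level encryption, let inline-encrypted text through), written with Python's standard `email` package. The function names and sample messages are constructed for the example, and rejecting encrypted file attachments is this example's own assumption, made so that every attachment stays scannable.

```python
from email import message_from_string
from email.message import Message

ARMOR = "-----BEGIN PGP MESSAGE-----"
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
ACCEPTED = {"plain", "inline-pgp"}  # kinds the gateway lets through


def _text_of(part: Message) -> str:
    """Decoded leaf payload as text; undecodable bytes are replaced, never fatal."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    try:
        return payload.decode(part.get_content_charset() or "ascii", errors="replace")
    except LookupError:  # unknown charset label in the header
        return payload.decode("latin-1")


def classify(msg: Message) -> str:
    """Return the kind of encryption a message carries, most opaque kind first."""
    inline = attachment = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":  # RFC 3156 container: body and attachments hidden
            proto = str(part.get_param("protocol") or "").lower()
            return "pgp-mime" if proto == "application/pgp-encrypted" else "mime-encrypted"
        if ctype in SMIME_TYPES:
            # A missing smime-type is treated as enveloped (encrypted) data.
            kind = str(part.get_param("smime-type") or "enveloped-data").lower()
            if kind != "signed-data":
                return "smime"
            continue
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        is_attachment = bool(name) or part.get_content_disposition() == "attachment"
        has_armor = ARMOR in _text_of(part)
        if is_attachment and (has_armor or name.endswith((".gpg", ".pgp"))):
            attachment = True  # assumption of this example: opaque files are refused too
        elif not is_attachment and ctype == "text/plain" and has_armor:
            inline = True  # only the text body is encrypted
    if attachment:
        return "encrypted-attachment"
    return "inline-pgp" if inline else "plain"


def gateway_decision(raw: str) -> tuple:
    """('accept' | 'reject', kind) for one raw RFC 822 message."""
    kind = classify(message_from_string(raw))
    return ("accept" if kind in ACCEPTED else "reject", kind)


def _sample(*lines: str) -> str:
    return "\n".join(lines) + "\n"


# Constructed sample messages; the armored blocks are placeholders, not ciphertext.
BODY = (ARMOR, "", "(constructed placeholder)", "-----END PGP MESSAGE-----")
PLAIN = _sample("Subject: plain", "Content-Type: text/plain; charset=us-ascii",
                "", "Lunch at noon?")
INLINE = _sample("Subject: inline", "Content-Type: text/plain; charset=us-ascii",
                 "", *BODY)
PGP_MIME = _sample(
    "Subject: PGP/MIME",
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"',
    "", "--b1", "Content-Type: application/pgp-encrypted", "", "Version: 1",
    "--b1", "Content-Type: application/octet-stream", "", *BODY, "--b1--")
SMIME = _sample(
    "Subject: S/MIME",
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
    "Content-Transfer-Encoding: base64", "", "AAAA")
ATTACHED = _sample(
    "Subject: attachment", 'Content-Type: multipart/mixed; boundary="b2"',
    "", "--b2", "Content-Type: text/plain", "", "See attached.",
    "--b2", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="report.doc.gpg"',
    "Content-Transfer-Encoding: base64", "", "AAAA", "--b2--")

if __name__ == "__main__":
    for label, raw in [("plain", PLAIN), ("inline", INLINE), ("pgp/mime", PGP_MIME),
                       ("s/mime", SMIME), ("attachment", ATTACHED)]:
        print(label, gateway_decision(raw))
```

The second option in the message (an escrowed or additional company key) would replace the outright rejection of `pgp-mime` with an attempt to decrypt at the gateway, followed by a scan of the decrypted parts.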
From: tony.kwok@3web.net (tk)
Date: Sun May 11 20:39:03 2003
Subject: mobile GPG installation
In-Reply-To: <200305111933.24401@fortytwo.ch>
References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net> <200305111933.24401@fortytwo.ch>
Message-ID: <3EBE990A.9010201@3web.net>

Adrian 'Dagurashibanipal' von Bidder wrote:
>
> Because the creators of gpg try to create a secure software,
> not a package that just seems secure.
>
> You propose to insert a disk/usb-stick/whatever with your
> secret keyring into a computer which you basically can't trust.
> I don't think that this is something the gpg authors should
> spend time to make easy.

This is nonsense. As a user, I am the best judge which computer to trust
and which not to trust. No computer that is ever left unattended for any
period of time could be trusted hundred percent - yet most users run GPG
on such computers.

On the other hand, many users could find computers that they use only
occasionally and that belong to others (friends, employers, etc.) at
least as trustworthy as the computer they leave unattended in their
rental flat which, for instance, their landlord (and who knows who else)
can easily visit while they are at work.

Yes, malware/keyloggers/etc. on a computer can be a problem, but the
solution has nothing to do with fusing the software package to a
particular box. This is an extremely naive solution at best, and if you
think of it, in many instances it might be outright counterproductive.

tk

From dshaw@jabberwocky.com Sun May 11 22:19:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 11 21:19:02 2003
Subject: mobile GPG installation
In-Reply-To: <3EBE6AD0.5010000@3web.net>
References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net>
Message-ID: <20030511191927.GZ4414@jabberwocky.com>

On Sun, May 11, 2003 at 03:22:56PM +0000, tk wrote:
> Burns wrote:
> >Change homedir (in the registry) to "A:\gpgsec" (trust file and
> >random seed file will be here from now on, along with your own
> >keypairs)
> ...
> >Somebody, let me know if I'm giving bad advice here.
>
> Only in the sense that (as per original poster's scenario)
> fiddling with the registry entries on the computer that belongs
> to someone else, who lets you look at your mail for a few
> minutes is a bad idea. We are still waiting for the good GPG
> creators to understand the very real need for a GPG variant
> that REQUIRES NO INSTALLATION, i.e., a program that is
> not "fused" to a particular "box", but only to an operating
> system and the medium it resides on (floppy, CD...).

gpg --homedir d:\whatever\you\like. No registry.

David

From linux@codehelp.co.uk Sun May 11 22:30:02 2003
From: linux@codehelp.co.uk (Neil Williams)
Date: Sun May 11 21:30:02 2003
Subject: [Q] key vs subkey.
In-Reply-To: <20030511174220.GA1085@math.umd.edu>
References: <20030511174220.GA1085@math.umd.edu>
Message-ID: <200305112031.32582.linux@codehelp.co.uk>

On Sunday 11 May 2003 6:42 pm, Daniel Carrera wrote:
> Hello all,
>
> Thanks for all the help. I'm learning this stuff pretty quickly. The
> resources have been very useful.

I still can't find your key though. Have you sent it to a keyserver?

> I'm currently figuring out subkeys. This is what I know so far:
> - I have a unique DSA key for signing.
> - I can have multiple ElGamal keys for encryption. These are the
> subkeys.

(also unique)

> - The command below tells me that my 1024-bit DSA key has a KeyID
> 0FEBCEC3, and that of my 2048-bit ElGamal key is 0D1C25EC.
>
> dcarrera ~ $ gpg --fingerprint daniel
> pub 1024D/0FEBCEC3 2003-05-10 Daniel Carrera (PhD Student, Math)
>
> Key fingerprint = C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
> sub 2048g/0D1C25EC 2003-05-10 [expires: 2005-05-09]
>
> So far so good? Now my questions:
>
> - What's the difference between the fingerprint and the KeyID?

The fingerprint is a summary of the key that is used to verify that the
key I eventually download from a keyserver is the same key as you are
using. Each key has a unique fingerprint. The KeyID is used to identify
the key - like a name, smaller and more memorable than an entire
fingerprint.

> - Does only the signing key have a fingerprint?

Pass. Someone else here will undoubtedly know that.

> - Which KeyID do I use to generate my public key?

Do you mean export? You have already generated the public key. To export
the key, use 0FEBCEC3. (same whether you are exporting to a file or to a
keyserver (hint)).

> I figure it must be the ElGamal one.

You already said the ElGamal is for encryption.

> Thanks for the help,

--
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/

From malsyned@cif.rochester.edu Sun May 11 22:44:03 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Sun May 11 21:44:03 2003
Subject: [Q] key vs subkey.
In-Reply-To: <20030511174220.GA1085@math.umd.edu>
References: <20030511174220.GA1085@math.umd.edu>
Message-ID: <1052682442.20244.16.camel@dennisx.cif.rochester.edu>

> - What's the difference between the fingerprint and the KeyID?

The KeyID is a short, easy-ish to remember number that (probably)
uniquely identifies your key. It can be used to specify the key you're
dealing with to gpg commands, and it is the value on which keyservers
index their keys, and by which signatures refer to the key which created
them.

An example KeyID: F53BA904

The Fingerprint is a longer number which also (probably, much more
probably) uniquely identifies your key, with the added property that it
would be cosmically difficult for a man-in-the-middle to generate
another key with the same fingerprint, allowing him to spoof the
authentication and signing of keys. Fingerprints are treated as
unforgeable proof that two people are talking about the same key,
without them having to read the whole key to each other. They are
considered necessary and sufficient for confident signing of keys. To
see the fingerprint of a key, the command

gpg --fingerprint KeyID

can be used.

An example fingerprint:
580D 265C 0FF3 099B A799 1FC7 FEB2 E4CC F53B A904

> - Does only the signing key have a fingerprint?

Any public key has a fingerprint, but only the primary signing key's
fingerprint is usually used, since once the primary key has been
verified, secondary keys that are bound to it by valid signatures can be
trusted.

> - Which KeyID do I use to generate my public key?
> I figure it must be the ElGamal one.

The KeyID merely identifies an already-generated key. If you're talking
about exporting the key, then you can use the key-id, as well as any
unique string of characters in an identity attached to that key.

The public key consists both of the primary signing key and the
encryption subkey. Usually, the KeyID of the /signing/ key is used to
refer to the entire key, since the encryption key is expected to be less
permanent. Essentially, you can act as though you were always talking
about just the signing key, and GnuPG will treat any subkeys attached to
it as part of the package.

--Dennis Lambe

From dcarrera@math.umd.edu Sun May 11 22:56:03 2003
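Added example, not part of any message in this thread and not GnuPG's code: how a version 4 OpenPGP fingerprint is computed from a key packet and why the KeyID is simply its tail, checked against the two fingerprints quoted in the thread. It assumes v4 keys as specified in RFC 2440; the function names, creation time and toy key numbers are constructed for the example.

```python
import hashlib
import struct

# Fingerprints quoted in this thread, keyed by the KeyID quoted next to them.
THREAD_FINGERPRINTS = {
    "0FEBCEC3": "C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3",
    "F53BA904": "580D 265C 0FF3 099B A799 1FC7 FEB2 E4CC F53B A904",
}
CREATED = 1052524800  # constructed creation time: 2003-05-10 00:00:00 UTC


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def v4_key_body(created: int, algo: int, numbers: list) -> bytes:
    """Body of a version 4 public key or public subkey packet."""
    header = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    return header + b"".join(mpi(n) for n in numbers)


def v4_fingerprint(body: bytes) -> bytes:
    """SHA-1 over 0x99, the 2-byte body length and the body: 160 bits.
    Subkeys are hashed the same way, so every key has its own fingerprint."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def parse_fingerprint(text: str) -> bytes:
    """Accept the spaced form printed by gpg --fingerprint; require 40 hex digits."""
    raw = bytes.fromhex("".join(text.split()))
    if len(raw) != 20:
        raise ValueError("a v4 fingerprint is 20 bytes (40 hex digits)")
    return raw


def format_fingerprint(fpr: bytes) -> str:
    digits = fpr.hex().upper()
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def long_key_id(fpr: bytes) -> str:
    """The 64-bit key ID is the low 8 bytes of the fingerprint."""
    return fpr[-8:].hex().upper()


def short_key_id(fpr: bytes) -> str:
    """The 8-digit KeyID shown by gpg is the low 4 bytes of the fingerprint."""
    return fpr[-4:].hex().upper()


def key_id_matches(fingerprint: str, key_id: str) -> bool:
    """True if an 8- or 16-digit key ID (optional 0x) is the tail of the fingerprint.
    A match is necessary but not sufficient: compare the full fingerprint
    before signing a key, because only 32 or 64 bits are checked here."""
    kid = key_id.lower()
    if kid.startswith("0x"):
        kid = kid[2:]
    if len(kid) not in (8, 16):
        raise ValueError("key IDs are 8 or 16 hex digits")
    return parse_fingerprint(fingerprint).hex().endswith(kid)


def constructed_key_pair() -> tuple:
    """Fingerprints of a constructed DSA primary (algorithm 17) and Elgamal
    subkey (algorithm 16). The numbers are toy values, not usable key material."""
    primary = v4_key_body(CREATED, 17, [0xF7E1A085D69B3DDF, 0x9760508F, 0x2B, 0x1D3A5C77])
    subkey = v4_key_body(CREATED, 16, [0xE3B0C44298FC1C15, 0x05, 0x6A09E667F3BCC909])
    return v4_fingerprint(primary), v4_fingerprint(subkey)


if __name__ == "__main__":
    for key_id, fpr in THREAD_FINGERPRINTS.items():
        print(key_id, "<-", fpr, "ok" if key_id_matches(fpr, key_id) else "MISMATCH")
    primary, subkey = constructed_key_pair()
    print("primary:", format_fingerprint(primary), "KeyID", short_key_id(primary))
    print("subkey: ", format_fingerprint(subkey), "KeyID", short_key_id(subkey))
```

Because the creation time is part of the hashed packet body, the same key numbers with a different timestamp give a different fingerprint and KeyID.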
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 11 21:56:03 2003
Subject: [Q] Sending a key to a keyserver
Message-ID: <20030511195706.GA1352@math.umd.edu>

Hi all,

I really think I'm doing everything right, and I don't understand why
it's not working. I'm trying to upload my key to a keyserver. Here is
what I get:

dcarrera ~ $ gpg --list-keys daniel
pub 1024D/0FEBCEC3 2003-05-10 Daniel Carrera (PhD Student, Math)
sub 2048g/0D1C25EC 2003-05-10 [expires: 2005-05-09]

dcarrera ~ $ gpg --send-keys 0x0FEBCEC3
gpgkeys: error adding key 0x0FEBCEC3 to keyserver: Already exists
gpg: keyserver internal error

What does it mean by my key "already exists". It can't be in the server
already. I haven't put it up yet. Besides, if it were Neil would have
been able to retrieve it.

Does anyone know what's going on?

Thanks.
--
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD (301) 405-5137     | 98FC 9E04 B9A0 0FEB CEC3 |

From thomas.scheffczyk@verwaltung.uni-mainz.de Sun May 11 23:10:03 2003
From: thomas.scheffczyk@verwaltung.uni-mainz.de (Thomas Scheffczyk)
Date: Sun May 11 22:10:03 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <200305111430.57378.linux@codehelp.co.uk>
References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBE33EF.4050500@verwaltung.uni-mainz.de> <200305111430.57378.linux@codehelp.co.uk>
Message-ID: <3EBEAE77.6030100@verwaltung.uni-mainz.de>

Neil Williams wrote:
>>Perhaps I'm too pessimistic, but I do not share the opinion that it would
>>be too much work for spammers to encrypt (not sign) their messages. I can
>>imagine that the success ratio of an encrypted spam would be remarkably
>>higher compared with an unencrypted and often filtered message :-(
>
> When the spam filters can still operate on the decrypted message, I can't see
> that it would succeed. Encrypted does not have to mean unfiltered. It just
> changes the location from server to user. With an open source email client,
> you could even adjust the program source code to do this without intervention
> - in between decryption and display.

Hello Neil,

you are right, security will definitively change from being
border/network to host centric. If there is no other solution it's the
way I have to go.

> Your basic problem is user training. You seem frightened that if the server
> filters are bypassed that users will open any attachment, run any program and
> visit any site listed inside the email. If this is the case, your only real
> recourse is training.

Do you have the resources to train all users to a sophisticated level?
I would like to have, but I don't have.

> Alternatively, move to a more secure filesystem like
> Unix/Linux where the root and system files are simply not visible to users,
> so limiting any possible damage to user files.

This is also possible with WinNT/2000/XP: you don't use IE and Outlook,
restrict rights, etc. That's fine against malware that's not targeted
especially against your system.

> Even then, users will still
> have to be taught the consequences of casual and irresponsible behaviour.

Sorry I can not agree with your conclusion especially because your first
statement is right. It's all user training. But see this from the other
side. There are people that have to do their job to earn money. They
don't want to use a computer, they have to. We (at least I) give them
tools they roughly can use but don't really understand. Who is to blame
if an error occurs? I think in most cases it's the administration and
not the user.

> You cannot protect the users from themselves and IMHO GnuPG should not be
> twisted into a means to protect the careless from their own mistakes /
> incompetence.

Big words. Just an issue where GnuPG can be involved that will explain
my concerns: I'm not sure about the juristical consequences that a gnupg
signed mail can have. Who is responsible if within this mail 5000 litres
of milk (harmless example) is ordered? Who has to pay if the user denies
his/her responsibility? Does the user have to prove his innocence,
because 'it's a digitally signed message and gnupg is secure'?

Think on automatic teller machine frauds in Great Britain and how long
the banks were able to deny any responsibility. Did every user of this
machine know the risks and the fact that the banks were lying about the
security of their systems (see http://axion.physics.ubc.ca/atm.html or
the book 'Security Engineering' from Ross Anderson for more details)?

Another example from Germany: I was really surprised that I 'have to
serve' a mail account if I publish the mail address. If I don't do it
can have negative consequences like missed time limits that started when
a message arrived in my postbox.

So if I don't know the juristical consequences of my (technical) acts,
how should an average user know the technical consequences of theirs?

>>I guess that my question was a little misleading and too spam centric. A
>>graphical firewall and a gateway for checked files would be a possible
>>solution. Another solution would be to accept encrypted messages only
>>for functional (i.e. non personal) mail to avoid any kind of key escrow
>>for personal keys.
>
> Just how are you going to implement that??? Bounce every message until you get
> a valid account?? There are personal spam firewalls out there that can work
> that way but these can prove unpopular.
>

Graphical firewall:
The concept of a graphical firewall and experiences with an
implementation can be found at:
https://www.dfn-cert.de/dfn/berichte/db093/maczkowsky-vnc.pdf
It's called 'Graphical' firewall, because only the 'picture' of a mail
client or a browser is displayed on the workstation of a user. The
programs run on a server in a different network. Attached files have to
be saved on a gateway and will be transferred to the inner network after
being checked. Files that have to be transferred to external addresses
go the same way in the opposite direction. From the user's point of view
is the additional transfer the biggest difference. Messages without
attachments are handled like in a local program. In this environment the
use of GnuPG is a real security enhancement without a drawback.

Functional mail accounts:
Each group of an organisation gets its own mail account that is not
associated with a real person. The GnuPG key for this account is known
by all members of this group and by the mail gateway. On the gateway
it's not loaded automatically at startup. The necessary passwords are
stored only in non-swappable memory and the system is specially hardened
(i.e. rsbac). Incoming messages are decrypted on this system. This kind
of use is published with the keys.

Central encryption/decryption:
See http://www.gnupg.org/aegypten/index.html for this.

>>'I do not fear 'ordinary' viruses or other malware. What I really fear
>>is a sophisticated attacker that sends on a very slow rate backdoors to
>>single users in my network. I can not guarantee that really no user will
>>start the program. If it is started, it's easy to create a backchannel
>>over allowed traffic like http.'
>
>
> You mean a Trojan? Or a root-kit? Then use an intrusion detection system, you
> simply cannot cover every possibility that someone may use, to deliberately
> install something like this, any other way. Email is not the only way to get
> rooted - I wouldn't even think it was the most common.
>

Perhaps not the most common, but a possible one. Would you open a
security hole without asking if there are ways to avoid the risk? Do you
remember how the source code of windows was stolen? It started with an
unsecured private computer and a tunneling program that was inserted
inside the Microsoft network in this way.

>>Does nobody fear this, too? I'm very surprised that this threat was
>>never discussed in the context of public key infrastructures. I know a
> The threat is nothing to do with GnuPG. You seem to be talking about a general
> network security issue that is more related to keeping the OS up to date with
> patches and general system maintenance.

In my opinion it is connected with making cryptography available on
workstations in a secured network.

> You are in danger of blaming the messenger.

Please apologise, I never wanted to blame GnuPG (the messenger) for
anything. It's a great program. I use it in my private environment for
various tasks and would like it at work, too. Because of this I asked
for advise on this mailing list.

> Have you excluded all other routes? Instant Messaging? IRC?
> Deliberate introduction by users? Known exploits?

I'm happy that I'm allowed to have a quite restrictive security policy.
Nothing perfect, but not too bad at all.

>
> 'A sophisticated attacker' will not want to rely on a method that, in turn,
> relies totally on a user decrypting a message and launching the attachment.
> There would need to be some kind of inside knowledge that a specific user
> would be likely to ignore all the basic security rules and willfully
> compromise their own system. An attacker willing to put in that much work is
> not going to stop if that method fails. Other attackers wouldn't even bother
> with the encrypted route, there are far easier targets on a system.
>

I would go this way :-( It's so easy to forge mail messages. And it's
also very easy to create an interesting program like a screensaver or
some kind of 'christmas fred' that at least one user will try out.

>>couple of big institutions (please apologize that I don't list the
>>institutions right here) that do allow personal use of encryption, but
>
> Probably because they don't understand it and / or are anxious to read all
> outgoing mail. (Note lack of smiley - some companies would love to filter all
> outgoing mail and probably already do.)

Also no smiley here: I don't want to filter mail, I really want to
respect the privacy of the users in my network. If the price for the use
of GnuPG would be a general key escrow I would not introduce GnuPG.

>>only one (a health insurance company) was aware of this problem. (Their
>>solution is to allow cryptography only for special messages like data
>>exchange with universities ;-)
>
> Then it sounds like they don't understand the issue. Personal encryption can
> be as much about prevention of identity fraud as 'subterfuge'. I sign emails
> because I don't want anyone else to be able to pose as me. I encrypt personal
> data so that it cannot be used to allow an attack to proceed beyond the
> compromised machine. (There may be other ways for an attacker to get to the
> next machine but it won't be by finding copies of passwords etc. lying around
> on the system.) Encryption can be part of your security and can be used to
> halt an incursion that has been made using other methods. If all users
> encrypted their passwords and other personal ID data with their own personal
> keys, it could be made much harder for attackers to move from one compromised
> machine to the next.

I agree.

> (Assuming of course, that the original passwords are
> half-way decent in the first place and not going to be cracked with a simple
> dictionary attack.)

Just a remark: If a password is just composed of upper and lowercase
alphabetic characters and digits it has an 'entropy' of about 70/255,
with all direct accessible characters about 90/255. So an 'average' 8
character long password is comparable with a 16 to 24 bit symmetric key.
Knowing this, even a brute force attack can be amazingly successful
against 'real' passwords. But this leads to a new question that I would
like to ask in a new thread: user chosen or generated passwords - what
is more secure?

> No one program or principle can give you security - the point is to target the
> weakest link. Only worry about encrypted emails when all other targets are
> removed. In the meantime, get an intrusion detection program.

Who told you that I'm only worried about encrypted mail messages ;-)

Thanks for your answer,
Thomas

From dshaw@jabberwocky.com Sun May 11 23:36:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sun May 11 22:36:03 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030511195706.GA1352@math.umd.edu>
References: <20030511195706.GA1352@math.umd.edu>
Message-ID: <20030511203631.GA4414@jabberwocky.com>

On Sun, May 11, 2003 at 03:57:06PM -0400, Daniel Carrera wrote:
> Hi all,
>
> I really think I'm doing everything right, and I don't understand why it's
> not working. I'm trying to upload my key to a keyserver. Here is what I
> get:
>
> dcarrera ~ $ gpg --list-keys daniel
> pub 1024D/0FEBCEC3 2003-05-10 Daniel Carrera (PhD Student, Math)
>
> sub 2048g/0D1C25EC 2003-05-10 [expires: 2005-05-09]
>
> dcarrera ~ $ gpg --send-keys 0x0FEBCEC3
> gpgkeys: error adding key 0x0FEBCEC3 to keyserver: Already exists
> gpg: keyserver internal error

That is an error from an LDAP keyserver.

> What does it mean by my key "already exists". It can't be in the server
> already. I haven't put it up yet. Besides, if it were Neil would have
> been able to retrieve it.

It's there:

gpgkeys: LDAP fetch for: (pgpkeyid=0FEBCEC3)
gpgkeys: requesting key 0x0FEBCEC3 from ldap://keyserver.pgp.com

User ID: Daniel Carrera (PhD Student, Math)
Short key ID: 0FEBCEC3

Presumably Neil was looking on one of the HKP keyservers. The LDAP
keyservers don't sync very well (if at all) with the HKP keyservers.

David

From martin.bretschneider@gmx.de Sun May 11 23:47:03 2003
From: martin.bretschneider@gmx.de (Martin Bretschneider)
Date: Sun May 11 22:47:03 2003
Subject: mobile GPG installation
In-Reply-To: <3EBE8BC2.3020100@nahrath.de>
References: <3EBC3092.6010605@nahrath.de> <3EBE8BC2.3020100@nahrath.de>
Message-ID:

Michael Nahrath wrote:

Hi Michael,

> Martin Bretschneider wrote:
>
> >>They have their mail accounts at some freemailer services and use
> >>them solely via web frontend on other people's computers or in
> >>internet cafes.
>
> > They can use a kind of secure webservices. Check www.hushmail.com
>
> I had a look at their website and can't take them seriously in
> security concerns. They do everything to prevent users seeing what
> is really happening.

That's strange since Philip R. Zimmermann has worked for/still works
for/has founded this enterprise... Ask Google or heise.de for details;)

> > or
> > http://www.sys3175.co.uk/securemail.php
>
> Thanks for that tip. Looks interesting. I guess I'll give it a try
> on my own webspace.

But it does not support PGP/MIME.

> The principal problem for users is still: They have to trust me and
> they have to trust my webserver's hostmasters.
> And they have to trust that the Browser's connection to the
> webserver is secure ...

Yes maybe the server-browser-connection (e.g. SSL 128bit) is less secure
than OpenPGP itself.

> But the idea to provide such a web-service on my own is appealing.

But then you have to be very trustable!

Kind regards from Martin

--
www.bretschneidernet.de OpenPGP_0x4EA52583 AIM_realfurbour
(o_ (o_ Mark Twain:
_-//$ //> Where prejudice exists it
- V_/_V_)_ always discolors our thoughts.

From ingo.kloecker@epost.de Mon May 12 00:55:03 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sun May 11 23:55:03 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <3EBEAE77.6030100@verwaltung.uni-mainz.de>
References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <200305111430.57378.linux@codehelp.co.uk> <3EBEAE77.6030100@verwaltung.uni-mainz.de>
Message-ID: <200305112301.19589@erwin.ingo-kloecker.de>

On Sunday 11 May 2003 22:11, Thomas Scheffczyk wrote:
> Just a remark: If a password is just composed of upper and
> lowercase alphabetic characters and digits it has an 'entropy' of about
> 70/255, with all direct accessible characters about 90/255. So an
> 'average' 8 character long password is comparable with a 16 to 24 bit
> symmetric key. Knowing this, even a brute force attack can be
> amazingly successful against 'real' passwords. But this leads to a
> new question that I would like to ask in a new thread: user chosen
> or generated passwords - what is more secure?

Well, of course generated passwords are more secure to be broken by
outsiders. OTOH, insiders might easily be able to break such passwords
because often the passwords can be found under the keyboard or on the
monitor. The best solution is the usage of smartcards. Then the secret
key can't be compromised because it never leaves the smartcard.

Regards,
Ingo

From dcarrera@math.umd.edu Mon May 12 01:15:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 12 00:15:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030511203631.GA4414@jabberwocky.com>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com>
Message-ID: <20030511221546.GA1485@math.umd.edu>

> gpgkeys: LDAP fetch for: (pgpkeyid=0FEBCEC3)
> gpgkeys: requesting key 0x0FEBCEC3 from ldap://keyserver.pgp.com
>
> User ID: Daniel Carrera (PhD Student, Math)
> Short key ID: 0FEBCEC3
>
> Presumably Neil was looking on one of the HKP keyservers. The LDAP
> keyservers don't sync very well (if at all) with the HKP keyservers.

Alright, I guess it's getting distributed now. I successfully added it
to keyserver.kjsl.com and pgp.mit.edu the way Manuel Samper showed me.

When I try to add it to the LDAP servers gpg just hangs. I've tried
with keyserver.pgp.com and pgp.surfnet.nl. Here is my command-line:

    gpg --keyserver keyserver.pgp.com --send-key 0x0FEBCEC3

Am I doing something wrong?

Also, what are LDAP and HKP servers?

Thanks a lot,
-- 
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD  (301) 405-5137    | 98FC 9E04 B9A0 0FEB CEC3 |

From malsyned@cif.rochester.edu Mon May 12 01:19:03 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Mon May 12 00:19:03 2003
Subject: multiple keyservers
Message-ID: <1052691768.23436.10.camel@dennisx.cif.rochester.edu>

If I specify multiple keyservers on the command line or in gpg.conf, how
does that affect the behavior of the various keyserver operations? If I
send my key, which server does it get sent to? all of them, the first
one, the last one, a random one? If I refresh my keys, where does the
data get pulled from? If I search, which servers get searched? If I
receive, which server sends what data in what order?

I haven't been able to deduce much from watching except that order
clearly makes some difference to GnuPG's behavior.

--Dennis Lambe

From Todd Mon May 12 02:48:02 2003
From: Todd (Todd)
Date: Mon May 12 01:48:02 2003
Subject: multiple keyservers
In-Reply-To: <1052691768.23436.10.camel@dennisx.cif.rochester.edu>
References: <1052691768.23436.10.camel@dennisx.cif.rochester.edu>
Message-ID: <20030511234908.GA32053@psilocybe.teonanacatl.org>

Dennis Lambe Jr. wrote:
> If I specify multiple keyservers on the command line or in gpg.conf, how
> does that affect the behavior of the various keyserver operations? If I
> send my key, which server does it get sent to? all of them, the first
> one, the last one, a random one? If I refresh my keys, where does the
> data get pulled from? If I search, which servers get searched? If I
> receive, which server sends what data in what order?

I think it uses the last one, but it's been a few weeks since I was
playing with this.

There was a thread here a few weeks back about multiple keyservers.
David Shaw said this was on the to do list, but hasn't been implemented
just yet. That thread starts here in the archives:

http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017842.html

-- 
Todd              OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
The means are the ends in progress
    -- Gandhi

From dshaw@jabberwocky.com Mon May 12 03:39:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 12 02:39:03 2003
Subject: multiple keyservers
In-Reply-To: <1052691768.23436.10.camel@dennisx.cif.rochester.edu>
References: <1052691768.23436.10.camel@dennisx.cif.rochester.edu>
Message-ID: <20030512003937.GB4414@jabberwocky.com>

On Sun, May 11, 2003 at 06:22:49PM -0400, Dennis Lambe Jr. wrote:
> If I specify multiple keyservers on the command line or in gpg.conf, how
> does that affect the behavior of the various keyserver operations? If I
> send my key, which server does it get sent to? all of them, the first
> one, the last one, a random one? If I refresh my keys, where does the
> data get pulled from? If I search, which servers get searched? If I
> receive, which server sends what data in what order?

It is possible that a future version of GnuPG will use multiple
keyservers at once, but for now, the last specified keyserver is the
only one that is used. All others are ignored.

David

From dshaw@jabberwocky.com Mon May 12 03:41:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 12 02:41:03 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030511221546.GA1485@math.umd.edu>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com> <20030511221546.GA1485@math.umd.edu>
Message-ID: <20030512004212.GC4414@jabberwocky.com>

On Sun, May 11, 2003 at 06:15:46PM -0400, Daniel Carrera wrote:
> > gpgkeys: LDAP fetch for: (pgpkeyid=0FEBCEC3)
> > gpgkeys: requesting key 0x0FEBCEC3 from ldap://keyserver.pgp.com
> >
> > User ID: Daniel Carrera (PhD Student, Math)
> > Short key ID: 0FEBCEC3
> >
> > Presumably Neil was looking on one of the HKP keyservers. The LDAP
> > keyservers don't sync very well (if at all) with the HKP keyservers.
>
> Alright, I guess it's getting distributed now. I successfully added it to
> keyserver.kjsl.com and pgp.mit.edu the way Manuel Samper showed me.
>
> When I try to add it to the LDAP servers gpg just hangs. I've tried with
> keyserver.pgp.com and pgp.surfnet.nl. Here is my command-line:
>
> gpg --keyserver keyserver.pgp.com --send-key 0x0FEBCEC3
>
> Am I doing something wrong?

gpg --keyserver ldap://keyserver.pgp.com --send-key 0x0FEBCEC3
                ^^^^^^^

If you don't specify a scheme (ldap, mailto, etc), then GnuPG assumes
"hkp://"

> Also, what are LDAP and HKP servers?

Two different keyserver protocols, each with their own good and bad
points.

David

From dcarrera@math.umd.edu Mon May 12 04:30:02 2003
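Added example (not part of any message in this archive, and not GnuPG's own code): a Python check of the two rules David Shaw states in his replies above, that only the last keyserver specified is used and that a name without a scheme is treated as hkp://. The function names, the constructed gpg.conf, the scheme list and the ordering rule (gpg.conf is read before the command line) are assumptions of this example.

```python
import shlex

# Schemes named in the thread ("ldap, mailto, etc" and the "hkp://" default);
# an assumption of this example, not an exhaustive list.
KNOWN_SCHEMES = ("hkp", "ldap", "mailto")

# Constructed gpg.conf using host names that appear in the thread.
SAMPLE_CONF = """\
# in gpg.conf the option is written without the leading dashes
keyserver ldap://keyserver.pgp.com
keyserver pgp.mit.edu
"""


def with_scheme(name):
    """Return name unchanged if it carries a known scheme, else assume hkp://."""
    if any(name.lower().startswith(s + ":") for s in KNOWN_SCHEMES):
        return name
    return "hkp://" + name


def keyservers_from_conf(conf_text):
    """Collect every 'keyserver VALUE' line, in file order."""
    found = []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "keyserver":
            found.append(parts[1].strip())
    return found


def keyservers_from_argv(argv):
    """Collect '--keyserver VALUE' and '--keyserver=VALUE', in argument order."""
    found = []
    i = 0
    while i < len(argv):
        if argv[i] == "--keyserver" and i + 1 < len(argv):
            found.append(argv[i + 1])
            i += 2
            continue
        if argv[i].startswith("--keyserver="):
            found.append(argv[i].split("=", 1)[1])
        i += 1
    return found


def resolve(conf_text, argv):
    """Return (used, ignored): the one keyserver in effect and those skipped."""
    # Assumption: gpg.conf is read before the command line, so a --keyserver
    # given on the command line counts as the "last specified" one.
    names = keyservers_from_conf(conf_text) + keyservers_from_argv(argv)
    seen = [with_scheme(n) for n in names]
    if not seen:
        return None, []
    return seen[-1], seen[:-1]


def host_of(uri):
    """Host part of a URI that already carries a scheme."""
    return uri.split(":", 1)[1].lstrip("/").split("/", 1)[0].lower()


def scheme_conflicts(used, ignored):
    """Ignored entries that name the same host as `used` under another scheme."""
    return [u for u in ignored if u != used and host_of(u) == host_of(used)]


if __name__ == "__main__":
    # The command line quoted in the thread.
    cmd = "gpg --keyserver keyserver.pgp.com --send-key 0x0FEBCEC3"
    used, ignored = resolve(SAMPLE_CONF, shlex.split(cmd))
    print("used:   ", used)
    print("ignored:", ignored)
    print("same host, other scheme:", scheme_conflicts(used, ignored))
```

A non-empty result from scheme_conflicts points at the situation in the thread: the host is known as an LDAP server, but the name in effect lacks the scheme and is therefore contacted as HKP.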
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 12 03:30:02 2003
Subject: Mutt and GPG (was: Getting started with signatures)
In-Reply-To: <20030511080424.GX32053@psilocybe.teonanacatl.org>
References: <20030511024040.GC1216@math.umd.edu> <20030511080424.GX32053@psilocybe.teonanacatl.org>
Message-ID: <20030512012644.GA2149@math.umd.edu>

> > If anyone is using Mutt, perhaps I could get some Mutt-specific help: It
> > looks like Mutt is not even trying to verify any of the signed messages
> > other than my own.
>
> That may well be an issue of the pgp signature format. Mutt uses PGP/MIME
> by default...

I've looked into it. Yes, I'm pretty sure that's the problem.

> You can make mutt check these signatures in several ways. The
> recommended way in 1.4 and above is to use the check-traditional-pgp
> function, which is bound to ESC P by default.

Mutt doesn't seem to recognize that option. I put it in my .muttrc file
(I bound it to ESC V and I got this error:

check-traditional-pgp: no such function in map

BTW, ESC P doesn't do a PGP check either.

> I prefer to leave the messages intact and I take advantage of a nice mutt
> patch that forces mutt to check for traditional (inline) pgp signatures[1].
[snip]
> [1] http://www.pizzashack.org/mutt/
> [2] http://www.woolridge.org/mutt/pgp-menu-traditional.html

Could you help me with patches? I've spent all afternoon trying to
figure out how to apply a patch and I just can't get it to work.

I'm starting with the very first patch:

patch-1.4.0.ddm.crypt-menu.1 (from [1])

dcarrera ~ $ ls
mutt-1.4/
patch-1.4.0.ddm.crypt-menu.1
patch-1.4.0.ddm.pgp-always-check-traditional.1
patch-1.4.1.dw.pgp-menu-traditional.2
dcarrera ~ $ patch < patch-1.4.0.ddm.crypt-menu.1
Looks like a unified context diff.
File to patch:

I don't know what to type here.
The man page for patch hasn't shown me anything useful. I've looked
everywhere and I just can't figure out why this isn't working.

I hope you can help,
-- 
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD  (301) 405-5137    | 98FC 9E04 B9A0 0FEB CEC3 |

From dshaw@jabberwocky.com Mon May 12 04:42:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 12 03:42:02 2003
Subject: Building 1.2.2 on SunOS 4
In-Reply-To: <20030511130424.GB2715@gbnet.net>
References: <1963591.1052168560910.JavaMail.jbruni@mac.com> <87addxwmh5.fsf@alberti.g10code.de> <20030508164607.GG25034@gbnet.net> <20030510044207.GM4414@jabberwocky.com> <20030510193203.GA27496@gbnet.net> <20030510204128.GQ4414@jabberwocky.com> <20030511130424.GB2715@gbnet.net>
Message-ID: <20030512014223.GD4414@jabberwocky.com>

On Sun, May 11, 2003 at 02:04:24PM +0100, Steve Kennedy wrote:
> On Sat, May 10, 2003 at 04:41:28PM -0400, David Shaw wrote:
>
> > > > Hmm. In the main gnupg build directory, what does
> > > > "grep underscore config.log" return?
> > > ac_cv_sys_symbol_underscore=no
> > What happens if you do "./configure ac_cv_sys_symbol_underscore=yes" ?
>
> That worked fine, thanks.

Good. Now we just have to figure out why the autoconf test didn't
detect that properly... :/

David

From johanw@vulcan.xs4all.nl Mon May 12 05:00:03 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Mon May 12 04:00:03 2003
Subject: Reg file on gnupg for windows
In-Reply-To: <3EBB41B0.8060201@myrealbox.com> from Santos at "May 9, 2003 06:50:40 am"
Message-ID: <200305112315.BAA01873@vulcan.xs4all.nl>

Santos wrote:

> "HomeDir"="C:\\GnuPG"
> "gpgProgram"="C:\\GnuPG\\gpg.exe"

Change this to the directory you put the file gpg.exe in. In your case
this should be

"HomeDir"="F:\\Program Files\\gnupg"
"gpgProgram"="F:\\Program Files\\gnupg\\gpg.exe"

-- 
ir. J.C.A. Wevers         // Physics and science fiction site:
johanw@vulcan.xs4all.nl   // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw@vulcan.xs4all.nl Mon May 12 05:00:33 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Mon May 12 04:00:33 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <3EBDCFBD.5080105@ntlworld.com> from Graham at "May 11, 2003 05:21:17 am"
Message-ID: <200305112341.BAA02366@vulcan.xs4all.nl>

Graham wrote:

> Encrypted code cannot be executed automatically,

Viruses that encrypt themselves with a random key and precede with
decryption code existed already in the late 1980's. If the method used
isn't known to the virus scanner you can't detect it, and it will at
least fool some heuristic scanners that scan for code that copies
itself.

However, self-modifying code can be another trigger that something is
wrong. But then, UPX and pklite packed executables might trigger an
alarm too.

-- 
ir. J.C.A. Wevers         // Physics and science fiction site:
johanw@vulcan.xs4all.nl   // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From Todd Mon May 12 07:07:02 2003
From: Todd (Todd)
Date: Mon May 12 06:07:02 2003
Subject: Mutt and GPG (was: Getting started with signatures)
In-Reply-To: <20030512012644.GA2149@math.umd.edu>
References: <20030511024040.GC1216@math.umd.edu> <20030511080424.GX32053@psilocybe.teonanacatl.org> <20030512012644.GA2149@math.umd.edu>
Message-ID: <20030512040812.GC32053@psilocybe.teonanacatl.org>

Daniel Carrera wrote:
>> That may well be an issue of the pgp signature format. Mutt uses PGP/MIME
>> by default...
>
> I've looked into it. Yes, I'm pretty sure that's the problem.

This bites a lot of people, unfortunately. Someday, PGP/MIME will be
widely supported and we can then move on to some other problem...

>> You can make mutt check these signatures in several ways. The
>> recommended way in 1.4 and above is to use the check-traditional-pgp
>> function, which is bound to ESC P by default.
>
> Mutt doesn't seem to recognize that option. I put it in my .muttrc file
> (I bound it to ESC V and I got this error:
>
> check-traditional-pgp: no such function in map

I'm not sure what might be wrong with your muttrc entry. You should be
able to make something like that work. If not, the mutt-users list
would be the place to ask about it.

> BTW, ESC P doesn't do a PGP check either.

Are you using a capital P, e.g. shift p and not just ESC p? If you are
using a capital P, what happens when you do this on a traditionally
signed or encrypted message? Do you get some error or something?

> Could you help me with patches? I've spent all afternoon trying to figure
> out how to apply a patch and I just can't get it to work.
>
> I'm starting with the very first patch:
>
> patch-1.4.0.ddm.crypt-menu.1 (from [1])
>
> dcarrera ~ $ ls
> mutt-1.4/
> patch-1.4.0.ddm.crypt-menu.1
> patch-1.4.0.ddm.pgp-always-check-traditional.1
> patch-1.4.1.dw.pgp-menu-traditional.2
> dcarrera ~ $ patch < patch-1.4.0.ddm.crypt-menu.1
> Looks like a unified context diff.
> File to patch:

I think you want to cd into the mutt-1.4 dir and then use the -p option
to patch. The patches have mutt-1.4 and mutt-1.4.new in the paths for
the files they're modifying, so to strip the directory from the path,
use

    patch -p1 < patch

I should have been more specific about which patch I meant on the first
url. The crypt-menu patch probably conflicts with the
pgp-menu-traditional patch (they both tweak some of the same code in
compose.c). I only use patch-1.4.0.ddm.pgp-always-check-traditional.1
and patch-1.4.1.dw.pgp-menu-traditional.2.

You may also find that you need to apply one of the patches before the
other if you get "Hunk failed" errors. I happen to apply the menu-trad
patch first in my builds, but I don't remember if that's intentional or
just by chance.

If you're going to build mutt from source, you might want to grab
1.4.1, it contains a security fix for imap servers.

Feel free to bug me off list if you have any trouble. I'll try to help
you out.

-- 
Todd              OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
Stop tolerating in your leaders what you would not tolerate in your
friends.
    -- Michael Ventura

From adam@viratech.com Mon May 12 08:02:03 2003
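Added example (not part of any message in this archive): Todd's reply above turns on how patch -pN strips leading directories from the file names in the diff headers, and on GNU patch using only the base name when no -p is given. The Python below reads the headers of a constructed patch and reports which -p setting finds every target file from a given directory; it also covers running from the parent directory with -p0, which the thread does not discuss. The patch text, file names and function names are constructed for the example.

```python
import os
import re
import tempfile

# Constructed patch with the mutt-1.4 / mutt-1.4.new header style Todd describes.
SAMPLE_PATCH = (
    "diff -ur mutt-1.4/compose.c mutt-1.4.new/compose.c\n"
    "--- mutt-1.4/compose.c\t2002-03-27 03:29:21.000000000 -0500\n"
    "+++ mutt-1.4.new/compose.c\t2002-06-01 12:00:00.000000000 -0400\n"
    "@@ -1,3 +1,3 @@\n"
    " line one\n"
    "-line two\n"
    "+line 2\n"
    " line three\n"
    "--- mutt-1.4/pgp.c\t2002-01-01 00:00:00.000000000 -0500\n"
    "+++ mutt-1.4.new/pgp.c\t2002-06-01 12:00:00.000000000 -0400\n"
    "@@ -1,2 +1,2 @@\n"
    "-old\n"
    "+new\n"
    " same\n"
    "--- mutt-1.4/doc/manual.txt\t2002-01-01 00:00:00.000000000 -0500\n"
    "+++ mutt-1.4.new/doc/manual.txt\t2002-06-01 12:00:00.000000000 -0400\n"
    "@@ -1 +1 @@\n"
    "-old text\n"
    "+new text\n"
)


def old_paths(patch_text):
    """Return the old-file name from every '---' line directly followed by '+++'."""
    lines = patch_text.splitlines()
    paths = []
    for cur, nxt in zip(lines, lines[1:]):
        if cur.startswith("--- ") and nxt.startswith("+++ "):
            # The name ends at the first tab; a timestamp may follow it.
            paths.append(cur[4:].split("\t", 1)[0].strip())
    return paths


def strip_components(path, level):
    """Mimic patch -pN. level=None means no -p was given: keep the base name only."""
    if level is None:
        return path.rsplit("/", 1)[-1]
    parts = re.sub(r"/+", "/", path).split("/")  # adjacent slashes count as one
    if level >= len(parts):
        return None  # nothing is left of the name at this level
    return "/".join(parts[level:])


def working_levels(patch_text, directory, max_level=4):
    """List the -p settings under which every target file exists in `directory`."""
    usable = []
    for level in [None] + list(range(max_level + 1)):
        targets = [strip_components(p, level) for p in old_paths(patch_text)]
        if targets and all(
            t and os.path.isfile(os.path.join(directory, t)) for t in targets
        ):
            usable.append(level)
    return usable


def demo():
    """Build a constructed source tree and report usable -p levels per directory."""
    with tempfile.TemporaryDirectory() as home:
        src = os.path.join(home, "mutt-1.4")
        os.makedirs(os.path.join(src, "doc"))
        for name in ("compose.c", "pgp.c", os.path.join("doc", "manual.txt")):
            with open(os.path.join(src, name), "w") as fh:
                fh.write("placeholder\n")
        return {
            "from_home": working_levels(SAMPLE_PATCH, home),
            "from_source_dir": working_levels(SAMPLE_PATCH, src),
        }


if __name__ == "__main__":
    print(demo())
```

In neither directory does the no-option form (None) appear in the result, which is the situation in which patch stops and asks "File to patch:".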
From: adam@viratech.com (Adam Smith)
Date: Mon May 12 07:02:03 2003
Subject: Cracking AES
Message-ID: <000d01c31843$ec10b820$0200000a@discovery>

Greetings!

I have recently had a hardware token go awry, so I got my backup keys
from the secure location where I stored them two years ago, but I
protected the backup using AES256 with a pass phrase consisting of
every password I've ever used before concatenated together. I remember
all of them except for the strongest one; 32 characters of upper case,
lower case, all symbols, and an ASCII character thrown in there. I
remember a good number of it, however, and think that with about 10E10
attempts I should be able to get it. This is computationally a walk in
the park but I have to get my environment set up to try all of these.

I run a mixed Win32/OpenBSD environment but am far more familiar with
Windows. I set up a batch file like so:

@echo off
echo GUESS1|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt text.pgp
echo GUESS2|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt text.pgp
...

This does not work for me, however, because GPG messes up when you try
to feed it a '&' through this method (I'm escaping all of the special
characters in echo using a '^' but can't find an escape character for
GPG). Any suggestions?

Even if it did work, however, I'd still like to be able to do more than
8 tries per second. With the right kind of coding I should be able to
easily get 10,000 tries/second but do not have any experience. Is
source code available for the Windows binary (I could not find it)?
Anyone ever done this before?

Thanks!

Adam Smith

From jbruni@mac.com Mon May 12 08:03:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 12 07:03:02 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <3EBDAD5D.6050308@attbi.com>
Message-ID:

You hit the nail on the head here. If the most virus-vulnerable
software were not also the most common, the anti-virus companies would
be nearly out of business.

As an IT manager, it is intellectually dishonest to continue to try to
play both sides of the game here: One cannot on the one hand claim to
be for system security, cost effectiveness, etc., while at the same
time continue to support and recommend software from Microsoft. To do
so is merely paying lip-service and is professionally dishonorable.

To establish a corporate policy banning the use of encryption because
"someone might slip through a Windows virus" is reprehensible. If one
of my employees ever recommended something like that I would fire him.

On Saturday, May 10, 2003, at 06:54 PM, John Clizbe wrote:

> Eugene Smiley wrote:
>>
>> I think you are missing the point with regard to the issue of
>> server based virus scanning. It isn't that hard to imagine a
>> virus generating an email via Outlook which is then passed to
> --------------------------------^^^^^^^
>> GPGRelay; the user isn't paying attention, types the passphrase,
>> and it gets emailed; the user on the other end decrypts it and
>> opens the attachment... BLAMO!
>
> Ding! There's the REAL culprit - There seems to be as many LookOut!
> exploits out on the 'Net as there are attacks against InternetExploder.
>
> Perhaps a less-easily hijacked MUA is needed. What you describe here is
> more E-mail worm than SPAM.
>
> --
> John P. Clizbe Inet: JPClizbe@EarthLink.net
> Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
> "Most men take the straight and narrow. A few take the road less
> traveled. I chose to cut through the woods."
> "There is safety in Numbers...
*VERY LARGE PRIME* Numbers
> 9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals

From pt@radvis.nu Mon May 12 09:38:02 2003
From: pt@radvis.nu (Per Tunedal)
Date: Mon May 12 08:38:02 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <200305112035.04886@erwin.ingo-kloecker.de>
References: <3EBE33EF.4050500@verwaltung.uni-mainz.de> <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBE33EF.4050500@verwaltung.uni-mainz.de>
Message-ID: <5.1.0.14.2.20030512082841.02c42ac0@localhost>

At 20:34 2003-05-11 +0200, Ingo Klöcker wrote:
>On Sunday 11 May 2003 13:28, Thomas Scheffczyk wrote:
>> Until now, no comment was given to my first post scriptum:
>>
>> 'I do not fear 'ordinary' viruses or other malware. What i really
>> fear is a sophisticated attacker that send on a very slow rate
>> backdoors to single users in my network. I can not guarantee the
>> really no user will start the program. If it is started, it's easy to
>> create a backchannel over allowed traffic like http.'
>>
>> Does nobody fear this, too?
>There's not much you can do to prevent this from happening apart from
>installing a strict policy for the usage of encryption. One option
>would be to disallow MIME (OpenPGP or S/MIME) encrypted messages and
>only allow inline encryption because with inline encryption attachments
>can't be encrypted.
>
>Regards,
>Ingo

Yes, Ingo! GPGrelay encrypts attachments when using inlined encryption!
I really like it! A wonderful feature ;-)>

Per Tunedal

From wk@gnupg.org Mon May 12 10:05:03 2003
From: wk@gnupg.org (Werner Koch)
Date: Mon May 12 09:05:03 2003
Subject: mobile GPG installation
In-Reply-To: <3EBE990A.9010201@3web.net> (tk's message of "Sun, 11 May 2003 18:40:10 +0000")
References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net> <200305111933.24401@fortytwo.ch> <3EBE990A.9010201@3web.net>
Message-ID: <87k7cwej77.fsf@alberti.g10code.de>

On Sun, 11 May 2003 18:40:10 +0000, tk said:

> Yes, malware/keyloggers/etc. on a computer can be a problem,

No, they are an immense problem. There are hundreds of thousands of
script kiddies waiting to attack your box. In contrast only a few
people can get physical access.

BTW, using the registry has been done due to a huge public demand.
--homedir bypasses the registry except for internationalization.

-- 
Nonviolence is the greatest force at the disposal of mankind. It is
mightier than the mightiest weapon of destruction devised by the
ingenuity of man. -Gandhi

From wk@gnupg.org Mon May 12 10:10:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Mon May 12 09:10:02 2003
Subject: mobile GPG installation
In-Reply-To: (Martin Bretschneider's message of "Sun, 11 May 2003 22:30:58 +0200")
References: <3EBC3092.6010605@nahrath.de> <3EBE8BC2.3020100@nahrath.de>
Message-ID: <87he80eiyz.fsf@alberti.g10code.de>

On Sun, 11 May 2003 22:30:58 +0200, Martin Bretschneider said:

> That strange since Philip R. Zimmermann has worked for/still works
> for/has founded this enterprise... Ask google or heise.de for details;)

He also worked for NAI who - afaik - released a tool to create
self-decrypting PGP files ...

> Yes maybe the server-browser-connection (e.g. SSL 128bit) is less
> secure than OpenPGP itself.

The primary problem with SSL is the required PKI which frankly does not
exist. Look into most browsers and you will find root certificates
from very questionable organisations; i.e. it is not hard to create a
faked certificate.

-- 
Nonviolence is the greatest force at the disposal of mankind. It is
mightier than the mightiest weapon of destruction devised by the
ingenuity of man. -Gandhi

From ingo.kloecker@epost.de Mon May 12 10:37:03 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Mon May 12 09:37:03 2003
Subject: gnupg encrypted mail and malware/spam
In-Reply-To: <5.1.0.14.2.20030512082841.02c42ac0@localhost>
References: <3EBE33EF.4050500@verwaltung.uni-mainz.de> <5.1.0.14.2.20030512082841.02c42ac0@localhost>
Message-ID: <200305120920.13217@erwin.ingo-kloecker.de>

On Monday 12 May 2003 08:30, you wrote:
> At 20:34 2003-05-11 +0200, Ingo Klöcker wrote:
> >On Sunday 11 May 2003 13:28, Thomas Scheffczyk wrote:
> >> Until now, no comment was given to my first post scriptum:
> >>
> >> 'I do not fear 'ordinary' viruses or other malware. What i really
> >> fear is a sophisticated attacker that send on a very slow rate
> >> backdoors to single users in my network. I can not guarantee the
> >> really no user will start the program. If it is started, it's
> >> easy to create a backchannel over allowed traffic like http.'
> >>
> >> Does nobody fear this, too?
> >
> >There's not much you can do to prevent this from happening apart
> > from installing a strict policy for the usage of encryption. One
> > option would be to disallow MIME (OpenPGP or S/MIME) encrypted
> > messages and only allow inline encryption because with inline
> > encryption attachments can't be encrypted.
> >
> >Regards,
> >Ingo
>
> Yes, Ingo! GPGrelay encrypts attachments when using inlined
> encryption! I really like it! A wonderful feature ;-)>

Well, that's good for you. ;-) But there is no standard for inline
encrypted attachments. So that's no problem because there's probably
not a single native Windows email client which automatically decrypts
these attachments. Heck, not even PGP/MIME is supported by Outlook. So
what's the problem anyway?
I don't think that an attacker will use PGP (be it inline or PGP/MIME)
as long as Outlook only supports S/MIME encryption natively.

Regards,
Ingo

From heiko.teichmeier@sw-meerane.de Mon May 12 11:09:03 2003
From: heiko.teichmeier@sw-meerane.de (Heiko Teichmeier)
Date: Mon May 12 10:09:03 2003
Subject: Reg file on gnupg for windows
References: <200305112315.BAA01873@vulcan.xs4all.nl>
Message-ID: <3EBF5682.8000800@sw-meerane.de>

Johan Wevers wrote:
> Santos wrote:
>
>
>>"HomeDir"="C:\\GnuPG"
>>"gpgProgram"="C:\\GnuPG\\gpg.exe"
>
>
> Change this to the directory you put the file gpg.exe in. In your case
> this should be
>
> "HomeDir"="F:\\Program Files\\gnupg"

The "HomeDir" is the directory where the gpg.conf- or options-file is
stored and (most) the keyrings. We use for this directory a
networkbased userspecific dir with read_and_write-rights only for the
user. So the user can access with each computer in our network to his
own keys and options.

> "gpgProgram"="F:\\Program Files\\gnupg\\gpg.exe"
>

-- 
Kind regards

Stadtwerke Meerane GmbH
Teichmeier
Netzmeister NB Elt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
heiko.teichmeier@sw-meerane.de
Tel: +49 3764 791720
Fax: +49 3764 791719
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sw-meerane.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From pt@radvis.nu Mon May 12 11:52:02 2003
From: pt@radvis.nu (Per Tunedal)
Date: Mon May 12 10:52:02 2003
Subject: OT Outlook Re: gnupg encrypted mail and malware/spam
In-Reply-To: <200305120920.13217@erwin.ingo-kloecker.de>
References: <5.1.0.14.2.20030512082841.02c42ac0@localhost> <3EBE33EF.4050500@verwaltung.uni-mainz.de> <5.1.0.14.2.20030512082841.02c42ac0@localhost>
Message-ID: <5.1.0.14.2.20030512104759.020307f8@localhost>

At 09:20 2003-05-12 +0200, you wrote:
>On Monday 12 May 2003 08:30, you wrote:
>> At 20:34 2003-05-11 +0200, Ingo Klöcker wrote:
>>
>> Yes, Ingo! GPGrelay encrypts attachments when using inlined
>> encryption! I really like it! A wonderful feature ;-)>
>
>Well, that's good for you. ;-) But there is no standard for inline
>encrypted attachments. So that's no problem because there's probably
>not a single native Windows email client which automatically decrypts
>these attachments. Heck, not even PGP/MIME is supported by Outlook. So
>what's the problem anyway? I don't think that an attacker will use PGP
>(be it inline or PGP/MIME) as long as Outlook only supports S/MIME
>encryption natively.
>
>Regards,
>Ingo

I read there was a bug in Outlook that sent mail unencrypted though it
was supposed to be encrypted, in some occasions. No warning to sender.
Classed as "a medium security issue" by MS. Not fixed yet as far as I
know.

I believe there is an advantage in open software ...

Per Tunedal

From cnk@dodo.com.au Mon May 12 11:59:01 2003
From: cnk@dodo.com.au (Chris Mance)
Date: Mon May 12 10:59:01 2003
Subject: call gpg to encrypt a file with php on windows
Message-ID: <015901c31864$d2ffc6c0$0100a8c0@server>

Hi

I'm using gnupg on win 2000.
I was wondering how to encrypt a file to send via email using php.

Thanks in advance.

Chris Mance

From daniel@amristar.com.au Mon May 12 12:57:03 2003
From: daniel@amristar.com.au (Daniel Harvey)
Date: Mon May 12 11:57:03 2003
Subject: What is the status of gpg-agent?
Message-ID:

Hi,

What is the status of gpg-agent? I cannot seem to find a recent
reference to it and cannot find it in the latest source (1.2.2).

I admit that I haven't looked in CVS, but it doesn't seem to be around?

Regards
-- 
Daniel Harvey                                      Phone/Fax +61 8 9389 7844/33
Director, Amristar Pty Ltd; www.amristar.com.au    Mobile +61 41 444 8136

From wk@gnupg.org Mon May 12 15:05:03 2003
From: wk@gnupg.org (Werner Koch)
Date: Mon May 12 14:05:03 2003
Subject: What is the status of gpg-agent?
In-Reply-To: (Daniel Harvey's message of "Sun, 11 May 2003 23:13:21 +0800 (WST)")
References:
Message-ID: <873cjke58g.fsf@alberti.g10code.de>

On Sun, 11 May 2003 23:13:21 +0800 (WST), Daniel Harvey said:

> What is the status of gpg-agent? I cannot seem to find a recent reference
> to it and cannot find it in the latest source (1.2.2).

Either use the one from the newpg package under alpha/aegypten/ or the
CVS GNUPG-1-9-BRANCH using the co option -f.

Salam-Shalom,

Werner

-- 
Nonviolence is the greatest force at the disposal of mankind. It is
mightier than the mightiest weapon of destruction devised by the
ingenuity of man. -Gandhi

From wk@gnupg.org Mon May 12 15:10:02 2003
From: wk@gnupg.org (Werner Koch) Date: Mon May 12 14:10:02 2003 Subject: OT Outlook Re: gnupg encrypted mail and malware/spam In-Reply-To: <5.1.0.14.2.20030512104759.020307f8@localhost> (Per Tunedal's message of "Mon, 12 May 2003 10:52:08 +0200") References: <5.1.0.14.2.20030512082841.02c42ac0@localhost> <3EBE33EF.4050500@verwaltung.uni-mainz.de> <5.1.0.14.2.20030512082841.02c42ac0@localhost> <5.1.0.14.2.20030512104759.020307f8@localhost> Message-ID: <87znlscqhr.fsf@alberti.g10code.de> On Mon, 12 May 2003 10:52:08 +0200, Per Tunedal said: > I read there was a bug in Outlook that sent mail unencrypted though it was > supposed to be encrypted, in some occasions. No warning to sender. Classed To be correct, this happens only in the Outlook <-> Exchange communication and not to the outside world. If you believe that there are no malicious users inside the local network there is no harm. Well, if you believe... -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From apavelec@benefit-services.com Mon May 12 16:14:03 2003 
From: apavelec@benefit-services.com (Adam Pavelec) Date: Mon May 12 15:14:03 2003 Subject: mobile GPG installation References: <3EBC3092.6010605@nahrath.de><3EBE8BC2.3020100@nahrath.de> <87he80eiyz.fsf@alberti.g10code.de> Message-ID: <004c01c31888$75939150$2027a8c0@apavelec> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Monday, May 12, 2003 3:12 AM [GMT-5=EST], Werner Koch wrote: > He also worked for NAI who - afaik - released a tool to create > self-decrypting PGP files ... Speaking of which, has anyone been working on such a tool that uses GnuPG? The ability to create Self-Decrypting Archives comes in quite handy when dealing with luddites. TIA, Adam -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 iD8DBQE+v54cDwRQnkBSh2sRAvkUAJ9VeIkf6tarIjA2BRRHQKtOuSkSkgCgteHs tbSoce03xXEzNkoF11Si4eQ= =YX+b -----END PGP SIGNATURE----- From wk@gnupg.org Mon May 12 17:05:02 2003 
From: wk@gnupg.org (Werner Koch)
Date: Mon May 12 16:05:02 2003
Subject: mobile GPG installation
In-Reply-To: <004c01c31888$75939150$2027a8c0@apavelec> ("Adam Pavelec"'s message of "Mon, 12 May 2003 09:14:40 -0400")
References: <3EBC3092.6010605@nahrath.de> <3EBE8BC2.3020100@nahrath.de> <87he80eiyz.fsf@alberti.g10code.de> <004c01c31888$75939150$2027a8c0@apavelec>
Message-ID: <87r874cl3r.fsf@alberti.g10code.de>

On Mon, 12 May 2003 09:14:40 -0400, Adam Pavelec said:

> Speaking of which, has anyone been working on such a tool that
> uses GnuPG? The ability to create Self-Decrypting Archives
> comes in quite handy when dealing with luddites.

We have talked about this here several times. GnuPG won't provide
such a thing for 4 reasons:

1. It is not secure and can easily be attacked (replacing the
   decryption code by custom code which sends the passphrase back to
   the attacker).

2. It gives a false sense of security.

3. It is not portable - a sender does not necessarily know on what
   platform the recipient wants to unpack/decrypt the document. Well,
   ia32 is a good guess but there are a lot of users with PDAs using a
   non-ia32 CPU. And of course there is not only Windows.

4. It is easier to install a real crypto application and use this to
   decrypt something. Nobody would send a PDF reader along with a
   PDF document.

Shalom-Salam,

Werner

--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi

From dlc@users.sourceforge.net Mon May 12 17:26:02 2003
From: dlc@users.sourceforge.net (darren chamberlain) Date: Mon May 12 16:26:02 2003 Subject: gnupg encrypted mail and malware/spam In-Reply-To: <3EBE33EF.4050500@verwaltung.uni-mainz.de> References: <3EBD41B6.8030602@verwaltung.uni-mainz.de> <20030510195340.A12480@cp5340.hyatsv01.md.comcast.net> <3EBE33EF.4050500@verwaltung.uni-mainz.de> Message-ID: <20030512-d76806a6cbfb142f0633ee0935136f67@tumbleweed.boston.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Thomas Scheffczyk [2003-05-12 08:55]: > I do not fear 'ordinary' viruses or other malware. What i really fear > is a sophisticated attacker that send on a very slow rate backdoors to > single users in my network. I can not guarantee the really no user will > start the program. If it is started, it's easy to create a backchannel > over allowed traffic like http. The third sentence ("I can not guarantee the really no user will start the program") makes me think this might be a problem solved by a policy, or by social means, not technology, or at least not only technology. For example, several years ago, I worked in a place where email clients capable of executing code were *explicitly forbidden*, in order to prevent this from happening. (darren) - -- Do what thou wilt shall be the whole of the Law. Love is the law, love under will. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+v64XzsinjrVhZaoRAt4MAJ9ctz1zZPuSSJc0UHqAGhQ8CH9EmACeLqZ4 ozwPXPPZh1hidSYOE5NPlOc= =SV77 -----END PGP SIGNATURE----- From sbutler@fchn.com Mon May 12 18:08:02 2003 
From: sbutler@fchn.com (Steve Butler) Date: Mon May 12 17:08:02 2003 Subject: gnupg encrypted mail and malware/spam Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EBFDB7@jupiter.fchn.com> Now that HPIAA is in force within the USA, many of us in the health care industry must install encryption software for individuals who must exchange protected health information (PHI) with cooperating institutions. Thus, we have PGP and GnuPG on several client machines around the company. However, this is not the major problem of bringing unintended viruii into the company. Folks do use the web to check their personal email accounts during breaks or the lunch hour. An attachment can be zipped with a password (another form of encryption). Finally, there are folks who must be allowed on to the Web as part of their work day. These folks will surf it during breaks. More viruii pop in on their machines. We have found it best to have two competing virus scanning software. Usually written by different authors. One sits near (or on) the firewall and monitors the traffic (including email). The other sits on each client within the company and monitors that particular box. There have been incidents that demonstrate the wisdom of spreading the virus checking around. Don't depend on a single point of failure. --Steve Butler Oracle Administrator First Choice Health Network "Those who give up liberty for the sake of security deserve neither liberty nor security." -- Ben Franklin -----Original Message----- 
From: Thomas Scheffczyk [mailto:thomas.scheffczyk@verwaltung.uni-mainz.de] Sent: Sunday, May 11, 2003 4:29 AM To: Anthony E. Greene Cc: gnupg-users@gnupg.org Subject: Re: gnupg encrypted mail and malware/spam -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anthony E. Greene schrieb: >>If gnupg is used to protect mail messages it also disables all server >>based protection measures against malware and spam. No virus scanner nor >>spam filter an firewalls or gateways can check the encrypted messages. > > Your needs are not well addressed by GnuPG. You should consider buying > some of the tools offered by PGP Corp. > > http://www.pgp.com/ > Hello Tony, hello all, thank you all for your comments and suggestions. Perhaps I'm to pessimistic, but I do not share the opinion that it would to much work for spammers to encrypt (not sign) their messages. I can imagine that the success ratio of an encrypted spam would be remarkably higher compared with a unencrypted and often filtered message :-( Just a comment to pgp: I used the commercial version of pgp for a while, but if even possible I will never do again. I bought quite a couple of licences just a month before NAI decided to set the development of pgp to hold. The worst thing was, that it wasn't possible to use pgp on WinXP and I really didn't want to maintain different programs for each platform. I guess that my question was a little misleading and to spam centric. A graphical firewall and a gateway for checked files would be a possible solution. Another solution would be to accept encrypted messages only for functional (i.e. non personal) mail to avoid any kind of key escrow for personal keys. Until now, no comment was given to my first post scriptum: 'I do not fear 'ordinary' viruses or other malware. What i really fear is a sophisticated attacker that send on a very slow rate backdoors to single users in my network. I can not guarantee the really no user will start the program. 
If it is started, it's easy to create a backchannel over allowed traffic like http.' Does nobody fear this, too? I'm very surprised that this threat was never discussed in the context of public key infrastructures. I know a couple of big institutions (please apologize that I don't list the institutions right here) that do allow personal use of encryption, but only one (a health insurance company) was aware of this problem. (Their solution is to allow cryptography only for special messages like data exchange with universities ;-) Hoping for more comments and suggestions, Yours, Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQE+vjPvICWLj6LjFjIRAuUmAJ0cPXRJdXMXAzkI9cw5UTBz8o5XBgCgrFsr ukGIg2Ew+UjScLFicmcEywU= =5VpT -----END PGP SIGNATURE----- From burns@runbox.com Mon May 12 20:18:02 2003 
From: burns@runbox.com (Burns) Date: Mon May 12 19:18:02 2003 Subject: SDA (was: mobile GPG installation) In-Reply-To: <87r874cl3r.fsf@alberti.g10code.de> Message-ID: <20030512171928.53543.qmail@web10508.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --- Werner Koch wrote: > On Mon, 12 May 2003 09:14:40 -0400, Adam Pavelec said: > > > Speaking of which, has anyone been working on such a tool that > > uses GnuPG? The ability to create Self-Decrypting Archives > > comes in quite handy when dealing with luddites. > > We have talked about this here several times. GnuPG won't provide > such a thing for 4 reasons: > > 1. It is not secure and can easily be attacked (replacing the > decryption code by custom code which sends the passphrase back to > the attacker). You can achieve some protection if the recipient (someone without gpg/pgp) has a md5 hash application, to check for the proper hash value (previously given over the phone?) before they opened it. A very simple to use hash utility for Windows: MD5 for Win32 http://www.geocities.com/ballarke/Applications/MD5Win32/ Just a thought. Randy -----BEGIN PGP SIGNATURE----- iD8DBQE+v9YUhNLaTSzsrh8RApCCAJ4lvgDKrIUCH6RF7F6PpjES+P96PgCgre4/ nJDtWnwTPyUPu9ILdBB5vqc= =aMpF -----END PGP SIGNATURE----- From Todd Mon May 12 21:34:02 2003 
From: Todd (Todd) Date: Mon May 12 20:34:02 2003 Subject: SDA (was: mobile GPG installation) In-Reply-To: <20030512171928.53543.qmail@web10508.mail.yahoo.com> References: <87r874cl3r.fsf@alberti.g10code.de> <20030512171928.53543.qmail@web10508.mail.yahoo.com> Message-ID: <20030512183435.GO32053@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Burns wrote: > You can achieve some protection if the recipient (someone without > gpg/pgp) has a md5 hash application, to check for the proper hash > value (previously given over the phone?) before they opened it. That's not a standard part of any Windows OS though (as far as I know, but I don't use windows if I can avoid it so I could be wrong). So the user you want to send the SDA to still has to install some software. They might as well install an OpenPGP application if they want to decrypt OpenPGP data. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ============================================================================ Men have become the tools of their tools. -- Henry David Thoreau (1817-1862) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE+v+k7uv+09NZUB1oRAjw9AKDk5yTeIWuQSAnAGnjR7zwfuzMG5wCg7wNB 1xNZT5pi2YQCWOEttu9XBoI= =xCn5 -----END PGP SIGNATURE----- From agreene@pobox.com Mon May 12 22:01:02 2003 
From: agreene@pobox.com (Anthony E. Greene) Date: Mon May 12 21:01:02 2003 Subject: Was www.gnupg.org compromised? In-Reply-To: <20030512181249.GA9885@mail.volta.dyndns.org> References: <20030512181249.GA9885@mail.volta.dyndns.org> Message-ID: <3EBFF099.6030300@pobox.com> mike ledoux wrote: > I've just tried to download GnuPG 1.2.2 sources to upgrade, and am > having some problems. The bz2 link on the website claims to be > 2.1MB, the copy I just downloaded was 4.5MB. Needless to say, the > signature didn't verify. I also tried the gz link, which claimed a > 3MB download, which actually came in at 6.4MB. Again, the signature > didn't verify. If you used a browser, try using wget instead. Sometimes browsers uncompress as they download. Tony -- Anthony E. Greene OpenPGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D AOL/Yahoo Chat: TonyG05 HomePage: Linux. The choice of a GNU generation. From jharris@widomaker.com Mon May 12 22:19:03 2003 
From: jharris@widomaker.com (Jason Harris)
Date: Mon May 12 21:19:03 2003
Subject: Was www.gnupg.org compromised?
In-Reply-To: <20030512181249.GA9885@mail.volta.dyndns.org>
References: <20030512181249.GA9885@mail.volta.dyndns.org>
Message-ID: <20030512192032.GB87246@pm1.ric-30.lft.widomaker.com>

On Mon, May 12, 2003 at 02:12:49PM -0400, mike ledoux wrote:

> I've just tried to download GnuPG 1.2.2 sources to upgrade, and am
> having some problems. The bz2 link on the website claims to be
> 2.1MB, the copy I just downloaded was 4.5MB. Needless to say, the
> signature didn't verify. I also tried the gz link, which claimed a
> 3MB download, which actually came in at 6.4MB. Again, the signature
> didn't verify.
>
> Does anyone have any information about this?

The server lists the correct filesize. Try downloading it again.
You should have:

  %esha1sum $pd/gnupg-1.2.2.tar.bz2*
  8f620b67dad86577cf77d7b43ba2ae43e204b5bc 2225034 /usr/ports/distfiles/gnupg-1.2.2.tar.bz2
  827271d587e55035ee091b26404c8b41ac15d78f 65 /usr/ports/distfiles/gnupg-1.2.2.tar.bz2.sig

But first try:

  %truncate -s 2225034 gnupg-1.2.2.tar.bz2

in case something got appended to it.

--
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+v/P/SypIl9OdoOMRApUNAJ9F+NEI2lm77fLdBdAALqaqAIWz2ACfX4z3
qLmKTjJB2GDlS4wxyz0S1ys=
=hqMM
-----END PGP SIGNATURE-----

From linux@codehelp.co.uk Mon May 12 22:30:02 2003
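The checks suggested in the replies above (compare size and SHA-1, see whether the published length is a clean prefix, suspect a browser that decompressed the file), collected into one triage function. This is an added example, not part of the original posts; the function names and the constructed sample tarball are assumptions, and only the size and SHA-1 constants come from the message above.

```python
"""Triage a source download whose detached signature fails to verify."""
import bz2
import hashlib
import io
import tarfile

# Size and SHA-1 quoted in the message above for gnupg-1.2.2.tar.bz2.
PAGE_SIZE = 2225034
PAGE_SHA1 = "8f620b67dad86577cf77d7b43ba2ae43e204b5bc"

COMPRESSED_MAGICS = (b"BZh", b"\x1f\x8b")  # bzip2 and gzip file signatures
TAR_MAGIC_OFFSET = 257                     # "ustar" lives here in a tar header


def diagnose_download(data, expected_size, expected_sha1):
    """Classify a downloaded byte string against the published size and hash.

    Returns one of:
      "ok"                      size and hash both match
      "trailing-data"           the first expected_size bytes hash correctly,
                                so something was appended (truncate fixes it)
      "decompressed-in-transit" the bytes are a bare tar, i.e. the client
                                undid the compression; the signature covers
                                the compressed file, so fetch it again with
                                a tool that stores the bytes as served
      "mismatch"                none of the above; treat the file as untrusted
    A matching hash only rules out transfer damage. Authenticity still comes
    from verifying the detached signature with a trusted key.
    """
    expected_sha1 = expected_sha1.lower()
    if len(data) == expected_size and hashlib.sha1(data).hexdigest() == expected_sha1:
        return "ok"
    if len(data) > expected_size:
        prefix = data[:expected_size]
        if hashlib.sha1(prefix).hexdigest() == expected_sha1:
            return "trailing-data"
    looks_compressed = data.startswith(COMPRESSED_MAGICS)
    tar_magic = data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5]
    if not looks_compressed and tar_magic == b"ustar":
        return "decompressed-in-transit"
    return "mismatch"


def diagnose_file(path, expected_size=PAGE_SIZE, expected_sha1=PAGE_SHA1):
    """Same check for a file on disk, defaulting to the values from the page."""
    with open(path, "rb") as fh:
        return diagnose_download(fh.read(), expected_size, expected_sha1)


def make_sample_tarball():
    """Build a small constructed tar and its bzip2 form, entirely in memory."""
    payload = b"constructed sample file\n" * 64
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="sample-1.0/README")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    return tar_bytes, bz2.compress(tar_bytes)


if __name__ == "__main__":
    tar_bytes, good = make_sample_tarball()
    size, sha1 = len(good), hashlib.sha1(good).hexdigest()
    for label, blob in [("intact", good),
                        ("appended", good + b"\0" * 512),
                        ("decompressed", tar_bytes)]:
        print(label, "->", diagnose_download(blob, size, sha1))
```
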
From: linux@codehelp.co.uk (Neil Williams)
Date: Mon May 12 21:30:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030511203631.GA4414@jabberwocky.com>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com>
Message-ID: <200305121927.21062.linux@codehelp.co.uk>

On Sunday 11 May 2003 9:36 pm, David Shaw wrote:
> On Sun, May 11, 2003 at 03:57:06PM -0400, Daniel Carrera wrote:
> It's there:
>
> Presumably Neil was looking on one of the HKP keyservers. The LDAP

I was looking on HKP but earlier in the day. I picked it up fine on
checking my email as normal tonight - would have been earlier but I
wasn't online.

--
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+v+eIiAEJSii8s+MRAplhAKCY7g+GUN/0x36hRDFM9hWOEmG9fACeJspI
KGR2aLI3is3/rIGPgs7G3kw=
=abyB
-----END PGP SIGNATURE-----

From shavital@netbox.com Mon May 12 22:38:03 2003
From: shavital@netbox.com (Charly Avital) Date: Mon May 12 21:38:03 2003 Subject: Was www.gnupg.org compromised? In-Reply-To: <20030512181249.GA9885@mail.volta.dyndns.org> References: <20030512181249.GA9885@mail.volta.dyndns.org> Message-ID: At 2:12 PM -0400 5/12/03, mike ledoux wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >I've just tried to download GnuPG 1.2.2 sources to upgrade, and am >having some problems. The bz2 link on the website claims to be >2.1MB, the copy I just downloaded was 4.5MB. Needless to say, the >signature didn't verify. I also tried the gz link, which claimed a >3MB download, which actually came in at 6.4MB. Again, the signature >didn't verify. > >Does anyone have any information about this? Just tried the bz2 link, for file and signature. File is 2.1 MB, signature verifies 'Good signature from Werner Koch...etc.' Charly From dcarrera@math.umd.edu Tue May 13 03:08:03 2003 
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 13 02:08:03 2003
Subject: [Q] DSA 1024-bit limit.
Message-ID: <20030513000908.GA6891@math.umd.edu>

Hello all,

I was thinking about the DSA 1024-bit limit. Is that something I should
be worried about? Is there any hope that this limit will be fixed in the
foreseeable future?

If having a 1024-bit key now is cause for concern, then it will become a
real problem in a few years.

From the resources people gave me I found some reasoning as to why signing
keys can afford to be less secure. But I'd still be happier if they were
secure.

Cheers,
--
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD (301) 405-5137     | 98FC 9E04 B9A0 0FEB CEC3 |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+wDejngS5oA/rzsMRAp79AJ4xQbK550rzAzQYM1hQ509CC4JJNwCeL43p
un8Y94iNrczZQ+CMJgqtju8=
=pIm+
-----END PGP SIGNATURE-----

From dcarrera@math.umd.edu Tue May 13 03:27:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 13 02:27:03 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513000908.GA6891@math.umd.edu>
References: <20030513000908.GA6891@math.umd.edu>
Message-ID: <20030513002826.GF6891@math.umd.edu>

On a related note. Is there any way that I can create a second key-pair
that has a signing key with more than 1024 bits?

I know that this wouldn't comply with the DSA standard, but if I am in a
situation where I truly need security I might decide that I don't care
about the standard. Having the option of a larger key would help my peace
of mind.

--
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD (301) 405-5137     | 98FC 9E04 B9A0 0FEB CEC3 |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+wDwpngS5oA/rzsMRApUuAJ9zFs6PTsgjvx31oO8VcEg6VicwmQCcCAKp
QIXXclRl4wbumW347RwIWR4=
=PMj+
-----END PGP SIGNATURE-----

From tony.kwok@3web.net Tue May 13 05:53:04 2003
From: tony.kwok@3web.net (tk) Date: Tue May 13 04:53:04 2003 Subject: mobile GPG installation In-Reply-To: <87k7cwej77.fsf@alberti.g10code.de> References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net> <200305111933.24401@fortytwo.ch> <3EBE990A.9010201@3web.net> <87k7cwej77.fsf@alberti.g10code.de> Message-ID: <3EC05E76.6010604@3web.net> Werner Koch wrote: > No they are an immense problem. There a hundred of thousands script > kiddies waiting to attack your box. In contrast only a few people can > get physical access. I agree with your correction - hope you will agree with mine: Yes, malware/keyloggers/etc. are a bigger problem than the tone of my previous post implies. But physical protection of the box is also a *significant* problem for many users. And use of "other people's computers" can often mitigate this problem; as, I believe, the original poster alluded. I will terminate my contribution to this thread with the following thought: It is valid to advise the user to use GPG only on a trusted computer. It is however not valid to assume there will be only one computer he or she can trust. tk From bminton@efn.org Tue May 13 05:58:04 2003 
From: bminton@efn.org (Brian Minton) Date: Tue May 13 04:58:04 2003 Subject: mobile GPG installation In-Reply-To: <921dd33c85c0af4a267187cd0d4b805c@ecn.org> References: <921dd33c85c0af4a267187cd0d4b805c@ecn.org> Message-ID: <20030513025720.GA11679@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 10, 2003 at 01:43:09PM +0200, Anonymous wrote: > I have read about a project that built a Java-only SSH client which can be > run from any (Java-enabled) browser, with nothing to install on the > local computer. Look around for anything similar for OpenPGP... the ssh client is called mindterm, http://www.appgate.com/mindterm/ There are some implementations of openpgp, but I haven't looked at them in a while. http://www.cryptix.org/products/openpgp/ is one. Of course, www.hushmail.com is a famous one, http://www.bifroest.demon.co.uk/ctc/ctcjava.htm is one, but it looks like it hasn't been updated in a while... http://www.bouncycastle.org/ seems to be another one. Some of those links are crypto APIs in java, not necessarily openpgp - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+wF8QcieIIFcDdHIRApHTAJsGrWBbObQfqb2+JJX0P2Fm7JoLPACfS8mG Eq+r4wLcTP8ITMHwo2D55TU= =GGDi -----END PGP SIGNATURE----- From bminton@efn.org Tue May 13 06:10:02 2003 
From: bminton@efn.org (Brian Minton) Date: Tue May 13 05:10:02 2003 Subject: mobile GPG installation In-Reply-To: <3EBE8BC2.3020100@nahrath.de> References: <3EBC3092.6010605@nahrath.de> <3EBE8BC2.3020100@nahrath.de> Message-ID: <20030513030855.GB11679@bminton.dyn.cheapnet.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, May 11, 2003 at 07:43:30PM +0200, Michael Nahrath wrote: > Martin Bretschneider wrote: > > >>They have their mail accounts at some freemailer services and use > >>them solely via web frontend on other people's computers or in > >>internet cafes. > > > They can use a kind of secure webservices. Check www.hushmail.com > > I had a look at their website and can't take them serious in security > concerns. They do everything to prevent users seeing what is really happening. check out http://www.hush.ai (it will redirect you to the current source repository). All their source is available for verification. - -- Brian Minton | OpenPGP fingerprint: brian@minton.name | 81BE 3A84 A502 ABDD B2CC http://brian.minton.name | 4BFD 7227 8820 5703 7472 Live long, and prosper longer! KeyID: 0x57037472 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+wGG7cieIIFcDdHIRAveFAJwNaVl2Wpf4GOWnJ1/huZm+Xw22OgCdGkDF kSGR0AkIF3OH6SG7yb9oWNI= =OmnL -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Tue May 13 06:48:02 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Tue May 13 05:48:02 2003 Subject: [Q] DSA 1024-bit limit. In-Reply-To: <20030513002826.GF6891@math.umd.edu> <20030513000908.GA6891@math.umd.edu> References: <20030513000908.GA6891@math.umd.edu> <20030513002826.GF6891@math.umd.edu> <20030513000908.GA6891@math.umd.edu> Message-ID: <20030513034820.GF9658@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, May 12, 2003 at 08:09:08PM -0400, Daniel Carrera wrote: > Hello all, > > I was thinking about the DSA 1024-bit limit. Is that something I should > be worried about? Is there any hope that this limit will be fixed in the > forseable future? > > If having a 1024-bit key now is cause for concern, then it will become a > real problem in a few years. > > From the resources people gave me I found some reasoning as to why signing > keys can afford to be less secure. But I'd still be happier if they were > secure. The DSA 1024-bit limit is not really a problem in practice. DSA is also limited to a 160-bit hash which is (some arm waving here) around as "strong" as the 1024-bit key. If you made a larger DSA key, then the hash would become the weak point, and you didn't really gain anything. If you don't want to be limited to a 1024-bit signing key, don't use DSA. You can make an RSA signing key up to 4096 bits without any special hackery. There are drawbacks to this (such as a truly massive signature size), but it's a good way to get a larger key size. Some people (like me), have a 4096-bit RSA signing key, but use a 1024-bit DSA subkey for day to day use. On Mon, May 12, 2003 at 08:28:26PM -0400, Daniel Carrera wrote: > On a related note. Is there any way that I can create a second key-pair > that has a signing key with more than 1024 bits? > > I know that this wouldn't comply with the DSA standard, but if I am in a > situation where I truly need security I might decide that I don't care > about the standard. 
Having the option of a larger key would help my peace > of mind. The problem with not caring about the standard is you can issue massive signatures with a large DSA key.... but who is going to be able to verify them? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+wGsE4mZch0nhy8kRAgOlAJ43KUSmXQqCJQwuHsOa800kDlT8vACg3N4Z Vzr+V57E6jB552rQCl5VERE= =Gism -----END PGP SIGNATURE----- From jbruni@mac.com Tue May 13 07:11:05 2003 From: jbruni@mac.com (Joseph Bruni) Date: Tue May 13 06:11:05 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: Message-ID: <2DF7A5E6-84F8-11D7-A618-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 And, for those of us without floppy drives, USB keychains are way-cool. I actually use my keychain as a permanent home for my keys (kind of poetic in a way). Then I just point GPG to the location of my key files. When I'm done, I just unplug and go. No secret keys left behind. On Saturday, May 10, 2003, at 09:31 PM, Eugene Smiley wrote: > >> 2) What do I need to backup? My private key? >> I don't have a CD burner, so I don't really know how I can make a >> secure backup. > > The easiest thing would be to use a floppy disk. Copy your keypair > and the revocation certificate on to it and stash it away. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj7AbyEACgkQ4rg/mXNDweNMrgCeLixWB1lT56l3nJu5S+LR6FNU Uy0AoNCHH82Y988Mjouoj3gbWRwotiwz =EZZi -----END PGP SIGNATURE----- From wk@gnupg.org Tue May 13 11:05:04 2003 
From: wk@gnupg.org (Werner Koch) Date: Tue May 13 10:05:04 2003 Subject: mobile GPG installation In-Reply-To: <3EC05E76.6010604@3web.net> (tk's message of "Tue, 13 May 2003 02:54:46 +0000") References: <20030511055043.7867.qmail@web10501.mail.yahoo.com> <3EBE6AD0.5010000@3web.net> <200305111933.24401@fortytwo.ch> <3EBE990A.9010201@3web.net> <87k7cwej77.fsf@alberti.g10code.de> <3EC05E76.6010604@3web.net> Message-ID: <87y91bb7aa.fsf@alberti.g10code.de> On Tue, 13 May 2003 02:54:46 +0000, tk said: > It is valid to advise the user to use GPG only on a trusted computer. > It is however not valid to assume there will be only one computer > he or she can trust. Agreed. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Tue May 13 11:05:42 2003 From: wk@gnupg.org (Werner Koch) Date: Tue May 13 10:05:42 2003 Subject: [Q] Uploading my public key to a key server. In-Reply-To: <2DF7A5E6-84F8-11D7-A618-003065B1243E@mac.com> (Joseph Bruni's message of "Mon, 12 May 2003 21:05:48 -0700") References: <2DF7A5E6-84F8-11D7-A618-003065B1243E@mac.com> Message-ID: <87vfwfb76y.fsf@alberti.g10code.de> On Mon, 12 May 2003 21:05:48 -0700, Joseph Bruni said: > (kind of poetic in a way). Then I just point GPG to the location of my > key files. When I'm done, I just unplug and go. No secret keys left > behind. ... unless some unexpected software took a copy of the key -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From johanw@vulcan.xs4all.nl Tue May 13 15:23:02 2003 
From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Tue May 13 14:23:02 2003 Subject: [Q] DSA 1024-bit limit. In-Reply-To: <20030513000908.GA6891@math.umd.edu> from Daniel Carrera at "May 12, 2003 08:09:08 pm" Message-ID: <200305130944.LAA03589@vulcan.xs4all.nl> Daniel Carrera wrote: > I was thinking about the DSA 1024-bit limit. Is that something I should > be worried about? Not now, but who knows how fast public keys lose their strength? But if you are concerned, use an RSA key. If you create a v3 RSA key, with pgp or with GnuPG after patching it, you can use the same key for encryption and signing. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From yenot@sec.to Tue May 13 16:58:02 2003 
From: yenot@sec.to (Yenot)
Date: Tue May 13 15:58:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305111455.24901@erwin.ingo-kloecker.de>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de>
Message-ID: <200305131719.26463.yenot@sec.to>

On Sunday 11 May 2003 04:55 pm, Ingo Klöcker wrote:
>
> IMO making the usage of unverified keys too easy (i.e. the user
> just has to click away a warning) will result in a weakening and a
> slower growth of the web of trust.

Web-of-trust solutions can work within companies and various communities, but the web of trust based on public keyservers will never become a universal solution. We should support web-of-trust solutions (i.e. use OpenPGP), but we shouldn't ban opportunistic encryption in order to force the growth of the Web-of-Trust.

Here's two of the reasons why "The Web-of-Trust" (the implementation based on worldwide public keyservers) will never be more than part of the total solution:

1) Keysigning parties are never going to catch on with the masses. It's an expensive operation. Protocols that require expensive operations (purchasing a certificate, attending keysigning parties, etc.) will never catch on with the masses.

   In order to protect the masses, we need opportunistic encryption. Opportunistic encryption may not prevent active attacks, but it kills the common case (eavesdropping). To eliminate active attacks, we have direct key signing, keysigning authorities schemes, and the Web-of-Trust.

2) As implemented today, the Web-of-Trust is bad for privacy. Advertising e-mail addresses combined with a list of your closest contacts (via signatures) works well for an authentication protocol, but it's not a good privacy protocol.

   I'm not the only one with this opinion. 50% of the residential phone customers in California, USA pay around $0.28 *every* month to keep their phone number unpublished. The nationwide percent in America is only around 24%, but some of the phone monopolies extort as much as $6.95/month to keep a phone number unpublished.

   On top of this, I believe there have been multiple battles to stop American phone companies from selling name/address/phone lists of peoples' closest contacts based on call history. The Web-of-Trust forces people to disclose this very same information that a large percentage of the population (at least in America) do not want published.

Solution:

Allow all forms of authentication including no authentication at all. Make adding keys and creating local signatures, directly from the mail client [with or without the help of an external program], as easy as humanly possible.

3 Authentication Levels:

L1) No protection (unencrypted, key not available)
L2) Passive attack protection (encrypted, key not verified)
L3) Active attack protection (encrypted, key verified)

The difference between (L2) and (L3) could be clearly visible to the user with clever icons. I strongly believe that we can solve this problem without confusing the user or giving them a false sense of security. Also see analogous problem in current web browser implementations:
http://marc.theaimsgroup.com/?l=cryptography&m=104774889818071&w=2

For getting from L2 -> L3, I think it would be nice if programs like KMail provided a very simple pop-up showing:

1) fingerprint of your key
2) fingerprint of key to be verified
3) an "OK" button to locally sign the key

I'm fine with Kgpg or some other keymanager providing the pop-up, but the goal is to not confuse the user. If we automate as much as possible and allow users to climb the security chain in small, manageable steps, OpenPGP could actually see widespread use someday.

Outstanding Question: How to pick an unauthenticated key?

If I'm replying to a signed message (and the reply-to address matches a UID on the signing key), I would pick the key used to sign the received message. If I'm starting a new message, the choice is less obvious. When multiple keys with no trust path exist, David Shaw proposes that we encrypt to all valid keys. Shaw's solution kills the common case of passive eavesdropping (i.e. it's better than what we have now). Refinements to Shaw's proposal using some form of caching might be possible.

> IMO KMail is already almost there. The only thing which is missing
> is an easy way to download missing keys. And in KDE 3.2 there will
> be KGpg which allows easy key management. If you think KMail is
> missing a useful feature then please file a wish at bugs.kde.org.

I love KMail and agree that it is almost there. I could be wrong, but I don't think the changes discussed above would be a major leap for KMail or its users. I'll log my requests at bugs.kde.org, but I thought it would be better to come to a consensus here first [unlikely, but I have hope].

- Yenot

From dcarrera@math.umd.edu Tue May 13 17:44:03 2003
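An added example, not part of the thread and not GnuPG or KMail code: a small Python model of the three authentication levels and the key-picking rules proposed in Yenot's message above, including the fingerprint pop-up that moves a key from L2 to L3. The names `Key`, `Choice`, `pick_keys` and `confirm_fingerprint`, the constructed keyring, and the rule that a verified key excludes unverified keys for the same address are assumptions made here.

```python
# Added illustration of the L1/L2/L3 scheme and key-picking rules from the
# message above. All names and the sample keyring are hypothetical.
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    L1 = 1  # no protection: unencrypted, key not available
    L2 = 2  # passive attack protection: encrypted, key not verified
    L3 = 3  # active attack protection: encrypted, key verified


@dataclass(frozen=True)
class Key:
    fingerprint: str          # hex fingerprint; spacing and case are ignored
    uids: Tuple[str, ...]     # e-mail addresses taken from the user IDs
    valid: bool = True        # False when revoked or expired
    verified: bool = False    # True once locally signed or on a trust path


@dataclass(frozen=True)
class Choice:
    level: Level
    keys: Tuple[Key, ...]


def _norm(fpr: str) -> str:
    """Canonical form of a fingerprint for comparison."""
    return "".join(fpr.split()).upper()


def pick_keys(recipient: str, keyring: List[Key],
              reply_signer: Optional[str] = None) -> Choice:
    """Choose encryption keys for `recipient` and report the level reached.

    reply_signer is the fingerprint of the key that signed the message being
    answered, or None when starting a new message.
    """
    addr = recipient.strip().lower()
    usable = [k for k in keyring
              if k.valid and addr in (u.lower() for u in k.uids)]

    # Assumption of this example: a verified key always wins, and unverified
    # keys for the same address are ignored, so a key merely uploaded to a
    # keyserver under that address never receives a copy of the message.
    verified = tuple(k for k in usable if k.verified)
    if verified:
        return Choice(Level.L3, verified)

    # Reply case: use the signing key, but only if one of its UIDs matches
    # the address being replied to (it must already be in `usable`).
    if reply_signer is not None:
        for k in usable:
            if _norm(k.fingerprint) == _norm(reply_signer):
                return Choice(Level.L2, (k,))

    # New message with no trust path: encrypt to every valid candidate,
    # the proposal the message attributes to David Shaw.
    if usable:
        return Choice(Level.L2, tuple(usable))

    return Choice(Level.L1, ())


def confirm_fingerprint(key: Key, fingerprint_read_out: str) -> Key:
    """Model of the pop-up's OK button: mark the key verified (a local
    signature) only if the fingerprint obtained out of band matches."""
    if _norm(fingerprint_read_out) != _norm(key.fingerprint):
        raise ValueError("fingerprint mismatch: key left unverified")
    return replace(key, verified=True)


# Constructed sample keyring: two unverified keys claim the same address,
# and the only key for the second address is no longer valid.
ALICE_A = Key("AAAA 1111 AAAA 1111 AAAA", ("alice@example.org",))
ALICE_B = Key("BBBB 2222 BBBB 2222 BBBB", ("alice@example.org",))
BOB_OLD = Key("CCCC 3333 CCCC 3333 CCCC", ("bob@example.org",), valid=False)
KEYRING = [ALICE_A, ALICE_B, BOB_OLD]

if __name__ == "__main__":
    for who, signer in [("alice@example.org", None),
                        ("alice@example.org", ALICE_B.fingerprint),
                        ("bob@example.org", None)]:
        choice = pick_keys(who, KEYRING, signer)
        print(who, choice.level.name, [k.fingerprint for k in choice.keys])
```

The level returned is what a mail client would map to its icon; the L2 results show that two unverified keys for one address still only protect against passive eavesdropping.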
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 13 16:44:03 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513034820.GF9658@jabberwocky.com>
References: <20030513000908.GA6891@math.umd.edu> <20030513002826.GF6891@math.umd.edu> <20030513000908.GA6891@math.umd.edu> <20030513034820.GF9658@jabberwocky.com>
Message-ID: <20030513144541.GA1301@math.umd.edu>

> Some people (like me), have a 4096-bit RSA signing key, but use a
> 1024-bit DSA subkey for day to day use.

I'm interested. How can I do that?
I already have a "key chain" (is that what you call it?). Do I need to start over?

> The problem with not caring about the standard is you can issue
> massive signatures with a large DSA key.... but who is going to be
> able to verify them?

Well, I was thinking of my wanting to communicate with one single person using more security than that afforded by DSA. I'd just make sure that this one person can read my non-compliant key and I'd just use a compliant key with the rest of the world.

But no need. I can have a large RSA key for cases where I want the extra security and a DSA key for day-to-day use.

Is there a limit on how large an RSA signing key can be?
How large should it be to be comparable to my 2048-bit ElGamal key?

I know that, for encryption, RSA is thought to be only a little less secure than ElGamal. So I guess a 2048-bit RSA key will do. Unless there's something about key-signing that I'm not aware of.

Thanks for the help.

-- 
Daniel Carrera         | OpenPGP fingerprint:     | DSA KeyID:
Graduate TA Math Dept. | C678 4F28 6418 6A62 F186 | 0x0FEBCEC3
UMD (301) 405-5137     | 98FC 9E04 B9A0 0FEB CEC3 |

From wbo@mandrakesoft.com Tue May 13 19:03:02 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Tue May 13 18:03:02 2003
Subject: Problem: OpenPGP Module not listed
Message-ID: <200305131800.20136.wbo@mandrakesoft.com>

Hi,

Using KMail with GnuPG.
KMail accepts my GnuPG key for signing and de-/encrypting and it also shows signed messages with the proper information.
Every now and then I stumble on messages in this list where KMail gives an error message:

"Message is signed with an unknown key.
The key cannot be verified.
Problem: OpenPGP module not listed.
Use dialogue 'Settings->KMail settings->Security' to configure this module or ask your system admin to do so."

In KMail settings I *have* the tab 'OpenPGP' and the standard is set to 'OpenPGP' although I use GnuPG. It works all the time except with some of the messages.

Example where I got such an error:

Re: [Q] DSA 1024-bit limit.
From: Daniel Carrera
Date: Today 16:45:41
Message-ID: <20030513144541.GA1301@math.umd.edu>

Mind that I use a German version and the error message is translated to my best knowledge. The original German text is:

"Nachricht wurde signiert mit einem unbekannten Schlüssel.
Die Gültigkeit der Signatur kann nicht überprüft werden.
Problem: OpenPGP Modul wurde nicht angegeben.
Verwenden Sie den Dialog 'Einstellungen->KMail einrichten->Sicherheit', um das Modul festzulegen oder bitten Sie den Systemverwalter darum."

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From tony.kwok@3web.net Tue May 13 19:07:02 2003
From: tony.kwok@3web.net (tk)
Date: Tue May 13 18:07:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305131719.26463.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de> <200305131719.26463.yenot@sec.to>
Message-ID: <3EC11870.3020809@3web.net>

Yenot wrote:
>
>>IMO making the usage of unverified keys too easy (i.e. the user
>>just has to click away a warning) will result in a weakening and a
>>slower growth of the web of trust.
>
> Web-of-trust solutions can work within companies and various
> communities, but the web of trust based on public keyservers will
> never become a universal solution. We should support web-of-trust
> solutions (i.e. use OpenPGP), but we shouldn't ban opportunistic
> encryption in order to force the growth of the Web-of-Trust.

.../snip/

Valid arguments, excellent post! The value of privacy was simply not factored in when the WOT system was originally conceived. This was (perhaps?) understandable at the time, but tempora mutantur (et nos in illis).

tk

From pt@radvis.nu Tue May 13 19:36:02 2003
From: pt@radvis.nu (Per Tunedal)
Date: Tue May 13 18:36:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305131719.26463.yenot@sec.to>
References: <200305111455.24901@erwin.ingo-kloecker.de> <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de>
Message-ID: <5.1.0.14.2.20030513175817.02b34c70@localhost>

At 17:52 2003-05-13 +0400, you wrote:
>
>On Sunday 11 May 2003 04:55 pm, Ingo Klöcker wrote:
>>
>> IMO making the usage of unverified keys too easy (i.e. the user
>> just has to click away a warning) will result in a weakening and a
>> slower growth of the web of trust.
>
>We should support web-of-trust
>solutions (i.e. use OpenPGP), but we shouldn't ban opportunistic
>encryption in order to force the growth of the Web-of-Trust.
>

Agree, but I do prefer the robot-CA model for "granny encryption".

>
>1) Keysigning parties are never going to catch on with the masses.
> It's an expensive operation. Protocols that require expensive
> operations (purchasing a certificate, attending keysigning
> parties, etc.) will never catch on with the masses.
>

Agree.

> In order to protect the masses, we need opportunistic encryption.
> Opportunistic encryption may not prevent active attacks, but it
> kills the common case (eavesdropping). To eliminate active
> attacks, we have direct key signing, keysigning authorities
> schemes, and the Web-of-Trust.

Or rather a simple verification binding the key to the e-mail address like the robot-CA.

>
>2) As implemented today, the Web-of-Trust is bad for privacy.
> Advertising e-mail addresses combined with a list of your closest
> contacts (via signatures) works well for an authentication
> protocol, but it's not a good privacy protocol.
>

True, I'm waiting for the spammers to "tap" the key servers. It can be done, that's why it will be done eventually.

On this list there was a discussion how to not put the "real" e-mail address in the UID of the key, but rather a dummy e-mail address "changes@times.u.know.com"

That might be a problem with the robot-CA model!

>
>
>Solution:
>
>Allow all forms of authentication including no authentication at all.
>Make adding keys and creating local signatures, directly from the
>mail client [with or without the help of an external program], as
>easy as humanly possible.
>
>
>3 Authentication Levels:
>
>L1) No protection (unencrypted, key not available)
>L2) Passive attack protection (encrypted, key not verified)
>L3) Active attack protection (encrypted, key verified)
>

I would like to add the robot-CA protection i.e. the e-mail address connected to the key. (The robot signs the key, encrypts it and sends it to the e-mail addresses in the UID:s of the key. Only a person having access to both the e-mail account and the secret key can use the signatures. http://www.toehold.com/cgi-bin/rcacgi )

>The difference between (L2) and (L3) could be clearly visible to the
>user with clever icons. I strongly believe that we can solve this
>problem without confusing the user or giving them a false sense of
>security.
>

Agree.

>
>Outstanding Question: How to pick an unauthenticated key?
>
>If I'm replying to a signed message (and the reply-to address matches
>a UID on the signing key), I would pick the key used to sign the
>received message. If I'm starting a new message, the choice is less
>obvious. When multiple keys with no trust path exist, David Shaw
>proposes that we encrypt to all valid keys. Shaw's solution kills
>the common case of passive eavesdropping (i.e. it's better than what
>we have now). Refinements to Shaw's proposal using some form of
>caching might be possible.
>
>

A robot-signature might be useful as it connects the key to the e-mail address.

>
> - Yenot

Per Tunedal

From jharris@widomaker.com Tue May 13 20:18:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Tue May 13 19:18:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305131719.26463.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de> <200305131719.26463.yenot@sec.to>
Message-ID: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>

On Tue, May 13, 2003 at 05:52:47PM +0400, Yenot wrote:

> Web-of-trust solutions can work within companies and various
> communities, but the web of trust based on public keyservers will
> never become a universal solution. We should support web-of-trust
> solutions (i.e. use OpenPGP), but we shouldn't ban opportunistic
> encryption in order to force the growth of the Web-of-Trust.

Without fingerprint verification in person, many will argue that their current notion of the WoT doesn't apply. Opportunistic encryption will make more messages encrypted, but it doesn't prevent MITM attacks. PRZ doesn't feel that most people are targets of such attacks, which is why he now advocates opportunistic encryption.

> 1) Keysigning parties are never going to catch on with the masses.
> It's an expensive operation. Protocols that require expensive
> operations (purchasing a certificate, attending keysigning
> parties, etc.) will never catch on with the masses.

So? Them asses can use cryptography without performing said expensive operations.

> In order to protect the masses, we need opportunistic encryption.

Protect them asses from what and/or whom? If they don't have a threat model, maybe they have nothing to defend.

> 2) As implemented today, the Web-of-Trust is bad for privacy.
> Advertising e-mail addresses combined with a list of your closest
> contacts (via signatures) works well for an authentication
> protocol, but it's not a good privacy protocol.

Privacy and anonymity are two separate things.

> I'm not the only one with this opinion. 50% of the residential
> phone customers in California, USA pay around $0.28 *every* month
> to keep their phone number unpublished. The nationwide percent

(But how many block their number when making outbound calls? How many also avoid using toll-free numbers?)

> in America is only around 24%, but some of the phone monopolies
> extort as much as $6.95/month to keep a phone number unpublished.

(Extortion it is.)

> On top of this, I believe there have been multiple battles to stop
> American phone companies from selling name/address/phone lists
> of peoples' closest contacts based on call history. The
> Web-of-Trust forces people to disclose this very same information
> that a large percentage of the population (at least in America) do
> not want published.

No, most people choose to put their names on their keys because using names instead of numbers (keyids) to identify keys is easier.

Assume we didn't, but still wanted to encrypt email. At a keysigning, we'd have to provide our email addresses anyway. (Photo IDs might be irrelevant if we're not certifying everyone's real name for any auxiliary purposes.) We could take everyone's word that they own the keys they claim to own, or we could email them encrypted challenges. In our MUAs, we'd probably manually associate key with email addresses.

This gives us keys which can't be harvested for their email addresses and can't be attached to a real person unless you've met them at a keysigning or do traffic analysis on their email. (If needed, use --throw-keyid so that anyone doing traffic analysis can't attribute a specific key[id] to that person.)

(If you need even more anonymity, wear masks at the keysigning and communicate through anonymous channels.)

The WoT doesn't cease to exist for "anonymous" keys. In fact, it becomes purer. If you don't have a trust path to an "anonymous" key, you can't even put any trust into it based on a name or email address that you might be willing to trust.

-- 
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From wbo@mandrakesoft.com Tue May 13 22:27:02 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Tue May 13 21:27:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305131738.06208.linux@codehelp.co.uk>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305131738.06208.linux@codehelp.co.uk>
Message-ID: <200305132123.46518.wbo@mandrakesoft.com>

** Neil Williams (Tuesday, 13 May 2003 18:38)
> I had a brief problem with KMail of this type - it was because there
> was a blank entry in the security crypto-plugin page. It might be
> worth checking - just click the line below the OpenPGP line. If it
> highlights, click remove.

There is no blank line - and there is no OpenPGP line as well. This may be the problem - but why do I have only some messages with this error then and not all? Yours is one of them, BTW.

And: What do I put in such a line?

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From gnupg-users@nahrath.de Tue May 13 22:31:02 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Tue May 13 21:31:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030511203631.GA4414@jabberwocky.com>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com>
Message-ID: <3EC1030B.9040302@nahrath.de>

David Shaw wrote:

> Presumably Neil was looking on one of the HKP keyservers. The LDAP
> keyserver don't sync very well (if at all) with the HKP keyservers.

AFAIK the LDAP keyservers are driven by PGP.com and they are the default servers in PGP8.

OTOH all GPG applications default to the HKP network and GPG can't even fully access the LDAP keyservers.

Both networks are not connected.

IMO this schism within OpenPGP is currently the greatest interoperability problem between PGP and GPG users.

If I understood some postings on the keyserver-folks list right, the problem is that PGP.com doesn't cooperate to provide and accept the necessary data for a synchronisation (and don't answer to any mail requests).

How do you feel:
* Do they intend to make communication harder for GPG users intentionally?
* May there be valid technical reasons to not want the synchronisation?
* Do they underestimate the value of a well working keyserver network?
* Don't the right people within PGP.com know about the problem?

Some time ago someone on this list succeeded in getting the openpgp website updated by directly addressing Phil Zimmermann (although I felt that his style of ranting was completely inadequate).

Might this be a way to get the LDAP keyservers fixed as well?

Greeting, Michi

From dcarrera@math.umd.edu Wed May 14 00:01:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 13 23:01:02 2003
Subject: [ERROR] gpg: waiting for lock
Message-ID: <20030513210147.GA2552@math.umd.edu>

Does anyone know what the following error means?
I've been getting it on occasion. Sometimes it helps if I try a different keyserver, but sometimes (like now) it seems to make no difference.

$ gpg --recv-key 0x57548DCD
gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...

Thanks,
-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From dshaw@jabberwocky.com Wed May 14 00:14:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Tue May 13 23:14:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <3EC1030B.9040302@nahrath.de>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com> <3EC1030B.9040302@nahrath.de>
Message-ID: <20030513211502.GB25493@jabberwocky.com>

On Tue, May 13, 2003 at 04:36:59PM +0200, Michael Nahrath wrote:
> David Shaw wrote:
>
> > Presumably Neil was looking on one of the HKP keyservers. The LDAP
> > keyserver don't sync very well (if at all) with the HKP keyservers.
>
> AFAIK the LDAP keyservers are driven by PGP.com and they are the default
> servers in PGP8.
>
> OTOH all GPG applications default to the HKP network and GPG can't even
> fully access the LDAP keyservers.

Says who? ;)

gpg --keyserver ldap://keyserver.pgp.com --recv-keys 99242560

Anyone who has the LDAP libraries installed when they build GnuPG gets LDAP support built in by default.

> Both networks are not connected.
>
> IMO this schism within OpenPGP is currently the greatest interoperability
> problem between PGP and GPG users.
>
> If I understood some postings on the keyserver-folks list right, the problem
> is that PGP.com doesn't cooperate to provide and accept the necessary data
> for a synchronisation (and don't answer to any mail requests).
>
> How do you feel:
> * Do they intend to make communication harder for GPG users intentionally?
> * May there be valid technical reasons to not want the synchronisation?
> * Do they underestimate the value of a well working keyserver network?
> * Don't the right people within PGP.com know about the problem?

I don't think the pgp.com folks are intentionally causing problems with the rest of the world. It's far more likely they are just very busy starting a new company and the keyserver is not a very high priority.

David

From dcarrera@math.umd.edu Wed May 14 00:18:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 13 23:18:02 2003
Subject: [ERROR] gpg: waiting for lock
In-Reply-To: <20030513210147.GA2552@math.umd.edu>
References: <20030513210147.GA2552@math.umd.edu>
Message-ID: <20030513211931.GB2552@math.umd.edu>

Alright. I now know that this error is because GnuPG creates the file ~/.gnupg/secring.gpg.lock and should remove it when it's done. For some reason it hasn't done that a few times. Is this something I should worry about? Is it safe to just delete this file and move on?

Daniel.

On Tue, May 13, 2003 at 05:01:47PM -0400, Daniel Carrera wrote:
> Does anyone know what the following error means?
> I've been getting it on occasion. Sometimes it helps if I try a
> different keyserver, but sometimes (like now) it seems to make no
> difference.
>
> $ gpg --recv-key 0x57548DCD
> gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
> gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
> gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
> gpg: waiting for lock (held by 2813 - probably dead) (deadlock?) ...
>
> Thanks,
> --
> Daniel Carrera         | OpenPGP fingerprint:
> Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
> UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From DenisMcCauley@ifrance.com Wed May 14 00:54:02 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Tue May 13 23:54:02 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513144541.GA1301@math.umd.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu>
Message-ID: <20030513114718.DC06.DENISMCCAULEY@ifrance.com>

On Tue, 13 May 2003 10:45:41 -0400 Daniel Carrera wrote:

> > Some people (like me), have a 4096-bit RSA signing key, but use a
> > 1024-bit DSA subkey for day to day use.
>
> I'm interested. How can I do that?
> I already have a "key chain" (is that what you call it?). Do I need to
> start over?
>

You can have more than one key pair on your keyring. To create a key like that of David Shaw (or mine) you create a new key choosing the option (5) RSA (sign only). Then you add the other (sub) keys:

>gpg --edit-key
>addkey

which brings up the key-creation dialogue. When the subkey has been created finish with

>save

You can have either DSA (sign) and ElGamal (encrypt), or stay with RSA, which will allow you to have a bigger signing subkey (2048 bits for example).

IMO, the real worry with the 1024-bit limit on regular DSA keys is that they are the primary keys on which you collect the signatures that construct your web of trust. If you have to revoke them because they are no longer secure you lose all the signatures you've painstakingly collected. Subkeys on the other hand can be revoked and replaced as necessary without affecting signatures on the primary key.

However, there are some problems associated with such keys. You should check out Adrian von Bidder's explanation at http://fortytwo.ch/gpg/subkey

>
> Is there a limit on how large an RSA signing key can be?

4096 bits with GPG, though there are some unofficial versions of PGP which can create RSA keys up to 16k.

-- 
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

From dcarrera@math.umd.edu Wed May 14 01:29:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Wed May 14 00:29:02 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513114718.DC06.DENISMCCAULEY@ifrance.com>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com>
Message-ID: <20030513222948.GA9909@math.umd.edu>

> You can have more than one key pair on your keyring. To create a key
> like that of David Shaw (or mine) you create a new key choosing the
> option (5) RSA (sign only). Then you add the other (sub) keys:

Thanks. Now I have a 2048-bit RSA key as well.

Where can I learn more about how subkeys work? I just tried to do something and I goofed. These are my current keys:

Command> list daniel
pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2005-05-09 trust: u/u
sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
(1). Daniel Carrera (PhD Student, Math)

I tried to change the expire date of the ElGamal key to 2006, but instead it changed that of the DSA key:

Command> expire 0D1C25EC
[snip]
pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2006-05-12 trust: u/u
sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12

What just happened there?

> You can have either DSA (sign) and ElGamal (encrypt), or stay with RSA,
> which will allow you to have a bigger signing subkey (2048 bits for
> example).

Great. How do I do that? I don't mean to ask too many RTFM questions. I am reading the FM, but I don't always find the information I want there.

For instance, the man page tells me how to sign keys, but not how to use an alternate key for signing.

Thanks for the help.

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From ingo.kloecker@epost.de Wed May 14 02:21:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Wed May 14 01:21:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305131800.20136.wbo@mandrakesoft.com>
References: <200305131800.20136.wbo@mandrakesoft.com>
Message-ID: <200305140014.58261@erwin.ingo-kloecker.de>

On Tuesday 13 May 2003 17:59, Wolfgang Bornath wrote:
> Using KMail with GnuPG.
> KMail accepts my GnuPG key for signing and de-/encrypting and it also
> shows signed messages with the proper Information.
> Every now and then I stumble on messages in this list where KMail
> gives an error message:
>
> "Message is signed with an unknown key.
> The key cannot be verified.
> Problem: OpenPGP module not listed.
> Use dialogue 'Settings->KMail settings->Security' to configure this
> module or ask your system admin to do so."

KMail has built-in support for clearsigned messages. But support for PGP/MIME messages (where the signature is in a separate attachment) is only available through a plugin (plugin has been translated as "Modul" in the German translation). Read the howto at kmail.kde.org if you want to know how to install the appropriate plugin.

FYI, this message is signed with the PGP/MIME plugin.

Regards,
Ingo

From ingo.kloecker@epost.de Wed May 14 02:21:33 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Wed May 14 01:21:33 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305131719.26463.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305111455.24901@erwin.ingo-kloecker.de> <200305131719.26463.yenot@sec.to>
Message-ID: <200305140053.49973@erwin.ingo-kloecker.de>

On Tuesday 13 May 2003 15:52, Yenot wrote:
> 2) As implemented today, the Web-of-Trust is bad for privacy.
> Advertising e-mail addresses combined with a list of your closest
> contacts (via signatures) works well for an authentication
> protocol, but it's not a good privacy protocol.

Nobody forces you to put your name or your email address on a key. And nobody forces you to let your key be signed by others or to sign others' keys.

> The
> Web-of-Trust forces people to disclose this very same information
> that a large percentage of the population (at least in America)
> do not want published.

Trust is the principle the WoT is built upon. Without trust the WoT can't exist. And trust can't really co-exist with anonymity. You have to know who the key owner is before you can tell GnuPG how much trust you want to put in the key owner.

> Solution:
[snip]
> 3 Authentication Levels:
>
> L1) No protection (unencrypted, key not available)
> L2) Passive attack protection (encrypted, key not verified)
> L3) Active attack protection (encrypted, key verified)
>
> The difference between (L2) and (L3) could be clearly visible to the
> user with clever icons. I strongly believe that we can solve this
> problem without confusing the user or giving them a false sense of
> security.

Any proposals for what these clever icons should look like?

> For getting from L2 -> L3, I think it would be nice if programs like
> KMail provided a very simple pop-up showing:
> 1) fingerprint of your key
> 2) fingerprint of key to be verified
> 3) an "OK" button to locally sign the key

First you talk about making encryption as easy as possible for the masses (by omitting fingerprint exchanges at keysigning events) and now you propose to show them the fingerprint? Do you really think that showing the fingerprint will be any good for Joe User?

> Outstanding Question: How to pick an unauthenticated key?
>
> If I'm replying to a signed message (and the reply-to address matches
> a UID on the signing key), I would pick the key used to sign the
> received message.

Good idea.

Regards,
Ingo

From gnupg-users@nahrath.de Wed May 14 02:36:02 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Wed May 14 01:36:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030513211502.GB25493@jabberwocky.com>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com> <3EC1030B.9040302@nahrath.de> <20030513211502.GB25493@jabberwocky.com>
Message-ID: <3EC18174.9080706@nahrath.de>

David Shaw wrote:

>>OTOH all GPG applications default to the HKP network and GPG can't even
>>fully access the LDAP keyservers.

> Says who? ;)
>
> gpg --keyserver ldap://keyserver.pgp.com --recv-keys 99242560

[michi@localhost]~$ gpg --keyserver ldap://keyserver.pgp.com --send-keys 99242560
gpgkeys: error adding key 99242560 to keyserver: Already exists
gpg: keyserver internal error

Currently I don't have a key to change, but next time I have to sign a key I'll try to check if this is simply an erroneous error-message.

>>How do you feel:
>>* Do they intend to make communication harder for GPG users intentionally?
>>* May there be valid technical reasons to not want the synchronisation?
>>* Do they underestimate the value of a well working keyserver network?
>>* Don't the right people within PGP.com know about the problem?

> I don't think the pgp.com folks are intentionally causing problems
> with the rest of the world. It's far more likely they are just very
> busy starting a new company and the keyserver is not a very high
> priority.

Should we try to intervene to make them rewrap priorities?

Gives me plenty of trouble, since I made a friend change from PGP to GPG and now he can't find his other PGP using friends any more ...

Greeting,
Michi

From eugene@esmiley.net Wed May 14 04:15:02 2003
From: eugene@esmiley.net (Eugene Smiley)
Date: Wed May 14 03:15:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <3EC18174.9080706@nahrath.de>
Message-ID:

Michi wrote:
> David Shaw wrote:
>> Says who? ;)
>>
>> gpg --keyserver ldap://keyserver.pgp.com --recv-keys 99242560
>
> [michi@localhost]~$ gpg --keyserver ldap://keyserver.pgp.com
> --send-keys 99242560
> gpgkeys: error adding key 99242560 to keyserver: Already exists
> gpg: keyserver internal error

Why are you trying to send David's key to the server? This is generally considered bad etiquette. The error makes sense as his key already exists on the server. ;)

> Currently I don't have a key to change, but next time I have to
> sign a key I'll try to check if this is simply an erroneous
> error-message.
>
> David Shaw wrote:
>> I don't think the pgp.com folks are intentionally causing
>> problems with the rest of the world. It's far more likely they
>> are just very busy starting a new company and the keyserver is
>> not a very high priority.
>
> Should we try to intervene to make them rewrap priorities?

There has been discussion on the PGP-Users mailing list by some PGP employees about dealing with the keyserver issue. They know it exists, but they are interested in improving the quality of the keyserver vs. synchronizing a bunch of unused keys. Creating a solution to the existing problems is not an overnight thing.

> Gives me plenty of trouble, since I made a friend change from
> PGP to GPG and now he can't find his other PGP using friends any
> more ...

Why not just use --keyserver keyserver.pgp.com for his friends' keys? I do this without any issues.

I tend to send my keys to multiple servers whether I am using PGP or GPG to mitigate the issue of people not finding it.

Eugene

From dshaw@jabberwocky.com Wed May 14 04:19:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Wed May 14 03:19:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <3EC18174.9080706@nahrath.de>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com> <3EC1030B.9040302@nahrath.de> <20030513211502.GB25493@jabberwocky.com> <3EC18174.9080706@nahrath.de>
Message-ID: <20030514011922.GE25493@jabberwocky.com>

On Wed, May 14, 2003 at 01:36:20AM +0200, Michael Nahrath wrote:
> David Shaw wrote:
>
> >>OTOH all GPG applications default to the HKP network and GPG can't even
> >>fully access the LDAP keyservers.
>
> > Says who? ;)
> >
> > gpg --keyserver ldap://keyserver.pgp.com --recv-keys 99242560
>
> [michi@localhost]~$ gpg --keyserver ldap://keyserver.pgp.com --send-keys
> 99242560
> gpgkeys: error adding key 99242560 to keyserver: Already exists
> gpg: keyserver internal error
>
> Currently I don't have a key to change, but next time I have to sign a key
> I'll try to check if this is simply an erroneous error-message.

Not erroneous - that is an actual error. You tried to add 99242560 to the keyserver, and it's already there. It's not what I'd call a terribly *serious* error... ;)

> >>How do you feel:
> >>* Do they intend to make communication harder for GPG users intentionally?
> >>* May there be valid technical reasons to not want the synchronisation?
> >>* Do they underestimate the value of a well working keyserver network?
> >>* Don't the right people within PGP.com know about the problem?
>
> > I don't think the pgp.com folks are intentionally causing problems
> > with the rest of the world. It's far more likely they are just very
> > busy starting a new company and the keyserver is not a very high
> > priority.
>
> Should we try to intervene to make them rewrap priorities?
>
> Gives me plenty of trouble, since I made a friend change from PGP to GPG and
> now he can't find his other PGP using friends any more ...

Tell your friend to put "keyserver ldap://keyserver.pgp.com" in his gpg.conf file and he's done.

David

From dcarrera@math.umd.edu Wed May 14 04:33:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Wed May 14 03:33:02 2003
Subject: [Q] Multiple signing keys (was: DSA 1024-bit limit)
In-Reply-To: <1052871144.1584.36.camel@dennisx.cif.rochester.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu>
Message-ID: <20030514013435.GA10204@math.umd.edu>

Alright. I'm trying to figure out how to use a dual (RSA, DSA) signing-key pair. This is what I currently have:

Command> list
pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2006-05-12 trust: u/u
sub 2048g/0D1C25EC created: 2003-05-10 expires: 2006-05-13
sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
(1). Daniel Carrera (PhD Student, Math)

1) When I sign, how do I specify a non-default signing key?

2) I don't fully understand the role of the primary key. In my case, I could have two possible setups:

- Primary signing RSA, secondary signing DSA, secondary ElGamal.
- Primary signing DSA, secondary signing RSA, secondary ElGamal.

How are these two different? Tell me if I got it right:

I understand that the primary key is somehow more important (for one, it's supposed to last longer). So I imagine that having a primary RSA (with more than 1024 bits) is the better option.

Does my primary key serve for the authenticity of my secondary keys? If so, I imagine that it's better for the primary key to be stronger (ie. RSA).

Did I get this right?

> One option that the previous responder didn't take into account, but
> which David Shaw recommends and which makes sense to me and the
> paranoid, standards-conscious folks with which I consort is:
>
> Strong (2048 or above) RSA Primary signing key
>     for collecting signatures and being long-term reliable
>     for signing other keys
> Standard (1024) DSA signing subkey
>     for (legally?) signing documents and emails
>     (signing subkeys are automatically used in favor of primary keys by
>     gnupg for this)
> Strong (2048 or above) ElGamal encryption subkey

Given the fact that I am a paranoid, standards-conscious person:

I should now revoke my current key-ring because the primary key is DSA. I should then start over using a primary RSA with 2048 bits instead.

If this is a good idea, it's best that I do it now that I'm just getting started and my key-ring is pretty empty.

Is this conclusion correct?

If so, is there any further advice for my new key-ring? This is what I'd have in mind:

- 2048 RSA signing -- primary.
- 1024 DSA signing.
- 2048 ElGamal encryption.

Thanks a lot,
-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp/key.html

From wbo@mandrakesoft.com Wed May 14 05:02:01 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Wed May 14 04:02:01 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305140014.58261@erwin.ingo-kloecker.de>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305140014.58261@erwin.ingo-kloecker.de>
Message-ID: <200305140359.05794.wbo@mandrakesoft.com>

** Ingo Klöcker (Wednesday, 14 May 2003 00:14)
>
> KMail has built-in support for clearsigned messages. But support for
> PGP/MIME messages (where the signature is in a separate attachment)
> is only available through a plugin (plugin has been translated as
> "Modul" in the German translation). Read the howto at kmail.kde.org
> if you want to know how to install the appropriate plugin.

Went there, done that, no t-shirt. Did not work.

In detail: I downloaded all the files, did the 3-step waltz on them and the test

$ echo "test" | gpg -ase -r 0xDEADBEEF | gpg

worked all right (of course with my key-id).

All '.configure/make/make check/make install' returned no error so I assumed the installation went all right.

Now I wanted to fill in the plugin into KMail but there is no plugin! According to the website there should be a directory /usr/local/lib/cryptplug with the file gpgme-openpgp.so but there isn't. slocate (after updatedb) returns nothing with this name.

I looked at the config.log in /misc/cryptplug-0.3.15 and found:

...
configure:7762: checking for gpgme-config
configure:7793: result: no
configure:7959: creating ./config.status
...
...
config.status:988: executing depfiles commands
configure:9156: CryptPlug v0.3.15 has been configured as follows:
CryptPlug GPGME: no
...

This may be the problem. But how do I solve it? I'm not knowledgeable enough to solve this although I can do the normal installation of a .tar.gz package.

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From malsyned@cif.rochester.edu Wed May 14 05:14:01 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Wed May 14 04:14:01 2003
Subject: [Fwd: Re: [Q] DSA 1024-bit limit.]
Message-ID: <1052878513.2487.1.camel@dennisx.cif.rochester.edu>

I responded to Daniel's questions and forgot to reply-to-all. woops! Here's that email.

-----Forwarded Message-----
> From: Dennis Lambe Jr.
> To: Daniel Carrera
> Subject: Re: [Q] DSA 1024-bit limit.
> Date: 13 May 2003 20:12:25 -0400
>
> On Tue, 2003-05-13 at 18:29, Daniel Carrera wrote:
> > > You can have more than one key pair on your keyring. To create a key
> > > like that of David Shaw (or mine) you create a new key choosing the
> > > option (5) RSA (sign only). Then you add the other (sub) keys:
> >
> > Thanks. Now I have a 2048-bit RSA key as well.
> >
> > Where can I learn more about how subkeys work? I just tried to do
> > something and I goofed. These are my current keys:
> >
> > Command> list daniel
> > pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2005-05-09 trust: u/u
> > sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
> > sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
> > (1). Daniel Carrera (PhD Student, Math)
> >
> > I tried to change the expire date of the ElGamal key to 2006, but instead
> > it changed that of the DSA key:
> >
> > Command> expire 0D1C25EC
> > [snip]
> > pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2006-05-12 trust: u/u
> > sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
> > sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
> >
> >
> > What just happened there?
>
> (read this carefully, the information you need doesn't make an
> appearance until the second paragraph.)
>
> On the command line, GnuPG treats the KeyIDs of all subkeys as synonyms
> for the primary signing key (for better or for worse). You can tell
> GnuPG that you really do mean what you say by postfixing the KeyID with
> an exclamation point (which requires escaping on the command line) like
> so: E3CA8FAE!
>
> However! This is /not/ the behavior in the edit-key menu. According to
> the FM:
> expire Change the key expiration time. If a subkey is selected, the
> expiration time of this subkey will be changed. With no selection, the
> key expiration of the primary key is changed.
>
> This means that the "expire" command at the edit-keys prompt takes no
> arguments (silently ignoring them), and acts on the selected key. To
> select a subkey, use the "key" command, which takes one numeric index.
> If you wanted to set the expiration of the ElGamal subkey, the proper
> command sequence would be:
> key 1
> expire
>
> >
> > > You can have either DSA (sign) and ElGamal (encrypt), or stay with RSA,
> > > which will allow you to have a bigger signing subkey (2048 bits for
> > > example).
> >
> > Great. How do I do that? I don't mean to ask too many RTFM questions. I
> > am reading the FM, but I don't always find the information I want there.
> > For instance, the man page tells me how to sign keys, but not how to use
> > an alternate key for signing.
>
> When generating a key, you are given the choices:
> (1) DSA and ElGamal (default)
> (2) DSA (sign only)
> (5) RSA (sign only)
>
> Selecting 5 will generate an RSA sign-only key, onto which you can later
> add a DSA signing subkey, an ElGamal encryption subkey, or whatever else
> you'd like. If you use the --expert flag with --gen-key, you get two
> more options, which for one reason or another aren't recommended to
> average users:
> (4) ElGamal (sign and encrypt)
> (7) RSA (sign and encrypt)
>
> I believe (but check me on it) that (7) will allow you to create an old
> sign-and-encrypt RSA key a-la pre-OpenPGP versions of PGP.
>
> One option that the previous responder didn't take into account, but
> which David Shaw recommends and which makes sense to me and the
> paranoid, standards-conscious folks with which I consort is:
>
> Strong (2048 or above) RSA Primary signing key
>     for collecting signatures and being long-term reliable
>     for signing other keys
> Standard (1024) DSA signing subkey
>     for (legally?) signing documents and emails
>     (signing subkeys are automatically used in favor of primary keys by
>     gnupg for this)
> Strong (2048 or above) ElGamal encryption subkey
>
> The proper sequence of --gen-key and --edit-key/addkey commands is left
> as an exercise to the reader, unless the reader objects in a future
> post ;-)
>
> By the way, do any of the experts know if it's possible, and how it's
> possible, to sign someone else's ID with a DSA subkey? I know it's not
> possible to self-sign IDs with it for security purposes, but what about
> signing other people's?
>
> --Dennis Lambe

From malsyned@cif.rochester.edu Wed May 14 05:41:02 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Wed May 14 04:41:02 2003
Subject: [Q] Multiple signing keys (was: DSA 1024-bit limit)
In-Reply-To: <20030514013435.GA10204@math.umd.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu>
Message-ID: <1052880152.2487.30.camel@dennisx.cif.rochester.edu>

> 1) When I sign, how do I specify a non-default signing key?

If you have signing subkeys, the one with the most recent self-signature will be used to sign documents and emails. As far as I can tell, your primary key is the only one which can be used to sign other keys, but I'd like to hear from some more knowledgeable people on that point.

> 2) I don't fully understand the role of the primary key.

Signatures, as you probably know, are made on hashes of data, not the data itself. When a key is signed, what the signature is certifying is that a particular person owns a particular key. In order to do that, the signature must bind a public key to an ID. To accomplish this, OpenPGP specifies that a key signature should be made by combining the public key and the ID (with concatenation, I think), hashing that, and signing the hash.

When a person "signs your key", they're actually signing all (or some) of the identities attached to it. They're certifying that your /primary/ signing key belongs to the identity it claims to.

Remembering that PGP data of all sorts is made up of packets, here's what that part of the key looks like:

:primary public key packet (P1):
:an identity(I1):
:a self-signature(S1): signed hash of the primary public key(P1) and the identity(I1) made by the secret part of the primary key
:another identity(I2):
:a self-signature(S2): signed hash of P1 and the other identity(I2)
:someone else's signature(S3): signed hash of P1 and I2 made by someone who verified that I2, but not necessarily I1, is the owner of P1.

Subkeys are attached to a primary keypair by being signed by the secret part of that keypair. They are known to belong to the owner of the primary keypair so long as the assumption that he's the only one with access to the secret key holds.

So the primary key is more important than any of the subkeys. The reasons are that it collects signatures, that it signs the subkeys (subkeys aren't trusted to sign each other), and that it signs other keys (right? somebody back me up on this last point?).

Yes, it should be at least as secure as any signing subkeys, and there is a case to be made both for and against making it as secure as encryption subkeys. The for argument is the same, and I think you've already got the RSA vs. DSA OpenPGP FAQ that makes the argument against. The summary is:

>> A 1024-bit signature is unlikely to be forged because that forgery would serve as proof that 1024-bit PK encryption has been broken, and whoever broke it wouldn't want to tip their hand and lose the ability to decrypt with impunity just to forge signatures, so they won't forge your signature even if they could. <<

It was based on this information that I made the decision to create my key as follows:

pub 4096R/F53BA904 2003-04-21 Dennis Patrick Lambe Jr.
[...snipped other IDs...]
sub 1024D/16DE8D28 2003-04-21
sub 4096g/BCE387ED 2003-04-21

I believe David Shaw has a similar rationale for his key, which has the same structure. Is that right, David?

--Dennis Lambe

From wbo@mandrakesoft.com Wed May 14 06:03:02 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Wed May 14 05:03:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305140359.05794.wbo@mandrakesoft.com>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305140014.58261@erwin.ingo-kloecker.de> <200305140359.05794.wbo@mandrakesoft.com>
Message-ID: <200305140459.50566.wbo@mandrakesoft.com>

More:

** Wolfgang Bornath (Wednesday, 14 May 2003 03:58)
> Now I wanted to fill in the plugin into KMail but there is no plugin!
> According to the website there should be a directory
> /usr/local/lib/cryptplug with the file gpgme-openpgp.so but there
> isn't. slocate (after updatedb) returns nothing with this name.

Before I added 'use-agent' in my gpg.conf With this option I cannot sign any messages. Looks like with the agent active KMail needs the plugin to work.

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From b.buerger@penguin.de Wed May 14 13:58:02 2003
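
Added example, not part of any message in this thread and not GnuPG code: the key layout Dennis Lambe describes in his "Multiple signing keys" reply above (primary key, identities, self-signatures, other people's signatures, subkeys signed by the primary), read back out of a binary OpenPGP key in Python. The sample key is constructed with dummy key material, the function names are this example's own, and it goes one step beyond the message by listing subkeys whose binding signature does not name the primary key.

```python
import hashlib
import struct

SIG, PUBKEY, USERID, SUBKEY = 2, 6, 13, 14            # OpenPGP packet tags

def length_at(buf, pos, two_octet_max):
    """Decode a 1-, 2- or 5-octet length; return (length, next position)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not valid in key packets")

def read_packets(data):
    """Yield (tag, body) for every packet of a binary (unarmored) key."""
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80 or (hdr & 0x43) == 0x03:
            raise ValueError("unsupported packet header 0x%02X" % hdr)
        if hdr & 0x40:                                # new-format header
            tag, (length, pos) = hdr & 0x3F, length_at(data, pos, 223)
        else:                                         # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def key_id(key_body):
    """V4 key ID: low 64 bits of SHA-1 over 0x99, 2-octet length, key body."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).digest()[-8:].hex().upper()

def sig_type_and_issuer(body):
    """Return (signature type, issuer key ID claimed by a v4 signature)."""
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    pos, issuer = 4, None
    for _area in ("hashed", "unhashed"):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, pos = length_at(body, pos, 254)        # n includes the type octet
            if n and (body[pos] & 0x7F) == 16:        # subpacket 16: issuer key ID
                issuer = body[pos + 1:pos + 9].hex().upper()
            pos += n
    return body[1], issuer

def key_structure(data):
    """Group signatures under the user ID or subkey they follow (issuer unverified)."""
    out = {"primary": None, "direct": [], "uids": [], "subkeys": []}
    sigs = out["direct"]
    for tag, body in read_packets(data):
        if tag == PUBKEY:
            out["primary"] = key_id(body)
        elif tag in (USERID, SUBKEY):
            sigs = []
            name = body.decode("utf-8", "replace") if tag == USERID else key_id(body)
            out["uids" if tag == USERID else "subkeys"].append((name, sigs))
        elif tag == SIG:
            sig_type, issuer = sig_type_and_issuer(body)
            who = "primary" if issuer and issuer == out["primary"] else str(issuer)
            kind = ("bound" if sig_type == 0x18 else
                    "certified" if 0x10 <= sig_type <= 0x13 else "other")
            sigs.append("%s by %s" % (kind, who))
    out["unbound"] = [k for k, s in out["subkeys"] if "bound by primary" not in s]
    return out

def build_sample(other="0123456789ABCDEF"):
    """Constructed key: dummy key material, signature values are not valid."""
    def pkt(tag, body):                               # old-format, 2-octet length
        return bytes([0x80 | tag << 2 | 1]) + struct.pack(">H", len(body)) + body
    def key(algo, material):                          # v4 key body
        return b"\x04" + struct.pack(">IB", 1050883200, algo) + material
    def sig(sig_type, issuer):                        # v4, issuer subpacket only
        head = bytes([4, sig_type, 1, 2, 0, 0, 0, 10, 9, 16])
        return pkt(SIG, head + bytes.fromhex(issuer) + b"\x00\x00\x00\x01\x01")
    p1 = key(1, b"\x00\x18\xC0\xFF\xEE\x00\x11\x01\x00\x01")
    me = key_id(p1)
    return b"".join([
        pkt(PUBKEY, p1),
        pkt(USERID, b"Alice Example <alice@example.org>"), sig(0x13, me),
        pkt(USERID, b"Alice Example <alice@example.net>"), sig(0x13, me), sig(0x10, other),
        pkt(SUBKEY, key(17, b"\x00\x05\x17")), sig(0x18, me),
        pkt(SUBKEY, key(16, b"\x00\x05\x1D")), sig(0x18, me),
        pkt(SUBKEY, key(16, b"\x00\x05\x1F")), sig(0x18, other),   # not bound by primary
    ])

SAMPLE = build_sample()
if __name__ == "__main__":
    print(*key_structure(SAMPLE).items(), sep="\n")
```

For a real key, pass the bytes written by `gpg --export KEYID`; the result shows structure only, since no signature is cryptographically verified.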
From: b.buerger@penguin.de (Bjoern Buerger)
Date: Wed May 14 12:58:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To:
References: <3EC18174.9080706@nahrath.de>
Message-ID: <20030514105829.GA782@susie.penguin.de>

On Tue, 13 May 2003, Eugene Smiley wrote:
> There has been discussion on the PGP-Users mailing list by some
> PGP employees about dealing with the keyserver issue. They know
> it exists, but they are interested in improving the quality of
> the keyserver vs. synchronizing a bunch of unused keys. Creating
> a solution to the existing problems is not an overnight thing.

In fact, it is. It takes ~5-10 hours to set up a full synchronized sks keyserver from scratch. They could also just get a current keyring from one of the synchronized keyserver-admins and feed it into their own server.

If you ask me, it is pretty unprofessional to sell pgp with {keyserver,certserver,etc}.pgp.com as predefined Default and not providing reliable service under those addresses. Even the two preconfigured pgp.com servers were not synchronized with each other about two weeks ago...

If they are not able to set up a simple keyserver, they should just fill the default keyserver list of PGP with some of the open keyservers. That would solve most of the current problems.

> > Gives me plenty of trouble, since I made a friend change from
> > PGP to GPG and now he can't find his other PGP using friends any
> > more ...

Michael is right. It's a pain. To be clear, the whole keyserver system is a pain at the moment. When I did a survey about OpenPGP usage at our Linux User Group, the keyserver system was the big showstopper for most people.

> I tend to send my keys to multiple servers whether I am using PGP
> or GPG to mitigate the issue of people not finding it.

Yes, many people do so. But this is a very bad solution.

Ciao,
Bjørn

-- 
+-----------+   OpenPGP Keyserver
|\  O--vm  /|   --------------------------------
|/`-------'\|   http://sks.keyserver.penguin.de
+-----------+

From gnupg-users@nahrath.de Wed May 14 16:00:04 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Wed May 14 15:00:04 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030514011922.GE25493@jabberwocky.com>
References: <20030511195706.GA1352@math.umd.edu> <20030511203631.GA4414@jabberwocky.com> <3EC1030B.9040302@nahrath.de> <20030513211502.GB25493@jabberwocky.com> <3EC18174.9080706@nahrath.de> <20030514011922.GE25493@jabberwocky.com>
Message-ID: <3EC23DF5.3040106@nahrath.de>

David Shaw wrote:

>>>>OTOH all GPG applications default to the HKP network and GPG can't even
>>>>fully access the LDAP keyservers.

After current test results I have to take that back.

>>[michi@localhost]~$ gpg --keyserver ldap://keyserver.pgp.com --send-keys
>>99242560
>>gpgkeys: error adding key 99242560 to keyserver: Already exists
>>gpg: keyserver internal error
>>
>>Currently I don't have a key to change, but next time I have to sign a key
>>I'll try to check if this is simply an erroneous error-message.
>
> Not erroneous - that is an actual error. You tried to add 99242560 to
> the keyserver, and it's already there. It's not what I'd call a
> terribly *serious* error... ;)

Usually sending a key is not only for the first time upload but also to update it with new signatures, UIDs etc.

But strangely this seems to be special for David's key (sorry for using and uploading it as an example - I was too quick in copy&paste).

I can upload my own key to the ldap keyserver several times without any answer or warning:

$ gpg --keyserver ldap://keyserver.pgp.com --send-keys 9A4C704C

I checked

$ gpg --keyserver ldap://keyserver.pgp.com --no-default-keyring \
  --keyring test --recv-key 9A4C704C
$ gpg --keyserver ldap://keyserver.pgp.com --no-default-keyring \
  --keyring test --list-sigs 9A4C704C

My key is complete so it seems that the upload has been successful.

Nice surprise at least!

>> Gives me plenty of trouble, since I made a friend change from PGP to GPG and
>> now he can't find his other PGP using friends any more ...
>
> Tell your friend to put "keyserver ldap://keyserver.pgp.com" in his
> gpg.conf file and he's done.

That is what I did. But it is one step further from 'works out of the box' and 'works for everyone' :-(

Understanding public key crypto is hard enough for the users. Flaws in the infrastructure make it even harder - unnecessarily.

Greeting,
Michi

From gnupg-users@nahrath.de Wed May 14 16:23:04 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Wed May 14 15:23:04 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <20030514105829.GA782@susie.penguin.de>
References: <3EC18174.9080706@nahrath.de> <20030514105829.GA782@susie.penguin.de>
Message-ID: <3EC2435F.9040308@nahrath.de>

Bjoern Buerger wrote:

> When I did a survey about OpenPGP
> usage at our Linux User Group, the keyserver system was the
> big showstopper for most people.

Oh, this is even the case in a LUG. I always thought they are the tough technical guys.

Usually I have to deal with Mac users ... ;-)

Greeting,
Michi

From mwood@IUPUI.Edu Wed May 14 16:36:04 2003
From: mwood@IUPUI.Edu (Mark H. Wood)
Date: Wed May 14 15:36:04 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>
Message-ID:

On Tue, 13 May 2003, Jason Harris wrote:
> On Tue, May 13, 2003 at 05:52:47PM +0400, Yenot wrote:
[snip]
> > Advertising e-mail addresses combined with a list of your closest
> > contacts (via signatures) works well for an authentication
> > protocol, but it's not a good privacy protocol.
>
> Privacy and anonymity are two separate things.

Hear, hear. I'm often surprised at the variety of things which get lumped together these days under the heading "privacy", still more under "security".

> Assume we didn't, but still wanted to encrypt email. At a keysigning,
> we'd have to provide our email addresses anyway. (Photo IDs might be
> irrelevant if we're not certifying everyone's real name for any
> auxiliary purposes.) We could take everyone's word that they own the
> keys they claim to own, or we could email them encrypted challenges.
> In our MUAs, we'd probably manually associate key with email addresses.
> This gives us keys which can't be harvested for their email addresses
> and can't be attached to a real person unless you've met them at a
> keysigning or do traffic analysis on their email. (If needed, use
> --throw-keyid so that anyone doing traffic analysis can't attribute
> a specific key[id] to that person.)
>
> (If you need even more anonymity, wear masks at the keysigning and
> communicate through anonymous channels.)
>
> The WoT doesn't cease to exist for "anonymous" keys. In fact, it
> becomes purer. If you don't have a trust path to an "anonymous" key,
> you can't even put any trust into it based on a name or email address
> that you might be willing to trust.

I need a little help here. What, exactly, would an "anonymous" key *mean*? To what would a document signed by such a key be bound, and why would I care?

(I'm always swimming against the current. While it seems everyone else wants to become invisible, I've been wondering how to go about getting really high-quality identity documents, both paper and electronic. I *want* to be well-known, *on my terms*.)

--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".

From claws@thewildbeast.co.uk Wed May 14 17:58:03 2003
From: claws@thewildbeast.co.uk (Paul)
Date: Wed May 14 16:58:03 2003
Subject: Keys not trusted
In-Reply-To: <200305111455.24901@erwin.ingo-kloecker.de>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de>
Message-ID: <20030514160201.4c425838.claws@thewildbeast.co.uk>

On Sun, 11 May 2003 14:55:23 +0200 Ingo Klöcker wrote:

> > Do the developers of Kmail, Sylpheed, and/or Enigmail have a vision
> > of how the mail agent of the future can increase the use of PGP for
> > casual Internet communications without making major compromises on
> > the security of more serious communications with known entities?
>
> IMO KMail is already almost there. The only thing which is missing is an
> easy way to download missing keys. And in KDE 3.2 there will be KGpg
> which allows easy key management. If you think KMail is missing a
> useful feature then please file a wish at bugs.kde.org.

IMO Sylpheed(-Claws) is already almost there too. It does already have an easy way to download missing keys (via the Actions feature), but is still lacking support for the encapsulation method.

best regards

Paul

From Todd Wed May 14 18:51:05 2003
From: Todd (Todd)
Date: Wed May 14 17:51:05 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de> <200305131719.26463.yenot@sec.to> <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>
Message-ID: <20030514155114.GY32053@psilocybe.teonanacatl.org>

Jason Harris wrote:
> On Tue, May 13, 2003 at 05:52:47PM +0400, Yenot wrote:
>> In order to protect the masses, we need opportunistic encryption.
>
> Protect them asses from what and/or whom?

Them asses or the masses? (I know, often there isn't a difference. :)

> If they don't have a threat model, maybe they have nothing to defend.

One thing that opportunistic encryption helps stop is the passive (and massive) eavesdropping that is a favorite of police states (e.g. carnivore). Sure, it doesn't stop MITM attacks, but it does severely limit who can see your email contents and what it will cost them to try.

Plus, in general, the increase in encrypted traffic is a benefit to all. It takes effort for the eavesdroppers to figure out which messages and users are using weak (or non-existent) trust models/policies and which users are not. This slows them down. If major governments want to spy on everyone, why not make it as hard for them as possible?

--
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
Choose in marriage only a woman whom you would choose as a friend if she were a man. -- Joubert

From jharris@widomaker.com Wed May 14 19:43:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Wed May 14 18:43:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To:
References: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>
Message-ID: <20030514164425.GE87246@pm1.ric-30.lft.widomaker.com>

On Wed, May 14, 2003 at 08:36:54AM -0500, Mark H. Wood wrote:
> On Tue, 13 May 2003, Jason Harris wrote:

> > The WoT doesn't cease to exist for "anonymous" keys. In fact, it
> > becomes purer. If you don't have a trust path to an "anonymous" key,
> > you can't even put any trust into it based on a name or email address
> > that you might be willing to trust.
>
> I need a little help here. What, exactly, would an "anonymous" key
> *mean*? To what would a document signed by such a key be bound, and why
> would I care?

It depends on your signature path to the key. If you have one hop through a trusted friend who knows the keyholder and will tell you lots of things about the keyholder except their name and email address, you might not care that you don't know the person's real name. A signature from the keyholder would be just as useful as one from someone your friend knows who put their name on their key.

If you have 4 hops to the key but you wore masks at the keysigning that established the signature path and you know that the "secret society" that held the keysigning is really strict about proper PGP usage, you can be pretty sure the keyholder is a member.

Also read:

http://www.cryptnet.net/fdp/crypto/guerrilla-devl.html

where it starts talking about "software written pseudonymously."

> (I'm always swimming against the current. While it seems everyone else
> wants to become invisible, I've been wondering how to go about getting
> really high-quality identity documents, both paper and electronic. I
> *want* to be well-known, *on my terms*.)

Typically governments issue "paper" identity documents to you (birth certificate, SSN card, driver's license, passport). You then use a DL and/or passport at PGP keysignings (see my website) to prove to others that your paper identity matches your electronic one.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From wk@gnupg.org Wed May 14 20:00:03 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 14 19:00:03 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513114718.DC06.DENISMCCAULEY@ifrance.com> (Denis McCauley's message of "Tue, 13 May 2003 11:53:42 -1000")
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com>
Message-ID: <871xz1bh0k.fsf@alberti.g10code.de>

On Tue, 13 May 2003 11:53:42 -1000, Denis McCauley said:

> IMO, the real worry with the 1024-bit limit on regular DSA keys is that
> they are the primary keys on which you collect the signatures that
> construct your web of trust. If you have to revoke them because they are

Please consider all facts relevant to the security of your key. The length of the key is not that important as long as it has a sound size (i.e. > 768 bits). Speculating about when it can be broken and not considering facts with a much higher chance of a key compromise is shortsighted.

It can't be said often enough: Cryptography is only as strong as the weakest subsystem. So compare the probabilities of, say:

 * a new and really fast way to solve the DLP (and there can't be any certainty that the size of the key is always a major parameter). This might be a new algorithm or a new hardware design.

 * breaking of the hash algorithm (SHA-256 is still quite new)

 * physical access to your key (rubber hose attack or a hired burglar)

 * a BIOS of your box or a clever CPU (think Transmeta) identifying secret keys and posting them to a newsgroup.

 * a rogue OS

 * a trojan

 * a bug in the compiler, linker etc.

 * A malicious compiler (remember Dennis Ritchie).

 * a bug in GnuPG

 * a user error

If you can truly identify the length of the key as a worrisome fact, you may want to give up the nice short DSA signature for large RSA signature blobs.

If you evaluate that, take your attack scenario into account: A key used as a top level CA may need other properties than one used every day on your machine with millions - of easy to subvert - code lines.

Shalom-Salam,

Werner

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Wed May 14 21:40:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 14 20:40:02 2003
Subject: [ERROR] gpg: waiting for lock
In-Reply-To: <20030513211931.GB2552@math.umd.edu> (Daniel Carrera's message of "Tue, 13 May 2003 17:19:32 -0400")
References: <20030513210147.GA2552@math.umd.edu> <20030513211931.GB2552@math.umd.edu>
Message-ID: <87u1bx9xou.fsf@alberti.g10code.de>

On Tue, 13 May 2003 17:19:32 -0400, Daniel Carrera said:

> Alright. I now know that this error is because GnuPG creates the file
> ~/.gnupg/secring.gpg.lock and should remove it when it's done. For some
> reason it hasn't done that a few times. Is this something I should worry
> about? Is it safe to just delete this file and move on?

There is probably a reason that the file has not been removed. It is not easy to tell why; strace-ing it might yield an answer.

It is safe to remove these files as long as no other gpg processes are active.

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Wed May 14 21:40:35 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 14 20:40:35 2003
Subject: [OT?] No more financial support for GnuPG
In-Reply-To: (Juergen Fenn's message of "Tue, 13 May 2003 22:46:14 +0200")
References:
Message-ID: <87wugt9xry.fsf@alberti.g10code.de>

On Tue, 13 May 2003 22:46:14 +0200, Juergen Fenn said:

> According to German IT news service heise.de the German Federal
> Government will no longer sponsor development of GnuPG:

Well, it says that there won't be any direct funding[1]. The reason is that they want to foster competition and not finance a few projects.

The problem is that a Free Software project won't be able to compete against a proprietary product as long as the long term values of Free Software are not understood by most people responsible for IT decisions. Software development is expensive and whether it is proprietary or free doesn't change much of the actual development costs. There are other costs involved with commercial products (e.g. advertising) which a Free Software project can't afford because there is no way of re-financing this utilizing the money printing machinery of license fees (if you are one of the not so many with a "killer" application). Thus, any competition between a Free Software project and a proprietary product will be unfair.

The big advantages of Free Software are the avoidance of vendor lock-in, the in general better standard compliance, the abstain of unneeded gadgets for marketing reasons and the huge base of valuable testers and other helpers. Still this can't compete with a commercial and proprietary product. Taking me as an example, I spend a lot of my time with general GnuPG maintenance and trying to find additional time to do new developments - only a very small amount of this gets paid for by consulting/support/development. This is a hard business and I recall several times when I considered to give it all up and take a straight coder job somewhere. As long as the perception of Free Software is directed towards the free as in beer aspect, I doubt that it will change.

Advertised bidding with fair treatment of Free Software companies are of course a good solution to foster the development of Free Software. In my experience, those tenders often stress too often the money saving factor and do not consider the extra value given by non-vendor lock-in and better standard compliance. Support contracts are also a good revenue source but there are too many answers already available on the net .-) so that companies might not consider to seek for commercial support.

> I would like to ask what will be the implications from this? Support
> worth millions of Euros has been put on halt, heise.de says. German

That is in so-far not true, as the article from last fall talking about this has to be considered a fake - according to German officials.

> platforms unless there would have been some sponsoring. So will this
> change of policy slow down or even threaten further development of
> GnuPG for Windows?

I can only speak for me and my company: Without financial support we won't be able to do much for Windows; so it is up to the volunteer to do this in their spare time or with other companies' resources.

Salam-Shalom,

Werner

[1] Regarding the funding activities: There used to be the GnuPG funding of the BMWi in 1999/2000 with a total amount of 140kEuro (where we learned a lot on how not to spend money for ;-) and the GnuPP CD + manual project in early 2002; I don't know any details about the latter.

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Wed May 14 21:45:03 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 14 20:45:03 2003
Subject: [Q] Multiple signing keys
In-Reply-To: <1052880152.2487.30.camel@dennisx.cif.rochester.edu> ("Dennis Lambe Jr."'s message of "13 May 2003 22:42:32 -0400")
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu> <1052880152.2487.30.camel@dennisx.cif.rochester.edu>
Message-ID: <87r8719xf2.fsf@alberti.g10code.de>

On 13 May 2003 22:42:32 -0400, Dennis Lambe said:

> As far as I can tell, your primary key is the only one which can be used
> to sign other keys, but I'd like to hear from some more knowledgeable
> people on that point.

Correct. The primary key is used to bind the user IDs as well as secondary keys to the primary key. So it is _kind of_ a master key.

> OpenPGP specifies that a key signature should be made by combining the
> public key and the ID (with concatenation, I think), hashing that, and

Correct. There is some canonicalization, though.

Shalom-Salam,

Werner

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From linux@codehelp.co.uk Wed May 14 22:56:02 2003
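The key-signature hashing discussed in the message above, as an added example (not code from the thread or from GnuPG): it builds the octets a version 4 user ID certification hashes as laid out in RFC 4880 section 5.2.4, and shows one normalization step, the key being hashed under a fixed 0x99 header however its packet was stored. The key material, user ID and timestamps are constructed, and reading that step as the "canonicalization" mentioned in the reply is an assumption.

```python
import hashlib
import struct


def mpi(n):
    """OpenPGP multiprecision integer: 2-octet big-endian bit count, then the value."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def packet_body(raw):
    """Strip an old- or new-format packet header and return (tag, body)."""
    first = raw[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                      # new format: tag in the low 6 bits
        tag, o1 = first & 0x3F, raw[1]
        if o1 < 192:
            length, start = o1, 2
        elif o1 < 224:
            length, start = ((o1 - 192) << 8) + raw[2] + 192, 3
        elif o1 == 255:
            length, start = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                                 # old format: tag in bits 5-2, length type in bits 1-0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate lengths are not handled here")
        n = (1, 2, 4)[ltype]
        length, start = int.from_bytes(raw[1:1 + n], "big"), 1 + n
    body = raw[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def sig_hashed_part(sig_type, pk_algo, hash_algo, subpackets):
    """Signature fields covered by the hash: version 4 through the hashed subpackets."""
    return (bytes([4, sig_type, pk_algo, hash_algo])
            + struct.pack(">H", len(subpackets)) + subpackets)


def certification_preimage(key_packet, user_id, sig_hashed):
    """Octets hashed for a v4 certification of user_id on the given public key."""
    tag, key_body = packet_body(key_packet)
    if tag != 6:
        raise ValueError("expected a public-key packet (tag 6)")
    uid = user_id.encode("utf-8")
    return b"".join([
        # The key is always hashed as 0x99 + 2-octet length + body,
        # regardless of the header it carried in the keyring.
        b"\x99", struct.pack(">H", len(key_body)), key_body,
        # The user ID is hashed as 0xB4 + 4-octet length + text.
        b"\xb4", struct.pack(">I", len(uid)), uid,
        sig_hashed,
        # v4 trailer: version, 0xFF, length of the hashed signature fields.
        b"\x04\xff", struct.pack(">I", len(sig_hashed)),
    ])


def certification_digest(key_packet, user_id, sig_hashed):
    """SHA-1 over the preimage; the result is what the signer's key signs."""
    return hashlib.sha1(certification_preimage(key_packet, user_id, sig_hashed)).digest()


# Constructed sample data. The four MPIs are toy numbers, not a usable DSA key.
KEY_BODY = (bytes([4]) + struct.pack(">I", 0x3EBD0000) + bytes([17])   # v4, created, DSA
            + b"".join(mpi(x) for x in (23, 11, 4, 8)))                # p, q, g, y
OLD_FORMAT_KEY = b"\x98" + bytes([len(KEY_BODY)]) + KEY_BODY           # old header, 1-octet length
NEW_FORMAT_KEY = b"\xc6" + bytes([len(KEY_BODY)]) + KEY_BODY           # new header, same body
USER_ID = "Alice Example <alice@example.org>"
CREATION_SUBPACKET = bytes([5, 2]) + struct.pack(">I", 0x3EC20000)     # type 2: creation time
SIG_HASHED = sig_hashed_part(0x13, 17, 2, CREATION_SUBPACKET)          # positive cert, DSA, SHA-1

if __name__ == "__main__":
    for name, pkt in (("old header", OLD_FORMAT_KEY), ("new header", NEW_FORMAT_KEY)):
        print(name, certification_digest(pkt, USER_ID, SIG_HASHED).hex())
```

Both header encodings print the same digest, and every length field in the preimage is written big-endian octet by octet.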
From: linux@codehelp.co.uk (Neil Williams)
Date: Wed May 14 21:56:02 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513222948.GA9909@math.umd.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu>
Message-ID: <200305141944.56640.linux@codehelp.co.uk>

On Tuesday 13 May 2003 11:29 pm, Daniel Carrera wrote:
> Thanks. Now I have a 2048-bit RSA key as well.

(sent to Keyserver?) I'm only kidding, if this is a test key, you'd be best keeping it off a keyserver for now until you've got your expiry dates etc. sorted.

> Where can I learn more about how subkeys work? I just tried to do
> something and I goofed. These are my current keys:
>
> Command> list daniel
> pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2005-05-09 trust: u/u
> sub 2048g/0D1C25EC created: 2003-05-10 expires: 2005-05-09
> sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
> (1). Daniel Carrera (PhD Student, Math)
>
> I tried to change the expire date of the ElGamal key to 2006, but instead
> it changed that of the DSA key:

If it's anything like other edit-key options, you need to SELECT the subkey first: sub 1 (I think) similar to the uid selection command.

Until it gets to a keyserver, it's easy to change the expiry date back and keep playing with the options.

--
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/

From Johan.Parin@abc.se Wed May 14 22:59:02 2003
From: Johan.Parin@abc.se (Johan Parin)
Date: Wed May 14 21:59:02 2003
Subject: Using GnuPG on Windows/Linux
Message-ID:

Hi all,

I'm sure this has been asked before, but I couldn't find anything in the HOWTO, Guide or FAQ.

I am dual booting Linux and Windows XP and I want to use GnuPG on both systems. Of course I want to use the same keyrings etc. This means things need to be stored on a Windows (FAT) partition. The problem is how to set up things on the Linux side so it uses the files on the FAT partition.

My first approach was to set the keyring and secret-keyring variables in the options file. The problem with this is that when the keyrings are updated GnuPG wants to lock those files, which is not possible on the FAT partitions. Also, this approach doesn't take care of the trustdb file.

My second approach was to make symlinks in my ~/.gnupg to the keyrings and the trustdb on the FAT partition. The problem with this is that when the keyrings are updated, they are *recreated*, thus destroying the symlinks.

I think the best approach would probably be to set the GNUPGHOME variable to the directory on the FAT partition, bc really all files should be shared, right? But this means the file locking problem needs to be solved. I noticed there is a `lock-never' option but it doesn't feel quite safe.

What would be the best way to set this up? Any suggestions welcome.

--
Johan Parin

From burns@runbox.com Thu May 15 00:14:02 2003
From: burns@runbox.com (Burns)
Date: Wed May 14 23:14:02 2003
Subject: [OT?] No more financial support for GnuPG
Message-ID: <20030514211519.6437.qmail@web10503.mail.yahoo.com>

Does GnuPG have a donations page? If it does, I haven't noticed it.

Some examples of what I mean:

Ways to Support KDE
http://www.kde.org/support/support.php

Contributing to The Apache Software Foundation
http://www.apache.org/foundation/contributing.html

The FreeBSD Foundation
http://www.freebsdfoundation.org/index.html#donations

Friends of GNOME
http://www.gnome.org/friends/

Randy

--- Werner Koch wrote:
> On Tue, 13 May 2003 22:46:14 +0200, Juergen Fenn said:
>
> > According to German IT news service heise.de the German Federal
> > Government will no longer sponsor development of GnuPG:
>
> Well, it says that there won't be any direct funding[1]. The reason
> is that they want to foster competition and not finance a few
> projects.
>
> The problem is that a Free Software project won't be able to compete
> against a proprietary product as long as the long term values of Free
> Software are not understood by most people responsible for IT
> decisions. Software development is expensive and whether it is
> proprietary or free doesn't change much of the actual development
> costs. There are other costs involved with commercial products
> (e.g. advertising) which a Free Software project can't afford because
> there is no way of re-financing this utilizing the money printing
> machinery of license fees (if you are one of the not so many with a
> "killer" application). Thus, any competition between a Free Software
> project and a proprietary product will be unfair.
>
> The big advantages of Free Software are the avoidance of vendor
> lock-in, the in general better standard compliance, the abstain of
> unneeded gadgets for marketing reasons and the huge base of valuable
> testers and other helpers. Still this can't compete with a commercial
> and proprietary product. Taking me as an example, I spend a lot of my
> time with general GnuPG maintenance and trying to find additional time
> to do new developments - only a very small amount of this gets paid
> for by consulting/support/development. This is a hard business and I
> recall several times when I considered to give it all up and take a
> straight coder job somewhere. As long as the perception of Free
> Software is directed towards the free as in beer aspect, I doubt that
> it will change.
>
> Advertised bidding with fair treatment of Free Software companies are
> of course a good solution to foster the development of Free Software.
> In my experience, those tenders often stress too often the money
> saving factor and do not consider the extra value given by non-vendor
> lock-in and better standard compliance. Support contracts are also a
> good revenue source but there are too many answers already available
> on the net .-) so that companies might not consider to seek for
> commercial support.
>
> > I would like to ask what will be the implications from this? Support
> > worth millions of Euros has been put on halt, heise.de says. German
>
> That is in so-far not true, as the article from last fall talking
> about this has to be considered a fake - according to German
> officials.
>
> > platforms unless there would have been some sponsoring. So will this
> > change of policy slow down or even threaten further development of
> > GnuPG for Windows?
>
> I can only speak for me and my company: Without financial support we
> won't be able to do much for Windows; so it is up to the volunteer to
> do this in their spare time or with other companies' resources.
>
>
> Salam-Shalom,
>
> Werner
>
>
> [1] Regarding the funding activities: There used to be the GnuPG
> funding of the BMWi in 1999/2000 with a total amount of 140kEuro
> (where we learned a lot on how not to spend money for ;-) and the
> GnuPP CD + manual project in early 2002; I don't know any details
> about the latter.
>

From dcarrera@math.umd.edu Thu May 15 00:24:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Wed May 14 23:24:02 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <871xz1bh0k.fsf@alberti.g10code.de>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <871xz1bh0k.fsf@alberti.g10code.de>
Message-ID: <20030514212508.GA3205@math.umd.edu>

On Wed, May 14, 2003 at 07:00:11PM +0200, Werner Koch wrote:

> It can't be said often enough: Cryptography is only as strong as the
> weakest subsystem. So compare the probabilities of, say:
>
> * breaking of the hash algorithm (SHA-256 is still quite new)

Does RSA signing use the same hash algorithm?
Is the security of SHA-256 believed to be comparable to 1024-bit ElGamal (as the second component of DSA)?

> * physical access to your key (rubber hose attack or a hired
> burglar)

Since my key is encrypted in my hard drive, getting access to it should not compromise my key, correct?
So a hired burglar shouldn't do much good, right? (assuming I have a good enough password of course).

> * a BIOS of your box or a clever CPU (think Transmeta) identifying
> secret keys and posting them to a newsgroup.
>
> * a rogue OS
>
> * a trojan

Doesn't the encryption of the key take care of these?

> If you can truly identify the length of the key as a worrisome fact,
> you may want to give up the nice short DSA signature for large RSA
> signature blobs.

I'm still hoping to learn how I can use two different signing keys.
Once I have my two keys, how can I switch from signing with one to the other.
--
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp/key.html

From vedaal@hush.com Thu May 15 00:59:02 2003
From: vedaal@hush.com (vedaal@hush.com)
Date: Wed May 14 23:59:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
Message-ID: <200305142159.h4ELxNPa052705@mailserver2.hushmail.com>

{if this doesn't verify, it's hush's fault ;-) }

>Message: 4
>Date: Wed, 14 May 2003 08:36:54 -0500 (EST)
>From: "Mark H. Wood"
>To: GNU Privacy Guard users
>Subject: Re: Opportunistic Encryption [Was: Keys not trusted]

[...]

>I need a little help here. What, exactly, would an "anonymous"
>key
>*mean*? To what would a document signed by such a key be bound,
> and why
>would I care?

[...]

consider the case of an anonymous user/poster on the net, who consistently signs posts with a certain key

depending on the content of the posts, whether accurate, informative, civil, or just plain interesting, knowing that a post, article, or file, has been signed by that key, can be useful in determining how to consider the information there.

{ignore it as irrelevant, downloading it and read it as an informative resource, or just casually checking it because 'the person who signs with that key usually has an interesting take on things' }

it provides a very nice forum for an individual's ideas to be considered on their objective merits, and to be able to build a reputation based on those ideas, while still maintaining a comfortable barrier of anonymity, between the person's interests and hobbies, and the person's personal and professional life.

[...]

>(I'm always swimming against the current. While it seems everyone
>else
>wants to become invisible, I've been wondering how to go about getting
>really high-quality identity documents, both paper and electronic.
> I
>*want* to be well-known, *on my terms*.)

[...]

having your preferred key signed by other already 'well-known' respected people in your area of interest, might be a simple practical start ...

with Respect,

From ingo.kloecker@epost.de Thu May 15 01:04:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Thu May 15 00:04:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305140359.05794.wbo@mandrakesoft.com>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305140014.58261@erwin.ingo-kloecker.de> <200305140359.05794.wbo@mandrakesoft.com>
Message-ID: <200305142304.35208@erwin.ingo-kloecker.de>

On Wednesday 14 May 2003 03:58, Wolfgang Bornath wrote:
> ** Ingo Klöcker (Wednesday, 14 May 2003 00:14)
>
> > KMail has built-in support for clearsigned messages. But support
> > for PGP/MIME messages (where the signature is in a separate
> > attachment) is only available through a plugin (plugin has been
> > translated as "Modul" in the German translation). Read the howto at
> > kmail.kde.org if you want to know how to install the appropriate
> > plugin.
>
> Went there, done that, no t-shirt. Did not work.
> In detail:
> I downloaded all the files, did the 3-step waltz on them and the test
>
> $ echo "test" | gpg -ase -r 0xDEADBEEF | gpg
>
> worked all right (of course with my key-id).

What do you mean by "worked all right"? Did the pinentry program pop up? Or did you simply enter the passphrase on the command line? If the latter is the case then it did not work all right.

> All '.configure/make/make check/make install' returned no error so I
> assumed the installation went all right.
>
> Now I wanted to fill in the plugin into KMail but there is no plugin!
> According to the website there should be a directory
> /usr/local/lib/cryptplug with the file gpgme-openpgp.so but there
> isn't. slocate (after updatedb) returns nothing with this name.
>
> I looked at the config.log in /misc/cryptplug-0.3.15 and found:
>
> ...
> configure:7762: checking for gpgme-config
> configure:7793: result: no
> configure:7959: creating ./config.status
> ...
> ...
> config.status:988: executing depfiles commands
> configure:9156:
> CryptPlug v0.3.15 has been configured as follows:
>
> CryptPlug GPGME: no
> ...
>
> This may be the problem. But how do I solve it? I'm not knowledgeable
> enough to solve this although I can do the normal installation of a
> .tar.gz package.

Well, obviously gpgme-config is missing for some reason (it should be in /usr/local/bin if you didn't change the install prefix with the --prefix option). Did installing gpgme really work?

Regards,
Ingo

From ingo.kloecker@epost.de Thu May 15 01:04:31 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Thu May 15 00:04:31 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305140459.50566.wbo@mandrakesoft.com>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305140359.05794.wbo@mandrakesoft.com> <200305140459.50566.wbo@mandrakesoft.com>
Message-ID: <200305142305.18458@erwin.ingo-kloecker.de>

On Wednesday 14 May 2003 04:59, Wolfgang Bornath wrote:
> More:
>
> ** Wolfgang Bornath (Wednesday, 14 May 2003 03:58)
>
> > Now I wanted to fill in the plugin into KMail but there is no
> > plugin! According to the website there should be a directory
> > /usr/local/lib/cryptplug with the file gpgme-openpgp.so but there
> > isn't. slocate (after updatedb) returns nothing with this name.
>
> Before I added 'use-agent' in my gpg.conf
> With this option I cannot sign any messages. Looks like with the
> agent active KMail needs the plugin to work.

This will be fixed in KMail 1.5.2.

Regards,
Ingo

From lovecraftesque@yahoo.com Thu May 15 01:07:21 2003
From: lovecraftesque@yahoo.com (JC)
Date: Thu May 15 00:07:21 2003
Subject: Endianness issues with GPG
Message-ID: <20030514220756.97093.qmail@web11405.mail.yahoo.com>

In my naivete, I assumed that a file encrypted with GPG, using whatever symmetric algorithm kicks in by default, on a little endian machine could not be appropriately decrypted on a big endian machine, unless it is generated with an ASCII armor.

Having checked out that the binary files produced by GPG-encrypting a file without ASCII armor in a little endian platform can be decrypted in a big endian one, without any other provisos (i.e. my assumption was wrong) I wonder if anyone could provide a rigorous justification for this? Please, forgive me and my ignorance if this is a trivial issue.

From malsyned@dennisx.cif.rochester.edu Thu May 15 02:06:02 2003
From: malsyned@dennisx.cif.rochester.edu (malsyned@dennisx.cif.rochester.edu)
Date: Thu May 15 01:06:02 2003
Subject: Endianness issues with GPG
In-Reply-To: <20030514220756.97093.qmail@web11405.mail.yahoo.com>
References: <20030514220756.97093.qmail@web11405.mail.yahoo.com>
Message-ID:

> Having checked out that the binary files produced
> by GPG-encrypting a file without ASCII armor in a
> little endian platform can be decrypted in a big
> endian one, without any other provisos (i.e. my
> assumption was wrong) I wonder if anyone could provide
> a rigorous justification for this? Please, forgive me
> and my ignorance if this is a trivial issue.

Most of the data in any OpenPGP message is treated as a sequence of octets (8-bit bytes), and so there wouldn't be any more endianness trouble with those parts of the message than there would with everyone's favorite type of octet stream, the ASCII text file.

Some chunks of data in an OpenPGP message, however, do deal in multi-byte chunks, and so endianness issues do become relevant. However, the OpenPGP standard, RFC 2440, disambiguates this issue by requiring all multi-byte data to be in big-endian. Here are some of the relevant sections from the RFC:

---

3.1. Scalar numbers

Scalar numbers are unsigned, and are always stored in big-endian format. Using n[k] to refer to the kth octet being interpreted, the value of a two-octet scalar is ((n[0] << 8) + n[1]). The value of a four-octet scalar is ((n[0] << 24) + (n[1] << 16) + (n[2] << 8) + n[3]).

3.2. Multi-Precision Integers

Multi-Precision Integers (also called MPIs) are unsigned integers used to hold large integers such as the ones used in cryptographic calculations.

An MPI consists of two pieces: a two-octet scalar that is the length of the MPI in bits followed by a string of octets that contain the actual integer.

These octets form a big-endian number; a big-endian number can be made into an MPI by prefixing it with the appropriate length.
---

Most standards, especially Internet RFCs, address the endianness issue so that crossplatform interoperability can be ensured. I hope that clears up your confusion.

--Dennis Lambe

From dcarrera@math.umd.edu Thu May 15 02:17:02 2003
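Added example, not part of any message in this thread: the scalar and MPI rules from RFC 2440 sections 3.1 and 3.2 quoted in Dennis Lambe's reply, written as a small reader and writer that never consults the host byte order. The function names and sample octets are this example's own; the strict bit-length check is an assumption about how strict a parser should be, not GnuPG's behaviour.

```python
"""OpenPGP scalars and MPIs as described in RFC 2440 sections 3.1 and 3.2.

Illustration only; all names here are hypothetical, not GnuPG's.
"""


def scalar(octets: bytes) -> int:
    """Value of a two- or four-octet scalar, built octet by octet (3.1)."""
    if len(octets) not in (2, 4):
        raise ValueError("OpenPGP scalars are two or four octets long")
    value = 0
    for octet in octets:              # n[0] is the most significant octet
        value = (value << 8) + octet
    return value


def read_mpi(buf: bytes, offset: int = 0):
    """Parse one MPI at `offset`; return (integer, offset of next field)."""
    if len(buf) - offset < 2:
        raise ValueError("truncated MPI length field")
    bit_len = scalar(buf[offset:offset + 2])
    byte_len = (bit_len + 7) // 8     # the length field counts bits
    start = offset + 2
    end = start + byte_len
    if end > len(buf):
        raise ValueError("truncated MPI body")
    value = int.from_bytes(buf[start:end], "big")
    # Strict check (an assumption of this example): the declared bit count
    # must be the position of the highest set bit, so padded or mislabelled
    # MPIs are rejected instead of silently accepted.
    if value.bit_length() != bit_len:
        raise ValueError("MPI bit length does not match the stored integer")
    return value, end


def write_mpi(value: int) -> bytes:
    """Serialise a non-negative integer as an MPI."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bit_len = value.bit_length()
    if bit_len > 0xFFFF:
        raise ValueError("integer too large for a two-octet bit count")
    body = value.to_bytes((bit_len + 7) // 8, "big")
    return bit_len.to_bytes(2, "big") + body


def read_mpis(buf: bytes, count: int):
    """Read `count` consecutive MPIs, as a key or signature packet stores them."""
    values, offset = [], 0
    for _ in range(count):
        value, offset = read_mpi(buf, offset)
        values.append(value)
    if offset != len(buf):
        raise ValueError("trailing octets after the last MPI")
    return values


def interpretations(octets: bytes) -> dict:
    """Contrast the OpenPGP reading with what a little-endian cast would give."""
    return {
        "openpgp": scalar(octets),
        "little_endian_misread": int.from_bytes(octets, "little"),
    }


if __name__ == "__main__":
    sample = bytes([0x00, 0x09, 0x01, 0xFF])      # constructed sample MPI
    print(read_mpi(sample))                        # same result on any CPU
    print(interpretations(bytes([0x01, 0x02])))
    print(write_mpi(65537).hex())
```

Because every multi-octet value is assembled from individual octets in a fixed order, the file written on a little-endian machine parses to the same integers on a big-endian one, which is the behaviour JC observed.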
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Thu May 15 01:17:02 2003
Subject: Signature sizes (was: DSA 1024-bit limit)
In-Reply-To: <20030514221503.GC22094@postfix.dyndns.org>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <871xz1bh0k.fsf@alberti.g10code.de> <20030514212508.GA3205@math.umd.edu> <20030514221503.GC22094@postfix.dyndns.org>
Message-ID: <20030514231819.GA2818@math.umd.edu>

That's not quite what I wanted to know, but you pointed me in the right direction. Thanks.

I just compared a DSA and an RSA signature. I don't see what the problem with RSA signatures is. It doesn't look that big to me. For a sample text the DSA signature is 3 lines and the RSA is 7 lines (see further below).

Is the signature size the main drawback of RSA signing?

Also, another question:
Do RSA signatures use the same hash as DSA?
Does the hash limit the security of RSA signatures?

Thanks for the help,

DSA:

iD8DBQE+wsuNngS5oA/rzsMRAgRVAJ0dcNxcKoxfwfnnZsDfESQgsarSVACeIjN6
Dw+Z/HLTRe2ECQWl95j1Ms0=
=pP/2

RSA:

iQEVAwUBPsLLxpMuikfjyo+uAQIc5QgAlNbSVTNZEQkXrbUXsqj7Z9USa7aCU5eW
e7k8qfQzGINmr1RICapqkj/rzoO8Jdm0hXvZS2YBcNg3YZ/AZqiQorVrBE8cfme7
ZKNjOjZBSmL26E/8rVk2jmiMt+ZhkOa3kaITn6K+HekK18NHluyTv+IZpj8CaVEm
Ep+pKNQHRRTkZFRYccqUorsgte/ZEbLF1tlO/gIWnGi/9v98531CyAMT3iM2O3n0
a1MngZcGuVb+I50nm4QWGOu8BhfgT8MXZThiJiHuDYObJgFqW4sP04rmIx5cG270
i9OcgacTrgRUrFA59oxXYRuhAVs7JTIPvUfXbQBhJtgosxVAHHDDfw==
=3qYV

On Thu, May 15, 2003 at 12:15:03AM +0200, Manuel Samper wrote:
> Daniel Carrera, on Wednesday, May 14 2003 at 23:25, wrote:
> > I'm still hoping to learn how I can use two different signing keys.
> > Once I have my two keys, how can I switch from signing with one to the
> > other.
>
> That depends on the software which calls gpg, i.e., if you want to sign
> emails, and you use mutt, select "sign (a)s" in the compose menu. You
> may want to set a "pgp_sign_as=" and to replace the
> default "pgp_(encrypt_)sign_command" settings (adding an exclamation in
> "%?a?-u %a!?"), but this is a mutt/whatever MUA/software issue, of
> course.
>
> --
> Manuel Samper
> PGP/GPG KeyID: FFFD5DA0

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From dcarrera@math.umd.edu Thu May 15 03:13:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Thu May 15 02:13:02 2003
Subject: Trouble exporting keys.
Message-ID: <20030515001424.GA2956@math.umd.edu>

Hi all,

I don't know what I just did, but I think that now GPG is exporting my RSA public key instead of my DSA one and I don't know how to switch back. I thought that I could do it with the -u option, but it doesn't make any difference. I guess I shouldn't expect it to, the man page says that -u is for encrypting and signing:

pub 1024D/0FEBCEC3 created: 2003-05-10 expires: 2006-05-12 trust: u/u
sub 2048g/0D1C25EC created: 2003-05-10 expires: 2006-05-13
sub 2048R/E3CA8FAE created: 2003-05-13 expires: 2006-05-12
(1). Daniel Carrera (PhD Student, Math)

dcarrera ~/keys $ gpg --armor --output DSA.asc --export -u 0x0FEBCEC3
dcarrera ~/keys $ gpg --armor --output RSA.asc --export -u 0xE3CA8FAE
dcarrera ~/keys $ diff DSA.asc RSA.asc
dcarrera ~/keys $

The --default-key option doesn't help either:

dcarrera ~/keys $ gpg --armor --output DSA.asc --export --default-key 0x0FEBCEC3
File `DSA.asc' exists. Overwrite (y/N)? y
dcarrera ~/keys $ diff DSA.asc RSA.asc
dcarrera ~/keys $

I think that it's exporting the RSA one because the key it exports now is different (much bigger) from the one it exported before.

Any thoughts? Thanks.
--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From gnupg-users@nahrath.de Thu May 15 03:46:02 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Thu May 15 02:46:02 2003
Subject: localisations and charsets
Message-ID: <3EC2E373.9060908@nahrath.de>

On macgpg-users@ I have been told that this is not a Mac issue and was asked to repost my message here.

Some explanations for those who don't know MacOS X:
"Terminal.app" is the standard terminal application - like "xterm" in X11.
"PGPPreferences" is a Mac GUI application to edit the ./gnupg/gpg.conf file.
"BBEdit" is a commercial text editor.

I tried to doublecheck in Debian-Linux but unfortunately the installations I have access to (mainly Knoppix) don't include localisation support.

-------- Original Message --------
Subject: [Macgpg-users] UTF8 or ISO-Latin-1 for localised shell version
Date: Tue, 13 May 2003 18:11:22 +0200
From: Michael Nahrath
To: macgpg-users@lists.sourceforge.net

Usually I use MacOS X in German Language.

I included "export LANG=de_DE" inside my ~/.profile (bash is my standard shell) and thus have GPG speak German in Terminal.app

I tried to follow PGPPreferences' recommendations and included "charset utf8" in my ~/.gnupg/gpg.conf and switched Terminal.app to use UTF8 as default charset.

So everything works fine as long as key data is concerned.
[0x307D56ED is a fine test key]

Unfortunately all localised UI texts of GPG _don't_ display well in UTF8:

pub 1024D/307D56ED erstellt: 2001-05-17 verf?llt: niemals Vertrauen: f/f
sub 2048g/B9A65282 erstellt: 2001-05-17 verf?llt: niemals
(1). Noèl Köthe
(2) Noèl Köthe
...

["verf?llt" should read "verfällt" with the a-Umlaut]

I took a look at /usr/local/share/locale/de/LC_MESSAGES/gnupg.mo which seems to contain all localised text.
If I open it in BBEdit as utf8 I get an error message ("malformed").
If I open it in BBEdit as MacRoman all Umlauts are broken.
If I open it in BBEdit as ISO Latin 1 everything reads right.

So I removed "charset utf8" from my ~/.gnupg/gpg.conf and switched Terminal.app to use ISO Latin 1 and everything is displayed correctly.

Only GPGPreferences annoys sometimes with the warning that I should switch everything to UTF8, but I know why I prefer to ignore this ;-)

Either the localised files should be converted to UTF8 or these silly warnings should end and the Latin-1 (ISO-8859-1) charset should become the default.

I am not sure if this is a Mac specific issue or if I should rather have posted it to the gnupg-users list.

If it is of interest: I compiled GPG from the sources - but I know that other people who used the MacOS installer package have the same problem.

Version is:

[michi@localhost]~$ gpg --version
gpg (GnuPG) 1.2.2
Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Unterstützte Verfahren:
Öff.Schlüssel: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Komprimierung: Uncompressed, ZIP, ZLIB

Greeting,
Michi

From johanw@vulcan.xs4all.nl Thu May 15 03:46:31 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Thu May 15 02:46:31 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To: from Johan Parin at "May 14, 2003 09:59:30 pm"
Message-ID: <200305150116.DAA00784@vulcan.xs4all.nl>

Johan Parin wrote:

> want to use GnuPG on both systems. Of course I want to use the same
> keyrings etc. This means things need to be stored on a Windows (FAT)
> partition.

Unless you can find ext2/ext3/Reiser drivers for XP (I only have some ro ext2 drivers for 95/98, I don't know if they even exist for XP). Unfortunately the NTFS driver for Linux is still ro. :-(

Why is locking impossible on FAT32?

> to be solved. I noticed there is a `lock-never' option but it doesn't
> feel quite safe.

If you can't lock you'll have to.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw@vulcan.xs4all.nl Thu May 15 03:47:00 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Thu May 15 02:47:00 2003
Subject: Endianness issues with GPG
In-Reply-To: <20030514220756.97093.qmail@web11405.mail.yahoo.com> from JC at "May 14, 2003 03:07:56 pm"
Message-ID: <200305150109.DAA00750@vulcan.xs4all.nl>

JC wrote:

> Having checked out that the binary files produced
> by GPG-encrypting a file without ASCII armor in a
> little endian platform can be decrypted in a big
> endian one, without any other provisos (i.e. my
> assumption was wrong) I wonder if anyone could provide
> a rigorous justification for this?

That's simple: you have to store the file in a fixed format with the same endianness on all machines. The decryption then can take care of the endianness when decrypting a textfile on a specific machine, since gnupg knows the endianness on the machine it's running on. Textfiles can then be converted to the same endianness as the target machine after decryption.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dcarrera@math.umd.edu Thu May 15 03:52:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Thu May 15 02:52:02 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <1052959441.20758.7.camel@dennisx.cif.rochester.edu>
References: <20030515001424.GA2956@math.umd.edu> <1052959441.20758.7.camel@dennisx.cif.rochester.edu>
Message-ID: <20030515005321.GA3079@math.umd.edu>

> The --export command exports all of this to one big ugly chunk, which is
> exactly what you want. You're exporting the RSA key, and the DSA
> signing subkey, and the ElGamal encryption subkey.

But, for instance, the people who have my older key can still authenticate messages signed with my DSA key (which they have). Correct?
Do people just update keys every once in a while? This would make sense. And it'd also explain why the primary key can't change -- you use it to authenticate changes in the "big" key.

This is making more sense now.

But clearly, I'm still doing things wrong. It looks like my GPG just decided to only sign with the RSA key regardless of what I tell it. I thought I could select the key using the -u option, but that worked only once. :(

My DSA KeyID is 0FEBCEC3. My RSA KeyID is E3CA8FAE :

dcarrera ~/keys $ gpg --output file.asc -u 0x0FEBCEC3 --clearsign file

You need a passphrase to unlock the secret key for
user: "Daniel Carrera (PhD Student, Math) "
2048-bit RSA key, ID E3CA8FAE, created 2003-05-13 (main key ID 0FEBCEC3)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You see? It wants to use the RSA key even though I specified the DSA key.

Did I just break something? Thanks.
--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp/key.html

From jbruni@mac.com Thu May 15 04:14:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Thu May 15 03:14:02 2003
Subject: [Q] Sending a key to a keyserver
In-Reply-To: <3EC2435F.9040308@nahrath.de>
Message-ID: <7B5ADA05-8671-11D7-874C-003065B1243E@mac.com>

Hey! I resemble that remark. :)

On Wednesday, May 14, 2003, at 06:23 AM, Michael Nahrath wrote:

> Oh, this is even the case in a LUG.
> I always thought they are the tough technical guys.
>
> Usually I have to deal with Mac users ... ;-)
>

From dshaw@jabberwocky.com Thu May 15 04:28:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 03:28:03 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030513114718.DC06.DENISMCCAULEY@ifrance.com>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com>
Message-ID: <20030515012906.GL25493@jabberwocky.com>

On Tue, May 13, 2003 at 11:53:42AM -1000, Denis McCauley wrote:

> > Is there a limit on now large an RSA signing key can be?
>
> 4096 bits with GPG, though there are some unofficial versions of PGP
> which can create RSA keys up to 16k.

Note that GnuPG can use those monster keys. The restriction is only on generating them (for the sake of sanity and interoperability).

David

From dshaw@jabberwocky.com Thu May 15 04:33:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 03:33:03 2003
Subject: [Q] Multiple signing keys (was: DSA 1024-bit limit)
In-Reply-To: <1052880152.2487.30.camel@dennisx.cif.rochester.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu> <1052880152.2487.30.camel@dennisx.cif.rochester.edu>
Message-ID: <20030515013318.GM25493@jabberwocky.com>

On Tue, May 13, 2003 at 10:42:32PM -0400, Dennis Lambe Jr. wrote:

> It was based on this information that I made the decision to create my
> key as follows:
>
> pub 4096R/F53BA904 2003-04-21 Dennis Patrick Lambe Jr.
> [...snipped other IDs...]
> sub 1024D/16DE8D28 2003-04-21
> sub 4096g/BCE387ED 2003-04-21
>
> I believe David Shaw has a similar rationale for his key, which has the
> same structure. Is that right, David?

That is correct. I use a large RSA key as the primary, with an encryption subkey, and a DSA signing subkey for day to day use. The RSA primary is stored offline, so in a disaster scenario, I can just revoke the subkeys and not lose the entire key.

David

From eugene@esmiley.net Thu May 15 05:12:02 2003
From: eugene@esmiley.net (Eugene Smiley)
Date: Thu May 15 04:12:02 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To: <200305150116.DAA00784@vulcan.xs4all.nl>
Message-ID:

Johan Wevers wrote:
> Johan Parin wrote:
>
>> want to use GnuPG on both systems. Of course I want to use the
>> same keyrings etc. This means things need to be stored on a
>> Windows (FAT) partition.
>
> Unless you can find ext2/ext3/Reiser drivers for XP (I only have
> some ro ext2 drivers for 95/98, I don't know if they even exist
> for XP). Unfortunately the NTFS driver for Linux is still ro. :-(
>
> Why is locking impossible on FAT32?

FAT32 is basically an extended version of the old MS-DOS and as such is designed under the premise that the PC is a single user PC. Locking is/was limited and permissions are nonexistent.

From dshaw@jabberwocky.com Thu May 15 05:15:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 04:15:01 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To: <200305150116.DAA00784@vulcan.xs4all.nl>
References: <200305150116.DAA00784@vulcan.xs4all.nl>
Message-ID: <20030515021553.GN25493@jabberwocky.com>

On Thu, May 15, 2003 at 03:16:44AM +0200, Johan Wevers wrote:
> Johan Parin wrote:
>
> > want to use GnuPG on both systems. Of course I want to use the same
> > keyrings etc. This means things need to be stored on a Windows (FAT)
> > partition.
>
> Unless you can find ext2/ext3/Reiser drivers for XP (I only have some ro
> ext2 drivers for 95/98, I don't know if they even exist for XP).
> Unfortunately the NTFS driver for Linux is still ro. :-(
>
> Why is locking impossible on FAT32?

It's not impossible technically, but the locking scheme GnuPG uses at the moment isn't compatible with a FAT filesystem. It uses link().

David

From dshaw@jabberwocky.com Thu May 15 06:05:03 2003
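Added example, not part of any message in this thread and not GnuPG's own code: the generic link()-based lock-file idiom that David Shaw's reply refers to, showing why it cannot work on a filesystem without hard links such as FAT. The names `acquire`, `release` and `LockUnsupported`, the injectable `link` parameter and the sample file name are assumptions of this example.

```python
"""Lock files built on link(), and what happens without hard links.

Illustration of the general idiom only; names are hypothetical.
"""
import errno
import os
import socket


class LockUnsupported(Exception):
    """The filesystem cannot create hard links, so this scheme cannot work."""


def acquire(target: str, link=os.link) -> bool:
    """Try to create <target>.lock.

    Returns True if the lock was taken, False if another holder exists.
    Raises LockUnsupported when the filesystem refuses hard links.
    `link` is injectable only so that refusal can be simulated.
    """
    lock_path = target + ".lock"
    # Step 1: create a file whose name is unique to this host and process.
    unique = "%s.%s.%d" % (lock_path, socket.gethostname(), os.getpid())
    fd = os.open(unique, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, b"%d\n" % os.getpid())
    finally:
        os.close(fd)
    try:
        # Step 2: link() either creates lock_path or fails with EEXIST.
        # It is a single atomic operation, so two processes cannot both win.
        link(unique, lock_path)
        return True
    except FileExistsError:
        return False
    except OSError as exc:
        # A filesystem with no hard links (FAT, for instance) rejects the
        # call outright; Linux reports EPERM in that case.
        if exc.errno in (errno.EPERM, errno.EOPNOTSUPP, errno.ENOSYS):
            raise LockUnsupported(
                "hard links unavailable for %s: %s" % (lock_path, exc)
            ) from exc
        raise
    finally:
        # The unique name is only scaffolding; the lock is lock_path itself.
        os.unlink(unique)


def release(target: str) -> None:
    """Drop the lock taken by acquire()."""
    os.unlink(target + ".lock")


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as workdir:
        keyring = os.path.join(workdir, "pubring.gpg")   # constructed path
        print("first attempt :", acquire(keyring))
        print("second attempt:", acquire(keyring))
        release(keyring)

        def no_hard_links(src, dst):
            # Simulates a filesystem that does not implement link().
            raise OSError(errno.EPERM, "Operation not permitted")

        try:
            acquire(keyring, link=no_hard_links)
        except LockUnsupported as exc:
            print("without hard links:", exc)
```

With locking unavailable the only remaining choice is to run without locks, which is the `lock-never' trade-off discussed earlier in the thread.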
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 05:05:03 2003
Subject: Signature sizes (was: DSA 1024-bit limit)
In-Reply-To: <20030514231819.GA2818@math.umd.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <871xz1bh0k.fsf@alberti.g10code.de> <20030514212508.GA3205@math.umd.edu> <20030514221503.GC22094@postfix.dyndns.org> <20030514231819.GA2818@math.umd.edu>
Message-ID: <20030515030551.GO25493@jabberwocky.com>

On Wed, May 14, 2003 at 07:18:19PM -0400, Daniel Carrera wrote:
> That's not quite what I wanted to know, but you pointed me in the right
> direction. Thanks.
>
> I just compared a DSA and an RSA signature. I don't see what the
> problem with RSA signatures is. It doesn't look that big to me. For a
> sample text the DSA signature is 3 lines and the RSA is 7 lines (see
> further below).

The larger the RSA key is, the larger the signature is.

> Is the signature size the main drawback of RSA signing?
>
> Also, another question:
> Do RSA signatures use the same hash as DSA?

They can, but do not have to. DSA must use a 160-bit hash, which means either SHA-1 or RIPEMD/160 in GnuPG. RSA can use any hash.

> Does the hash limit the security of RSA signatures?

The hash limits the security of all signatures whenever the key is stronger than the hash.

David

From dshaw@jabberwocky.com Thu May 15 07:15:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 06:15:02 2003
Subject: localisations and charsets
In-Reply-To: <3EC2E373.9060908@nahrath.de>
References: <3EC2E373.9060908@nahrath.de>
Message-ID: <20030515041529.GQ25493@jabberwocky.com>

On Thu, May 15, 2003 at 02:46:43AM +0200, Michael Nahrath wrote:

> Usually I use MacOS X in German Language.
>
> I included "export LANG=de_DE" inside my ~/.profile (bash is my standard
> shell) and thus have GPG speak German in Terminal.app
>
> I tried to follow PGPPreferences' recommendations and included
> "charset utf8" in my ~/.gnupg/gpg.conf and switched Terminal.app to use UTF8
> as default charset.
>
> So everything works fine as long as key data is concerned.
> [0x307D56ED is a fine test key]
>
> Unfortunately all localised UI texts of GPG _don't_ display well in UTF8:
>
> pub 1024D/307D56ED erstellt: 2001-05-17 verf?llt: niemals Vertrauen: f/f
> sub 2048g/B9A65282 erstellt: 2001-05-17 verf?llt: niemals
> (1). Noèl Köthe
> (2) Noèl Köthe
> ...
>
> ["verf?llt" should read "verfällt" with the a-Umlaut]

Try "export LANG=de_DE.utf8" with the UTF8 Terminal.app. I don't know about the OSX gettext, but it works here.

David

From avbidder@fortytwo.ch Thu May 15 09:45:02 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Thu May 15 08:45:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To:
References:
Message-ID: <200305150846.13241@fortytwo.ch>

On Wednesday 14 May 2003 15:36, Mark H. Wood wrote:
> On Tue, 13 May 2003, Jason Harris wrote:
> > The WoT doesn't cease to exist for "anonymous" keys. In fact, it
> > becomes purer. If you don't have a trust path to an "anonymous" key,
> > you can't even put any trust into it based on a name or email address
> > that you might be willing to trust.
>
> I need a little help here. What, exactly, would an "anonymous" key
> *mean*? To what would a document signed by such a key be bound, and why
> would I care?

One use is: somebody wants to be anonymous, but wants to publish some (hot) information. He signs it, so that when he ever needs to post a followup (correction, additional info on this issue, or to counter some statement some other party has made about the info he's posted), he can sign *that* again. So, nobody can come and say 'I have published that document' since he wouldn't be able to prove it by signing a challenge.

I don't see where this would tie into the WoT - presumably, nobody can sign that key, and the keyholder will not be interested in signing anybody's key when he wants to stay anonymous, but I think this is a good application of anonymous keys.

> (I'm always swimming against the current. While it seems everyone else
> wants to become invisible, I've been wondering how to go about getting
> really high-quality identity documents, both paper and electronic. I
> *want* to be well-known, *on my terms*.)
I think I can understand this feeling.

-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)

Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

From pt@radvis.nu Thu May 15 10:09:01 2003
From: pt@radvis.nu (Per Tunedal)
Date: Thu May 15 09:09:01 2003
Subject: [OT?] No more financial support for GnuPG
In-Reply-To: <87wugt9xry.fsf@alberti.g10code.de>
References:
Message-ID: <5.1.0.14.2.20030515084353.02dcd8e0@localhost>

Hi,

At 20:41 2003-05-14 +0200, you wrote:
>On Tue, 13 May 2003 22:46:14 +0200, Juergen Fenn said:
>
>> According to German IT news service heise.de the German Federal
>> Government will no longer sponsor development of GnuPG:
>
>
>Advertised bidding with fair treatment of Free Software companies are
>of course a good solution to foster the development of Free Software.
>In my experience, those tenders often stress too often the money
>saving factor and do not consider the extra value given by non-vendor
>lock-in and better standard compliance. Support contracts are also a
>good revenue source but there are too many answers already available
>on the net .-) so that companies might not consider to seek for
>commercial support.

The Swedish government is actively working for more use of free software in the administration, mainly because MS Office licenses cost them too much. They recently have made a public list of all Swedish companies offering any kind of products or services related to free software. I have offered support for GnuPG and related programs and for some other free software through one of my businesses: Clipanish.

Now I am on the official list. I am waiting for orders and invitations to public tenders!

If I succeed I will
a) have more time to spend on translations etc
b) forward some revenue to the GnuPG project.

>
>
>Salam-Shalom,
>
> Werner
>

Yours,
Per Tunedal

From malsyned@cif.rochester.edu Thu May 15 10:39:02 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Thu May 15 09:39:02 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <20030515005321.GA3079@math.umd.edu>
References: <20030515001424.GA2956@math.umd.edu> <1052959441.20758.7.camel@dennisx.cif.rochester.edu> <20030515005321.GA3079@math.umd.edu>
Message-ID: <1052984399.20759.29.camel@dennisx.cif.rochester.edu>

On Wed, 2003-05-14 at 20:53, Daniel Carrera wrote:
> > The --export command exports all of this to one big ugly chunk, which is
> > exactly what you want. You're exporting the RSA key, and the DSA
> > signing subkey, and the ElGamal encryption subkey.
>
> But, for instance, the people who have my older key can still authenticate
> messages signed with my DSA key (which they have). Correct?
> Do people just update keys every once in a while? This would make sense.
> And it'd also explain why the primary key can't change -- you use it to
> authenticate changes in the "big" key.
>
> This is making more sense now.

This is all exactly right so far. As soon as you start seeing your key as a changing collection of constant, verifiable packets, OpenPGP starts making a lot more sense.

> But clearly, I'm still doing things wrong. It looks like my GPG just
> decided to only sign with the RSA key regardless of what I tell it. I
> thought I could select the key using the -u option, but that worked only
> once. :(
>
> My DSA KeyID is 0FEBCEC3. My RSA KeyID is E3CA8FAE :
>
> dcarrera ~/keys $ gpg --output file.asc -u 0x0FEBCEC3 --clearsign file
>
> You need a passphrase to unlock the secret key for
> user: "Daniel Carrera (PhD Student, Math) "
> 2048-bit RSA key, ID E3CA8FAE, created 2003-05-13 (main key ID 0FEBCEC3)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

OK, I'm doing a lot of educated guessing, so if I make any incorrect assumptions, let me know.
Here's what I think is going on:

1. You have a DSA primary key, ID 0FEBCEC3. (I know this to be true, I've got an older version of it with only an ElGamal encryption subkey.)
2. You recently attached an RSA signing subkey to it with subkey ID E3CA8FAE.
3. You're trying to sign things with the DSA key, but the RSA subkey keeps getting used instead.

OK. Now I have two issues to address. One is why what you want to happen isn't happening, and the other is why you might not be doing what you mean to anyway. Both topics contain useful information, so I'll cover them in order.

WHY WHAT YOU WANT TO HAPPEN ISN'T HAPPENING:

The -u flag (and all other flags which take a KeyID as a parameter) is intended to allow you to specify a full PGP key, complete with IDs, subkeys, signatures, and all the trimmings. You can use the primary KeyID, a unique piece of any ID string, or any subkey ID. The effect is always the same: pointing out which key on the keyring should be used. So -u E3CA8FAE is (for better or worse) synonymous with -u 0FEBCEC3.

GnuPG's signing behavior is: once it's found a key on the keyring, it signs with the most recently created/modified signing subkey attached to that key. In your case, that's the RSA signing subkey.

Overriding this default behavior, which is what it seems you'd like to do, is accomplished by postfixing the keyID with an exclamation point. so, -u 0FEBCEC3! means "really sign with my primary key, not my most current signing subkey".

WHY WHAT YOU'RE TRYING TO DO MIGHT NOT BE WHAT YOU WANT TO DO

If your goal in having both an RSA and a DSA signing key is to have a long-term-secure primary key on which to collect signatures, and a standards-compliant day-to-day document-signing DSA key, you've got them backwards. the RSA key should be the primary key, since it can be big, and the DSA key should be the signing subkey, since it is trusted by the government to sign documents.
This does require that you completely revoke your current primary key and start from scratch, though.

I hope this helps.

--Dennis Lambe

From malsyned@cif.rochester.edu Thu May 15 10:41:02 2003
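The `-u` selection rule described in the message above, modelled in Python as an added example (not part of the thread and not GnuPG's own code). The key IDs 0FEBCEC3 and E3CA8FAE and the 2003-05-13 date come from the thread; every other ID, date and user ID in the sample keyring is constructed, and `resolve_signer` is a hypothetical name.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Key:
    keyid: str      # short key ID, upper-case hex
    algo: str
    created: str    # ISO date; compares chronologically as a string
    can_sign: bool


@dataclass
class Certificate:
    primary: Key
    user_ids: List[str]
    subkeys: List[Key] = field(default_factory=list)

    def keys(self) -> List[Key]:
        return [self.primary] + self.subkeys


def _normalize(keyid: str) -> str:
    keyid = keyid.upper()
    return keyid[2:] if keyid.startswith("0X") else keyid


def find_certificate(keyring: List[Certificate], spec: str) -> Certificate:
    """Locate the one key that `spec` points at: a primary key ID, a subkey
    ID, or a piece of a user ID all select the same whole key."""
    wanted = _normalize(spec)
    hits = [cert for cert in keyring
            if any(k.keyid == wanted for k in cert.keys())
            or any(spec.lower() in uid.lower() for uid in cert.user_ids)]
    if len(hits) != 1:
        raise LookupError(f"{spec!r} matches {len(hits)} keys, need exactly one")
    return hits[0]


def resolve_signer(keyring: List[Certificate], spec: str) -> Key:
    """Return the key that would sign for `-u spec` under the rule in the
    message above."""
    if spec.endswith("!"):
        # Trailing '!': use exactly this key, no subkey substitution.
        wanted = _normalize(spec[:-1])
        cert = find_certificate(keyring, wanted)
        key = next((k for k in cert.keys() if k.keyid == wanted), None)
        if key is None:
            raise LookupError("'!' needs a key ID, not a user ID fragment")
        if not key.can_sign:
            raise ValueError(f"{wanted} is not a signing key")
        return key
    cert = find_certificate(keyring, spec)
    signing_subkeys = [k for k in cert.subkeys if k.can_sign]
    if signing_subkeys:
        # Default: the most recently created signing subkey wins.
        return max(signing_subkeys, key=lambda k: k.created)
    if not cert.primary.can_sign:
        raise ValueError("no signing-capable key found")
    return cert.primary


# Constructed keyring. Only 0FEBCEC3, E3CA8FAE and 2003-05-13 are from the thread.
KEYRING = [
    Certificate(
        primary=Key("0FEBCEC3", "DSA", "2003-01-01", True),
        user_ids=["Daniel Carrera (PhD Student, Math)"],
        subkeys=[
            Key("11111111", "ElGamal", "2003-01-01", False),
            Key("E3CA8FAE", "RSA", "2003-05-13", True),
        ],
    ),
    Certificate(
        primary=Key("22222222", "DSA", "2002-06-01", True),
        user_ids=["Example User <user@example.org>"],
        subkeys=[Key("33333333", "ElGamal", "2002-06-01", False)],
    ),
]

if __name__ == "__main__":
    for spec in ("0x0FEBCEC3", "E3CA8FAE", "0FEBCEC3!", "carrera", "22222222"):
        print(f"-u {spec:<12} signs with {resolve_signer(KEYRING, spec).keyid}")
```
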
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Thu May 15 09:41:02 2003
Subject: [Q] Multiple signing keys
In-Reply-To: <87r8719xf2.fsf@alberti.g10code.de>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu> <1052880152.2487.30.camel@dennisx.cif.rochester.edu> <87r8719xf2.fsf@alberti.g10code.de>
Message-ID: <1052984535.20758.31.camel@dennisx.cif.rochester.edu>

On Wed, 2003-05-14 at 14:48, Werner Koch wrote:
> On 13 May 2003 22:42:32 -0400, Dennis Lambe said:
>
> > As far as I can tell, your primary key is the only one which can be used
> > to sign other keys, but I'd like to hear from some more knowledgeable
> > people on that point.
>
> Correct. The primary key is used to bound the user IDs as well as
> secondary keys to the primary key. So it is _kind of_ a master key.

Yes. This I already knew. What I'm curious about is whether it's possible to use a subkey to sign /other people's/ keys.

--Dennis Lambe

From wobo@wolf-b.de Thu May 15 11:27:02 2003
From: wobo@wolf-b.de (Wolfgang Bornath)
Date: Thu May 15 10:27:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305142304.35208@erwin.ingo-kloecker.de>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305140359.05794.wbo@mandrakesoft.com> <200305142304.35208@erwin.ingo-kloecker.de>
Message-ID: <200305150117.21129.wobo@wolf-b.de>

** Ingo Klöcker (Wednesday, 14 May 2003 23:04)
> On Wednesday 14 May 2003 03:58, Wolfgang Bornath wrote:
> >
> > Went there, done that, no t-shirt. Did not work.
> > In detail:
> > I downloaded all the files, did the 3-step waltz on them and the
> > test
> >
> > $ echo "test" | gpg -ase -r 0xDEADBEEF | gpg
> >
> > worked all right (of course with my key-id).
>
> What do you mean by "worked all right"? Did the pinentry program pop
> up?

Yes it did.

> Well, obviously gpgme-config is missing for some reason (it should be
> in /usr/local/bin if you didn't change the install prefix with the
> --prefix option). Did installing gpgme really work?

Yes, without errors (make returned '0')

Hey, I deserve a second chance, don't I?

Is it dangerous to delete the config.logs and do it all over again? And should I give an option to './configure gpgme....' like '--with-gpgme-config' or something?

wobo
--
Public GnuPG key available at keyserver www.mandrakesecure.net

From gnupg-users@nahrath.de Thu May 15 12:21:02 2003
From: gnupg-users@nahrath.de (Michael Nahrath)
Date: Thu May 15 11:21:02 2003
Subject: localisations and charsets
In-Reply-To: <20030515041529.GQ25493@jabberwocky.com>
References: <3EC2E373.9060908@nahrath.de> <20030515041529.GQ25493@jabberwocky.com>
Message-ID: <3EC35C4B.1020302@nahrath.de>

David Shaw wrote:

>>I included "export LANG=de_DE" inside my ~/.profile (bash is my standard
>>shell) and thus have GPG speak German in Terminal.app
>>
>>I tried to follow PGPPreferences' recommendations and included
>>"charset utf8" in my ~/.gnupg/gpg.conf and switched Terminal.app to use UTF8
>>as default charset.
>>["verf?llt" should read "verfällt" with the a-Umlaut]
>
>
> Try "export LANG=de_DE.utf8" with the UTF8 Terminal.app. I don't know
> about the OSX gettext, but it works here.

I tried your advice and switched Terminal.app to utf8:

[michi@localhost]~$ echo $LANG
de_DE.utf8
[michi@localhost]~$ gettext --version
gettext (GNU gettext) 0.10.40
Copyright � 1995-1997, 2000, 2001 Free Software Foundation, Inc.
Dies ist freie Software; in den Quellen befindet sich die Lizenzbedingung.
Es gibt KEINERLEI Garantie; nicht einmal f�r die TAUGLICHKEIT oder
die VERWENDBARKEIT ZU EINEN ANGEGEBENEN ZWECK.
Geschrieben von Ulrich Drepper.

So "export LANG=de_DE.utf8" doesn't help (there are two errors "?" in this text), but it seems to be a general MacOS X gettext problem and not GPG specific.
Greeting
Michi

From jam@jamux.com Thu May 15 15:15:02 2003
From: jam@jamux.com (John A. Martin)
Date: Thu May 15 14:15:02 2003
Subject: [OT?] No more financial support for GnuPG
In-Reply-To: <87wugt9xry.fsf@alberti.g10code.de> (Werner Koch's message of "Wed, 14 May 2003 20:41:05 +0200")
References: <87wugt9xry.fsf@alberti.g10code.de>
Message-ID: <87he7wv1zw.fsf@athene.jamux.com>

>>>>> "wk" == Werner Koch
>>>>> "Re: [OT?] No more financial support for GnuPG"
>>>>> Wed, 14 May 2003 20:41:05 +0200

wk> On Tue, 13 May 2003 22:46:14 +0200, Juergen Fenn said:
>> According to German IT news service heise.de the German Federal
>> Government will no longer sponsor development of GnuPG:

wk> The big advantages of Free Software are the avoidance of
wk> vendor lock-in, the in general better standard compliance, the
wk> abstain of unneeded gadgets for marketing reasons and the huge
wk> base of valuable testers and other helpers.

For dramatic evidence on the above, see Bruce Schneier in today's Cryptogram: Encryption and Wiretapping, .

jam

From dshaw@jabberwocky.com Thu May 15 15:23:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Thu May 15 14:23:02 2003
Subject: [Q] Multiple signing keys
In-Reply-To: <1052984535.20758.31.camel@dennisx.cif.rochester.edu>
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu> <1052880152.2487.30.camel@dennisx.cif.rochester.edu> <87r8719xf2.fsf@alberti.g10code.de> <1052984535.20758.31.camel@dennisx.cif.rochester.edu>
Message-ID: <20030515122334.GT25493@jabberwocky.com>

On Thu, May 15, 2003 at 03:42:15AM -0400, Dennis Lambe Jr. wrote:
> On Wed, 2003-05-14 at 14:48, Werner Koch wrote:
> > On 13 May 2003 22:42:32 -0400, Dennis Lambe said:
> >
> > > As far as I can tell, your primary key is the only one which can be used
> > > to sign other keys, but I'd like to hear from some more knowledgeable
> > > people on that point.
> >
> > Correct. The primary key is used to bound the user IDs as well as
> > secondary keys to the primary key. So it is _kind of_ a master key.
>
> Yes. This I already knew. What I'm curious about is whether it's
> possible to use a subkey to sign /other people's/ keys.

Technically yes. A signing subkey can sign any data, and a key is just data underneath it all. However, in reality such signatures are not part of the web of trust and are not generated. Key signatures are made only with the primary key.
David

From wk@gnupg.org Thu May 15 15:35:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Thu May 15 14:35:02 2003
Subject: [OT?] No more financial support for GnuPG
In-Reply-To: <20030514211519.6437.qmail@web10503.mail.yahoo.com> (Burns's message of "Wed, 14 May 2003 14:15:19 -0700 (PDT)")
References: <20030514211519.6437.qmail@web10503.mail.yahoo.com>
Message-ID: <87llx88jz2.fsf@alberti.g10code.de>

On Wed, 14 May 2003 14:15:19 -0700 (PDT), Burns said:

> Does GnuPG have a donations page? If it does, I haven't noticed it.
> Some examples of what I mean:

No, there is no legal entity to collect donations specific for GnuPG. However the FSF and the FSF Europe do have donation programs:

http://fsfeurope.org/help/donate.en.html
http://fsf.org

However, these donations are in general not used for any specific software. They are important anyway because these organisations help to foster the knowledge about Free Software.

My own company provides a way to donate to GnuPG development at https://order.kagi.com/?P3G but we can't guarantee that all active developers get their share. Currently we employ Marcus Brinkmann working on GPGME, Moritz Schulte working on Libgcrypt and me.

There are plans to sell email aliases under gnupg.net as well as simple key certifications. However I have not yet figured out the details and don't know whether there would be enough interest to actually launch this.

Salam-Shalom,

Werner

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Thu May 15 15:46:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Thu May 15 14:46:02 2003
Subject: [Q] DSA 1024-bit limit.
In-Reply-To: <20030514212508.GA3205@math.umd.edu> (Daniel Carrera's message of "Wed, 14 May 2003 17:25:08 -0400")
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <871xz1bh0k.fsf@alberti.g10code.de> <20030514212508.GA3205@math.umd.edu>
Message-ID: <87issc8jhe.fsf@alberti.g10code.de>

On Wed, 14 May 2003 17:25:08 -0400, Daniel Carrera said:

> Does RSA signing use the same hash algorithm?
> Is the security of SHA-256 believed to be comparable to 1024-bit ElGamal
> (as the second component of DSA)?

As quite usual in cryptography: We don't know exactly. We can only guess. SHA-256 is much newer than SHA-1 and thus not as well matured. It is however believed to be strong enough and it increases the possibility of a birthday attack (which limits the useful length of SHA-1 to 80 bits). SHA-256 et al are required to match the capabilities of AES.

> Since my key is encrypted in my hard drive, getting access to it should
> not compromise my key, correct?
> So a hired burglar shouldn't do much good, right? (assuming I have a good
> enough password of course).

It is unlikely that your passphrase is good enough to be compared against a 1024 bit DSA key. We are humans and must type them in. Anyway, the three letter agencies usually visit your place two times: to install a key logger and later to collect what it has gathered.

>> * a BIOS of your box or a clever CPU (think Transmeta) identifying
>> secret keys and posting them to a newsgroup.
>>
>> * a rogue OS
>>
>> * a trojan

> Doesn't the encryption of the key take care of these?

The CPU decrypts the key and thus at some point it is available in plaintext. A good passphrase in general gives you some time to detect a compromised key and to distribute a revocation. Trojans can easily log all keystrokes.
Shalom-Salam,

Werner

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Thu May 15 15:56:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Thu May 15 14:56:02 2003
Subject: localisations and charsets
In-Reply-To: <3EC35C4B.1020302@nahrath.de> (Michael Nahrath's message of "Thu, 15 May 2003 11:22:19 +0200")
References: <3EC2E373.9060908@nahrath.de> <20030515041529.GQ25493@jabberwocky.com> <3EC35C4B.1020302@nahrath.de>
Message-ID: <87fzng8j27.fsf@alberti.g10code.de>

On Thu, 15 May 2003 11:22:19 +0200, Michael Nahrath said:

> Dies ist freie Software; in den Quellen befindet sich die Lizenzbedingung.
> Es gibt KEINERLEI Garantie; nicht einmal f�r die TAUGLICHKEIT oder
                                            ^^
Your terminal does not support UTF-8. gpg has already translated the Latin-1 encoded text to utf-8 before printing it out.

--charset=latin-1 might help

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Thu May 15 16:01:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Thu May 15 15:01:02 2003
Subject: [Q] Multiple signing keys
In-Reply-To: <1052984535.20758.31.camel@dennisx.cif.rochester.edu> ("Dennis Lambe Jr."'s message of "15 May 2003 03:42:15 -0400")
References: <20030513034820.GF9658@jabberwocky.com> <20030513144541.GA1301@math.umd.edu> <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <20030513222948.GA9909@math.umd.edu> <1052871144.1584.36.camel@dennisx.cif.rochester.edu> <20030514013435.GA10204@math.umd.edu> <1052880152.2487.30.camel@dennisx.cif.rochester.edu> <87r8719xf2.fsf@alberti.g10code.de> <1052984535.20758.31.camel@dennisx.cif.rochester.edu>
Message-ID: <87d6ik8iti.fsf@alberti.g10code.de>

On 15 May 2003 03:42:15 -0400, Dennis Lambe said:

> Yes. This I already knew. What I'm curious about is whether it's
> possible to use a subkey to sign /other people's/ keys.

No. An old buggy version of GnuPG accidentally did this, so you might find a very few signatures which won't verify anymore.

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From dlc@users.sourceforge.net Thu May 15 20:15:02 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Thu May 15 19:15:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To:
References: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com>
Message-ID: <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>

* Mark H. Wood [2003-05-15 08:46]:
> On Tue, 13 May 2003, Jason Harris wrote:
> > The WoT doesn't cease to exist for "anonymous" keys. In fact, it
> > becomes purer. If you don't have a trust path to an "anonymous"
> > key, you can't even put any trust into it based on a name or email
> > address that you might be willing to trust.
>
> I need a little help here. What, exactly, would an "anonymous" key
> *mean*? To what would a document signed by such a key be bound, and
> why would I care?

An anonymous key could be used to establish that multiple messages came from the same user (or didn't). It would let you know that the person you were corresponding with was the same person from message to message, even though it won't tell you who that person is. It would (or could, at least) prevent someone other than the owner of the key from claiming to be that person in the future.

(darren)

--
Every thought you think is contributing its share to the ultimate result of your life.

From dcarrera@math.umd.edu Thu May 15 20:17:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Thu May 15 19:17:02 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <1052984399.20759.29.camel@dennisx.cif.rochester.edu>
References: <20030515001424.GA2956@math.umd.edu> <1052959441.20758.7.camel@dennisx.cif.rochester.edu> <20030515005321.GA3079@math.umd.edu> <1052984399.20759.29.camel@dennisx.cif.rochester.edu>
Message-ID: <20030515171833.GA1175@math.umd.edu>

> OK, I'm doing a lot of educated guessing, so if I make any incorrect
> assumptions, let me know. Here's what I think is going on:

Your educated guesses are all correct.

[snip]

> WHY WHAT YOU WANT TO HAPPEN ISN'T HAPPENING:
> The -u flag (and all other flags which take a KeyID as a parameter) is
> intended to allow you to specify a full PGP key, complete with IDs,
> subkeys, signatures, and all the trimmings. You can use the primary
> KeyID, a unique piece of any ID string, or any subkey ID. The effect is
> always the same: pointing out which key on the keyring should be used.
> So -u E3CA8FAE is (for better or worse) synonymous with -u 0FEBCEC3.
>
> GnuPG's signing behavior is: once it's found a key on the keyring, it
> signs with the most recently created/modified signing subkey attached to
> that key. In your case, that's the RSA signing subkey.
>
> Overriding this default behavior, which is what it seems you'd like to
> do, is accomplished by postfixing the keyID with an exclamation point.
> so, -u 0FEBCEC3! means "really sign with my primary key, not my most
> current signing subkey".
>
> WHY WHAT YOU'RE TRYING TO DO MIGHT NOT BE WHAT YOU WANT TO DO
> If your goal in having both an RSA and a DSA signing key is to have a
> long-term-secure primary key on which to collect signatures, and a
> standards-compliant day-to-day document-signing DSA key, you've got them
> backwards.
> the RSA key should be the primary key, since it can be big,
> and the DSA key should be the signing subkey, since it is trusted by the
> government to sign documents. This does require that you completely
> revoke your current primary key and start from scratch, though.
>
> I hope this helps.
>
> --Dennis Lambe

Thank you so much Dennis. Yes, this helps a great deal. This is precisely the information I was looking for.

I have no problem starting from scratch. Indeed, it's to do that now since I'm just getting started, instead of later.

I'll revoke my current key later today, and start over with a 4096-bit RSA primary signing key. Later I'll create a 1024-bit DSA key and a 2048-bit ElGamal key. And this will do exactly what I want:

- Long-term security through the 4096-bit primary key.
- GPG defaults to DSA for signing.
- If I ever want more security, I can use ! to sign with the RSA.

Thanks again.

--
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | C678 4F28 6418 6A62 F186 98FC 9E04 B9A0 0FEB CEC3
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

From erwan@rail.eu.org Thu May 15 21:31:03 2003
From: erwan@rail.eu.org (Erwan David)
Date: Thu May 15 20:31:03 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
References: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com> <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
Message-ID: <20030515183203.GA20263@bretagne.rail.eu.org>

On Thu 15/05/2003, darren chamberlain said
> An anonymous key could be used to establish that multiple messages came
> from the same user (or didn't). It would let you know that the person
> you were corresponding with was the same person from message to message,
> even though it won't tell you who that person is. It would (or could,
> at least) prevent someone other than the owner of the key from claiming
> to be that person in the future.

Since you cannot trust this person for not giving its private key, your assumptions are blind trust.

--
Erwan

From johanw@vulcan.xs4all.nl Thu May 15 22:12:02 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Thu May 15 21:12:02 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To: <20030515021553.GN25493@jabberwocky.com> from David Shaw at "May 14, 2003 10:15:54 pm"
Message-ID: <200305151047.MAA02280@vulcan.xs4all.nl>

David Shaw wrote:

>It's not impossible technically, but the locking scheme GnuPG uses at
>the moment isn't compatible with a FAT filesystem. It uses link().

Ah, OK. I assumed it used a lockfile, where it would be up to gpg itself to look at it. However, opened files on windows systems can be a pain: they can much less share files between apps than Linux can, sharing violation is almost impossible to override on windows.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From Johan.Parin@abc.se Thu May 15 22:55:02 2003
From: Johan.Parin@abc.se (Johan Parin)
Date: Thu May 15 21:55:02 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To: <20030515021553.GN25493@jabberwocky.com> (David Shaw's message of "Wed, 14 May 2003 22:15:54 -0400")
References: <200305150116.DAA00784@vulcan.xs4all.nl> <20030515021553.GN25493@jabberwocky.com>
Message-ID:

David Shaw writes:

David> On Thu, May 15, 2003 at 03:16:44AM +0200, Johan Wevers wrote:
>> Why is locking impossible on FAT32?

David> It's not impossible technically, but the locking scheme GnuPG
David> uses at the moment isn't compatible with a FAT filesystem.
David> It uses link().

So what does the Windows version of GnuPG do, if like me one has their homedir on a FAT32 partition?

--
Johan Parin

From linux@codehelp.co.uk Fri May 16 00:11:02 2003
From: linux@codehelp.co.uk (Neil Williams)
Date: Thu May 15 23:11:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
References: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com> <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
Message-ID: <200305152212.25359.linux@codehelp.co.uk>

On Thursday 15 May 2003 6:13 pm, darren chamberlain wrote:
> > I need a little help here. What, exactly, would an "anonymous" key
> > *mean*? To what would a document signed by such a key be bound, and
> > why would I care?
>
> An anonymous key could be used to establish that multiple messages came
> from the same user (or didn't).

But then it's no longer anonymous. The key can be assigned to a particular user or more likely from your scenario, from a particular email account which we ASSUME is in use by one person. With no details in the key description to identify one unique individual it is also possible (even likely) that the anonymous key in question has a blank (or well known) passphrase and is in use by many people all operating behind the same email account. A kind of corporate key - like the keys that already exist and being used by e.g. RedHat and Mandrake. So seeing as this ability already exists, where's the need?

> It would let you know that the person
> you were corresponding with was the same person from message to message,
> even though it won't tell you who that person is. It would (or could,
> at least) prevent someone other than the owner of the key from claiming
> to be that person in the future.
>
> (darren)

But just what happens when hundreds or thousands of these anonymous keys build up? There would be no way of correlating how many people could be using them. I would not trust anyone using an anonymous key - I'd be tempted to treat all messages signed with such a key as spam!
--
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/

From juam@arnet.com.ar Fri May 16 00:55:02 2003
From: juam@arnet.com.ar (Juan F. Codagnone)
Date: Thu May 15 23:55:02 2003
Subject: [Q] gpgme: changing keyring
Message-ID: <200305151854.05996.juam@arnet.com.ar>

hi all!

In the last days I had been looking at the capabilities of gpgme. I couldn't find how to change the path for the current keyring. Do I need eyeglasses?

Best Regards,
Juan.

(I didn't find anything related in the archives)

--
Buenos Aires, Argentina 17°C with winds at 46 km/h ESE
Thu May 15 18:54:27 ART 2003

From yenot@sec.to Fri May 16 01:09:02 2003
From: yenot@sec.to (Yenot)
Date: Fri May 16 00:09:02 2003
Subject: Opportunistic Encryption
In-Reply-To: <200305140053.49973@erwin.ingo-kloecker.de>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305131719.26463.yenot@sec.to> <200305140053.49973@erwin.ingo-kloecker.de>
Message-ID: <200305160155.10564.yenot@sec.to>

On Wednesday 14 May 2003 02:53 am, Ingo Klöcker wrote:
>
> Trust is the principle the WoT is built upon. Without trust the WoT
> can't exist. And trust can't really co-exist with anonymity. You
> have to know who the key owner is before you can tell GnuPG how
> much trust you want to put in the key owner.

I'm not proposing an anonymous system. I'm proposing a system that isn't dependent on public keyservers. I'm also proposing a simpler system. An example may be the best description, so I've written a rough draft. I've broken OpenPGP use into 3 levels of sophistication. Each level can be attacked at the user's own pace.

Level 1: Opportunistic Encryption
=--------------------------------
For this level, the user just generates a key. After that, the e-mail client software does the following:

A) All outbound messages are signed. Mail is encrypted whenever the recipient's public key is available. (See my previous post for algorithms on key selection when multiple untrusted keys exist.)

B) When a signed message with an attached key is received, we verify that the attached key matches the key used to sign the message. If so, the key is automatically added to the local keyring.

C) If a received message is signed but not encrypted, any reply to the signature owner should have our public key automatically included as an attachment.

Eavesdropping protection is achieved after one round trip and no user interaction or keyservers are required!
Level 2: User authenticates important communication links
=--------------------------------------------------------
Chances are, the user personally knows his/her most important communication contacts. The user calls these contacts on the phone and exchanges fingerprints. For this, the mail client provides a simple (non-confusing) pop-up for fingerprint verification and the creation of local signatures. Once an e-mail contact has been verified, the client software rewards the user for this important step with a beautiful secure lock icon and feel-good colors on authenticated mail (see KMail for examples of such feel-good colors).

Level 3: Use of WoT and CAs (optional)
=--------------------------------------
Sophisticated users and users with support from IT staff can use WoT and CA schemes. Keysigning parties can be thrown. People can install personal trust calculation plugins for their favorite OpenPGP implementation and so on.

Less sophisticated users can just continue direct key exchanges with important contacts. They need not lose sleep at night thinking about complicated graphs of key relationships and what trust calculation algorithm best meets their security needs.

>
> Any proposals for how these clever icons should look like?

I was really hoping people on this list would have some good ideas. IMO: Whoever came up with the excellent color schemes used by KMail on signed and encrypted messages should be asked for advice.

Also, I encourage everyone to read and think about the problem with web-browsers and self-signed certificates. Here's the link again:
http://marc.theaimsgroup.com/?l=cryptography&m=104774889818071&w=2

Since web browsers and e-mail clients are tightly coupled these days, some idea sharing on user-interfaces might be warranted.
- Yenot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE+xA4FP247TY29IxARAi6uAKCNl5ZEzukQI4HTcB9FVQ/jEMYeHQCfXSDm OCWqiyAcfgxWaAYA2VIucQM= =8PDx -----END PGP SIGNATURE----- From linux@codehelp.co.uk Fri May 16 01:20:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri May 16 00:20:02 2003 Subject: Merging keys? Message-ID: <200305152321.10805.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 With all this talk of using a private primary RSA key and then public subkeys, I created a third key to test some ideas and I began to wonder if it is worth considering if keys can be merged. If both secret keys are available and both passphrases given, is there scope to merge two keys?? The carefully built-up signature list could be retained - perhaps the merge operation could ask which key would be the new primary and 'attach' the second key as a new subkey? or a new UID? It could offer a way to migrate older keys with long signature lists. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+xBLWiAEJSii8s+MRApHXAKDYftJdUgaPDpk7GwgHAhTDHbM0PQCgudKO L03QbqMNDL6APNNMlALhQ/o= =lfkE -----END PGP SIGNATURE----- From linux@codehelp.co.uk Fri May 16 01:20:36 2003 
From: linux@codehelp.co.uk (Neil Williams) Date: Fri May 16 00:20:36 2003 Subject: Trouble signing (was: Trouble exporting keys) In-Reply-To: <20030515171833.GA1175@math.umd.edu> References: <20030515001424.GA2956@math.umd.edu> <1052984399.20759.29.camel@dennisx.cif.rochester.edu> <20030515171833.GA1175@math.umd.edu> Message-ID: <200305152259.00159.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 15 May 2003 6:18 pm, Daniel Carrera wrote: > I'll revoke my current key later today, and start over with a 4096-bit RSA > primary signing key. Later I'll create a 1024-bit DSA key and a 2048-bit > ElGamal key. And this will do exactly what I want: > > - Long-term security through the 4096-bit primary key. > - GPG defaults to DSA for signing. > - If I ever want more security, I can use ! to sign with the RSA. I haven't revoked any keys, just started with a completely new one, generated exactly as above. 4096 RSA, 1024 DSA and 2048 ElGamal. (I added a photoid for fun too but generating that 4096RSA took an age!!) pub 4096R/48C5F366 2003-05-15 Neil Williams uid [image of size 4569] sub 1024D/F3C504D8 2003-05-15 [expires: 2004-05-14] sub 2048g/E819E0B7 2003-05-15 [expires: 2004-05-14] (A test key only - this will never reach a keyserver or be used on public messages/files/keys) Did you mean signing documents / emails with the DSA? gpg -u f3c504d8 --detach --sign lug.sql gpg --verify lug.sql.sig gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8 gpg: Good signature from "Neil Williams " gpg: aka "[image of size 4569]" That works. But I couldn't get it to work for keysigning. gpg -u f3c504d8! --sign-key a897fd02 or gpg -u f3c504d8 --sign-key a897fd02 Makes no odds: pub 1024D/A897FD02 2002-01-27 Neil Williams (laptop) sig!3 A897FD02 2002-01-27 Neil Williams (laptop) sig!3 48C5F366 2003-05-15 Neil Williams sub 1024g/4D6D2952 2002-01-27 sig! 
A897FD02 2002-01-27 Neil Williams (laptop) Note the new sig by the primary RSA key 48c5f366 not f3c504d8 as in the command. (test sig on this key later deleted, again without updating a keyserver.) Did I miss a stage? If not, won't this cause confusion with regard to keysignings? The KeyID everyone has gotten used to on the mailings wouldn't appear in the list of signatures on keys. GnuPG can make sense of it, but it doesn't look very intuitive in the listings. If the KeyID is the only identifier used (for anonymous keys) it'll be even harder to understand key signatures. - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+xA2jiAEJSii8s+MRAknKAJwPYajVLRey/k7BJ+e9YQuzH2ravQCfSfCV v6JPywUUxLZa6p4khomWfCU= =quEz -----END PGP SIGNATURE----- From manuel@samper.dyndns.org Fri May 16 02:16:03 2003 
From: manuel@samper.dyndns.org (Manuel Samper)
Date: Fri May 16 01:16:03 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <200305152259.00159.linux@codehelp.co.uk>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk>
Message-ID: <20030515231656.GE17005@postfix.dyndns.org>

Neil Williams, on Thu, May 15 2003 at 23:58, wrote:

> I haven't revoked any keys, just started with a completely new one, generated
> exactly as above. 4096 RSA, 1024 DSA and 2048 ElGamal. (I added a photoid
> for fun too but generating that 4096RSA took an age!!)

Try to generate a 4096 Elgamal one... in an offline, only one user, machine (so not much activity to get entropy from).

> gpg -u f3c504d8 --detach --sign lug.sql
>
> gpg --verify lug.sql.sig
> gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
> gpg: Good signature from "Neil Williams "
> gpg: aka "[image of size 4569]"
           ^^^^^^^^^^^^^^^^^^^^^^^^^^

This looks ugly. Feature request: it's so hard to allow a name being attached to these photoids? Or it's required this way by the standard?

> That works.
>
> But I couldn't get it to work for keysigning.
>
> gpg -u f3c504d8! --sign-key a897fd02
> or
> gpg -u f3c504d8 --sign-key a897fd02
>
> Makes no odds:

You cannot sign keys with subkeys. See recent posts on the list.

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From gnupg-users@nahrath.de Fri May 16 02:58:02 2003
From: gnupg-users@nahrath.de (Michael Nahrath) Date: Fri May 16 01:58:02 2003 Subject: localisations and charsets In-Reply-To: <87fzng8j27.fsf@alberti.g10code.de> References: <3EC2E373.9060908@nahrath.de> <20030515041529.GQ25493@jabberwocky.com> <3EC35C4B.1020302@nahrath.de> <87fzng8j27.fsf@alberti.g10code.de> Message-ID: <3EC429D5.70009@nahrath.de> This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigDEBF8CD5EADB7851B6B7248D Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Werner Koch wrote: > On Thu, 15 May 2003 11:22:19 +0200, Michael Nahrath said: > > >>Dies ist freie Software; in den Quellen befindet sich die Lizenzbedingung. >>Es gibt KEINERLEI Garantie; nicht einmal f�r die TAUGLICHKEIT oder > > ^^ > Your terminal does not support UTF-8. Actually my terminal does support UTF-8, at least some times. Otherwise [michi@localhost]~$ gpg --charset utf8 --edit 307D56ED pub 1024D/307D56ED erstellt: 2001-05-17 verf?llt: niemals sub 2048g/B9A65282 erstellt: 2001-05-17 verf?llt: niemals (1). Noèl Köthe ... wouldn't display the name correctly. UTF8 output from GPG is no problem, only the localised UI is. > gpg has already translated the > Latin-1 encoded text to utf-8 before printing it out. > --charset=latin-1 might help Please note that the posted output of "gettext --version" had nothing to do with gpg but only with gettext. Maybe my terminal fails in giving gettext the needed information. I'll try to find out more about this in news:de.comp.sys.mac.misc Greeting, Michi --------------enigDEBF8CD5EADB7851B6B7248D Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) Comment: http://www.biglumber.com/x/web?qs=0x9A4C704C iEYEARECAAYFAj7EKeEACgkQ19dRf5pMcEydlQCffhtURvPFN7bIbKNjmKZZMwmg +mYAnjhcaMu5WLz2S5jDQXPzx4BuQhlC =ggUD -----END PGP SIGNATURE----- --------------enigDEBF8CD5EADB7851B6B7248D-- From dshaw@jabberwocky.com Fri May 16 04:54:03 2003 
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 03:54:03 2003
Subject: Keys not trusted
In-Reply-To: <200305111455.24901@erwin.ingo-kloecker.de>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305090151.56006.yenot@sec.to> <200305111455.24901@erwin.ingo-kloecker.de>
Message-ID: <20030516015408.GB1191@jabberwocky.com>

--+QahgC5+KEYLbs62
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, May 11, 2003 at 02:55:23PM +0200, Ingo Klöcker wrote:

> > One way to pick the best key for such e-mail only acquaintances would
> > be for people within various communities to all use a single robot
> > authentication authority (for example:
> > http://www.toehold.com/robotca). Some members of this list, such as
> > GnuPG developer David Shaw, consider this to be a bad idea.
>
> The RobotCA simply verifies the email address. You can easily do this
> yourself by sending an encrypted challenge to the person you want to
> communicate with. (Yes, I know that an encrypted challenge will only
> verify the encryption key.)
>
> > Shaw
> > proposes that when no trust path to an e-mail exists, the mail client
> > should encrypt to all available keys for the given e-mail address
> > (warning the user appropriately). Then when/if the party you sent to
> > replies, you can set the definitive key based on the key they use in
> > their reply.
>
> This isn't really a good idea. You encrypt with a valid and with a
> forged key. The message is intercepted, decrypted and answered by the
> forger. You have been fooled.

Yes. To give context here, both the robot CA and my proposal were presented in the context of "if we drop the requirement to be resistant against man-in-the-middle, can we make things easier to use?". It is most emphatically NOT as secure as using the web of trust properly. For some people though, the tradeoff is worth it... and of course, for some, it isn't.

It's one of those eternal questions whether it is better if a system is perfectly secure, but not many people use it, or if it is less secure, and many people use it. One way to put this is to ask whether it is better to encrypt and be vulnerable to a man in the middle attack... or to not encrypt and be vulnerable to everything ;)

David

--+QahgC5+KEYLbs62
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+xETA4mZch0nhy8kRAiSaAJ9699cz5OSeyfUlEFSBB7jSzFLoXgCfdjAW
8T9BQwcT8Bc2Rxtv0uLH/ko=
=WQaL
-----END PGP SIGNATURE-----

--+QahgC5+KEYLbs62--

From dshaw@jabberwocky.com Fri May 16 04:54:39 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 03:54:39 2003
Subject: Keys not trusted
In-Reply-To: <200305101027.51808@fortytwo.ch>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305091755.48203.graham.todd@ntlworld.com> <20030509-57c41a1cb88bf5d499d6ca1536e4f287@tumbleweed.boston.com> <200305101027.51808@fortytwo.ch>
Message-ID: <20030515210645.GD1523@jabberwocky.com>

--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, May 10, 2003 at 10:27:47AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Friday 09 May 2003 19:24, darren chamberlain wrote:
> > * Graham [2003-05-09 13:17]:
>
> [keyring maintenance]
>
> > How do you know which keys you don't need? Do you simply eyeball the
> > userids and delete the ones you don't recognize, or is there a more
> > efficient way? I currently have over 300 public keys on my keyring (I
> > also have the auto-retrieve option set), and I'm very sure I don't need
> > most of those, but how can I tell which ones I actually need?
>
> Yo!
>
> 300 keys sounds about right :-)
>
> I have a little script that just presents me with 5 random keys. I
> then delete those where I don't recognize the name (either from
> mailing lists, or privately) - I do this more or less weekly
> (sometimes less). It's far from perfect, but I don't want to go
> through the whole keyring. Of course I occasionally delete a key
> that is then downloaded again when I read mail, but as those aren't
> people I know, I don't think this is a problem.

Another trick that you can use is to have more than one public keyring. Some people have one keyring that contains the keys they know personally or have signed, and a larger keyring that auto-key-retrieve imports into. Then, they can just quickly blast through the larger automatic keyring every now and then without accidentally losing an important key.

David

--X1bOJ3K7DJ5YkBrT
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+xAFl4mZch0nhy8kRAqJaAJ9B3LopjjhJVm0J3YlBKYlZrFQGeACg4yxr
q/boHfXO8EmA8psHHwTmE78=
=EOwO
-----END PGP SIGNATURE-----

--X1bOJ3K7DJ5YkBrT--

From dshaw@jabberwocky.com Fri May 16 04:55:13 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Fri May 16 03:55:13 2003 Subject: SDA (was: mobile GPG installation) In-Reply-To: <20030512183435.GO32053@psilocybe.teonanacatl.org> References: <87r874cl3r.fsf@alberti.g10code.de> <20030512171928.53543.qmail@web10508.mail.yahoo.com> <20030512183435.GO32053@psilocybe.teonanacatl.org> Message-ID: <20030515212810.GE1523@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, May 12, 2003 at 02:34:35PM -0400, Todd wrote: > Burns wrote: > > You can achieve some protection if the recipient (someone without > > gpg/pgp) has a md5 hash application, to check for the proper hash > > value (previously given over the phone?) before they opened it. > > That's not a standard part of any Windows OS though (as far as I know, but I > don't use windows if I can avoid it so I could be wrong). So the user you > want to send the SDA to still has to install some software. They might as > well install an OpenPGP application if they want to decrypt OpenPGP data. Yes. I once toyed with the idea of making a small decrypt-only OpenPGP program for this sort of thing. The idea was to be something like gpgv - no trustdb, no key management, just decrypt symmetrically encrypted messages. I didn't do it because the regular 'gpg' binary is already pretty lightweight, and doesn't need a complex installation to run anyway. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xAZq4mZch0nhy8kRAr6kAJwMCTXLFD2JBN0IijmakXTlPsRvngCgu3HY IbrW+V46Fd60RuPzrPSyLdY= =h5YJ -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Fri May 16 04:55:48 2003 
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 03:55:48 2003
Subject: Cracking AES
In-Reply-To: <000d01c31843$ec10b820$0200000a@discovery>
References: <000d01c31843$ec10b820$0200000a@discovery>
Message-ID: <20030515204731.GC1523@jabberwocky.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, May 12, 2003 at 12:04:00AM -0500, Adam Smith wrote:

> I run a mixed Win32/OpenBSD environment but am far more familiar with
> Windows. I set up a batch file like so:
>
> @echo off
> echo GUESS1|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt
> text.pgp
> echo GUESS2|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt
> text.pgp
> ...
>
> This does not work for me, however, because GPG messes up when you try
> to feed it a '&' through this method (I'm escaping all of the special
> characters in echo using a '^' but can't find an escape character for
> GPG). Any suggestions

I'm curious why you're having a problem with '&'. The only character that should be unusable via passphrase-fd is a newline.

> Even if it did work, however, I'd still like to be able to do more than
> 8 tries per second. With the right kind of coding I should be able to
> easily get 10,000 tries/second but do not have any experience. Is
> source code available for the Windows binary (I could not find it)?
> Anyone ever done this before?

The source code for all versions of GnuPG is available at ftp://ftp.gnupg.org. The Windows code is the same as the Unix code (more or less).

Read the code in g10/seckey-cert.c and g10/passphrase.c, in particular, for the code that handles secret key decryption. You should be able to hotwire it to do what you want.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+w/zj4mZch0nhy8kRArVuAJ98MosM/jRbMMj9Jcswr4SM75drggCgmwTJ
wg9fGrrb+zj6jx26SjEDgMM=
=MVt5
-----END PGP SIGNATURE-----

From johanw@vulcan.xs4all.nl Fri May 16 05:02:02 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Fri May 16 04:02:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <200305152212.25359.linux@codehelp.co.uk> from Neil Williams at "May 15, 2003 10:12:20 pm"
Message-ID: <200305160033.CAA00642@vulcan.xs4all.nl>

Neil Williams wrote:

>But then it's no longer anonymous. The key can be assigned to a particular
>user or more likely from your scenario, from a particular email account
>which we ASSUME is in use by one person.

Communication need not go through ordinary email addresses. There are things like anonymous servers and newsgroups. I remember that the guy(s?) who broke some MS DRM scheme posted sample code and explanations signed with a PGP key under the pseudonym "Beale Screamer". If you wanted to communicate with him you could post an encrypted message in sci.crypt.

-- 
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw@jabberwocky.com Fri May 16 06:01:02 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Fri May 16 05:01:02 2003 Subject: Using GnuPG on Windows/Linux In-Reply-To: References: <200305150116.DAA00784@vulcan.xs4all.nl> <20030515021553.GN25493@jabberwocky.com> Message-ID: <20030516030051.GC1191@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, May 15, 2003 at 09:56:16PM +0200, Johan Parin wrote: > > > David Shaw writes: > > David> On Thu, May 15, 2003 at 03:16:44AM +0200, Johan Wevers wrote: > > > > >> Why is locking impossible on FAT32? > > David> It's not impossible technically, but the locking scheme GnuPG > David> uses at the moment isn't compatible with a FAT filesystem. > David> It uses link(). > > So what does the Windows version of GnuPG do, if like me one has their > homedir on a FAT32 partition? I believe it doesn't lock at all. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xFRj4mZch0nhy8kRAoPaAKCpK1Gx+CmPO6VsCZPr8lzQ7wnXagCeMQ9a Uizx5vaN54TKKXBYRKJeNW0= =hqwG -----END PGP SIGNATURE----- From avbidder@fortytwo.ch Fri May 16 09:15:02 2003 
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Fri May 16 08:15:02 2003
Subject: Keys not trusted
In-Reply-To: <20030516015408.GB1191@jabberwocky.com>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305111455.24901@erwin.ingo-kloecker.de> <20030516015408.GB1191@jabberwocky.com>
Message-ID: <200305160816.10644@fortytwo.ch>

--Boundary-02=_qIIx+RM6+V7yWGj
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Friday 16 May 2003 03:54, David Shaw wrote:

> It's one of those eternal questions whether it is better if a system
> is perfectly secure, but not many people use it, or if it is less
> secure, and many people use it. One way to put this is to ask whether
> it is better to encrypt and be vulnerable to a man in the middle
> attack... or to not encrypt and be vulnerable to everything ;)

I guess for some the big is that the people using a security-made-easy system - where some vulnerabilities are traded against convenience - won't be aware of these vulnerabilities but just assume that their system is absolutely 100% secure. So, when the first attack comes that uses this well known (amongst those who care to know) vulnerability, people will yell 'but you promised us a secure system' - and there's nothing you can do. Telling them that it wasn't designed to be secure in this way will not help you, then.

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/smtp

--Boundary-02=_qIIx+RM6+V7yWGj
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7EgipgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fW4tEAmgNKtbItLMxg9gu0V8dgXW0s
fGSqAJ0feWVhQANpzHo2mPJCf3PbI7hs9Q==
=xdlr
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

--Boundary-02=_qIIx+RM6+V7yWGj--

From avbidder@fortytwo.ch Fri May 16 09:29:02 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Fri May 16 08:29:02 2003
Subject: Opportunistic Encryption [Was: Keys not trusted]
In-Reply-To: <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
References: <20030513171840.GC87246@pm1.ric-30.lft.widomaker.com> <20030515-6c88e105e1f1443a44870f7ae5f30c4d@tumbleweed.boston.com>
Message-ID: <200305160830.21560@fortytwo.ch>

--Boundary-02=_9VIx+9iK/4lI5V8
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Thursday 15 May 2003 19:13, darren chamberlain wrote:

> An anonymous key could be used to establish that multiple messages came
> from the same user (or didn't). It would let you know that the person
> you were corresponding with was the same person from message to message,
> even though it won't tell you who that person is. It would (or could,
> at least) prevent someone other than the owner of the key from claiming
> to be that person in the future.

This only gives security to the *sender* of the messages. The recipients cannot know that he didn't post his secret key to misc.test or something.

But the sender can easily ask proof if anybody tries to impersonate him (as far you can impersonate an anonymous person :-)

(yes, as noted, it also gives the sender a return path for people to answer in secret).

cheers
-- vbi

-- 
featured link: http://fortytwo.ch/time

--Boundary-02=_9VIx+9iK/4lI5V8
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iKcEABECAGcFAj7EhX1gGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h
aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi
YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fW3hkAnjVnsBSY5cJ5Lb6Q9hDGHUky
PK9wAKCtWy+AFHzhum28w17FhZWB91zGZg==
=qnfp
-----END PGP SIGNATURE-----
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

--Boundary-02=_9VIx+9iK/4lI5V8--

From bruce@semiotica.co.uk Fri May 16 11:31:02 2003
From: bruce@semiotica.co.uk (Bruce Robbins)
Date: Fri May 16 10:31:02 2003
Subject: server signing with php
Message-ID: <8115F55D-86D8-11D7-A7EB-000393872B3C@semiotica.co.uk>

--Apple-Mail-14--464080897
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed

We are attempting to build an application which stores keys on the server and allows users to sign documents assembled on the server.

system() exec() et al will give access to the shell but will not permit signing as the user can not be changed.

Has anyone got any ideas on this or a workaround?

Bruce Robbins
semioticaNewMedia Ltd
Digital Media Solutions
PO box 13
Ashton U Lyne
Lancashire
OL7 9FY
e bruce@semiotica.co.uk
w http://www.semiotica.co.uk

(This e mail may contain my digital signature
To verify its authenticity my public key is available from keyservers and from http://www.keyserver.net/)

For maximum confidentiality you may send encrypted and signed e mails to me using my public key.

Confidentiality Notice: The information contained in this e-mail is for the intended recipient(s) alone. It may contain privileged and confidential information that is exempt from disclosure under English law and if you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, please notify us immediately. If this message is being transmitted over the Internet, be aware that it may be intercepted by third parties.

--Apple-Mail-14--464080897--

From xavier.nodet@free.fr Fri May 16 11:38:03 2003
From: xavier.nodet@free.fr (Xavier Nodet)
Date: Fri May 16 10:38:03 2003
Subject: Unable to retrieve keys automatically
Message-ID:

--=_HDAn.1IbKCwVVhyys9zNJvzLRQficZ
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Disposition: INLINE
content-transfer-encoding: quoted-printable

Hi,

I have some problem retrieving keys from servers. My mailer uses the following kind of command when it determines that I do not have a given key in my keyring, and it always fails with the same error messages:

C:\tmp>gpg.exe -v --keyserver http://wwwkeys.pgp.net:11371 --recv-keys 2696462A4980C4F7
gpg: system error while calling external program: No such file or directory
gpg: WARNING: unable to remove tempfile (out) `C:\DOCUME~1\nodet\LOCALS~1\Temp\gpg-B2227C\tempout.txt': No such file or directory
gpg: no handler for keyserver scheme "http"

I'm using Windows XP SP1. The command also fails when I try it directly on the command line. The `C:\DOCUME~1\nodet\LOCALS~1\Temp' directory exists, and I have full rights on it. The directory `C:\DOCUME~1\nodet\LOCALS~1\Temp\gpg-B2227C' does not exist after GPG exited (and I do not know if it ever existed).

The message comes whatever the value of GNUPGHOME, and even if I empty my gpg.conf file.

Which program does GPG try to launch? Would it be possible that its name is displayed with the error message?

Thanks for your help.

-- 
Xavier Nodet
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759.

--=_HDAn.1IbKCwVVhyys9zNJvzLRQficZ
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92

iD8DBQA+xKNRFK6OUIeqvjQRArv/AJ4ls3IzyUZAxBf76CbZRFynZQLfpgCfcsoO
EwnnjQar0eMSfVwTAFfOXeo=
=jsFE
-----END PGP SIGNATURE-----

--=_HDAn.1IbKCwVVhyys9zNJvzLRQficZ--

From wk@gnupg.org Fri May 16 12:10:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Fri May 16 11:10:02 2003
Subject: Cracking AES
In-Reply-To: <20030515204731.GC1523@jabberwocky.com> (David Shaw's message of "Thu, 15 May 2003 16:47:32 -0400")
References: <000d01c31843$ec10b820$0200000a@discovery> <20030515204731.GC1523@jabberwocky.com>
Message-ID: <87he7v6ytf.fsf@alberti.g10code.de>

On Thu, 15 May 2003 16:47:32 -0400, David Shaw said:

>> echo GUESS1|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt
>> text.pgp
>> echo GUESS2|gpg.exe -q --passphrase-fd 0 --output text.out --decrypt
>> text.pgp

BTW, I did some benchmarks to see how long the actual code runs without initial overhead: On a 1.7 GHz Celeron I got 3.8ms for the S2K part (converting the passphrase to a key) and 0.02ms for the decryption. This would allow for about 260 tests per second.

If on the other side the old PGP2 method (S2K mode 0) was used for the encryption, the S2K part takes only 0.03ms and thus allows for 20000 tests per second.

Shalom-Salam,

Werner

-- 
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Fri May 16 12:15:02 2003
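The figures in Werner Koch's message above come almost entirely from the string-to-key step, so the S2K mode chosen at encryption time decides how expensive each passphrase guess is. The sketch below is an added example, not GnuPG's code: it implements the OpenPGP simple, salted, and iterated-and-salted S2K with SHA-1 and times one derivation of each; the function names, the coded count of 96 (65536 octets) and the sample passphrase are assumptions.

```python
import hashlib
import time


def decode_count(coded):
    """Expand the one-octet coded count of an iterated and salted S2K."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def _feed(h, data, total):
    """Hash `total` octets taken from `data` repeated end to end."""
    if not data:
        return
    block = data * max(1, 65536 // len(data))
    while total >= len(block):
        h.update(block)
        total -= len(block)
    h.update(block[:total])


def s2k(passphrase, key_len, mode=0, salt=b"", coded_count=96,
        hash_name="sha1"):
    """Derive key_len octets from a passphrase.

    mode 0: simple, mode 1: salted, mode 3: iterated and salted.
    """
    if mode not in (0, 1, 3):
        raise ValueError("unknown S2K mode")
    if mode and len(salt) != 8:
        raise ValueError("salted modes need an 8-octet salt")
    data = (salt if mode else b"") + passphrase
    total = len(data)
    if mode == 3:
        # The count is a number of octets, not of hash invocations; the
        # salt and passphrase are always hashed at least once in full.
        total = max(decode_count(coded_count), len(data))
    key, preload = b"", 0
    while len(key) < key_len:
        # Keys longer than one digest use extra hash contexts, each
        # preloaded with one more zero octet than the previous one.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        _feed(h, data, total)
        key += h.digest()
        preload += 1
    return key[:key_len]


def seconds_per_derivation(mode, rounds=200,
                           passphrase=b"constructed passphrase"):
    """Average wall-clock time for one 128-bit key derivation."""
    salt = bytes(range(8)) if mode else b""  # constructed salt
    start = time.perf_counter()
    for _ in range(rounds):
        s2k(passphrase, 16, mode=mode, salt=salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for mode in (0, 1, 3):
        cost = seconds_per_derivation(mode)
        print(f"S2K mode {mode}: {cost * 1e6:9.1f} us per passphrase")
```

The absolute times depend on the machine and will not match the 2003 measurements; what carries over is the gap between mode 0 and mode 3, which grows with the coded count.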
From: wk@gnupg.org (Werner Koch)
Date: Fri May 16 11:15:02 2003
Subject: Merging keys?
In-Reply-To: <200305152321.10805.linux@codehelp.co.uk> (Neil Williams's message of "Thu, 15 May 2003 23:21:07 +0100")
References: <200305152321.10805.linux@codehelp.co.uk>
Message-ID: <87el2z6yl0.fsf@alberti.g10code.de>

On Thu, 15 May 2003 23:21:07 +0100, Neil Williams said:

> With all this talk of using a private primary RSA key and then
> public subkeys, I created a third key to test some ideas and I began
> to wonder if it is worth considering if keys can be merged. If both
> secret keys are available and both passphrases given, is there scope
> to merge two keys??

gpgsplit can help here but you need to calculate a new subkey binding signature. There is no tool for this instantly available.

Now that PGP is able to verify signatures made with a subkey, I considered to merge my cert-only key with my working key but I won't do that because it will be easier to create new subkeys for the cert-only key and keep the old working key around for decrypting old stuff.

-- 
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From wk@gnupg.org Fri May 16 12:21:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Fri May 16 11:21:02 2003
Subject: localisations and charsets
In-Reply-To: <3EC429D5.70009@nahrath.de> (Michael Nahrath's message of "Fri, 16 May 2003 01:59:17 +0200")
References: <3EC2E373.9060908@nahrath.de> <20030515041529.GQ25493@jabberwocky.com> <3EC35C4B.1020302@nahrath.de> <87fzng8j27.fsf@alberti.g10code.de> <3EC429D5.70009@nahrath.de>
Message-ID: <87addn6y8s.fsf@alberti.g10code.de>

On Fri, 16 May 2003 01:59:17 +0200, Michael Nahrath said:

> [michi@localhost]~$ gpg --charset utf8 --edit 307D56ED
> pub 1024D/307D56ED erstellt: 2001-05-17 verf?llt: niemals
> sub 2048g/B9A65282 erstellt: 2001-05-17 verf?llt: niemals
> (1). Noèl Köthe
> ...
> wouldn't display the name correctly.
> UTF8 output from GPG is no problem, only the localised UI is.

I see. Do you need to use the charset option of GnuPG to make your name printed correctly? It should work without because the default is to use the current locale for selecting the charset. I guess that it does not work and thus gettext won't work either. I assume that you did set your LANG environment variable correctly.

What does a

  grep HAVE_LANGINFO_CODESET gnupg-1.2.2/config.h

print?

-- 
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From pt@radvis.nu Fri May 16 13:20:03 2003
From: pt@radvis.nu (Per Tunedal)
Date: Fri May 16 12:20:03 2003
Subject: Opportunistic Encryption
Message-ID: <5.1.0.14.2.20030516121927.021e0668@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 02:00 2003-05-16 +0400, you wrote:
>
>An example may be the best description, so I've written a rough draft.
>I've broken OpenPGP use into 3 levels of sophistication. Each level
>can be attacked at the user's own pace.
>
>
>Level 1: Opportunistic Encryption
>=--------------------------------
>For this level, the user just generates a key. After that, the e-mail
>client software does the following:
>
>A) All outbound messages are signed. Mail is encrypted whenever the
>   recipient's public key is available. (See my previous post for
>   algorithms on key selection when multiple untrusted keys exist.)
>
>B) When a signed message with an attached key is received, we verify
>   that the attached key matches the key used to sign the message.
>   If so, the key is automatically added to the local keyring.
>
>C) If a received message is signed but not encrypted, any reply to
>   the signature owner should have our public key automatically
>   included as an attachment.
>
>Eavesdropping protection is achieved after one round trip and no user
>interaction or keyservers are required!
>
> - Yenot

I would like to add automatic use of robot-CAs to the scheme. It's a simple way of tying a key to an e-mail address:

- - the user just generates a key
- - the client sends it to a robot-CA
- - the robot CA signs the key, encrypts it with the same key and returns it to all e-mail addresses used in the userid.
- - the encrypted message from the robot-CA is received, decrypted, the signed key is imported to the keyring and sent to at least one keyserver.

The rest as you proposed.
Yours, Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92 iD8DBQE+xLtJ2Jp9Z++ji2YRAoBmAJ0Y2qzfxWhmI5ZkPXTJwDofli/m+gCeJUsu hnu3wSeY3Rv0z4lbg9unftA= =eF4P -----END PGP SIGNATURE----- From manuel@samper.dyndns.org Fri May 16 15:31:04 2003 
From: manuel@samper.dyndns.org (Manuel Samper)
Date: Fri May 16 14:31:04 2003
Subject: Duplicated self-signatures on keyservers
Message-ID: <20030516123157.GA6012@postfix.dyndns.org>

Hi,

this maybe also a keyserver issue, but I'm sure some keyserver folks are reading this list, so I will ask here.

I recently created a keypair (fffd5da0), and sent it to public keyservers. Later, I modified the preferences on their user ids (gpg --edit-key, setpref and updpref), and sent it again to keyservers. Now, when I search my key, I see now two self-signatures:

http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xfffd5da0

But in my keyring I only see one signature, so I made some tests:

$ gpg --export fffd5da0|gpg --no-default-keyring --keyring local.gpg --import
$ gpg --no-default-keyring --keyring servers.gpg --recv-key fffd5da

The self-signatures of the first uid on the local and server keyring copies:

$ gpg -v -v local.gpg
:public key packet:
        version 4, algo 1, created 1052865492, expires 0
        pkey[0]: [4096 bits]
        pkey[1]: [6 bits]
:user ID packet: "Manuel Samper"
:signature packet: algo 1, keyid AE5F2672FFFD5DA0
        version 4, created 1052865494, md5len 0, sigclass 13
        digest algo 2, begin of digest 6c 3e
        hashed subpkt 27 len 2 (key flags: 03)
        hashed subpkt 30 len 2 (features: 01)
        hashed subpkt 23 len 2 (key server preferences: 80)
        hashed subpkt 25 len 2 (primary user ID)
        hashed subpkt 11 len 6 (pref-sym-algos: 8 3 2 7 9)
        hashed subpkt 21 len 3 (pref-hash-algos: 3 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 1)
        hashed subpkt 2 len 5 (sig created 2003-05-13)
        subpkt 16 len 9 (issuer key ID AE5F2672FFFD5DA0)
        data: [4096 bits]
:trust packet: flag=00 sigcache=03
[...]

$ gpg -v -v server.gpg
[same as above, with the below additional signature]
:signature packet: algo 1, keyid AE5F2672FFFD5DA0
        version 4, created 1052865493, md5len 0, sigclass 13
        digest algo 2, begin of digest d6 c6
        hashed subpkt 27 len 2 (key flags: 03)
        hashed subpkt 11 len 5 (pref-sym-algos: 3 2 7 9)
        hashed subpkt 21 len 3 (pref-hash-algos: 3 2)
        hashed subpkt 22 len 3 (pref-zip-algos: 2 1)
        hashed subpkt 30 len 2 (features: 01)
        hashed subpkt 23 len 2 (key server preferences: 80)
        hashed subpkt 25 len 2 (primary user ID)
        hashed subpkt 2 len 5 (sig created 2003-05-13)
        subpkt 16 len 9 (issuer key ID AE5F2672FFFD5DA0)
        data: [4095 bits]
[...]

Is here anything that I must worry about? Is this the normal behaviour, or another known keyserver bug?

AFAIK, keyservers merge up everything and don't remove anything, and the gpg man page states:

  updpref Change the preferences of all user IDs (or just of the selected ones to the current list of preferences. The timestamp of all affected self-signatures will be advanced by one second. [...]

So then, every time a userid preference list is updated, another selfsig is added to the key copy on keyservers? (when uploading the key, of course)

It's safe to delete other people's duplicated selfsigs? (I have seen some keys with more than one selfsig, and I wondered at the time why). And if so, how to determine what's the last one issued? (other than using "gpg -v -v" on a keyring). It's always the first listed?

Not worried specially about it, just imagining the case of a key bloated with a bunch of self-signatures... but in that case, it's better to fetch it directly from their owner and not from the keyservers, I think.

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From manuel@samper.dyndns.org Fri May 16 16:19:02 2003
From: manuel@samper.dyndns.org (Manuel Samper)
Date: Fri May 16 15:19:02 2003
Subject: Keys not trusted
In-Reply-To: <20030515210645.GD1523@jabberwocky.com>
References: <200305101027.51808@fortytwo.ch> <20030515210645.GD1523@jabberwocky.com>
Message-ID: <20030516131921.GA17229@postfix.dyndns.org>

David Shaw, on Thu, May 15 2003 at 23:06, wrote:
> On Sat, May 10, 2003 at 10:27:47AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> > I have a little script that just presents me with 5 random keys. I
> > then delete those where I don't recognize the name (either from
> > mailing lists, or privately) - I do this more or less weekly
> > (sometimes less). It's far from perfect, but I don't want to go
> > through the whole keyring. Of course I occasionally delete a key
> > that is then downloaded again when I read mail, but as those aren't
> > people I know, I don't think this is a problem.
>
> Another trick that you can use is to have more than one public
> keyring. Some people have one keyring that contains the keys they
> know personally or have signed, and a larger keyring that

I use this setup (at least I'm experimenting with it). A secret keyring, revocation certs, etc. stored offline, a copy of the secret keyring on floppy with the primary secret key stripped (only with subkeys), and no (empty) secret keyring on connected machines, with the following gpg.conf options:

/floppy/gpg.conf:
  keyring ~/.gnupg/pubring.gpg

~/.gnupg/gpg.conf:
  secret-keyring /floppy/secring.gpg
  keyserver-options auto-key-retrieve
  ...

And with a /floppy/pubring.gpg with only those keys (locally/ultimately) signed/trusted. And when I need to work on the floppy keyring, just use "gpg --homedir /floppy" (I have a shell alias for it) and/or "--no-default-keyring".

And with autofs, I ever don't bother with mounting/umounting the floppy (it's a ext2fs; I refer here to a floppy for simplicity, but in fact is any removable media).

> auto-key-retrieve imports into. Then, they can just quickly blast
> through the larger automatic keyring every now and then without
> accidentally losing an important key.

A related question: there is some tool/script/whatever to automatically prune from the keyrings those keys with only self-signatures, or some way to list them (and only them) with gpg?

TIA

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From dshaw@jabberwocky.com Fri May 16 16:20:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 15:20:02 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <20030515231656.GE17005@postfix.dyndns.org>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org>
Message-ID: <20030516031824.GD1191@jabberwocky.com>

On Fri, May 16, 2003 at 01:16:57AM +0200, Manuel Samper wrote:

> > gpg --verify lug.sql.sig
> > gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
> > gpg: Good signature from "Neil Williams "
> > gpg: aka "[image of size 4569]"
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^
> This looks ugly.
>
> Feature request: it's so hard to allow a name being attached to these
> photoids? Or it's required this way by the standard?

I'm not quite sure what you mean here. That user attribute contains an image, so it says so. Do you mean a name in addition to the image, rather like the HTML "alt" tag, so nongraphical displays can still give a text line?

David

From manuel@samper.dyndns.org Fri May 16 17:08:03 2003
From: manuel@samper.dyndns.org (Manuel Samper)
Date: Fri May 16 16:08:03 2003
Subject: Trouble signing (was: Trouble exporting keys)
In-Reply-To: <20030516031824.GD1191@jabberwocky.com>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com>
Message-ID: <20030516140911.GB17229@postfix.dyndns.org>

David Shaw, on Fri, May 16 2003 at 05:18, wrote:
> On Fri, May 16, 2003 at 01:16:57AM +0200, Manuel Samper wrote:
>
> > > gpg --verify lug.sql.sig
> > > gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
> > > gpg: Good signature from "Neil Williams "
> > > gpg: aka "[image of size 4569]"
> >            ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This looks ugly.
> >
> > Feature request: it's so hard to allow a name being attached to these
> > photoids? Or it's required this way by the standard?
>
> I'm not quite sure what you mean here. That user attribute contains
> an image, so it says so. Do you mean a name in addition to the image,
> rather like the HTML "alt" tag, so nongraphical displays can still
> give a text line?

Yes, something like:

$ gpg --list-key samper
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
uid                           Manuel Samper
uid                           Manuel Samper [jpeg image of size 1234]
...

That is, at the time of attaching a photo id (had never done it, not sure what gpg ask) being asked for a real name like normal uids. But I don't know if this is a fool pretension or what problems may arise to implement it.

Or perhaps change only the gpg output when verifying signatures (this may be accomplished also by the MUA). But anything else is better than "also known as [image of size X]" :)

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From dcarrera@math.umd.edu Fri May 16 18:53:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Fri May 16 17:53:03 2003
Subject: [Q] How do I revoke my old key?
Message-ID: <20030516155443.GC1234@math.umd.edu>

Alright. I have my cool, brand-new key-ring, and I have made a revocation certificate for my old key.

Now that I have the revocation certificate, how do I actually revoke it? I guess I must send it to a key-server. How do I do that?

Do I need to go over every key-server I sent my key to? I'm not sure I can remember them all. Or is it enough to send the revocation to one HKP and one LDAP key server?

I have made backups of everything I had encrypted with my old key. Is it safe to delete the key now?

Thanks for the help.

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From eroosenmaallen@cogeco.ca Fri May 16 19:33:03 2003
From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen)
Date: Fri May 16 18:33:03 2003
Subject: [Q] How do I revoke my old key?
In-Reply-To: <20030516155443.GC1234@math.umd.edu>
References: <20030516155443.GC1234@math.umd.edu>
Message-ID: <3EC51220.9020305@cogeco.ca>

Hi Daniel,

First you have to actually use the revocation certificate:

$ gpg --import revcert.asc

This will mark the key as revoked in your keyring. Next, you send the revoked key to keyservers. As a bare minimum, one LDAP and one HKP keyserver should suffice.

You're as well off to hang onto the revoked key - you can decrypt with it, even after it's revoked, and it's possible to end up with old copies of it kicking around, which someone may use to encrypt to you.

Peace,
Eddie

Daniel Carrera wrote:
> Alright. I have my cool, brand-new key-ring, and I have made a revocation
> certificate for my old key.
>
> Now that I have the revocation certificate, how do I actually revoke it?
> I guess I must send it to a key-server. How do I do that?
>
> Do I need to go over every key-server I sent my key to? I'm not sure I
> can remember them all. Or is it enough to send the revocation to one HKP
> and one LDAP key server?
>
> I have made backups of everything I had encrypted with my old key. Is it
> safe to delete the key now?
>
> Thanks for the help.

-- 
OpenPGP KeyID: 0xCC1aCD05
Get my key from keyserver.kjsl.com

From mykeolson@usa.net Fri May 16 20:11:02 2003
From: mykeolson@usa.net (Myke Olson)
Date: Fri May 16 19:11:02 2003
Subject: Interesting issue with empty files
Message-ID:

I am signing and encrypting an empty file using 'gpg -se -r profile filename' and sending it over to someone else. When they decrypt it using PGP, they don't get any errors or warnings or anything, but also, no empty file...

Has anyone run into this before? Any work-arounds?

TIA,
Myke

-- 
~ ~ ~ m y k e e r i c s c o t t o l s o n ~ ~ ~
myke@olson.name http://myke.olson.name/
"If I had to live my life again, I'd make the same mistakes, only sooner." -- Tallulah Bankhead

From jharris@widomaker.com Fri May 16 21:12:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Fri May 16 20:12:02 2003
Subject: Duplicated self-signatures on keyservers
In-Reply-To: <20030516123157.GA6012@postfix.dyndns.org>
References: <20030516123157.GA6012@postfix.dyndns.org>
Message-ID: <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com>

On Fri, May 16, 2003 at 02:31:57PM +0200, Manuel Samper wrote:

> I recently created a keypair (fffd5da0), and sent it to public
> keyservers. Later, I modified the preferences on their user ids (gpg
> --edit-key, setpref and updpref), and sent it again to keyservers. Now,
> when I search my key, I see now two self-signatures:
> http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xfffd5da0

keyserver.kjsl.com and newer pks keyservers (I think my keyserver list is current enough to show them all, see my website), as well as the LDAP and SKS (http://sks.sf.net/), and perhaps OKS (keyserver.net), keyservers store all versions of all signatures.

> AFAIK, keyservers merge up everything and don't remove anything, and the

Older pks keyservers keep only the most recent signature.

> Not worried specially about it, just imagining the case of a key bloated
> with a bunch of self-signatures... but in that case, it's better to
> fetch it directly from their owner and not from the keyservers, I think.

Use the older pks servers then, until you find a key with a bad selfsig and want to see what other selfsigs are available on the keyservers that keep all signatures.

-- 
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From dshaw@jabberwocky.com Fri May 16 21:26:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 20:26:01 2003
Subject: Keys not trusted
In-Reply-To: <200305160816.10644@fortytwo.ch>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305111455.24901@erwin.ingo-kloecker.de> <20030516015408.GB1191@jabberwocky.com> <200305160816.10644@fortytwo.ch>
Message-ID: <20030516155536.GA3635@jabberwocky.com>

On Fri, May 16, 2003 at 08:16:06AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Friday 16 May 2003 03:54, David Shaw wrote:
>
> > It's one of those eternal questions whether it is better if a system
> > is perfectly secure, but not many people use it, or if it is less
> > secure, and many people use it. One way to put this is to ask whether
> > it is better to encrypt and be vulnerable to a man in the middle
> > attack... or to not encrypt and be vulnerable to everything ;)
>
> I guess for some the big is that the people using a
> security-made-easy system - where some vulnerabilities are traded
> against convenience - won't be aware of these vulnerabilities but
> just assume that their system is absolutely 100% secure. So, when
> the first attack comes that uses this well known (amongst those who
> care to know) vulnerability, people will yell 'but you promised us a
> secure system' - and there's nothing you can do. Telling them that
> it wasn't designed to be secure in this way will not help you, then.

Yes, this is absolutely true. I'm not sure what the answer is for that except perhaps education... and we all know that users don't read the manuals ;)

David

From dshaw@jabberwocky.com Fri May 16 21:26:33 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 20:26:33 2003
Subject: Unable to retrieve keys automatically
In-Reply-To:
References:
Message-ID: <20030516160606.GB3635@jabberwocky.com>

On Fri, May 16, 2003 at 10:37:24AM +0200, Xavier Nodet wrote:
> Hi,
>
> I have some problem retrieving keys from servers. My mailer uses the
> following kind of command when it determines that I do not have a given key in
> my keyring, and it always fails with the same error messages:
>
> C:\tmp>gpg.exe -v --keyserver http://wwwkeys.pgp.net:11371
> --recv-keys 2696462A4980C4F7
> gpg: system error while calling external program: No such file or directory
> gpg: WARNING: unable to remove tempfile (out)
> `C:\DOCUME~1\nodet\LOCALS~1\Temp\gpg-B2227C\tempout.txt':
> No such file or directory
> gpg: no handler for keyserver scheme "http"
>
> I'm using Windows XP SP1. The command also fails when I try it directly
> on the command line. The `C:\DOCUME~1\nodet\LOCALS~1\Temp' directory
> exists, and I have full rights on it. The directory
> `C:\DOCUME~1\nodet\LOCALS~1\Temp\gpg-B2227C' does not exist after GPG
> exited (and I do not know if it ever existed). The message comes
> whatever the value of GNUPGHOME, and even if I empty my gpg.conf file.
>
> Which program does GPG try to launch? Would it be possible that its
> name is displayed with the error message?

The problem is there is no "http" handler. The handler for wwwkeys.pgp.net is "hkp". Use --keyserver hkp://wwwkeys.pgp.net

David

From dshaw@jabberwocky.com Fri May 16 21:27:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 16 20:27:03 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <20030516140911.GB17229@postfix.dyndns.org>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org>
Message-ID: <20030516182420.GD3635@jabberwocky.com>

On Fri, May 16, 2003 at 04:09:11PM +0200, Manuel Samper wrote:
> David Shaw, on Fri, May 16 2003 at 05:18, wrote:
> > On Fri, May 16, 2003 at 01:16:57AM +0200, Manuel Samper wrote:
> >
> > > > gpg --verify lug.sql.sig
> > > > gpg: Signature made Thu 15 May 2003 22:49:03 BST using DSA key ID F3C504D8
> > > > gpg: Good signature from "Neil Williams "
> > > > gpg: aka "[image of size 4569]"
> > >            ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > This looks ugly.
> > >
> > > Feature request: it's so hard to allow a name being attached to these
> > > photoids? Or it's required this way by the standard?
> >
> > I'm not quite sure what you mean here. That user attribute contains
> > an image, so it says so. Do you mean a name in addition to the image,
> > rather like the HTML "alt" tag, so nongraphical displays can still
> > give a text line?
>
> Yes, something like:
>
> $ gpg --list-key samper
> pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
> uid                           Manuel Samper
> uid                           Manuel Samper [jpeg image of size 1234]
> ...
>
> That is, at the time of attaching a photo id (had never done it, not
> sure what gpg ask) being asked for a real name like normal uids.

Ah. There are a few ways to do this, but probably the best way doesn't exist in the standard yet. ;)

The "user attribute" sort of ID can actually contain more than just photos as it is a general storage medium for any sort of data. There is no reason why it cannot also store a "text" attribute. The catch, of course, is there is no text attribute defined in the standard yet.

I've been making a list of potentially useful attributes (images other than JPEG, audio clips ("Hello! My name is XXXX and my fingerprint is XXXXXXXX"), and the like. Perhaps it would be reasonable to add a text attribute to that as well for use when the other attributes were not usable (i.e. non-graphical display, no sound card, etc.)

I'd be interested to hear comments about whether people would make good use of something like an audio ID or not. It certainly has the potential to make keys very very large, though perhaps that is the problem and choice of the key holder.

David

From malte_gell@t-online.de Fri May 16 22:55:02 2003
From: malte_gell@t-online.de (Malte Gell)
Date: Fri May 16 21:55:02 2003
Subject: [OT?] No more financial support for GnuPG
In-Reply-To: <87llx88jz2.fsf@alberti.g10code.de>
References: <20030514211519.6437.qmail@web10503.mail.yahoo.com> <87llx88jz2.fsf@alberti.g10code.de>
Message-ID: <200305162155.33870.malte_gell@t-online.de>

On Thursday, 15 May 2003 14:36, Werner Koch wrote:

> There are plans to sell email aliases under gnupg.net as well as
> simple key certifications. However I have not yet figured out the
> details and don't know whether there would be enough interest to
> actually launch this.

That sounds nice. What about a survey on this list to figure out how many people would make use of this ? Oh, if heise.de and its "crypto campaign" site would make some advertising on its site there would be probably many folks asking for a key certification, even if it's just a simple one, the name "GnuPG" itself is a synonym for privacy and security. Just look at the many people asking for a c't PGP key certification.

[For people not knowing what's it all about: c't is a well known computer technology magazine in Germany and they offer a service for getting one's OpenPGP key certified http://www.heise.de/ct/pgpCA/ and this service is really popular they sign key on exhibitions so personal contact is always required]

Malte

From jam@jamux.com Fri May 16 22:56:02 2003
From: jam@jamux.com (John A. Martin)
Date: Fri May 16 21:56:02 2003
Subject: Keys not trusted
In-Reply-To: <20030516155536.GA3635@jabberwocky.com> (David Shaw's message of "Fri, 16 May 2003 11:55:36 -0400")
References: <200305060203.30183.wbo@mandrakesoft.com> <200305111455.24901@erwin.ingo-kloecker.de> <20030516015408.GB1191@jabberwocky.com> <200305160816.10644@fortytwo.ch> <20030516155536.GA3635@jabberwocky.com>
Message-ID: <871xyy1x8n.fsf@athene.jamux.com>

>>>>> "ds" == David Shaw "Re: Keys not trusted"
>>>>> Fri, 16 May 2003 11:55:36 -0400

    ds> On Fri, May 16, 2003 at 08:16:06AM +0200, Adrian
    ds> 'Dagurashibanipal' von Bidder wrote:
    >> On Friday 16 May 2003 03:54, David Shaw wrote:
    >>
    >> > It's one of those eternal questions whether it is better if a
    >> > system is perfectly secure, but not many people use it, or if
    >> > it is less secure, and many people use it. One way to put
    >> > this is to ask whether it is better to encrypt and be
    >> > vulnerable to a man in the middle attack... or to not encrypt
    >> > and be vulnerable to everything ;)
    >>
    >> I guess for some the big is that the people using a
    >> security-made-easy system [...]
    >> when the first attack comes that uses this [...]
    >> will yell

    ds> Yes, this is absolutely true. I'm not sure what the answer is
    ds> for that except perhaps education... and we all know that
    ds> users don't read the manuals ;)

We lock flimsy doors with weak locks so that it becomes _breaking and entering_ when someone enters by forcing a door.

jam

From dcarrera@math.umd.edu Fri May 16 23:43:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Fri May 16 22:43:02 2003
Subject: [Q] How do I revoke my old key?
In-Reply-To: <3EC51220.9020305@cogeco.ca>
References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca>
Message-ID: <20030516204404.GA1147@math.umd.edu>

> This will mark the key as revoked in your keyring. Next, you send the
> revoked key to keyservers. As a bare minimum, one LDAP and one HKP keyserver
> should suffice.

Yeah, but how do I do that? How do I send the revocation certificate to a keyserver?

> > Now that I have the revocation certificate, how do I actually revoke it?
> > I guess I must send it to a key-server. How do I do that?

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From Todd Sat May 17 00:22:02 2003
From: Todd (Todd)
Date: Fri May 16 23:22:02 2003
Subject: [Q] How do I revoke my old key?
In-Reply-To: <20030516204404.GA1147@math.umd.edu>
References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca> <20030516204404.GA1147@math.umd.edu>
Message-ID: <20030516212316.GZ32053@psilocybe.teonanacatl.org>

Daniel Carrera wrote:
>> This will mark the key as revoked in your keyring. Next, you send the
>> revoked key to keyservers. As a bare minimum, one LDAP and one HKP keyserver
>> should suffice.
>
> Yeah, but how do I do that?
> How do I send the revocation certificate to a keyserver?

Just like you'd send any key to the keyserver. :)

At the risk of badly mangling the terminology and details, a revoked key is just a regular public key with a special signature attached to it, more or less.

-- 
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
Pray: To ask that the laws of the universe be annulled in behalf of a single petitioner confessedly unworthy. -- Ambrose Bierce

From jharris@widomaker.com Sat May 17 00:25:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Fri May 16 23:25:02 2003
Subject: Searching for subkeys
In-Reply-To: <20030516203923.GB4552@jabberwocky.com>
References: <20030515155502.GB1253@jabberwocky.com> <001e01c31b0a$4c3572e0$2ac52609@transarc.ibm.com> <20030515180353.GD1253@jabberwocky.com> <003201c31b16$0feb1180$2ac52609@transarc.ibm.com> <20030516015216.GA1191@jabberwocky.com> <000401c31b69$c775ad80$c23fa8c0@transarc.ibm.com> <20030516145824.GE1191@jabberwocky.com> <3EC50EC7.9060803@pre-secure.de> <002101c31bdc$4b5ac1e0$c23fa8c0@transarc.ibm.com> <20030516203923.GB4552@jabberwocky.com>
Message-ID: <20030516212619.GG87246@pm1.ric-30.lft.widomaker.com>

On Fri, May 16, 2003 at 04:39:23PM -0400, David Shaw wrote:

> I don't think it's artificial. GnuPG supports showing subkey IDs, and
> even subkey fingerprints. The reason is the same - if a user
> (admittedly, a user with special needs) wants to tell someone to
> encrypt to his key, it does not always make sense to go through the
> primary key fingerprint -> primary key -> binding signature ->
> pick-a-subkey path when the user can jump right to the exact subkey
> desired.

[NB: CC'd to gnupg-users]

I continue to maintain that I would take this one step further and say that when a subkey is specified by the "fingerprint!" syntax, it can also be used without any (valid) binding signatures (but probably only in --expert mode).

-- 
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From manuel@samper.dyndns.org Sat May 17 00:49:02 2003
From: manuel@samper.dyndns.org (Manuel Samper) Date: Fri May 16 23:49:02 2003 Subject: Duplicated self-signatures on keyservers In-Reply-To: <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com> References: <20030516123157.GA6012@postfix.dyndns.org> <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com> Message-ID: <20030516214933.GA1470@postfix.dyndns.org> Jason Harris, on Fri, May 16 2003 at 20:11, wrote: > On Fri, May 16, 2003 at 02:31:57PM +0200, Manuel Samper wrote: > > > I recently created a keypair (fffd5da0), and sent it to public > > keyservers. Later, I modified the preferences on their user ids (gpg > > --edit-key, setpref and updpref), and sent it again to keyserves. Now, > > when I search my key, I see now two self-signatures: > > http://keyserver.kjsl.com:11371/pks/lookup?op=vindex&search=0xfffd5da0 > > keyserver.kjsl.com and newer pks keyservers (I think my keyserver list > is current enough to show them all, see my website), as well as the LDAP I know, and BTW a great resource your keyanalyze statistics, and your work on fixing the hpk keyserver bugs, thanks. > and SKS (http://sks.sf.net/), and perhaps OKS (keyserver.net), keyservers > store all versions of all signatures. Yes, I have seen the same behaviour in a sks keyserver. I see now that it laso store multiple signatures for subkeys also, due to changing the expiration time, I guess. See: http://keyserver.bu.edu:11371/pks/lookup?search=0xfffd5da0&op=vindex > > AFAIK, keyservers merge up everything and don't remove anything, and the > > Older pks keyservers keep only the most recent signature. Ah, that's what confused me... And I should have write "multiple self-signatures", rather than "duplicate". > > Not worried specially about it, just imagining the case of a key bloated > > with a bunch of self-signatures... but in that case, it's better to > > fetch it directly from their owner and not from the keyservers, I think. 
>
> Use the older pks servers then, until you find a key with a bad selfsig
> and want to see what other selfsigs are available on the keyservers that
> keep all signatures.

But older servers are buggy and don't properly handle multiple subkeys,
among other things (again, AFAIK).

Thinking about this (and that's where gpg comes into play), if older
versions of self-signatures are of no practical use, and may only bloat
the public key, they should be stripped at download time by the
"keyclient" (gpg in our case), although they are preserved in the
keyserver for some reasons (you should know better).

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From manuel@samper.dyndns.org Sat May 17 01:05:02 2003
From: manuel@samper.dyndns.org (Manuel Samper) Date: Sat May 17 00:05:02 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <20030516182420.GD3635@jabberwocky.com> References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> Message-ID: <20030516220542.GB1470@postfix.dyndns.org> David Shaw, on Fri, May 16 2003 at 20:24, wrote: > On Fri, May 16, 2003 at 04:09:11PM +0200, Manuel Samper wrote: > > Yes, something like: > > > > $ gpg --list-key samper > > pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper > > uid Manuel Samper > > uid Manuel Samper [jpeg image of size 1234] > > ... > > > > That is, at the time of attaching a photo id (had never done it, not > > sure what gpg ask) being asked for a real name like normal uids. > > Ah. There are a few ways to do this, but probably the best way > doesn't exist in the standard yet. ;) > > The "user attribute" sort of ID can actually contain more than just > photos as it is a general storage medium for any sort of data. There > is no reason why it cannot also store a "text" attribute. The catch, > of course, is there is no text attribute defined in the standard yet. I suspected something similar. > I've been making a list of potentially useful attributes (images other > than JPEG, audio clips ("Hello! My name is XXXX and my fingerprint is Cool! But appart from this, I cannot see much more utility right now... > XXXXXXXX"), and the like. Perhaps it would be reasonable to add a > text attribute to that as well for use when the other attributes were > not usable (i.e. non-graphical display, no sound card, etc.) hmmm... yes, it should be, thinking on visually/audio impaired people. 
Also, you may want to put not only your portrait/voice, but some other stuff like a image of your real (not digital) signature, or anything you can imagine will be useful. And then a description of what you can expect is a must. > I'd be interested to hear comments about whether people would make > good use of something like an audio ID or not. It certainly has the > potential to make keys very very large, though perhaps that is the > problem and choice of the key holder. If no aditional security is apported, then I prefer other enhancements in gpg rather than some funny capabilities. But who knowns how useful may become... -- Manuel Samper OpenPGP Key ID: FFFD5DA0 From manuel@samper.dyndns.org Sat May 17 01:17:01 2003 From: manuel@samper.dyndns.org (Manuel Samper) Date: Sat May 17 00:17:01 2003 Subject: [Q] How do I revoke my old key? In-Reply-To: <20030516212316.GZ32053@psilocybe.teonanacatl.org> References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca> <20030516204404.GA1147@math.umd.edu> <20030516212316.GZ32053@psilocybe.teonanacatl.org> Message-ID: <20030516221733.GC1470@postfix.dyndns.org> Todd, on Fri, May 16 2003 at 23:23, wrote: > Daniel Carrera wrote: > > How do I send the revocation certificate to a keyserver? Import the certificate into your keyring, then send your (now revoked) key to a keyserver: $ gpg --import < revocation.asc $ gpg --send-key KEYID > Just like you'd send any key to the keyserver. :) > > At the risk of badly mangling the terminology and details, a revoked key is > just a regular public key with a special signature attached to it, more or > less. A direct key signature, of type 0x20? Search for a "rev:..." line after importing the certificate, with the following command: $ gpg --list-sig --with-colons KEYID -- Manuel Samper OpenPGP Key ID: FFFD5DA0 From linux@codehelp.co.uk Sat May 17 01:30:02 2003 
From: linux@codehelp.co.uk (Neil Williams) Date: Sat May 17 00:30:02 2003 Subject: [Q] How do I revoke my old key? In-Reply-To: <20030516204404.GA1147@math.umd.edu> References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca> <20030516204404.GA1147@math.umd.edu> Message-ID: <200305162331.03104.linux@codehelp.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 16 May 2003 9:44 pm, Daniel Carrera wrote: > > This will mark the key as revoked in your keyring. Next, you send the > > revoked key to keyservers. As a bare minimum, one LDAP and one HKP > > keyserver should suffice. > > Yeah, but how do I do that? > How do I send the revocation certificate to a keyserver? Import the revocation certificate on top of the key you want to revoke and send the changed key. Import the certificate like any other key. Make sure the old key to be revoked is still in your public keyring. Import the revocation certificate into your public keyring. That will overwrite the old key with the revocation certificate. The key is now revoked and can be sent to keyservers - causing the copies on the keyservers to import the certificate and show as revoked. gpg --import revoke.asc gpg --send-key keyid - -- Neil Williams ============= http://www.codehelp.co.uk http://www.dclug.org.uk http://www.wewantbroadband.co.uk/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE+xWamiAEJSii8s+MRAjRNAKCSEc7QRZjVLZ1zJrOnesV08WXHoACfVXbp 3xWo9CWimcseCTbWTUuN7n0= =umE9 -----END PGP SIGNATURE----- From ingo.kloecker@epost.de Sat May 17 02:02:02 2003 
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sat May 17 01:02:02 2003
Subject: Opportunistic Encryption
In-Reply-To: <200305160155.10564.yenot@sec.to>
References: <200305060203.30183.wbo@mandrakesoft.com> <200305140053.49973@erwin.ingo-kloecker.de> <200305160155.10564.yenot@sec.to>
Message-ID: <200305170031.52554@erwin.ingo-kloecker.de>

On Friday 16 May 2003 00:00, Yenot wrote:
> On Wednesday 14 May 2003 02:53 am, Ingo Klöcker wrote:
> > Any proposals for how these clever icons should look like?
>
> I was really hoping people on this list would have some good ideas.
> IMO: Whoever came up with the excellent color schemes used by KMail
> on signed and encrypted messages should be asked for advice.

Well, that was me. I may be good at choosing colors but I definitely
suck at drawing icons. ;-)

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+xWbYGnR+RTDgudgRAkdbAJ96KyijcimhbxxdJhb1RmiZdMdhUACgo4aF
4Dw2B6qhM+qs8vulnhG3HBQ=
=H4Ji
-----END PGP SIGNATURE-----

From ingo.kloecker@epost.de Sat May 17 02:02:35 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sat May 17 01:02:35 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305150117.21129.wobo@wolf-b.de>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305142304.35208@erwin.ingo-kloecker.de> <200305150117.21129.wobo@wolf-b.de>
Message-ID: <200305170021.13368@erwin.ingo-kloecker.de>

On Thursday 15 May 2003 01:17, Wolfgang Bornath wrote:
> ** Ingo Klöcker (Mittwoch, 14. Mai 2003 23:04)
> > Well, obviously gpgme-config is missing for some reason (it should
> > be in /usr/local/bin if you didn't change the install prefix with
> > the --prefix option). Did installing gpgme really work?
>
> Yes, without errors (make returned '0')
>
> Hey, I deserve a second chance, nicht wahr?
> Is it dangerous to delete the config.logs and do it all over again?

No.

> And should I give an option to './configure gpgme....' like
> '--with-gpgme-config' or something?

gpgme-config will be installed automatically together with the rest of
gpgme. Is it really missing from /usr/local/bin? Maybe /usr/local/bin
is for some reason not in your $PATH?

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+xWRZGnR+RTDgudgRAg08AKDRgjDN49PSIiywtC968BpWQxtJygCgkhhl
+UfEsmSLZM7vFTf94f7yL4o=
=u9jQ
-----END PGP SIGNATURE-----

From ingo.kloecker@epost.de Sat May 17 02:03:06 2003
From: ingo.kloecker@epost.de (Ingo =?iso-8859-15?q?Kl=F6cker?=) Date: Sat May 17 01:03:06 2003 Subject: Problem with encoding of po files Message-ID: <200305170050.27704@erwin.ingo-kloecker.de> --Boundary-02=_zsWx+ZfFStxixep Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline Hi, there's a problem with the encoding which is used for the po=20 (translation) files. For example the German translations are encoded in=20 latin1. But some of those strings are passed to the pinentry programs=20 and at least pinentry-qt expects the strings to be in utf-8. BTW, I found a small bug in the German translation: Index: de.po =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvs/gnupg/gnupg/po/de.po,v retrieving revision 1.82.2.4 diff -u -3 -p -r1.82.2.4 de.po =2D-- de.po 7 Jan 2003 08:48:20 -0000 1.82.2.4 +++ de.po 8 Apr 2003 15:14:27 -0000 @@ -3656,7 +3656,7 @@ msgid "" "%u-bit %s key, ID %08lX, created %s%s\n" msgstr "" "Sie ben=F6tigen ein Mantra, um den geheimen Schl=FCssel zu entsperren.\n" =2D"Benutzer: \"\"%.*s\"\n" +"Benutzer: \"%.*s\"\n" "%u-bit %s Schl=FCssel, ID %08lX, erzeugt %s%s\n" #: g10/passphrase.c:662 Regards, Ingo --Boundary-02=_zsWx+ZfFStxixep Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+xWszGnR+RTDgudgRApUYAJ9Aq3KQRCP4r/ng77qAuBEFieNocwCg5AJX z/9oaewmAu69q7+T2j9rM5c= =xM1Z -----END PGP SIGNATURE----- --Boundary-02=_zsWx+ZfFStxixep-- From dshaw@jabberwocky.com Sat May 17 02:17:02 2003 
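Review bot: the de.po hunk changes only the `Benutzer:` line of the msgstr, and its context shows just the last line of the msgid, so the corrected `\"%.*s\"` cannot be checked against the msgid's own user line from this diff alone. Please confirm that the msgid quotes `%.*s` with a single pair of escaped quotes and that the msgstr still consumes its arguments in the msgid's order; the visible last lines do agree (`%u`, `%s`, `%08lX`, `%s%s`), which matters because this string is a printf-style format used for the passphrase prompt. The patch as mailed is quoted-printable encoded (`=2D--`, `=F6`, `=FC`), so it has to be decoded before `patch` will accept it. Since the message reports that pinentry-qt expects UTF-8 while de.po is latin1, the encoding of the umlauts in these context lines is better handled in a separate change than folded into this one.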
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 17 01:17:02 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <20030516220542.GB1470@postfix.dyndns.org> References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> <20030516220542.GB1470@postfix.dyndns.org> Message-ID: <20030516231726.GC4552@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 17, 2003 at 12:05:42AM +0200, Manuel Samper wrote: > David Shaw, on Fri, May 16 2003 at 20:24, wrote: > > I've been making a list of potentially useful attributes (images other > > than JPEG, audio clips ("Hello! My name is XXXX and my fingerprint is > > Cool! But appart from this, I cannot see much more utility right now... > > I'd be interested to hear comments about whether people would make > > good use of something like an audio ID or not. It certainly has the > > potential to make keys very very large, though perhaps that is the > > problem and choice of the key holder. > > If no aditional security is apported, then I prefer other enhancements > in gpg rather than some funny capabilities. But who knowns how useful > may become... Yes. It doesn't lower security (it's just a different sort of ID), but I can't think of any really good uses for it except the coolness factor. Then again, it could be argued that photo ID is just a cool trick also. Since you can't actually select a key via a photo ID, it isn't really a good user ID. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xXGG4mZch0nhy8kRAkcQAKCIJVh6ENnMIagGHqxH7rELWtKKzwCdGwZB 3kLxNdhZkJi7t4wGn2GZk+M= =Gxgl -----END PGP SIGNATURE----- From rlaager@wiktel.com Sat May 17 05:06:04 2003 
From: rlaager@wiktel.com (Richard Laager) Date: Sat May 17 04:06:04 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <20030516231726.GC4552@jabberwocky.com> Message-ID: <003f01c31c0e$318f4a60$da7620d1@umcrookston.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > On Sat, May 17, 2003 at 12:05:42AM +0200, Manuel Samper wrote: > > David Shaw, on Fri, May 16 2003 at 20:24, wrote: > > > > I've been making a list of potentially useful attributes > (images other > > > than JPEG, audio clips ("Hello! My name is XXXX and my > fingerprint is > > > > Cool! But appart from this, I cannot see much more utility > right now... Well, this could be useful for voice verification of fingerprints. One could then match the user on the phone to the key or something like that. ;-) I don't know how much it would be worth though. > Yes. It doesn't lower security (it's just a different sort of ID), > but I can't think of any really good uses for it except the coolness > factor. Then again, it could be argued that photo ID is just a cool > trick also. Since you can't actually select a key via a photo ID, it > isn't really a good user ID. There's no reason you couldn't select a key by a photo id in a GUI environment. Simply show a bunch of photos and let the user choose. Personally, I'd really like to see a keyserver interface that shows things like this. I think that would be a great application of photo IDs. =========== | | pub 1024D/5E1F1BCE 2000-12-01 Richard James Laager (...) | <...> | | Key fingerprint = 03D4 AED7 0990 0162 EDF5 5183 6DF5 | 5E1F 1BCE | | uid Richard James Laager (...) | <...> | PHOTO | uid Richard James Laager (...) | <...> | | uid Laager, Richard James <...> | | uid LAAG0007 <...> | | =========== BTW David, did you happen to have any thoughts on the handling of photo IDs with revoked self-signatures, etc. as I talked about in a message a few days ago? 
The same issues would likely apply to the other types of non-traditional uids. Richard Laager -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt http://www.ipgpp.com/ iQA/AwUBPsWHGW31OrleHxvOEQIoaACcCLABEosUOkc6Lyb4NE+K74niDXcAniuX H93B3e6v896Qs0GjnPipV/6z =7qdP -----END PGP SIGNATURE----- From dcarrera@math.umd.edu Sat May 17 05:37:02 2003 
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sat May 17 04:37:02 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <20030516231726.GC4552@jabberwocky.com>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> <20030516220542.GB1470@postfix.dyndns.org> <20030516231726.GC4552@jabberwocky.com>
Message-ID: <20030517023750.GA4166@math.umd.edu>

> Then again, it could be argued that photo ID is just a cool trick also.
> Since you can't actually select a key via a photo ID, it isn't really a
> good user ID.

I thought that the photo IDs helped to verify the authenticity of the person
(assuming that you have another means of knowing what they look like). Or
perhaps you could post something else about you, like a JPEG of your
(real, not digital) fingerprints.

Then again, I guess that whatever you put on the JPEG becomes public
data and anyone can copy those and put them on a fake signature. So, on a
second thought, the photo ID doesn't seem to have much security use.

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)

iD4DBQE+xaB+1/ZKhTQTHLARAjUyAKCr97lWYDzqRMHfp03W+d2wESNQxgCY05Kw
i74Z+jH/GOp7ZCLrJU7/9w==
=mPsE
-----END PGP SIGNATURE-----

From rlaager@wiktel.com Sat May 17 06:50:03 2003
From: rlaager@wiktel.com (Richard Laager) Date: Sat May 17 05:50:03 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <20030517023750.GA4166@math.umd.edu> Message-ID: <003c01c31c27$8f8cd6a0$da7620d1@umcrookston.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Daniel Carrera wrote: > Then again, I guess that what ever you put on the JPEG becomes public > data and anyone can copy those and put them on a fake > signature. So, on a > second thought, the photo ID doesn't seem to have much security use. Well, it does provide a little security. If I found a key with a photo ID with a valid self-signature and met the key's purported owner at a keysigning, he or she had better look something like the photo. In other words, if the key's real owner (the owner of the private key that made the self-sig on the photo) claims to be the person in a certain picture, then nobody who can't be the person in the picture should claim to be the key's owner. Also, while I'm on the topic of keysignings and photo IDs, the photo IDs are handy if you make plans to meet someone in a public place for a keysigning. If you have their key in advance and it has a photo ID, you can tell who to look for! :-) Richard Laager -----BEGIN PGP SIGNATURE----- Version: 6.5.8ckt http://www.ipgpp.com/ iQA/AwUBPsWxqG31OrleHxvOEQIaRwCg/s9/rKMHJl3lpLK2xWbjKyRcLmwAnR9E Udw/XODdzkw89AiPhKoBRdwM =Z5EL -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 17 07:09:02 2003 
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 17 06:09:02 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <003f01c31c0e$318f4a60$da7620d1@umcrookston.edu> References: <20030516231726.GC4552@jabberwocky.com> <003f01c31c0e$318f4a60$da7620d1@umcrookston.edu> Message-ID: <20030517041000.GE4552@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 16, 2003 at 07:49:37PM -0500, Richard Laager wrote: > David Shaw wrote: > > Yes. It doesn't lower security (it's just a different sort of ID), > > but I can't think of any really good uses for it except the coolness > > factor. Then again, it could be argued that photo ID is just a cool > > trick also. Since you can't actually select a key via a photo ID, it > > isn't really a good user ID. > > There's no reason you couldn't select a key by a photo id in a GUI > environment. Simply show a bunch of photos and let the user choose. True, but no software exists (whether GnuPG or PGP) to do this today. In both cases you need to select the key in question, and then view the photo. It's sort of a backwards way to select a key as normally the user ID is used to get to the key. I can see photos being used more as a "select a key, then look at the photo to confirm it's the right one" rather than a "encrypt to that photo". It would be interesting to see a GUI that did what you suggest. It could be very helpful to people who were not particularly crypto-savvy. > Personally, I'd really like to see a keyserver interface that shows things > like this. I think that would be a great application of photo IDs. > > =========== > | | pub 1024D/5E1F1BCE 2000-12-01 Richard James Laager (...) > | <...> > | | Key fingerprint = 03D4 AED7 0990 0162 EDF5 5183 6DF5 > | 5E1F 1BCE > | | uid Richard James Laager (...) > | <...> > | PHOTO | uid Richard James Laager (...) > | <...> > | | uid Laager, Richard James <...> > | | uid LAAG0007 <...> > | | > =========== I quite agree. 
I think that would be a wonderful keyserver enhancement. Since the photo is actually a straight JPEG with some OpenPGP header bytes that can be ignored, it should be fairly straightforward for a keyserver to feed the JPEG data back to the browser. > BTW David, did you happen to have any thoughts on the handling of photo IDs > with revoked self-signatures, etc. as I talked about in a message a few > days ago? The same issues would likely apply to the other types of > non-traditional uids. I responded a few days ago. Didn't you see it? http://lists.gnupg.org/pipermail/gnupg-users/2003-May/018130.html David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xbYY4mZch0nhy8kRApGZAKDDEqz6b/p9q5CodR2VKTJJZoi5cwCgp4aq i9Mtve1rxh1fO0czhxNFQik= =GnoL -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 17 07:16:02 2003 
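Added example (not part of the archived messages, and not keyserver or GnuPG code): a sketch of what "a straight JPEG with some OpenPGP header bytes" means in practice, following the user attribute packet layout in RFC 4880 section 5.12. The function names, the 1 MiB size cap and the sample packet are assumptions of this example; the sample bytes are constructed, not a real photo ID.

```python
import struct

IMAGE_ATTRIBUTE = 1        # user attribute subpacket type: image
JPEG = 1                   # image encoding octet: JPEG
HEADER_V1_LEN = 16         # a version 1 image header is 16 octets long
MAX_JPEG_BYTES = 1 << 20   # assumption of this example: refuse photos over 1 MiB


class MalformedAttribute(ValueError):
    """The packet body does not follow the user attribute layout."""


def read_length(buf, pos):
    """Decode a subpacket length (1, 2 or 5 octets); return (length, next_pos)."""
    if pos >= len(buf):
        raise MalformedAttribute("truncated subpacket length")
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        if pos + 2 > len(buf):
            raise MalformedAttribute("truncated 2-octet length")
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if pos + 5 > len(buf):
        raise MalformedAttribute("truncated 5-octet length")
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def extract_jpegs(body):
    """Return the JPEG byte strings carried in a user attribute packet body."""
    images, pos = [], 0
    while pos < len(body):
        length, pos = read_length(body, pos)
        # The length counts the type octet, so it can never be zero.
        if length < 1 or pos + length > len(body):
            raise MalformedAttribute("subpacket length exceeds packet body")
        sub_type, data = body[pos], body[pos + 1:pos + length]
        pos += length
        if sub_type != IMAGE_ATTRIBUTE:
            continue                       # other attribute types are skipped
        if len(data) < HEADER_V1_LEN:
            raise MalformedAttribute("image header too short")
        # Header length is little-endian, unlike other OpenPGP integers.
        hdr_len, version, encoding = struct.unpack("<HBB", data[:4])
        if version != 1 or hdr_len != HEADER_V1_LEN:
            raise MalformedAttribute("unsupported image header")
        if encoding != JPEG:
            continue
        jpeg = data[hdr_len:]
        # Never hand key material to a browser unchecked: require the JPEG
        # start-of-image marker and a sane size before serving it.
        if not jpeg.startswith(b"\xff\xd8") or len(jpeg) > MAX_JPEG_BYTES:
            raise MalformedAttribute("payload is not a JPEG of acceptable size")
        images.append(jpeg)
    return images


def encode_length(n):
    """Encode a subpacket length (used only to build the sample below)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def build_subpacket(sub_type, data):
    return encode_length(len(data) + 1) + bytes([sub_type]) + data


# Constructed sample: one private-use subpacket, then one image subpacket.
IMAGE_HEADER = struct.pack("<HBB", HEADER_V1_LEN, 1, JPEG) + bytes(12)
SAMPLE_JPEG = b"\xff\xd8" + b"constructed-not-a-real-photo" * 10 + b"\xff\xd9"
SAMPLE_BODY = (build_subpacket(100, b"private-use attribute")
               + build_subpacket(IMAGE_ATTRIBUTE, IMAGE_HEADER + SAMPLE_JPEG))

if __name__ == "__main__":
    for image in extract_jpegs(SAMPLE_BODY):
        print("JPEG of", len(image), "bytes")
```

The parser checks the photo's framing only; whether the photo belongs to the key still depends on verifying its self-signature, which this sketch does not do.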
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 17 06:16:02 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <20030517023750.GA4166@math.umd.edu>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> <20030516220542.GB1470@postfix.dyndns.org> <20030516231726.GC4552@jabberwocky.com> <20030517023750.GA4166@math.umd.edu>
Message-ID: <20030517041704.GF4552@jabberwocky.com>

--J2SCkAp4GZ/dPZZf
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, May 16, 2003 at 10:37:50PM -0400, Daniel Carrera wrote:
> > Then again, it could be argued that photo ID is just a cool trick also.
> > Since you can't actually select a key via a photo ID, it isn't really a
> > good user ID.
>
> I thought that the photo IDs helped to verify the authenticity of the person
> (assuming that you have another means of knowing what they look like). Or
> perhaps you could post something else about you, like a JPEG of your
> (real, not digital) fingerprints.
>
> Then again, I guess that whatever you put on the JPEG becomes public
> data and anyone can copy those and put them on a fake signature. So, on a
> second thought, the photo ID doesn't seem to have much security use.

It's useful to determine that the key owner is really the person you
met at a keysigning party. You can actually sign photo IDs just like
any other user ID, so if you trust the signers, then theoretically you
can trust that the person looks like that.
David --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xbfA4mZch0nhy8kRAmraAJ9exGbpOCVnqF/fzeh3t6cmeXRKGgCgjnw6 a62Ry/HfgpLzMoTbRX1gPwc= =a/ml -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf-- From jbruni@mac.com Sat May 17 07:39:02 2003 
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 17 06:39:02 2003
Subject: server signing with php
In-Reply-To: <8115F55D-86D8-11D7-A7EB-000393872B3C@semiotica.co.uk>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You could write a small program in C that is setuid-root. That program
could call setreuid() in order to switch user ID to perform the
signing. If you don't like the idea of your PHP web server directly
running something as root, build it client-server to decouple the
elevated privilege side from the web server. Even further, the database
and key manipulation program could then run on a second system isolated
via a firewall.

This may be more work than your project requires, but you will need to
decide what amount of security is appropriate.


On Thursday, May 15, 2003, at 06:24 AM, Bruce Robbins wrote:

> We are attempting to build an application which stores keys on the
> server and allows users to sign documents assembled on the server.
> system() exec() et al will give access to the shell but will not
> permit signing as the user can not be changed. Has anyone got any
> ideas on this or a workaround?
>
- -- 
Let us think the unthinkable, let us do the undoable. Let us prepare to
grapple with the ineffable itself, and see if we may not eff it after
all. — Douglas Adams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iEYEARECAAYFAj7Fu+4ACgkQ4rg/mXNDweOKdQCfelykh116QUdOKZj6Id88FZix
kAgAoJEjucDOWMuprbpYi1jawiARMYpO
=bOlU
-----END PGP SIGNATURE-----

From DenisMcCauley@ifrance.com Sat May 17 08:53:02 2003
From: DenisMcCauley@ifrance.com (Denis McCauley) Date: Sat May 17 07:53:02 2003 Subject: [Q] DSA 1024-bit limit. In-Reply-To: <871xz1bh0k.fsf@alberti.g10code.de> References: <20030513114718.DC06.DENISMCCAULEY@ifrance.com> <871xz1bh0k.fsf@alberti.g10code.de> Message-ID: <20030516193014.7F68.DENISMCCAULEY@ifrance.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 14 May 2003 19:00:11 +0200 Werner Koch wrote: > On Tue, 13 May 2003 11:53:42 -1000, Denis McCauley said: > > > IMO, the real worry with the 1024-bit limit on regular DSA keys is that > > they are the primary keys on which you collect the signatures that > > construct your web of trust. If you have to revoke them because they are > > Please consider all facts relevant to the security of your key. The > length of the key is not that important as long as it has a sound size > (i.e. > 768 bits). Speculating about when it can be broken and not > considering facts with a much higher chance of a key compromise is > shortsighted. > Agreed, key size is only one factor to be taken into account, and not the most urgent, but from my reading I see that I'm not alone in considering the 1024-bit limit as a possible weak point in a not-so-distant future. > If you can truly indentify the length of the key as a worrisome fact, > you may want to give up the nice short DSA signature for large RSA > signature blobs. If you evaluate that, take your attach scenario in > account: A key used as a top level CA may need other properties as one > used everyday on your machine with millions - of easy to subvert - > code lines. > My comment which you cite in introduction was made in the context of a key with multiple subkeys (RSA 4096 with DSA/ElGamal subkeys). This solution seems to me to have many advantages, apart from that of using a stronger primary key for collecting signatures and signing keys. My secret keyring is encrypted with a 256-bit algo and hash, which needs a password of 40 random characters to be fully effective. 
If I split the top-level CA and everyday functions on to two different keys, I would need two such passwords -- one I can handle, but two?? Following the procedure for stripping secret keys outlined by Adrian von Bidder (http://fortytwo.ch/gpg/subkey), I can have only one secret key stored on my machine: that of the signing subkey I use daily, which has a different password (20 random characters) than that of the primary key. The secret key for the primary key and the encryption subkey can be kept in safe deposit, and when they are used, it's with a Linux system that boots off a CD and runs in RAM, and not necessarily on my own machine. As far as I can see this leaves only the problems of physical access to my machine and radiation snooping as areas of concern. But maybe I've still overlooked something so any comments are welcome. Cheers, - - -- ===================================== Denis McCauley GPG/PGP keys at http://www.djmccauley.tk ===================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1-nr1 (Windows 2000) - GPGshell v2.70 Comment: Key ID: 0x578247B4 (using signature subkey 0x4980C4F7) Comment: 3C0A D97D 5FC5 A250 20BC EBC6 EB0E 9716 5782 47B4 iD8DBQE+xc4dJpZGKkmAxPcRAmMpAKCQQcKyTR/fJYnZu9TGin9H2gNCSACdF98f pdd0wZ4p5wj52d7vcPmphEw= =d3Mp -----END PGP SIGNATURE----- From eleuteri@myrealbox.com Sat May 17 09:50:02 2003 
From: eleuteri@myrealbox.com (David Picon Alvarez) Date: Sat May 17 08:50:02 2003 Subject: User attributes and audio IDs (was: Trouble signing) References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> Message-ID: <003c01c31c40$1bdc8f70$f92489c3@enterprise> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I'd be interested to hear comments about whether people would make > good use of something like an audio ID or not. It certainly has the > potential to make keys very very large, though perhaps that is the > problem and choice of the key holder. I'd really like to have audio IDs, and with the right compression it shouldn't make the keys too big. I'm somewhat biased here, though, since I'm a blind user. - --David. -----BEGIN PGP SIGNATURE----- Comment: This message is digitally signed and can be verified for authenticity. -----END PGP SIGNATURE----- From xavier.nodet@free.fr Sat May 17 11:24:01 2003 
From: xavier.nodet@free.fr (Xavier Nodet)
Date: Sat May 17 10:24:01 2003
Subject: Unable to retrieve keys automatically
In-Reply-To: <20030516160606.GB3635@jabberwocky.com>
References: <20030516160606.GB3635@jabberwocky.com>
Message-ID:

On Fri, 16 May 2003 12:06:06 -0400 David Shaw wrote:
> On Fri, May 16, 2003 at 10:37:24AM +0200, Xavier Nodet wrote:
> > I have some problem retrieving keys from servers.
> The problem is there is no "http" handler. The handler for
> wwwkeys.pgp.net is "hkp". Use --keyserver hkp://wwwkeys.pgp.net

It works. Thanks.

-- 
Xavier Nodet
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Benjamin Franklin, 1759.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92

iD8DBQA+xfGYFK6OUIeqvjQRAiiuAJ4tWie2ZkV98IHDPdpOTpm6TfuB/QCfTYMO
7cN3HCqyCxH+AMWlk3s6wBU=
=0PYx
-----END PGP SIGNATURE-----

From dshaw@jabberwocky.com Sat May 17 15:16:02 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 17 14:16:02 2003 Subject: Duplicated self-signatures on keyservers In-Reply-To: <20030516214933.GA1470@postfix.dyndns.org> References: <20030516123157.GA6012@postfix.dyndns.org> <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com> <20030516214933.GA1470@postfix.dyndns.org> Message-ID: <20030517035316.GD4552@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote: > Jason Harris, on Fri, May 16 2003 at 20:11, wrote: > > > Not worried specially about it, just imagining the case of a key bloated > > > with a bunch of self-signatures... but in that case, it's better to > > > fetch it directly from their owner and not from the keyservers, I think. > > > > Use the older pks servers then, until you find a key with a bad selfsig > > and want to see what other selfsigs are available on the keyservers that > > keep all signatures. > > But older servers are buggy and don't handle properly multiple subkeys > among other things (again, AFAIK). > > Thinking about this (and that's where gpg come into play), if older > versions of self-signatures are of no practical use, and may only bloat > the public key, it should be stripped at download time by the > "keyclient" (gpg in our case), although it are preserved in the > keyserver for some reasons (you should known better). Yes, that is what happens now. GnuPG automatically strips an older self signature if a newer valid self signature is already available. On the other hand, a newer self signature is accepted for import, but the old one is not deleted. This is occasionally reported as a bug. It isn't a bug, but it can be confusing. It is a very good thing that the keyservers do not do this since they do not have cryptographic support to know whether the "new" signature is valid (or indeed, whether it is really new or not). 
David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xbIs4mZch0nhy8kRAlxxAJ0So1TV/sTVDfHpdqo+YvjaOdALVACgxAeq HnzOaoaPpEXhjuk7JR/j/Xs= =7E2c -----END PGP SIGNATURE----- From manuel@samper.dyndns.org Sat May 17 16:22:02 2003 
From: manuel@samper.dyndns.org (Manuel Samper) Date: Sat May 17 15:22:02 2003 Subject: Duplicated self-signatures on keyservers In-Reply-To: <20030517035316.GD4552@jabberwocky.com> References: <20030516123157.GA6012@postfix.dyndns.org> <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com> <20030516214933.GA1470@postfix.dyndns.org> <20030517035316.GD4552@jabberwocky.com> Message-ID: <20030517132222.GA27072@postfix.dyndns.org> On Sat, May 17, 2003 at 05:53 CEST, David Shaw wrote: > On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote: > > Thinking about this (and that's where gpg come into play), if older > > versions of self-signatures are of no practical use, and may only bloat > > the public key, it should be stripped at download time by the > > "keyclient" (gpg in our case), although it are preserved in the > > keyserver for some reasons (you should known better). > > Yes, that is what happens now. GnuPG automatically strips an older > self signature if a newer valid self signature is already available. 
Not if you retrieve a new key (at least with gpg 1.2.1; perhaps it's different in 1.2.2):

$ gpg --no-default-keyring --keyring test --recv-key 0xfffd5da0
gpg: keyring `/home/users/manuel/.gnupg/test' created
gpg: key FFFD5DA0: public key "Manuel Samper" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

$ gpg --no-default-keyring --keyring test --list-sigs 0xfffd5da0
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper
sig 1 P C521097E 2003-05-14 [User id not found]
Signature policy: http://www.toehold.com/robotca/
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper

But don't import older self signatures if the key is already in the public keyring:

$ gpg --recv-key 0xfffd5da0
gpg: key FFFD5DA0: "Manuel Samper" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

$ gpg --list-sigs 0xfffd5da0
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 1 P C521097E 2003-05-14 Robot CA (http://www.toehold.com/robotca/)
Signature policy: http://www.toehold.com/robotca/
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper

> On the other hand, a newer self signature is accepted for import, but
> the old one is not deleted. This is occasionally reported as a bug.
> It isn't a bug, but it can be confusing.
>
> It is a very good thing that the keyservers do not do this since they
> do not have cryptographic support to know whether the "new" signature
> is valid (or indeed, whether it is really new or not).

Yes, it's better if they don't try to be too smart and begin to mangle keys.
-- Manuel Samper OpenPGP Key ID: FFFD5DA0 From manuel@samper.dyndns.org Sat May 17 16:37:02 2003 
From: manuel@samper.dyndns.org (Manuel Samper)
Date: Sat May 17 15:37:02 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <20030516231726.GC4552@jabberwocky.com>
References: <20030516220542.GB1470@postfix.dyndns.org> <20030516231726.GC4552@jabberwocky.com>
Message-ID: <20030517133727.GB27072@postfix.dyndns.org>

On Sat, May 17, 2003 at 01:17 CEST, David Shaw wrote:
> On Sat, May 17, 2003 at 12:05:42AM +0200, Manuel Samper wrote:
> > David Shaw, on Fri, May 16 2003 at 20:24, wrote:
> > > I'd be interested to hear comments about whether people would make
> > > good use of something like an audio ID or not. It certainly has the
> > > potential to make keys very very large, though perhaps that is the
> > > problem and choice of the key holder.
> >
> > If no additional security is apported, then I prefer other enhancements
> > in gpg rather than some funny capabilities. But who knows how useful
> > may become...
>
> Yes. It doesn't lower security (it's just a different sort of ID),
> but I can't think of any really good uses for it except the coolness
> factor. Then again, it could be argued that photo ID is just a cool
> trick also. Since you can't actually select a key via a photo ID, it
> isn't really a good user ID.

What I think would be really useful is to allow this sort of "attribute" (image, audio, ...) in a normal user id, so you can create a normal uid with their real name, comment and email address _and_ attach some data to it (like a photo), mainly if you create a user id without email address, so you can collect other people's signatures here (obviously, no email challenge is possible) and don't worry about losing it when you revoke a uid due to losing the email address.

But AFAIK this isn't possible without breaking compliance with the standard, right?

-- 
Manuel Samper
OpenPGP Key ID: FFFD5DA0

From dshaw@jabberwocky.com Sat May 17 17:35:02 2003
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 17 16:35:02 2003 Subject: Duplicated self-signatures on keyservers In-Reply-To: <20030517132222.GA27072@postfix.dyndns.org> References: <20030516123157.GA6012@postfix.dyndns.org> <20030516181126.GF87246@pm1.ric-30.lft.widomaker.com> <20030516214933.GA1470@postfix.dyndns.org> <20030517035316.GD4552@jabberwocky.com> <20030517132222.GA27072@postfix.dyndns.org> Message-ID: <20030517143458.GH4552@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 17, 2003 at 03:22:22PM +0200, Manuel Samper wrote: > On Sat, May 17, 2003 at 05:53 CEST, David Shaw wrote: > > On Fri, May 16, 2003 at 11:49:33PM +0200, Manuel Samper wrote: > > > Thinking about this (and that's where gpg come into play), if older > > > versions of self-signatures are of no practical use, and may only bloat > > > the public key, it should be stripped at download time by the > > > "keyclient" (gpg in our case), although it are preserved in the > > > keyserver for some reasons (you should known better). > > > > Yes, that is what happens now. GnuPG automatically strips an older > > self signature if a newer valid self signature is already available. > > Not if you retrieve a new key (at least with gpg 1.2.1; perhaps it's > different in 1.2.2): Yes, that is correct. The signature check only happens when an existing signature (and hence an existing key) is already in your keyring. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xkiS4mZch0nhy8kRArKuAJ0W7a+SdFGnESFi6u4IE7FQUf7JmwCg1o8P ONsByR6XCYmSjXtdQkEfarU= =hffT -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat May 17 17:37:02 2003 
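[Added example, not part of the thread and not GnuPG code.] The duplicated self-signatures in Manuel's fresh-fetch listing, and their absence once the key is merged into an existing keyring, can be spotted mechanically. The sketch below parses the GnuPG 1.2-era --list-sigs layout shown in the thread; the two listings are retyped from it with whitespace normalised, and the function names are this example's own.

```python
"""Flag user IDs and subkeys that carry more than one self-signature in
`gpg --list-sigs` output (the human-readable layout quoted in the thread)."""
import re

KEYID = re.compile(r"^[0-9A-F]{8}$")
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed input: both listings are retyped from the thread, whitespace
# normalised, e-mail addresses absent exactly as in the archive.
FRESH_FETCH = """\
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper
sig 1 P C521097E 2003-05-14 [User id not found]
Signature policy: http://www.toehold.com/robotca/
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper
"""

AFTER_MERGE = """\
pub 4096R/FFFD5DA0 2003-05-13 Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
uid Manuel Samper
sig 3 FFFD5DA0 2003-05-13 Manuel Samper
sig 1 P C521097E 2003-05-14 Robot CA (http://www.toehold.com/robotca/)
Signature policy: http://www.toehold.com/robotca/
sub 4096g/0AC11943 2003-05-13
sig FFFD5DA0 2003-05-13 Manuel Samper
sub 1024D/2D16624C 2003-05-13 [expires: 2007-05-13]
sig FFFD5DA0 2003-05-14 Manuel Samper
"""


def sig_issuer(tokens):
    """Return the issuer key ID of a `sig` line, or None.

    The check level ("3") and flags ("P") before the key ID are optional,
    so take the first 8-hex-digit token that is followed by a date.
    """
    for i in range(1, len(tokens) - 1):
        if KEYID.match(tokens[i]) and DATE.match(tokens[i + 1]):
            return tokens[i]
    return None


def duplicate_selfsigs(listing):
    """Map each user ID / subkey block to its self-signature count, keeping
    only blocks with more than one.

    A self-signature is taken to be a `sig` line whose issuer equals the
    primary key ID on the preceding `pub` line. Matching on the short key ID
    is a hint only: like a keyserver, this script does no cryptographic
    check, so it cannot say which copy is valid or newest. Scripts run
    against a live keyring should prefer `--with-colons` output; the
    human-readable form is parsed here because it is what the thread shows.
    """
    primary = None      # short key ID from the current `pub` line
    block = None        # label of the uid/subkey the next `sig` lines belong to
    uid_no = 0
    counts = {}         # insertion-ordered: block label -> self-sig count
    for raw in listing.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kind = tokens[0]
        if kind == "pub":
            # In this layout the pub line also carries the first user ID.
            primary = tokens[1].split("/")[1]
            uid_no = 1
            block = f"{primary} uid#{uid_no}"
            counts[block] = 0
        elif kind == "uid" and primary:
            uid_no += 1
            block = f"{primary} uid#{uid_no}"
            counts[block] = 0
        elif kind == "sub" and primary:
            block = f"{primary} sub {tokens[1].split('/')[1]}"
            counts[block] = 0
        elif kind == "sig" and block:
            if sig_issuer(tokens) == primary:
                counts[block] += 1
        # Anything else (e.g. "Signature policy: ...") is annotation.
    return {label: n for label, n in counts.items() if n > 1}


if __name__ == "__main__":
    for name, text in (("fresh fetch", FRESH_FETCH), ("after merge", AFTER_MERGE)):
        print(name, duplicate_selfsigs(text) or "no duplicated self-signatures")
```
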
From: dshaw@jabberwocky.com (David Shaw) Date: Sat May 17 16:37:02 2003 Subject: User attributes and audio IDs (was: Trouble signing) In-Reply-To: <20030517133727.GB27072@postfix.dyndns.org> References: <20030516220542.GB1470@postfix.dyndns.org> <20030516231726.GC4552@jabberwocky.com> <20030517133727.GB27072@postfix.dyndns.org> Message-ID: <20030517143737.GI4552@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, May 17, 2003 at 03:37:27PM +0200, Manuel Samper wrote: > On Sat, May 17, 2003 at 01:17 CEST, David Shaw wrote: > > On Sat, May 17, 2003 at 12:05:42AM +0200, Manuel Samper wrote: > > > David Shaw, on Fri, May 16 2003 at 20:24, wrote: > > > > I'd be interested to hear comments about whether people would make > > > > good use of something like an audio ID or not. It certainly has the > > > > potential to make keys very very large, though perhaps that is the > > > > problem and choice of the key holder. > > > > > > If no aditional security is apported, then I prefer other enhancements > > > in gpg rather than some funny capabilities. But who knowns how useful > > > may become... > > > > Yes. It doesn't lower security (it's just a different sort of ID), > > but I can't think of any really good uses for it except the coolness > > factor. Then again, it could be argued that photo ID is just a cool > > trick also. Since you can't actually select a key via a photo ID, it > > isn't really a good user ID. > > What I think would we really useful, is to allow this sort of > "attribute" (image,audio,..) in normal user id, so you can create a > normal uid with their real name, comment and email address _and_ attach > some data to it (like a photo), mainly if you create a user id without > email address, so you can collect other's people signatures here > (obviously, no email challenge is possible) and don't worry about > lossing it when you revoke a uid due to lossing the email address. 
> > But AFAIK this isn't possible whitout breaking compliance with the > standard, right? If the standard got a "text" attribute tag, then this would be no problem. It's essentially the same thing we were discussing before. Even if the standard didn't have a text attribute tag, it is possible to use one of the experimental tags for this purpose, but of course then only GnuPG would be able to use such user attribute IDs. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+xkkx4mZch0nhy8kRAsnYAKDiPfAfvG9Xes4F+t2xXtkqW1NZEACeNgg+ V1covwB3xuaemmvryX0NSfg= =fHfm -----END PGP SIGNATURE----- From ingo.kloecker@epost.de Sat May 17 18:34:02 2003 
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sat May 17 17:34:02 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <20030517041000.GE4552@jabberwocky.com>
References: <20030516231726.GC4552@jabberwocky.com> <003f01c31c0e$318f4a60$da7620d1@umcrookston.edu> <20030517041000.GE4552@jabberwocky.com>
Message-ID: <200305171607.00845@erwin.ingo-kloecker.de>

On Saturday 17 May 2003 06:10, David Shaw wrote:
> On Fri, May 16, 2003 at 07:49:37PM -0500, Richard Laager wrote:
> > David Shaw wrote:
> > > Yes. It doesn't lower security (it's just a different sort of
> > > ID), but I can't think of any really good uses for it except the
> > > coolness factor. Then again, it could be argued that photo ID is
> > > just a cool trick also. Since you can't actually select a key
> > > via a photo ID, it isn't really a good user ID.
> >
> > There's no reason you couldn't select a key by a photo id in a GUI
> > environment. Simply show a bunch of photos and let the user choose.
>
> True, but no software exists (whether GnuPG or PGP) to do this today.
> In both cases you need to select the key in question, and then view
> the photo. It's sort of a backwards way to select a key as normally
> the user ID is used to get to the key. I can see photos being used
> more as a "select a key, then look at the photo to confirm it's the
> right one" rather than a "encrypt to that photo".
>
> It would be interesting to see a GUI that did what you suggest. It
> could be very helpful to people who were not particularly
> crypto-savvy.

Even people who are not crypto-savvy will know the name of the person they want to send an encrypted message to. But it might be useful for illiterates.

> > Personally, I'd really like to see a keyserver interface that shows
> > things like this. I think that would be a great application of
> > photo IDs.
>
> I quite agree. I think that would be a wonderful keyserver
> enhancement. Since the photo is actually a straight JPEG with some
> OpenPGP header bytes that can be ignored, it should be fairly
> straightforward for a keyserver to feed the JPEG data back to the
> browser.

Biglumber isn't a real keyserver. But it already shows the photo ids. So it doesn't seem to be that difficult.

Regards,
Ingo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA+xkIEGnR+RTDgudgRAvBGAJ9wrT6LVHplJHpxb5oUIqskllslCQCfbIEw
5FfpjIyDTr1tL9MbCt2nspI=
=LzKG
-----END PGP SIGNATURE-----

From michael@silicontao.com Sat May 17 19:34:03 2003
From: michael@silicontao.com (Michael Weiss)
Date: Sat May 17 18:34:03 2003
Subject: Help importing non-self-signed keys
Message-ID: <0HF1002OAHTRF4@l-daemon>

Hello all,

I am developing an automated secure data transfer system using email and gnupg (gpgme).

I get an error no-user-id sometimes when I import a key, and sometimes I don't. I cannot tell what causes it to fail sometimes and not others. I read previous posts in this list and found that the error 'no user id' is because the key is not self signed. The post mentioned an option that could be passed to gpg to override the default behaviour of not accepting non self signed keys, but this does not help me as I am using gpgme and can't pass options to gpg (that I know of!). What really gets me is that it works fine sometimes and not others. Should it not fail consistently or pass consistently?

I am using:
Mandrake 8.2
gnupg 1.2.2
gpgme 0.3.15

I am trying to figure out how to sign the key when I am exporting it as this seems to be the correct way of fixing the problem...

This is my new high level algorithm so far (It doesn't work)

On the mobile end:
----------------------
I export the public key to a file with ASCII armor on.
Then I sign the file with my private key
Then I encrypt and email the key to the recipient

On the server end:
---------------------
I decrypt the file with my public key
Then I run verify to convert the signed file to plaintext
Then I import the plaintext

Could anyone tell me if I am going about this the right way? Am I doing things in the wrong order? Is there a better way?

Thanks,
Michael Weiss

From wk@gnupg.org Sat May 17 20:31:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Sat May 17 19:31:02 2003
Subject: Problem with encoding of po files
In-Reply-To: <200305170050.27704@erwin.ingo-kloecker.de> (Ingo Klöcker's message of "Sat, 17 May 2003 00:50:26 +0200")
References: <200305170050.27704@erwin.ingo-kloecker.de>
Message-ID: <87k7cp5vka.fsf@alberti.g10code.de>

On Sat, 17 May 2003 00:50:26 +0200, Ingo Klöcker said:

> there's a problem with the encoding which is used for the po
> (translation) files. For example the German translations are encoded in
> latin1. But some of those strings are passed to the pinentry programs

Did you test this with 1.2.2? I added code to make sure the translations are passed as utf-8 to the agent:

  /* The Assuan agent protocol requires us to transmit utf-8 strings */
  orig_codeset = bind_textdomain_codeset (PACKAGE, NULL);
#ifdef HAVE_LANGINFO_CODESET
  if (!orig_codeset)
    orig_codeset = nl_langinfo (CODESET);
#endif
  if (orig_codeset)
    { /* We only switch when we are able to restore the codeset later. */
      orig_codeset = m_strdup (orig_codeset);
      if (!bind_textdomain_codeset (PACKAGE, "utf-8"))
        orig_codeset = NULL;
    }

-- 
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From pitrp@wg78.de Sat May 17 21:08:02 2003
From: pitrp@wg78.de (Peter Prohaska)
Date: Sat May 17 20:08:02 2003
Subject: User attributes and audio IDs (was: Trouble signing)
In-Reply-To: <003c01c31c40$1bdc8f70$f92489c3@enterprise>
References: <20030515171833.GA1175@math.umd.edu> <200305152259.00159.linux@codehelp.co.uk> <20030515231656.GE17005@postfix.dyndns.org> <20030516031824.GD1191@jabberwocky.com> <20030516140911.GB17229@postfix.dyndns.org> <20030516182420.GD3635@jabberwocky.com> <003c01c31c40$1bdc8f70$f92489c3@enterprise>
Message-ID: <20030517180859.GC16270@wg78.homeunix.net>

On Sat, May 17, 2003 at 07:46:55AM +0100, David Picon Alvarez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > I'd be interested to hear comments about whether people would make
> > good use of something like an audio ID or not. It certainly has the
> > potential to make keys very very large, though perhaps that is the
> > problem and choice of the key holder.
>
> I'd really like to have audio IDs, and with the right compression it
> shouldn't make the keys too big. I'm somewhat biased here, though, since I'm
> a blind user.

Agreed. Though I'm not biased that way, I like cli environments more than guis and an ascii art representation of an image is of no use here.

Maybe the xiph.org's speex codec could be of some use here. At least if the audio ID shall be a voice sample. But probably availability etc. are a problem here.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+xnq7iZPv0z34YecRAq4nAJ9RAJAlClqo28oydjj1ev7xg5sYWgCfVwUk
yPGQ9ND064A6ddNGqh1Vlqk=
=HRzQ
-----END PGP SIGNATURE-----

From michael@silicontao.com Sat May 17 21:53:03 2003
From: michael@silicontao.com (Michael Weiss)
Date: Sat May 17 20:53:03 2003
Subject: How do I sign a key with gpgme?
Message-ID: <0HF100C1AOIQ98@l-daemon>

Hello All,

I can't seem to figure out how to sign a key with gpgme. Is it possible?

Michael Weiss

From filebot@tcob1.net Sun May 18 01:10:01 2003
From: filebot@tcob1.net (Sean Rima)
Date: Sun May 18 00:10:01 2003
Subject: Fetching keys with Windows console
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there any way to get gnupg to read the options file in the gnupg directory as I have a keyserver line in it, but it still asks for the keyserver option

Sean
- -- 
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
Normal Email sean AT tcob1 DOT net GPG Key Id 7DA70294
ICQ: 679813 Jabber: tcobone@jabber.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQE+xrNJHMnSWn2nApQRAsDpAKCsLgMHu0giqg/bkgbZ0cmgTMF1ZQCbBYyH
Qe5TSHbo3CD3BCCMlViS4ag=
=yciw
-----END PGP SIGNATURE-----

From dcarrera@math.umd.edu Sun May 18 02:41:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 18 01:41:02 2003
Subject: Encouraging email security.
Message-ID: <20030517234222.GA16303@math.umd.edu>

I was thinking about how most people have no understanding or interest in email security. OpenPGP is hard enough to understand and use that getting the majority of the population to use it seems a formidable task.

I thought of a compromise that might be a step forward. I was hoping that those who know more about this than I could offer an opinion.

There could be a mail client with the following properties:

1) Automatically creates a pre-defined key setup (e.g. 4096 RSA, 1024 DSA, 2048 ElGamal).
2) Automatically signs, and encrypts emails (when the pub key is available).
3) Here is the big one: It stores the user's password in the hard disk, in the style of Mozilla, so that the user doesn't have to type it. It all happens automatically.

This would be a significant down compared to the proper use of OpenPGP, but a significant up compared to what exists today. Now emails would go around signed and encrypted. In order to read a message an attacker would have to get the password from the recipient's hard drive. A determined attacker could certainly do that, but the casual one would not.

Today's email system is about as secure as a postcard. This alternative would raise the bar somewhat bit above sending mail in a sealed envelope. It raises the effort needed to eavesdrop in a conversation or impersonate someone.

Any thoughts?

-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)

iD8DBQE+xsje1/ZKhTQTHLARAl8RAKDF3ECNKaKyy055GRIUim3y8QRsTQCfa5BC
NYaDXBVxLE6Ug2YzZ0M+8NY=
=Ne8M
-----END PGP SIGNATURE-----

From jdbeyer@exit109.com Sun May 18 04:30:02 2003
From: jdbeyer@exit109.com (Jean-David Beyer) Date: Sun May 18 03:30:02 2003 Subject: Encouraging email security. References: <20030517234222.GA16303@math.umd.edu> Message-ID: <3EC6E252.6030406@exit109.com> This is a cryptographically signed message in MIME format. --------------ms070909050004080002060209 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Daniel Carrera wrote: > I was thinking about how most people have no understanding or > interest in email security. OpenPGP is hard enough to understand and > use that getting the majority of the population to use it seems a > formidable task. > > I thought of a compromise that might be a step forward. I was hoping > that those who know more about this than I could offer an opinion. > > There could be a mail client with the following properties: > > 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA, 1024 > DSA, 2048 ElGamal). 2) Automatically signs, and encrypts emails (when > the pub key is available). 3) Here is the big one: It stores the > user's password in the hard disk, in the style of Mozilla, so that > the user doesn't have to type it. It all happens automatically. Well, Mozilla can do both the VeriSign kind of S/MIME signatures and the GnuPG kind (with Enigmail, though Enigmail does not work with my Mozilla) already. And mutt can do GnuPG signatures just fine. But in each case, the user must type in a passphrase. I suppose they would both accept a NULL passphrase, so you could just press "Enter" or something, but it would sure expose the user to risk. I imagine the programs could be setup to notice NULL passphrases and not even prompt for a password. N.B.: I am sure not requesting this! > > This would be a significant down compared to the proper use of > OpenPGP, but a significant up compared to what exists today. Now > emails would go around signed and encrypted. 
Well, perhaps so, but AOL users and msn.com users seem to get all kinds of problems with MIME attachments, which is where the signatures normally go. True, you can stick them in inline, but that seems to be getting passe'. AOL seems to assume that if there is any MIME, that all attachments are of the same type as the first, and this is generally false. msn.com users apparently get it that the e-mails are all attachments and they see nothing unless they open the various attachments. So there will be a lot of resistance to people sending out anything in MIME and that includes signatures. I am not sure what AOL would do if confronted with an encrypted e-mail: probably bounce it as a virus. ;-( > In order to read a > message an attacker would have to get the password from the > recipient's hard drive. A determined attacker could certainly do > that, but the casual one would not. That is rather difficult with some systems. There is a large software manufacturer with a reputation for delivering products that are easy to infiltrate, though. > > Today's email system is about as secure as a postcard. This > alternative would raise the bar somewhat bit above sending mail in a > sealed envelope. It raises the effort needed to eavesdrop in a > conversation or impersonate someone. > > Any thoughts? > It is interesting, but it has taken about 10 years for MIME to not be accepted by some large ISPs. I think digital signing and encryption will take at least as long, since so few users see any point in it. I think your analogy is not quite correct. Present e-mail is about as secure as a postcard. Signing and encrypting would be more secure than using an envelope: it would be using a steel strongbox with a good lock, but where the intruder knows where the key is and can break in and get it with varying amounts of effort depending on OS, sophistication of the user, etc. 
The biggest minuses, as far as I am concerned, is that people will get a false sense of security when their e-mails are signed and encrypted, but their private keys too easily available. When you get a signed and encrypted e-mail, you tend to believe you know who sent it and that it has not been tampered with or read. But if all someone need do is hijack (remotely, even) a machine and get the private key, you are in big trouble with identity theft, etc. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ Registered Machine 73926. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 9:05pm up 2 days, 23:00, 3 users, load average: 2.21, 2.13, 2.10 --------------ms070909050004080002060209-- From tony.kwok@3web.net Sun May 18 05:18:01 2003
From: tony.kwok@3web.net (tk)
Date: Sun May 18 04:18:01 2003
Subject: Encouraging email security.
In-Reply-To: <20030517234222.GA16303@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu>
Message-ID: <3EC6EDA9.4070402@3web.net>

Daniel Carrera wrote:
> I was thinking about how most people have no understanding
> or interest in email security. OpenPGP is hard enough to
> understand and use...

Absolutely! (The only thing I'd venture to correct in the above post is the 'interest' part: they *have* the interest, but it's - for the vast majority - simply too hard to do...)

I'd bet dollars to donuts that therefore the proportion of encrypted email is actually dropping, an extremely undesirable trend (for many obvious reasons). *Something* ought to be done.

From my observation of "real users", the hardest part is not at all remembering (and typing) the password/phrase, it's the understanding of the concept of web-of-trust, dealing with the wrinkled interface to it and suffering constant error conditions that it generates (quick survey of this list's archive should convince anyone).

Additionally, most "real users" I've seen have real desire (and thus real motivation!) to keep their messages from unauthorized inspection, but they only rarely require message signatures - i.e., eavesdropping is a common problem, impersonation simply isn't.

Large proportion of e-mail users communicate mostly in their own "small-world" communities and they have absolutely no problem whatsoever exchanging, authenticating, revoking, etc. their public keys. It is also most likely that communication with fellow members of such communities will need to be protected (as opposed to the communication with strangers). I would thus suggest that a simplified GPG version (GPG-lite?) should be constructed and deployed, where the system does not even attempt to assist (let alone control) the dissemination, authentication and revocation of public keys. The security of such system would remain as strong as the "real thing", provided that the key is exchanged in person (its finger verified over phone, printed on a business card etc. etc.). Also, while at it, I would strongly suggest "one-key-one-file" (text, base64 encoded) instead of the opaque and hard to understand and deal with "keyrings".

As suggested by the original poster, pre-selected, unchangeable ciphers and key-widths are an obvious necessity.

For those who need it (and are prepared to learn how to properly use it), "full" GPG would always be there.

(just my .02...)

tk

From dcarrera@math.umd.edu Sun May 18 06:29:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 18 05:29:02 2003
Subject: Encouraging email security.
In-Reply-To: <3EC6EDA9.4070402@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net>
Message-ID: <20030518033026.GB16442@math.umd.edu>

--ADZbWkCsHQ7r3kzd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

> Absolutely! (The only thing I'd venture to correct in
> the above post is the 'interest' part: they *have* the
> interest, but it's - for the vast majority - simply too
> hard to do...)

I hope you're right about the interest part.

> From my observation of "real users", the hardest part is
> not at all remembering (and typing) the password/phrase,
> it's the understanding of the concept of web-of-trust,

Definitely, I only have a partial understanding myself.

> Large proportion of e-mail users communicate mostly
> in their own "small-world" communities and they have
> absolutely no problem whatsoever exchanging, authenticating,
> revoking, etc. their public keys. It is also most likely
> that communication with fellow members of such communities
> will need to be protected (as opposed to the communication
> with strangers). I would thus suggest that a simplified
> GPG version (GPG-lite?) should be constructed and deployed,
> where the system does not even attempt to assist (let alone
> control) the dissemination, authentication and revocation
> of public keys. The security of such system would remain
> as strong as the "real thing", provided that the key is
> exchanged in person (its finger verified over phone,
> printed on a business card etc. etc.). Also, while at it,
> I would strongly suggest "one-key-one-file" (text, base64
> encoded) instead of the opaque and hard to understand
> and deal with "keyrings".

How about we just drop the concept of web-of-trust entirely? Of course,
it'll still exist. I mean, make it so that people can use GPG
without ever hearing the concept.

We can make OpenPGP really simple by having people only swap key IDs, and
making it look similar to Instant Messaging. Just as people casually ask
"what's your IM?", they could ask "what's your PGP?". To that, your
friend would give you the key ID. They don't even need to know that the
ID is only an identifier for the actual key.

If impersonation is not a huge problem, the fact that you are getting the
key ID from someone you know will be authentication enough.

When you go home, just type-in the "PGP" your friend gave you, and you're
done. From then on, whenever you email that address the mail will be
encrypted.

We can improve authentication while making it look "cool":
When you type the Key ID the software automatically shows you the JPEG
photo of the owner.

To further facilitate key exchange, the mail client could:
- Always send signed messages.
- Have a button to download the key ID whenever it gets a signed message.

This will cause a natural tendency for the GPG usage to rise.

-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

--ADZbWkCsHQ7r3kzd
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)

iD8DBQE+xv5S1/ZKhTQTHLARAgDAAKC6afmMD5wpG8F7voe80vLOFq/dOQCZAbSh
FQ5fJW9OCwWKLCoj95J3IUs=
=QkzA
-----END PGP SIGNATURE-----

--ADZbWkCsHQ7r3kzd--

From eleuteri@myrealbox.com Sun May 18 07:13:03 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Sun May 18 06:13:03 2003
Subject: Encouraging email security.
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net>
Message-ID: <016301c31cf3$33b61ef0$f92489c3@enterprise>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting from an e-mail I got from a real user(tm):

"but what is there to be encrypted? fine if we were doing something
critical"

This is the most often encountered reaction to digital signatures I get
from my friends, some of which are quite computer-literate yet not
willing to go through the trouble of encrypting and signing e-mail.

Simply, I think it's time to admit people in general don't care whether
an obscure sysadmin somewhere can read their mail. Most people sign
acceptable use policies that give sysadmins powers to monitor all of
their traffic, and yet it is also true that most often sysadmins seem to
be either honest or careful. The OpenPGP threat model is not appropriate
for most people, and expecting to make people fit into it is not very
productive.

I used to think along the same lines, but now I just think it's useless
to try to convince people to use crypto. Today's interfaces (gpgrelay
for example) are incredibly easy to use, and there is PGP which AFAIK
has a polished UI. I don't think it's a question of UI any more, I think
it's a question of needs and threat models. If you don't need something
and it carries a cost you're not likely to use it.

Perhaps the only way to get people to use encryption is to have a
so-called "zero-UI solution" but even so, unless it would come
incorporated in the MUA, I don't see people bothering to install it.

- --David.

-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
-----END PGP SIGNATURE-----

From graham.todd@ntlworld.com Sun May 18 07:27:06 2003
From: graham.todd@ntlworld.com (Graham)
Date: Sun May 18 06:27:06 2003
Subject: Encouraging email security.
In-Reply-To: <20030517234222.GA16303@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu>
Message-ID: <200305180533.42476.graham.todd@ntlworld.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 May 2003 12:42 am, Daniel Carrera wrote:

[snipped]

> There could be a mail client with the following properties:
>
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> 1024 DSA, 2048 ElGamal).
> 2) Automatically signs, and encrypts emails (when the pub key is
> available).
> 3) Here is the big one:
> It stores the user's password in the hard disk, in the style of
> Mozilla, so that the user doesn't have to type it. It all happens
> automatically.

There is such a client, in the form of Mozilla Mail with Enigmail, which
has been set up to make it easy for those unused to GPG to use it, but
you can alter the defaults to make email handling more powerful.
However, it does require GPG to be installed on your system and it is
NOT a GUI front end for key management.

You do have to type in your passphrase, but then you can set it to be
cached for any length of idle time. Personally, this is the minimum I
would accept and if you want anything else, use S/MIME.

- -- 
Graham
GPG Keys at encryption.keys@ntlworld.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy

iD8DBQE+xw0kIwtBZOk1250RAkgNAKDb9PhzKdEt5xVq3Ll+F4ct8eM98QCgjBCQ
gFzuNdH0fKloDHgGw8jdMII=
=0rKX
-----END PGP SIGNATURE-----

From graham.todd@ntlworld.com Sun May 18 08:25:02 2003
From: graham.todd@ntlworld.com (Graham)
Date: Sun May 18 07:25:02 2003
Subject: Encouraging email security.
In-Reply-To: <016301c31cf3$33b61ef0$f92489c3@enterprise>
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net> <016301c31cf3$33b61ef0$f92489c3@enterprise>
Message-ID: <200305180632.04854.graham.todd@ntlworld.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 May 2003 5:06 am, David Picon Alvarez wrote:

> I don't think it's a
> question of UI any more, I think it's a question of needs and threat
> models.

[snipped]

I don't: I think it's more to do with the nature of users.

Most people I know get a computer for access to the internet and they do
not want to bother with much else. New Windows users are blissfully
unaware that there is any other OS and they simply want the machine to
do everything it is capable of from power up: they do not want to
bother with the "how". Linux users and Mac users are generally more
questioning because they have decided that they are not going to accept
the defaults offered. Even so, it is remarkable how many people are
convinced AOL is "the internet".....

Most users wouldn't recognise a "threat model" if it jumped up and bit
them, and the majority don't care and have no interest in finding out.
Here in the UK, ISPs are required to monitor all internet traffic and
to pass on anything which is flagged as suspicious to the "relevant
authorities". Most computer users in the UK do not see this as an
attack on personal liberty or their right to privacy, just part and
parcel of using the internet. Many MUAs have encryption installed,
even if it is only S/MIME, and this certainly applies to Outlook
Express and even the Netscape email client. Very few people use it
even so.

The most we can do is help that minority of users who do want to use GPG
and know of it even, to use it more effectively. But we are fooling
ourselves if we believe that they will ever be a significant number of
users or anything less than a minority.

- -- 
Graham
GPG Keys at encryption.keys@ntlworld.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy

iD8DBQE+xxrTIwtBZOk1250RAqxDAKCF/UpgnfHX4LZab8fjeZV37L5UjACg0GIR
2kdwEHNwK2sAkBGUMFXggyM=
=HNCJ
-----END PGP SIGNATURE-----

From lgonze@panix.com Sun May 18 08:45:02 2003
From: lgonze@panix.com (Lucas Gonze)
Date: Sun May 18 07:45:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030517234222.GA16303@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu>
Message-ID:

A good idea.

On Sat, 17 May 2003, Daniel Carrera wrote:

> I was thinking about how most people have no understanding or interest in
> email security. OpenPGP is hard enough to understand and use that getting
> the majority of the population to use it seems a formidable task.
>
> I thought of a compromise that might be a step forward. I was hoping that
> those who know more about this than I could offer an opinion.
>
> There could be a mail client with the following properties:
>
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> 1024 DSA, 2048 ElGamal).
> 2) Automatically signs, and encrypts emails (when the pub key is
> available).
> 3) Here is the big one:
> It stores the user's password in the hard disk, in the style of
> Mozilla, so that the user doesn't have to type it. It all happens
> automatically.
>
> This would be a significant down compared to the proper use of OpenPGP,
> but a significant up compared to what exists today. Now emails would go
> around signed and encrypted. In order to read a message an attacker would
> have to get the password from the recipient's hard drive. A determined
> attacker could certainly do that, but the casual one would not.
>
> Today's email system is about as secure as a postcard.
> This alternative would raise the bar somewhat bit above sending mail in a
> sealed envelope. It raises the effort needed to eavesdrop in a
> conversation or impersonate someone.
>
> Any thoughts?
>
> --
> Daniel Carrera | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
> UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
>

From eleuteri@myrealbox.com Sun May 18 09:44:02 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Sun May 18 08:44:02 2003
Subject: Encouraging email security.
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net> <016301c31cf3$33b61ef0$f92489c3@enterprise> <200305180632.04854.graham.todd@ntlworld.com>
Message-ID: <005701c31d08$58b4be90$f92489c3@enterprise>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I don't: I think it's more to do with the nature of users.
> Most people I know get a computer for access to the internet and they do
> not want to bother with much else. New Windows users are blissfully
> unaware that there is any other OS and they simply want the machine to
> do everything it is capable of from power up: they do not want to
> bother with the "how". Linux users and Mac users are generally more
> questioning because they have decided that they are not going to accept
> the defaults offered. Even so, it is remarkable how many people are
> convinced AOL is "the internet".....

Well, a couple of things here.

1) we're mostly agreeing here about the fact that encryption is unlikely
to be widely used unless it comes by default.
2) you claim it's not about needs and threat models, but essentially
about laziness and ignorance.
3) I claim that if users don't value their privacy (which is IMO the
reason why they don't use crypto) is not because they're lazy or they
don't know better or the software is hard to set up, but simply they
have different values and they aren't terribly bothered by writing
e-mail in the clear.

Just anecdotally, most of my friends know what the Internet is, but not
AOL. I guess that might have to do with market penetration of AOL in my
country.

> Most users wouldn't recognise a "threat model" if it jumped up and bit
> them, and the majority don't care and have no interest in finding out.

Which means they have no threat model.

> Here in the UK, ISPs are required to monitor all internet traffic and
> to pass on anything which is flagged as suspicious to the "relevant
> authorities". Most computer users in the UK do not see this as an
> attack on personal liberty or their right to privacy, just part and
> parcel of using the internet. Many MUAs have encryption installed,
> even if it is only S/MIME, and this certainly applies to Outlook
> Express and even the Netscape email client. Very few people use it
> even so.

With this, you further prove my point that the users' "by default"
threat model is the cause. Users don't care about privacy thus they
don't use crypto. That was my point in the first place. OTOH, S/MIME
crypto under OE doesn't seem very easy to set up to me, since you have
to get a certificate, but I wouldn't know since I use OpenPGP anyway.

> The most we can do is help that minority of users who do want to use GPG
> and know of it even, to use it more effectively. But we are fooling
> ourselves if we believe that they will ever be a significant number of
> users or anything less than a minority.

100% agree with you. As I said, the only way to see widespread use of
crypto is if it would be included by default in the default MUA, which
isn't happening any time soon, if ever.

- --David.

-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
-----END PGP SIGNATURE-----

From jdbeyer@exit109.com Sun May 18 14:18:02 2003
From: jdbeyer@exit109.com (Jean-David Beyer)
Date: Sun May 18 13:18:02 2003
Subject: Encouraging email security.
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net> <016301c31cf3$33b61ef0$f92489c3@enterprise> <200305180632.04854.graham.todd@ntlworld.com> <005701c31d08$58b4be90$f92489c3@enterprise>
Message-ID: <3EC76C1C.9090106@exit109.com>

This is a cryptographically signed message in MIME format.

--------------ms050105010408030707040509
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

David Picon Alvarez wrote (in part):

> With this, you further prove my point that the users' "by default"
> threat model is the cause. Users don't care about privacy thus they
> don't use crypto. That was my point in the first place. OTOH, S/MIME
> crypto under OE doesn't seem very easy to set up to me, since you
> have to get a certificate, but I wouldn't know since I use OpenPGP
> anyway.
>

Well, I have both the S/MIME (mine is from VeriSign) that I use with
Mozilla and GnuPG that I use with mutt. I used to use Enigmail with
Mozilla 0.99, but it does not work with Mozilla 1.01 or whatever I have
now.

Getting a certificate from VeriSign and installing it in Netscape or
Mozilla is much easier than generating a private-public pair with GnuPG
(the easy part) and getting into a web of trust (the hard part). Even
installing GPG into mutt was tricky and required help from others on
this mailing list to do it.

But for me, all this is useless, and I am very sad about it. Because of
all the people I know, only one has the slightest interest in it, and
she is willing to check a box somewhere once to get it, but nothing
more. So if she could check a box in whatever msn.com uses for a mailer
saying: use encryption, she would, but not otherwise.

I do not know how to get around this cultural gap. But until the
majority start using encryption for everything, not just sensitive
stuff, those of us who do will just attract the attention of the very
busybodies whose attention we wish to avoid.

-- 
  .~.  Jean-David Beyer           Registered Linux User 85642.
  /V\                             Registered Machine    73926.
 /( )\ Shrewsbury, New Jersey     http://counter.li.org
 ^^-^^ 7:10am up 3 days, 9:05, 3 users, load average: 2.06, 2.09, 2.08

--------------ms050105010408030707040509
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms050105010408030707040509--

From graham.todd@ntlworld.com Sun May 18 16:06:02 2003
From: graham.todd@ntlworld.com (Graham)
Date: Sun May 18 15:06:02 2003
Subject: Encouraging email security.
In-Reply-To: <3EC76C1C.9090106@exit109.com>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com>
Message-ID: <200305181412.47854.graham.todd@ntlworld.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 18 May 2003 12:18 pm, Jean-David Beyer wrote:

[snipped]

> I do not know how to get around this cultural gap. But until the
> majority start using encryption for everything, not just sensitive
> stuff, those of us who do will just attract the attention of the very
> busybodies whose attention we wish to avoid.

This is the very point that Phil Zimmermann underlined in the early days
of PGP. By encrypting only sensitive stuff you single out the
sensitive stuff and people only need to use their resources to tackle
those emails. If you encrypt everything then you do not single out the
sensitive stuff.

But this requires encryption technology to be used by the recipient, be
it PGP, GnuPG or S/MIME, and most don't bother. It's not a matter of
difficulty (from my perspective PGP and GnuPG are easy to use, and
S/MIME is freely available and even the certificates are free [from
Trustcenter.GB and Thawte]); they just can't be bothered to use the
tools and to understand how they work. So the encrypted emails can't
be read and are ignored.

It's not so much a cultural gap, as computer illiteracy. Many users just
want to press the power button and instantly be in touch with email,
usenet, or the web; even my wife gets frustrated waiting for files to
download and we're on cable broadband! These users don't want to know
the hows and whys, they want everything available at the flip of a
switch. This is (after all) how they are sold their computer systems:
all completely ready to go once they've pressed the power button, even
though it might not be completely accurate.

ALL security software, from firewalls through virus checkers, and
encryption software are often seen by this type of user as complicating
the issue. They don't really care about privacy, or securing their
system from outside eyes, because the internet is seen as a system they
access, not one of which they are intimately a part like a node on a
vast computer network. That is the problem.

[I hereby end my rant :-)]

- -- 
Graham
GPG Keys at encryption.keys@ntlworld.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy

iD8DBQE+x4a5IwtBZOk1250RAo/HAJ9rSTj79DOueSpYuaBxoPfF+hbZoACeJ0sy
o/doegyv4OoEAukxkd/Jdk0=
=XtXz
-----END PGP SIGNATURE-----

From malte_gell@t-online.de Sun May 18 19:53:01 2003
From: malte_gell@t-online.de (Malte Gell)
Date: Sun May 18 18:53:01 2003
Subject: S/MIME with GnuPG
Message-ID: <200305181833.09907.malte_gell@t-online.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi,

when installing the Aegypten project software to get PGP/MIME support
it's recommended to compile gpgme with
"cd gpgme && ./configure --without-gpgsm ..." (according to
http://kmail.kde.org/kmail-pgpmime-howto.html ), but doesn't
without-gpgsm mean, that S/MIME support is skipped ?

According to http://www.gnupg.org/aegypten S/MIME is already working, so
I'd like to have KMail to support it besides PGP/MIME. So if gpgme is
compiled again without the "--without-gpgsm" flag does this mean that
S/MIME support will be available ?

Thanx
Malte

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iEYEAREDAAYFAj7HtukACgkQGzg12gD8wBb+9QCeOurSdHeWAfj/5Y2OHrpP/Z/z
M8cAoJMfeeKOTX76gUMzwfCmKqicODCm
=e9RS
-----END PGP SIGNATURE-----

From malte_gell@t-online.de Sun May 18 19:53:32 2003
From: malte_gell@t-online.de (Malte Gell)
Date: Sun May 18 18:53:32 2003
Subject: Encouraging email security.
In-Reply-To: <200305180533.42476.graham.todd@ntlworld.com>
References: <20030517234222.GA16303@math.umd.edu> <200305180533.42476.graham.todd@ntlworld.com>
Message-ID: <200305181854.22269.malte_gell@t-online.de>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Sunday, 18 May 2003 06:33, Graham wrote:
> On Sunday 18 May 2003 12:42 am, Daniel Carrera wrote:
>
> [snipped]
>
> > There could be a mail client with the following properties:
> >
> > 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> > 1024 DSA, 2048 ElGamal).
> > 2) Automatically signs, and encrypts emails (when the pub key is
> > available).
> > 3) Here is the big one:
> > It stores the user's password in the hard disk, in the style of
> > Mozilla, so that the user doesn't have to type it. It all
> > happens automatically.
>
> There is such a client, in the form of Mozilla Mail with Enigmail,
> which has been set up to make it easy for those unused to GPG to use
> it, but you can alter the defaults to make email handling more
> powerful. However, it does require GPG to be installed on your system
> and it is NOT a GUI front end for key management.

The last sentence is absolutely true. But Daniel's approach has
something promising I think. Imagine, most popular email clients would
come up with a notice "Dear, XXX you have not yet created a private key
for secure email communication. It is strongly recommended..." if
started first !

Maybe this could be a way to encourage email encryption. Under GNU/Linux
many people come in contact with encryption when using e.g.
rpm -v --checksig to check RPM files.

A normal Windows user never gets in contact or cares about encryption, I
think some education is needed.

Mozilla could be a start, it is so big, it wouldn't make a big
difference if GnuPG and enigmail would become part of it. For many
Windows users it may be the first time to install an OpenPGP compliant
product and to get in contact with email encryption. And if Mozilla
would "complain" "Dear, XXX, you have not yet..." I think this would be
a big step forward.

How large is Mozilla for both, Linux or a Windows user ? 18, 19 or 20
MB's ? Now, if GnuPG would be part of it, the additional 1 or 1.5 MB's
wouldn't be much additional "bloat". I'm especially thinking of the
Windows users at this point, because under GNU/Linux GnuPG is already a
de facto standard and GNU/Linux users are used to use GnuPG. Wouldn't
this be a nice approach ?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iEYEAREDAAYFAj7HuroACgkQGzg12gD8wBYZkQCeLw9wm1Ss7mZiR22WmOoXKAKq
sRIAoJucxWL8GAJzY3EU5zCbWwPIMPC+
=MRij
-----END PGP SIGNATURE-----

From dcarrera@math.umd.edu Sun May 18 22:00:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 18 21:00:02 2003
Subject: Encouraging email security.
In-Reply-To: <200305181854.22269.malte_gell@t-online.de>
References: <20030517234222.GA16303@math.umd.edu> <200305180533.42476.graham.todd@ntlworld.com> <200305181854.22269.malte_gell@t-online.de>
Message-ID: <20030518190052.GA1295@math.umd.edu>

Graham wrote:
> > There is such a client, in the form of Mozilla Mail with Enigmail,
> > which has been set up to make it easy for those unused to GPG to use
> > it, but you can alter the defaults to make email handling more
> > powerful. However, it does require GPG to be installed on your system
> > and it is NOT a GUI front end for key management.

I'll take a closer look at Enigmail. I can try to encourage my friends to use it.

It seems that there are some ways in which Enigmail could be improved:

- It could have a front-end for key creation.
- It could come with GPG, like Malte Gell suggested.
- It could provide a mechanism to import/export keys. For instance, when it gets a signed email it could prompt the user to download the public key from a keyserver.

How does this sound?

Malte Gell wrote:
> The last sentence is absolutely true. But Daniel's approach has
> something promising I think. Imagine, most popular email clients would
> come up with a notice "Dear, XXX you have not yet created a private key
> for secure email communication. It is strongly recommended..." if
> started first !
> Maybe this could be a way to encourage email encryption.

Exactly. If the mail client:

- Encourages the user to create a key.
- Automatically signs messages.
- Automatically downloads a key when it gets a signed message.

There will be a natural push towards email encryption.

> A normal Windows user never gets in contact or cares about encryption, I
> think some education is needed.

Agreed.

On this note, what can we do about hotmail users? AFAIK hotmail doesn't offer POP3 or IMAP. Suppose, for the sake of argument, that a hotmail user becomes interested in using GPG. Is there any way for him or her to start using GPG with their hotmail address?

I guess that they could send GPG attachments, but that's a highly non-optimal solution.

In general. Is there a way for a user with web-based email to start using GPG?

It just happens that I know a medium-sized group of people who have a non-trivial motivation to use encrypted communication. For some of them I can suggest Enigmail. But many of them use web-based email systems. What can I do about them?

Cheers,
-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

From tony.kwok@3web.net Sun May 18 23:20:02 2003
From: tony.kwok@3web.net (tk)
Date: Sun May 18 22:20:02 2003
Subject: Encouraging email security.
In-Reply-To: <200305181412.47854.graham.todd@ntlworld.com>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com>
Message-ID: <3EC7EB3D.9010107@3web.net>

> >>I do not know how to get around this cultural gap...
>
> It's not so much a cultural gap, as computer illiteracy.

I believe this to be an extremely important point, as it determines what (if anything) is worth undertaking. I subscribe to the "cultural gap" school. Stated simply, those that have no interest in keeping their mail private now will not change their mind anytime soon.

But there is (from my observation) a significant pool of those that would like to keep it private, but find it simply to be beyond practical for them to do so. And it is wrong (if not outright arrogant) to consider them stupid or lazy. Their cost/benefit point of balance is simply not met by the current crop of public key systems.

The solution is not a more automated force-feeding of the same complex system onto unwilling and unprepared, the solution is a simpler, easier to use and understand public key encryption program, targeting an entirely different cost/benefit point of balance.

In a very rough form, the salient characteristics of such program would IMHO be:

Only encryption/decryption, no message signing/authentication.

No cipher/key width choice.

No control of public key exchange and authentication. Public keys are simply computer files, passed around as one would pass around (for instance) his digital photos.

Medium (instead of computer) resident, no installation, mobile-use-friendly.

Cross-platform command-line 'base' and Linux AND Win32 GUI front ends, independent of any mail clients.

No attempt of protection from attacks involving network-compromised or multi-user computer.

Ascii text only, for both plaintext and ciphertext.

Autonomous operation (i.e. fully operational without the need for any network connection or resource (key directories/servers etc.)).

Functions that a user of such program would be able to perform would be limited to 4 (four):

1) Generate key-pair.

2) Generate and display human-readable key hash.

3) Encrypt text.

4) Decrypt text.

(and absolutely, ABSOLUTELY, nothing else... :)

PS. Let's also decide to give up on this "false sense of security" admonition. There is no absolute security anyways, and if the risks are explained in simple, understandable words to the user - he or she is the best one to decide on what is adequate and what is not. For those that need more security, and are prepared to invest time and effort, there is no shortage of good choices. All that this program would reasonably ensure, is that the messages captured in transit will not be readable any easier than current-variety GPG message.

If anybody asked me what to do to be more secure, I would seriously propose to run this same program on an air-gapped laptop that is never left unattended, before I would suggest anything else. Networked computer just should not be trusted...

tk

From mcoca@gnu.org Sun May 18 23:26:02 2003
From: mcoca@gnu.org (Miguel Coca)
Date: Sun May 18 22:26:02 2003
Subject: How do I sign a key with gpgme?
In-Reply-To: <0HF100C1AOIQ98@l-daemon>
References: <0HF100C1AOIQ98@l-daemon>
Message-ID: <20030518202646.GC861@mycroft>

On Sat, May 17, 2003 at 12:54:35 -0400, Michael Weiss wrote:
> Hello All,

Hi,

> I can't seem to figure out how to sign a key with gpgme.
>
> Is it possible?

Yes it is. But it's not simple, though. There is no "automatic" way to do it. GPA does it using gpgme_op_edit to access the edit menu, but that feature is undocumented and the developers have said in the past that it's kind of private to GPA.

Anyway, if you need to do it, you can see how I implemented it for GPA in its source code (in gpgmeedit.c, I think).

Regards,
-- 
Miguel Coca (mcoca@gnu.org) http://zipi.fi.upm.es/~e970095/
OpenPGP: E60A CBF4 5C6F 914E B6C1 C402 8C4D C7B6 27FC 3CA8

From pt@radvis.nu Sun May 18 23:31:03 2003
From: pt@radvis.nu (Per Tunedal)
Date: Sun May 18 22:31:03 2003
Subject: Encouraging email security.
Message-ID: <5.1.0.14.2.20030518223116.03576208@localhost>

At 05:06 2003-05-18 +0100, you wrote:
>
>Quoting from an e-mail I got from a real user(tm):
>"but what is there to be encrypted? fine if we were doing something
>critical"
>
---
>Today's interfaces (gpgrelay for example) are incredibly easy to
>use, and there is PGP which AFAIK has a polished UI. I don't think it's a
>question of UI any more, I think it's a question of needs and threat models.
>If you don't need something and it carries a cost you're not likely to use
>it.
>
>- --David.
>

This is an interesting approach! It's about marketing ...

A lot of people might have a need for "our" product encryption, in our eyes. But they don't have the same feeling. Maybe we would have to focus some more urgent need of our prospect customers? Any marketing gurus around?

BTW Identification and digital signatures with competing certificate techniques are "sold" in Sweden by e.g. the tax authorities: You need a certificate to be able to communicate with the tax agencies etc. I suppose it will eventually be widespread, because it's easier than filling forms by hand. The certificates are offered by the banks (easy because internet banking is widespread) and the Post (the snail mail doesn't produce any revenue). Most certificates are soft (file) certificates, but you can buy an "electronic ID-card" at one bank (Nordea) or at a post office.

Yours,
Per Tunedal

From pt@radvis.nu Sun May 18 23:31:40 2003
From: pt@radvis.nu (Per Tunedal)
Date: Sun May 18 22:31:40 2003
Subject: Encouraging email security.
Message-ID: <5.1.0.14.2.20030518223130.035bd760@localhost>

At 06:31 2003-05-18 +0100, you wrote:
>
>The most we can do is help that minority of users who do want to use GPG
>and know of it even, to use it more effectively. But we are fooling
>ourselves if we believe that they will ever be a significant number of
>users or anything less than a minority.
>- --
>
>Graham

No, that is not sufficient! On one earlier post someone told that encryption decreases! And I believe he might be right. This is really serious. There will not be any GPG or PGP in 10 years if it doesn't proliferate. Something has to be done!

Per Tunedal

From pt@radvis.nu Sun May 18 23:32:16 2003
From: pt@radvis.nu (Per Tunedal)
Date: Sun May 18 22:32:16 2003
Subject: Encouraging email security.
Message-ID: <5.1.0.14.2.20030518223148.035ba7f8@localhost>

Agree! The details might have to be modified somewhat. I would personally prefer to add some key verification by automatic use of robot-CA:s, as I have told in previous discussions.

Anyhow it's important to work in the direction of a very easy to use tool for users that are not interested in the technical matters. All projects working in that direction are welcome! It would be fine if some teams would form that could try developing extremely easy to use encryption software. I suppose in the end a winner will evolve. It might be the marketing that makes the winner rather than the technical solution. Think of a successful software company with an unstable operative ;-)>

Per Tunedal

At 01:46 2003-05-18 -0400, you wrote:
>
>A good idea.
>
>On Sat, 17 May 2003, Daniel Carrera wrote:
>
>> I was thinking about how most people have no understanding or interest in
>> email security. OpenPGP is hard enough to understand and use that getting
>> the majority of the population to use it seems a formidable task.
>>
>> I thought of a compromise that might be a step forward. I was hoping that
>> those who know more about this than I could offer an opinion.
>>
>> There could be a mail client with the following properties:
>>
>> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
>> 1024 DSA, 2048 ElGamal).
>> 2) Automatically signs, and encrypts emails (when the pub key is
>> available).
>> 3) Here is the big one:
>> It stores the user's password in the hard disk, in the style of
>> Mozilla, so that the user doesn't have to type it. It all happens
>> automatically.
>>
>> This would be a significant down compared to the proper use of OpenPGP,
>> but a significant up compared to what exists today. Now emails would go
>> around signed and encrypted. In order to read a message an attacker would
>> have to get the password from the recipient's hard drive. A determined
>> attacker could certainly do that, but the casual one would not.
>>
>> Today's email system is about as secure as a postcard.
>> This alternative would raise the bar somewhat above sending mail in a
>> sealed envelope. It raises the effort needed to eavesdrop in a
>> conversation or impersonate someone.
>>
>> Any thoughts?
>>
>> --
>> Daniel Carrera | OpenPGP fingerprint:
>> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
>> UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
>>

From pt@radvis.nu Sun May 18 23:33:02 2003
From: pt@radvis.nu (Per Tunedal)
Date: Sun May 18 22:33:02 2003
Subject: Encouraging email security.
Message-ID: <5.1.0.14.2.20030518223205.035bfef0@localhost>

At 07:18 2003-05-18 -0400, you wrote:
>David Picon Alvarez wrote (in part):
>
> > With this, you further prove my point that the users' "by default"
> > threat model is the cause. Users don't care about privacy thus they
> > don't use crypto. That was my point in the first place. OTOH, S/MIME
> > crypto under OE doesn't seem very easy to set up to me, since you
> > have to get a certificate, but I wouldn't know since I use OpenPGP
> > anyway.
>
>
>Well, I have both the S/MIME (mine is from VeriSign) that I use with
>Mozilla and GnuPG that I use with mutt. I used to use Enigmail with
>Mozilla 0.99, but it does not work with Mozilla 1.01 or whatever I have now.
>
>Getting a certificate from VeriSign and installing it in Netscape or
>Mozilla is much easier than generating a private-public pair with GnuPG
>(the easy part) and getting into a web of trust (the hard part). Even
>installing GPG into mutt was tricky and required help from others on
>this mailing list to do it.
>
>But for me, all this is useless, and I am very sad about it. Because of
>all the people I know, only one has the slightest interest in it, and
>she is willing to check a box somewhere once to get it, but nothing
>more. So if she could check a box in whatever msn.com uses for a mailer
>saying: use encryption, she would, but not otherwise.
>
>I do not know how to get around this cultural gap. But until the
>majority start using encryption for everything, not just sensitive
>stuff, those of us who do will just attract the attention of the very
>busybodies whose attention we wish to avoid.
>
>--
> .~. Jean-David Beyer

Agree. Most people don't care. They even send strictly confidential information unencrypted in e-mails, i.e. people with "obvious" needs of encryption don't use it. I am astonished.

Per Tunedal

From pt@radvis.nu Sun May 18 23:33:44 2003
From: pt@radvis.nu (Per Tunedal)
Date: Sun May 18 22:33:44 2003
Subject: Encouraging email security.
Message-ID: <5.1.0.14.2.20030518223223.035a4b68@localhost>

> Imagine, most popular email clients would
>come up with a notice "Dear, XXX you have not yet created a private key
>for secure email communication. It is strongly recommended..." if
>started first !

Great!

>Mozilla could be a start, it is so big, it wouldn't make a big
>difference if GnuPG and enigmail would become part of it. For many
>Windows users it may be the first time to install an OpenPGP compliant
>product and to get in contact with email encryption. And if Mozilla
>would "complain" "Dear, XXX, you have not yet..." I think this would be
>a big step forward.

An excellent idea! Go ahead!

Per Tunedal

From jdbeyer@exit109.com Sun May 18 23:51:01 2003
From: jdbeyer@exit109.com (Jean-David Beyer)
Date: Sun May 18 22:51:01 2003
Subject: Encouraging email security.
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com>
Message-ID: <3EC7F272.8030800@exit109.com>

Graham wrote:
> On Sunday 18 May 2003 12:18 pm, Jean-David Beyer wrote:
>
> [snipped]
>
>> I do not know how to get around this cultural gap. But until the
>> majority start using encryption for everything, not just sensitive
>> stuff, those of us who do will just attract the attention of the
>> very busybodies whose attention we wish to avoid.
>
>
> This is the very point that Phil Zimmermann underlined in the early
> days of PGP. By encrypting only sensitive stuff you single out the
> sensitive stuff and people only need to use their resources to tackle
> those emails. If you encrypt everything then you do not single out
> the sensitive stuff.
>
> But this requires encryption technology to be used by the recipient,
> be it PGP, GnuPG or S/MIME, and most don't bother. It's not a matter
> of difficulty (from my perspective PGP and GnuPG are easy to use, and
> S/MIME is freely available and even the certificates are free [from
> Trustcenter.GB and Thawte]); they just can't be bothered to use the
> tools and to understand how they work. So the encrypted emails can't
> be read and are ignored.
>
> It's not so much a cultural gap, as computer illiteracy. Many users
> just want to press the power button and instantly be in touch with
> email, usenet, or the web; even my wife gets frustrated waiting for
> files to download and we're on cable broadband! These users don't
> want to know the hows and whys, they want everything available at the
> flip of a switch. This is (after all) how they are sold their
> computer systems: all completely ready to go once they've pressed the
> power button, even though it might not be completely accurate.

Well, they think they have privacy with paper mail, telephones, etc., a delusion I admit, so it never occurs that they do not have it with e-mail.

>
> ALL security software, from firewalls through virus checkers, and
> encryption software are often seen by this type of user as
> complicating the issue. They don't really care about privacy, or
> securing their system from outside eyes, because the internet is seen
> as a system they access, not one of which they are intimately a part
> like a node on a vast computer network. That is the problem.
>
> [I hereby end my rant :-)]
>

They WILL CARE the first time someone hijacks some very private information and gets it on the front page of their local newspaper, blackmails them, or turns it over to the FBI or something. But by then it will be too late.

Perhaps our politicians will start using it, preferably before they first run for office. ;-)

-- 
  .~.  Jean-David Beyer           Registered Linux User 85642.
  /V\                             Registered Machine    73926.
 /( )\ Shrewsbury, New Jersey     http://counter.li.org
 ^^-^^ 4:45pm up 32 min, 2 users, load average: 0.45, 0.49, 0.45

From wbo@mandrakesoft.com Mon May 19 00:37:03 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Sun May 18 23:37:03 2003
Subject: Encouraging email security.
In-Reply-To: <3EC7F272.8030800@exit109.com>
References: <20030517234222.GA16303@math.umd.edu> <200305181412.47854.graham.todd@ntlworld.com> <3EC7F272.8030800@exit109.com>
Message-ID: <200305182334.21309.wbo@mandrakesoft.com>

** Jean-David Beyer (Sunday, 18 May 2003 22:52)
>
> They WILL CARE the first time someone hijacks some very private
> information and gets it on the front page of their local newspaper,
> blackmails them, or turns it over to the FBI or something. But by
> then it will be too late.

I'm one of the Joes or Harrys of the unwashed masses. Most of my friends and acquaintances are. We exchange mails, we post to newsgroups and/or mailing lists. In 99% of all cases those mails and postings never consisted of 'sensitive' or even 'embarrassing' material. It is very difficult to reason with something which is not there.

I used PGP and am now using GnuPG in Linux. But just the other week I tried to convince a neighbor to use signing and en-/decryption. "Why should I? Everybody can read what I'm writing. There's nothing I have to hide! I'm not a crook or such!"

> Perhaps our politicians will start using it, preferably before they
> first run for office. ;-)

Our politicians don't use mail! (Most of them don't!)

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From dcarrera@math.umd.edu Mon May 19 00:44:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 18 23:44:02 2003
Subject: Encouraging email security.
In-Reply-To: <3EC7EB3D.9010107@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net>
Message-ID: <20030518214525.GA2010@math.umd.edu>

> >>I do not know how to get around this cultural gap...
> >
> >It's not so much a cultural gap, as computer illiteracy.
>
> I believe this to be an extremely important point, as it determines
> what (if anything) is worth undertaking. I subscribe to the
> "cultural gap" school. Stated simply, those that have no interest
> in keeping their mail private now will not change their mind
> anytime soon.

As with most things, there is a continuum of interest. The smaller the effort required to use encryption the more people will use it.

> The solution is not a more automated force-feeding of the same complex
> system onto unwilling and unprepared, the solution is a simpler, easier
> to use and understand public key encryption program, targeting an
> entirely different cost/benefit point of balance.

I agree, 100%.

Indeed, I know of a certain group of people who would JUMP at GPG if it were easily accessible to them. Allow me to elaborate:

I am a Christian. Some times, some of my Christian friends go to the third world to perform humanitarian work in places where Christians are persecuted. Just last month someone I know departed to a "secure" region of the world where, if her faith were discovered, her life would be in danger.

Furthermore, the email coming into this particular place is routinely screened for Christian words. The need for secure communication is nowhere as obvious as here.

Because of this, she gave everyone a "thesaurus" which maps Christian words to other words, some of them made up, that shouldn't be picked up by the screening computers.

When I heard her describe this I was shocked. What she is describing is the most archaic type of encryption possible. I talked to her after the talk. She actually does know about encryption, she knows what PGP is and she uses it with a tiny group of people. She explained to me that it just wasn't a viable option for the bulk of the population who have no knowledge of it.

If GPG were more popular, we could all just have given her our fingerprints (or just key IDs!) and ensured a much more secure form of communication.

I intend to converse with my pastor at some point, so that future missionaries will be able to use GPG when they try to do humanitarian work in sensitive areas of the world. But first, I want to find the easiest way to get them to use GPG. The problem is that for this to work we'd need to get ALL of the prayer partners (~40 people) using it.

That's part of why I'm keen on finding the path of least resistance towards encrypted communication.

> In a very rough form, the salient characteristics of such
> program would IMHO be:
>
> Only encryption/decryption, no message signing/authentication.

I don't see how signing/authentication complicates anything. The concept is really simple, and if it happens automatically it requires no extra effort. Simply have the MUA sign all email, and verify all signed email, period.

> No cipher/key width choice.
>
> No control of public key exchange and authentication.
> Public keys are simply computer files, passed around as one
> would pass around (for instance) his digital photos.

I agree. We also need to find an easy way to pass the keys around. That's why I advocate the keyID-based method. Pass around key IDs and have the MUA download the keys from a server.

> Medium (instead of computer) resident, no installation,
> mobile-use-friendly.

I'm not sure I understand this one.

> Functions that a user of such program would be able to
> perform would be limited to 4 (four):
>
> 1) Generate key-pair.
>
> 2) Generate and display human-readable key hash.
>
> 3) Encrypt text.
>
> 4) Decrypt text.
>
> (and absolutely, ABSOLUTELY, nothing else... :)

I would add signing/authentication, but since it happens automatically there is no "sign" or "authenticate" function. No added complication. It just does it.

We can simplify (2) by simply making the MUA display the Key ID somewhere on the UI automatically. No option. Just as it displays my name and address when I'm writing an email, it would display my key ID.

Cheers,
-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

From dcarrera@math.umd.edu Mon May 19 00:53:03 2003
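Added example, not part of any message in this thread: the "key hash" and "key ID" discussed above are related as follows for version 4 OpenPGP keys. The fingerprint is a SHA-1 hash over the public-key packet, and the key ID is only its trailing 64 (or 32) bits, so a client that fetches a key by ID can recompute the fingerprint and compare it with one received out of band. The function names and the two sample keys are constructed for illustration; the fingerprint string is the one printed in the signature block above.

```python
import hashlib
import struct

# Fingerprint as printed in the signature block of the message above.
PAGE_FINGERPRINT = "9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E"

# Constructed sample values: not real RSA moduli and not anyone's key.
CREATED = 1053295200
MODULUS_A = (1 << 1023) + 0x10001F
MODULUS_B = (1 << 1023) + 0x20003D
EXPONENT = 65537


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created, n, e):
    """Body of a version 4 public-key packet for RSA (algorithm number 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body):
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def normalize(text):
    """Strip spacing from a printed fingerprint and validate it as 160 bits."""
    hexed = "".join(text.split()).upper()
    if len(hexed) != 40 or any(c not in "0123456789ABCDEF" for c in hexed):
        raise ValueError("not a 160-bit fingerprint")
    return hexed


def display(fingerprint):
    """Format a fingerprint in groups of four, as in the signature block."""
    fpr = normalize(fingerprint)
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))


def key_ids(fingerprint):
    """Return (64-bit key ID, 32-bit key ID): the tail of the fingerprint."""
    fpr = normalize(fingerprint)
    return fpr[-16:], fpr[-8:]


def check_downloaded_key(body, requested_id, trusted_fingerprint):
    """Decide whether a key fetched by key ID may be used for encryption.

    requested_id is what was asked of the server; trusted_fingerprint is the
    full fingerprint obtained from the owner by other means, or None.
    Returns (accepted, reason).
    """
    actual = v4_fingerprint(body)
    wanted = requested_id.upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if not actual.endswith(wanted):
        return False, "server returned a key with a different key ID"
    if trusted_fingerprint is None:
        return False, "key ID matches, but there is no fingerprint to verify"
    if actual != normalize(trusted_fingerprint):
        return False, "key ID matches but fingerprint differs"
    return True, "fingerprint verified"


if __name__ == "__main__":
    print("key IDs for the fingerprint on this page:", key_ids(PAGE_FINGERPRINT))
    key_a = rsa_public_key_body(CREATED, MODULUS_A, EXPONENT)
    key_b = rsa_public_key_body(CREATED, MODULUS_B, EXPONENT)
    fpr_a = v4_fingerprint(key_a)
    print("constructed key A:", display(fpr_a))
    # The owner of key A handed over fpr_a; the server may return anything.
    print(check_downloaded_key(key_a, key_ids(fpr_a)[1], fpr_a))
    print(check_downloaded_key(key_b, key_ids(v4_fingerprint(key_b))[1], fpr_a))
```
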
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sun May 18 23:53:03 2003
Subject: Encouraging email security.
In-Reply-To: <200305182334.21309.wbo@mandrakesoft.com>
References: <20030517234222.GA16303@math.umd.edu> <200305181412.47854.graham.todd@ntlworld.com> <3EC7F272.8030800@exit109.com> <200305182334.21309.wbo@mandrakesoft.com>
Message-ID: <20030518215410.GA2020@math.umd.edu>

> I used PGP and am now using GnuPG in Linux. But just the other week I
> tried to convince a neighbor to use signing and en-/decryption. "Why
> should I? Everybody can read what I'm writing. There's nothing I have
> to hide! I'm not a crook or such!"

Sigh, that kind of reasoning is probably very common. Phil Zimmermann has a good response to that:

http://www.pgpi.org/doc/whypgp/en/

From that site:

    Perhaps you think your E-mail is legitimate enough that encryption is
    unwarranted. If you really are a law-abiding citizen with nothing to
    hide, then why don't you always send your paper mail on postcards? Why
    not submit to drug testing on demand? Why require a warrant for police
    searches of your house? Are you trying to hide something? You must be a
    subversive or a drug dealer if you hide your mail inside envelopes. Or
    maybe a paranoid nut. Do law-abiding citizens have any need to encrypt
    their E-mail?

There is a name for countries that follow your neighbour's line of reasoning. The countries where people cannot assert their privacy (so, for instance, the police can search your house without a warrant) are usually called "police states".

-- 
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

From ingo.kloecker@epost.de Mon May 19 00:56:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sun May 18 23:56:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030517234222.GA16303@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu>
Message-ID: <200305182306.10221@erwin.ingo-kloecker.de>

On Sunday 18 May 2003 01:42, Daniel Carrera wrote:
> I was thinking about how most people have no understanding or
> interest in email security. OpenPGP is hard enough to understand and
> use that getting the majority of the population to use it seems a
> formidable task.
>
> I thought of a compromise that might be a step forward. I was hoping
> that those who know more about this than I could offer an opinion.
>
> There could be a mail client with the following properties:
>
> 1) Automatically creates a pre-defined key setup (e.g. 4096 RSA,
> 1024 DSA, 2048 ElGamal).

That's not really the task of a mail client. At least I would rather make KMail call an external OpenPGP key manager than to add any code to create keys to KMail.

> 2) Automatically signs, and encrypts emails (when the pub key is
> available).

KMail already does this.

> 3) Here is the big one:
> It stores the user's password in the hard disk, in the style of
> Mozilla, so that the user doesn't have to type it. It all happens
> automatically.

KMail will never do this (as long as I'm the maintainer). If you don't want to type a passphrase then enter an empty passphrase. BTW, KMail has the option to keep the passphrase in memory as long as it's running and by using gpg-agent any application can cache the passphrase for a specific amount of time. So it's not necessary that the user enters the passphrase every time it's needed.

Last but not least, I want to add that it's a nice idea to make email clients encourage encryption. But as long as the most widely used (and I might add the most insecure) mail client doesn't support OpenPGP natively encryption will never be used by a significant number of people.

OTOH, according to c't (a German computer magazine), Microsoft just demonstrated (on WinHEC 2003) the usage of Windows Rights Management for email. They added a security policy to an email message which made it impossible for the recipient to forward the message, to copy it to the clipboard or to make a screenshot (!) of it. (Anyone remembers the "for your eyes only" option in PGP?) Don't ask me how they want to guarantee this but be prepared to receive email messages in the not so far future which can't be read with anything else than Outlook on a Palladium-secured Windows system.

Regards,
Ingo

From ingo.kloecker@epost.de Mon May 19 00:57:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Sun May 18 23:57:02 2003
Subject: S/MIME with GnuPG
In-Reply-To: <200305181833.09907.malte_gell@t-online.de>
References: <200305181833.09907.malte_gell@t-online.de>
Message-ID: <200305182312.15315@erwin.ingo-kloecker.de>

On Sunday 18 May 2003 18:37, Malte Gell wrote:
> Hi,
> when installing the Aegypten project software to get PGP/MIME support
> it's recommended to compile gpgme with
> "cd gpgme && ./configure --without-gpgsm ..." (according to
> http://kmail.kde.org/kmail-pgpmime-howto.html ), but doesn't
> without-gpgsm mean, that S/MIME support is skipped ?

Yes. The PGP/MIME with KMail howto includes this option because for
using the S/MIME plugin you have to install a few more libraries than
the few that are mentioned in the howto. The howto is only there for
people who want to use PGP/MIME but who don't need S/MIME.

> According to http://www.gnupg.org/aegypten S/MIME is already working,
> so I'd like to have KMail to support it besides PGP/MIME. So if gpgme
> is compiled again without the "--without-gpgsm" flag does this mean
> that S/MIME support will be available ?

If you installed all the other libraries which are required for S/MIME
then compiling gpgme without this flag should enable S/MIME support.
Read http://www.gnupg.org/aegypten/development.en.html if you want to
install the PGP/MIME and the S/MIME plugin for KMail.

Regards,
Ingo

From graham.todd@ntlworld.com Mon May 19 01:08:02 2003
From: graham.todd@ntlworld.com (Graham)
Date: Mon May 19 00:08:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030518190052.GA1295@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu> <200305181854.22269.malte_gell@t-online.de> <20030518190052.GA1295@math.umd.edu>
Message-ID: <200305182314.10960.graham.todd@ntlworld.com>

On Sunday 18 May 2003 8:00 pm, Daniel Carrera wrote:
> I'll take a closer look at Enigmail.
> I can try to encourage my friends to use it.

Good :-)

>
> It seems that there are some ways in which Enigmail could be
> improved:
>
> - It could have a front-end for key creation.

You can already create keys from within Enigmail. It simply passes the
command through to GPG.

> - It could come with GPG, like Malte Gell suggested.

It won't. Period. It's not in the design roadmap. Enigmail is simply a
tool to enable you to use GPG to encrypt and sign mozilla Mail
messages.

> - It could provide a mechanism to import/export keys.
> For instance, when it gets a signed email it could prompt the
> user to download the public key from a keyserver.

It does import already. Click on the pen icon and a key is called from
the predefined keyserver. But it is not within the design parameters
to be another GUI to GPG, so no export facilities are provided.

--
Graham
GPG Keys at encryption.keys@ntlworld.com

From graham.todd@ntlworld.com Mon May 19 01:16:02 2003
From: graham.todd@ntlworld.com (Graham)
Date: Mon May 19 00:16:02 2003
Subject: Encouraging email security.
In-Reply-To: <3EC7EB3D.9010107@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net>
Message-ID: <200305182322.38897.graham.todd@ntlworld.com>

On Sunday 18 May 2003 9:21 pm, tk wrote:
> But there is (from my observation) a significant pool
> of those that would like to keep it private, but find it simply to
> be beyond practical for them to do so. And it is wrong (if not
> outright arrogant) to consider them stupid or lazy.
[snipped]

I never suggested otherwise. Those that have an interest will find out
the information, and those that are not computer illiterate will be
able to put it into practice. Personally, I find GPG, PGP and S/MIME
all easy to use. When I explain how to use these systems to others I
find a (very) small minority that understand the concept but do not
wish to use them. Fair enough, that is the freedom to choose what you
want to do.

But more prevalent are the users (mainly Windows users that this applies
to) that can't be bothered and have no interest in finding out.

It's a pity, but this is my experience.

--
Graham
GPG Keys at encryption.keys@ntlworld.com

From ingo.kloecker@epost.de Mon May 19 01:47:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Mon May 19 00:47:02 2003
Subject: Encouraging email security.
In-Reply-To: <5.1.0.14.2.20030518223223.035a4b68@localhost>
References: <5.1.0.14.2.20030518223223.035a4b68@localhost>
Message-ID: <200305190013.03226@erwin.ingo-kloecker.de>

Per, please don't remove the line which identifies the person you reply
to (like the "On Sunday... Per Tunedal wrote" below). Furthermore, if
possible, please configure your email client to add the name of the
person you reply to to this line. "At ... you wrote" doesn't really
help that much on a mailing list, especially because your replies don't
have headers which would allow mail clients to correctly sort your
replies into a discussion thread.

On Sunday 18 May 2003 22:32, Per Tunedal wrote:
> >Mozilla could be a start, it is so big, it wouldn't make a big
> >difference if GnuPG and enigmail would become part of it. For many
> >Windows users it may be the first time to install an OpenPGP
> > compliant product and to get in contact with email encryption. And
> > if Mozilla would "complain" "Dear, XXX, you have not yet..." I
> > think this would be a big step forward.
>
> An excellent idea! Go ahead!

I just want to note that currently the Mozilla developers are splitting
Mozilla into several smaller applications because it's so big. I don't
think that they would have much interest in adding GnuPG to Mozilla
Mail. OTOH, enigmail should definitely become part of Mozilla Mail
(unless enigmail becomes obsolete because of native OpenPGP support in
Mozilla Mail). Anyway, who needs Mozilla Mail on Linux/Unix if he can
use KMail.

Regards,
Ingo

From ingo.kloecker@epost.de Mon May 19 01:47:39 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Mon May 19 00:47:39 2003
Subject: Encouraging email security.
In-Reply-To: <3EC7EB3D.9010107@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net>
Message-ID: <200305190025.25946@erwin.ingo-kloecker.de>

On Sunday 18 May 2003 22:21, tk wrote:
> If anybody asked me what to do to be more secure,
> I would seriously propose to run this same program on an
> air-gapped laptop that is never left unattended, before I
> would suggest anything else. Networked computer just should
> not be trusted...

Using an air-gapped laptop sounds like a weird suggestion now that
wireless LAN gets popular. In the future non-air-gapped laptops will be
the exception and most air-gapped laptops will be equipped with
wireless LAN.

Regards,
Ingo

From jdbeyer@exit109.com Mon May 19 02:11:03 2003
From: jdbeyer@exit109.com (Jean-David Beyer)
Date: Mon May 19 01:11:03 2003
Subject: Encouraging email security.
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <20030518214525.GA2010@math.umd.edu>
Message-ID: <3EC81341.3050903@exit109.com>

Daniel Carrera wrote (in part):
>>>> I do not know how to get around this cultural gap...
>>>
>>> It's not so much a cultural gap, as computer illiteracy.
>>
>> I believe this to be an extremely important point, as it determines
>> what (if anything) is worth undertaking. I subscribe to the
>> "cultural gap" school. Stated simply, those that have no interest
>> in keeping their mail private now will not change their mind
>> anytime soon.
>
> As with most things, there is a continuum of interest. The smaller
> the effort required to use encryption the more people will use it.
>
>> The solution is not a more automated force-feeding of the same
>> complex system onto unwilling and unprepared, the solution is a
>> simpler, easier to use and understand public key encryption
>> program, targeting an entirely different cost/benefit point of
>> balance.
>
> I agree, 100%.
>
> Indeed, I know of a certain group of people who would JUMP at GPG if
> it were easily accessible to them. Allow me to elaborate:
>
> I am a Christian. Sometimes, some of my Christian friends go to the
> third world to perform humanitarian work in places where Christians
> are persecuted. Just last month someone I know departed to a
> "secure" region of the world where, if her faith were discovered, her
> life would be in danger.
>
> Furthermore, the email coming into this particular place is
> routinely screened for Christian words.
>
> The need for secure communication is nowhere as obvious as here.
>
> Because of this, she gave everyone a "thesaurus" which maps
> Christian words to other words, some of them made up, that shouldn't
> be picked up by the screening computers.
>
> When I heard her describe this I was shocked. What she is describing
> is the most archaic type of encryption possible. I talked to her
> after the talk. She actually does know about encryption, she knows
> what PGP is and she uses it with a tiny group of people. She
> explained to me that it just wasn't a viable option for the bulk of
> the population who have no knowledge of it.
>
> If GPG were more popular, we could all just have given her our
> fingerprints (or just key IDs!) and ensured a much more secure form
> of communication.
>
> I intend to converse with my pastor at some point, so that future
> missionaries will be able to use GPG when they try to do humanitarian
> work in sensitive areas of the world. But first, I want to find the
> easiest way to get them to use GPG. The problem is that for this to
> work we'd need to get ALL of the prayer partners (~40 people) using
> it.
>
> That's part of why I'm keen on finding the path of least resistance
> towards encrypted communication.
>

If I were running a police state, I would prohibit encrypted e-mail,
and anyone using it would be presumed, ipso facto, to have something to
hide and I would chop off their heads.

Now if everyone used encryption for every email; i.e., if encryption
were a standard instead of something people who were just paranoid
flakes like me, or conspiracies of criminals, they would have a tougher
time prohibiting it. E.g., if Microsoft made encryption the rule,
impossible to disable, the police state would not be able to stop it,
because Microsoft is probably more powerful than the average police
state.

--
  .~.  Jean-David Beyer           Registered Linux User 85642.
  /V\                             Registered Machine    73926.
 /( )\ Shrewsbury, New Jersey     http://counter.li.org
 ^^-^^ 7:05pm up 40 min, 2 users, load average: 1.34, 1.15, 0.77

From ingo.kloecker@epost.de Mon May 19 02:23:02 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Mon May 19 01:23:02 2003
Subject: Encouraging email security.
In-Reply-To: <200305182334.21309.wbo@mandrakesoft.com>
References: <20030517234222.GA16303@math.umd.edu> <3EC7F272.8030800@exit109.com> <200305182334.21309.wbo@mandrakesoft.com>
Message-ID: <200305190118.31801@erwin.ingo-kloecker.de>

On Sunday 18 May 2003 23:34, Wolfgang Bornath wrote:
> ** Jean-David Beyer (Sunday, 18 May 2003 22:52)
>
> > They WILL CARE the first time someone hijacks some very private
> > information and gets it on the front page of their local newspaper,
> > blackmails them, or turns it over to the FBI or something. But by
> > then it will be too late.
>
> I'm one of Joes or Harrys of the unwashed masses. Most of my friends
> and acquaintances are. We exchange mails, we post to newsgroups and/or
> mailing lists. In 99% of all cases those mails and postings never
> consisted of 'sensitive' or even 'embarrassing' material. It is very
> difficult to reason with something which is not there.
>
> I used PGP and am now using GnuPG in Linux. But just the other week I
> tried to convince a neighbor to use signing and en-/decryption. "Why
> should I? Everybody can read what I'm writing. There's nothing I have
> to hide! I'm not a crook or such!"

Does your neighbor know that making backups of "copy-protected" CDs is
illegal in some states (e.g. U.S.A., Germany, Denmark, Malaysia)? Did
he never backup any CDs for nor share any files with his friends? Did
he never use an unauthorized backup copy of a piece of software? Is he
sure that he never spoke in an email message about any of this? Did he
never write anything impolite about another person (his wife, his
superiors, a politician)? Did he never forward a picture or a joke that
could be considered non-PC? He must be a new-born.

Today making backups of CDs and DVDs is illegal. What's next? Nobody
knows. So one better makes sure that as few people as possible know
what you write in your email messages. Better be paranoid (or cautious)
today than in jail tomorrow.

Regards,
Ingo

From pitrp@wg78.de Mon May 19 03:22:02 2003
From: pitrp@wg78.de (Peter Prohaska)
Date: Mon May 19 02:22:02 2003
Subject: Encouraging email security.
In-Reply-To: <200305182314.10960.graham.todd@ntlworld.com>
References: <20030517234222.GA16303@math.umd.edu> <200305181854.22269.malte_gell@t-online.de> <20030518190052.GA1295@math.umd.edu> <200305182314.10960.graham.todd@ntlworld.com>
Message-ID: <20030519002309.GA17401@wg78.homeunix.net>

On Sun, May 18, 2003 at 11:13:54PM +0100, Graham wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday 18 May 2003 8:00 pm, Daniel Carrera wrote:
>
> > - It could come with GPG, like Malte Gell suggested.
>
> It won't. Period. It's not in the design roadmap. Enigmail is simply a
> tool to enable you to use GPG to encrypt and sign mozilla Mail
> messages.

I believe it is the right way to keep the tools separated. But the
problem is to know which tools you need and where to find them. A
friend just asked me what he has to do to get mail encryption and auto
signing to work on windows. Since i'm not using windows, and don't know
the tools, i can't help him.

What could solve that problem is if mozilla would load a webpage that
tells me where to find the tools after installation. "If you want to
use gnupg to encrypt your mail, please install the following tools...
[list of links]" Or if i could tell him to point his browser to
"about:pgp" or to click at the "About encryption/pgp" entry in the help
menu.

thanks for naming enigmail,
peter.

From tony.kwok@3web.net Mon May 19 03:58:02 2003
From: tony.kwok@3web.net (tk)
Date: Mon May 19 02:58:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030518214525.GA2010@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <20030518214525.GA2010@math.umd.edu>
Message-ID: <3EC82C63.5010001@3web.net>

>>No control of public key exchange and authentication.
>>Public keys are simply computer files, passed around as one
>>would pass around (for instance) his digital photos.
>
>
> I agree. We also need to find an easy way to pass the keys around.
> That's why I advocate the keyID-based method. Pass around key
> IDs and have the MUA download the keys from a server.
>

No download.
I assume that the computer is not connected to the 'net (while
the mail is composed, crypted, or read). It might only be connected
to upload and download the mail, but not even that is to be assumed
let alone required.
Note that I assume no integration with the mail client - the text
is transferred via files (and clipboard?).
(Of course, nothing prevents the mail client programmer to offer
some level of integration - but the crypto program makes no such
assumption and can be used without it.)

>
>
>>Medium (instead of computer) resident, no installation,
>>mobile-use-friendly.
>
>
> I'm not sure I understand this one.
>

The program requires no "installation". (there were many
discussions on this list about the "mobile use" of GPG).
The program can be executed from floppy, CD, USB drive...
A large percentage of problems that users experience are caused
by unresolved or ill-resolved components residing (or assumed to
be residing) on the computer.
I assume single-executable, single-file program; thus nothing to
"install", nothing that can be wrong with installation, nothing
to prevent the user from using it on any number of computers
interchangeably (on "work" computer during the day, "home" computer
at night...).
The design simply assumes that both the program and the key files
may reside on removable media, with no state-preserving items
between invocations of the program.

>
> I would add signing/authentication, but since it happens automatically
> there is no "sign" or "authenticate" function. No added complication.

I believe that anything that imposes formatting rules and
assumption on the message text is a significant complication and
source of errors. (see many line-wrapping related snafu's reported
on this mail-list).
And as stated previously, I see signing of only marginal value,
to a very small number of users. Such users should turn to GPG
and full public key infrastructure it offers.

> We can simplify (2) by simply making the MUA display the Key ID
> somewhere on the UI automatically.

Key-id is the name of the key file; there are no other
"identifiers". If a certain community wants to introduce key file
naming conventions, it is free to do so. But there is no global id
name-space control. (Remember CB handles..? see the hypothetical
sig below).

Again, those that need better should turn to GPG. What I propose
here pretty well defines the extreme low end of the simplicity
scale.

tony abalony
GPGsimple: http://rumba.ohnemuhe.net/gpgsimple/tonyabalony.pubkey
key fingerprint: b7.02.de.8f.04.38.42.7c

From tony.kwok@3web.net Mon May 19 05:05:02 2003
From: tony.kwok@3web.net (tk)
Date: Mon May 19 04:05:02 2003
Subject: Encouraging email security.
In-Reply-To: <200305190025.25946@erwin.ingo-kloecker.de>
References: <20030517234222.GA16303@math.umd.edu> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <200305190025.25946@erwin.ingo-kloecker.de>
Message-ID: <3EC83C21.5020904@3web.net>

Ingo Klöcker wrote:
> On Sunday 18 May 2003 22:21, tk wrote:
>
>>If anybody asked me what to do to be more secure,
>>I would seriously propose to run this same program on an
>>air-gapped laptop that is never left unattended..
>
> Using an air-gapped laptop sounds like a weird suggestion
> now that wireless LAN gets popular...

Misunderstanding. To me "air gap" means a computer with no
network connection whatsoever (let alone wireless!), and the
transfer of data files only via read/write media; floppy,
zip-drive, USB flash "disk" etc.

Laptop was only mentioned since it is portable, and thus
easier to keep from being left unattended (for an attacker to
gain surreptitious access to and install a hardware key-logger
on, for instance).

An old MSDOS laptop with floppies that are destroyed after each
use makes a near-perfect "geheimeschreiber".

tk

From dcarrera@math.umd.edu Mon May 19 06:21:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 19 05:21:03 2003
Subject: NULL passphrase. Secure?
Message-ID: <20030519032206.GC14815@math.umd.edu>

Hi all,

While we are on the topic of simplifying GPG for average users, I have a
question. For the purposes of the average user, who doesn't really have
much to hide and need not worry about impersonation, how bad would it be
to have a null passphrase?

A null passphrase means that all an attacker needs to do is obtain the
private key from the victim's hard drive. How difficult is that? Is it
difficult enough that regular users can afford to not worry about it?

Thanks.
--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

From jbruni@mac.com Mon May 19 07:39:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 19 06:39:02 2003
Subject: NULL passphrase. Secure?
In-Reply-To: <20030519032206.GC14815@math.umd.edu>
Message-ID:

Users are confronted with the need for passwords/passphrases
everywhere, whether it is for dialing in to their ISP via PPP,
accessing email, etc. The only time one needs to use a passphrase is
for decrypting and for signing. Asking for a passphrase to decrypt an
email is not asking too much, I think.

On the other hand, I do understand your position, however. I know that
my mother's iMac is quite secure and the odds of someone stealing her
secret key are close to nil. I think I'd have better odds at winning
the Powerball. The worst case should someone steal her secret key would
be that they could read the email I send her, since I'm the only person
that sends her encrypted email.

I think a lot of this depends on each situation (and individual) and
needs to be evaluated on a case-by-case basis. If the odds are higher
that someone would forget their passphrase compared with the odds of
having their secret key stolen, it might be more appropriate to leave
the passphrase empty.

-Joe

On Sunday, May 18, 2003, at 08:22 PM, Daniel Carrera wrote:

> Hi all,
>
> While we are on the topic of simplifying GPG for average users, I
> have a question. For the purposes of the average user, who doesn't
> really have much to hide and need not worry about impersonation, how
> bad would it be to have a null passphrase?
>
> A null passphrase means that all an attacker needs to do is obtain
> the private key from the victim's hard drive. How difficult is that?
> Is it difficult enough that regular users can afford to not worry
> about it?
>
> Thanks.
> --
> Daniel Carrera         | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
> UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html
>

From avbidder@fortytwo.ch Mon May 19 09:40:01 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Mon May 19 08:40:01 2003
Subject: [Q] How do I revoke my old key?
In-Reply-To: <3EC51220.9020305@cogeco.ca>
References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca>
Message-ID: <200305190841.23410@fortytwo.ch>

On Friday 16 May 2003 18:30, Eddie Roosenmaallen wrote:
> Next, you send the
> revoked key to keyservers. As a bare minimum, one LDAP and one HKP
> keyserver should suffice.

Hmm. As far as I know, the HKP keyservers are still divided into at least two
'networks': the wwwkeys.pgp.net part and the keyserver.net part.
Synchronisation works only rarely, so better send to belgium.keyserver.net,
too.

greetings
-- vbi

--
This is Unix we're talking about, remember. It's not supposed to be
nice for the applications programmer.
    -- Matthew Danish on debian-devel

From avbidder@fortytwo.ch Mon May 19 09:50:02 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Mon May 19 08:50:02 2003
Subject: NULL passphrase. Secure?
In-Reply-To: <20030519032206.GC14815@math.umd.edu>
References: <20030519032206.GC14815@math.umd.edu>
Message-ID: <200305190851.24187@fortytwo.ch>

On Monday 19 May 2003 05:22, Daniel Carrera wrote:

> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive. How difficult is that? Is it
> difficult enough that regular users can afford to not worry about it?

As it is now, I'd say on a non-networked, non-telnettable etc. machine, the
chances of anybody getting the private key is quite low.

As soon as a significant number of people start using convenience encryption
like that with some popular mailer, key theft will appear on the script
kiddie radar and some trojan will be modified to collect private keys. I rate
the chance of this happening to almost 100%

Of course, AOL putting up big signs saying 'AOL will never ask for your
password' doesn't stop some people from sending their passwords to any
passing stranger, so even with password protected secret keys, there'll be
some attack to reap keys+passphrases, so you can argue that using unprotected
private keys does no greater damage...

-- vbi

--
"Eat, drink, and be merry, for tomorrow you may work."

From avbidder@fortytwo.ch Mon May 19 09:56:01 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Mon May 19 08:56:01 2003
Subject: Keys not trusted
In-Reply-To: <871xyy1x8n.fsf@athene.jamux.com>
References: <200305060203.30183.wbo@mandrakesoft.com> <20030516155536.GA3635@jabberwocky.com> <871xyy1x8n.fsf@athene.jamux.com>
Message-ID: <200305190857.29299@fortytwo.ch>

On Friday 16 May 2003 21:56, John A. Martin wrote:

[trading vulnerabilities against security]

> We lock flimsy doors with weak locks so that it becomes _breaking and
> entering_ when someone enters by forcing a door.

Yes, but on a house, I can *see* that it is easy to smash the windows. People
know and fully understand that a locked door can be kicked in.

Computers are still mysterious to many people (and probably always will be),
they don't understand what's happening, and thus they can't understand what
can go wrong. They have to trust the experts. There is no easy way to look at
a computer and tell how easy it is to break in.

cheers
-- vbi

--
Available for key signing in Zürich and Basel, Switzerland
(what's this? Look at http://fortytwo.ch/gpg/intro)

From bfg@noviforum.si Mon May 19 13:25:03 2003
From: bfg@noviforum.si (Branko F. Graènar)
Date: Mon May 19 12:25:03 2003
Subject: storing keyrings into SQL database?
Message-ID: <00e801c31df1$12960010$fac8a8c0@mordor>

Hi there!

I would like to store keyrings into SQL database. Is this doable?
Would be hard to code such gpg hack ? Any directions, etc?

Brane

From wbo@mandrakesoft.com Mon May 19 13:34:03 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Mon May 19 12:34:03 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305170021.13368@erwin.ingo-kloecker.de>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305150117.21129.wobo@wolf-b.de> <200305170021.13368@erwin.ingo-kloecker.de>
Message-ID: <200305191231.30095.wbo@mandrakesoft.com>

** Ingo Klöcker (Saturday, 17 May 2003 00:21)
> On Thursday 15 May 2003 01:17, Wolfgang Bornath wrote:
> > ** Ingo Klöcker (Wednesday, 14 May 2003 23:04)
> >
> > > Well, obviously gpgme-config is missing for some reason (it
> > > should be in /usr/local/bin if you didn't change the install
> > > prefix with the --prefix option). Did installing gpgme really
> > > work?
> >
> > Yes, without errors (make returned '0')
>
> gpgme-config will be installed automatically together with the rest
> of gpgme. Is it really missing from /usr/local/bin? Maybe
> /usr/local/bin is for some reason not in your $PATH?

The file gpgme-config really *is* in /usr/local/bin and:

[wobo@molch wobo]$ echo $PATH
/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/games:/home/wobo/bin

So it should be found. Hmm, I guess I'll just give it another try.

wobo
--
Public GnuPG key available at keyserver www.mandrakesecure.net

From debug Mon May 19 13:54:03 2003
From: debug (DeBug)
Date: Mon May 19 12:54:03 2003
Subject: Re[2]: Encouraging email security.
In-Reply-To: <3EC82C63.5010001@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <20030518214525.GA2010@math.umd.edu> <3EC82C63.5010001@3web.net>
Message-ID: <14012258974.20030519135522@centras.lt>

t> I assume that the computer is not connected to the 'net (while
t> the mail is composed, crypted, or read). It might only be connected
t> to upload and download the mail, but not even that is to be assumed
t> let alone required.

Is there a way to submit my public key via e-mail
(i have only email access - SMTP and POP3 ports open)

--
Best regards,
DeBug mailto:debug@centras.lt

--

From patrick.brunschwig@gmx.net Mon May 19 15:01:01 2003
From: patrick.brunschwig@gmx.net (Patrick Brunschwig)
Date: Mon May 19 14:01:01 2003
Subject: Mime Type for Encrypted Attachments
Message-ID: <3EC8C7DE.9060703@gmx.net>

What would be the correct content type for encrypted attachments if the
mail is sent as inline PGP (i.e. multipart/mixed)?

I have found a number of content types that seem to be in use, so I'm
not sure what would be the "best". I know that e.g. Outlook uses
"application/octet-stream", but I think this is a rather bad default.

What about "application/pgp" or "application/pgp-encrypted", any idea?

-Patrick

From wk@gnupg.org Mon May 19 16:46:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Mon May 19 15:46:02 2003
Subject: storing keyrings into SQL database?
In-Reply-To: <00e801c31df1$12960010$fac8a8c0@mordor> ("Branko F. Gračnar"'s message of "Mon, 19 May 2003 12:26:12 +0200")
References: <00e801c31df1$12960010$fac8a8c0@mordor>
Message-ID: <87smrb2gj9.fsf@alberti.g10code.de>

On Mon, 19 May 2003 12:26:12 +0200, Branko F Gračnar said:

> I would like to store keyrings into SQL database. Is this doable?

It does not make much sense. keyrings are internal to gpg and their
internals may change without notice. Also an SQL DB is far too slow
for gpg's purposes - frankly, the current code to handle keyrings is
too slow.

You may want to store some selected information of the keys in your
DB; most notable the fingerprint.

Salam-Shalom,

   Werner

--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi

From eleuteri@myrealbox.com Mon May 19 17:35:02 2003
From: eleuteri@myrealbox.com (David Picon Alvarez)
Date: Mon May 19 16:35:02 2003
Subject: storing keyrings into SQL database?
References: <00e801c31df1$12960010$fac8a8c0@mordor> <87smrb2gj9.fsf@alberti.g10code.de>
Message-ID: <001401c31e13$48089600$f92489c3@enterprise>

> It does not make much sense. keyrings are internal to gpg and their
> internals may change without notice. Also an SQL DB is far too slow
> for gpg's purposes - frankly, the current code to handle keyrings is
> too slow.

Somewhat off-topic, but is this slowness accidental or essential? Is it
likely to go away in the future?

--David.

From bfg@noviforum.si Mon May 19 18:17:02 2003
From: bfg@noviforum.si (Branko F. Gracnar)
Date: Mon May 19 17:17:02 2003
Subject: storing keyrings into SQL database?
References: <00e801c31df1$12960010$fac8a8c0@mordor> <87smrb2gj9.fsf@alberti.g10code.de>
Message-ID: <020901c31e19$ce287740$fac8a8c0@mordor>

I would like to write horde imp (free webmail) extension which would
support gpg for encrypting messages. I know, I can create directory for
each user on webmail server and then call gpg binary using different env
settings, but this logic will break up if imp would run on multiple
servers simultaneously without shared FS.

It would be much easier to implement such thing using SQL database.

Too bad. Any ideas how to implement such thing?

Brane

From wk@gnupg.org Wed May 21 15:03:50 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 21 14:03:50 2003
Subject: storing keyrings into SQL database?
In-Reply-To: <001401c31e13$48089600$f92489c3@enterprise> ("David Picon Alvarez"'s message of "Mon, 19 May 2003 15:30:39 +0100")
References: <00e801c31df1$12960010$fac8a8c0@mordor> <87smrb2gj9.fsf@alberti.g10code.de> <001401c31e13$48089600$f92489c3@enterprise>
Message-ID: <87iss72bt3.fsf@alberti.g10code.de>

On Mon, 19 May 2003 15:30:39 +0100, David Picon Alvarez said:

> Somewhat off-topic, but is this slowness accidental or essential? Is it
> likely to go away in the future?

This is due to the fact that the keyring is not indexed and thus we
have to do a sequential search for each key we need while traversing
the web-of-trust. Furthermore we don't store any meta information
like fingerprint or keyID, so we have to calculate them on the fly :-(

I have a new storage format ready which allows for better random
access and makes searching by fingerprint really fast. gpgsm already
uses this format.

This is the reason why I always stress that --import and --export are
the only defined interfaces to the keys.

Salam-Shalom,

   Werner

--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi

From Todd Wed May 21 15:05:04 2003
From: Todd (Todd)
Date: Wed May 21 14:05:04 2003
Subject: Mime Type for Encrypted Attachments
In-Reply-To: <3EC8C7DE.9060703@gmx.net>
References: <3EC8C7DE.9060703@gmx.net>
Message-ID: <20030519155433.GA14818@psilocybe.teonanacatl.org>

Patrick Brunschwig wrote:
> What would be the correct content type for encrypted attachments if the
> mail is sent as inline PGP (i.e. multipart/mixed)?
>
> I have found a number of content types that seem to be in use, so I'm
> not sure what would be the "best". I know that e.g. Outlook uses
> "application/octet-stream", but I think this is a rather bad default.
>
> What about "application/pgp" or "application/pgp-encrypted", any idea?

I think it would be one of:

application/pgp-encrypted
application/pgp-signature
application/pgp-keys

Those are the content types defined in
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

-- 
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
============================================================================
Mary had a crypto key, she kept it in escrow, and everything that Mary
said, the Feds were sure to know.
    -- Sam Simpson

From rmalayter@bai.org Wed May 21 15:06:34 2003
From: rmalayter@bai.org (Ryan Malayter)
Date: Wed May 21 14:06:34 2003
Subject: storing keyrings into SQL database?
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA51@cliff.bai.org>

From: Branko F. Gracnar [mailto:bfg@noviforum.si]
>Any ideas how to implement such thing?

You could certainly store keyring files in a SQL database, then extract
them to a unique temporary filename when needed. Use random hex
characters or something to preface the temporary file name. Then you can
call GPG like this:

	gpg --keyring 0431265474Fpubring.gpg --secret-keyring 0431265474Fsecring.gpg

Then set up a background thread that cleans up old keyring files /
directories based on date. You should have a sufficient number of random
characters in your prefix to prevent any possible collisions for
security's sake. I would suggest at least 32 random hex digits, or 22
characters if you use base64 encoding.

Ryan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

From johanw@vulcan.xs4all.nl Wed May 21 15:07:43 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Wed May 21 14:07:43 2003
Subject: NULL passphrase. Secure?
In-Reply-To: <200305190851.24187@fortytwo.ch> from "Adrian 'Dagurashibanipal' von Bidder" at "May 19, 2003 08:51:20 am"
Message-ID: <200305191123.NAA01211@vulcan.xs4all.nl>

Adrian 'Dagurashibanipal' von Bidder, wrote:

> As soon as a significant number of people start using convenience
> encryption like that with some popular mailer, key theft will appear on
> the script kiddie radar and some trojan will be modified to collect
> private keys. I rate the chance of this happening to almost 100%

You don't have to wait for that, such a virus exists already for a long
time. Since the virus I read from is rather old I doubt it can also find
GnuPG keys, but I agree that that's only a matter of time.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dvgevers@xs4all.nl Wed May 21 15:09:42 2003
From: dvgevers@xs4all.nl (Dick Gevers)
Date: Wed May 21 14:09:42 2003
Subject: Using GnuPG on Windows/Linux
In-Reply-To:
References:
Message-ID: <20030519211549.19fdf840.dvgevers@xs4all.nl>

On Wed, 14 May 2003 21:59:30 +0200, Johan Parin wrote about Using GnuPG on
Windows/Linux:

> What would be the best way to set this up? Any suggestions welcome.

Hi Johan and others,

This is not exactly the answer you asked for, but my suggestion is to set
it up under Win the Windows way (preferably on NTFS) and under Linux the
Linux way.

If you want to share your key ring I suggest you take your keyring(s) with
you via a FAT(32) partition during reboot time. In Linux you can

gpg (--interactive) --import myother_pubring.gpg

and I am sure this will work in Windows too. Secret keys too.

When I upgraded my Windows box at long last to a multiboot box running
Linux (~99% of 24/7 hours) I took my keys with me and hardly use those in
Windows anymore.

HTH,
Regards,
=Dick Gevers=
-- 
Registered Linux user # 309037

From ingo.kloecker@epost.de Wed May 21 15:10:39 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Wed May 21 14:10:39 2003
Subject: Mime Type for Encrypted Attachments
In-Reply-To: <3EC8C7DE.9060703@gmx.net>
References: <3EC8C7DE.9060703@gmx.net>
Message-ID: <200305192100.55127@erwin.ingo-kloecker.de>

On Monday 19 May 2003 14:02, Patrick Brunschwig wrote:
> What would be the correct content type for encrypted attachments if
> the mail is sent as inline PGP (i.e. multipart/mixed)?
>
> I have found a number of content types that seem to be in use, so I'm
> not sure what would be the "best". I know that e.g. Outlook uses
> "application/octet-stream", but I think this is a rather bad default.
>
> What about "application/pgp" or "application/pgp-encrypted", any
> idea?

application/pgp-encrypted is definitely the wrong choice because that's
the content type of the message part which holds the version number of
a PGP/MIME encrypted message. Here's a short example of such a message:

====================
From: xyz
To: abc
Date: ...
Subject: secret
MIME-version: 1.0
Content-type: multipart/encrypted; charset=iso-8859-15;
  boundary="Boundary-02=_0guk++/xisah7Wk";
  protocol="application/pgp-encrypted"
Content-transfer-encoding: 7bit

--Boundary-02=_0guk++/xisah7Wk
Content-Type: application/pgp-encrypted
Content-Description: version code
Content-Disposition: attachment

Version: 1

--Boundary-02=_0guk++/xisah7Wk
Content-Type: application/octet-stream
Content-Description: encrypted data
Content-Disposition: inline; filename="msg.asc"

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.1 (GNU/Linux)

hQIOAzDP3ccyMZU4EAf/Q3tO7Iziro8/NUs+7Lqk76poiPY8fza5AOdL7kB4fkWJ
...
=1WYw
-----END PGP MESSAGE-----

--Boundary-02=_0guk++/xisah7Wk--
====================

And IIRC application/pgp was used for inline encrypted messages before
PGP/MIME was developed.

I'd say using application/octet-stream is the correct choice. You could
add Content-Description and Content-Disposition as in the above
PGP/MIME message. But since probably no email client will understand
such a non-standard message it doesn't really matter.

Regards,
Ingo

From dshaw@jabberwocky.com Wed May 21 15:11:41 2003
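The layout in the sample message above can be checked mechanically. The following is an added example (not part of the original post) that uses Python's standard `email` package to verify a `multipart/encrypted` container and to flag `application/pgp-encrypted` used on an ordinary attachment; both sample messages and all function names are constructed for illustration.

```python
"""Added example: lint a message against the PGP/MIME encrypted layout."""
from email import message_from_string, policy

CONTROL = "application/pgp-encrypted"

# Constructed sample modelled on the message in the post; the payload is a stub.
PGP_MIME = """\
From: xyz
To: abc
Subject: secret
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="b1";
 protocol="application/pgp-encrypted"

--b1
Content-Type: application/pgp-encrypted
Content-Description: version code

Version: 1

--b1
Content-Type: application/octet-stream
Content-Disposition: inline; filename="msg.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed counter-example: inline PGP in multipart/mixed with the
# attachment mislabelled as application/pgp-encrypted.
MISLABELLED = """\
From: xyz
To: abc
Subject: secret
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

see attachment

--b2
Content-Type: application/pgp-encrypted
Content-Disposition: attachment; filename="file.pgp"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b2--
"""


def check_container(msg):
    """Check one multipart/encrypted node; return a list of problems."""
    problems = []
    if (msg.get_param("protocol") or "").lower() != CONTROL:
        problems.append("protocol parameter is not " + CONTROL)
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        return problems + ["expected exactly 2 parts, found %d" % len(parts)]
    control, data = parts
    body = (control.get_payload(decode=True) or b"").decode("ascii", "replace")
    fields = [line.strip().lower() for line in body.splitlines()]
    if control.get_content_type() != CONTROL:
        problems.append("first part is " + control.get_content_type())
    elif "version: 1" not in fields:
        problems.append("control part lacks 'Version: 1'")
    armored = data.get_payload(decode=True) or b""
    if data.get_content_type() != "application/octet-stream":
        problems.append("second part is " + data.get_content_type())
    elif b"-----BEGIN PGP MESSAGE-----" not in armored:
        problems.append("second part holds no armored PGP message")
    return problems


def lint(part, problems=None):
    """Walk the MIME tree; containers are checked, stray control types flagged."""
    problems = [] if problems is None else problems
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        problems.extend(check_container(part))
    elif part.is_multipart():
        for child in part.iter_parts():
            lint(child, problems)
    elif ctype == CONTROL:
        problems.append(CONTROL + " used outside multipart/encrypted")
    return problems


def lint_text(raw):
    """Parse a raw message string and lint it."""
    return lint(message_from_string(raw, policy=policy.default))
```
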
From: dshaw@jabberwocky.com (David Shaw)
Date: Wed May 21 14:11:41 2003
Subject: Encouraging email security.
In-Reply-To: <14012258974.20030519135522@centras.lt>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <20030518214525.GA2010@math.umd.edu> <3EC82C63.5010001@3web.net> <14012258974.20030519135522@centras.lt>
Message-ID: <20030519210828.GC3486@jabberwocky.com>

On Mon, May 19, 2003 at 01:55:22PM +0300, DeBug wrote:
> t> I assume that the computer is not connected to the 'net (while
> t> the mail is composed, crypted, or read). It might only be connected
> t> to upload and download the mail, but not even that is to be assumed
> t> let alone required.
>
> Is there a way to submit my public key via e-mail
> (i have only email access - SMTP and POP3 ports open)

Many of the keyservers have an email keyserver component. GnuPG can
use them:

gpg --keyserver mailto:pgp-public-keys@keys.pgp.net --send-key (thekey)

David

From dshaw@jabberwocky.com Wed May 21 15:12:37 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Wed May 21 14:12:37 2003
Subject: [Q] How do I revoke my old key?
In-Reply-To: <200305190841.23410@fortytwo.ch>
References: <20030516155443.GC1234@math.umd.edu> <3EC51220.9020305@cogeco.ca> <200305190841.23410@fortytwo.ch>
Message-ID: <20030519210551.GB3486@jabberwocky.com>

On Mon, May 19, 2003 at 08:41:14AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
> On Friday 16 May 2003 18:30, Eddie Roosenmaallen wrote:
> > Next, you send the
> > revoked key to keyservers. As a bare minimum, one LDAP and one HKP
> > keyserver should suffice.
>
> Hmm. As far as I know, the HKP keyservers are still divided into at least two
> 'networks': the wwwkeys.pgp.net part and the keyserver.net part.
> Synchronisation works only rarely, so better send to belgium.keyserver.net,
> too.

Note that the keyserver.net software doesn't work very well with
GnuPG. I'd use the pgp.net servers instead.

Wow, I sound like a broken record... a few months ago, that's what I
was saying about pgp.net. Of course, pgp.net is being fixed now. :)

David

From dshaw@jabberwocky.com Wed May 21 15:13:43 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Wed May 21 14:13:43 2003
Subject: Encouraging email security.
In-Reply-To: <3EC6EDA9.4070402@3web.net>
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net>
Message-ID: <20030519214534.GD3486@jabberwocky.com>

On Sun, May 18, 2003 at 02:19:21AM +0000, tk wrote:

> Large proportion of e-mail users communicate mostly in their own
> "small-world" communities and they have absolutely no problem
> whatsoever exchanging, authenticating, revoking, etc. their public
> keys. It is also most likely that communication with fellow members
> of such communities will need to be protected (as opposed to the
> communication with strangers). I would thus suggest that a
> simplified GPG version (GPG-lite?) should be constructed and
> deployed, where the system does not even attempt to assist (let
> alone control) the dissemination, authentication and revocation of
> public keys. The security of such system would remain as strong as
> the "real thing", provided that the key is exchanged in person (its
> finger verified over phone, printed on a business card etc. etc.).

This is a fairly frequent request, but the functionality you desire is
built into every copy of GnuPG. GnuPG is extremely configurable.

For example, to completely disable the web of trust, put:

always-trust

in your gpg.conf file. That makes all keys fully valid and ignores
all signatures on them.

A slightly less drastic way to disable the web of trust is:

max-cert-depth 1

That makes GnuPG trust any key you have signed yourself, but no
others.

If you want certain ciphers to be used, try:

default-preference-list ""

That makes the key use only 3DES, SHA1, and ZIP (or none) compression.

David

From johanw@vulcan.xs4all.nl Wed May 21 15:14:49 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Wed May 21 14:14:49 2003
Subject: storing keyrings into SQL database?
In-Reply-To: <020901c31e19$ce287740$fac8a8c0@mordor> from "Branko F. Gracnar" at "May 19, 2003 05:17:47 pm"
Message-ID: <200305192210.AAA01311@vulcan.xs4all.nl>

Branko F. Gracnar wrote:

> It would be much easier to implement such thing using SQL database.

Why? For extracting the keys and displaying information you can use the
gpg binary. I think the speed problem can be solved by ignoring all trust
issues, what I understand from discussions here the trust database is the
slowing factor for large keyrings. I don't know if that's acceptable for
your application.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From jharris@widomaker.com Wed May 21 15:15:57 2003
From: jharris@widomaker.com (Jason Harris)
Date: Wed May 21 14:15:57 2003
Subject: new (2003-05-18) keyanalyze results
Message-ID: <20030519233903.GI87246@pm1.ric-30.lft.widomaker.com>

New keyanalyze results are available at:
  http://keyserver.kjsl.com/~jharris/ka/2003-05-18/

Earlier reports are also available, for comparison:
  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:
  http://dtype.org/keyanalyze/

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From yenot@sec.to Wed May 21 15:17:39 2003
From: yenot@sec.to (Yenot)
Date: Wed May 21 14:17:39 2003
Subject: Opportunistic Encryption
In-Reply-To: <5.1.0.14.2.20030516121927.021e0668@localhost>
References: <5.1.0.14.2.20030516121927.021e0668@localhost>
Message-ID: <200305200416.32088.yenot@sec.to>

On Friday 16 May 2003 02:19 pm, Per Tunedal wrote:
>
> I would like to add automatic use of robot-CA:s to the scheme. It's
> a simple way of tying a key to an e-mail address:
> - the user just generates a key
> - the client sends it to a robot-CA
> - the robot CA signs the key, encrypts it with the same key and
> returns it to all e-mail addresses used in the userid.
> - the encrypted message from the robot-CA is received, decrypted,
> the signed key is imported to the keyring and sent to at least one
> keyserver.

I intentionally left the robot-CA out of my proposal. Original post
here:
http://marc.theaimsgroup.com/?l=gnupg-users&m=105303925223294&w=2

With the public keyservers, robot verification serves a greater
purpose. Any moron can upload 1000 bogus keys for your e-mail
address to the public keyservers. Those keys will stay on the
servers forever. The robot-CA provides a way of getting around this
non-temporary DOS attack.

The main objection people had to the robot-CA, was that it added more
risk and complexity to an already complex system. To me, this is/was
a valid complaint, so the protocol I sketched out reduces complexity
and infrastructure by eliminating the problematic public keyservers
altogether. Since full key exchange occurs over the course of 3
messages (1.5 round trips I should have written in the original
message), your assurance that addresses and keys correlate is already
high. For further assurance, key exchange was made as simple as
possible.

- Yenot

From yenot@sec.to Wed May 21 15:19:34 2003
From: yenot@sec.to (Yenot)
Date: Wed May 21 14:19:34 2003
Subject: Encouraging email security.
In-Reply-To: <016301c31cf3$33b61ef0$f92489c3@enterprise>
References: <20030517234222.GA16303@math.umd.edu> <3EC6EDA9.4070402@3web.net> <016301c31cf3$33b61ef0$f92489c3@enterprise>
Message-ID: <200305200424.31184.yenot@sec.to>

On Sunday 18 May 2003 08:06 am, David Picon Alvarez wrote:
> I don't think it's a question of UI any more, I
> think it's a question of needs and threat models. If you don't need
> something and it carries a cost you're not likely to use it.

> Perhaps the only way to get people to use encryption is to have a
> so-called "zero-UI solution" but even so, unless it would come
> incorporated in the MUA, I don't see people bothering to install
> it.

That's the wrong attitude. Cost is the problem -- clever UI is the
solution! The lower the cost of encryption (workload and monetary
costs), the more people will use it.

I've followed PGP for many years, and I'm more optimistic about it now
than ever before. Secure e-mail *can* be reborn. The reason: A new
class of *free*, full featured, e-mail clients with fully integrated
OpenPGP support *has* appeared. These OpenPGP enabled clients do not
require expensive S/MIME certificates and their implementations are
interoperable. (Certificate cost being the dead-birth of S/MIME and
interoperability being a major holdback for both S/MIME and OpenPGP in
the past.) If we can lower the cost of key distribution and
authentication via innovative software design, rebirth of OpenPGP
*can* happen.

Thanks to KMail and the latest commercial PGP, I am sending more
encrypted e-mail than ever before! I'm borderline paranoid. I've had
my e-mail read numerous times and I've read others mail (by orders
from superiors no less). Even for a user like myself, OpenPGP was
nothing but a toy until KMail came to my rescue. For me, KMail
removed the pain of encrypted e-mail.

But even now the cost is too high, we need to lower it further.

- Yenot

From bfg@noviforum.si Wed May 21 15:23:49 2003
From: bfg@noviforum.si ("Branko F. Grac(nar")
Date: Wed May 21 14:23:49 2003
Subject: storing keyrings into SQL database?
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA51@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2AEA51@cliff.bai.org>
Message-ID: <3EC9ECF6.7010106@noviforum.si>

|You could certainly store keyring files in a SQL database, then extract
|them from to a unique temporary filename when need. Use random hex
|characters of something to preface the temporary file name. Then you can
|call GPG like this:
|	gpg --keyring 0431265474Fpubring.gpg --secret-keyring
|0431265474Fsecring.gpg

Uf. This is ugly and possibly unsecure, but it's doable.

Brane

From dlc@users.sourceforge.net Wed May 21 15:26:02 2003
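The temporary-keyring approach suggested earlier in the thread and quoted in the message above can be made less fragile with exclusive file creation, owner-only permissions and age-based cleanup. The following is an added example, not code from any poster or from GnuPG: the table, function names and directory layout are hypothetical, the blobs are constructed placeholders, and the gpg options are those given in the thread plus `--no-default-keyring`.

```python
"""Added example: per-request temporary keyrings pulled from an SQL table.

Table, function and directory names are assumptions for illustration.
The gpg options mirror the ones quoted in the thread (GnuPG 1.2 era).
"""
import os
import secrets
import shutil
import sqlite3
import stat
import tempfile
import time

SCHEMA = """CREATE TABLE IF NOT EXISTS keyrings (
    username TEXT PRIMARY KEY, pubring BLOB NOT NULL, secring BLOB NOT NULL)"""


def store_keyrings(conn, username, pubring, secring):
    """Insert or replace one user's keyring blobs (parameterised query)."""
    conn.execute(SCHEMA)
    conn.execute("INSERT OR REPLACE INTO keyrings VALUES (?, ?, ?)",
                 (username, pubring, secring))
    conn.commit()


def _write_private(path, data):
    """Create the file exclusively with mode 0600; fail if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def materialize(conn, username, workdir):
    """Write a user's keyrings into a fresh private directory.

    Returns (directory, gpg_argv_prefix). The directory name carries
    32 random hex digits, the minimum suggested in the thread.
    """
    row = conn.execute(
        "SELECT pubring, secring FROM keyrings WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    token = secrets.token_hex(16)          # 16 random bytes -> 32 hex digits
    target = os.path.join(workdir, token)
    os.mkdir(target, 0o700)                # raises if the name is already taken
    pub = os.path.join(target, "pubring.gpg")
    sec = os.path.join(target, "secring.gpg")
    _write_private(pub, row[0])
    _write_private(sec, row[1])
    argv = ["gpg", "--no-default-keyring",
            "--keyring", pub, "--secret-keyring", sec]
    return target, argv


def reap(workdir, max_age_seconds, now=None):
    """Remove keyring directories older than max_age_seconds; return names."""
    now = time.time() if now is None else now
    removed = []
    for entry in list(os.scandir(workdir)):
        if not entry.is_dir(follow_symlinks=False):
            continue                       # never follow links planted here
        age = now - entry.stat(follow_symlinks=False).st_mtime
        if age > max_age_seconds:
            shutil.rmtree(entry.path)
            removed.append(entry.name)
    return removed


def demo():
    """Run the whole cycle on constructed placeholder blobs (not real keyrings)."""
    conn = sqlite3.connect(":memory:")
    store_keyrings(conn, "alice", b"constructed-pubring", b"constructed-secring")
    workdir = tempfile.mkdtemp(prefix="keyrings-")
    try:
        target, argv = materialize(conn, "alice", workdir)
        name = os.path.basename(target)
        mode = stat.S_IMODE(os.stat(argv[5]).st_mode)
        kept = reap(workdir, 3600)                          # fresh copy survives
        gone = reap(workdir, 3600, now=time.time() + 7200)  # two hours later
        return {"name": name, "secring_mode": mode, "argv": argv,
                "kept": kept, "gone": gone}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
```
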
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Wed May 21 14:26:02 2003
Subject: Encouraging email security.
In-Reply-To: <14012258974.20030519135522@centras.lt>
References: <20030517234222.GA16303@math.umd.edu> <005701c31d08$58b4be90$f92489c3@enterprise> <3EC76C1C.9090106@exit109.com> <200305181412.47854.graham.todd@ntlworld.com> <3EC7EB3D.9010107@3web.net> <20030518214525.GA2010@math.umd.edu> <3EC82C63.5010001@3web.net> <14012258974.20030519135522@centras.lt>
Message-ID: <20030519-f972a0b51dbf165428de5c080f4c06f7@tumbleweed.boston.com>

* DeBug [2003-05-19 08:51]:
> Is there a way to submit my public key via e-mail
> (i have only email access - SMTP and POP3 ports open)

Most keyservers do have email interfaces; take a look at, e.g.,
pgp.mit.edu for details.

(darren)

-- 
I was thrown out of college for cheating on the metaphysics exam; I
looked into the soul of the boy sitting next to me.
    -- Woody Allen

From dlc@users.sourceforge.net Wed May 21 15:26:58 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Wed May 21 14:26:58 2003
Subject: Encouraging email security.
In-Reply-To: <20030519002309.GA17401@wg78.homeunix.net>
References: <20030517234222.GA16303@math.umd.edu> <200305181854.22269.malte_gell@t-online.de> <20030518190052.GA1295@math.umd.edu> <200305182314.10960.graham.todd@ntlworld.com> <20030519002309.GA17401@wg78.homeunix.net>
Message-ID: <20030519-fd1e4d1ce9bb994d39d40e43d26a996b@tumbleweed.boston.com>

* Peter Prohaska [2003-05-19 08:50]:
> Or if i could tell him to point his browser to "about:pgp" or to click
> at the "About encryption/pgp" entry in the help menu.

The "about:pgp" is a great suggestion, and one that could probably be
easily implemented in both mozilla and enigmail. Under mozilla, it
could be a basic intro, with a download link for enigmail, and under
enigmail it could be a quick start guide.

(darren)

-- 
Judge a man by his questions rather than his answers.
    -- Voltaire

From dlc@users.sourceforge.net Wed May 21 15:27:56 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Wed May 21 14:27:56 2003
Subject: Encouraging email security.
In-Reply-To: <200305190013.03226@erwin.ingo-kloecker.de>
References: <5.1.0.14.2.20030518223223.035a4b68@localhost> <200305190013.03226@erwin.ingo-kloecker.de>
Message-ID: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com>

* Ingo Klöcker [2003-05-19 08:50]:
> Anyway, who needs Mozilla Mail on Linux/Unix if he can
> use KMail.

...And here, I think, is the crux of the problem -- different mail
clients have varying levels of support for interfacing with an
encryption program. In order to make this easy to use, ubiquitous
encryption system work, this discussion has mostly postulated a
specific email client with fully integrated, native support for GPG.
But, as I'm sure we all realize, getting everyone to use the same mail
client will be just as difficult as getting everyone to use encryption,
with a lot of the same difficulties (e.g., people who just don't
understand the need, even when it's been explained to them).

Anyway, who needs KMail/Mozilla mail/etc when mutt works just as well
(better, I'd argue ;), and is smaller, faster, and more portable, too?

(darren)

-- 
If I worked as much as others I would do as little as they.

From JPClizbe@attbi.com Wed May 21 15:28:59 2003
From: JPClizbe@attbi.com (John Clizbe)
Date: Wed May 21 14:28:59 2003
Subject: NULL passphrase. Secure?
In-Reply-To: <20030519032206.GC14815@math.umd.edu>
References: <20030519032206.GC14815@math.umd.edu>
Message-ID: <3ECA3796.8020205@attbi.com>

Daniel Carrera wrote:
>
> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive. How difficult is that? Is it
> difficult enough that regular users can afford to not worry about it?

How difficult? Not at all, all you have to do is ask. See Adrian von
Bidder's post to the keyserver-folk list from August 2002 (This was
discussing PGP specifically, but is applicable to all encryption - even
X.509 certs).

-------- Original Message --------
Subject: [Pgp-keyserver-folk] Re: pgp.com
Date: 29 Aug 2002 08:47:53 +0200
From: Adrian 'Dagurashibanipal' von Bidder
To: pgp-keyserver-folk@flame.org

I guess after 9-11 and with the right paranoia marketing (they should
hire some marketing freak from mcaffee etc.), I guess you could get
quite a number of mainstream users get to use pgp, iff the user
interface is simple enough.

Problem of course that these users would have absolutely no clue about
how to use a cryptosystem in a safe manner, so I'd expect the number of
'exploits' against the openpgp system to be comparable to the number of
msword macro viruses.

Yes, I can definitely see it coming...

ANALYZE YOUR PGP KEY SECURITY

Hi!

As you may have heard, a research institute made a huge mathematical
breakthrough in prime number computation a few weeks a ago. As prime
numbers are the basics of encryption systems like PGP, this may affect
the security of your encrypted or signed documents and emails.

WATERTIGHTKEYS Inc., offers you the unique possibility to have your PGP
key analyzed, and provides a CERTIFICATE OF SECURITY in the likely event
that your key is not made vulnerable through this new discovery.

To analyze your key, we will unfortunately need both your private and
your public key, but luckily the password of your private key is not
needed, so you can be ensured that your key will never be compromised.
Furthermore, WATERTIGHTKEYS Inc. guarantees that your key is only stored
as long as needed for the analysis, and completely deleted from all our
systems after sending you the certificate.

To get your FREE CERTIFICATE RIGHT NOW, mail your public and private key
pair to PRIMENUMBERATTACK@WATERTIGHTKEYS.COM, or visit
http://www.watertightkeys.com for more information.

Respectfully yous,
Dr. Howard J.E.R.K. Watson
CEO WATERTIGHTKEYS, Inc.

-- 

From mwood@IUPUI.Edu Wed May 21 15:30:02 2003
From: mwood@IUPUI.Edu (Mark H. Wood)
Date: Wed May 21 14:30:02 2003
Subject: Encouraging email security.
In-Reply-To: <5.1.0.14.2.20030518223116.03576208@localhost>
Message-ID:

On Sun, 18 May 2003, Per Tunedal wrote:
> -----pgpenvelope processed message
>
> At 05:06 2003-05-18 +0100, you wrote:
> >
> >Quoting from an e-mail I got from a real user(tm):
> >"but what is there to be encrypted? fine if we were doing something
> >critical"
> >
> ---
> >Today's interfaces (gpgrelay for example) are incredibly easy to
> >use, and there is PGP which AFAIK has a polished UI. I don't think it's a
> >question of UI any more, I think it's a question of needs and threat models.
> >If you don't need something and it carries a cost you're not likely to use
> >it.
> >
> >- --David.
> >
> This is an interesting approach! It's about marketing ... A lot of people
> might have a need for "our" product encryption, in our eyes. But they don't
> have the same feeling.
>
> Maybe we would have to focus some more urgent need of our prospect customers?
> Any marketing Guru's around?

Well, over here in .us people are beginning to get upset about identity theft. Unsecured email certainly sounds like an easy target for identity thieves, to me. Anybody see how to link the two and get some press coverage?

> BTW Identification and digital signatures with competing certificate
> techniques are "sold" in Sweden by e.g. the tax authorities: You need a
> certificate to be able to communicate with the tax agencies etc I suppose
> it will eventually be widespread, because it's more easy than filling forms
> by hand.
>
> The certificates are offered by the banks (easy because internet banking is
> widespread) and the Post (the snail mails doesn't produce any revenue).
> Most certificates are soft (file) certificates, but you can buy an
> "electronic ID-card" at one bank (Nordea) or at a postoffice.

That sounds a lot like what I'd like to see here.

I'd also like to see the medical industry take up encrypted electronic comm.s. I could email notes to be dropped into my medical record for the doctor to review *before* my next visit. I could receive test results more conveniently *and* more securely. We could move away from this insecure and error-prone system of ordering drugs via hand-scrawled notes on little scraps of paper.

Want more? How about setting your community's school up with secure, authenticated access and transmission of grade reports, disciplinary summaries, events, etc. Lots of people get really worked up about the privacy of educational records and notices, yet we hand these over to children to carry home in their bookbags. In our community we can email our kids' teachers informally, but we could go a lot further with secure communication.

Lately our utilities all want me to switch over to electronic monthly statements. I don't want to give up paper copy, though, until they will provide me with *signed* statements that I can take to small-claims court as proof of what they said, if need be.

I'd like to quash "slamming" by asking my phone company to accept change orders for my service *only* on signed media. Maybe they'd even sell lists of accounts that *cannot* be accessed by telemarketers, so the latter would know better than to waste their time by wasting mine. It could save the telco some money too, by avoiding the investigation and reversal of unwanted changes.

There's no end to the things we could do more conveniently and more reliably if we had a really pervasive PKI.

--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".

From mwood@IUPUI.Edu Wed May 21 15:30:47 2003
From: mwood@IUPUI.Edu (Mark H. Wood)
Date: Wed May 21 14:30:47 2003
Subject: Encouraging email security.
In-Reply-To: <200305182334.21309.wbo@mandrakesoft.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 18 May 2003, Wolfgang Bornath wrote:
> I'm one of Joes or Harrys of the unwashed masses. Most of my friends and
> acquaintances are. We exchange mails, we post to newsgroups and/or
> mailing lists. In 99% of all cases those mails and postings never
> consisted of 'sensitive' or even 'embarrassing' material. It is very
> difficult to reason with something which is not there.

This points indirectly to part of the problem: people tend to associate cryptography with secrecy only. But OpenPGP and S/MIME also do signing. Maybe you don't send sensitive or embarrassing material, but what if someone else sent embarrassing statements, and put your name at the bottom and your address in the header?

I usually don't have any secrets to hide, but I don't want to be misrepresented, and I'd sign everything I send if I wasn't embarrassed to have you all find out that I haven't yet collected a single nonself signature on my key -- oops! :-/

> I used PGP and am now using GnuPG in Linux. But just the other week I
> tried to convince a neighbor to use signing and en-/decryption. "Why
> should I? Everybody can read what I'm writing. There's nothing I have
> to hide! I'm not a crook or such!"

I'm not a crook either; I want to use encryption to give the crooks a hard time!

- --
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQE+ykVOs/NR4JuTKG8RAsswAKCYU4gHST9UJBN7UVAgssI9ZnPtEQCfb+ue
NFTqsculjlh2rYkKuyYbeyo=
=rh2P
-----END PGP SIGNATURE-----

From JPClizbe@attbi.com Wed May 21 15:31:38 2003
From: JPClizbe@attbi.com (John Clizbe)
Date: Wed May 21 14:31:38 2003
Subject: Encouraging email security.
In-Reply-To: <20030518190052.GA1295@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu> <200305180533.42476.graham.todd@ntlworld.com> <200305181854.22269.malte_gell@t-online.de> <20030518190052.GA1295@math.umd.edu>
Message-ID: <3ECA4B8F.2030308@attbi.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Carrera wrote:
>
> On this note, what can we do about hotmail users?
> AFAIK hotmail doesn't offer POP3 or IMAP. Suppose, for the sake of
> argument, that a hotmail user becomes interested in using GPG. Is there
> any way for the he or she to start using GPG with their hotmail address?
>

Oh dear, Hotmail. I can see this scenario unfolding...

Encryption/Signing starts to catch on with "The Masses". MicroSoft in their usual style of "innovation" writes a check and buys PGP Corp. The "technology" is then "Bolted-onto" Hotmail and offered to HotMail users as _Secure_HotMail"®_ for $9.95/yr. Secure Hotmail will also offer "Secure Certificate Storage"®" so that you may access your private key and commonly-used encryption keys from anywhere on the Web, just by signing-in to your SecurePassPort"® account...

The mind reels from the possibilities. On a more serious note, would YOU feel secure communicating on a platform 'engineered and secured' by Microsoft?

Oh yes, and then to /further/ "innovate", Microsoft proposes a series of proprietary enhancements to fork and subvert the OpenPGP standard. The GPG-devel community, working on providing a compatibility-mode, is threatened with persecution under the reverse-engineering clauses of the DMCA.

Still I have to wonder if SecureYahoo! would be any better.

For the time being, a Win32 user could install either the canonical or Nullify builds of GPG along with one of the GUI frontends for Win32 (WinPT or GPGshell); or the freeware or licensed PGP 8.02. And then encrypt/decrypt/sign/verify using the clipboard and "current window" mechanisms.

The headache with this approach is that it is still nonportable -- you're tied to your main PC -- unless that's a laptop that travels with you all the time.

- --
John P. Clizbe Inet: JPClizbe at attbi dot com
Golden Bear Networks PGP/GPG KeyID: 0x608D2A10
"Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods."
9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+ykuOHQSsSmCNKhARAjfiAKDsLgMONWS34VsFEULZPyt2VRl2+gCfShL6
ecWOhPLjnIqQCMkRyGkaFrs=
=1xLf
-----END PGP SIGNATURE-----

From dcarrera@math.umd.edu Wed May 21 15:33:46 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Wed May 21 14:33:46 2003
Subject: GPG under Windows/Mac
Message-ID: <20030520201249.GA2139@math.umd.edu>

Hello,

I am not a Windows or Mac user. Could someone please tell me the simplest
way to install and use GPG in these platforms?

If you use GPG in one of those systems, what would you recommend in order
to get a "regular user" to start using GPG. I am interested in both
installation and daily use.

I know of a group of people who would probably be really interested in
GPG. I want to make it as accessible to them as possible.

Thanks a lot.
--
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)

iD8DBQE+yoxB1/ZKhTQTHLARAgfPAKDHLQgBJdpXJQqqU3G42UmthmkQLACgqRrK
gb4KSj3BB0D+LslrROG3v14=
=5nnb
-----END PGP SIGNATURE-----

From wbo@mandrakesoft.com Wed May 21 15:39:56 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Wed May 21 14:39:56 2003
Subject: Listtest -- pls ignore!
Message-ID: <200305210648.31885.wbo@mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have not received any message from this list since Monday. Is everybody
gone fishing or do I have a problem? Houston? Mom?

wobo
- --
Public GnuPG key available at keyserver www.mandrakesecure.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+ywUaXpTF6eCkAF0RAiD1AJ9UBDDfC8JXHBvfvY4qpgsYTVgHLACgluDE
tVkc0XdA6pSytV2+3gFojk8=
=SwIY
-----END PGP SIGNATURE-----

From colstar@iprimus.com.au Wed May 21 15:43:28 2003
From: colstar@iprimus.com.au (Colin Brown)
Date: Wed May 21 14:43:28 2003
Subject: trouble signing a message
Message-ID: <000001c31f80$7870a8f0$731832d2@WORK>

HI all,
I am writing a windows front end to GnuPG so I can take it mobile without the hassles of setting it up on each machine
and am having trouble signing a message.
When I sign I get the sig but my output does not look like

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

blah blah blah blah

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)

iD8DBQE+y0qaa7XhVS1wirkRAoXqAKCbw62ScNRFfXnLtzytnx7e1S2YawCfQ4wp
W9IJJ+0IWgpj9LUbuaH8siA=
=QAc7
-----END PGP SIGNATURE-----

Instead I am getting with option -s

Or if I asc it option -a -s

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.2 (MingW32)

owGbwMvMwCSYvfVhqG5B107G041JDHanfa95KiTmKhTnFxVVKngqZCSWpSqk5Oel
KpRkZBYrGCmUKiTmpSjkpKaVKJTkK5QUAeVz9Hi5yjOLMzLz0sE6UhTKEzNLUlMU
SvNKMnOAOpLzS3NSIEYl5+cCjcrPB2rh5QrOSU0tUChPzclRSEpMSuXl6rBnZgW5
4RbMUYJM37kZ5plVWjiUz3dSD3OrFlvt8rGJOeBrO8M8W2vVxmWruPffWP1iySav
khM6wlVyAA==
=MwZt
-----END PGP MESSAGE-----

What options do I need to use to get it to produce the first output.
I am getting the data from the clipboard then writing it back to the clipboard

Any help appreciated
Colin

Taking the easy way out
"Windows 95 is a
32-bit shell for a
16-bit extension to an
8-bit operating system designed for a
4-bit microprocessor by a
2-bit company that can't stand one bit of competition."

Pgp key: http://home.iprimus.com.au/colstar/pgpkey/colstar.asc
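
The three output forms in the message above (plain `-s`, `-a -s`, and the clearsigned form that `gpg --clearsign` produces) can be told apart by how they begin, and only the clearsigned form carries the text in readable shape. The Python sketch below is an added example, not code from any poster or from GnuPG: it classifies a blob and unpacks the cleartext framing following RFC 4880 section 7, without verifying the signature. The function names and the sample message are constructed for illustration.

```python
"""Tell gpg's signing output forms apart and unpack a cleartext signature.

Framing only (RFC 4880, section 7); no cryptographic verification is done.
"""

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
MSG_BEGIN = "-----BEGIN PGP MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"


def classify(data: bytes) -> str:
    """Name the kind of blob a front end got back from gpg."""
    head = data.lstrip()
    if head.startswith(CLEARSIGN_BEGIN.encode("ascii")):
        return "cleartext-signed"            # readable text, armored signature
    if head.startswith(MSG_BEGIN.encode("ascii")):
        return "armored-message"             # text is inside the base64 body
    if head.startswith(SIG_BEGIN.encode("ascii")):
        return "armored-detached-signature"  # signature only, no text
    return "binary-or-unknown"               # e.g. -s without armor


def parse_clearsigned(text: str) -> dict:
    """Split a cleartext-signed message into hash names, text and signature."""
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines) and not lines[i].strip():
        i += 1                               # tolerate leading blank lines
    if i == len(lines) or lines[i].rstrip() != CLEARSIGN_BEGIN:
        raise ValueError("not a cleartext-signed message")
    i += 1

    hashes = []                              # this sketch accepts Hash headers only
    while i < len(lines) and lines[i].strip():
        name, sep, value = lines[i].partition(":")
        if not sep or name.strip() != "Hash":
            raise ValueError("unexpected armor header: %r" % lines[i])
        hashes.extend(h.strip() for h in value.split(","))
        i += 1
    if i == len(lines):
        raise ValueError("no empty line after the armor headers")
    i += 1                                   # the empty line is not signed

    body = []
    while i < len(lines) and lines[i].rstrip() != SIG_BEGIN:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]                  # reverse dash-escaping
        elif line.startswith("-"):
            # RFC 4880 says to warn here; this sketch is stricter and refuses.
            raise ValueError("line %d starts with an unescaped '-'" % (i + 1))
        body.append(line.rstrip(" \t"))      # trailing blanks are not signed
        i += 1
    if i == len(lines):
        raise ValueError("signature block missing")

    end = next((j for j in range(i, len(lines))
                if lines[j].rstrip() == SIG_END), None)
    if end is None:
        raise ValueError("signature block not terminated")

    return {
        "hashes": hashes,
        "text": "\n".join(body),
        # Document bytes as hashed: CRLF line ends, and the line ending just
        # before the signature block is not part of the signed text.
        "signed_bytes": "\r\n".join(body).encode("utf-8"),
        "signature_armor": "\n".join(lines[i:end + 1]),
    }


# Constructed sample: the signature body is a placeholder, not a real signature.
SAMPLE = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n"
    "\n"
    "blah blah blah blah  \n"      # trailing spaces, dropped before hashing
    "- -- \n"                      # dash-escaped signature delimiter line
    "Colin\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE.encode("ascii")))
    parsed = parse_clearsigned(SAMPLE)
    print(parsed["hashes"], repr(parsed["text"]))
```

A front end that wants readable text with an inline signature can check that `classify` reports `cleartext-signed` before writing the result back to the clipboard.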


From patrick.brunschwig@gmx.net Wed May 21 16:15:03 2003
From: patrick.brunschwig@gmx.net (Patrick Brunschwig)
Date: Wed May 21 15:15:03 2003
Subject: trouble signing a message
In-Reply-To: <000001c31f80$7870a8f0$731832d2@WORK>
References: <000001c31f80$7870a8f0$731832d2@WORK>
Message-ID: <3ECB7C0D.2030109@gmx.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

you should use --clearsign

- -Patrick

Colin Brown wrote:

| HI all,
| I am writing a windows front end to GnuPG so I can take it mobile without the hassles of setting it up on each machine
| and am having trouble signing a message.
| When I sign I get the sig but my output does not look like
|
|
| blah blah blah blah
| Instead I am getting with option -s

Or if I asc it option -a -s

- -----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.2 (MingW32)

owGbwMvMwCSYvfVhqG5B107G041JDHanfa95KiTmKhTnFxVVKngqZCSWpSqk5Oel
KpRkZBYrGCmUKiTmpSjkpKaVKJTkK5QUAeVz9Hi5yjOLMzLz0sE6UhTKEzNLUlMU
SvNKMnOAOpLzS3NSIEYl5+cCjcrPB2rh5QrOSU0tUChPzclRSEpMSuXl6rBnZgW5
4RbMUYJM37kZ5plVWjiUz3dSD3OrFlvt8rGJOeBrO8M8W2vVxmWruPffWP1iySav
khM6wlVyAA==
=MwZt
- -----END PGP MESSAGE-----

What options do I need to use to get it to produce the first output.
I am getting the data from the clipboard then writing it back to the clipboard

Any help appreciated
Colin

Taking the easy way out
"Windows 95 is a
32-bit shell for a
16-bit extension to an
8-bit operating system designed for a
4-bit microprocessor by a
2-bit company that can't stand one bit of competition."

Pgp key: http://home.iprimus.com.au/colstar/pgpkey/colstar.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+y3wM2KgHx8zsInsRAqYBAKD9hG/YFrsrtEIz05EwYXVKE+2ufwCgs7sm
zoedTwLG8sTyG4ZHGjizPx8=
=cDpi
-----END PGP SIGNATURE-----

From mwood@IUPUI.Edu Wed May 21 16:40:02 2003
From: mwood@IUPUI.Edu (Mark H. Wood)
Date: Wed May 21 15:40:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 19 May 2003, darren chamberlain wrote:
[snip good point about embracing the diversity of email clients]
> Anyway, who needs KMail/Mozilla mail/etc when mutt works
> just as well (better, I'd argue ;), and is smaller, faster, and more
> portable, too?

And who needs mutt when we have pine? :-) (See, I agree with you.)

BTW pine works just fine with gpg, thanks to pgpenvelope (or pgp4pine, but I've switched). Now if I could find a way to make pine handle S/MIME as well, without giving up OpenPGP, I'd be all set. (A brief look at the gaggle of RFCs required to describe S/MIME suggests that it won't be quite so easy.)

- --
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQE+y4Hrs/NR4JuTKG8RAkM5AJ9IOBo3DHcFuSQ0PAmGfTrLjyQ/ewCfXOdY
Wo/cPub1oJyMM6XbPj1z2h4=
=rUeI
-----END PGP SIGNATURE-----

From eroosenmaallen@cogeco.ca Wed May 21 16:44:01 2003
From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen)
Date: Wed May 21 15:44:01 2003
Subject: Encouraging email security.
In-Reply-To: <20030518190052.GA1295@math.umd.edu>
References: <20030517234222.GA16303@math.umd.edu> <200305180533.42476.graham.todd@ntlworld.com> <200305181854.22269.malte_gell@t-online.de> <20030518190052.GA1295@math.umd.edu>
Message-ID: <3ECB80B7.7080105@cogeco.ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Daniel,

There are a couple options for Hotmail. The easiest is to use Outlook Express and GPGOE (assuming OE can still access Hotmail). This makes it reasonably painless to send/receive inline PGP messages.

The more complicated version is to use a GUI frontend like WinPT. Set hotkeys to encrypt, sign, and sign/encrypt the current window, then when one is done entering a message in the text box on the hotmail site, hit the hotkey, and it'll usually GPG the text in the box (depends on the browser).

Peace,
Eddie

Daniel Carrera wrote:
> On this note, what can we do about hotmail users?
> AFAIK hotmail doesn't offer POP3 or IMAP. Suppose, for the sake of
> argument, that a hotmail user becomes interested in using GPG. Is there
> any way for the he or she to start using GPG with their hotmail address?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+y4C2tGGqbMwazQURAuLQAJ9GN9m+mGdE6c/Q3l42JQXX0Hy4hQCglEuy
Yj3WvH7k+AJJD4Yy+LzeN0E=
=2BRY
-----END PGP SIGNATURE-----

From eroosenmaallen@cogeco.ca Wed May 21 16:57:02 2003
From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen)
Date: Wed May 21 15:57:02 2003
Subject: GPG under Windows/Mac
In-Reply-To: <20030520201249.GA2139@math.umd.edu>
References: <20030520201249.GA2139@math.umd.edu>
Message-ID: <3ECB83C7.1050409@cogeco.ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Daniel,

I use GPG on Windows. The easy way to start using it is to download WinPT. WinPT is a GUI frontend for GPG, and it comes with both the standard W32 build and the Nullify build. WinPT lets you handle .gpg and .pgp files, detached sigs, etc. from the Windows Explorer, lets you encrypt and/or sign text you're entering, etc.

The easiest and most effective mailer for W32 I've found is Mozilla with the Enigmail plugin. It makes things pretty painless, and handles PGP/MIME properly (It is, to my knowledge, the /only/ W32 mailer that fully supports PGP/MIME).

Peace,
Eddie

Daniel Carrera wrote:
> Hello,
>
> I am not a Windows or Mac user. Could someone please tell me the simplest
> way to install and use GPG in these platforms?

- --
OpenPGP KeyID: 0xCC1aCD05
Get my key from keyserver.kjsl.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+y4PGtGGqbMwazQURAkjGAJwJpsnuS51H3qdA7z/qR7vlXyjBVQCfe7Sr
IZLRtRNn5wnM/HvWdgoPVC0=
=AytX
-----END PGP SIGNATURE-----

From wk@gnupg.org Wed May 21 17:06:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Wed May 21 16:06:02 2003
Subject: Listtest -- pls ignore!
In-Reply-To: <200305210648.31885.wbo@mandrakesoft.com> (Wolfgang Bornath's message of "Wed, 21 May 2003 06:48:16 +0200")
References: <200305210648.31885.wbo@mandrakesoft.com>
Message-ID: <87ptmcxuir.fsf@alberti.g10code.de>

On Wed, 21 May 2003 06:48:16 +0200, Wolfgang Bornath said:
> Have not received any message from this list since Monday. Is everybody
> gone fishing or do I have a problem? Houston? Mom?

mailman jammed on a spam message's wrongly formatted MIME boundaries.

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From juam@arnet.com.ar Wed May 21 17:14:03 2003
From: juam@arnet.com.ar (Juan F. Codagnone)
Date: Wed May 21 16:14:03 2003
Subject: Encouraging email security.
In-Reply-To:
References:
Message-ID: <200305211113.45260.juam@arnet.com.ar>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 20 May 2003 12:10, Mark H. Wood wrote:
> I usually don't have any secrets to hide, but I don't want to be
> misrepresented, and I'd sign everything I send if I wasn't embarrassed to
> have you all find out that I haven't yet collected a single nonself
> signature on my key -- oops! :-/

Another problem I see with email signing, is that the signature only validates the body, and someone can take ambiguous signed messages and give them another sense (out of the original context). If the people start signing _all_ their mails, and send bodies like `The deal is off', `I love you', `Meet me at the bar at 15.00' then a 3rd party can fake the email headers and forward it. The new recipient will think that the message is valid. IIRC, [1] talked about that.

While this is not an issue when replying emails, as the original body and sender usually is quoted, it is a possible issue with new emails.

Regards,
Juan.

[1] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.ps
- --
Buenos Aires, Argentina 18°C with winds at 9 km/h NE
-----BEGIN PGP SIGNATURE-----

iD8DBQE+y4mYjSlJEriOToYRAvj3AJ4o92I6i96qQ++Bgq3He/fG9YmWWACg1LLC
gAz9lXJEjsKEvseUz04yhVY=
=qW1q
-----END PGP SIGNATURE-----

From dlc@users.sourceforge.net Wed May 21 17:16:03 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Wed May 21 16:16:03 2003
Subject: Encouraging email security.
In-Reply-To:
References: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com>
Message-ID: <20030521-bd24f4b268c0c94e9bba41594aa66ea8@tumbleweed.boston.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Mark H. Wood [2003-05-21 10:08]:
> BTW pine works just fine with gpg, thanks to pgpenvelope (or pgp4pine,
> but I've switched). Now if I could find a way to make pine handle
> S/MIME as well, without giving up OpenPGP, I'd be all set. (A brief
> look at the gaggle of RFCs required to describe S/MIME suggests that
> it won't be quite so easy.)

Mutt does S/MIME...

(darren)

- --
Capitalism interprets regulation as damage, and routes around it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: This message is digitally signed and can be verified for authenticity.

iD8DBQE+y4kVzsinjrVhZaoRAmYxAJwIFdtWK/iEFrdZDE9MP1w36QEUkACgg5V5
Yo+xtEz2gNiUCcaUXpiumP0=
=5GMS
-----END PGP SIGNATURE-----

From wbo@mandrakesoft.com Wed May 21 17:18:04 2003
From: wbo@mandrakesoft.com (Wolfgang Bornath)
Date: Wed May 21 16:18:04 2003
Subject: Listtest -- pls ignore!
In-Reply-To: <87ptmcxuir.fsf@alberti.g10code.de>
References: <200305210648.31885.wbo@mandrakesoft.com> <87ptmcxuir.fsf@alberti.g10code.de>
Message-ID: <200305211615.30356.wbo@mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

** Werner Koch (Wednesday, 21 May 2003 16:07)
> On Wed, 21 May 2003 06:48:16 +0200, Wolfgang Bornath said:
> > Have not received any message from this list since Monday. Is
> > everybody gone fishing or do I have a problem? Houston? Mom?
>
> mailman jammed on a spam message's wrongly formatted MIME boundaries.

Thanks Werner,

Just received the whole bunch.

wobo
- --
Public GnuPG key available at keyserver www.mandrakesecure.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+y4oAXpTF6eCkAF0RAtzyAJ0W02j39/ONgoggZtrzxywGrHH79wCgkaXy
yF/YWpeLY92x7ak4eAW9qvo=
=60PO
-----END PGP SIGNATURE-----

From rene@clerc.nl Wed May 21 17:35:02 2003
From: rene@clerc.nl (René Clerc)
Date: Wed May 21 16:35:02 2003
Subject: Encouraging email security.
In-Reply-To:
References: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com>
Message-ID: <20030521143255.GA564@clerc.nl>

* Mark H. Wood [21-05-2003 16:23]:
> On Mon, 19 May 2003, darren chamberlain wrote:
> [snip good point about embracing the diversity of email clients]
> > Anyway, who needs KMail/Mozilla mail/etc when mutt works
> > just as well (better, I'd argue ;), and is smaller, faster, and more
> > portable, too?
>
> And who needs mutt when we have pine? :-) (See, I agree with you.)

Well, we need mutt for... (read on)

> BTW pine works just fine with gpg, thanks to pgpenvelope (or pgp4pine,
> but I've switched). Now if I could find a way to make pine handle S/MIME
> as well, without giving up OpenPGP, I'd be all set.

S/MIME support ;-)

> (A brief look at the gaggle of RFCs required to describe S/MIME
> suggests that it won't be quite so easy.)

IIRC, the addition of S/MIME support to mutt wasn't too much a hassle; mutt already used OpenSSL anyway...

--
René Clerc - (rene@clerc.nl)

30. All bumbling conjurers, clumsy squires, no-talent bards, and cowardly thieves in the land will be preemptively put to death. My foes will surely give up and abandon their quest if they have no source of comic relief.
-"Peter Anspach's list of things to do as an Evil Overlord"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+y44Xwja9HprOCscRAqN1AJ9N5Oz6cwovTwKMCUFOwRx8pdcfrACfYQU+
ItXWUFZSubDQmI72TZDp79Y=
=+LXU
-----END PGP SIGNATURE-----

From dshaw@jabberwocky.com Wed May 21 18:29:03 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Wed May 21 17:29:03 2003
Subject: GPG under Windows/Mac
In-Reply-To: <20030520201249.GA2139@math.umd.edu>
References: <20030520201249.GA2139@math.umd.edu>
Message-ID: <20030521152949.GC1248@jabberwocky.com>

On Tue, May 20, 2003 at 04:12:50PM -0400, Daniel Carrera wrote:
> Hello,
>
> I am not a Windows or Mac user. Could someone please tell me the simplest
> way to install and use GPG in these platforms?
>
> If you use GPG in one of those systems, what would you recommend in order
> to get a "regular user" to start using GPG. I am interested in both
> installation and daily use.
>
> I know of a group of people who would probably be really interested in
> GPG. I want to make it as accessible to them as possible.

I see you already have a good answer for Windows. See http://macgpg.sourceforge.net/ for the Mac solution.

David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+y5tt4mZch0nhy8kRAmUnAJ9nd0kA3yU/mmXcssyqFLlg3kmFqwCgjQZP
jedd2f6fW2UKYZA/Q+NmyEA=
=aYPG
-----END PGP SIGNATURE-----

From shavital@netbox.com Thu May 22 10:06:11 2003
From: shavital@netbox.com (Charly Avital)
Date: Thu May 22 09:06:11 2003
Subject: MacGPG (was: GPG under Windows/Mac)
In-Reply-To: <20030520201249.GA2139@math.umd.edu>
References: <20030520201249.GA2139@math.umd.edu>
Message-ID:

Daniel,

about installing/building and running GPG in MacOS X, you will find all relevant information, HOWTOs, support mailing lists, plug-ins and scripts to have GPG interact with Apple's Mail.app, Qualcomm's Eudora, Microsoft's Entourage, Barebones' MailSmith, and GUI applications and tools for key management, file management, GPG configuration, at:
<http://macgpg.sourceforge.net/>

System requirements:
MacOS X (commercial)
Apple's Developer's Kit freely downloadable from Apple's Developer web site, registration is free.

Charly

At 4:12 PM -0400 5/20/03, Daniel Carrera wrote:
>Mime-Version: 1.0
>Content-Type: multipart/signed; micalg=pgp-sha1;
> protocol="application/pgp-signature";
>boundary="M9NhX3UHpAaciwkO"
>
>Hello,
>
>I am not a Windows or Mac user. Could someone please tell me the simplest
>way to install and use GPG in these platforms?
>
>If you use GPG in one of those systems, what would you recommend in order
>to get a "regular user" to start using GPG. I am interested in both
>installation and daily use.
>
>I know of a group of people who would probably be really interested in
>GPG. I want to make it as accessible to them as possible.
>
>Thanks a lot.
>--
>Daniel Carrera | OpenPGP fingerprint:
>Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
>UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

--============_-1158591489==_ma============-- From shavital@netbox.com Thu May 22 10:07:08 2003 From: shavital@netbox.com (Charly Avital) Date: Thu May 22 09:07:08 2003 Subject: MacGPG (was: GPG under Windows/Mac) Message-ID: --============_-1158587944==_ma============ Content-Type: text/plain; charset="us-ascii" ; format="flowed" Daniel, about installing/building and running GPG in MacOS X, you will find all relevant information, HOWTOs, support mailing lists, plug-ins and scripts to have GPG interact with Apple's Mail.app, Qualcomm's Eudora, Microsoft's Entourage, Barebones' MailSmith, and GUI applications and tools for key management, file management, GPG configuration, at: System requirements: MacOS X (commercial) Apple's Developer's Kit freely downloadable from Apple's Developer web site, registration is free. Charly At 4:12 PM -0400 5/20/03, Daniel Carrera wrote: >Mime-Version: 1.0 >Content-Type: multipart/signed; micalg=pgp-sha1; > protocol="application/pgp-signature"; >boundary="M9NhX3UHpAaciwkO" > >Hello, > >I am not a Windows or Mac user. Could someone please tell me the simplest >way to install and use GPG in these platforms? > >If you use GPG in one of those systems, what would you recommend in order >to get a "regular user" to start using GPG. I am interested in both >installation and daily use. > >I know of a group of people who would probably be really interested in >GPG. I want to make it as accessible to them as possible. > >Thanks a lot. >-- >Daniel Carrera | OpenPGP fingerprint: >Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E >UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html --============_-1158587944==_ma============ Content-Type: text/html; charset="us-ascii" MacGPG (was: GPG under Windows/Mac)
--============_-1158587944==_ma============-- From rmalayter@bai.org Thu May 22 10:07:52 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Thu May 22 09:07:52 2003 Subject: storing keyrings into SQL database? Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA65@cliff.bai.org> From: "Branko F. Grac(nar" [mailto:bfg@noviforum.si] ||You could certainly store keyring files in a SQL database, then extract ||them from to a unique temporary filename when need. Use random hex |Uf. This is ugly and possibly unsecure, but it's doable. It's at least as secure as storing each user's key in a separate directory on the server. All you need to do is make sure your random temporary filename space is large enough that there are no collisions, your random numbers are generated well (with GnuPG itself?), and the user's SSL session is protected from hijacking using best practices. It is of course uglier than using the data directly from the DB; however, I've seen loads of commercial and purpose-built web apps that use per-session temporary files. Sometimes it's the only way to interface with a particular program on the web server. Your other option is to use the GnuPG source or the GPGme library to build a special version that accesses the keyrings directly from a database. This is what open source software is all about. And finally, what in the heck does "Uf." mean? -ryan- From wk@gnupg.org Thu May 22 10:09:42 2003 From: wk@gnupg.org (Werner Koch) Date: Thu May 22 09:09:42 2003 Subject: Encouraging email security. In-Reply-To: <200305211113.45260.juam@arnet.com.ar> ("Juan F. Codagnone"'s message of "Wed, 21 May 2003 11:13:39 -0300") References: <200305211113.45260.juam@arnet.com.ar> Message-ID: <873cj8xkmp.fsf@alberti.g10code.de> On Wed, 21 May 2003 11:13:39 -0300, Juan F Codagnone said: > Another problem i see with email signing, is that the signature only validates > the body, and someone can take ambiguous signed messages and give them That is no problem.
It is the same in the real world: Removing the envelope and replacing it with a different one is pretty easy, changing the actual letter and the signature is harder. People know that they can not trust what's on an envelope; maybe except for the timestamp of the postal service. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Thu May 22 10:10:34 2003 From: wk@gnupg.org (Werner Koch) Date: Thu May 22 09:10:34 2003 Subject: Encouraging email security. In-Reply-To: <20030521143255.GA564@clerc.nl> (René Clerc's message of "Wed, 21 May 2003 16:32:55 +0200") References: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com> <20030521143255.GA564@clerc.nl> Message-ID: <87znlgw5zz.fsf@alberti.g10code.de> On Wed, 21 May 2003 16:32:55 +0200, René Clerc said: > IIRC, the addition of S/MIME support to mutt wasn't too much a hassle; > mutt already used OpenSSL anyway... And violates the GPL this way. One of the reasons I wrote new S/MIME support for Mutt. Shalom-Salam, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From ingo.kloecker@epost.de Thu May 22 10:13:59 2003 From: ingo.kloecker@epost.de (Ingo Klöcker) Date: Thu May 22 09:13:59 2003 Subject: Encouraging email security. In-Reply-To: <200305211113.45260.juam@arnet.com.ar> References: <200305211113.45260.juam@arnet.com.ar> Message-ID: <200305212157.54868@erwin.ingo-kloecker.de> --Boundary-02=_Cp9y+Ab22v7HBd5 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Wednesday 21 May 2003 16:13, Juan F. Codagnone wrote: > On Tuesday 20 May 2003 12:10, Mark H.
Wood wrote: > > I usually don't have any secrets to hide, but I don't want to be > > misrepresented, and I'd sign everything I send if I wasn't > > embarrassed to have you all find out that I haven't yet collected a > > single nonself signature on my key -- oops! :-/ > > Another problem i see with email signing, is that the signature only > validates the body, and someone can take ambiguous signed messages > and give them another sense (out of the original context). If the > people start signing _all_ theirs mails, and sends bodies like `The > deal is off', `I love you', `Meet me at the bar at 15.00' then a 3rd > party can fake the email headers and forward it. The new recipient > will think that the message is valid. IIRC, [1] talked about that. This was brought up before. There are several things that can be done: 1.) The date of the email and the date of the signature are compared. If the signature is significantly older than the email then the mail client should issue a warning. 2.) The mail client could automatically add a copy of the From:, To: and Subject: header to the signed message body. 3.) The PGP/MIME standard could be extended to allow putting the From:, To: and Subject: header into a second body part similar to the application/pgp-encrypted message part which contains the version code. Regards, Ingo --Boundary-02=_Cp9y+Ab22v7HBd5 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+y9pCGnR+RTDgudgRApNNAKCKGtcUR4pCIklvtItPadkBwnjtcQCgrYHI tjss0GzjyuelKyXMuETjVSE= =HSaN -----END PGP SIGNATURE----- --Boundary-02=_Cp9y+Ab22v7HBd5-- From ingo.kloecker@epost.de Thu May 22 10:14:49 2003 From: ingo.kloecker@epost.de (Ingo Klöcker) Date: Thu May 22 09:14:49 2003 Subject: Encouraging email security.
In-Reply-To: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com> References: <5.1.0.14.2.20030518223223.035a4b68@localhost> <200305190013.03226@erwin.ingo-kloecker.de> <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com> Message-ID: <200305212140.32942@erwin.ingo-kloecker.de> --Boundary-02=_wY9y+T8+zzvIpR8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Tuesday 20 May 2003 04:01, darren chamberlain wrote: > Anyway, who needs KMail/Mozilla mail/etc when mutt works > just as well (better, I'd argue ;), and is smaller, faster, and more > portable, too? Sorry, but I thought we were talking about encouraging normal users to use encryption. People who use mutt won't have any problems with using encryption. They won't fear running gpg on the command line. But people who barely know how to handle a computer won't use mutt. They will use KMail or Mozilla Mail or Evolution or some Windows mail client. Encryption has to be made easy with those mail clients and not with geek-only mail clients like mutt or pine.
Regards, Ingo --Boundary-02=_wY9y+T8+zzvIpR8 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+y9YwGnR+RTDgudgRApIdAJ0WETn9+bAoulZyoeVAZLyZJ7J4DACgp9Yy ngYi3YR56q8ADjjn2ckpaOc= =T05e -----END PGP SIGNATURE----- --Boundary-02=_wY9y+T8+zzvIpR8-- From ingo.kloecker@epost.de Thu May 22 10:15:41 2003 From: ingo.kloecker@epost.de (Ingo Klöcker) Date: Thu May 22 09:15:41 2003 Subject: Mime Type for Encrypted Attachments In-Reply-To: <20030519155433.GA14818@psilocybe.teonanacatl.org> References: <3EC8C7DE.9060703@gmx.net> <20030519155433.GA14818@psilocybe.teonanacatl.org> Message-ID: <200305212203.23594@erwin.ingo-kloecker.de> --Boundary-02=_Lu9y+XTRwkt9A+8 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Monday 19 May 2003 17:54, Todd wrote: > Patrick Brunschwig wrote: > > What would be the correct content type for encrypted attachments if > > the mail is sent as inline PGP (i.e. multipart/mixed)? > > > > I have found a number of content types that seem to be in use, so > > I'm not sure what would be the "best". I know that e.g. Outlook > > uses "application/octet-stream", but I think this is a rather bad > > default. > > > > What about "application/pgp" or "application/pgp-encrypted", any > > idea? > > I think it would be one of: > > application/pgp-encrypted > application/pgp-signature > application/pgp-keys Definitely not. Those content types are used for completely different things.
Regards, Ingo --Boundary-02=_Lu9y+XTRwkt9A+8 Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+y9uLGnR+RTDgudgRAi0RAKCUHHvmywBWp54iizPi/Hng2IzGGgCgvVUf 0JEf+vs0Yjp9Tz0piooXbq0= =1Vs0 -----END PGP SIGNATURE----- --Boundary-02=_Lu9y+XTRwkt9A+8-- From dvgevers@xs4all.nl Thu May 22 10:17:34 2003 From: dvgevers@xs4all.nl (Dick Gevers) Date: Thu May 22 09:17:34 2003 Subject: Consider a feature request? Message-ID: <20030521215954.32fb7614.dvgevers@xs4all.nl> Hi all, The separate discussion on keystorage in an SQL database made me think of the possibility to add a bit of room for internal notes on every key in the local public keyring (internal meaning not exportable) which should be searchable via the existing gpg routines. For example I might have a lot of people called John, Johnny, Johnson, Johnsson etc. on my pubring and typing ´gpg --list-key john´ could turn into an uncomfortably long list. But if I could add a note of ´cousin´ in the notespace, it would, ideally, give only one entry for ´gpg --list-key cousin´. (Unless I had more noted cousins than *john* in my pubring. Another example: allow a note like ¨gnupg-users tennis previous-job¨. So it could, IMHO, be a nice tool to search keys much more efficiently if a little maintenance is done by the interested user. Thanks for your consideration. Best regards, =Dick Gevers= - - -- Registered Linux user # 309037 From wbo@mandrakesoft.com Thu May 22 10:22:35 2003 From: wbo@mandrakesoft.com (Wolfgang Bornath) Date: Thu May 22 09:22:35 2003 Subject: Pan and GnuPG Message-ID: <200305220402.31704.wbo@mandrakesoft.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm testing pan as newsreader and of course I'd like to use gpg with it to sign my postings. I did not find any docs on how to do that apart from using the clipboard and/or external editor (vim). Searched google and the pan site.
Pls don't recommend gnupgme. I tried several times - following the instructions of the website - but I could not get it to work even with kmail. wobo - -- Public GnuPG key available at keyserver pgp.mit.edu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+zC+zXpTF6eCkAF0RAhHYAJ4xCe3qY+KoFMVq6RHJfUi5sruIIQCfe55Z K2WKpW2mdtp34mypIg5Fwn0= =KBRd -----END PGP SIGNATURE----- From wk@gnupg.org Thu May 22 12:31:02 2003 From: wk@gnupg.org (Werner Koch) Date: Thu May 22 11:31:02 2003 Subject: Mime Type for Encrypted Attachments In-Reply-To: <200305212203.23594@erwin.ingo-kloecker.de> (Ingo Klöcker's message of "Wed, 21 May 2003 22:03:22 +0200") References: <3EC8C7DE.9060703@gmx.net> <20030519155433.GA14818@psilocybe.teonanacatl.org> <200305212203.23594@erwin.ingo-kloecker.de> Message-ID: <87ptmbwckz.fsf@alberti.g10code.de> On Wed, 21 May 2003 22:03:22 +0200, Ingo Klöcker said: >> application/pgp-encrypted >> application/pgp-signature >> application/pgp-keys > Definitely not. Those content types are used for completely different > things. I don't see a problem using pgp-encrypted or pgp-keys as the top MIME type. The processing is not different to the RFC3156 case where they are encapsulated in multipart/encrypted. pgp-signature should only be used for a detached signature though. Shalom-Salam, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From jerger@jerger.org Thu May 22 15:12:02 2003 From: jerger@jerger.org (jerger) Date: Thu May 22 14:12:02 2003 Subject: pgp 8 compatibility Message-ID: <200305221415.44828.jerger@jerger.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, im trying to communicate with some pgp8 users. My question now is: Is it possible to decrypt pgp8 mails including encrypted attachments with gnupg (and with kmail) ?
cheers micha -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+zL9lGizPrwyMK7YRAlX6AKDoVZG9jPjMl5gupcerDYyv8psDmgCgt5d/ 1LcbHXzjQh3LTOlxKrqu88w= =LYbk -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Thu May 22 15:36:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Thu May 22 14:36:02 2003 Subject: Consider a feature request? In-Reply-To: <20030521215954.32fb7614.dvgevers@xs4all.nl> References: <20030521215954.32fb7614.dvgevers@xs4all.nl> Message-ID: <20030522123620.GI1248@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, May 21, 2003 at 09:59:54PM +0000, Dick Gevers wrote: > Hi all, > > The separate discussion on keystorage in an SQL database made me think > of the possibility to add a bit of room for internal notes on every key in > the local public keyring (internal meaning not exportable) which > should be searchable via the existing gpg routines. > > For example I might have a lot of people called John, Johnny, Johnson, > Johnsson etc. on my pubring and typing ´gpg --list-key john´ could turn > into an uncomfortably long list. But if I could add a note of ´cousin´ > in the notespace, it would, ideally, give only one entry for > ´gpg --list-key cousin´. (Unless I had more noted cousins than *john* in > my pubring. Put in your config file: group cousins = 0xABCDABCD 0x12345678 0xDEADBEEF Then encrypting to "cousins" encrypts to the specified keyids. It doesn't work for --list-keys: only --recipient (-r).
David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+zMRE4mZch0nhy8kRAryGAKCvlc4fkJCoAPPRmkBS/osZSABD9QCgiFW4 oE6XAz4IRX6XrszweEX4kiw= =kIGa -----END PGP SIGNATURE----- From graham.todd@ntlworld.com Thu May 22 16:56:03 2003 From: graham.todd@ntlworld.com (Graham) Date: Thu May 22 15:56:03 2003 Subject: pgp 8 compatibility In-Reply-To: <200305221415.44828.jerger@jerger.org> References: <200305221415.44828.jerger@jerger.org> Message-ID: <200305221500.52891.graham.todd@ntlworld.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday 22 May 2003 1:15 pm, jerger wrote: > Hi all, > > im trying to communicate with some pgp8 users. My question now is: > Is it possible to decrypt pgp8 mails including encrypted attachments > with gnupg (and with kmail) ? You should have no trouble communicating with PGP 8.0 users when you use GPG and KMail. However, the MUA they use might not support PGP/MIME to the latest standards, so it is best to avoid using PGP/MIME unless you KNOW the MUA supports it. Later versions of KMail (with KDE 3.1.1) also support PGP/MIME but I can't as yet check the compatibility as I'm still chugging along using KDE 3.0 :-) Graham -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Please sign and encrypt for internet privacy iD8DBQE+zNiQIwtBZOk1250RAlm3AKCuVZBqRg//CqZEBy9ErJq1x5V5ggCfVR8y O1zWIkFWkLJZWV3KyP/MP2c= =B/14 -----END PGP SIGNATURE----- From colstar@iprimus.com.au Thu May 22 17:57:03 2003 From: colstar@iprimus.com.au (Colin Brown) Date: Thu May 22 16:57:03 2003 Subject: Gpg.exe and long dir names Message-ID: <000001c32072$99f92b30$e26c32d2@WORK> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I am having a bit of trouble with GnuPG and was wondering if anyone can help. I am trying to feed a file into gpg.exe inside a front end I am writing, the problem being gpg does not like the full path name for the file eg.
C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt And seems to fallover, It is fine when it is just the root dir C:\file.txt I can *hack* around this by copying the file to the root dir before encrypting and then copy it back prefer not to do that. Any help appreciated Col. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) iD8DBQE+zOWQa7XhVS1wirkRAoGIAJ4q8Xae+lQipk1hyR+pd75mFAVz2ACg2egb hixESLx32Pjv/uOOLGSkIVU= =YlvE -----END PGP SIGNATURE----- From rmalayter@bai.org Thu May 22 18:08:03 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Thu May 22 17:08:03 2003 Subject: Encouraging email security. Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> From: Werner Koch [mailto:wk@gnupg.org] >People know that they can not trust what's on an envelope; >maybe except for the timestamp of the postal service. Ah, but people actually *don't* know this about email. An executive here was recently shocked when I sent him a message from Bill Gates. My mother would be shocked by the same thing. Average people don't think about forged mail headers, because their mail client was set up for them by someone else. This is why viruses that are supposed coming from "suppport@microsoft.com" spread so rapidly. Educating users about these things never seems to work. Well, maybe average people will think about SMTP headers in 20 years, when the non-internet generation is out of the workforce. I hope we're still not using SMTP by then, but we probably will be. -ryan- From sathishkumarbt@yahoo.com Thu May 22 18:18:02 2003 From: sathishkumarbt@yahoo.com (sathish kumar) Date: Thu May 22 17:18:02 2003 Subject: encryption Message-ID: <20030522151935.74171.qmail@web14609.mail.yahoo.com> hi, >i have a problem regarding encryption of the message. > i want know how to maintain public key generated by client in server (daemon) maintained database. and using that key i want to encrypt the message.
without using recipient name related to that.(gpg encuryption command uses reciepient name) >since it is not possible to import or export key in a peer to peer network. >is it possible to send public key through network(LAN or peer to peer). >also tell the document to embed these facilate in a c-code so any one can help on this From jbruni@mac.com Thu May 22 18:46:03 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu May 22 17:46:03 2003 Subject: Gpg.exe and long dir names Message-ID: <2025060.1053618412629.JavaMail.jbruni@mac.com> Have you tried putting quotes around the name? It might not like the spaces. Maybe you need to use the short "~" names? On Thursday, May 22, 2003, at 08:58AM, Colin Brown wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > > > >Hi all, > > I am having a bit of trouble with GnuPG and was wondering if anyone can help.
>I am trying to feed a file into gpg.exe inside a front end I am writing, the problem being gpg does not like >the full path name for the file >eg. C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt >And seems to fallover, >It is fine when it is just the root dir C:\file.txt > >I can *hack* around this by copying the file to the root dir before encrypting and then copy it back prefer not to do that. > >Any help appreciated > >Col. > > > > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.2 (MingW32) > >iD8DBQE+zOWQa7XhVS1wirkRAoGIAJ4q8Xae+lQipk1hyR+pd75mFAVz2ACg2egb >hixESLx32Pjv/uOOLGSkIVU= >=YlvE >-----END PGP SIGNATURE----- -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 From pt@radvis.nu Thu May 22 19:07:04 2003 From: pt@radvis.nu (Per Tunedal) Date: Thu May 22 18:07:04 2003 Subject: Gpg.exe and long dir names In-Reply-To: <000001c32072$99f92b30$e26c32d2@WORK> Message-ID: <5.1.0.14.2.20030522180337.029e22a8@localhost> Hi, this is a problem on WinNT,Win 2000 and WinXP that work differently on Win95 and Win98. Maybe you can have some ideas from looking at my simple batchfiles for daily tasks: http://www.clipanish.com/English/Download/Batch-files/batch-files.html Per Tunedal At 22:58 2003-05-22 +0800, you wrote: >problem being gpg does not like >the full path name for the file >eg. C:\Documents and Settings\Person Here\My Documents\Visual Studio >Projects\WindowsApplication2\bin\Debug\file.txt >And seems to fallover, >It is fine when it is just the root dir C:\file.txt > >Col.
> From JPClizbe@attbi.com Thu May 22 19:53:03 2003 From: JPClizbe@attbi.com (John Clizbe) Date: Thu May 22 18:53:03 2003 Subject: Gpg.exe and long dir names In-Reply-To: <000001c32072$99f92b30$e26c32d2@WORK> References: <000001c32072$99f92b30$e26c32d2@WORK> Message-ID: <3ECD00AF.7000205@attbi.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Colin Brown wrote: > > I am having a bit of trouble with GnuPG and was wondering if anyone can help. > I am trying to feed a file into gpg.exe inside a front end I am writing, the problem being gpg does not like > the full path name for the file > eg. C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt > And seems to fallover, > It is fine when it is just the root dir C:\file.txt > > I can *hack* around this by copying the file to the root dir before encrypting and then copy it back prefer not to do that. > The trouble is the spaces in the file/path names. A few ideas from my own battle scars using unix/Gnu/OpenSource stuff in a Win32 world: 1) Put entire filename and path in quotes - "C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt" 2) use 'old-style (8.3)' file and folder names - C:\Docume~1\%USERNAME%\MyDocu~1\Visual~1\Window~2\bin\debug\file.txt 3) If not already using it, try the Nullify build of GnuPG (http://www.nullify.org) 4) I agree using the root dir is a 'not good' hack. What about using %TEMP%\file.txt? 5) Unix-fy the path - ie replace '\' with '/' and escape the spaces with '\' - "C:/Documents\ and\ Settings/Person\ Here/My\ Documents/Visual\ Studio\ Projects/WindowsApplication2/bin/Debug/file.txt" Though I think this only works under Cygwin, MinGW32, or Services for Unix's Interix environments and quotes around the name would be easier. There may be other hints on MSDN. Try http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnucmg/html/ucmglp.asp - -- John P. 
Clizbe Inet: JPClizbe AT attbi DOT com Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "There is safety in Numbers... *VERY LARGE PRIME* Numbers 9:00PM Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+zQCuHQSsSmCNKhARAsqhAJ0fV0Y9pLPZUbR9rXwmbarGnfFV9gCgjOXZ r1RyzgwZbawHWtjSyd/ztho= =hRI3 -----END PGP SIGNATURE----- From j@erf.sh Thu May 22 20:51:03 2003 From: j@erf.sh (J Irving) Date: Thu May 22 19:51:03 2003 Subject: Encouraging email security. In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> Message-ID: <20030522175209.GA18664@harriet.lollyshouse.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 * Ryan Malayter [2003.05.22 10:08 -0500]: > From: Werner Koch [mailto:wk@gnupg.org] > >People know that they can not trust whats on an envelope; > >maybe except for the timestamp of the postal service. > > Ah, but people actually *don't* know this about email. I agree. I was recently in a "sexual harassment" class where the teacher, a lawyer, virtually rolled his eyes and laughed at the "I didn't send that email" defense. I suggested that it was trivial to spoof the origin of an email; he said that it doesn't matter what you can do, it only matters what a jury of your peers think you can do. He clearly thought that the claim held no credibility in any sensible person's mind. cheers j - -- I must review my disbelief in angels. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (SunOS) Comment: Hail Eris! 
iD8DBQE+zQ5IUMt2z+iZNdMRAklIAKCPcY/TvqZOkhwwKSHW02hiiu1L9QCgqmvK QmdkfDQtxYIjMdJkxr2fxZc= =zDc2 -----END PGP SIGNATURE----- From dvgevers@xs4all.nl Thu May 22 21:39:02 2003 From: dvgevers@xs4all.nl (Dick Gevers) Date: Thu May 22 20:39:02 2003 Subject: Consider a feature request? In-Reply-To: <20030522123620.GI1248@jabberwocky.com> References: <20030521215954.32fb7614.dvgevers@xs4all.nl> <20030522123620.GI1248@jabberwocky.com> Message-ID: <20030522184013.3641226e.dvgevers@xs4all.nl> On Thu, 22 May 2003 08:36:20 -0400, David Shaw wrote about Re: Consider a feature request?: > Put in your config file: > > group cousins = 0xABCDABCD 0x12345678 0xDEADBEEF > > Then encrypting to "cousins" encrypts to the specified keyids. It > doesn't work for --list-keys: only --recipient (-r). Thanks for your answer David. It´s not precisely what I had in mind, because I never realised that it would be useful to create groups of one: since I never felt the need to encrypt to 1+ I knew the option was there but never tried it. I added a few groups to the tail of my gpg.conf so the tail command will be sufficient for lookup for the moment. Best regards, =Dick Gevers= - -- Registered Linux user # 309037 From Tony_Mione@peoplesoft.com Fri May 23 01:55:02 2003 From: Tony_Mione@peoplesoft.com (Tony_Mione@peoplesoft.com) Date: Fri May 23 00:55:02 2003 Subject: GPGme supported platforms Message-ID: Is there any definitive list of platforms for which GPGme is supported? Looking at the 'configure' file, the host_os case statements list about everything except Apple DOS 3.3 and OS390 (Gaaccck!) In general, does the process spawning and IPC support work well on most of the unix and windows platforms? Thanks. Antonino N. Mione PeopleTools Security and Infrastructure PeopleSoft, Inc., 4411 PeopleSoft Pkwy., Pleasanton, Ca. 94588 Antonino_Mione@peoplesoft.com +1-(925)-694-6118 got Crypto?
From johanw@vulcan.xs4all.nl Fri May 23 02:10:02 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Fri May 23 01:10:02 2003 Subject: Encouraging email security. In-Reply-To: <3ECA4B8F.2030308@attbi.com> from John Clizbe at "May 20, 2003 10:36:47 am" Message-ID: <200305221252.OAA00842@vulcan.xs4all.nl> John Clizbe wrote: >The mind reels from the possibilities. On a more serious note, would YOU >feel secure communicating on a platform 'engineered and secured' by >Microsoft? No. But I would worry MUCH more when my secret keys would be in a server not into my control, especially if it's located in a country with a government with a not so good reputation in respecting people's privacy and a reputation of being bribed by big companies, like the US regime. >Oh yes, and then to /further/ "innovate", Microsoft proposes a series of >proprietary enhancements to fork and subvert the OpenPGP standard. The >GPG-devel community, working on providing a compatibility-mode, is >threatened with persecution under the reverse-engineering clauses of the >DMCA. Fortunately the GnuPG development is located outside the USA. The DMCA doesn't apply in Germany. But that didn't stop the Hollywood police either when they had the Norwegian teenager arrested for publishing the DVD encryption algorithm and a crack for it. :-( -- ir. J.C.A.
Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ingo.kloecker@epost.de Fri May 23 02:53:02 2003 From: ingo.kloecker@epost.de (Ingo Klöcker) Date: Fri May 23 01:53:02 2003 Subject: Mime Type for Encrypted Attachments In-Reply-To: <87ptmbwckz.fsf@alberti.g10code.de> References: <3EC8C7DE.9060703@gmx.net> <200305212203.23594@erwin.ingo-kloecker.de> <87ptmbwckz.fsf@alberti.g10code.de> Message-ID: <200305230056.45358@erwin.ingo-kloecker.de> --Boundary-02=_sWVz+XOi9SHKfMh Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Thursday 22 May 2003 11:33, Werner Koch wrote: > On Wed, 21 May 2003 22:03:22 +0200, Ingo Klöcker said: > >> application/pgp-encrypted > >> application/pgp-signature > >> application/pgp-keys > > > > Definitely not. Those content types are used for completely > > different things. > > I don't see a problem using pgp-encrypted or pgp-keys as the top MIME > type. The processing is not different to the RFC3156 case where they > are encapsulated in multipart/encrypted. pgp-signature should only > be used for a detached signature though. Are you not confusing something? The encrypted and armored message is not in the application/pgp-encrypted but in the application/octet-stream message part. Typical message (the same as in my first reply): ===== --Boundary-02=_0guk++/xisah7Wk Content-Type: application/pgp-encrypted Content-Description: version code Content-Disposition: attachment Version: 1 --Boundary-02=_0guk++/xisah7Wk Content-Type: application/octet-stream Content-Description: encrypted data Content-Disposition: inline; filename="msg.asc" -----BEGIN PGP MESSAGE----- Version: GnuPG v1.2.1 (GNU/Linux) hQIOAzDP3ccyMZU4EAf/Q3tO7Iziro8/NUs+7Lqk76poiPY8fza5AOdL7kB4fkWJ ... 
===== And using pgp-keys is IMO also wrong because this will confuse MUAs which provide an Import Key functionality for pgp-keys attachments and it will confuse users who receive an attachment which claims to be an armored OpenPGP key but is in fact an encrypted file. Only viruses lie about the content-type. The correct content-type is application/octet-stream with Content-Description: encrypted data. But that's what I already wrote in my first reply. Regards, Ingo --Boundary-02=_sWVz+XOi9SHKfMh Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+zVWsGnR+RTDgudgRAgOMAJ0VM8fiwN6dlMht0sr26HVjHOvJ7QCeI0NR s4khGfEC9L77g+zWpAhjwpE= =QtG/ -----END PGP SIGNATURE----- --Boundary-02=_sWVz+XOi9SHKfMh-- From dshaw@jabberwocky.com Fri May 23 03:23:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri May 23 02:23:02 2003 Subject: storing keyrings into SQL database? In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA65@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2AEA65@cliff.bai.org> Message-ID: <20030523002358.GF29646@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, May 21, 2003 at 11:33:12AM -0500, Ryan Malayter wrote: > From: "Branko F. Grac(nar" [mailto:bfg@noviforum.si] > > ||You could certainly store keyring files in a SQL database, then > extract > ||them from to a unique temporary filename when need. Use random hex > > |Uf. This is ugly and possibly unsecure, but it's doable. > > It's at least as secure as storing each user's key in a separate > directory on the server. All you need to do is make sure your random > temporary filename space is large enough that there are no collisions, > your random numbers are generated well (with GnuPG itself?), and the > user's SSL session is protected from hijacking using best practices. 
Instead of storing each key with a random temporary filename, use a filename derived from the fingerprint of the key. It's deterministic, plus if two keys have the same fingerprint, they are treated as the same key for many purposes anyway. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+zWoe4mZch0nhy8kRAkTKAKCcYOymvYq6lg/SkWFIgshVCsav3gCgtALK Zxvs+Nk7sizXupabcl4r0Eg= =6yIy -----END PGP SIGNATURE----- From jbruni@mac.com Fri May 23 05:34:23 2003 From: jbruni@mac.com (Joseph Bruni) Date: Fri May 23 04:34:23 2003 Subject: storing keyrings into SQL database? In-Reply-To: <20030523002358.GF29646@jabberwocky.com> Message-ID: <315FF209-8CC7-11D7-A874-003065B1243E@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Has anyone ever calculated the odds of a fingerprint collision? Sometimes its kind of nice to know just for perspective. On Thursday, May 22, 2003, at 05:23 PM, David Shaw wrote: > Instead of storing each key with a random temporary filename, use a > filename derived from the fingerprint of the key. It's deterministic, > plus if two keys have the same fingerprint, they are treated as the > same key for many purposes anyway. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (Darwin) iEYEARECAAYFAj7NiNsACgkQ4rg/mXNDweMcuACguDfbDXSMWt4RoaQV8i1oDQIY 27sAoIBpRHXtehpEoUoWoRQzqBIRuPBH =fztN -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Fri May 23 06:56:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri May 23 05:56:03 2003 Subject: Fingerprint security (was Re: storing keyrings into SQL database?) 
In-Reply-To: <315FF209-8CC7-11D7-A874-003065B1243E@mac.com> References: <20030523002358.GF29646@jabberwocky.com> <315FF209-8CC7-11D7-A874-003065B1243E@mac.com> Message-ID: <20030523035706.GB13423@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, May 22, 2003 at 07:35:18PM -0700, Joseph Bruni wrote: > Has anyone ever calculated the odds of a fingerprint collision? > Sometimes its kind of nice to know just for perspective. A natural collision? Very, very unlikely. V4 keys use SHA1 to fingerprint, and the effective size of that hash due to the birthday paradox is 80 bits. V3/PGP 2.x keys are a different story altogether. There is a weakness in the key format that means you can play fingerprint games with fairly little effort. You can fake a keyid easily as well, but V3 fingerprints are not secure either. This isn't a MD5 hash issue (though MD5 has issues): it is a flaw in the fingerprinting specification. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-cvs (GNU/Linux) Comment: http://www.jabberwocky.com/david/keys.asc iD8DBQE+zZwS4mZch0nhy8kRAnzjAJsEvyJoEo5mA3BXuHSyhkCX/210bACg5QXN 9HAuVTX1VCZqDVKMGuNc7fI= =MSI9 -----END PGP SIGNATURE----- From jacob@oztechsystems.com Fri May 23 08:29:02 2003 From: jacob@oztechsystems.com (Jacob Solomon) Date: Fri May 23 07:29:02 2003 Subject: decrypt errors Message-ID: <00c701c320ec$954e1940$0201a8c0@ibm> This is a multi-part message in MIME format. ------=_NextPart_000_00C4_01C320B1.E859B800 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit I am having a problem related to decrypting gpg encrypted files. The error occurs only during decryption. 
Here is the command we ran: gpg --batch --passphrase-fd 0 --output xx.tar --decrypt mail.NGuWWe75wM < cipher_file gpg: AES256 encrypted data gpg: [don't know]: invalid packet (ctb=14) The interesting part is that the above does produce an out file which is identical to the source file, we verified this by doing md5 checksum on the original file and the decrypted file. Most of the time we have no problems, however, every so often, which can be every 1,000 or 30,000 crypt/decrypt operations we get the above error/message. Also, once we get such error, if we take the original file crypt it then decrypt we get the same error every time. In addition, a similar error occurs when we try different ciphers. Any ideas what is going on? Thanks, Jacob From svwright+lists@amtp.liv.ac.uk Fri May 23 10:04:03 2003 From: svwright+lists@amtp.liv.ac.uk (Stewart V. Wright) Date: Fri May 23 09:04:03 2003 Subject: MDC Confusion Message-ID: <20030523070511.GA28492@liv.ac.uk> Hi, I am having some confusion with modification detection code (MDC). I'm using the 1.2.3-cvs version (from the 7th of May) of GnuPG. I just changed my gpg.conf file and changed from no-force-v3-sigs to openpgp Which should make my signatures/encryptions entirely OpenPGP compatible. 
Unfortunately when I decrypt anything I get the following warning: gpg: WARNING: message was not integrity protected I don't get the warning when I go back to no-force-v3-sigs. This isn't an issue with my key (AFAIK) as I generated (another) test key which has the following preferences: Command> showpref pub 1024D/6DA6A7C3 created: 2003-05-20 expires: never trust: u/u (1). Test Key Cipher: AES256, AES192, AES, CAST5, 3DES Digest: SHA1, RIPEMD160 Compression: ZLIB, ZIP, Uncompressed Features: MDC The command I used for my testing was: gpg --armor -u 6DA6A7C3 --sign --output msg1.asc --encrypt -r 6DA6A7C3 msg (i.e. sign and encrypt to self...) My gpg.conf is *********************************************************** #no-force-v3-sigs openpgp keyserver x-hkp://wwwkeys.eu.pgp.net keyserver-options honor-http-proxy no-secmem-warning set-policy-url http://www.liv.ac.uk/~svwright/security/gpg-policy.html show-policy-url *********************************************************** Any ideas??? Cheers, S. From wk@gnupg.org Fri May 23 10:11:02 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 09:11:02 2003 Subject: Encouraging email security. In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> ("Ryan Malayter"'s message of "Thu, 22 May 2003 10:08:38 -0500") References: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> Message-ID: <87r86quof6.fsf@alberti.g10code.de> On Thu, 22 May 2003 10:08:38 -0500, Ryan Malayter said: > Ah, but people actually *don't* know this about email. An executive here Good MUAs display markers in bold letters like: [Begin signed message] ... [End signed message] If that is not enough, well UI designers should suggest something better. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. 
-Gandhi From wk@gnupg.org Fri May 23 10:16:02 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 09:16:02 2003 Subject: encryption In-Reply-To: <20030522152933.9216.qmail@web14603.mail.yahoo.com> (sathish kumar's message of "Thu, 22 May 2003 08:29:33 -0700 (PDT)") References: <20030522152933.9216.qmail@web14603.mail.yahoo.com> Message-ID: <87llwyuo7d.fsf@alberti.g10code.de> On Thu, 22 May 2003 08:29:33 -0700 (PDT), sathish kumar said: > without using recipient name related to that.(gpg > encryption command uses recipient name) Please read the README file. There are several ways to specify the recipient's key. I suggest to use the fingerprint. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Fri May 23 10:16:42 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 09:16:42 2003 Subject: Gpg.exe and long dir names In-Reply-To: <2025060.1053618412629.JavaMail.jbruni@mac.com> (Joseph Bruni's message of "Thu, 22 May 2003 09:46:52 -0600") References: <2025060.1053618412629.JavaMail.jbruni@mac.com> Message-ID: <87of1uuoaj.fsf@alberti.g10code.de> On Thu, 22 May 2003 09:46:52 -0600, Joseph Bruni said: > Have you tried putting quotes around the name? It might not like the spaces. Maybe you need to use the short "~" names? Indeed, spaces are argument delimiters and gpg somehow must know how many arguments are on the command line. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. 
-Gandhi From wk@gnupg.org Fri May 23 10:21:02 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 09:21:02 2003 Subject: GPGme supported platforms In-Reply-To: (Tony_Mione@peoplesoft.com's message of "Thu, 22 May 2003 15:53:49 -0700") References: Message-ID: <87iss2uo0y.fsf@alberti.g10code.de> On Thu, 22 May 2003 15:53:49 -0700, Tony Mione said: > Is there any definitive list of platforms for which GPGme is supported? > Looking at the 'configure' file, the host_os case statements list about > everything > except Apple DOS 3.3 and OS390 (Gaaccck!) I guess you mean config.sub: That is a generic file, used with all GNU programs. The file gets updated from time to time. > In general, does the process spawning and IPC support work well on most > of the unix and windows platforms? It should work on all POSIX systems and most other Unix systems. Windows is a bit different and we have an extra internal gpgme interface for that (w32-io.c). It used to work, but the current version might not yet work. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Fri May 23 10:26:02 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 09:26:02 2003 Subject: Mime Type for Encrypted Attachments In-Reply-To: <200305230056.45358@erwin.ingo-kloecker.de> (Ingo Klöcker's message of "Fri, 23 May 2003 00:56:38 +0200") References: <3EC8C7DE.9060703@gmx.net> <200305212203.23594@erwin.ingo-kloecker.de> <87ptmbwckz.fsf@alberti.g10code.de> <200305230056.45358@erwin.ingo-kloecker.de> Message-ID: <87fzn6unoq.fsf@alberti.g10code.de> On Fri, 23 May 2003 00:56:38 +0200, Ingo Klöcker said: > Are you not confusing something? The encrypted and armored message is > not in the application/pgp-encrypted but in the > application/octet-stream message part. Typical message (the same as in Oops. You are of course right. 
> And using pgp-keys is IMO also wrong because this will confuse MUAs > which provide an Import Key functionality for pgp-keys attachments and Of course only for message containing a key. > The correct content-type is application/octet-stream with > Content-Description: encrypted data. But that's what I already wrote in If you use MIME, use it correctly: rfc3156 ;-) If you don't want that, don't indicate that it is a MIME message. If attachments are to be encrypted separately, use text/plain and let the user check whether he can figure out what to do when noticing the BEGIN PGP line. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Fri May 23 12:01:03 2003 From: wk@gnupg.org (Werner Koch) Date: Fri May 23 11:01:03 2003 Subject: MDC Confusion In-Reply-To: <20030523070511.GA28492@liv.ac.uk> ("Stewart V. Wright"'s message of "Fri, 23 May 2003 08:05:12 +0100") References: <20030523070511.GA28492@liv.ac.uk> Message-ID: <87addeujas.fsf@alberti.g10code.de> On Fri, 23 May 2003 08:05:12 +0100, Stewart V Wright said: > Unfortunately when I decrypt anything I get the following warning: > gpg: WARNING: message was not integrity protected --openpgp currently disables MDC generation because rfc2440 does not specify MDC yet. As soon as a new OpenPGP RFC is out we will change that of course. Simply leave out --openpgp and you get the default GnuPG behaviour. The CVS version has also an --gnupg option to force use of the GnuPG defaults (i.e. rfc2440bis). -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. 
-Gandhi From Tony_Mione@peoplesoft.com Fri May 23 17:21:03 2003 From: Tony_Mione@peoplesoft.com (Tony_Mione@peoplesoft.com) Date: Fri May 23 16:21:03 2003 Subject: GPGme supported platforms Message-ID: "Werner Koch" Sent by: gnupg-users-admin@gnupg.org 05/23/2003 12:21 AM To: Tony_Mione@peoplesoft.com cc: gnupg-users@gnupg.org Subject: Re: GPGme supported platforms On Thu, 22 May 2003 15:53:49 -0700, Tony Mione said: > Is there any definitive list of platforms for which GPGme is supported? > Looking at the 'configure' file, the host_os case statements list about > everything > except Apple DOS 3.3 and OS390 (Gaaccck!) I guess you mean config.sub: That is a generic file, used with all GNU programs. The file gets updated from time to time. > In general, does the process spawning and IPC support work well on most > of the unix and windows platforms? It should work on all POSIX systems and most other Unix systems. Windows is a bit different and we have an extra internal gpgme interface for that (w32-io.c). It used to work, but the current version might not yet work. ... It is pretty important for us that we know if windows platform support works. Has anyone else used GPGme on windows (without cygwin, etc.) and can they confirm that it works reasonably well. Thanks. Antonino N. Mione PeopleTools Security and Infrastructure PeopleSoft, Inc., 4411 PeopleSoft Pkwy., Pleasanton, Ca. 94588 Antonino_Mione@peoplesoft.com +1-(925)-694-6118 got Crypto? 
From rmalayter@bai.org Fri May 23 18:28:02 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Fri May 23 17:28:02 2003 Subject: storing keyrings into SQL database? Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA80@cliff.bai.org> From: Joseph Bruni [mailto:jbruni@mac.com] >Has anyone ever calculated the odds of a fingerprint collision? >Sometimes its kind of nice to know just for perspective. An OpenPGP fingerprint is 80 bits, the chances of a collision between any two fingerprints is about 1 in 2^80, and I think you would need a collection of about 2^40 fingerprints to have a better-than-50% chance of collision. Ryan Malayter Sr. Network & Database Administrator Bank Administration Institute Chicago, Illinois, USA PGP Key: http://www.malayter.com/pgp-public.txt ::::::::::::::::::::::::::::::: Twas a woman who drove me to drink. I never had the courtesy to thank her. -W.C. Fields From reza@malekzadeh.com Fri May 23 19:46:14 2003 From: reza@malekzadeh.com (Reza Malekzadeh) Date: Fri May 23 18:46:14 2003 Subject: Newbie question - importing PGP keys Message-ID: Hello, I am sorry if this has already been discussed. I am new to the list. I have existing PGP keys created with PGP for Windows version 8.0. I just installed gpg on my Mac OS X. I would like to use the same keys. How can I import those keys? Many thanks in advance. -reza From jdbeyer@exit109.com Fri May 23 20:03:03 2003 From: jdbeyer@exit109.com (Jean-David Beyer) Date: Fri May 23 19:03:03 2003 Subject: storing keyrings into SQL database? References: <792DE28E91F6EA42B4663AE761C41C2AEA80@cliff.bai.org> Message-ID: <3ECE549F.406@exit109.com> This is a cryptographically signed message in MIME format. --------------ms060305020407060003050804 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Ryan Malayter wrote: > From: Joseph Bruni [mailto:jbruni@mac.com] > >> Has anyone ever calculated the odds of a fingerprint collision? 
>> Sometimes its kind of nice to know just for perspective. > > > An OpenPGP fingerprint is 80 bits, the chances of a collision between > any two fingerprints is about 1 in 2^80, and I think you would need > a collection of about 2^40 fingerprints to have a better-than-50% > chance of collision. > That calculation did not seem right, but I guess it is. By analogy with the problem in Freshman statistics class, I paraphrase you ... A year of days is between 8 and 9 bits, and I think you would need a collection of about 2^4.5 people to have a better-than-50% chance of collision. IIRC, it takes about 23 people to get that 50% chance. 2^4.5 is 22.6274 on my dinky calculator. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ Registered Machine 73926. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 12:55pm up 4 days, 18:29, 2 users, load average: 2.22, 2.34, 2.38 --------------ms060305020407060003050804 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature --------------ms060305020407060003050804-- From servie_platon@yahoo.com Fri May 23 20:36:04 2003 From: servie_platon@yahoo.com (Servie Platon) Date: Fri May 23 19:36:04 2003 Subject: Problem with tar ball Message-ID: <20030523173620.4165.qmail@web41007.mail.yahoo.com> --0-665279029-1053711380=:1683 Content-Type: text/plain; charset=us-ascii Hi everyone, I have downloaded gnupg-1.2.2.tar.gz from your site. I use the HowTo document as my reference and in doing this procedure. 
However, when I did: # tar xvzf gnu-1.2.2.tar.gz I got an Archive contains obsolescent base-64 headers and invalid compressed data--crc error as well as invalid compressed data--length error which eventually exited from the process. Does this mean that the tar that I have downloaded is corrupted or is there something that I should have done before issuing the tar command? Or should I just download the gnupg-1.2.2-1mdk91.i586.rpm instead and run the rpm command? I use RH 9 with minimum installation. Hope to hear from anyone soon. Thanks in advance. Best regards, Servie --------------------------------- Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. --0-665279029-1053711380=:1683 Content-Type: text/html; charset=us-ascii
--0-665279029-1053711380=:1683-- From douggorley@shaw.ca Fri May 23 20:52:02 2003 From: douggorley@shaw.ca (douggorley@shaw.ca) Date: Fri May 23 19:52:02 2003 Subject: Problem with tar ball Message-ID: Check the md5sum of the tarball you downloaded with the command: md5sum gnupg-1.2.2.tar.gz As stated on the "Integrity Check" page at gnupg.org, the md5sum for that file is 4e1b357b22e1d45d14d340ce03d39b63. If you get something different, you've got a corrupted tarball; try again. Doug Gorley | douggorley@shaw.ca ----- Original Message ----- From: Servie Platon Date: Friday, May 23, 2003 10:36 am Subject: Problem with tar ball > Hi everyone, > > I have downloaded gnupg-1.2.2.tar.gz from your site. I use the > HowTo document as my reference and in doing this procedure. > However, when I did: > > # tar xvzf gnu-1.2.2.tar.gz > > I got an Archive contains obsolescent base-64 headers and invalid > compressed data--crc error as well as invalid compressed data-- > length error which eventually exited from the process. > > Does this mean that the tar that I have downloaded is corrupted or > is there something that I should have done before issuing the tar > command? Or should I just download the gnupg-1.2.2-1mdk91.i586.rpm > instead and run the rpm command? > > I use RH 9 with minimum installation. Hope to hear from anyone > soon. Thanks in advance. > > Best regards, > Servie > > > --------------------------------- > Do you Yahoo!? > The New Yahoo! Search - Faster. Easier. Bingo. From colstar@iprimus.com.au Fri May 23 20:53:03 2003 From: colstar@iprimus.com.au (Colin Brown) Date: Fri May 23 19:53:03 2003 Subject: Gpg.exe and long dir names In-Reply-To: <3ECD00AF.7000205@attbi.com> Message-ID: <000701c32154$4dc76af0$9c6832d2@WORK> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks, Putting the entire filename and path in quotes worked a treat :) The problem had me stumped for a while. Thanks again. Colin B. 
- -----Original Message----- From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org] On Behalf Of John Clizbe Sent: Friday, 23 May 2003 12:54 AM To: Colin Brown; GnuPG Users Subject: Re: Gpg.exe and long dir names - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Colin Brown wrote: > > I am having a bit of trouble with GnuPG and was wondering if anyone can help. > I am trying to feed a file into gpg.exe inside a front end I am writing, the problem being gpg does not like > the full path name for the file > eg. C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt > And seems to fall over, > It is fine when it is just the root dir C:\file.txt > > I can *hack* around this by copying the file to the root dir before encrypting and then copy it back prefer not to do that. > The trouble is the spaces in the file/path names. A few ideas from my own battle scars using unix/Gnu/OpenSource stuff in a Win32 world: 1) Put entire filename and path in quotes - "C:\Documents and Settings\Person Here\My Documents\Visual Studio Projects\WindowsApplication2\bin\Debug\file.txt" 2) use 'old-style (8.3)' file and folder names - C:\Docume~1\%USERNAME%\MyDocu~1\Visual~1\Window~2\bin\debug\file.txt 3) If not already using it, try the Nullify build of GnuPG (http://www.nullify.org) 4) I agree using the root dir is a 'not good' hack. What about using %TEMP%\file.txt? 5) Unix-fy the path - ie replace '\' with '/' and escape the spaces with '\' - "C:/Documents\ and\ Settings/Person\ Here/My\ Documents/Visual\ Studio\ Projects/WindowsApplication2/bin/Debug/file.txt" Though I think this only works under Cygwin, MinGW32, or Services for Unix's Interix environments and quotes around the name would be easier. There may be other hints on MSDN. Try http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnucmg/html/ucmglp.asp - - -- John P. 
Clizbe Inet: JPClizbe AT attbi DOT com Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less = traveled. I chose to cut through the woods." "There is safety in Numbers... *VERY LARGE PRIME* Numbers 9:00PM = Tonight on _REAL_IRONY_: Vegetarian Man Eaten by Cannibals -----BEGIN = PGP SIGNATURE----- Version: GnuPG v1.2.2-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+zQCuHQSsSmCNKhARAsqhAJ0fV0Y9pLPZUbR9rXwmbarGnfFV9gCgjOXZ r1RyzgwZbawHWtjSyd/ztho=3D =3DhRI3 - -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org = http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) iD8DBQE+zmA5a7XhVS1wirkRApMQAJ9/trXYVr3nHMOyn2WvJL8JTkHc2QCg1uB5 bIsLdAvAO1y64IqvHUDxIsk=3D =3DgCsl -----END PGP SIGNATURE----- From rmalayter@bai.org Fri May 23 21:32:02 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Fri May 23 20:32:02 2003 Subject: storing keyrings into SQL database? Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA8A@cliff.bai.org> From: Jean-David Beyer [mailto:jdbeyer@exit109.com]=20 >A year of days is between 8 and 9 bits, and I think you=20 >would need a collection of about 2^4.5 people to have a=20 >better-than-50% chance of collision. Gotta love the old "birthday" paradox... it is the reason why SHA-1 only offers 80 bits of effective security (collision resistance), even though the hash is 160 bits long. Since a PGP fingerprint is only 80 bits of an SHA-1 hash, it offers just 40 bits of collision resistance. Of course, 2^40 PGP keys is an awful lot, so using the fingerprint as a temp file name will work in practice on any conceivable system. (Even a web PGP mail server with a million (2^20) simultaneous users would only have about a 1 in a million (2^20) chance of a collision.) 
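
The birthday bound discussed in this thread, as an added example (not code from any poster on the list): it estimates collision odds for the 365-day case and for 80-bit and 160-bit values, then measures how quickly truncated SHA-1 values of constructed inputs actually collide. The function names and the "constructed-name-" inputs are assumptions made for illustration.

```python
import hashlib
import math


def collision_probability(n_items, bits):
    """Birthday-bound estimate of P(at least one collision) among n_items
    values drawn uniformly from a space of 2**bits possibilities."""
    pairs = n_items * (n_items - 1) / 2.0
    # 1 - exp(-pairs / 2**bits); expm1 keeps precision when the result is tiny.
    return -math.expm1(-pairs / 2.0 ** bits)


def items_for_even_odds(bits):
    """Number of items at which a collision becomes more likely than not."""
    return math.sqrt(2.0 * math.log(2.0)) * 2.0 ** (bits / 2.0)


def truncated_sha1(data, bits):
    """Leading `bits` bits of SHA-1(data), as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_truncated_collision(bits, prefix=b"constructed-name-"):
    """Hash constructed inputs (prefix + counter) until two of them share
    the same truncated SHA-1 value. Returns (first, second, tries)."""
    seen = {}
    counter = 0
    while True:
        data = prefix + str(counter).encode("ascii")
        tag = truncated_sha1(data, bits)
        if tag in seen:
            return seen[tag], data, counter + 1
        seen[tag] = data
        counter += 1


def report():
    """Summarise the cases from the thread plus two measured runs."""
    lines = []
    day_bits = math.log2(365)  # "a year of days is between 8 and 9 bits"
    lines.append("365 days = %.2f bits; even odds at about %.1f people"
                 % (day_bits, items_for_even_odds(day_bits)))
    for bits in (80, 160):
        p = collision_probability(2 ** 20, bits)
        lines.append("%d-bit value, 2^20 items: P(collision) ~ 2^%.0f"
                     % (bits, math.log2(p)))
    for bits in (16, 24):
        first, second, tries = find_truncated_collision(bits)
        lines.append("%d-bit truncation: %r and %r collide after %d tries "
                     "(even odds expected near %.0f)"
                     % (bits, first, second, tries, items_for_even_odds(bits)))
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```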

From dcarrera@math.umd.edu Fri May 23 21:40:01 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Fri May 23 20:40:01 2003
Subject: Newbie question - importing PGP keys
In-Reply-To:
References:
Message-ID: <20030523184058.GK1031@math.umd.edu>

I don't use Mac. But assuming that gpg for Mac works the same as for
Linux/Unix, this is what you'd do:

- On Windows: export the keys to 'mykeys.asc'
- On Mac: Open a terminal and type:

  gpg --import mykeys.asc

I'm not yet familiar with the Mac GUI for gpg, so I can't tell you how to
do it on the GUI.

I hope this helps.
Daniel.

On Fri, May 23, 2003 at 09:46:39AM -0700, Reza Malekzadeh wrote:
> Hello,
>
> I am sorry if this has already been discussed. I am new to the list.
>
> I have existing PGP keys created with PGP for Windows version 8.0.
> I just installed gpg on my Mac OS X. I would like to use the same keys.
> How can I import those keys?
>
> Many thanks in advance.
>
> -reza

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From jbruni@mac.com Fri May 23 21:41:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Fri May 23 20:41:02 2003
Subject: Problem with tar ball
Message-ID: <1187779.1053715338710.JavaMail.jbruni@mac.com>

It sounds more like your download program blew up the tarball. If you
type "file " unix can tell you what kind of file it thinks it is. It
should say something like "gzip compressed data" with maybe more info
after that depending on which version of the "file" command your system
has.

On Friday, May 23, 2003, at 11:36AM, Servie Platon wrote:

--
PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3

From dshaw@jabberwocky.com Fri May 23 23:01:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Fri May 23 22:01:02 2003
Subject: storing keyrings into SQL database?
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA8A@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2AEA8A@cliff.bai.org>
Message-ID: <20030523200137.GE13423@jabberwocky.com>

On Fri, May 23, 2003 at 01:32:50PM -0500, Ryan Malayter wrote:
> From: Jean-David Beyer [mailto:jdbeyer@exit109.com]
> >A year of days is between 8 and 9 bits, and I think you
> >would need a collection of about 2^4.5 people to have a
> >better-than-50% chance of collision.
>
> Gotta love the old "birthday" paradox... it is the reason why SHA-1 only
> offers 80 bits of effective security (collision resistance), even though
> the hash is 160 bits long. Since a PGP fingerprint is only 80 bits of an
> SHA-1 hash, it offers just 40 bits of collision resistance.

This is not correct. PGP uses all 160 bits of the SHA1 fingerprint,
giving 80 bits of collision resistance.

David

From johanw@vulcan.xs4all.nl Sat May 24 00:17:02 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Fri May 23 23:17:02 2003
Subject: Problem with tar ball
In-Reply-To: <20030523173620.4165.qmail@web41007.mail.yahoo.com> from Servie Platon at "May 23, 2003 10:36:20 am"
Message-ID: <200305231929.VAA05766@vulcan.xs4all.nl>

Servie Platon wrote:

Please keep your line length <= 78 chars.

> I got an Archive contains obsolescent base-64 headers and invalid
> compressed data--crc error as well as invalid compressed data--length
> error which eventually exited from the process.

Probably your download client (a web browser?) already decompressed it. Try
"file gnupg-1.2.2.tar.gz" and see what it says. If it says "POSIX tar
archive" it's only a tar file, if it says something like "gzip compressed
data...", then the compression is still OK.

--
ir. J.C.A. Wevers          // Physics and science fiction site:
johanw@vulcan.xs4all.nl    // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From rmalayter@bai.org Sat May 24 00:31:02 2003
From: rmalayter@bai.org (Ryan Malayter)
Date: Fri May 23 23:31:02 2003
Subject: storing keyrings into SQL database?
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA95@cliff.bai.org>

From: David Shaw [mailto:dshaw@jabberwocky.com]
>This is not correct. PGP uses all 160 bits of
>the SHA1 fingerprint, giving 80 bits of collision
>resistance.

Hmm... You're right. 40 hex digits is 160 bits. My brain seems to be
cramping more and more often these days.

From servie_platon@yahoo.com Sat May 24 02:54:02 2003
From: servie_platon@yahoo.com (Servie Platon)
Date: Sat May 24 01:54:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
Message-ID: <20030523235421.42887.qmail@web41013.mail.yahoo.com>

Hi everyone,

Is there a gnupg that runs on windows that has a GUI functionality?

I found one at the gnupg.org site but it's via command line. And I
couldn't find the installation and command howto for windows. It will be
too hard for ordinary windows users to use this. Any other options?

Thanks in advance.

Best regards,
Servie

From jbruni@mac.com Sat May 24 03:48:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 24 02:48:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
Message-ID: <6D472648-8D81-11D7-A4B1-003065B1243E@mac.com>

Look in the section on front ends:

http://www.gnupg.org/related_software/frontends.html

On Friday, May 23, 2003, at 04:54 PM, Servie Platon wrote:

> Hi everyone,
>
> Is there a gnupg that runs on windows that has a GUI functionality?
>
> I found one at the gnupg.org site but it's via command line. And I
> couldn't find the installation and command howto for windows. It will
> be too hard for ordinary windows users to use this. Any other options?
>
> Thanks in advance.
>
> Best regards,
> Servie

From jbruni@mac.com Sat May 24 03:58:03 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 24 02:58:03 2003
Subject: Newbie question - importing PGP keys
In-Reply-To:
Message-ID:

Export the keys from PGP for Windows; remember to include your secret
key.

In the Terminal, use the following command:

% gpg --import

If you want to use GPG for Mail.app, there is a really nice plug-in
available here:

http://www.sente.ch/software/GPGMail/

There are some GUI tools available as well, but none are (IMHO) as nice
as those done by PGP, Inc. They are still a bit rough.

On Friday, May 23, 2003, at 09:46 AM, Reza Malekzadeh wrote:

> Hello,
>
> I am sorry if this has already been discussed. I am new to the list.
>
> I have existing PGP keys created with PGP for Windows version 8.0.
> I just installed gpg on my Mac OS X. I would like to use the same keys.
> How can I import those keys?
>
> Many thanks in advance.
>
> -reza

From Burns Sat May 24 04:28:03 2003
From: Burns (Burns)
Date: Sat May 24 03:28:03 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
Message-ID: <1868223049.20030523202938@runbox.com>

See:

http://groups.google.com/groups?selm=b5d14fa9.0304291355.1cf2130a%40posting.google.com

Randy

> Hi everyone,
>
> Is there a gnupg that runs on windows that has a GUI functionality?
>
> I found one at the gnupg.org site but it's via command line. And I
> couldn't find the installation and command howto for windows. It
> will be too hard for ordinary windows users to use this. Any other
> options?
>
> Thanks in advance.
>
> Best regards,
> Servie
>

From jbruni@mac.com Sat May 24 04:34:03 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Sat May 24 03:34:03 2003
Subject: Newbie question - importing PGP keys
In-Reply-To:
Message-ID:

Remember to mark your key with ultimate trust or you won't be able to
use it (easily).

% gpg --edit-key
Command> trust

Choose option #5 = I trust ultimately

On Friday, May 23, 2003, at 06:26 PM, Reza Malekzadeh wrote:

> Thanks a lot Joseph. It worked!
>
> reza
>
>
> On Friday, May 23, 2003, at 05:57 PM, Joseph Bruni wrote:
>
>> Export the keys from PGP for Windows; remember to include your secret
>> key.
>>
>> In the Terminal, use the following command:
>>
>> % gpg --import
>>
>> If you want to use GPG for Mail.app, there is a really nice plug-in
>> available here:
>>
>> http://www.sente.ch/software/GPGMail/
>>
>> There are some GUI tools available as well, but none are (IMHO) as
>> nice as those done by PGP, Inc. They are still a bit rough.
>>
>>
>> On Friday, May 23, 2003, at 09:46 AM, Reza Malekzadeh wrote:
>>
>>> Hello,
>>>
>>> I am sorry if this has already been discussed. I am new to the list.
>>>
>>> I have existing PGP keys created with PGP for Windows version 8.0.
>>> I just installed gpg on my Mac OS X. I would like to use the same
>>> keys.
>>> How can I import those keys?
>>>
>>> Many thanks in advance.
>>>
>>> -reza
>>>
>

From dshaw@jabberwocky.com Sat May 24 04:37:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Sat May 24 03:37:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
Message-ID: <20030524013748.GH13423@jabberwocky.com>

On Fri, May 23, 2003 at 04:54:21PM -0700, Servie Platon wrote:
> Hi everyone,
>
> Is there a gnupg that runs on windows that has a GUI functionality?
>
> I found one at the gnupg.org site but it's via command line. And I
> couldn't find the installation and command howto for windows. It
> will be too hard for ordinary windows users to use this. Any other
> options?

Check out Windows Privacy Tray. It is a graphical interface to GnuPG.
http://winpt.sourceforge.net/

David

From JPClizbe@attbi.com Sat May 24 05:21:03 2003
From: JPClizbe@attbi.com (John Clizbe)
Date: Sat May 24 04:21:03 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com>
Message-ID: <3ECED727.5080604@attbi.com>

Servie Platon wrote:
> Hi everyone,
>
> Is there a gnupg that runs on windows that has a GUI functionality?
>
> I found one at the gnupg.org site but it's via command line. And I
> couldn't find the installation and command howto for windows. It will be
> too hard for ordinary windows users to use this. Any other options?
>

WinPT or GPGshell. WinPT is opensource. GPGshell isn't. WinPT will do a
full install of GPG (Canonical build). GPGshell takes a bit more effort.
GPGshell is closest in functionality to PGP. You DID look at the PGP
Freeware distro, right? And while you're at it, you may as well look at
the Nullify build of GPG -- it's more tuned for Win32.

Links:
GnuPG         http://www.gnupg.org/
Nullify GPG   http://www.nullify.org
PGP Freeware  http://www.pgp.com/products/freeware.html
GPGshell      http://www.jumaros.de/rsoft/gpgshell.html
WinPT         http://www.winpt.org/ (will redirect to SourceForge)

Hope these help.

-John

From Yochanon@tds.net Sat May 24 08:59:02 2003
From: Yochanon@tds.net (John B)
Date: Sat May 24 07:59:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <3ECED727.5080604@attbi.com>
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com> <3ECED727.5080604@attbi.com>
Message-ID: <200305240102.16503.Yochanon@tds.net>

On Friday 23 May 2003 21:21, John Clizbe wrote:
> Servie Platon wrote:
> > Hi everyone,
> >
> > Is there a gnupg that runs on windows that has a GUI functionality?
> >
> > I found one at the gnupg.org site but it's via command line. And I
> > couldn't find the installation and command howto for windows. It will be
> > too hard for ordinary windows users to use this. Any other options?
>
> WinPT or GPGshell. WinPT is opensource. GPGshell isn't. WinPT will do a
> full install of GPG (Canonical build). GPGshell takes a bit more effort.
> GPGshell is closest in functionality to PGP. You DID look at the PGP
> Freeware distro, right? And while you're at it, you may as well look at
> the Nullify build of GPG -- it's more tuned for Win32.
>
> Links:
> GnuPG http://www.gnupg.org/
> Nullify GPG http://www.nullify.org
> PGP Freeware http://www.pgp.com/products/freeware.html
> GPGshell http://www.jumaros.de/rsoft/gpgshell.html
> WinPT http://www.winpt.org/ (will redirect to SourceForge)
>
> Hope these help.
>
> -John

Or, PGP 6.5.8 can still be had for free (and has PGP VPN also in it), works
extremely well, has super documentation and help, and is easy to use with
its GUI.
He can get it here http://web.mit.edu/network/pgp.html

I still have it on my M$ partition (got it from the same exact website the
day it was made available there).

John

--
"You will bring ussss.....A SHRUBBERY!"
These guys looked dangerous...and hungry, so to placate them
until I found a shrubber, I fed them an MSN butterfly.
They dined quite happily it seemed.

From Thomas.Arend@t-online.de Sat May 24 09:04:02 2003
From: Thomas.Arend@t-online.de (Thomas Arend)
Date: Sat May 24 08:04:02 2003
Subject: Newbie question - importing PGP keys
In-Reply-To:
References:
Message-ID: <200305240804.37672.thomas.arend@t-online.de>

On Friday, 23 May 2003 18:46, Reza Malekzadeh wrote:
> Hello,
>
> I am sorry if this has already been discussed. I am new to the list.
>
> I have existing PGP keys created with PGP for Windows version 8.0.
> I just installed gpg on my Mac OS X. I would like to use the same keys.
> How can I import those keys?
>
> Many thanks in advance.
>
> -reza
>

You must export the public keys and the private keys into a file and then
import with gpg. I'm not familiar with PGP so I can't tell you how to do it in
PGP. gpg has a special export command --export-secret-keys, maybe PGP also.

To import secret and private keys use:

% gpg --import

Best regards

Thomas

From wk@gnupg.org Sat May 24 17:31:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Sat May 24 16:31:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <200305240102.16503.Yochanon@tds.net> (John B's message of "Sat, 24 May 2003 01:02:07 -0500")
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com> <3ECED727.5080604@attbi.com> <200305240102.16503.Yochanon@tds.net>
Message-ID: <87smr4tnu8.fsf@alberti.g10code.de>

On Sat, 24 May 2003 01:02:07 -0500, John B said:

> Or, PGP 6.5.8 can still be had for free (and has PGP VPN also in it), works

However, that version is not OpenPGP compliant and has some annoying
bugs. For example it can't verify a signature made by a subkey.

--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi

From jharris@widomaker.com Sat May 24 18:32:02 2003
From: jharris@widomaker.com (Jason Harris)
Date: Sat May 24 17:32:02 2003
Subject: Encouraging email security.
In-Reply-To: <20030522175209.GA18664@harriet.lollyshouse.net>
References: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org> <20030522175209.GA18664@harriet.lollyshouse.net>
Message-ID: <20030524153251.GD459@pm1.ric-26.lft.widomaker.com>

On Thu, May 22, 2003 at 10:52:09AM -0700, J Irving wrote:

> I agree. I was recently in a "sexual harassment" class where the
> teacher, a lawyer, virtually rolled his eyes and laughed at the
> "I didn't send that email" defense.
> I suggested that it was
> trivial to spoof the origin of an email; he said that it doesn't
> matter what you can do, it only matters what a jury of your peers
> think you can do. He clearly thought that the claim held no
> credibility in any sensible person's mind.

Obviously that FUD suited his position as a teacher in the class.
Sensible people would use and believe expert witnesses.

--
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From Yochanon@tds.net Sat May 24 19:41:02 2003
From: Yochanon@tds.net (John B)
Date: Sat May 24 18:41:02 2003
Subject: GNUPG FOR WINDOWS WITH GUI
In-Reply-To: <87smr4tnu8.fsf@alberti.g10code.de>
References: <20030523235421.42887.qmail@web41013.mail.yahoo.com> <200305240102.16503.Yochanon@tds.net> <87smr4tnu8.fsf@alberti.g10code.de>
Message-ID: <200305241144.35289.Yochanon@tds.net>

On Saturday 24 May 2003 09:34, you scribbled:
> On Sat, 24 May 2003 01:02:07 -0500, John B said:
> > Or, PGP 6.5.8 can still be had for free (and has PGP VPN also in it),
> > works
>
> However, that version is not OpenPGP compliant and has some annoying
> bugs. For example it can't verify a signature made by a subkey.

I don't think that's correct. I had my ex-girlfriend install it on her XPee
box, while I use Linux with kgpg and/or GPA, and we were able to
encrypt/decrypt/whatever back and forth all we wanted to. I also never
noticed any problems with it while I was still using windoze, no 'bugs' ever
seemed to bother me any.

As for the sub-key thing, I have no clue.
I just used a single generated
pair, and that was it, same as now with gpg. YMMV of course, but for the
everyday plain 'Joe', 6.5.8 is just fine IMO, and it *does* work with
opengpg/gpg.

I don't know about the VPN part either, since I never used it, I just
mentioned that it had it in it, that's all. One can always use a different
VPN anyway and still use pgp as their main encryption/keyring/gui.

John

--
"You will bring ussss.....A SHRUBBERY!"
These guys looked dangerous...and hungry, so to placate them
until I found a shrubber, I fed them an MSN butterfly.
They dined quite happily it seemed.

From dvgevers@xs4all.nl Sat May 24 21:42:03 2003
From: dvgevers@xs4all.nl (Dick Gevers)
Date: Sat May 24 20:42:03 2003
Subject: Newbie question - importing PGP keys
In-Reply-To:
References:
Message-ID: <20030524184235.356263b9.dvgevers@xs4all.nl>

On Fri, 23 May 2003 09:46:39 -0700 (PDT), Reza Malekzadeh wrote about
Newbie question - importing PGP keys:

> I have existing PGP keys created with PGP for Windows version 8.0.
> I just installed gpg on my Mac OS X. I would like to use the same keys.
> How can I import those keys?

Hello Reza and others,

There have been two answers on the official way to do this, but there is
another `easy` way to do it as well (based on my Win > Lin experience,
should work Win > OSX): if there are no secret keys in your Mac keyring
try to replace your secring (if any) with that from windows.

Worked for me :-) YMMV

Best regards,
=Dick Gevers=

From bwpearre@alumni.princeton.edu Sat May 24 23:03:03 2003
From: bwpearre@alumni.princeton.edu (Benjamin Weste Pearre)
Date: Sat May 24 22:03:03 2003
Subject: Encouraging email security.
In-Reply-To:
References: <20030519-d0d98d5a1992e7ba80de629a4beaeced@tumbleweed.boston.com>
Message-ID: <20030524200314.GP7001@shostakovich.client.attbi.com>

I originally switched to Mutt because it threads discussions properly.
Pine didn't at the time, although I'm sure it must by now...

PGP things that Pine still doesn't seem to understand, and that Mutt
does:

* S/MIME
* Encrypts attachments too! (in fact, Pine sometimes has trouble even
  encrypting the bodies of messages with attachments)
* Message body search knows how to decrypt messages on the fly
* Can do detached signatures, etc...

Thing Mutt doesn't do well, that I'd like it to:

* Encrypt automatically if every recipient has a valid key in the
  keyring

I have a few friends who try to use encryption with Pine. It doesn't
ever seem entirely happy, even with every hack that I know about,
including procmail hacks on my end as well.

Switching to Mutt is trivial... you won't regret it!

--
Ben Pearre http://hebb.mit.edu/~ben

From bwpearre@alumni.princeton.edu Sat May 24 23:10:02 2003
From: bwpearre@alumni.princeton.edu (Benjamin Weste Pearre)
Date: Sat May 24 22:10:02 2003
Subject: Encouraging email security.
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2AEA70@cliff.bai.org>
Message-ID: <20030524200955.GQ7001@shostakovich.client.attbi.com>

I'd almost welcome the day when you need to be licensed to buy a
computer...

...as long as I control the licensing board ;)

"Question 17: make emacs bootable on x86"...

--
Ben Pearre http://hebb.mit.edu/~ben

From dvgevers@xs4all.nl Sun May 25 18:47:02 2003
From: dvgevers@xs4all.nl (Dick Gevers)
Date: Sun May 25 17:47:02 2003
Subject: To share or not share, that is the question.
Message-ID: <20030525154818.618840ed.dvgevers@xs4all.nl>

Hi all,

A few days ago I suggested to take one`s windows files (e.g. secring;
same applies also to pubring & trustdb) to linux or vice versa via a
fat(32) partition at reboot time.

For good order`s sake, I should like to add that, if asked, I would
advise against putting such files in a shared directory on any box,
particularly if this box is accessible via LAN, WAN, VPN or Internet.

One might even consider wiping the fat partition in case caution is
required or to do such carriage via trustworthy removable media: this
depends upon one`s security needs and sense of `paranoia`.

Thank you and regards,
=Dick Gevers=

From dcarrera@math.umd.edu Mon May 26 02:08:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 26 01:08:03 2003
Subject: Forgot my passphrase.
Message-ID: <20030525230916.GD1138@math.umd.edu>

Ggrrrr

I forgot my passphrase. I was experimenting with diceware, I made a new
passphrase but now I can't retype it. I don't understand, I even wrote it
down! It's no use, I've tried every possible error I could have made when
typing it.

Well, at least I have a revocation certificate, and I wasn't dependent on
this key yet.

I just wanted to double check that I have revoked my key correctly.
I've
sent the revoked key to 4 HKP servers and one LDAP:

~ $ gpg --import 29381B7E_revoke.asc
gpg: key 29381B7E: "Daniel Carrera " revocation certificate imported
gpg: Total number processed: 1
gpg: new key revocations: 1
~ $ gpg --keyserver search.keyserver.net --send-keys 0x29381B7E
gpg: success sending to `search.keyserver.net' (status=200)
~ $ gpg --keyserver keyserver.kjsl.com --send-keys 0x29381B7E
gpg: success sending to `keyserver.kjsl.com' (status=200)
~ $ gpg --keyserver pgp.mit.edu --send-keys 0x29381B7E
gpg: success sending to `pgp.mit.edu' (status=200)
~ $ gpg --keyserver wwwkeys.pgp.net --send-keys 0x29381B7E
gpg: success sending to `wwwkeys.pgp.net' (status=200)
~ $ gpg --keyserver ldap://keyserver.pgp.com --send-keys 0x29381B7E
~ $

Have I done everything correctly?

Thanks. I'll make a new key-pair and I'll be VERY CAREFUL with the
passphrase.

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From DenisMcCauley@ifrance.com Mon May 26 04:37:03 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Mon May 26 03:37:03 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030525230916.GD1138@math.umd.edu>
References: <20030525230916.GD1138@math.umd.edu>
Message-ID: <20030525153015.244C.DENISMCCAULEY@ifrance.com>

On Sun, 25 May 2003 19:09:16 -0400 Daniel Carrera wrote:

> Ggrrrr
>
> I forgot my passphrase. I was experimenting with diceware, I made a new
> passphrase but now I can't retype it. I don't understand, I even wrote it
> down! It's no use, I've tried every possible error I could have made when
> typing it.
>

It's too late now, as you've revoked the key, but I just wonder whether
you did in fact change the passphrase. If you omitted the "save"
command at the end of the process the passphrase would not have been
changed.
It's also a good lesson on the value of keeping backups, which would enable you to return to a version of the key with the old passphrase

Cheers

-- 
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

From jdbeyer@exit109.com Mon May 26 04:40:02 2003
From: jdbeyer@exit109.com (Jean-David Beyer)
Date: Mon May 26 03:40:02 2003
Subject: Forgot my passphrase.
References: <20030525230916.GD1138@math.umd.edu>
Message-ID: <3ED170A5.1060609@exit109.com>

Daniel Carrera wrote:
> Ggrrrr
>
> I forgot my passphrase. I was experimenting with diceware, I made a
> new passphrase but now I can't retype it. I don't understand, I even
> wrote it down! It's no use, I've tried every possible error I could
> have made when typing it.

When I had Red Hat Linux 5.0, I had that problem just logging onto the machine until I discovered that it interpreted the numbers across the top of the keyboard as different from the numbers on the number pad. I have not seen that since the login-password part of that version of Linux, but perhaps something like that was happening to you???

>
> Well, at least I have a revocation certificate, and I wasn't
> dependent on this key yet.
>
> I just wanted to double check that I have revoked my key correctly.
> I've sent the revoked key to 4 HPK servers and one LDAP:
>
> ~ $ gpg --import 29381B7E_revoke.asc
> gpg: key 29381B7E: "Daniel Carrera " revocation certificate imported
> gpg: Total number processed: 1
> gpg: new key revocations: 1
> ~ $ gpg --keyserver search.keyserver.net --send-keys 0x29381B7E
> gpg: success sending to `search.keyserver.net' (status=200)
> ~ $ gpg --keyserver keyserver.kjsl.com --send-keys 0x29381B7E
> gpg: success sending to `keyserver.kjsl.com' (status=200)
> ~ $ gpg --keyserver pgp.mit.edu --send-keys 0x29381B7E
> gpg: success sending to `pgp.mit.edu' (status=200)
> ~ $ gpg --keyserver wwwkeys.pgp.net --send-keys 0x29381B7E
> gpg: success sending to `wwwkeys.pgp.net' (status=200)
> ~ $ gpg --keyserver ldap://keyserver.pgp.com --send-keys 0x29381B7E
> ~ $
>
> Have I done everything correctly?
>
> Thanks. I'll make a new key-pair and I'll be VERY CAREFUL with the
> passphrase.

-- 
  .~.  Jean-David Beyer           Registered Linux User 85642.
  /V\                             Registered Machine 73926.
 /( )\ Shrewsbury, New Jersey     http://counter.li.org
 ^^-^^ 9:35pm up 7 days, 3:09, 2 users, load average: 2.00, 2.02, 2.00

From dcarrera@math.umd.edu Mon May 26 05:05:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 26 04:05:02 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030525153015.244C.DENISMCCAULEY@ifrance.com>
References: <20030525230916.GD1138@math.umd.edu> <20030525153015.244C.DENISMCCAULEY@ifrance.com>
Message-ID: <20030526020633.GB1315@math.umd.edu>

On Sun, May 25, 2003 at 03:37:05PM -1000, Denis McCauley wrote:

> It's too late now, as you've revoked the key, but I just wonder whether
> you did in fact change the passphrase. If you omitted the "save"
> command at the end of the process the passphrase would not have been
> changed.

I tried that. The passphrase was definitely changed.

> It's also a good lesson on the value of keeping backups, which would
> enable you to return to a version of the key with the old passphrase

Good idea. I'll do that in the future.
-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From dcarrera@math.umd.edu Mon May 26 05:07:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 26 04:07:02 2003
Subject: Forgot my passphrase.
In-Reply-To: <3ED170A5.1060609@exit109.com>
References: <20030525230916.GD1138@math.umd.edu> <3ED170A5.1060609@exit109.com>
Message-ID: <20030526020843.GC1315@math.umd.edu>

On Sun, May 25, 2003 at 09:40:53PM -0400, Jean-David Beyer wrote:
> Daniel Carrera wrote:
> > Ggrrrr
> >
> > I forgot my passphrase. I was experimenting with diceware, I made a
> > new passphrase but now I can't retype it. I don't understand, I even
> > wrote it down! It's no use, I've tried every possible error I could
> > have made when typing it.
>
> When I had Red Hat Linux 5.0, I had that problem just logging onto the
> machine until I discovered that it interpreted the numbers across the
> top of the keyboard as different from the numbers on the number pad. I
> have not seen that since the login-password part of that version of
> Linux, but perhaps something like that was happening to you???

Nope. I never use the number pad, only the top row.

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From jbruni@mac.com Mon May 26 05:58:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 26 04:58:02 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030526020633.GB1315@math.umd.edu>
Message-ID:

Daniel,

If you are on a Unix system, it might make sense to do an in-place backup using something like RCS. This would simply check-in a revision of the key ring files into a revision controlled ",v" file. You could keep it in your ~/.gnupg directory as a matter of convenience.
Revision control is not just for software development.

Joe

On Sunday, May 25, 2003, at 07:06 PM, Daniel Carrera wrote:

>
>> It's also a good lesson on the value of keeping backups, which would
>> enable you to return to a version of the key with the old passphrase
>
> Good idea. I'll do that in the future.
>

From dcarrera@math.umd.edu Mon May 26 06:05:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 26 05:05:03 2003
Subject: Forgot my passphrase.
In-Reply-To:
References: <20030526020633.GB1315@math.umd.edu>
Message-ID: <20030526030609.GD1315@math.umd.edu>

On Sun, May 25, 2003 at 07:57:26PM -0700, Joseph Bruni wrote:
> Daniel,
>
> If you are on a Unix system, it might make sense to do an in-place
> backup using something like RCS. This would simply check-in a revision
> of the key ring files into a revision controlled ",v" file. You could
> keep it in your ~/.gnupg directory as a matter of convenience. Revision
> control is not just for software development.
>
> Joe

Yes, I'm on Unix. I'm not really familiar with revision control. At least, not beyond using CVS a few times.

Tell me if I understand RCS correctly:
RCS would keep track of all changes made over a period of time. So I could bring my keyring back to a previous keyring with the old password. Did I get it right?

In that case, doesn't that miss the point of changing the passphrase? Since my hard drive would still contain a copy of my keyring with the old passphrase.

Or... can I use RCS along with some removable media?

Where can I learn about RCS?

Thanks a lot.
-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From jbruni@mac.com Mon May 26 07:32:08 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Mon May 26 06:32:08 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030526030609.GD1315@math.umd.edu>
Message-ID:

It would keep a copy of the secret key with the old passphrase, but you can store the file anywhere you want. Removable media makes sense for this as well. It all really depends on how secure your system is, or how secure the removable medium is.

The RCS commands of interest are "ci" and "co". See the man pages for details. Notably, "rcsintro(1)" is probably a good place to start. You can also use the "rcs" command along with "ci" and "co" for some additional features, (such as location of repository).

If the removable medium is secure, then maybe it would make sense to put an unencrypted secret key on it? That's up to you to decide, but at least then you'd never have to worry about losing your passphrase.

On Sunday, May 25, 2003, at 08:06 PM, Daniel Carrera wrote:

> On Sun, May 25, 2003 at 07:57:26PM -0700, Joseph Bruni wrote:
>> Daniel,
>>
>> If you are on a Unix system, it might make sense to do an in-place
>> backup using something like RCS. This would simply check-in a revision
>> of the key ring files into a revision controlled ",v" file. You could
>> keep it in your ~/.gnupg directory as a matter of convenience.
>> Revision control is not just for software development.
>>
>> Joe
>
> Yes, I'm on Unix. I'm not really familiar with revision control. At
> least, not beyond using CVS a few times.
>
> Tell me if I understand RCS correctly:
> RCS would keep track of all changes made over a period of time. So I
> could bring my keyring back to a previous keyring with the old
> password.
> Did I get it right?
>
> In that case, doesn't that miss the point of changing the passphrase?
> Since my hard drive would still contain a copy of my keyring with the
> old passphrase.
>
> Or... can I use RCS along with some removable media?
>
> Where can I learn about RCS?
>
> Thanks a lot.
> --
> Daniel Carrera         | OpenPGP fingerprint:
> Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
> UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From wobo@wolf-b.de Mon May 26 12:34:02 2003
From: wobo@wolf-b.de (Wolfgang Bornath)
Date: Mon May 26 11:34:02 2003
Subject: Problem: OpenPGP Module not listed
In-Reply-To: <200305170021.13368@erwin.ingo-kloecker.de>
References: <200305131800.20136.wbo@mandrakesoft.com> <200305150117.21129.wobo@wolf-b.de> <200305170021.13368@erwin.ingo-kloecker.de>
Message-ID: <200305182056.54943.wobo@wolf-b.de>

** Ingo Klöcker (Saturday, 17 May 2003 00:21)
> On Thursday 15 May 2003 01:17, Wolfgang Bornath wrote:
>
> > And should I give an option to './configure gpgme....' like
> > '--with-gpgme-config' or something?
>
> gpgme-config will be installed automatically together with the rest
> of gpgme. Is it really missing from /usr/local/bin? Maybe
> /usr/local/bin is for some reason not in your $PATH?

gpgmime-config is in /usr/local/bin and /usr/local/bin is in root's and user's $PATH.

wobo
-- 
Public GnuPG key available at keyserver www.mandrakesecure.net

From bfg@noviforum.si Mon May 26 12:34:37 2003
From: bfg@noviforum.si (Branko F. Gračnar)
Date: Mon May 26 11:34:37 2003
Subject: storing keyrings into SQL database
Message-ID: <00cb01c31df0$6d08b6b0$fac8a8c0@mordor>

Hi there!
I would like to store keyrings in an SQL database. Is this doable? Would it be hard to code such a gpg hack? Any directions, etc?

Brane

From cripto@ecn.org Mon May 26 12:35:11 2003
From: cripto@ecn.org (Anonymous)
Date: Mon May 26 11:35:11 2003
Subject: Encouraging email security.
Message-ID: <0efa67189d4504e8609ecbba1a7c691a@ecn.org>

Daniel Carrera [18/05/2003]:

> It just happens that I know a medium-sized group of people who have a
> non-trivial motivation to use encrypted communication. For some of them I
> can suggest Enigmail. But many of them use web-based email systems. What
> can I do about them?

Assuming text-only communications:

  cut compose/view window contents to clipboard
  encrypt/decrypt clipboard contents
  paste clipboard contents back to compose/view window

Attachments could be encrypted/decrypted locally (ie. copies on hard disk) before/after sending/receiving.

From svwright@liverpool.ac.uk Mon May 26 12:35:45 2003
From: svwright@liverpool.ac.uk (Stewart V. Wright)
Date: Mon May 26 11:35:45 2003
Subject: MDC confusion.
Message-ID: <20030520145028.GB23377@liv.ac.uk>

Hi,

I am having some confusion with modification detection code (MDC).

I'm using the 1.2.3-cvs version (from the 7th of May) of GnuPG.

I just changed my gpg.conf file and changed from
  no-force-v3-sigs
to
  openpgp

Which should make my signatures/encryptions entirely OpenPGP compatible.

Unfortunately when I decrypt anything I get the following warning:
  gpg: WARNING: message was not integrity protected

I don't get the warning when I go back to no-force-v3-sigs.

This isn't an issue with my key (AFAIK) as I generated (another) test key which has the following preferences:

Command> showpref
pub 1024D/6DA6A7C3 created: 2003-05-20 expires: never trust: u/u
(1).
Test Key
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA1, RIPEMD160
Compression: ZLIB, ZIP, Uncompressed
Features: MDC

The command I used for my testing was:
  gpg --armor -u 6DA6A7C3 --sign --output msg1.asc --encrypt -r 6DA6A7C3 msg
(i.e. sign and encrypt to self...)

My gpg.conf is
***********************************************************
#no-force-v3-sigs
openpgp
keyserver x-hkp://wwwkeys.eu.pgp.net
keyserver-options honor-http-proxy
no-secmem-warning
set-policy-url http://www.liv.ac.uk/~svwright/security/gpg-policy.html
show-policy-url
***********************************************************

Any ideas???

Cheers,

S.

-- 
OpenPGP: It's not just a good idea, it's a Human Right!

From smilde@terrasys.de Mon May 26 12:36:19 2003
From: smilde@terrasys.de (Peter L. Smilde)
Date: Mon May 26 11:36:19 2003
Subject: no-permission-warning in options-file
Message-ID: <3ECB5FB6.6090105@terrasys.de>

Hi,

Using the option "--no-permission-warning" on the commandline of gpg 1.2.1 and 1.2.2 suppresses successfully warning messages. But when "no-permission-warning" is inserted into the file gpg.conf (or options) I still get a warning about unsafe file permissions.

I know how to avoid this message the better way, but it would be nice if I could get this option working.

What could be the reason for this behaviour?

-- 
Peter L.
Smilde
OpenPGP-Key: 0xB0E4BF99

From svwright+list@amtp.liv.ac.uk Mon May 26 12:36:53 2003
From: svwright+list@amtp.liv.ac.uk (Stewart V. Wright)
Date: Mon May 26 11:36:53 2003
Subject: MDC confusion
Message-ID: <20030521140705.GA743@liv.ac.uk>

(Apologies if this appears twice. Problems with my mail server at the moment.)

Hi,

I am having some confusion with modification detection code (MDC).

I'm using the 1.2.3-cvs version (from the 7th of May) of GnuPG.

I just changed my gpg.conf file and changed from
  no-force-v3-sigs
to
  openpgp

Which should make my signatures/encryptions entirely OpenPGP compatible.

Unfortunately when I decrypt anything I get the following warning:
  gpg: WARNING: message was not integrity protected

I don't get the warning when I go back to no-force-v3-sigs.

This isn't an issue with my key (AFAIK) as I generated (another) test key which has the following preferences:

Command> showpref
pub 1024D/6DA6A7C3 created: 2003-05-20 expires: never trust: u/u
(1). Test Key
Cipher: AES256, AES192, AES, CAST5, 3DES
Digest: SHA1, RIPEMD160
Compression: ZLIB, ZIP, Uncompressed
Features: MDC

The command I used for my testing was:
  gpg --armor -u 6DA6A7C3 --sign --output msg1.asc --encrypt -r 6DA6A7C3 msg
(i.e. sign and encrypt to self...)

My gpg.conf is
***********************************************************
#no-force-v3-sigs
openpgp
keyserver x-hkp://wwwkeys.eu.pgp.net
keyserver-options honor-http-proxy
no-secmem-warning
set-policy-url http://www.liv.ac.uk/~svwright/security/gpg-policy.html
show-policy-url
***********************************************************

Any ideas???
Cheers,

S.

From mark@summersault.com Mon May 26 12:37:27 2003
From: mark@summersault.com (Mark Stosberg)
Date: Mon May 26 11:37:27 2003
Subject: help: Sorry, no terminal at all requested - can't get input
Message-ID:

Hello,

I'm receiving the following output when trying to generate a key on FreeBSD 4.8, and don't know how to debug this further. I've googled for answers as well as checked the included and web-based documentation.

Thanks!

Mark

The screenshot:
############
$ gpg --gen-key
gpg (GnuPG) 1.2.1; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Sorry, no terminal at all requested - can't get input

From stephan.stapel@web.de Mon May 26 12:38:01 2003
From: stephan.stapel@web.de (Stephan Stapel)
Date: Mon May 26 11:38:01 2003
Subject: Question to german users/ Frage an deutsche Benutzer
Message-ID: <002401c32095$34963120$0a0200c0@athome.de>

Dear list,

this question only concerns German users, so I'm writing in German, I hope that's ok.

I have two questions about use in Germany.

The first question is which bodies sign keys, i.e. make them unambiguously legally valid. At CeBIT there are/were such events now and then, but how does this procedure work during the rest of the year?

The second question concerns the legal validity of GnuPG keys.
For the tax office (Finanzamt), certain data traffic has to be signed in order to guarantee the origin and validity of the data received. Concerns were raised here as to whether the authorities would impose further requirements, i.e. whether it is also prescribed which tools may be used and which are ruled out. Is that the case, and if so, may one use GnuPG?

Unfortunately I am in a bit of a bind, as I cannot find any information on either topic on the net....

Many thanks in advance,

Stephan

From cripto@ecn.org Mon May 26 12:38:38 2003
From: cripto@ecn.org (Anonymous)
Date: Mon May 26 11:38:38 2003
Subject: GPG under Windows/Mac
Message-ID:

Eddie Roosenmaallen [21/05/2003]:

> The easiest and most effective mailer for W32 I've found is Mozilla with the
> Enigmail plugin. It makes things pretty painless, and handles PGP/MIME
> properly (It is, to my knowledge, the /only/ W32 mailer that fully supports
> PGP/MIME).

Wrong.

'Becky2' supports PGP/MIME (by means of plugin) just fine.

From smilde@terrasys.de Mon May 26 12:39:16 2003
From: smilde@terrasys.de (Peter L. Smilde)
Date: Mon May 26 11:39:16 2003
Subject: no-permission-warning in options file
Message-ID: <3ECDD246.9070706@terrasys.de>

Hi,

Using the option "--no-permission-warning" on the commandline of gpg 1.2.1 and 1.2.2 suppresses successfully warning messages. But when "no-permission-warning" is inserted into the file gpg.conf (or options) I still get a warning about unsafe file permissions.

I know how to avoid this message the better way, but it would be nice if I could get this option working.

What could be the reason for this behaviour?

-- 
Peter L.
Smilde
OpenPGP-Key: 0xB0E4BF99

From patrick.brunschwig@gmx.net Mon May 26 12:39:50 2003
From: patrick.brunschwig@gmx.net (Patrick Brunschwig)
Date: Mon May 26 11:39:50 2003
Subject: Mime Type for Encrypted Attachments
Message-ID: <3ECE3B34.3050702@gmx.net>

| On Fri, 23 May 2003 00:56:38 +0200, Ingo Klöcker said:
|
|> Are you not confusing something? The encrypted and armored message is
|> not in the application/pgp-encrypted but in the
|> application/octet-stream message part. Typical message (the same as in
|
| Oops. You are of course right.
|
|> And using pgp-keys is IMO also wrong because this will confuse MUAs
|> which provide an Import Key functionality for pgp-keys attachments and
|
| Of course only for message containing a key.
|
|> The correct content-type is application/octet-stream with
|> Content-Description: encrypted data. But that's what I already wrote in
|
| If you use MIME, use it correctly: rfc3156 ;-) If you don't want that,
| don't indicate that it is a MIME message. If attachments are to be
| encrypted separately, use text/plain and let the user check whether he
| can figure out what to do when noticing the BEGIN PGP line.

Thanks for all the answers!

In fact I'm quite aware of PGP/MIME and what is correct there. I think I will use application/octet-stream as suggested, and which many other mail clients use anyway if you attach pre-encrypted files. The point is that I would like mail clients to be able to detect the PGP encrypted attachments (and possibly act accordingly), but this will usually fail if I'd use text/plain.
-Patrick

From rene@clerc.nl Mon May 26 14:03:03 2003
From: rene@clerc.nl (René Clerc)
Date: Mon May 26 13:03:03 2003
Subject: MDC confusion
In-Reply-To: <20030521140705.GA743@liv.ac.uk>
References: <20030521140705.GA743@liv.ac.uk>
Message-ID: <20030526110051.GK342@clerc.nl>

* Stewart V. Wright [26-05-2003 12:26]:

> Hi,
>
> I am having some confusion with modification detection code (MDC).
>
> I'm using the 1.2.3-cvs version (from the 7th of May) of GnuPG.
>
> I just changed my gpg.conf file and changed from
> no-force-v3-sigs
> to
> openpgp
>
> Which should make my signatures/encryptions entirely OpenPGP
> compatible.
>
> Unfortunately when I decrypt anything I get the following warning:
> gpg: WARNING: message was not integrity protected
>
> I don't get the warning when I go back to no-force-v3-sigs.

Does adding "force-mdc" to your gpg.conf help?

-- 
René Clerc - (rene@clerc.nl)

87. My vats of hazardous chemicals will be covered when not in use. Also, I will not construct walkways above them.
-"Peter Anspach's list of things to do as an Evil Overlord"

From wk@gnupg.org Mon May 26 15:06:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Mon May 26 14:06:02 2003
Subject: help: Sorry, no terminal at all requested - can't get input
In-Reply-To: (Mark Stosberg's message of "Wed, 21 May 2003 16:36:28 +0000 (UTC)")
References:
Message-ID: <87vfvxj4kq.fsf@alberti.g10code.de>

On Wed, 21 May 2003 16:36:28 +0000 (UTC), Mark Stosberg said:

> gpg: Sorry, no terminal at all requested - can't get input

Remove the line

  no-tty

from ~/.gnupg/gpg.conf or ~/.gnupg/options

-- 
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From dlc@users.sourceforge.net Mon May 26 15:14:02 2003
From: dlc@users.sourceforge.net (darren chamberlain)
Date: Mon May 26 14:14:02 2003
Subject: Problem with tar ball
In-Reply-To: <20030523173620.4165.qmail@web41007.mail.yahoo.com>
References: <20030523173620.4165.qmail@web41007.mail.yahoo.com>
Message-ID: <20030523-c24a3385093bba66c9571bb130a643f3@tumbleweed.boston.com>

* Servie Platon [2003-05-23 14:03]:
> I have downloaded gnupg-1.2.2.tar.gz from your site. I use the HowTo
> document as my reference and in doing this procedure. However, when I
> did:
>
> # tar xvzf gnu-1.2.2.tar.gz
>
> I got an Archive contains obsolescent base-64 headers and invalid
> compressed data--crc error as well as invalid compressed data--length
> error which eventually exited from the process.

Did you check the md5 of the tarball? It should be 01cf9c6b949603d0511f6fc07bc758d2, as http://www.gnupg.org/(en)/download/index.html says.
Use the md5sum program to verify that the tarball is not corrupted.

It's possible that, if you downloaded it using a web browser, that the browser uncompressed it for you, and you have a regular tar file. Use the file command to tell you what type of file it is:

$ md5sum gnupg-1.2.2.tar.gz
01cf9c6b949603d0511f6fc07bc758d2 gnupg-1.2.2.tar.gz
$ file gnupg-1.2.2.tar.gz
gnupg-1.2.2.tar.gz: gzip compressed data, deflated, last modified: Thu May 1 10:39:14 2003, max compression, os: Unix
$ gunzip gnupg-1.2.2.tar.gz
$ file gnupg-1.2.2.tar
gnupg-1.2.2.tar: tar archive

(darren)

-- 
I don't mow lawns for the reason that I don't shave.

From dshaw@jabberwocky.com Mon May 26 15:59:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 26 14:59:02 2003
Subject: no-permission-warning in options file
In-Reply-To: <3ECDD246.9070706@terrasys.de>
References: <3ECDD246.9070706@terrasys.de>
Message-ID: <20030526130014.GB9123@jabberwocky.com>

On Fri, May 23, 2003 at 09:48:22AM +0200, Peter L. Smilde wrote:
> Hi,
>
> Using the option "--no-permission-warning" on the commandline of gpg
> 1.2.1 and 1.2.2 suppresses successfully warning messages. But when
> "no-permission-warning" is inserted into the file gpg.conf (or options)
> I still get a warning about unsafe file permissions.
>
> I know how to avoid this message the better way, but it would be nice if
> I could get this option working.
>
> What could be the reason for this behaviour?

GnuPG checks for permissions in three places: the --homedir, the gpg.conf file, and any extensions (i.e. the IDEA module).
The check for the homedir happens *before* reading the gpg.conf file so that anything in the gpg.conf file cannot disable it. This is because an unsafe (and possibly hacked) gpg.conf file might contain a "no-permission-warning" flag specifically to turn off the warnings so you don't know it was hacked.

This isn't clear in the documentation. I'll fix that.

David

From rdmyers@pe.net Mon May 26 18:40:03 2003
From: rdmyers@pe.net (Rodney D. Myers)
Date: Mon May 26 17:40:03 2003
Subject: keyserver
Message-ID: <20030526084220.6c70e756.rdmyers@pe.net>

I know I've sent my gpg key to wwwkeys.pgp.net, but

Today, I've been attempting to check my keys, as listed in the news group, and this server comes up blank.

Is there a web page that shows key servers, along with their status, etc?

Thanks

-- 
Rodney D. Myers
registered Linux user #96112
ICQ#:      AIM#:       YAHOO:
18002350   mailman452  mailman42_5

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

From rdmyers@pe.net Mon May 26 18:46:03 2003
From: rdmyers@pe.net (Rodney D. Myers)
Date: Mon May 26 17:46:03 2003
Subject: key server
Message-ID: <20030526084758.4cd92a03.rdmyers@pe.net>

That's real weird. I just logged off, and back on, and the search works.
I was browsing during the other session, so I have no idea what is going on.

Sorry about that.

-- 
Rodney D. Myers
registered Linux user #96112
ICQ#:      AIM#:       YAHOO:
18002350   mailman452  mailman42_5

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

From Yochanon@tds.net Mon May 26 19:30:02 2003
From: Yochanon@tds.net (John B)
Date: Mon May 26 18:30:02 2003
Subject: GPG under Windows/Mac
In-Reply-To:
References:
Message-ID: <200305261134.13537.Yochanon@tds.net>

On Thursday 22 May 2003 17:20, Anonymous wrote:
> Eddie Roosenmaallen [21/05/2003]:
> > The easiest and most effective mailer for W32 I've found is Mozilla with
> > the Enigmail plugin. It makes things pretty painless, and handles
> > PGP/MIME properly (It is, to my knowledge, the /only/ W32 mailer that
> > fully supports PGP/MIME).
>
> Wrong.
>
> 'Becky2' supports PGP/MIME (by means of plugin) just fine.

IIRR, PocoMail does too (but it's been so long since I've been in my M$ partition, I can't be sure).

John

-- 
"You will bring ussss.....A SHRUBBERY!"
These guys looked dangerous...and hungry, so to placate them until I found a shrubber, I fed them an MSN butterfly. They dined quite happily it seemed.
From Yochanon@tds.net Mon May 26 19:34:03 2003
From: Yochanon@tds.net (John B)
Date: Mon May 26 18:34:03 2003
Subject: keyserver
In-Reply-To: <20030526084220.6c70e756.rdmyers@pe.net>
References: <20030526084220.6c70e756.rdmyers@pe.net>
Message-ID: <200305261138.13609.Yochanon@tds.net>

On Monday 26 May 2003 10:42, Rodney D. Myers wrote:
> I know I've sent my gpg key to wwwkeys.pgp.net, but
>
> Today, I've been attempting to check may keys, as listed in the news
> group, and this server comes up blank.
>
> Is there a web page that show key servers, along with their status, etc?
>
> Thanks

Are you using kgpg? Do you have a photo in your public key? I was having the same trouble. I had a picture of me in my key, and exporting it to keyservers wasn't working, it would be fine if I sent the public key as an attachment to whomever requested it, but the servers would not accept it, so I took the photo out, then resent the key to some servers, and they finally took it.

John

-- 
"You will bring ussss.....A SHRUBBERY!"
These guys looked dangerous...and hungry, so to placate them until I found a shrubber, I fed them an MSN butterfly. They dined quite happily it seemed.

From graham.todd2@ntlworld.com Mon May 26 21:04:02 2003
From: graham.todd2@ntlworld.com (Graham)
Date: Mon May 26 20:04:02 2003
Subject: GPG under Windows/Mac
In-Reply-To:
References:
Message-ID: <200305261910.39654.graham.todd2@ntlworld.com>

On Thursday 22 May 2003 11:20 pm, Anonymous wrote:
> Wrong.
>
> 'Becky2' supports PGP/MIME (by means of plugin) just fine.

Unless there's been a new version of the BkGPG plugin recently for Becky2, that plugin recognises PGP/MIME to RFC2015 only and NOT to RFC 3156 as well. This causes a verification error in those messages produced by MUAs that support both RFCs and the BkGPG plugin used to do just this. Again, unless there are some MUAs with an updated PGP/MIME compatibility, the only two in Windows that I know that support PGP/MIME to RFC2015 and RFC3156 are Mozilla Mail with the Enigmail plugin, and Pegasus with the appropriate GPG plugin.

RFCs are the internet standards in this regard and when I last looked, only Pegasus and Mozilla Mail could be regarded as standards compliant with regard to PGP/MIME.

--
Graham
GPG Keys at gpg.keys@ntlworld.com

From jharris@widomaker.com Mon May 26 23:18:03 2003
From: jharris@widomaker.com (Jason Harris)
Date: Mon May 26 22:18:03 2003
Subject: keyserver
In-Reply-To: <200305261138.13609.Yochanon@tds.net>
References: <20030526084220.6c70e756.rdmyers@pe.net> <200305261138.13609.Yochanon@tds.net>
Message-ID: <20030526201836.GA1137@pm1.ric-39.lft.widomaker.com>

On Mon, May 26, 2003 at 11:38:06AM -0500, John B wrote:
> Are you using kgpg? Do you have a photo in your public key? I was having the
> same trouble.
> I had a picture of me in my key, and exporting it to keyservers
> wasn't working, it would be fine if I sent the public key as an attachment to
> whomever requested it, but the servers would not accept it, so I took the
> photo out, then resent the key to some servers, and they finally took it.

[BCC'd to the keyserver list in case Yaron has any corrections]

Send it to the SKS keyservers, http://sks.sf.net/ , with the photo. One of them should send it to keyserver.kjsl.com which strips the photo and sends it to most of the rest of the keyservers. Or send it to keyserver.kjsl.com directly and let it propagate without the photo.

Also, you can have GPG upload keys to keyservers without uploading the photos by using "--export-options no-include-attributes."

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com | web: http://jharris.cjb.net/

From dshaw@jabberwocky.com Mon May 26 23:58:01 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Mon May 26 22:58:01 2003
Subject: keyserver
In-Reply-To: <20030526201836.GA1137@pm1.ric-39.lft.widomaker.com>
References: <20030526084220.6c70e756.rdmyers@pe.net> <200305261138.13609.Yochanon@tds.net> <20030526201836.GA1137@pm1.ric-39.lft.widomaker.com>
Message-ID: <20030526205905.GD12751@jabberwocky.com>

On Mon, May 26, 2003 at 04:18:37PM -0400, Jason Harris wrote:
> On Mon, May 26, 2003 at 11:38:06AM -0500, John B wrote:
>
> > Are you using kgpg? Do you have a photo in your public key? I was having the
> > same trouble.
> > I had a picture of me in my key, and exporting it to keyservers
> > wasn't working, it would be fine if I sent the public key as an attachment to
> > whomever requested it, but the servers would not accept it, so I took the
> > photo out, then resent the key to some servers, and they finally took it.
>
> [BCC'd to the keyserver list in case Yaron has any corrections]
>
> Send it to the SKS keyservers, http://sks.sf.net/ , with the photo.
> One of them should send it to keyserver.kjsl.com which strips the
> photo and sends it to most of the rest of the keyservers. Or send it
> to keyserver.kjsl.com directly and let it propagate without the photo.
>
> Also, you can have GPG upload keys to keyservers without uploading the
> photos by using "--export-options no-include-attributes."

That should be "--keyserver-options no-include-attributes". "--export-options" applies only to the --export command.

David

From dcarrera@math.umd.edu Tue May 27 00:40:03 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Mon May 26 23:40:03 2003
Subject: [Q] Diceware password size
Message-ID: <20030526214051.GB1445@math.umd.edu>

Hello all,

I want to have an idea of how secure a diceware password is.

http://world.std.com/~reinhold/diceware.html

The diceware FAQ says:

* Four words are breakable with a hundred or so PCs.
* Five words are only breakable by an organization with a large budget.
* Six words appear unbreakable for the near future, though they may be within the range of large governments.
* Seven words and longer are unbreakable with any known technology.
* Eight words should be completely secure for some time to come.

Now, I don't know when this page was last updated, so I don't know how accurate these statements would be. Given current technology, are these statements still reasonably correct?

I'd like some help figuring out the security of a diceware passphrase.

The diceware word list contains 7776 words.
=> There are (7776)^5 possible 5-word passphrases.
=> There is a probability 'p' that the passphrase will be discovered within the first p*(7776)^5 trials.

If I knew the number of trials 'n' that can be performed each minute I could estimate the security of a diceware passphrase. Of course, the value of 'n' depends on the attacker.

Could someone help me figure out the value of 'n' given knowledge of current technology and the resourcefulness of the attacker? (for instance, an attacker with 500 computers at 3GHZ).

Thanks for the help.
--
Daniel Carrera | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html

From ingo.kloecker@epost.de Tue May 27 01:01:01 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Tue May 27 00:01:01 2003
Subject: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <002401c32095$34963120$0a0200c0@athome.de>
References: <002401c32095$34963120$0a0200c0@athome.de>
Message-ID: <200305262153.20187@erwin.ingo-kloecker.de>

On Thursday 22 May 2003 21:06, Stephan Stapel wrote:
> Dear list,
>
> this question only concerns german users, so I'm writing in german, I
> hope that's ok.

No, it's not okay. This question concerns at least all members of the EU.

> I have two questions regarding use in Germany. The first
> question is which authorities sign keys, i.e. make them unambiguously
> legally valid. At CeBIT there are/were such events now and then,
> but how does this procedure work during the
> rest of the year?

You are probably thinking about the c't magazine. But OpenPGP keys don't have any legal relevance regardless of the institution that signed them.

> The second question concerns the legal validity of
> GnuPG keys. For the tax office, certain data traffic must be
> signed to guarantee the origin and validity of the data
> received.

AFAIK signing the stuff you sent them isn't necessary.
> Concerns arose here as to whether the
> authorities impose further requirements, i.e. whether they also
> prescribe which tools may be used and which are ruled out.
> Is that the case, and if so, may one use GnuPG?

No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the requirements for a qualified certificate AFAIK. (One reason is that there is no centralized PKI for OpenPGP.) Currently only S/MIME keys on smartcards which are issued by two or three companies in Germany fulfill these requirements.

I'm pretty sure that you can find more information about qualified certificates on the homepage of the BSI.

Regards,
Ingo

From dvgevers@xs4all.nl Tue May 27 01:11:02 2003
From: dvgevers@xs4all.nl (Dick Gevers)
Date: Tue May 27 00:11:02 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030525153015.244C.DENISMCCAULEY@ifrance.com>
References: <20030525230916.GD1138@math.umd.edu> <20030525153015.244C.DENISMCCAULEY@ifrance.com>
Message-ID: <20030526221240.0089f7fb.dvgevers@xs4all.nl>

On Sun, 25 May 2003 15:37:05 -1000, Denis McCauley wrote about Re: Forgot my passphrase.:

> GPG/PGP keys at http://www.djmccauley.tk

Hello Denis,

I visited your webpage, but I am not very amicable to execute a java script for importing directly a key without being able to see what will happen if I do. Although I must say the page looks very good I will not make use of the `Import key` buttons.
BTW, give my best regards to Maxine Brandt if you should speak to her :-))

Kind regards,
=Dick Gevers=

From rdmyers@pe.net Tue May 27 01:24:02 2003
From: rdmyers@pe.net (Rodney D. Myers)
Date: Tue May 27 00:24:02 2003
Subject: keyserver
In-Reply-To: <200305261138.13609.Yochanon@tds.net>
References: <20030526084220.6c70e756.rdmyers@pe.net> <200305261138.13609.Yochanon@tds.net>
Message-ID: <20030526152622.42f43293.rdmyers@pe.net>

On Mon, 26 May 2003 11:38:06 -0500 John B wrote:

> On Monday 26 May 2003 10:42, Rodney D. Myers wrote:
> > I know I've sent my gpg key to wwwkeys.pgp.net, but
> >
> > Today, I've been attempting to check my keys, as listed in the news
> > group, and this server comes up blank.
> >
> > Is there a web page that shows key servers, along with their status,
> > etc?
> >
> > Thanks
>
> Are you using kgpg? Do you have a photo in your public key? I was
> having the same trouble. I had a picture of me in my key, and exporting
> it to keyservers wasn't working, it would be fine if I sent the public key
> as an attachment to whomever requested it, but the servers would not
> accept it, so I took the photo out, then resent the key to some
> servers, and they finally took it.
>
> John

Nope regular key. The server didn't show anything on any of the keys I know are good.

--
Rodney D. Myers
registered Linux user #96112
ICQ#: AIM#: YAHOO: 18002350 mailman452 mailman42_5

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
Ben Franklin - 1759

From DenisMcCauley@ifrance.com Tue May 27 03:10:03 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Tue May 27 02:10:03 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030526221240.0089f7fb.dvgevers@xs4all.nl>
References: <20030525153015.244C.DENISMCCAULEY@ifrance.com> <20030526221240.0089f7fb.dvgevers@xs4all.nl>
Message-ID: <20030526135123.A133.DENISMCCAULEY@ifrance.com>

Hi Dick,

On Mon, 26 May 2003 22:12:40 +0000 you wrote:

> Hello Denis,
>
> I visited your webpage, but I am not very amicable to execute a java
> script for importing directly a key without being able to see what will
> happen if I do. Although I must say the page looks very good I will not
> make use of the `Import key` buttons.
>

There's no javascript, only HTML, but I see your point and I'll rework the page just to avoid any confusion. What happens when you use the buttons depends on your browser. Using Mozilla/Netscape (on Windows, anyway) you just get a text page of the key which you can copy to clipboard or disk. With IE or Opera you get the choice to open the file or save it to disk. If you have PGP and you choose to open the file then it IS imported in the regular PGP fashion.

> BTW, give my best regards to Maxine Brandt if you should speak to her :-))
>

Will do.
Cheers

--
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

From dvgevers@xs4all.nl Tue May 27 04:48:02 2003
From: dvgevers@xs4all.nl (Dick Gevers)
Date: Tue May 27 03:48:02 2003
Subject: Forgot my passphrase.
In-Reply-To: <20030526135123.A133.DENISMCCAULEY@ifrance.com>
References: <20030525153015.244C.DENISMCCAULEY@ifrance.com> <20030526221240.0089f7fb.dvgevers@xs4all.nl> <20030526135123.A133.DENISMCCAULEY@ifrance.com>
Message-ID: <20030527014943.1dc29e93.dvgevers@xs4all.nl>

Hi Denis and others,

On Mon, 26 May 2003 14:09:12 -1000, Denis McCauley wrote about Re: Forgot my passphrase.:

First of all my very serious apologies about sending my previous message to this list. I mistakenly sent it here, having intended it for you direct only. I made a stupid mistake not changing the address. Moreover I did send a direct apology to you right afterwards, but that message was returned. Again, I am sorry, I think it was inappropriate for sending to this forum.

> There's no javascript, only HTML, but I see your point and I'll rework
> the page just to avoid any confusion.

Thank you!

> What happens when you use the
> buttons depends on your browser. Using Mozilla/Netscape (on Windows,
> anyway) you just get a text page of the key which you can copy to
> clipboard or disk.
> With IE or Opera you get the choice to open the file
> or save it to disk.

Sounds very good :-)

> If you have PGP and you choose to open the file then
> it IS imported in the regular PGP fashion.

When I rarely still use Windows it`s usually for offline banking or something else not provided to Linux users, but should I use PGP again I believe I would indeed not want to manage my keys in such a fashion as you did enable.

Thank you for your understanding.

Kind regards,
=Dick Gevers=

From jbruni@mac.com Tue May 27 05:51:02 2003
From: jbruni@mac.com (Joseph Bruni)
Date: Tue May 27 04:51:02 2003
Subject: [Q] Diceware password size
In-Reply-To: <20030526214051.GB1445@math.umd.edu>
Message-ID: <2BA11E98-8FEE-11D7-999B-003065B1243E@mac.com>

Cool. I scored a Yahtzee on my first roll! I like this game. ;)

On Monday, May 26, 2003, at 02:40 PM, Daniel Carrera wrote:

> Hello all,
>
> I want to have an idea of how secure a diceware password is.
>
> http://world.std.com/~reinhold/diceware.html
>

From wk@gnupg.org Tue May 27 10:56:02 2003
From: wk@gnupg.org (Werner Koch)
Date: Tue May 27 09:56:02 2003
Subject: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <200305262153.20187@erwin.ingo-kloecker.de> (Ingo Klöcker's message of "Mon, 26 May 2003 21:53:14 +0200")
References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de>
Message-ID: <87add8hlf5.fsf@alberti.g10code.de>

On Mon, 26 May 2003 21:53:14 +0200, Ingo Klöcker said:

> No, it's not okay. This question concerns at least all members of the
> EU.

To a very different level. Signature laws (if they exist at all) are different from country to country.

> You are probably thinking about the c't magazine. But OpenPGP keys don't
> have any legal relevance regardless of the institution that signed
> them.

Given a signed paper contract about the use of signatures between the parties, OpenPGP signed documents can be enforceable to the same grade as those with a handwritten signature.

> No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the
> requirements for a qualified certificate AFAIK. (One reason is that
> there is no centralized PKI for OpenPGP.) Currently only S/MIME keys on
> smartcards which are issued by two or three companies in Germany

A qualified signature requires some technical features (most notably a trusted device - a smartcard is sufficient for this) as well as a certificate by an accredited CA. There is nothing in the SigV regulations which demands the use of X.509 or S/MIME.
Even the DINSIG is a draft standard and about all implementations create non-interchangeable messages (on purpose, I bet).

So, to create a SigV compliant qualified signature (which is by law treated the same way as a handwritten one) you basically need a Smartcard and application licensed by the German RegTP and an accredited CA willing to issue certificates (i.e. a key signature) for an OpenPGP key.

Shalom-Salam,

Werner

--
Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi

From Jan Dirnberger Tue May 27 11:16:01 2003
From: Jan Dirnberger (Jan Dirnberger)
Date: Tue May 27 10:16:01 2003
Subject: Validity period of GPG-keys
Message-ID: <20030527101721.O36081@Space.Net>

Hi!

I'm working on a school project, including Public Key Infrastructure (PKI). We are instructed to get out how long the validity period of a GPG-key should be set in a company or other organisations the info-material we collect is for in.

First I wanted to advise an unrestricted validity, but then I remembered that organisations or enterprises might have often changing members. So I'm caught between the devil and the deep blue sea what to advise...

I tried to find out with Google, but there aren't any publications including these informations.

Thanks for any advice or experiences!

Greetings, Jan

From debug Tue May 27 12:49:12 2003
From: debug (DeBug)
Date: Tue May 27 11:49:12 2003
Subject: Re[2]: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <87add8hlf5.fsf@alberti.g10code.de>
References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <87add8hlf5.fsf@alberti.g10code.de>
Message-ID: <4315973521.20030527125108@centras.lt>

WK> Given a signed paper contract about the use of signatures between the
WK> parties, OpenPGP signed documents can be enforceable to the same grade
WK> as those with a handwritten signature.

Bah! really ?
digital keys can be stolen,
and
personal features can't or at least are much harder to mimic/ to copy
Isn't it the principal difference ?

--
Best regards, DeBug mailto:debug@centras.lt
--

From konrad@crunchy-frog.org Tue May 27 16:47:01 2003
From: konrad@crunchy-frog.org (Konrad Podloucky)
Date: Tue May 27 15:47:01 2003
Subject: Re[2]: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <4315973521.20030527125108@centras.lt>
References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <87add8hlf5.fsf@alberti.g10code.de> <4315973521.20030527125108@centras.lt>
Message-ID: <1054043395.689.7.camel@muaddib.podl>

On Tue, 2003-05-27 at 11:51, DeBug wrote:
> WK> Given a signed paper contract about the use of signatures between the
> WK> parties, OpenPGP signed documents can be enforceable to the same grade
> WK> as those with a handwritten signature.
>
> Bah! really ?
> digital keys can be stolen,
> and
> personal features can't or at least are much harder to mimic/ to copy
> Isn't it the principal difference ?

There is an excellent article on that topic from Bruce Schneier:
http://www.thestandard.com/article/display/0,1151,19485,00.html

This article was written in 2000 and unfortunately lawmakers obviously haven't done their homework yet (surprise, surprise).

Konrad

--
"Free people are free to make mistakes and commit crimes and do bad things."
  -- Donald Rumsfeld on the chaos after the "liberation" of Iraq

From rmalayter@bai.org Tue May 27 17:28:02 2003
From: rmalayter@bai.org (Ryan Malayter)
Date: Tue May 27 16:28:02 2003
Subject: [Q] Diceware password size
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEA98@cliff.bai.org>

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
>Could someone help me figure out the value of 'n'
>given knowledge of current technology and the
>resourcefulness of the attacker? (for instance,
>an attacker with 500 computers at 3GHZ).

Well, each diceware word represents 12.92 bits of entropy, so a 5-word passphrase is slightly more than 64 bits of entropy.

There's a good model for a brute-force attack of this size: www.distributed.net broke the 64-bit version of the RC5 algorithm via brute force. Their statistics show that it would take the equivalent of 45,998 2GHz AMD Athlon XP machines 395 days (average) to break the 64-bit keyspace. This is using hand-optimized client programs written in assembly language.

Now, you want to be conservative in your estimates of security, so you'd have to assume that testing password hashes could be optimized to at least the rate of distributed.net's RC5 client program.
You'd also have to make some assumptions about relative performance; some CPUs are better at certain tasks. But assuming a 3 GHz P4 is 50% faster than a 2-GHZ Athlon, it would take a network of ~30,000 3 GHz machines 395 days to break a 5-word diceware passphrase.

But all of this is much ado about nothing: any serious attacker who wanted your data would use a keystroke logging program, hidden camera, or rubber hose to get your passphrase from you rather than try to crack the encryption.

Regards,
-ryan-
:::::::::::::::::::::::::::::::
Do not meddle in the affairs of dragons, for you are crunchy and taste good with ketchup.

From vedaal@hush.com Tue May 27 18:07:02 2003
From: vedaal@hush.com (vedaal@hush.com)
Date: Tue May 27 17:07:02 2003
Subject: Diceware passphrase size
Message-ID: <200305271507.h4RF7OUk018418@mailserver3.hushmail.com>

>On Monday, May 26, 2003, at 02:40 PM, Daniel Carrera wrote:
>
>> Hello all,
>>
>> I want to have an idea of how secure a diceware password is.
[...]

can't give you any specifics on that, other than a vague qualitative statement that they will probably all still be secure in your lifetime, with all foreseeable computing advances,

if you find it hard to type in a long diceware passphrase from the commandline without looking at it, then you might find this interesting:

http://www.angelfire.com/pr/pgpf/pass-strings.html

it is a way of using a random string of characters rather than a collection of words, initially harder to remember, but once memorized, much easier to type

hth,
vedaal
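
The arithmetic from Daniel's question and Ryan's reply above, worked through as an added example (it is not part of any list message). It assumes that distributed.net's "395 days (average)" is the time to search half of the 2^64 RC5 keyspace, that one passphrase guess costs the same as one RC5 key test (Ryan's conservative assumption), and that a 3 GHz machine is 1.5 times the 2 GHz reference machine (also Ryan's assumption).

```python
import math

DICEWARE_WORDS = 7776      # size of the Diceware word list, as given in the thread (6**5)

# distributed.net RC5-64 figures as quoted in the thread.
RC5_BITS = 64
RC5_MACHINES = 45_998      # equivalent 2 GHz Athlon XP machines
RC5_DAYS = 395             # quoted "(average)" time to break the keyspace
SECONDS_PER_DAY = 86_400


def entropy_bits(words, list_size=DICEWARE_WORDS):
    """Entropy of a passphrase of `words` words drawn uniformly at random."""
    return words * math.log2(list_size)


def keyspace(words, list_size=DICEWARE_WORDS):
    """Number of possible passphrases: list_size ** words."""
    return list_size ** words


def success_probability(trials, words):
    """Daniel's 'p': chance the passphrase falls within the first `trials` guesses."""
    return min(1.0, trials / keyspace(words))


def reference_rate():
    """Guesses per second for ONE reference machine.

    Assumption (not stated in the thread): the 395-day average corresponds to
    searching half of the 2**64 keyspace with all 45,998 machines.
    """
    machine_seconds = RC5_MACHINES * RC5_DAYS * SECONDS_PER_DAY
    return (2 ** RC5_BITS / 2) / machine_seconds


def average_days(words, machines, speedup=1.0):
    """Expected days to find a passphrase: half the keyspace at the fleet's rate.

    `speedup` scales each machine relative to the 2 GHz reference machine.
    """
    guesses_needed = keyspace(words) / 2
    guesses_per_second = machines * speedup * reference_rate()
    return guesses_needed / guesses_per_second / SECONDS_PER_DAY


def table(machines=500, speedup=1.5, word_counts=range(4, 9)):
    """Rows of (words, entropy in bits, average years) for the given attacker."""
    return [
        (w, entropy_bits(w), average_days(w, machines, speedup) / 365)
        for w in word_counts
    ]


if __name__ == "__main__":
    # Daniel's example attacker: 500 computers at 3 GHz.
    print("words  bits    average years (500 machines, 1.5x reference speed)")
    for words, bits, years in table():
        print(f"{words:5d}  {bits:6.2f}  {years:.3g}")

    # Ryan's fleet: about 30,000 3 GHz machines is roughly 45,998 reference machines.
    print("5 words, 45,998 reference machines:",
          round(average_days(5, RC5_MACHINES)), "days on average")
```

Five words give about 64.6 bits rather than exactly 64, so under these assumptions the same fleet needs roughly 1.5 times the 395 days quoted for RC5-64.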

From avbidder@fortytwo.ch Tue May 27 18:32:07 2003
From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder)
Date: Tue May 27 17:32:07 2003
Subject: Validity period of GPG-keys
In-Reply-To: <20030527101721.O36081@Space.Net>
References: <20030527101721.O36081@Space.Net>
Message-ID: <200305271733.44535@fortytwo.ch>

On Tuesday 27 May 2003 10:17, Jan Dirnberger wrote:
> Hi!
>
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we
> collect is for in.
>
> First I wanted to advise an unrestricted validity, but then I remembered
> that organisations or enterprises might have often changing members. So
> I'm caught between the devil and the deep blue sea what to advise...

I guess as both long and short validity periods have their (dis)advantages, I guess it boils down to what you like more.

As you're targeting a corporate/institutional environment, where enforced trust like this is relatively easy to get: have you thought about the company having the right to revoke keys of its members? Either by having revocation certificates of all keys stored, or (probably better, but afaik you break backward compatibility with older PGP/GPG versions) by having a corporate key as designated revoker for all keys of the members.
A different possibility is of course to give the keys a long validity, but limit the signature from the company key(s) to something like 1 or 2 years.

greets
-- vbi

--
pub 1024D/92082481 2002-02-22 Adrian von Bidder
Key fingerprint = EFE3 96F4 18F5 8D65 8494 28FC 1438 5168 9208 2481

Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab

From DenisMcCauley@ifrance.com Tue May 27 20:34:20 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Tue May 27 19:34:20 2003
Subject: Validity period of GPG-keys
In-Reply-To: <20030527101721.O36081@Space.Net>
References: <20030527101721.O36081@Space.Net>
Message-ID: <20030527064758.1846.DENISMCCAULEY@ifrance.com>

On Tue, 27 May 2003 10:17:21 +0200 Jan Dirnberger wrote:
>
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we collect
> is for in.
>
> First I wanted to advise an unrestricted validity, but then I remembered that
> organisations or enterprises might have often changing members. So I'm caught
> between the devil and the deep blue sea what to advise...
>

With GPG you can extend the expiry date of a key (although PGP apparently does not recognise an extended expiry date).
Otherwise, you could revoke the keys of members who leave an organisation, either by creating revocation certificates when keys are created or by adding a designated revoker.

Hope that helps.

--
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

From dshaw@jabberwocky.com Tue May 27 20:49:02 2003
From: dshaw@jabberwocky.com (David Shaw)
Date: Tue May 27 19:49:02 2003
Subject: [Announce] GnuPG 1.3.2 released (development)
Message-ID: <20030527154715.GA1417@jabberwocky.com>

Hello!

The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will be GnuPG 1.4 someday. It will change much more frequently than the 1.2.x "stable" branch, which will mainly be updated for bug fix reasons.

The more GnuPG-familiar user is encouraged try this release (and the ones that will follow in the 1.3.x branch), and report back any problems to gnupg-devel@gnupg.org. In return, you get the latest code with the latest features.

Note that while this code is stable enough for many uses, it is still the development branch. Mission-critical applications should always use the 1.2.x stable branch.

The files are available from:

  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.2.tar.gz (1617k)
  ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.2.tar.gz.sig

MD5 checksums for the files are:

  c984bfeb35fbc7bdc591bffb0d690d22 gnupg-1.3.2.tar.gz
  8d6c476a9d972ee7c3436d5ba2029130 gnupg-1.3.2.tar.gz.sig

Noteworthy changes in version 1.3.2 (2003-05-27)
------------------------------------------------

* New "--gnupg" option (set by default) that disables --openpgp, and the various --pgpX emulation options.
  This replaces --no-openpgp, and --no-pgpX, and also means that GnuPG has now grown a --gnupg option to make GnuPG act like GnuPG.

* A bug in key validation has been fixed. This bug only affects keys with more than one user ID (photo IDs do not count here), and results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key.

* Notation names that do not contain a '@' are no longer allowed unless --expert is set. This is to help prevent pollution of the (as yet unused) IETF notation namespace.

* Multiple trust models are now supported via the --trust-model option. The options are "pgp" (web-of-trust plus trust signatures), "classic" (web-of-trust only), and "always" (identical to the --always-trust option).

* The --personal-{cipher|digest|compression}-preferences are now consulted to get default algorithms before resorting to the last-ditch defaults of --s2k-cipher-algo, SHA1, and ZIP respectively. This allows a user to set algorithms to use in a safe manner so they are used when legal to do so, without forcing them on for all messages.

* New --primary-keyring option to designate the keyring that the user wants new keys imported into.

* --s2k-digest-algo is now used for all password mangling. Earlier versions used both --s2k-digest-algo and --digest-algo for passphrase mangling.

* Handling of --hidden-recipient or --throw-keyid messages is now easier - the user only needs to give their passphrase once, and GnuPG will try it against all of the available secret keys.

* Care is taken to prevent compiler optimization from removing memory wiping code.

* New option --no-mangle-dos-filenames so that filenames are not truncated in the W32 version.

* A "convert-from-106" script has been added. This is a simple script that automates the conversion from a 1.0.6 or earlier version of GnuPG to a 1.0.7 or later version.

* Disabled keys are now skipped when selecting keys for encryption.
  If you are using the --with-colons key listings to detect disabled keys, please see doc/DETAILS for a minor format change in this release.

* Minor trustdb changes to make the trust calculations match common usage.

* New command "revuid" in the --edit-key menu to revoke a user ID. This is a simpler interface to the old method (which still works) of revoking the user ID self-signature.

* Status VALIDSIG does now also print the primary key's fingerprint, as well as the signature version, pubkey algorithm, hash algorithm, and signature class.

* Add read-only support for the SHA-256 hash, and optional read-only support for the SHA-384 and SHA-512 hashes.

* New option --enable-progress-filter for use with frontends.

* DNS SRV records are used in HKP keyserver lookups to allow administrators to load balance and select keyserver port automatically. This is as specified in draft-shaw-openpgp-hkp-00.txt.

* When using the "keyid!" syntax during a key export, only that specified key is exported. If the key in question is a subkey, the primary key plus only that subkey is exported.

* configure --disable-xxx options to disable individual algorithms at build time. This can be used to build a smaller gpg binary for embedded uses where space is tight. See the README file for the algorithms that can be used with this option, or use --enable-minimal to build the smallest gpg possible (disables all optional algorithms, disables keyserver access, and disables photo IDs).

* The keyserver no-modify flag on a key can now be displayed and modified.

* Note that the TIGER/192 digest algorithm is in the process of being dropped from the OpenPGP standard. While this release of GnuPG still contains it, it is disabled by default. To ensure you will still be able to use your messages with future versions of GnuPG and other OpenPGP programs, please do not use this algorithm.
Happy Hacking,

  The GnuPG team (David, Stefan, Timo and Werner)

_______________________________________________
Gnupg-announce mailing list
Gnupg-announce@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-announce

From malsyned@cif.rochester.edu Tue May 27 21:01:01 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Tue May 27 20:01:01 2003
Subject: Validity period of GPG-keys
In-Reply-To: <20030527101721.O36081@Space.Net>
References: <20030527101721.O36081@Space.Net>
Message-ID: <1054058579.23485.5.camel@dennisx.cif.rochester.edu>

On Tue, 2003-05-27 at 04:17, Jan Dirnberger wrote:
> I'm working on a school project, including Public Key Infrastructure (PKI).
> We are instructed to get out how long the validity period of a GPG-key
> should be set in a company or other organisations the info-material we collect
> is for in.
>
> First I wanted to advise an unrestricted validity, but then I remembered that
> organisations or enterprises might have often changing members. So I'm caught
> between the devil and the deep blue sea what to advise...

Is it possible for a key signer to revoke its signature on a key? This seems like a natural thing to want to do, but I've never seen it documented. I think it might solve this question as well.

You designate a key, owned by the organization, to be a CA for the organization. It is used to sign every member's key, and when a member leaves an organization, the CA's signature is revoked on that key, indicating that it is no longer valid.

If everyone syncs to the same keyserver, this appears to me to be a workable way to achieve Jan's goals.
Is this possible, and if not, is there a security reason why not, or has it just not been implemented?

--Dennis Lambe

From dcarrera@math.umd.edu Tue May 27 21:59:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 27 20:59:02 2003
Subject: Diceware passphrase size
In-Reply-To: <200305271507.h4RF7OUk018418@mailserver3.hushmail.com>
References: <200305271507.h4RF7OUk018418@mailserver3.hushmail.com>
Message-ID: <20030527190038.GA1748@math.umd.edu>

On Tue, May 27, 2003 at 08:07:24AM -0700, vedaal@hush.com wrote:
> if you find it hard to type in a long diceware passphrase from the
> commandline without looking at it, then you might find this
> interesting:

Well, that's not the reason why I was asking. I do type pretty fast. I want to quantify the security of my passphrase.

> http://www.angelfire.com/pr/pgpf/pass-strings.html
>
> it is a way of using a random string of characters rather than a collection
> of words,
>
> initially harder to remember, but once memorized, much easier to type

It's an interesting idea. However, the keys generated by this method are hard to type because:

- You'd use the shift key for about half the characters.
- About 29% of the characters would be in remote places of the keyboard.

I think it could be improved:

- If you disallow the shift-key, a 12-character password would be equivalent to a 5-word diceware passphrase.
- If you disallow the top row also you'd need 13 characters.
- If you only allow lowercase letters you'd need 14 characters.

I'll think about this. My current passphrase has 35 characters. :)

On the other hand, I can type pretty fast. Maybe the extra memory effort is not worth the savings in typing time.

Thanks for the link.

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

From DenisMcCauley@ifrance.com Tue May 27 22:07:02 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Tue May 27 21:07:02 2003
Subject: [Q] Diceware password size
In-Reply-To: <20030526214051.GB1445@math.umd.edu>
References: <20030526214051.GB1445@math.umd.edu>
Message-ID: <20030527053331.B8D3.DENISMCCAULEY@ifrance.com>

On Mon, 26 May 2003 17:40:52 -0400 Daniel Carrera wrote:

> I'd like some help figuring out the security of a diceware passphrase.
>
> The diceware word list contains 7776 words.
> => There are (7776)^5 possible 5-word passphrases.
> => There is a probability 'p' that the passphrase will be discovered
>    within the first p*(7776)^5 trials.
>
> If I knew the number of trials 'n' that can be performed each minute I
> could estimate the security of a diceware passphrase. Of course, the
> value of 'n' depends on the attacker.

In reality it's not that simple, I think.

First, an attacker must know that Diceware was used. Otherwise he would try a dictionary attack with a much larger word base.
Second, there are two Diceware word lists (in English), which would mean combining the two and having more than 7776 possibilities.

Third, you can include spaces between the words, or not, which would double the search time.

Cheers,

--
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================

From dcarrera@math.umd.edu Tue May 27 22:20:01 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 27 21:20:01 2003
Subject: [Q] Diceware password size
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEA98@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2AEA98@cliff.bai.org>
Message-ID: <20030527192109.GB1748@math.umd.edu>

Thanks. This helps a lot. I do feel more comfortable being able to quantify the security of a passphrase instead of a hand-wavy guess.

Now, I have a question:
What is the RC5 algorithm?

> But all of this is much ado about nothing: any serious attacker who
> wanted your data would use a keystroke logging program, hidden camera,
> or rubber hose to get your passphrase from you rather than try to crack
> the encryption.

Well... it depends on some other factors.
If the attacker is (say) the government of China, and I am in the Americas, and I take safety precautions, they would have to exert some effort to put a key-logger in my computer.

If I make sure that breaking my passphrase is harder than putting a key-logger, all I have to make sure is that putting a key-logger is more expensive than the value of my data.

Thanks for your help. I appreciate it.

On Tue, May 27, 2003 at 09:29:05AM -0500, Ryan Malayter wrote:
> Well, each diceware word represents 12.92 bits of entropy, so a 5-word
> passphrase is slightly more than 64 bits of entropy. There's a good
> model for a brute-force attack of this size: www.distributed.net broke
> the 64-bit version of the RC5 algorithm via brute force. Their
> statistics show that it would take the equivalent of 45,998 2GHz AMD
> Athlon XP machines 395 days (average) to break the 64-bit keyspace. This is
> using hand-optimized client programs written in assembly language.
>
> Now, you want to be conservative in your estimates of security, so you'd
> have to assume that testing password hashes could be optimized to at
> least the rate of distributed.net's RC5 client program. You'd also have
> to make some assumptions about relative performance; some CPUs are
> better at certain tasks. But assuming a 3 GHz P4 is 50% faster than a
> 2-GHZ Athlon, it would take a network of ~30,000 3 GHz machines 395
> days to break a 5-word diceware passphrase.
>
>
> Regards,
> -ryan-
> :::::::::::::::::::::::::::::::
> Do not meddle in the affairs of dragons, for you are crunchy
> and taste good with ketchup.
>

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

From dcarrera@math.umd.edu Tue May 27 22:28:01 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 27 21:28:01 2003
Subject: [Q] Diceware password size
In-Reply-To: <20030527053331.B8D3.DENISMCCAULEY@ifrance.com>
References: <20030526214051.GB1445@math.umd.edu> <20030527053331.B8D3.DENISMCCAULEY@ifrance.com>
Message-ID: <20030527192916.GA1837@math.umd.edu>

On Tue, May 27, 2003 at 05:46:42AM -1000, Denis McCauley wrote:
> In reality it's not that simple, I think.
>
> First, an attacker must know that Diceware was used. Otherwise he would
> try a dictionary attack with a much larger word base.
>
> Second, there are two Diceware word lists (in English), which would mean
> combining the two and having more than 7776 possibilities.
>
> Third, you can include spaces between the words, or not, which would
> double the search time.

Yes, I know. But it is best to be overly pessimistic about how much the attacker knows. The whole point of diceware is that even if the attacker knows *everything* about how you made your passphrase, he or she will not be able to obtain it.

The idea is to establish a lower bound on the safety of my passphrase.
Cheers,

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

From rmalayter@bai.org Tue May 27 23:32:01 2003
From: rmalayter@bai.org (Ryan Malayter)
Date: Tue May 27 22:32:01 2003
Subject: [Q] Diceware password size
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEAA4@cliff.bai.org>

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
>Thanks. This helps a lot. I do feel more comfortable
>being able to quantify the security of a passphrase
>instead of a hand-wavy guess.

>Now, I have a question:
>What is the RC5 algorithm?

RC5 is a block encryption algorithm similar to 3DES, AES, CAST, or Blowfish. It is patented by RSA Security, and is used via license in quite a few commercial products. RC5 is short for "Ron's Code No. 5", named for its creator Ron Rivest (he's the "R" in "RSA"). RC6, an update of RC5, was a finalist in the selection process for AES, however Rijndael was chosen instead for a number of reasons, none of which involved security. RC5 is not, to my knowledge, part of any IETF standards like OpenPGP.

RC5 is interesting in that it can accept a variable key size, and RSA offers rewards for cracking it using various key lengths. Distributed.net received $10,000 for cracking the 64-bit key, and is working on the 72-bit RC5 challenge now. (Note also that the amount of electricity used by the computers participating in the RC5-64 contest cost a *lot* more than $10,000).

-ryan-
:::::::::::::::::::::::::::::::
The greatest lesson in life is to know that even fools are right sometimes.
-Sir Winston S. Churchill

From rmalayter@bai.org Tue May 27 23:56:02 2003
From: rmalayter@bai.org (Ryan Malayter)
Date: Tue May 27 22:56:02 2003
Subject: [Q] Diceware password size
Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEAA5@cliff.bai.org>

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
>If I make sure that breaking my passphrase is
>harder than putting a key-logger, all I have to
>make sure is that putting a key-logger is more
>expensive than the value of my data.

This is going to be very hard for you to do. Almost every OS can be remotely compromised by a skilled hacker if you allow any connections from the Internet at all. There is undoubtedly a buffer overflow somewhere in the service you use. The "hack this box" contests security companies use to show off their wares routinely end in hours.

A foreign attacker could easily bribe a local thief to break into your house for a few hundred dollars. They could write a virus, worm, patch, or game that includes a keystroke logger that you unwittingly install yourself. You may say, "I only use open-source software", but do you review each line of code yourself, or simply trust the PGP signature on the package came from someone trustworthy? Putting a keystroke logging program into your machine in this way is not too expensive or difficult for an organization with the right skills; the recent file-sharing viruses actually do this.

This is why *really* secure systems need to be on isolated networks in extremely physically secure locations. The U.S. Department of Defense, CIA, FBI, and NSA, Britain's MI5, Russia's CSR, and the Israeli Mossad are probably still the leaders in this area.
Regards,
-ryan-

From dcarrera@math.umd.edu Wed May 28 00:54:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Tue May 27 23:54:02 2003
Subject: [Q] Diceware password size
In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2AEAA5@cliff.bai.org>
References: <792DE28E91F6EA42B4663AE761C41C2AEAA5@cliff.bai.org>
Message-ID: <20030527215538.GA1925@math.umd.edu>

Thanks for the info. It's good to be aware of possible avenues of attack.

What precautions would you suggest be used to protect one's data? I mean, if it's so easy to grab the passphrase as you say it is, why bother with GnuPG at all?

I can't protect from a hired thief breaking into my home/office and attaching a key-logger to my keyboard. Perhaps I can protect from the software-based attacks. I already use Unix/Linux where viruses and worms are less common, and I don't generally install software from unknown sources.

What advice would you offer?

Thanks for the help.
Daniel.

On Tue, May 27, 2003 at 03:56:54PM -0500, Ryan Malayter wrote:
> From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
> >If I make sure that breaking my passphrase is
> >harder than putting a key-logger, all I have to
> >make sure is that putting a key-logger is more
> >expensive than the value of my data.
>
> This is going to be very hard for you to do. Almost every OS can be
> remotely compromised by a skilled hacker if you allow any connections
> from the Internet at all. There is undoubtedly a buffer overflow
> somewhere in the service you use. The "hack this box" contests security
> companies use to show off their wares routinely end in hours.
>
> A foreign attacker could easily bribe a local thief to break into your
> house for a few hundred dollars.
> They could write a virus, worm, patch,
> or game that includes a keystroke logger that you unwittingly install
> yourself. You may say, "I only use open-source software", but do you
> review each line of code yourself, or simply trust the PGP signature on
> the package came from someone trustworthy? Putting a keystroke logging
> program into your machine in this way is not too expensive or difficult
> for an organization with the right skills; the recent file-sharing
> viruses actually do this.
>
> This is why *really* secure systems need to be on isolated networks in
> extremely physically secure locations. The U.S. Department of Defense,
> CIA, FBI, and NSA, Britain's MI5, Russia's CSR, and the Israeli Mossad
> are probably still the leaders in this area.
>
> Regards,
> -ryan-

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html

From ingo.kloecker@epost.de Wed May 28 02:36:04 2003
From: ingo.kloecker@epost.de (Ingo Klöcker)
Date: Wed May 28 01:36:04 2003
Subject: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <87add8hlf5.fsf@alberti.g10code.de>
References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <87add8hlf5.fsf@alberti.g10code.de>
Message-ID: <200305272347.31484@erwin.ingo-kloecker.de>

On Tuesday 27 May 2003 09:57, Werner Koch wrote:
> On Mon, 26 May 2003 21:53:14
> +0200, Ingo Klöcker said:
> > No, it's not okay. This question concerns at least all members of
> > the EU.
>
> To a very different level. Signature laws (if they exist at all) are
> different from country to country.

Well, there is a EU-wide law (well, it's not really a law, but I don't know the proper English word) for digital signatures since a few months. So sooner or later (most likely later) all members of the EU will have a corresponding law.

> > You are probably thinking about the c't magazine. But OpenPGP keys
> > don't have any legal relevance regardless of the institution that
> > signed them.
>
> Given a signed paper contract about the use of signatures between the
> parties, OpenPGP signed documents can be enforceable to the same grade
> as those with a handwritten signature.

Until the first court decision declares the opposite if one of the parties suddenly decides not to accept OpenPGP signatures anymore.

> > No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the
> > requirements for a qualified certificate AFAIK. (One reason is that
> > there is no centralized PKI for OpenPGP.) Currently only S/MIME
> > keys on smartcards which are issued by two or three companies in
> > Germany
>
> A qualified signature requires some technical features (most notably
> a trusted device - a smartcard is sufficient for this) as well as a
> certificate by an accredited CA. There is nothing in the SigV
> regulations which demands the use of X.509 or S/MIME. Even the
> DINSIG is a draft standard and about all implementations create
> non-interchangeable messages (on purpose, I bet)
>
> So, to create a SigV compliant qualified signature (which is by law
> treated the same way as a handwritten one) you basically need a
> Smartcard and application licensed by the German RegTP and an
> accredited CA willing to issue certificates (i.e. a key signature)
> for an OpenPGP key.

True.
But I doubt there will ever be a qualified signature using OpenPGP since S/MIME is favored by the government (-> SPHINX) and because it would be too confusing if there were two competing types of qualified signatures.

Regards,
Ingo

From bminton@efn.org Wed May 28 03:07:02 2003
From: bminton@efn.org (Brian Minton)
Date: Wed May 28 02:07:02 2003
Subject: [Q] Diceware password size
In-Reply-To: <20030527053331.B8D3.DENISMCCAULEY@ifrance.com>
References: <20030526214051.GB1445@math.umd.edu> <20030527053331.B8D3.DENISMCCAULEY@ifrance.com>
Message-ID: <20030528000638.GA13509@bminton.dyn.cheapnet.net>

On Tue, May 27, 2003 at 05:46:42AM -1000, Denis McCauley wrote:
> Third, you can include spaces between the words, or not, which would
> double the search time.

Yes, but this is not completely true. For instance, without spaces, some passphrases are equivalent: consider the following extremely insecure two-word passphrases

    the mice
    them ice

now, if an attacker tries one of these, w/o spaces, the other one is free. This decreases the potential number of passphrases. It is therefore recommended to use spaces.

--
Brian Minton             | OpenPGP fingerprint:
brian@minton.name        | 81BE 3A84 A502 ABDD B2CC
http://brian.minton.name | 4BFD 7227 8820 5703 7472
Live long, and prosper longer!
KeyID: 0x57037472

From servie_platon@yahoo.com Wed May 28 05:56:04 2003
From: servie_platon@yahoo.com (Servie Platon)
Date: Wed May 28 04:56:04 2003
Subject: WinPT Current Window Problem
Message-ID: <20030528025717.74465.qmail@web41006.mail.yahoo.com>

Hi everyone,

I have installed winpt-install-1.0rc2 on 2 client machines both running windows, XP and 2000 Professional.

Actually, I have encountered problems on WinPT's Current Window option.

If I go to WinPT - Current Window - Sign & Encrypt or just Sign only. I get an error message - WinPT Error: Make sure that the window contains text. Could not extract data from the current window.

The window is currently active and I have no other windows open. I even go up to the extent of highlighting this whole message body and still get the same error message.

However, if I copy these to the clipboard editor, I could encrypt and sign with no problem.

Did I leave some stones unturned here or do I need some additional configuration options or preferences tweaks on WinPT and GPG? Or is this normal?

Any help would be highly appreciated. Thanks in advance.

Yours sincerely,
Servie
From eroosenmaallen@cogeco.ca Wed May 28 07:37:02 2003
From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen)
Date: Wed May 28 06:37:02 2003
Subject: WinPT Current Window Problem
In-Reply-To: <20030528025717.74465.qmail@web41006.mail.yahoo.com>
References: <20030528025717.74465.qmail@web41006.mail.yahoo.com>
Message-ID: <3ED43D1D.9040706@cogeco.ca>

Hi Servie,

I run into the same issue - I have with every past version of WinPT, as well as with PGPFreeware 7-point-something.

Make sure the area you want WinPT to work with is selected - it isn't always immediately apparent. You can also try selecting the text before executing the command (sometimes works, sometimes doesn't).

Also, some software is uncooperative - At some point, Opera started using custom widgets for many purposes, which simply won't work with the "current window" mode. For these programs, the only practical way to do it is to cut the text, work with it on the clipboard, then paste it.

Peace,
Eddie Roosenmaallen

Servie Platon wrote:
> If I go to WinPT - Current Window - Sign & Encrypt or just Sign only. I
> get an error message - WinPT Error: Make sure that the window contains
> text. Could not extract data from the current window.
>
> The window is currently active and I have no other windows open. I even
> go up to the extent of highlighting this whole message body and still get
> the same error message.
--
OpenPGP KeyID: 0xCC1aCD05
Get my key from keyserver.kjsl.com

From graham.todd2@ntlworld.com Wed May 28 08:24:02 2003
From: graham.todd2@ntlworld.com (Graham)
Date: Wed May 28 07:24:02 2003
Subject: Question to german users/ Frage an deutsche Benutzer
In-Reply-To: <200305272347.31484@erwin.ingo-kloecker.de>
References: <002401c32095$34963120$0a0200c0@athome.de> <87add8hlf5.fsf@alberti.g10code.de> <200305272347.31484@erwin.ingo-kloecker.de>
Message-ID: <200305280630.44508.graham.todd2@ntlworld.com>

On Tuesday 27 May 2003 10:47 pm, Ingo Klöcker wrote:

[snipped]

> Well, there is a EU-wide law (well, it's not really a law, but I
> don't know the proper English word) for digital signatures since a
> few months. So sooner or later (most likely later) all members of the
> EU will have a corresponding law.

I think the word you are looking for is an EU "directive". This still has to be enacted in Member states for it to become law in those states, and of course providing the directive is implemented in full, those states can add whatever they like when passing or not passing the law. This has already led to confusion of laws for agricultural matters enacted in Member states :-) But in this context, digital signatures seemed to be defined as S/MIME signatures unless a Member state enacts legislation to extend that.

[snipped]

> But I doubt there will ever be a qualified signature using OpenPGP
> since S/MIME is favored by the government (-> SPHINX) and because it
> would be too confusing if there were two competing types of qualified
> signatures.
I checked this with a lawyer since digital signatures are allowed to authenticate documents as if they were signatures by recent legislation in the UK. Apparently, the *type* of digital signatures is not specified in the Act of Parliament and the guidance notes states that signatures generated by PGP are allowed. This follows a recommendation by a Committee dealing with e-commerce and is written in to the Parliamentary proceedings in the various stages of the Bill before Parliament before it became an Act (and therefore law).

So if PGP signatures are allowed in UK law to authenticate documents, then it follows logically that OpenPGP signatures are allowed.

--
Graham
GPG Keys at gpg.keys@ntlworld.com

From twoaday@freakmail.de Wed May 28 10:06:31 2003
From: twoaday@freakmail.de (Timo Schulz)
Date: Wed May 28 09:06:31 2003
Subject: WinPT Current Window Problem
In-Reply-To: <20030528025717.74465.qmail@web41006.mail.yahoo.com>
References: <20030528025717.74465.qmail@web41006.mail.yahoo.com>
Message-ID: <20030528070937.GA1435@daredevil.joesixpack.net>

On Tue May 27 2003; 19:57, Servie Platon wrote:

> I have installed winpt-install-1.0rc2 on 2 client machines both running windows, XP and 2000 Professional.
>
> Actually, I have encountered problems on WinPT's Current Window option.

The version (0.7.96rc1 I think) is broken. Try to get the new 0.7.96rc2 which fixes this and a lot of other problems. I'm not sure if the installer already updated the binary, so you should download the stand alone binary.

Timo

--
Windows Privacy Tools           "The virtuous man is content to dream of
(http://winpt.sourceforge.net)   what the wicked man does in real life."
OpenPGP Key 0xBF3DF9B4 -- Platon From wk@gnupg.org Wed May 28 10:16:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 09:16:02 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <4315973521.20030527125108@centras.lt> (debug@centras.lt's message of "Tue, 27 May 2003 12:51:08 +0300") References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <87add8hlf5.fsf@alberti.g10code.de> <4315973521.20030527125108@centras.lt> Message-ID: <87isrvee2u.fsf@alberti.g10code.de> On Tue, 27 May 2003 12:51:08 +0300, DeBug said: WK> Given a signed paper contract about the use of signatures between the WK> parties, OpenPGP signed documents can be enforcable to the same grade WK> as those with a handwritten signature. > personal features can't or at least are much harder to mimic/ to copy > Isn't it the principal difference ? Yep. I expect a lot of interesting problems and funny things like faked banns as soon as qualified digital signatures are in widespread use. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Wed May 28 10:31:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 09:31:02 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <200305272347.31484@erwin.ingo-kloecker.de> ( =?iso-8859-1?q?Ingo_Kl=F6cker's_message_of?= "Tue, 27 May 2003 23:47:30 +0200") References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <87add8hlf5.fsf@alberti.g10code.de> <200305272347.31484@erwin.ingo-kloecker.de> Message-ID: <87el2jed9w.fsf@alberti.g10code.de> On Tue, 27 May 2003 23:47:30 +0200, Ingo Klöcker said: > months. So sooner or later (most likely later) all members of the EU > will have a corresponding law. 
The EU directive is still much more relaxed than the German signature law even after it has been adjusted to the directive. IIRC, the EU does not demand a dedicated hardware. > Until the first court decision declares the opposite if one of the > parties suddenly decides not to accept OpenPGP signatures anymore. You are free to do what you want in a contract; it should even be possible to agree that no signature at all is required for further contracts. OTOH, it is easier in court to prove things given using a handwritten signature or using a well-known digital signature protocol. If there are doubts the judge has to hear an advisor, be it for a handwritten signature or a digital one. > True. But I doubt there will ever be a qualified signature using OpenPGP > since S/MIME is favored by the government (-> SPHINX) and because it There is nothing in the EU directive, the German signature law (SigG) or its bylaw (SigV) which defines a specific protocol. The RegTP (telecommunications and postal regulation authority) merely needs to declare the system to be in compliance to the SigV. If a RegTP accredited CA decides to offer an OpenPGP signature card, it is very well possible to have a qualified digital signature based on OpenPGP. > would be too confusing if there were two competing types of qualified > signatures. Every German crypto vendor has its own idea on how to implement a digital signature protocol. The German DINSIG specification does not specify every detail and as with all OSI protocols different implementations don't work very well together. SPHINX does not aim for SigV compliance. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. 
-Gandhi From wk@gnupg.org Wed May 28 10:46:01 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 09:46:01 2003 Subject: [Q] Diceware password size In-Reply-To: <20030527215538.GA1925@math.umd.edu> (Daniel Carrera's message of "Tue, 27 May 2003 17:55:39 -0400") References: <792DE28E91F6EA42B4663AE761C41C2AEAA5@cliff.bai.org> <20030527215538.GA1925@math.umd.edu> Message-ID: <87add7eckw.fsf@alberti.g10code.de> On Tue, 27 May 2003 17:55:39 -0400, Daniel Carrera said: > I mean, if it's so easy to grab the passphrase as you say it is, why > bother with GnuPG at all? GnuPG protects quite well against any non-targeted attack, e.g. Echelon. If you don't use a networked machine and instead copy your messages using a floppy disk to a networked machine (encrypted) it should also give a good security against any remote direct targeted attack. > software-based attacks. I already use Unix/Linux where viruses and worms > are less common, and I don't generally install software from unknown I would not count on this. For a skilled and motivated attacker or a government it should be easy to identify an exploitable bug in any involved software (OS or any of the installed applications) and keep that bug secret for their own use. -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. 
-Gandhi From avbidder@fortytwo.ch Wed May 28 10:50:25 2003 From: avbidder@fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Wed May 28 09:50:25 2003 Subject: Validity period of GPG-keys In-Reply-To: <1054058579.23485.5.camel@dennisx.cif.rochester.edu> References: <20030527101721.O36081@Space.Net> <1054058579.23485.5.camel@dennisx.cif.rochester.edu> Message-ID: <200305280951.14505@fortytwo.ch> On Tuesday 27 May 2003 20:02, Dennis Lambe Jr. wrote: > Is it possible for a key signer to revoke its signature on a key? This > seems like a natural thing to want to do, but I've never seen it > documented. Yes, it's possible, and it's documented. I agree with you that this is a very good solution to the problem. -- vbi -- Hear me, my chiefs, I am tired; my heart is sick and sad. From where the sun now stands I Will Fight No More Forever. 
-- Chief Joseph of the Nez Perce -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iKcEABECAGcFAj7UanJgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjQmbWQ1c3VtPTgxNjMwYmFhYmU5YTA2NzBi YjE5YzFmYTg1MjdhN2FiAAoJEIukMYvlp/fWW84An23Lhocwzssk4R1fgICabaDm wSi2AJ42hci1/jGkqNPsYjxMQGhDbq9unQ== =sy/Q -----END PGP SIGNATURE----- Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab From m.mansfeld@mansfeld-elektronik.de Wed May 28 12:18:02 2003 From: m.mansfeld@mansfeld-elektronik.de (Matthias Mansfeld) Date: Wed May 28 11:18:02 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <87el2jed9w.fsf@alberti.g10code.de> References: <200305272347.31484@erwin.ingo-kloecker.de> ( =?iso-8859-1?q?Ingo_Kl=F6cker's_message_of?= "Tue, 27 May 2003 23:47:30 +0200") Message-ID: On 28 May 2003 at 9:33, Werner Koch wrote: [...] > You are free to do what you want in a contract; it should even be > possible to agree that no signature at all is required for further > contracts. OTOH, it is easier in court to prove things given using a > handwritten signature or using a well-known digital signature > protocol. If there are doubts the judge has to hear an advisor, be it > for a handwritten signature or a digital one. [...] And, honestly said, in real life a handwritten signature can be spoofed 1000% easier than an OpenPGP or S/MIME or whatever digital signature. 
Regards Matthias From wobo@wolf-b.de Wed May 28 12:50:24 2003 From: wobo@wolf-b.de (Wolfgang Bornath) Date: Wed May 28 11:50:24 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <4315973521.20030527125108@centras.lt> References: <002401c32095$34963120$0a0200c0@athome.de> <87add8hlf5.fsf@alberti.g10code.de> <4315973521.20030527125108@centras.lt> Message-ID: <200305271242.52540.wobo@wolf-b.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ** DeBug (Tuesday, 27 May 2003 11:51) > WK> Given a signed paper contract about the use of signatures between > WK> the parties, OpenPGP signed documents can be enforceable to the > WK> same grade as those with a handwritten signature. > > Bah! really ? > digital keys can be stolen, > and > personal features can't or at least are much harder to mimic/ to copy > Isn't it the principal difference ? With this you question the whole concept of Digital Signing. If this is your opinion you'd never trust a digitally signed message like a hand-signed hardcopy. IMHO it's far easier to forge a real hand-signed letter than a digitally signed email. But anyhow, as soon as communication between 2 different locations is involved you can't get 100% security. With a certain amount of criminal energy you can forge everything. So in the end you *have* to put a little bit of trust into digital signing and de-/encryption. Otherwise you have to stick to RL encounters only. This is not a technical issue but a fundamental one. 
wobo - -- Public GnuPG key available at http://www.wolf-b.de/misc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+00EqGJBF69bft5ARAqYDAJwOENPkBP64aNkiqH8LY8Ytsz8bhQCfRZQt OhEzuARGXgxtfFn17K4XkM0= =zWLd -----END PGP SIGNATURE----- From stephan.stapel@web.de Wed May 28 12:51:07 2003 From: stephan.stapel@web.de (Stephan Stapel) Date: Wed May 28 11:51:07 2003 Subject: Question to german users/ Frage an deutsche Benutzer References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> Message-ID: <007101c32474$2f473d30$0a0200c0@athome.de> >> this question only concerns german users, so I'm writing in german, I >> hope that's ok. > >No, it's not okay. This question concerns at least all members of the >EU. No need to be rude, though the law is german not european afaik. >> The second question concerns the legal validity of >> GnuPG keys. For the tax office, certain data traffic has to be >> signed in order to guarantee the origin and the validity of the >> data received. > >AFAIK signing the stuff you sent them isn't necessary. That's not the point and that's not what I was asking for. I don't send _them_ any signed messages but I need to send messages between business partners which have to sign the respective contents with a key that suits afaik paragraph 15, part 1 of SignaturG. But anyway, I don't want to start no flame here. I just wanted to know -- and I think that could be interesting for a lot of (maybe not only the german...) people on the list -- how to establish this defined-by-law "valid" data exchange. Thanks for the bsi info, there's indeed a list on their site :-)) But what I still don't understand is what Werner wrote, what applications are licensed by the german RegTP? Does this issue apply for GnuPG? 
Kind regards, Stephan From wk@gnupg.org Wed May 28 14:51:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 13:51:02 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <200305271242.52540.wobo@wolf-b.de> (Wolfgang Bornath's message of "Tue, 27 May 2003 12:42:24 +0200") References: <002401c32095$34963120$0a0200c0@athome.de> <87add8hlf5.fsf@alberti.g10code.de> <4315973521.20030527125108@centras.lt> <200305271242.52540.wobo@wolf-b.de> Message-ID: <87of1ncmns.fsf@alberti.g10code.de> On Tue, 27 May 2003 12:42:24 +0200, Wolfgang Bornath said: > So in the end you *have* to put a little bit of trust into digital > signing and de-/encryption. Otherwise you have to stick to RL ... and a lot of trust in the organizational issues. Salam-Shalom, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Wed May 28 14:51:38 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 13:51:38 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: (Matthias Mansfeld's message of "Wed, 28 May 2003 11:19:45 +0200") References: <200305272347.31484@erwin.ingo-kloecker.de> Message-ID: <87smqzcmqs.fsf@alberti.g10code.de> On Wed, 28 May 2003 11:19:45 +0200, Matthias Mansfeld said: > And, honestly said, in real life a handwritten signature can be > spoofed 1000% easier than a OpenPGP or S/MIME or whatever digital It is not only the signature a judge or advisor takes into account. There is a lot more evidence, like circumstances when signing the document, the type of paper, printed letterheads. Furthermore it is possible to apply technical analysis to the ink and paper and compare it with others. And you can't automate signing documents with handwritten signatures; thus mass attacks are not possible. 
Furthermore, we know for several hundred years how to cope with signed documents on paper, our experience with digital signature is only a few years old if at all. IIRC, Ross Anderson has something to say about this in his Security Engineering book. Get it; it is a really thrilling book and a MUST for everyone working on security. Shalom-Salam, Werner -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From wk@gnupg.org Wed May 28 15:06:02 2003 From: wk@gnupg.org (Werner Koch) Date: Wed May 28 14:06:02 2003 Subject: Question to german users/ Frage an deutsche Benutzer In-Reply-To: <007101c32474$2f473d30$0a0200c0@athome.de> (Stephan Stapel's message of "Tue, 27 May 2003 19:19:51 +0200") References: <002401c32095$34963120$0a0200c0@athome.de> <200305262153.20187@erwin.ingo-kloecker.de> <007101c32474$2f473d30$0a0200c0@athome.de> Message-ID: <87k7cbclxp.fsf@alberti.g10code.de> On Tue, 27 May 2003 19:19:51 +0200, Stephan Stapel said: > But what I still don't understand is what Werner wrote, what applications > are licensed by the german RegTP? Does this issue apply for GnuPG? To be able to issue a certificate useful for a qualified[1] digital signature a CA must be accredited by the RegTP and for that it is required that verified systems must be used for the certification, the used hardware tokens etc. See http://www.regtp.de/tech_reg_tele/start/in_06-02-05-00-00_m/index.html for a list of approved products. Having a compliant card is actually sufficient, because it won't be possible to check whether a suitable card reader has actually been used for creating the signature. However, it is in the user's own interest to use secure device and viewers etc. All the mainstream products are only available for Windows, so the certification of the software is a bit questionable because the OS isn't certified and the certification does not involve a code inspection. 
Shalom-Salam, Werner [1] "qualified" is a class of signatures as defined by the German signature laws. There are also "advanced" digital signatures, with the rule that suitable measures must be taken to prevent forging and "simple" digital signature where just signing the email with your name in plain text would be sufficient and in compliance to the law (without any real advantage of course). -- Nonviolence is the greatest force at the disposal of mankind. It is mightier than the mightiest weapon of destruction devised by the ingenuity of man. -Gandhi From sebastian@karotte.org Wed May 28 16:49:02 2003 From: sebastian@karotte.org (Sebastian Wiesinger) Date: Wed May 28 15:49:02 2003 Subject: View trust of key Message-ID: <20030528134952.GA29676@data.fire-world.de> Hi! The ways to show the trust of a key are: Use --edit or --with-colons. These 2 aren't very comfortable when I just want to view the trust for myself on the commandline. Is there any other way? Perhaps you could include it somehow into the --list-keys output? -- GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20) Resist the beginnings: http://odem.org/informationsfreiheit/ 'But...I died,' said the shade of Unity. YES, said Death. THIS IS THE NEXT PART... - Terry Pratchett, Thief Of Time -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD4DBQE+1L6AG2A09Ha3nyARAvN8AJ4o1wT3bqQRDyVIMCth5+adAiPvkgCYi5pG qL8eNVzCIn3VZiKNGzqgOQ== =B1bb -----END PGP SIGNATURE----- From jdbeyer@exit109.com Wed May 28 19:04:02 2003 From: jdbeyer@exit109.com (Jean-David Beyer) Date: Wed May 28 18:04:02 2003 Subject: Uploading keys. Message-ID: <3ED4DE2D.700@exit109.com> In the past I have uploaded my GnuPG public key to various keyservers. I forgot how that really works. 
I just added a new subkey to my key because the previous one is going to expire soon. I then did things like this: valinux:jdbeyer[~/.gnupg]$ gpg --keyserver pgpkeys.mit.edu --send-key whimsey gpg: success sending to `pgpkeys.mit.edu' (status=200) valinux:jdbeyer[~/.gnupg]$ But when I look at that key server, my old key is still there, not the new one. My new public key ends like this: iSL+lVDSPGaWjI+d34hMBBgRAgAMBQI+1MzqBQkCUUMAAAoJED7btl6aL8maVlMA n0t+8+tD12j666iZXWgrLIz3jO7SAKDHpgmsXaK9wirCAuTofwsAwv38dg== =dnNi -----END PGP PUBLIC KEY BLOCK----- and that is clearly not the same as my old public key that ends like this: RIhMBBgRAgAMBQI7rAjeBQkB4TOAAAoJED7btl6aL8mact4AnRH3Su9LJlFnqA8Q xvlkXcq8t6niAKCaqqaNDR23dmbVfvKDtg2Td9ooVg== =Bmof -----END PGP PUBLIC KEY BLOCK----- If I do gpg --edit-key whimsey, I get this: Secret key is available. pub 1024D/9A2FC99A created: 2001-09-22 expires: never trust: u/u sub 1024g/EEF02424 created: 2001-09-22 expires: 2002-09-22 sub 2048g/FE6BE54F created: 2002-03-02 expires: 2003-08-24 sub 2048g/D91C7C08 created: 2003-05-28 expires: 2004-08-20 (1). Jean-David Beyer (Institute for Regimented Whimsey) I guess my question is: do keyservers update their databases in batch mode and I should just have patience to see the update? (I am not talking about the change propagating to other keyservers: just the one where I updated the change.) Or is something wrong and the gpg: success sending to `pgpkeys.mit.edu' (status=200) message is somehow invalid? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ Registered Machine 73926. 
/( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 11:55am up 9 days, 17:28, 4 users, load average: 2.23, 2.16, 2.10 From rmalayter@bai.org Wed May 28 20:17:02 2003 From: rmalayter@bai.org (Ryan Malayter) Date: Wed May 28 19:17:02 2003 Subject: [Q] Diceware password size Message-ID: <792DE28E91F6EA42B4663AE761C41C2AEAAE@cliff.bai.org> From: Daniel Carrera [mailto:dcarrera@math.umd.edu] > What precautions would you suggest be used to protect one's data? > > I mean, if it's so easy to grab the pass phrase as you say it is, why > bother with GnuPG at all? GnuPG is good at protecting against the attacker without the means to target you specifically. For example, there are reliable sources which state that the FBI and NSA scan most unencrypted email on the internet by having filters installed at strategic choke points on the Internet. GnuPG is also good for sharing information securely when another channel is unavailable. When I need to change a password or the configuration of a machine hosted off-site, I send the hosting service a signed and encrypted email with my configuration changes or password information. Voice mail or even plain telephone isn't secure enough, and I'm not driving over there every time. GnuPG is useful because it makes intercepting or forging messages orders of magnitude harder. It is very easy to do these things on unencrypted communications; using GnuPG takes out >>90% of your potential adversaries. A snoop or hacker that is not specifically after *you* will simply move on to an easier target. > What advice would you offer? Assume that anything you put on your PC is vulnerable to a determined attacker that is targeting you specifically, be it a skilled hacker, espionage agent, or police agency. There are analogs for GnuPG's shortcomings in the physical world: using a bank's safe deposit box protects you from 99% of the people who would want to get at your valuables. 
But someone could always mug you and take the key, or make a copy by breaking into the locker room in your health club and stealing your ID and the key. Of course a police agency can usually get a court order to look in the box. But by using the safe deposit box, you reduce the spectrum of attackers to those who are especially skilled or powerful and want to target you specifically. -Ryan- ::::::::::::::::::::::::::::::: The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries. -Sir Winston Churchill From servie_platon@yahoo.com Wed May 28 21:14:02 2003 From: servie_platon@yahoo.com (Servie Platon) Date: Wed May 28 20:14:02 2003 Subject: Could Not Register Hot Keys Message-ID: <20030528181442.61098.qmail@web41003.mail.yahoo.com> Hi everyone, I tried adding Hot Keys to Current Window Hot Key Management. But I am getting an error message: Could Not Register Hot Key. I did search WinPT's Support Page and did exactly the suggestions, but still could not register the Keys. Encrypt: Alt + Shift + E Decrypt/verify: Alt + Shift + D Sign: Alt + Shift + S etc. Before I throw our Windows client machines to the trash. Any ideas on this? Thanks a lot. InHisGrip, Servie Platon OpenGPG Signature: 23D1 FD75 132B FF2A 332E 42A6 DC4B 0A7C 80A5 57EB
From twoaday@freakmail.de Wed May 28 22:06:02 2003 From: twoaday@freakmail.de (Timo Schulz) Date: Wed May 28 21:06:02 2003 Subject: Could Not Register Hot Keys In-Reply-To: <20030528181442.61098.qmail@web41003.mail.yahoo.com> References: <20030528181442.61098.qmail@web41003.mail.yahoo.com> Message-ID: <20030528190905.GA948@daredevil.joesixpack.net> On Wed May 28 2003; 11:14, Servie Platon wrote: > I tried adding Hot Keys to Current Window Hot Key Management. But I am > getting an error message: Could Not Register Hot Key. Is it possible that another application already registered these hotkeys before? > Any ideas on this? Thanks a lot. Check if other applications already reserved the keys and if so, try to change the hotkeys to another key ("e" -> "p" for example). Timo -- Windows Privacy Tools (http://winpt.sourceforge.net) OpenPGP Key 0xBF3DF9B4 "The virtuous man is content to dream of what the wicked man does in real life." -- Plato From dcarrera@math.umd.edu Thu May 29 02:00:02 2003 From: dcarrera@math.umd.edu (Daniel Carrera) Date: Thu May 29 01:00:02 2003 Subject: [Q] "sign" vs "sign-locally" Message-ID: <20030528230055.GA1838@math.umd.edu> Hi all, I just realized that there are two ways of signing a key. You can "sign" it, or sign it "locally". What's the difference? If I understand correctly, your signing a key means that you are confident that the key belongs to the person you think it does. So, for instance, I could meet the person face-to-face and get his or her key ID for verification. I've looked at the man page. I think that "sign" is what I just described in the above paragraph. But I'm not sure I understand how "sign-locally" is different. Also, why would I ever want to sign a key "non-revocably"? 
Thanks for the help. -- Daniel Carrera | OpenPGP fingerprint: Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88 UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (SunOS) iD8DBQE+1T+nnxE8DWHf+OcRAsgTAJ9yAd9wn2/PLpimnYO+rOxauvclJQCdGOkw 8wXZP+BkfHH8JVPkVipK1Ww= =ShDD -----END PGP SIGNATURE----- From jbruni@mac.com Thu May 29 03:04:02 2003 From: jbruni@mac.com (Joseph Bruni) Date: Thu May 29 02:04:02 2003 Subject: [Q] "sign" vs "sign-locally" Message-ID: <5454386.1054166701266.JavaMail.jbruni@mac.com> When you sign a key, you vouch for its authenticity. Your signature, being ultimately trusted, bestows validity to the key. Your signature is exported whenever you export this public key and pass it on to someone else. When you locally sign the key, your signature is not exported, but the key is still considered valid as far as you are concerned. On Wednesday, May 28, 2003, at 05:00PM, Daniel Carrera wrote: >Hi all, > >I just realized that there are two ways of signing a key. You can "sign" >it, or sign it "locally". What's the difference? > >If I understand correctly, your signing a key means that you are >confident that the key belongs to the person you think it does. So, for >instance, I could meet the person face-to-face and get his or her key ID >for verification. > >I've looked at the man page. I think that "sign" is what I just described >in the above paragraph. But I'm not sure I understand how "sign-locally" >is different. > >Also, why would I ever want to sign a key "non-revocably"? > >Thanks for the help. 
>-- >Daniel Carrera | OpenPGP fingerprint: >Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88 >UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html > > -- PGP Fingerprint: 886F 6A8A 68A1 5E90 EF3F 8EFA E2B8 3F99 7343 C1E3 From eroosenmaallen@cogeco.ca Thu May 29 03:42:02 2003 From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen) Date: Thu May 29 02:42:02 2003 Subject: [Q] "sign" vs "sign-locally" In-Reply-To: <5454386.1054166701266.JavaMail.jbruni@mac.com> References: <5454386.1054166701266.JavaMail.jbruni@mac.com> Message-ID: <3ED556E5.4010309@cogeco.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (bottom-posted, unusual for me) Joseph Bruni wrote: > When you sign a key, you vouch for its authenticity. Your signature, > being ultimately trusted, bestows validity to the key. Your signature is > exported whenever you export this public key and pass it on to someone > else. When you locally sign the key, your signature is not exported, but > the key is still considered valid as far as you are concerned. To expand on Joseph's point, when you regularly "sign" a key, the signature is exported with the key. This means that if you then send the key to a keyserver, others downloading it will see your signature on the key. If they assign a level of trust to *your* key, then your signature adds a level of validity to the key, even if the person receiving it has not personally verified it. If you "locally sign" a key, your signature is not exported; it is only for you. That way, your sig never affects the validity of the key on someone else's keyring. 
Peace, Eddie Roosenmaallen - -- OpenPGP KeyID: 0xCC1aCD05 Get my key from keyserver.kjsl.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+1VbjtGGqbMwazQURAt0dAJ96Z/B5+8IRT31QgDeQ2uYES6HRMACfSo7Y 0qmp0A0MHPDtKoHXckmdCzQ= =jqZR -----END PGP SIGNATURE----- From Jewettkim@aol.com Thu May 29 12:06:03 2003 From: Jewettkim@aol.com (Jewettkim@aol.com) Date: Thu May 29 11:06:03 2003 Subject: GnuPG 1.2.2 and permission denied on trustdb.gpg Message-ID: <2E8A19F7.739C6215.02540AA8@aol.com> I just installed GnuPG 1.2.2 on a Solaris 2.7 system and have one minor problem. It won't work unless we make the trustdb.gpg world writable. The script that calls gpg is a non-root setuid program whose user also owns the trustdb.gpg. That user is the only user that works unless we change the trustdb.gpg to world writable (which we do not want to do). I tried the workaround posted on the user forum which states that you can use the options --no-auto-check-trustdb and --lock-never to get by the permission denied issue but we are still failing on permissions (see error messages below). http://marc.theaimsgroup.com/?l=gnupg-users&m=103165796026815&w=2 Any suggestions? Thanks so much, Kim Here are our error messages: Cmd=/prod/gnuc/bin/gpg --homedir /home/dcprod/.gnupg --no-auto-check-trustdb --lock-never -r ftidc -o /home/dcprod/tempdir/U45554/TEMP.COMPRESS.0.45554.GPG -e /home/faulkner/data/test.file > /home/dcprod/tempdir/gpg.err 2>&1 rc=512 after: ruid=153 euid=452 /home/dcprod/tempdir/U45554/TEMP.COMPRESS.0.45554.GPG: No such file or director 030527 15:28:00 DCSEND 45554 RC=3060 GPG encryption / signing failed gpg: WARNING: unsafe ownership on homedir "/home/dcprod/.gnupg" gpg: WARNING: using insecure memory! 
gpg: please see http://www.gnupg.org/faq.html for more information From johanw@vulcan.xs4all.nl Thu May 29 22:27:03 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Thu May 29 21:27:03 2003 Subject: [Q] Diceware password size In-Reply-To: <20030527192109.GB1748@math.umd.edu> from Daniel Carrera at "May 27, 2003 03:21:09 pm" Message-ID: <200305291940.VAA15808@vulcan.xs4all.nl> Daniel Carrera wrote: > If I make sure that breaking my passphrase is harder than putting a > key-logger, all I have to make sure is that putting a key-logger is more > expensive than the value of my data. There are also other methods. You can be captured and tortured to have you give the passphrase. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw@vulcan.xs4all.nl Thu May 29 22:27:41 2003 From: johanw@vulcan.xs4all.nl (Johan Wevers) Date: Thu May 29 21:27:41 2003 Subject: [Announce] GnuPG 1.3.2 released (development) In-Reply-To: <20030527154715.GA1417@jabberwocky.com> from David Shaw at "May 27, 2003 11:47:15 am" Message-ID: <200305291958.VAA16058@vulcan.xs4all.nl> David Shaw wrote: > The latest release from the development branch of GnuPG is ready for > public consumption. This is a branch to create what will be GnuPG 1.4 > someday. Are there already any ideas when "someday" is expected to be? > Noteworthy changes in version 1.3.2 (2003-05-27) [...] I see mostly things that were also on the 1.2.1 -> 1.2.2 list. Do I see it right when I say that 1.3.2 is mainly a version where the 1.2.2 changes were implemented? -- ir. J.C.A. 
Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw@jabberwocky.com Fri May 30 06:34:03 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Fri May 30 05:34:03 2003 Subject: [Announce] GnuPG 1.3.2 released (development) In-Reply-To: <200305291958.VAA16058@vulcan.xs4all.nl> References: <20030527154715.GA1417@jabberwocky.com> <200305291958.VAA16058@vulcan.xs4all.nl> Message-ID: <20030530033501.GB13569@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, May 29, 2003 at 09:58:57PM +0200, Johan Wevers wrote: > David Shaw wrote: > > > The latest release from the development branch of GnuPG is ready for > > public consumption. This is a branch to create what will be GnuPG 1.4 > > someday. > > Are there already any ideas when "someday" is expected to be? > > > Noteworthy changes in version 1.3.2 (2003-05-27) > [...] > > I see mostly things that were also on the 1.2.1 -> 1.2.2 list. Do I see > it right when I say that 1.3.2 is mainly a version where the 1.2.2 changes > were implemented? 9 out of the 22 NEWS entries are new for 1.3.2. There are a few more changes that were not in the NEWS file, but these were not very user-visible changes. The diff between 1.2.1 and 1.2.2 was big enough (and had to be applied to 1.3.1 as well) that I wanted to get 1.3.2 out to get a nice clean working surface again. The changes that are in 1.3.2 and not in 1.2.2 are: * Multiple trust models are now supported via the --trust-model option. The options are "pgp" (web-of-trust plus trust signatures), "classic" (web-of-trust only), and "always" (identical to the --always-trust option). * The --personal-{cipher|digest|compression}-preferences are now consulted to get default algorithms before resorting to the last-ditch defaults of --s2k-cipher-algo, SHA1, and ZIP respectively. 
  This allows a user to set algorithms to use in a safe manner so
  they are used when legal to do so, without forcing them on for
  all messages.

* New --primary-keyring option to designate the keyring that the
  user wants new keys imported into.

* --s2k-digest-algo is now used for all password mangling. Earlier
  versions used both --s2k-digest-algo and --digest-algo for
  passphrase mangling.

* Handling of --hidden-recipient or --throw-keyid messages is now
  easier - the user only needs to give their passphrase once, and
  GnuPG will try it against all of the available secret keys.

* DNS SRV records are used in HKP keyserver lookups to allow
  administrators to load balance and select keyserver port
  automatically. This is as specified in
  draft-shaw-openpgp-hkp-00.txt.

* When using the "keyid!" syntax during a key export, only that
  specified key is exported. If the key in question is a subkey,
  the primary key plus only that subkey is exported.

* configure --disable-xxx options to disable individual algorithms
  at build time. This can be used to build a smaller gpg binary
  for embedded uses where space is tight. See the README file for
  the algorithms that can be used with this option, or use
  --enable-minimal to build the smallest gpg possible (disables
  all optional algorithms, disables keyserver access, and disables
  photo IDs).

* The keyserver no-modify flag on a key can now be displayed and
  modified.

David

From dcarrera@math.umd.edu Sat May 31 07:47:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sat May 31 06:47:02 2003
Subject: [Q] 128-bit symmetric encryption.
Message-ID: <20030531044812.GE9064@math.umd.edu>

Hello,

I'm trying to figure out "how strong" 128-bit symmetric encryption is. Tell me
if I got it right:

For a good algorithm, the only possible attack is brute force. From an earlier
discussion, we can (roughly) estimate that it might take 50,000 computers at
2GHz one year to break 64-bit encryption. Now, 128-bit encryption should take
2^64 times more computing power to break.

In other words, if I had a trillion computers each going at 1 TeraHertz, it
would take them over 1.8 billion years to break it.

In conclusion, breaking 128-bit encryption by brute force is impossible.

Is this correct?

Note: I am not saying anything about security. I know that there are many
other possible attacks. I know that the algorithm itself might be broken so
that brute force is not necessary. That's not what I'm asking about.

Ultimately, I want to conclude that there is no point in using more than
128-bits in symmetric algorithms.

Is this correct?

Thanks for the help.
--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html

From holtzm@sonic.net Sat May 31 09:07:02 2003
From: holtzm@sonic.net (Bob Holtzman)
Date: Sat May 31 08:07:02 2003
Subject: gpg usage w/ pine
Message-ID:

Hi,

I'm running gnupg-1.0.7-7 and pine-4.44-7.73.0 under RH7.3 and after
setting:

[X] compose-send-offers-first-filter

in pine and noting that the gpg install seems to have created:

display-filters = "_LEADING(-----BEGIN PGP MESSAGE-----)_" /usr/bin/gpg-check
                  "_LEADING(-----BEGIN PGP SIGNED MESSAGE-----)_" /usr/bin/gpg-check

sending-filters = /usr/bin/gpg-sign
                  /usr/bin/gpg-encrypt _RECIPIENTS_
                  /usr/bin/gpg-sign+encrypt _RECIPIENTS_

no filters are offered when I try to send. No opportunity to encrypt,
sign, nothing. The only way I could get it to work was to install
pgp4pine. This is an acceptable solution but I can't see why it's
necessary. Is there any way to get away from pgp4pine?

I should mention that gpg works well as a stand alone. I can encrypt,
decrypt and sign individual files.

Any ideas or pointers appreciated. Thanks.

--
Bob Holtzman
"If you think you're getting free lunch,
......check the price of the beer!"

From Thomas.Arend@t-online.de Sat May 31 09:50:02 2003
From: Thomas.Arend@t-online.de (Thomas Arend)
Date: Sat May 31 08:50:02 2003
Subject: [Q] "sign" vs "sign-locally"
In-Reply-To: <20030528230055.GA1838@math.umd.edu>
References: <20030528230055.GA1838@math.umd.edu>
Message-ID: <200305310851.17543.thomas.arend@t-online.de>

On Thursday, 29 May 2003 01:00, Daniel Carrera wrote:
> Hi all,
>
> I just realized that there are two ways of signing a key. You can "sign"
> it, or sign it "locally". What's the difference?

Local signs aren't sent to key-servers. They stay only in your key-ring.

>
> If I understand correctly, your signing a key means that you are
> confident that the key belongs to the person you think it does. So, for
> instance, I could meet the person face-to-face and get his or her key ID
> for verification.

Correct

>
> I've looked at the man page. I think that "sign" is what I just described
> in the above paragraph. But I'm not sure I understand how "sign-locally"
> is different.
>
> Also, why would I ever want to sign a key "non-revocably"?

I don't know. Maybe never.

>
> Thanks for the help.

Please

Thomas

From DenisMcCauley@ifrance.com Sat May 31 10:34:03 2003
From: DenisMcCauley@ifrance.com (Denis McCauley)
Date: Sat May 31 09:34:03 2003
Subject: [Q] 128-bit symmetric encryption.
In-Reply-To: <20030531044812.GE9064@math.umd.edu>
References: <20030531044812.GE9064@math.umd.edu>
Message-ID: <20030530211437.0131.DENISMCCAULEY@ifrance.com>

On Sat, 31 May 2003 00:48:12 -0400 Daniel Carrera wrote:

> Hello,
>
> I'm trying to figure out "how strong" 128-bit symmetric encryption is. Tell me
> if I got it right:
>
> For a good algorithm, the only possible attack is brute force. From an earlier
> discussion, we can (roughly) estimate that it might take 50,000 computers at
> 2GHz one year to break 64-bit encryption. Now, 128-bit encryption should take
> 2^64 times more computing power to break.
>
> In other words, if I had a trillion computers each going at 1 TeraHertz, it
> would take them over 1.8 billion years to break it.
>
> In conclusion, breaking 128-bit encryption by brute force is impossible.
>
> Is this correct?

Strictly speaking, no. In reality a brute force attack would rarely, if
ever, have to try 2^128 combinations to break the encryption because
it's a question of probability. An attacker has a 50-50 chance of
breaking it in half that number. But the probability of breaking the
encryption in a lifetime is so remote that it's unlikely a pure brute
force attack like that would be tried.

>
> Note: I am not saying anything about security. I know that there are many
> other possible attacks. I know that the algorithm itself might be broken so
> that brute force is not necessary. That's not what I'm asking about.
> Ultimately, I want to conclude that there is no point in using more than
> 128-bits in symmetric algorithms.
>
> Is this correct?

Assuming that the algorithm has no fault, there could be weaknesses to
be exploited at the level of implementation of the algorithm by a given
application and in key generation. You can find some comments by Bruce
Schneier on this at http://www.counterpane.com/crypto-gram-9910.html

>

--
=====================================
Denis McCauley
GPG/PGP keys at http://www.djmccauley.tk
=====================================
From graham.todd2@ntlworld.com Sat May 31 10:57:02 2003
From: graham.todd2@ntlworld.com (Graham)
Date: Sat May 31 09:57:02 2003
Subject: [Q] "sign" vs "sign-locally"
In-Reply-To: <20030528230055.GA1838@math.umd.edu>
References: <20030528230055.GA1838@math.umd.edu>
Message-ID: <200305310858.00937.graham.todd2@ntlworld.com>

On Wednesday 28 May 2003 11:00 pm, Daniel Carrera wrote:
> Hi all,
>
> I just realized that there are two ways of signing a key. You can
> "sign" it, or sign it "locally". What's the difference?

This is the equivalent of the exportable signature and non-exportable
signature in PGP. If you locally sign a key that signature cannot be
exported to another person or keyserver: in other words, it is a method
of allocating trust to a key on your keyring only.

>
> If I understand correctly, your signing a key means that you are
> confident that the key belongs to the person you think it does. So,
> for instance, I could meet the person face-to-face and get his or her
> key ID for verification.

Correct, and this is in fact the purpose of "key signing parties".

>
> I've looked at the man page. I think that "sign" is what I just
> described in the above paragraph. But I'm not sure I understand how
> "sign-locally" is different.

If you sign a key and then export the key, the signature goes with that
key. If you locally sign the key and export it, the signature does not
go with the key.

>
> Also, why would I ever want to sign a key "non-revocably"?

Some keys are used for specific purposes, and one such purpose could be
to sign documents. Having a non-revocable key stops anybody revoking
that key and therefore stops the invalidation of the documents.
--
Graham
GPG keys at: gpg.keys@ntlworld.com

From tito@rumford.de Sat May 31 11:10:02 2003
From: tito@rumford.de (tito@rumford.de)
Date: Sat May 31 10:10:02 2003
Subject: Is a secret key compromised by known cleartext?
Message-ID: <200305311014.17581.tito@rumford.de>

I'm sorry if this is a faq:

If I got an email with a message in cleartext immediately
followed by the same message encrypted to my public key --
would that change the status of my secret key (being secret)
abruptly to "being well known"?

Wolfgang Tschauner

From pgpgp@pollinger.org.uk Sat May 31 13:39:03 2003
From: pgpgp@pollinger.org.uk (Ben Pollinger)
Date: Sat May 31 12:39:03 2003
Subject: WASTE - new 'secure' collaboration software
Message-ID: <009201c32760$f3447740$adb587d9@linear>

Hello all,

An interesting new project by Nullsoft[1], the WinAmp developers.

"WASTE is a software product and protocol that enables secure
distributed communication for small (on the order of 10-50 nodes)
trusted groups of users. WASTE is designed to enable small companies
and small teams within larger companies to easily communicate and
collaborate in a secure and efficient fashion, independent of physical
network topology."

It's a GPL'd project that combines IM, chat, file browsing/searching
and transfer (upload and download). It uses RSA and Blowfish, and I
thought some folk on this list might be interested.

I found out about this from Need To Know[2] who report that Nullsoft
have withdrawn the source. But it's out there[3], and it's hoped that
others will take it forward, as they did with Gnutella[4].
[1] http://www.nullsoft.com
[2] http://www.ntk.net/2003/05/30/#TRACKING
[3] http://www.dhorrocks2003.pwp.blueyonder.co.uk/
[4] http://www.wikipedia.org/wiki/Gnutella

Apologies for cross posting.

cheers,

Ben

--
www.pollinger.org.uk
www.psyclick.org.uk
PGP'd email welcome

From johanw@vulcan.xs4all.nl Sat May 31 14:17:02 2003
From: johanw@vulcan.xs4all.nl (Johan Wevers)
Date: Sat May 31 13:17:02 2003
Subject: Is a secret key compromised by known cleartext?
In-Reply-To: <200305311014.17581.tito@rumford.de> from "tito@rumford.de" at "May 31, 2003 10:14:17 am"
Message-ID: <200305311036.MAA00569@vulcan.xs4all.nl>

tito@rumford.de wrote:

> If I got an email with a message in cleartext immediately
> followed by the same message encrypted to my public key --
> would that change the status of my secret key (being secret)
> abruptly to "being well known"?

No, the algorithms used in gpg are not sensitive to this type of attack,
which is known as a known-plaintext attack.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From jdbeyer@exit109.com Sat May 31 14:17:37 2003
From: jdbeyer@exit109.com (Jean-David Beyer)
Date: Sat May 31 13:17:37 2003
Subject: Is a secret key compromised by known cleartext?
References: <200305311014.17581.tito@rumford.de>
Message-ID: <3ED88E87.2090604@exit109.com>

tito@rumford.de wrote:
> I'm sorry if this is a faq:
>
> If I got an email with a message in cleartext immediately followed by
> the same message encrypted to my public key -- would that change the
> status of my secret key (being secret) abruptly to "being well
> known"?
>

I do not know that, but it seems in the same category, and possibly
worse than, those who send an email encrypted to those whose public keys
they know, and unencrypted to the rest of some mailing list. Or even if
the sender does not make that mistake, one receiver could decrypt it and
send it to others unencrypted.

It seems to me you must really trust the person to whom you send
encrypted e-mail, and to trust their computer systems as well. I could
imagine myself being paranoid enough never to send encrypted stuff to
people whose machines run Microsoft Windows, for example. As if I knew
anyone who gave a hoot about security and encryption anyway. 8-(

--
  .~.   Jean-David Beyer          Registered Linux User 85642.
  /V\                             Registered Machine 73926.
 /( )\  Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^  7:05am up 12 days, 12:38, 3 users, load average: 2.20, 2.27, 2.12

From konrad@crunchy-frog.org Sat May 31 14:35:03 2003
From: konrad@crunchy-frog.org (Konrad Podloucky)
Date: Sat May 31 13:35:03 2003
Subject: Is a secret key compromised by known cleartext?
In-Reply-To: <200305311014.17581.tito@rumford.de>
References: <200305311014.17581.tito@rumford.de>
Message-ID: <1054381086.682.9.camel@muaddib.podl>

On Sat, 2003-05-31 at 10:14, tito@rumford.de wrote:
[...]
> If I got an email with a message in cleartext immediately
> followed by the same message encrypted to my public key --
> would that change the status of my secret key (being secret)
> abruptly to "being well known"?
>

Actually no. If all it took to get the private key was a
plaintext-ciphertext pair, the whole PGP concept would be pretty much
doomed. Everybody who sends you encrypted mail has access to the
plaintext and ciphertext (because she/he generated both). gpg takes the
plaintext and encrypts it with a symmetric cipher by using a random key.
Then this random key is encrypted with your public key so that you can
decrypt the message. The symmetric algorithms used by gpg are all immune
against known-plaintext attacks.

hth,

Konrad

From volker.gaibler@urz.uni-heidelberg.de Sat May 31 17:17:02 2003
From: volker.gaibler@urz.uni-heidelberg.de (Volker Gaibler)
Date: Sat May 31 16:17:02 2003
Subject: Is a secret key compromised by known cleartext?
In-Reply-To: <200305311014.17581.tito@rumford.de>
References: <200305311014.17581.tito@rumford.de>
Message-ID: <20030531141821.GA30532@aixterm5.urz.uni-heidelberg.de>

On Sat, May 31, 2003 at 10:14:17AM +0200, tito@rumford.de wrote:
> If I got an email with a message in cleartext immediately
> followed by the same message encrypted to my public key --
> would that change the status of my secret key (being secret)
> abruptly to "being well known"?

No. Your public key is not secret and so is available to everybody (or
could be, if you decide to publish it). So everybody can choose a
cleartext and find the corresponding ciphertext. This is always possible
with public key crypto and so the algorithm always has to resist this
kind of attack.

So finding lots of plaintext-ciphertext pairs is no threat to GnuPG.
Volker

--
Volker Gaibler    contact: http://www.volker-gaibler.de
                           mail@volker-gaibler.de
+---------------------------------------------------------------------+

From malsyned@cif.rochester.edu Sat May 31 22:07:02 2003
From: malsyned@cif.rochester.edu (Dennis Lambe Jr.)
Date: Sat May 31 21:07:02 2003
Subject: Is a secret key compromised by known cleartext?
In-Reply-To: <200305311014.17581.tito@rumford.de>
References: <200305311014.17581.tito@rumford.de>
Message-ID: <1054408145.8894.2.camel@dennisx.cif.rochester.edu>

On Sat, 2003-05-31 at 04:14, tito@rumford.de wrote:
> If I got an email with a message in cleartext immediately
> followed by the same message encrypted to my public key --
> would that change the status of my secret key (being secret)
> abruptly to "being well known"?

If that were the case, all someone would have to do to discover your
secret key would be to encrypt something with your public key and
compare the result to the original. You could hardly call it a "secret
key" if all it took to know the secret was to use the system as it was
meant to be used.

--Dennis Lambe

From dcarrera@math.umd.edu Sat May 31 22:23:02 2003
From: dcarrera@math.umd.edu (Daniel Carrera)
Date: Sat May 31 21:23:02 2003
Subject: [Q] 128-bit symmetric encryption.
In-Reply-To: <20030530211437.0131.DENISMCCAULEY@ifrance.com>
References: <20030531044812.GE9064@math.umd.edu> <20030530211437.0131.DENISMCCAULEY@ifrance.com>
Message-ID: <20030531192422.GA1075@math.umd.edu>

On Fri, May 30, 2003 at 09:33:25PM -1000, Denis McCauley wrote:

> Strictly speaking, no. In reality a brute force attack would rarely, if
> ever, have to try 2^128 combinations to break the encryption because
> it's a question of probability. An attacker has a 50-50 chance of
> breaking it in half that number. But the probability of breaking the
> encryption in a lifetime is so remote that it's unlikely a pure brute
> force attack like that would be tried.

Yes, I'm aware of that. But what I said is that a 128-bit key takes 2**64
times longer to crack by brute force than a 64-bit key. The 50% factor
gets accounted for in the time that it takes to brute force a 64-bit key.

But that's getting a little off topic. What I'm trying to find out is if
there is any point at all in having a key length longer than 128 bits.

In other words, the key length is not an issue. Any fault in the
encryption will be elsewhere (e.g. algorithm choice, implementation,
physical security, etc).

Thanks.

--
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD (301) 405-5137     | http://www.math.umd.edu/~dcarrera/pgp.html
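
The estimate discussed in this exchange, worked through in Python as an added example (not part of any post in the thread). It scales the thread's 64-bit baseline to other key sizes and fleets, and runs an exhaustive search over a toy keyspace to show the 50% expected-case factor; `toy_encrypt`, the function names and the sample plaintext are constructed for illustration.

```python
"""Added example: brute-force cost model using the figures quoted in the thread."""
import hashlib
import random

# Baseline quoted in the thread (a rough estimate, taken here as given):
# 50,000 machines at 2 GHz need about one year to break a 64-bit key.
BASE_BITS = 64
BASE_MACHINES = 50_000
BASE_HZ = 2e9
BASE_YEARS = 1.0


def years_to_search(bits, machines, hz):
    """Scale the baseline to another key size and fleet.

    Assumption: search speed is proportional to machines * clock rate, and
    every extra key bit doubles the work. The baseline is treated as an
    expected-case figure, so the result is one as well.
    """
    base_work = BASE_MACHINES * BASE_HZ * BASE_YEARS  # unit: Hz-years
    work = base_work * 2.0 ** (bits - BASE_BITS)
    return work / (machines * hz)


def toy_encrypt(key, plaintext):
    """Stand-in for a cipher (NOT real encryption): keyed SHA-256."""
    return hashlib.sha256(key.to_bytes(4, "big") + plaintext).digest()


def trials_to_find(secret_key, bits, plaintext=b"constructed sample text"):
    """Count the guesses an exhaustive search needs for one toy key."""
    target = toy_encrypt(secret_key, plaintext)
    for guess in range(2 ** bits):
        if toy_encrypt(guess, plaintext) == target:
            return guess + 1
    raise ValueError("key not in keyspace")


def mean_fraction_searched(bits, samples, seed=2003):
    """Average share of the keyspace visited before the key turns up."""
    rng = random.Random(seed)
    total = sum(trials_to_find(rng.randrange(2 ** bits), bits)
                for _ in range(samples))
    return total / (samples * 2 ** bits)


if __name__ == "__main__":
    # Toy 10-bit keys: on average about half the keyspace is searched.
    print("mean fraction searched: %.3f" % mean_fraction_searched(10, 200))
    # The fleet from the thread: a trillion machines at 1 THz each.
    print("128-bit: %.2e years" % years_to_search(128, 1e12, 1e12))
    print("256-bit: %.2e years" % years_to_search(256, 1e12, 1e12))
```
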