From chris@sebis.com Wed Oct 1 01:09:02 2003 From: chris@sebis.com (Chris Johnson) Date: Wed Oct 1 00:09:02 2003 Subject: Help adding the idea extension... Message-ID: <3F79FE01.7090504@sebis.com> Hi group, We recently got gnupg to compile on a SCO 5.0.5 box (No flames please. I wouldn't work with SCO if it were my choice). But I'm having a problem getting the idea extension to work. I've downloaded the idea.c.gz file and compiled it. I added the line to the ~/.gnupg/gpg.conf file that reads "load-extension idea". I had the compiled module in /usr/local/lib/ and in the ~/.gnupg/ directory and have put full paths ect.... I've tried to use the --load-extension option at the command line. I have some clients have been using idea to encrypt files they send us and would like to get this working. can anyone help with something I've missed? I've been through the FAQ and guides looking for my mistake but can't find it yet.... please help... TIA chrisj From dshaw@jabberwocky.com Wed Oct 1 01:42:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Oct 1 00:42:01 2003 Subject: Help adding the idea extension... In-Reply-To: <3F79FE01.7090504@sebis.com> References: <3F79FE01.7090504@sebis.com> Message-ID: <20030930224420.GC9382@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Sep 30, 2003 at 05:04:49PM -0500, Chris Johnson wrote: > Hi group, > We recently got gnupg to compile on a SCO 5.0.5 box (No flames > please. I wouldn't work with SCO if it were my choice). But I'm having a > problem getting the idea extension to work. > I've downloaded the idea.c.gz file and compiled it. I added the line to > the ~/.gnupg/gpg.conf file that reads "load-extension idea". I had the > compiled module in /usr/local/lib/ and in the ~/.gnupg/ directory and > have put full paths ect.... > I've tried to use the --load-extension option at the command line. We need to see something a little more informative than "problem getting the idea extension to work" ;) What happens when you do "gpg --load-extension /path/to/idea -v --version" ? I don't know if SCO has some problems with dynamically loaded code. If it does, then --load-extension won't work. You could take the idea.c file and drop it into the GnuPG source cipher/ directory. Re-run ./configure, rebuild GnuPG, and you'll have IDEA built-in. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj96B0QqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJUA8AoKN+41Rathp8H8xn1cAYZLPZAGU6AKDZ /63Km9r4ngUpqwSDq2NLRtly0A== =TFpq -----END PGP SIGNATURE----- From chris@sebis.com Wed Oct 1 21:34:01 2003 From: chris@sebis.com (Chris Johnson) Date: Wed Oct 1 20:34:01 2003 Subject: Help adding the idea extension... In-Reply-To: <20030930224420.GC9382@jabberwocky.com> References: <3F79FE01.7090504@sebis.com> <20030930224420.GC9382@jabberwocky.com> Message-ID: <3F7B1CC0.5080004@sebis.com> Thanks for the reply Dave, By saying "won't work" I was meaning IDEA dosen't appear under ciphers when gpg --version is run. with or without (only in the .gnupg.conf file) the command line --load-extension. I'm thinking it must be a SCO problem but wanted to hear from the list to see if anyone else had had a problem. Here is the output: OK oper> gpg --load-extension /u/oper/.gnupg/idea --version gpg (GnuPG) 1.2.3 Copyright (C) 2003 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH Hash: MD5, SHA1, RIPEMD160, SHA256 Compression: Uncompressed, ZIP, ZLIB I really wanted to avoid rerunning configure and recompiling. We ran into problems with the assembler and the mpi files. again thanks for the quick reply. chrisj David Shaw wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Tue, Sep 30, 2003 at 05:04:49PM -0500, Chris Johnson wrote: > > >>Hi group, >> We recently got gnupg to compile on a SCO 5.0.5 box (No flames >>please. I wouldn't work with SCO if it were my choice). But I'm having a >>problem getting the idea extension to work. >>I've downloaded the idea.c.gz file and compiled it. I added the line to >>the ~/.gnupg/gpg.conf file that reads "load-extension idea". I had the >>compiled module in /usr/local/lib/ and in the ~/.gnupg/ directory and >>have put full paths ect.... >>I've tried to use the --load-extension option at the command line. >> >> > >We need to see something a little more informative than "problem >getting the idea extension to work" ;) > >What happens when you do "gpg --load-extension /path/to/idea -v --version" ? > >I don't know if SCO has some problems with dynamically loaded code. >If it does, then --load-extension won't work. You could take the >idea.c file and drop it into the GnuPG source cipher/ directory. >Re-run ./configure, rebuild GnuPG, and you'll have IDEA built-in. > >David >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.3.3-cvs (GNU/Linux) >Comment: Key available at http://www.jabberwocky.com/david/keys.asc > >iHEEARECADEFAj96B0QqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk >L2tleXMuYXNjAAoJEOJmXIdJ4cvJUA8AoKN+41Rathp8H8xn1cAYZLPZAGU6AKDZ >/63Km9r4ngUpqwSDq2NLRtly0A== >=TFpq >-----END PGP SIGNATURE----- > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From dshaw@jabberwocky.com Wed Oct 1 21:51:02 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Wed Oct 1 20:51:02 2003 Subject: Help adding the idea extension... In-Reply-To: <3F7B1CC0.5080004@sebis.com> References: <3F79FE01.7090504@sebis.com> <20030930224420.GC9382@jabberwocky.com> <3F7B1CC0.5080004@sebis.com> Message-ID: <20031001185244.GC18007@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Oct 01, 2003 at 01:28:16PM -0500, Chris Johnson wrote: > Thanks for the reply Dave, > By saying "won't work" I was meaning IDEA dosen't appear under > ciphers when gpg --version is run. with or without (only in the > .gnupg.conf file) the command line --load-extension. I'm thinking it > must be a SCO problem but wanted to hear from the list to see if anyone > else had had a problem. Interesting that there isn't even an error message here. What does: grep USE_DYNAMIC_LINKING config.h in the GnuPG build directory give? David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj97InwqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJqUEAoNkM/BzkpEf6Y88yMPXBqKi+au7HAJ43 ePqcizg+lHDI22MXY3F7h6SF6g== =SUMq -----END PGP SIGNATURE----- From chris@sebis.com Wed Oct 1 22:26:02 2003 From: chris@sebis.com (Chris Johnson) Date: Wed Oct 1 21:26:02 2003 Subject: Help adding the idea extension... In-Reply-To: <20031001185244.GC18007@jabberwocky.com> References: <3F79FE01.7090504@sebis.com> <20030930224420.GC9382@jabberwocky.com> <3F7B1CC0.5080004@sebis.com> <20031001185244.GC18007@jabberwocky.com> Message-ID: <3F7B2910.1060003@sebis.com> Hi Dave, grep USE_DYNAMIC_LINKING config.h shows the line commented out. /* #undef USE_DYNAMIC_LINKING */ must be a SCO thing. ( this is our theme song around here.). we run about 20 linux servers and two SCO boxes. and the majority of my time is unfortunately spent fixing the SCO machines. I did get it to recompile and it is working just now. for some reason the mpi/$files were "broken" (sorry I know that's not correct lingo but I'm an admin) one of the developers here know assembly and had to go through and fix about 6 of the files to have correct syntax. Luckily I had made a tar-ball of the files before I ran "make clean". If you'd like to see the tar-ball and the "broken files" let me know. Thanks for all your help, chrisj David Shaw wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Wed, Oct 01, 2003 at 01:28:16PM -0500, Chris Johnson wrote: > > >>Thanks for the reply Dave, >> By saying "won't work" I was meaning IDEA dosen't appear under >>ciphers when gpg --version is run. with or without (only in the >>.gnupg.conf file) the command line --load-extension. I'm thinking it >>must be a SCO problem but wanted to hear from the list to see if anyone >>else had had a problem. >> >> > >Interesting that there isn't even an error message here. What does: > > grep USE_DYNAMIC_LINKING config.h > >in the GnuPG build directory give? > >David >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.3.3-cvs (GNU/Linux) >Comment: Key available at http://www.jabberwocky.com/david/keys.asc > >iHEEARECADEFAj97InwqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk >L2tleXMuYXNjAAoJEOJmXIdJ4cvJqUEAoNkM/BzkpEf6Y88yMPXBqKi+au7HAJ43 >ePqcizg+lHDI22MXY3F7h6SF6g== >=SUMq >-----END PGP SIGNATURE----- > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From jonathan@simster.net Thu Oct 2 03:07:02 2003 From: jonathan@simster.net (Jonathan Goulding) Date: Thu Oct 2 02:07:02 2003 Subject: newbie question... Message-ID: <001801c38879$5da91bd0$33fafea9@GOULDINGJ> This is a multi-part message in MIME format. ------=_NextPart_000_0015_01C38857.D5C62210 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I am a law student learning VB for fun and getting a bit too involved. I = should be researching a brief right now.=20 In any event, I apoligize for asking an elementary question here but I = would appreciate any pointers...=20 I am trying to run gpg.exe from within a VB app (specifically, "gpg = --gen-key" at this point). I know one way to do this type of thing: = ProcID =3D Shell ("c:\gpg --gen-key"). But then gpg wants to know the = key size, my name, passphrase, etc. What I would like to know is how to = use the process ID (or anything else) to send that particular shell = first the key size, my name, etc. Oddly enough (to me anyway), = AppActivate (procID) returns an error code of 5 (i think this means the = process is supposedly no longer existing) and SendKeys (name, = passphrase,etc) creates about 7 command windows trying to run gpg = instead of sending the keys to the one open window. I know that, for = example, winpt manages gpg from within the app, so I know it is = possible. =20 In any event, any tips would be greatly appreciated or just pointers to = code examples doing similar things that I could look at. =20 Oh, I use windows xp. Sorry ;) -Jonathan ------=_NextPart_000_0015_01C38857.D5C62210 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
I am a law student learning VB for fun and getting a bit too = involved. I=20 should be researching a brief right now.

In any event, I = apoligize for=20 asking an elementary question here but I would appreciate any = pointers...=20

I am trying to run gpg.exe from within a VB app (specifically, = "gpg=20 --gen-key" at this point). I know one way to do this type of thing: = ProcID =3D=20 Shell ("c:\gpg --gen-key"). But then gpg wants to know the key size, my = name,=20 passphrase, etc. What I would like to know is how to use the process ID = (or=20 anything else) to send that particular shell first the key size, my = name, etc.=20 Oddly enough (to me anyway), AppActivate (procID) returns an error code = of 5 (i=20 think this means the process is supposedly no longer existing) and = SendKeys=20 (name, passphrase,etc) creates about 7 command windows trying to = run gpg=20 instead of sending the keys to the one open window. I know that, = for=20 example, winpt manages gpg from within the app, so I know it is = possible. =20

In any event, any tips would be greatly appreciated or just = pointers to=20 code examples doing similar things that I could look at.  =
Oh, I use windows xp.  Sorry = ;)
 

-Jonathan
------=_NextPart_000_0015_01C38857.D5C62210-- From jacob@cachevalley.com Thu Oct 2 04:19:01 2003 From: jacob@cachevalley.com (Jacob Anawalt) Date: Thu Oct 2 03:19:01 2003 Subject: Using GPG to create virtual email addresses In-Reply-To: <3F7768AA.30903@cachevalley.com> References: <3F7768AA.30903@cachevalley.com> Message-ID: <2406.192.168.1.4.1065057680.squirrel@scsi-burn.office> Jacob Anawalt said: > > Maybe there is some > 'light signature' option that would work better. Let me expand on this idea a little more. It seems that a signature must have something that says what encryption was used and some info that allows the unencoder to know who's signature it is and then an encoded hash of the data it is signing. When I sign a lot of data the signature is large. When I sign very little data, it is small. In either case there seems to be a substantial amount of header data. If we pre-agree on an algorithm and we know externally the claimed 'owner' of the signature by looking at the MAIL FROM value, how small can the signature be? Could it fit within (64 - size of GPG id + 1) and be only local-part compliant data? I would much prefer the double encrypted data idea, but if that is out of the question then I would at least want a piece of signed data accessable by the RCPT TO stage to help show the MAIL FROM was not forged. There hasn't been a response yet so I wonder if I'm asking in the wrong place or if people are reading this and rolling their eyes. Even a quick note to say I'm way off base or looking in the wrong direction would be appreciated. ;) -- Jacob Trying out SquirrelMail From Holger.Sesterhenn@smgwtest.aachen.utimaco.de Thu Oct 2 11:41:01 2003 From: Holger.Sesterhenn@smgwtest.aachen.utimaco.de (Holger Sesterhenn) Date: Thu Oct 2 10:41:01 2003 Subject: =?ISO-8859-1?Q?=5Bsign=5Fpgp}_Re=3A_newbie_question=2E=2E=2E_?= In-Reply-To: <001801c38879$5da91bd0$33fafea9@GOULDINGJ> References: <001801c38879$5da91bd0$33fafea9@GOULDINGJ> Message-ID: <3F7BE4C8.5080908@smgwtest.aachen.utimaco.de> Hi, > In any event, any tips would be greatly appreciated or just pointers to > code examples doing similar things that I could look at. > Oh, I use windows xp. Sorry ;) Take a look at the document doc/DETAILS, there is an example how to use --gen-key and --batch to create keys without user interaction. Some month ago I published a Bash shell script to do this easier (linux based). Just search the mailing list archives. Maybe you can transfer this script to VB. HTH. Best Regards, Holger Sesterhenn -- Internet http://www.utimaco.com From marc.jones@tesco.net Thu Oct 2 18:28:01 2003 From: marc.jones@tesco.net (Marc Jones) Date: Thu Oct 2 17:28:01 2003 Subject: Newbie - Error 512 Message-ID: <0de201c388fa$cbc62d70$5c00a8c0@dataserver> This is a multi-part message in MIME format. ------=_NextPart_000_0DDF_01C38903.2D05AE00 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi all, Please can anyone tell me what this error is, and how to fix it? I have a simple perl script that calls gpg via a system() call. This = script works fine when run via telnet - but when run via a browser - it = produces a 512 error. Any help would be greatfully received, marcus :o) ------=_NextPart_000_0DDF_01C38903.2D05AE00 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Hi all,
 
Please can anyone tell me what this = error is, and=20 how to fix it?
I have a simple perl script that calls = gpg via a=20 system() call. This script works fine when run via telnet - but when run = via a=20 browser - it produces a 512 error.
 
Any help would be greatfully = received,
 
marcus :o)
------=_NextPart_000_0DDF_01C38903.2D05AE00-- From vedaal@hush.com Thu Oct 2 20:13:02 2003 From: vedaal@hush.com (vedaal@hush.com) Date: Thu Oct 2 19:13:02 2003 Subject: 1.3.3 binary // for windows ? Message-ID: <200310021714.h92HEqmt099028@mailserver1.hushmail.com> would like to try out the 1.3.3 version where is it possible to download a binary for windows? (even if an alpha version) Tia, vedaal Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427 From atom-gpg@suspicious.org Fri Oct 3 11:19:02 2003 From: atom-gpg@suspicious.org (Atom 'Smasher') Date: Fri Oct 3 10:19:02 2003 Subject: newbie question about identities Message-ID: i'm only a few years behind with gpg/pgp, but trying to get up to speed.... i like the idea of identities, but i'm not sure if i'm either missing something, or if that part of the system (or documentation) is flawed.... let's say i have 2 identities.... employee@big-corp radical@big-corp-sucks obviously, each of these identities should be kept *FAR* apart. according to the documentation [that i've found], all you have to do is use the gpg "edit-key" and "adduid" to add an ID to your key-pair, and then you can use one key-pair for multiple IDs. http://www.gnupg.org/gph/en/manual.html#AEN282 i see 2 problems with this: 1) the key-id is the same for both roles 2) when exporting the public key, both identities are part of it both of these factors make it too easy for one's "other" identity to be revealed... this could be bad (very bad, since keys are like viruses, and can't be removed from circulation). so the question is, am i missing something? or is this a fact of life if a single key-pair is used for multiple IDs? if one wants to use multiple IDs (and keep each ID isolated from all other IDs), is it necessary that each ID has it's own key-pair? ...atom ----------------Void-If-Detached---------------- http://smasher.suspicious.org/fs1r Yamaha FS1R Quidquid latine dictum sit, altum viditur. (Whatever is said in Latin sounds profound.) From erwan@rail.eu.org Fri Oct 3 11:25:02 2003 From: erwan@rail.eu.org (Erwan David) Date: Fri Oct 3 10:25:02 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: <20031003082715.GA17530@bretagne.rail.eu.org> Le Fri 3/10/2003, Atom 'Smasher' disait > i'm only a few years behind with gpg/pgp, but trying to get up to > speed.... > > i like the idea of identities, but i'm not sure if i'm either missing > something, or if that part of the system (or documentation) is flawed.... > > let's say i have 2 identities.... > employee@big-corp > radical@big-corp-sucks > > obviously, each of these identities should be kept *FAR* apart. > > according to the documentation [that i've found], all you have to do is > use the gpg "edit-key" and "adduid" to add an ID to your key-pair, and > then you can use one key-pair for multiple IDs. > http://www.gnupg.org/gph/en/manual.html#AEN282 > > i see 2 problems with this: > 1) the key-id is the same for both roles > 2) when exporting the public key, both identities are part of it > > both of these factors make it too easy for one's "other" identity to be > revealed... this could be bad (very bad, since keys are like viruses, > and can't be removed from circulation). > > so the question is, am i missing something? or is this a fact of life if a > single key-pair is used for multiple IDs? if one wants to use multiple > IDs (and keep each ID isolated from all other IDs), is it necessary that > each ID has it's own key-pair? What you're missing is that you want to keep things apart, but put them together. If you want nobody able to relate your boith IDs use different keys. You can have several keypairs. -- Erwan From atom-gpg@suspicious.org Fri Oct 3 11:45:01 2003 From: atom-gpg@suspicious.org (Atom 'Smasher') Date: Fri Oct 3 10:45:01 2003 Subject: newbie question about identities In-Reply-To: <20031003082715.GA17530@bretagne.rail.eu.org> References: <20031003082715.GA17530@bretagne.rail.eu.org> Message-ID: >> if one wants to use multiple IDs (and keep each ID isolated from all >> other IDs), is it necessary that each ID has it's own key-pair? > What you're missing is that you want to keep things apart, but put > them together. If you want nobody able to relate your boith IDs use > different keys. > > You can have several keypairs. ================================== yeah... i figured out that part... the question is whether or not that's the proper (or only) way to keep separate identities isolated from each other, or if there's another way. according to [my understanding of] the documentation, it says that you can have multiple identities sharing a key-pair (which is correct), and it seems to imply that that those identities are isolated from each other (which seems to be incorrect). i guess i'm trying to clarify whether the problem is in the implementation, the documentation, or just my understanding of it... it seems like the handbook is advocating something that's not quite right, and i'm trying to figure out which way(s) are right. i'm also trying to verify that the documentation is either incorrect or misleading. ...atom ----------------Void-If-Detached---------------- http://smasher.suspicious.org/fs1r Yamaha FS1R "I don't know anything about music. In my line you don't have to." -- Elvis Presley From erwan@rail.eu.org Fri Oct 3 12:06:02 2003 From: erwan@rail.eu.org (Erwan David) Date: Fri Oct 3 11:06:02 2003 Subject: newbie question about identities In-Reply-To: References: <20031003082715.GA17530@bretagne.rail.eu.org> Message-ID: <20031003090755.GB17530@bretagne.rail.eu.org> Le Fri 3/10/2003, Atom 'Smasher' disait > >> if one wants to use multiple IDs (and keep each ID isolated from all > >> other IDs), is it necessary that each ID has it's own key-pair? > > > > What you're missing is that you want to keep things apart, but put > > them together. If you want nobody able to relate your boith IDs use > > different keys. > > > > You can have several keypairs. > ================================== > > yeah... i figured out that part... the question is whether or not that's > the proper (or only) way to keep separate identities isolated from each > other, or if there's another way. > > according to [my understanding of] the documentation, it says that you can > have multiple identities sharing a key-pair (which is correct), and it > seems to imply that that those identities are isolated from each other > (which seems to be incorrect). > > i guess i'm trying to clarify whether the problem is in the > implementation, the documentation, or just my understanding of it... it > seems like the handbook is advocating something that's not quite right, > and i'm trying to figure out which way(s) are right. i'm also trying to > verify that the documentation is either incorrect or misleading. They can be technically separated, but each private key is assumed to have one only user. Thus if you use a key with ID A, then same key with ID B, people can easily deduce that ID A and ID B are IDs of the same physical personn. IDs are isolated inside th OpenPGP system, but you do not live in this system, you live in real world, where people can deduce thing from different sources. -- Erwan From JPClizbe@comcast.net Fri Oct 3 12:10:02 2003 From: JPClizbe@comcast.net (John Clizbe) Date: Fri Oct 3 11:10:02 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: <3F7D3D41.7050306@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: > i'm only a few years behind with gpg/pgp, but trying to get up to > speed.... > > i like the idea of identities, but i'm not sure if i'm either missing > something, or if that part of the system (or documentation) is flawed.... > > let's say i have 2 identities.... > employee@big-corp > radical@big-corp-sucks > > obviously, each of these identities should be kept *FAR* apart. Yup > i see 2 problems with this: > 1) the key-id is the same for both roles > 2) when exporting the public key, both identities are part of it > > both of these factors make it too easy for one's "other" identity to be > revealed... this could be bad (very bad, since keys are like viruses, > and can't be removed from circulation). > > so the question is, am i missing something? or is this a fact of life if a > single key-pair is used for multiple IDs? if one wants to use multiple > IDs (and keep each ID isolated from all other IDs), is it necessary that > each ID has it's own key-pair? No, you got it right. Even if you kept two distinct keyrings: one with the employee ID keypair and the other with the radical ID keypair, assume the worst-case and conclude that the key material (c|w)ould eventually end up being posted to keyservers and be re-united into one key. Two roles && two VERY distinct identities ==> two keys. It would also be a very good idea not to sign each key with the other, that could also eventually lead back to both identities. Self-sign each key and leave it at that. If you use gpg/pgp at both home and work, it would be prudent to not have your radical key on your work machine along with your employee key, at least, not both secret keys (think: plausible deniability). There is nothing good or bad about having multiple keypairs. It just boils down to key management issues. Standard Disclaimer: IANAL. TINLA. IANAD. TINMA. UAYOR. YMMV. Do not try this at home. Professional Driver on Closed Course. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/fT09HQSsSmCNKhARAh8eAJ9fGaJUsZIy13m752k0Aqf0pQXQUQCgoomr OtMQWL+ntMKYPRVbZrJJ9Lo= =7HVP -----END PGP SIGNATURE----- From svwright+lists@amtp.liv.ac.uk Fri Oct 3 12:12:01 2003 From: svwright+lists@amtp.liv.ac.uk (Stewart V. Wright) Date: Fri Oct 3 11:12:01 2003 Subject: newbie question about identities In-Reply-To: References: <20031003082715.GA17530@bretagne.rail.eu.org> Message-ID: <20031003091406.GD27044@amtp.liv.ac.uk> --3Pql8miugIZX0722 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable * Atom 'Smasher' [031003 10:01]:' > > You can have several keypairs. > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > yeah... i figured out that part... the question is whether or not that's > the proper (or only) way to keep separate identities isolated from each > other, or if there's another way. You need to stop thinking about identities identifying a key, and start thinking about the key fingerprint. The fingerprint 'gpg --fingerprint' remains constant, but you can change ids. Take my key for example. I have 4 different ids and at least 2 of them will not be valid in 12 months, but the key will be (for a while at least...) Also, there are umpteen keys on the key servers with my name (id) attached to them (really should have learnt about revoking all those years ago!) but only two are valid at the moment. =20 > according to [my understanding of] the documentation, it says that you can > have multiple identities sharing a key-pair (which is correct), and it > seems to imply that that those identities are isolated from each other > (which seems to be incorrect). Um, I don't remember seeing that or getting that impression, but if you can quote the section (and even rewrite it) I'm sure the doc maintainers would be interested... =20 > i guess i'm trying to clarify whether the problem is in the > implementation,=20 Nope. > the documentation, Nope. > or just my understanding of it... it Yup. ;-) > seems like the handbook is advocating something that's not quite right, > and i'm trying to figure out which way(s) are right. i'm also trying to > verify that the documentation is either incorrect or misleading. Nope. Just you! Hehehe... > http://smasher.suspicious.org/fs1r Yamaha FS1R >=20 > "I don't know anything about music. > In my line you don't have to." Naughty!!! http://learn.to/sign "Please keep it down to four lines and 70 columns at maximum!" "The format of the sigdashes line is "^-- $", ie it consists of two dashes and a trailing space *only*."=20 Cheers, S. =20 --=20 European Citizens: Please do a little work to convince the European Parliament to reject software patents. This page explains the issue and provides suggestions for action; take the time to participate. http://swpat.ffii.org/ --3Pql8miugIZX0722 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iH8EARECAD8FAj99Pd44Gmh0dHA6Ly93d3cubGl2LmFjLnVrL35zdndyaWdodC9z ZWN1cml0eS9ncGctcG9saWN5Lmh0bWwACgkQaBqfzTXbdHLqtACcCBkz8iZ6W+ak uhRmAzQa0ur5cNYAoJiZYoVjYvo5zQUHKM50pql6ILtg =sfZ1 -----END PGP SIGNATURE----- --3Pql8miugIZX0722-- From ben@benfinney.id.au Fri Oct 3 13:50:02 2003 From: ben@benfinney.id.au (Ben Finney) Date: Fri Oct 3 12:50:02 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: <20031003105203.GB15815@benfinney.id.au> --TakKZr9L6Hm6aLOc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 03-Oct-2003, Atom 'Smasher' wrote: > let's say i have 2 identities.... > employee@big-corp > radical@big-corp-sucks >=20 > obviously, each of these identities should be kept *FAR* apart. Indeed, they should not be seen to be the same person. > according to the documentation [that i've found], all you have to do > is use the gpg "edit-key" and "adduid" to add an ID to your key-pair, > and then you can use one key-pair for multiple IDs. This is the way to have multiple IDs one one key, so that all those different IDs can be clearly seen to be the same person (since they are on the same key). This is quite different to what you're asking. What you seem to want is for employee@big-corp to *not* be identifiable as the same person as radical*big-corp-sucks. In this case, they should not both use the same key, since each key is assumed to be used by one person only. My recommendation would be for radical@big-corp-sucks to (a) set up a separate keypair, and (b) use anonymising email networks to post anything he doesn't want easily traceable to himself. --=20 \ "I moved into an all-electric house. I forgot and left the | `\ porch light on all day. When I got home the front door wouldn't | _o__) open." -- Steven Wright | Ben Finney --TakKZr9L6Hm6aLOc Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iEYEARECAAYFAj99VNMACgkQt6wuUb1BcUt8kwCgmB8Ryme9xFhR03mXOy679dtm VskAn1tAS/gXeoD3o7xbn0xs/VVwED3o =SkiH -----END PGP SIGNATURE----- --TakKZr9L6Hm6aLOc-- From bogus@does.not.exist.com Fri Oct 3 15:34:01 2003 From: bogus@does.not.exist.com (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Fri Oct 3 14:34:01 2003 Subject: Using GPG to create virtual email addresses In-Reply-To: <2406.192.168.1.4.1065057680.squirrel@scsi-burn.office> References: <3F7768AA.30903@cachevalley.com> <2406.192.168.1.4.1065057680.squirrel@scsi-burn.office> Message-ID: <200310031434.07914@erwin.ingo-kloecker.de> On Thursday 02 October 2003 03:21, Jacob Anawalt wrote: > Jacob Anawalt said: > > Maybe there is some > > 'light signature' option that would work better. > > Let me expand on this idea a little more. It seems that a signature > must have something that says what encryption was used and some info > that allows the unencoder to know who's signature it is and then an > encoded hash of the data it is signing. When I sign a lot of data the > signature is large. When I sign very little data, it is small. That's wrong. The signature has a fixed size because it's just a hash of fixed size, e.g. an MD5 hash is always 128 bit and a SHA-1 hash is always 160 bit. This means in base64 encoding (which has to be used because email header must only contain 7-bit ascii data) the size of the signature is at least 22 bytes (MD5) or 27 bytes (SHA-1). > In > either case there seems to be a substantial amount of header data. > > If we pre-agree on an algorithm and we know externally the claimed > 'owner' of the signature by looking at the MAIL FROM value, how small > can the signature be? Could it fit within (64 - size of GPG id + 1) > and be only local-part compliant data? See above. > I would much prefer the double encrypted data idea, but if that is > out of the question then I would at least want a piece of signed data > accessable by the RCPT TO stage to help show the MAIL FROM was not > forged. For each key that is used for encryption the session key has to be encrypted with this key. This means that for each encryption key you have to at least add the size of the session key (which is at least another 128 bit, i.e. 22 bytes in base64 encoding). > There hasn't been a response yet so I wonder if I'm asking in the > wrong place or if people are reading this and rolling their eyes. > Even a quick note to say I'm way off base or looking in the wrong > direction would be appreciated. ;) Check out http://www.ietf.org/rfc/rfc2440.txt for more information. Regards, Ingo From atom-gpg@suspicious.org Fri Oct 3 19:33:02 2003 From: atom-gpg@suspicious.org (Atom 'Smasher') Date: Fri Oct 3 18:33:02 2003 Subject: newbie question about identities In-Reply-To: <20031003091406.GD27044@amtp.liv.ac.uk> References: <20031003082715.GA17530@bretagne.rail.eu.org> <20031003091406.GD27044@amtp.liv.ac.uk> Message-ID: > > according to [my understanding of] the documentation, it says that you can > > have multiple identities sharing a key-pair (which is correct), and it > > seems to imply that that those identities are isolated from each other > > (which seems to be incorrect). > > Um, I don't remember seeing that or getting that impression, but if > you can quote the section (and even rewrite it) I'm sure the doc > maintainers would be interested... ============================================== http://www.gnupg.org/gph/en/manual.html#AEN282 Adding and deleting key components Additional user IDs are useful when you need multiple identities. For example, you may have an identity for your job and an identity for your work as a political activist. Coworkers will know you by your work user ID. Coactivists will know you by your activist user ID. Since those groups of people may not overlap, though, each group may not trust the other user ID. Both user IDs are therefore necessary. that's the part in the handbook that seems to imply that it's OK to just add an identity to an existing key-pair, and everything will work out fine. as i'm having my suspicions confirmed by the responses, that is not quite fine when identities have to be hidden from each other, although it is fine if the identities do not (socially) conflict with each other. maybe illustrating the concept of multiple UIDs (with one key-pair) using an employee and an activist is the problem... i think there should be some explicit mention in the handbook that any identities sharing a key-pair can easily be associated with each other, and if two (or more) identities have to remain isolated from each other they MUST NOT share a key-pair. in the current version of the manual (1.1) i don't see anything that explains that, but the example of the employee/activist really seems misleading.... ...atom ----------------Void-If-Detached---------------- http://smasher.suspicious.org/fs1r Yamaha FS1R "If Jesus Christ were to come today, people would not even crucify him. They would ask him to dinner, and hear what he had to say, and make fun of it." -- Thomas Carlyle From eugene@esmiley.net Fri Oct 3 20:21:01 2003 From: eugene@esmiley.net (Eugene Smiley) Date: Fri Oct 3 19:21:01 2003 Subject: newbie question about identities In-Reply-To: References: <20031003082715.GA17530@bretagne.rail.eu.org> <20031003091406.GD27044@amtp.liv.ac.uk> Message-ID: <3F7DB072.8010607@esmiley.net> This is a cryptographically signed message in MIME format. --------------ms000708070104060603080308 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: >>Um, I don't remember seeing that or getting that impression, but if >>you can quote the section (and even rewrite it) I'm sure the doc >>maintainers would be interested... > > ============================================== > http://www.gnupg.org/gph/en/manual.html#AEN282 > > Adding and deleting key components > > Additional user IDs are useful when you need multiple identities. > For example, you may have an identity for your job and an identity > for your work as a political activist. Coworkers will know you by > your work user ID. Coactivists will know you by your activist user > ID. Since those groups of people may not overlap, though, each > group may not trust the other user ID. Both user IDs are therefore > necessary. > > that's the part in the handbook that seems to imply that it's OK to just > add an identity to an existing key-pair, and everything will work out fine. > as i'm having my suspicions confirmed by the responses, that is not quite > fine when identities have to be hidden from each other, although it is > fine if the identities do not (socially) conflict with each other. Here's the part that you are missing though: "each group may not trust the other user ID. Both user IDs are therefore necessary," (if you want both groups to trust both UIDs). It's all about the trust. In your case you don't care about the trust. The trust would be detrimental in that case. > maybe illustrating the concept of multiple UIDs (with one key-pair) using > an employee and an activist is the problem... It would be valid if you were an activist in the same area as your job, but not as an antagonist, e.g. a radio personality who also works as a lobbyist for the Recording Industry. It would be valid for any number of combinations, EXCEPT when the two (or more) identities conflict, as you say. > i think there should be some explicit mention in the handbook that any > identities sharing a key-pair can easily be associated with each other, > and if two (or more) identities have to remain isolated from each other > they MUST NOT share a key-pair. in the current version of the manual (1.1) ... SHOULD NOT, actually ... > i don't see anything that explains that, but the example of the > employee/activist really seems misleading.... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/fbBw6QPtAqft/S8RAiYTAJ9hdpXAqxBzuA/BQmtwMbLi2xI1mQCgi29I kuO34sjyDGc6jSUsZjrBRxY= =4bjN -----END PGP SIGNATURE----- --------------ms000708070104060603080308 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJzjCC AzgwggKhoAMCAQICEGZFcrfMdPXPY3ZFhNAukQEwDQYJKoZIhvcNAQEEBQAwgdExCzAJBgNV BAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgG A1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vydmlj ZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkG CSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMDA4MzAwMDAw MDBaFw0wNDA4MjcyMzU5NTlaMIGSMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBD YXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xDzANBgNVBAoTBlRoYXd0ZTEdMBsGA1UECxMUQ2Vy dGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVtYWlsIFJTQSAyMDAw LjguMzAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN4zMqZjxwklRT7SbngnZ4HF2ogZ gpcO40QpimM1Km1wPPrcrvfudG8wvDOQf/k0caCjbZjxw0+iZdsN+kvx1t1hpfmFzVWaNRqd knWoJ67Ycvm6AvbXsJHeHOmr4BgDqHxDQlBRh4M88Dm0m1SKE4f/s5udSWYALQmJ7JRr6aFp AgMBAAGjTjBMMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwxLTI5NzAS BgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOBgQAxsUtH XfkBceX1U2xdedY9mMAmE2KBIqcS+CKV6BtJtyd7BDm6/ObyJOuR+r3sDSo491BVqGz3Da1M G7wD9LXrokefbKIMWI0xQgkRbLAaadErErJAXWr5edDqLiXdiuT82w0fnQLzWtvKPPZE6iZp h39Ins6ln+eE2MliYq0FxjCCA0UwggKuoAMCAQICAwpcNzANBgkqhkiG9w0BAQQFADCBkjEL MAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du MQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYD VQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMB4XDTAzMDcxNjE4MDM1MVoX DTA0MDcxNTE4MDM1MVowYzEPMA0GA1UEBBMGU21pbGV5MRIwEAYDVQQqEwlULiBFdWdlbmUx GTAXBgNVBAMTEFQuIEV1Z2VuZSBTbWlsZXkxITAfBgkqhkiG9w0BCQEWEmV1Z2VuZUBlc21p bGV5Lm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMP+Nt46kXLdVxRRG9q2 k+Bxhvh3oelkBlCaIJXH+hr/FMl4GTWBXGc0wAXcHm2fRPJHnxVtHVEK/P/OLtvvv7gBrK3J +3/VrB8SU9KlGb+dxqQFRc7y3keKkb+jgVnlYB9snQeaLeRkgItSR8iwVOPZg6QZ02GevxtO AEF12cWhdIWYWeLCquMRztPwt0wY6iQo0AyBUBPpfLfJveINobKonPTV5QLdrs68YUHYr0dj cl53gMpqSSzTHLcrna04mcC5s8GXQBjJ+cKOvDRVkVXYZ4rYxgMPeJ4njB72RSs+ABL6gAII kc1tc4PQlwgwXk/XNIcCCQg2NnJ3GghvJOcCAwEAAaNTMFEwDwYDVR0PAQH/BAUDAwfpgDAR BglghkgBhvhCAQEEBAMCBaAwHQYDVR0RBBYwFIESZXVnZW5lQGVzbWlsZXkubmV0MAwGA1Ud EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAUWKZs1Q+SPOXSGSFlm2v7kjFdC+HFnCqB1bP oCdVvnrK+sTQICA/yBciKm4O3zW02I+lCsJ4ZhBnjmforqmRjd9xZNfBY/4JbZRy2rzPkkvs dQV9ztduqv4A0rNU7Nmq7lTv1cg3o8PEl6FhR5V2m9kMiAJMaVCTOekGlPOlhB4wggNFMIIC rqADAgECAgMKXDcwDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxX ZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYD VQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwg UlNBIDIwMDAuOC4zMDAeFw0wMzA3MTYxODAzNTFaFw0wNDA3MTUxODAzNTFaMGMxDzANBgNV BAQTBlNtaWxleTESMBAGA1UEKhMJVC4gRXVnZW5lMRkwFwYDVQQDExBULiBFdWdlbmUgU21p bGV5MSEwHwYJKoZIhvcNAQkBFhJldWdlbmVAZXNtaWxleS5uZXQwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDD/jbeOpFy3VcUURvatpPgcYb4d6HpZAZQmiCVx/oa/xTJeBk1 gVxnNMAF3B5tn0TyR58VbR1RCvz/zi7b77+4Aaytyft/1awfElPSpRm/ncakBUXO8t5HipG/ o4FZ5WAfbJ0Hmi3kZICLUkfIsFTj2YOkGdNhnr8bTgBBddnFoXSFmFniwqrjEc7T8LdMGOok KNAMgVAT6Xy3yb3iDaGyqJz01eUC3a7OvGFB2K9HY3Jed4DKakks0xy3K52tOJnAubPBl0AY yfnCjrw0VZFV2GeK2MYDD3ieJ4we9kUrPgAS+oACCJHNbXOD0JcIMF5P1zSHAgkINjZydxoI byTnAgMBAAGjUzBRMA8GA1UdDwEB/wQFAwMH6YAwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1Ud EQQWMBSBEmV1Z2VuZUBlc21pbGV5Lm5ldDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA A4GBAFFimbNUPkjzl0hkhZZtr+5IxXQvhxZwqgdWz6AnVb56yvrE0CAgP8gXIipuDt81tNiP pQrCeGYQZ45n6K6pkY3fcWTXwWP+CW2Uctq8z5JL7HUFfc7Xbqr+ANKzVOzZqu5U79XIN6PD xJehYUeVdpvZDIgCTGlQkznpBpTzpYQeMYID1TCCA9ECAQEwgZowgZIxCzAJBgNVBAYTAlpB MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMG VGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29u YWwgRnJlZW1haWwgUlNBIDIwMDAuOC4zMAIDClw3MAkGBSsOAwIaBQCgggIPMBgGCSqGSIb3 DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAzMTAwMzE3MjI1OFowIwYJKoZI hvcNAQkEMRYEFJPqBmAEhv8HOrWxIatloeZnmxePMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZI hvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3 DQMCAgEoMIGrBgkrBgEEAYI3EAQxgZ0wgZowgZIxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxX ZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEPMA0GA1UEChMGVGhhd3RlMR0wGwYD VQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1haWwg UlNBIDIwMDAuOC4zMAIDClw3MIGtBgsqhkiG9w0BCRACCzGBnaCBmjCBkjELMAkGA1UEBhMC WkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQK EwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJz b25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMKXDcwDQYJKoZIhvcNAQEBBQAEggEATSu2 XLtJXDrk4C06iteaVUgyLbfOvouqFPOWVZKIZyuN6FjXynTgQACckixhCuU91Il4fFR8gX5a Lz4a9O3mm9/YWe8FS38uHlM0Iaj7QtTn0iXVlsffpM0sduVfQLIntvzPYVNkZasHeu0nahAS 3YRv7jXxbvedIifG7sdmZBMokHgoOaRU0ABJx6ygcTsY5jizj5zd+wOXivtXbOCZADZ2xVYa NzN0wLVeKx9Zi4ZPhZUaIHn4Aej8PFKK8ymnngBSuK02dszoMZKR2CHPNST2AsThAxPHKl4D rBkZsXgK6KGoQ1nVdJZ7zpEccvDQYVPXrCOfXLbs5ZCqBdMMaAAAAAAAAA== --------------ms000708070104060603080308-- From rhkelly@myrealbox.com Fri Oct 3 20:32:02 2003 From: rhkelly@myrealbox.com (rhkelly) Date: Fri Oct 3 19:32:02 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: <3F7DB32C.8010403@myrealbox.com> Atom 'Smasher' wrote: > let's say i have 2 identities.... > employee@big-corp > radical@big-corp-sucks > > obviously, each of these identities should be kept *FAR* apart. Perhaps it would be better to state the problem in a more fundamental form: the first identity requires no anonymity, the second does. If you think of it, the purpose of Public Key Infrastructure (PKI) is directly opposite to the notion of anonymity. (If I can be flippant here, that which is *public* can not be *anonymous*). Thus, no matter what the implementation details and protocols are, PKI will be detrimental to anonymity. Anything/anybody that requires anonymity should stear clear of PKI. (please note I said 'PKI', and *not* 'public key cryptosystems'). It is, IMHO, quite disturbing that many novices do not understand this, and that the problem of anonymity is never addressed by the extensive GPG documentation. Roger K. From atom-gpg@suspicious.org Fri Oct 3 20:58:01 2003 From: atom-gpg@suspicious.org (Atom 'Smasher') Date: Fri Oct 3 19:58:01 2003 Subject: newbie question about identities In-Reply-To: <3F7DB32C.8010403@myrealbox.com> References: <3F7DB32C.8010403@myrealbox.com> Message-ID: > > let's say i have 2 identities.... > > employee@big-corp > > radical@big-corp-sucks > > > > obviously, each of these identities should be kept *FAR* apart. > > Perhaps it would be better to state the problem in a more > fundamental form: the first identity requires no anonymity, > the second does. ========================= you raise a good point, but for this thread the concern is whether or not either identity can be deduced using a shared key-pair (which it can, although the handbook seems misleading on the subject), and what is the simplest way to avoid that (which seems to be that each identity has it's own key-pair). both identities may have a need for trusted (aka, not anonymous) secure email.... it's not that one party needs anonymity, it's really that both IDs have to remain isolated from each other.... obviously, if both IDs are sending mail from the same account on a server, that would be a way to determine that they belong to the same person... there are many places where a person can screw up, but i'm trying to find out how much of that rests in the keys... i agree that the documentation is lacking in all areas of anonymity, but that's not what i'm going after, here. there are many steps beyond the scope of this thread for keeping one (or more) identities anonymous. > If you think of it, the purpose of Public Key Infrastructure > (PKI) is directly opposite to the notion of anonymity. > (If I can be flippant here, that which is *public* can not > be *anonymous*). Thus, no matter what the implementation > details and protocols are, PKI will be detrimental to > anonymity. Anything/anybody that requires anonymity should > stear clear of PKI. (please note I said 'PKI', and *not* > 'public key cryptosystems'). > > It is, IMHO, quite disturbing that many novices do not > understand this, and that the problem of anonymity is > never addressed by the extensive GPG documentation. ...atom ----------------Void-If-Detached---------------- http://smasher.suspicious.org/fs1r Yamaha FS1R "God save the queen and her fascist regime" -- Sex Pistols From linux@codehelp.co.uk Fri Oct 3 21:12:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Oct 3 20:12:02 2003 Subject: newbie question about identities In-Reply-To: <20031003091406.GD27044@amtp.liv.ac.uk> References: <20031003091406.GD27044@amtp.liv.ac.uk> Message-ID: <200310031915.39682.linux@codehelp.co.uk> --Boundary-02=_Lzbf/JsE/3MpPkv Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 03 Oct 2003 10:14 am, Stewart V. Wright wrote: > --fingerprint' remains constant, but you can change ids. Take my key > for example. I have 4 different ids and at least 2 of them will not Which makes 0xb3334559 difficult to retrieve sometimes. It took a little=20 searching before I could find it to verify a signature declared initially a= s=20 0x35DB7472 which is a subkey. http://sks.dnsalias.net:11371/pks/lookup?search=3DStewart+V.+Wright&op=3Dvi= ndex and then searching for 35DB7472. It would be handy if you mentioned the public keyid 0xb3334559 in your=20 signature line in all signed emails - hkp:// keyservers don't contain the U= ID=20 that matches your current signature but at least it gives readers a headsta= rt=20 on finding your key. Better still would be a simple page on a website=20 mentioned in a sig or GnuPG comment allowing the full key to be downloaded = in=20 ascii armour. (Mine's on the codehelp.co.uk site but it's a plain key and doesn't have an= y=20 features that cause problems on hkp:// keyservers so I wouldn't think the=20 page is needed much.) There's no string specifying a location in the GnuPG signature comment, the= =20 subkey ID is not on hkp:// keyservers and your email address isn't found on= =20 sks.dnsalias.net keyserver either (which tends to be able to cope with keys= =20 that get corrupted/ignored by other keyservers). sks does have the key, but= =20 searching by name is always my least favourite option - there are so many=20 matches usually that it takes time to find out if you've got the right one. > Also, there are umpteen keys on the key servers with my name (id) > attached to them (really should have learnt about revoking all those > years ago!) but only two are valid at the moment. Some appear to be revoked but none match the signing subkeyID of this messa= ge. http://www.pgp.uk.demon.net:11371/pks/lookup?op=3Dindex&search=3DStewart+V.= +Wright =2D-=20 Neil Williams =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=3D0x8801094A28BCB3E3 --Boundary-02=_Lzbf/JsE/3MpPkv Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA/fbzLiAEJSii8s+MRApNPAJwN29MghCg1x0aKrT4CQ5FwMgIbvwCg9PDM 3SblRAYOl6XKdcu2fhcClYE= =fOJg -----END PGP SIGNATURE----- --Boundary-02=_Lzbf/JsE/3MpPkv-- From rhkelly@myrealbox.com Fri Oct 3 22:05:01 2003 From: rhkelly@myrealbox.com (rhkelly) Date: Fri Oct 3 21:05:01 2003 Subject: newbie question about identities In-Reply-To: References: <3F7DB32C.8010403@myrealbox.com> Message-ID: <3F7DC8E4.50609@myrealbox.com> Atom 'Smasher' wrote: >>>let's say i have 2 identities.... > you raise a good point, but... >...for this thread the concern is... If there are two 'abstract' identities (eg., id's in some computer/communication system) and neither of them is anonymous, they both (via some means, unimportant at the moment) 'point to' the same physical pearson's idenity, thus also to each other. Roger From jharris@widomaker.com Fri Oct 3 22:15:02 2003 From: jharris@widomaker.com (Jason Harris) Date: Fri Oct 3 21:15:02 2003 Subject: subkey lookups (was Re: newbie question about identities) In-Reply-To: <200310031915.39682.linux@codehelp.co.uk> References: <20031003091406.GD27044@amtp.liv.ac.uk> <200310031915.39682.linux@codehelp.co.uk> Message-ID: <20031003191654.GF924@pm1.ric-17.lft.widomaker.com> --ni93GHxFvA+th69W Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Oct 03, 2003 at 07:15:39PM +0100, Neil Williams wrote: > On Friday 03 Oct 2003 10:14 am, Stewart V. Wright wrote: > > --fingerprint' remains constant, but you can change ids. Take my key > > for example. I have 4 different ids and at least 2 of them will not >=20 > Which makes 0xb3334559 difficult to retrieve sometimes. It took a little= =20 > searching before I could find it to verify a signature declared initially= as=20 > 0x35DB7472 which is a subkey. >=20 > http://sks.dnsalias.net:11371/pks/lookup?search=3DStewart+V.+Wright&op=3D= vindex > and then searching for 35DB7472. (UIDs !=3D subkeys, but) you obviously haven't tried this recently: %gpg -v --keyserver keyserver.kjsl.com --recv-key 35DB7472 :) See also: http://lists.gnupg.org/pipermail/gnupg-users/2003-September/020160.html --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/ --ni93GHxFvA+th69W Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/fcslSypIl9OdoOMRAtoDAJ0Wahru5wyFEFOiVrfRnNNYN70jegCeI68O VgFD2CX6n8gn+9Qz84SNyGM= =R6Dt -----END PGP SIGNATURE----- --ni93GHxFvA+th69W-- From linux@codehelp.co.uk Fri Oct 3 23:35:02 2003 From: linux@codehelp.co.uk (Neil Williams) Date: Fri Oct 3 22:35:02 2003 Subject: subkey lookups (was Re: newbie question about identities) In-Reply-To: <20031003191654.GF924@pm1.ric-17.lft.widomaker.com> References: <200310031915.39682.linux@codehelp.co.uk> <20031003191654.GF924@pm1.ric-17.lft.widomaker.com> Message-ID: <200310032139.23655.linux@codehelp.co.uk> --Boundary-02=_75df/SAcqTnB1Im Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Description: signed data Content-Disposition: inline On Friday 03 Oct 2003 8:16 pm, Jason Harris wrote: > On Fri, Oct 03, 2003 at 07:15:39PM +0100, Neil Williams wrote: > > On Friday 03 Oct 2003 10:14 am, Stewart V. Wright wrote: > > Which makes 0xb3334559 difficult to retrieve sometimes. It took a little > > searching before I could find it to verify a signature declared initial= ly > > as 0x35DB7472 which is a subkey. > > > > http://sks.dnsalias.net:11371/pks/lookup?search=3DStewart+V.+Wright&op= =3Dvind > >ex and then searching for 35DB7472. > > (UIDs !=3D subkeys,=20 Must be working too hard - "the more you learn the more you forget"? Old problem, doing two things at the same time and should have waited until= =20 I'd fixed the bug I was working on before replying. > but) you obviously haven't tried this recently: > > %gpg -v --keyserver keyserver.kjsl.com --recv-key 35DB7472 Thanks for the reminder. :-) > > :) See also: =2D-=20 Neil Williams =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=3D0x8801094A28BCB3E3 --Boundary-02=_75df/SAcqTnB1Im Content-Type: application/pgp-signature Content-Description: signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA/fd57iAEJSii8s+MRAm5rAKDCIUeDq3Pt2kCnU6Kpyscl8rcWoACgxO+S 58TDSYfiUnWk5SG+XJx3DWc= =90qn -----END PGP SIGNATURE----- --Boundary-02=_75df/SAcqTnB1Im-- From ben@benfinney.id.au Sat Oct 4 10:49:02 2003 From: ben@benfinney.id.au (Ben Finney) Date: Sat Oct 4 09:49:02 2003 Subject: newbie question about identities In-Reply-To: <3F7DB32C.8010403@myrealbox.com> References: <3F7DB32C.8010403@myrealbox.com> Message-ID: <20031004075037.GA1429@benfinney.id.au> --huq684BweRXVnRxX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 03-Oct-2003, rhkelly wrote: > If you think of it, the purpose of Public Key Infrastructure (PKI) is > directly opposite to the notion of anonymity. Almost, but see below. > (If I can be flippant here, that which is *public* can not be > *anonymous*). On the contrary; PKI enables anonymity *and* trust, by giving assurance of continuity between anonymous messages. Anonymous remailer networks allow messages to be reliably sent without information traceable to a particular human being. This is great for anonymity, but not so good for integrity of the information or assurance of continuity between messages. If those messages are OpenPGP signed, however, it can be trivially determined, with a strong degree of assurance, that the same person did or did not send two separate anonymous messages. A single OpenPGP key, if we trust that it is handled properly, gives a good assurance of integrity; but it doesn't necessarily allow us to determine the person in the real world. Anonymity *and* continuity. For an active, practical implementation of this, see Invisiblog: --=20 \ "Tis more blessed to give than to receive; for example, wedding | `\ presents." -- Henry L. Mencken | _o__) | Ben Finney --huq684BweRXVnRxX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iEYEARECAAYFAj9+e80ACgkQt6wuUb1BcUu5bQCeI1wT0fSFl7j7CLrcUyD9xuyd o3cAn3UBh8JQJUMl1UisuKBtWT6SBoV7 =c6Uz -----END PGP SIGNATURE----- --huq684BweRXVnRxX-- From jacob@cachevalley.com Sat Oct 4 11:41:01 2003 From: jacob@cachevalley.com (Jacob Anawalt) Date: Sat Oct 4 10:41:01 2003 Subject: Using GPG to create virtual email addresses In-Reply-To: <200310031434.07914@erwin.ingo-kloecker.de> References: <3F7768AA.30903@cachevalley.com> <2406.192.168.1.4.1065057680.squirrel@scsi-burn.office> <200310031434.07914@erwin.ingo-kloecker.de> Message-ID: <3F7E87EF.3060700@cachevalley.com> Ingo Klöcker wrote: >On Thursday 02 October 2003 03:21, Jacob Anawalt wrote: > > >>Jacob Anawalt said: >> >> >>>Maybe there is some >>>'light signature' option that would work better. >>> >>> >>Let me expand on this idea a little more. It seems that a signature >>must have something that says what encryption was used and some info >>that allows the unencoder to know who's signature it is and then an >>encoded hash of the data it is signing. When I sign a lot of data the >>signature is large. When I sign very little data, it is small. >> >> > >That's wrong. The signature has a fixed size because it's just a hash of >fixed size, e.g. an MD5 hash is always 128 bit and a SHA-1 hash is >always 160 bit. This means in base64 encoding (which has to be used >because email header must only contain 7-bit ascii data) the size of >the signature is at least 22 bytes (MD5) or 27 bytes (SHA-1). > You're right. I don't know how I thought I saw what I did. My test signature seems to have 64 characters, CRLF, 24 characters, CRLF, five characters. I have no idea which part is the hash and which is the key, or if it is all a key of the hash. If there were no data to hash, how small could this be? Only 22/27 bytes smaller? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/foF8vdaM6UF7o8YRAlNpAJ4yCyBmuBfCg3zUFMXIU2qe0MH4jwCfV3+e kvFfNHdoZSOTXm1aSxq2yK8= =f32U -----END PGP SIGNATURE----- > > > >>In >>either case there seems to be a substantial amount of header data. >> >>If we pre-agree on an algorithm and we know externally the claimed >>'owner' of the signature by looking at the MAIL FROM value, how small >>can the signature be? Could it fit within (64 - size of GPG id + 1) >>and be only local-part compliant data? >> >> > >See above. > > > >>I would much prefer the double encrypted data idea, but if that is >>out of the question then I would at least want a piece of signed data >>accessable by the RCPT TO stage to help show the MAIL FROM was not >>forged. >> >> > >For each key that is used for encryption the session key has to be >encrypted with this key. This means that for each encryption key you >have to at least add the size of the session key (which is at least >another 128 bit, i.e. 22 bytes in base64 encoding). > So at least 44 of the 64 total bytes are just for the session key. That doesn't leave much. In my first email I said that protection of the data is not the issue. I don't really care if my username is hidden, infact it may be advantageous if it is not hidden. What I am looking for is a virtual username (email address local-part) that is unique per sender/reciever pair, and the identity of that pair is some combination of the two's GPG information. Short of that, I would like a virtual username that has the recievers identity and the assurance that the sender is who they say they are built into it before making the decision to send a 4xx/5xx or say 250 OK and accept the data portion of the SMTP transaction. Somehow I would like to use or tie back into the PGP/GPG trust system. Maybe I need to think of some parallel system where virtual email mapings are stored and somehow those mappings are signed by the users. > > > >>There hasn't been a response yet so I wonder if I'm asking in the >>wrong place or if people are reading this and rolling their eyes. >>Even a quick note to say I'm way off base or looking in the wrong >>direction would be appreciated. ;) >> >> > >Check out http://www.ietf.org/rfc/rfc2440.txt for more information. > > This full scope of this document is a bit beyond my comprehension at the moment. That is why I asked on this list. I am having a hard time gleaning the answer to my question(s) from it. I did read that implementations should not assume that the key ID is unique, so I won't count on that. Am I just hoping for something that isn't going to work? -- Jacob From rhkelly@myrealbox.com Sat Oct 4 17:55:01 2003 From: rhkelly@myrealbox.com (rhkelly) Date: Sat Oct 4 16:55:01 2003 Subject: newbie question about identities In-Reply-To: <20031004075037.GA1429@benfinney.id.au> References: <3F7DB32C.8010403@myrealbox.com> <20031004075037.GA1429@benfinney.id.au> Message-ID: <3F7EDFFC.10601@myrealbox.com> Ben Finney wrote: > On 03-Oct-2003, rhkelly wrote: > >>If you think of it, the purpose of Public Key Infrastructure >>(PKI) is directly opposite to the notion of anonymity. > > Almost, but see below. > >>...that which is *public* can not be *anonymous*... > > On the contrary; PKI enables anonymity *and* trust, by giving > assurance of continuity between anonymous messages. (Whereby we introduce the notion of 'granularity of anonymity' :) I said just 'PKI' where I should have said PKI/WOT. (or perhaps just WOT - in context of gpg, PKI *is* WOT - I know, gpg /can/ be used without WOT; but it gets to be difficult to do so, since almost every component in it assumes otherwise. But this *is* a different topic). On the other hand, if I change your sentence above to replace PKI with PKC ('public key cryptosystems' - of which gpg *is* one), I agree completely. > Anonymous remailer networks... [and] ... > ...practical implementation of this, see Invisiblog: > Interesting reference, thanks. Roger From dshaw@jabberwocky.com Sat Oct 4 19:19:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat Oct 4 18:19:01 2003 Subject: newbie question about identities In-Reply-To: <3F7EDFFC.10601@myrealbox.com> References: <3F7DB32C.8010403@myrealbox.com> <20031004075037.GA1429@benfinney.id.au> <3F7EDFFC.10601@myrealbox.com> Message-ID: <20031004162117.GF19969@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Oct 04, 2003 at 02:58:04PM +0000, rhkelly wrote: > I said just 'PKI' where I should have said PKI/WOT. > (or perhaps just WOT - in context of gpg, PKI *is* WOT - > I know, gpg /can/ be used without WOT; but it gets to > be difficult to do so, since almost every component in > it assumes otherwise. But this *is* a different topic). Just a note - you use GnuPG without the WOT if you put: trust-model always in your gpg.conf file. This disables all trust calculations, and treats all keys (signed or not) equally. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj9+83wqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJfl4AoJrmylA/n630u+0BJZ4werjHY/vjAKC1 VjDuyi7TtF/VlsCczdryqt5k3A== =7OyW -----END PGP SIGNATURE----- From dshaw@jabberwocky.com Sat Oct 4 23:40:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Sat Oct 4 22:40:01 2003 Subject: 1.3.3 binary // for windows ? In-Reply-To: <200310021714.h92HEqmt099028@mailserver1.hushmail.com> References: <200310021714.h92HEqmt099028@mailserver1.hushmail.com> Message-ID: <20031004204114.GG19969@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, Oct 02, 2003 at 10:14:52AM -0700, vedaal@hush.com wrote: > > would like to try out the 1.3.3 version > > where is it possible to download a binary for windows? > (even if an alpha version) 1.3.3 hasn't been released yet. It's only available from CVS, so you'd need to build it yourself with MingW32 or Cygwin. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj9/MGoqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJUWgAnA7nh4TxQI5sbIIruTZPtcd59/H6AKCg MgbEmXVC64au1iaiWqRAc4zraA== =w4dQ -----END PGP SIGNATURE----- From jeffm@iglou.com Sun Oct 5 03:09:01 2003 From: jeffm@iglou.com (Jeff McAdams) Date: Sun Oct 5 02:09:01 2003 Subject: gnupg: request for small change in output In-Reply-To: <87he2p862r.fsf@athene.jamux.com> References: <20031004022236.GC19969@jabberwocky.com> <20031004111301.GA1809@iglou.com> <87he2p862r.fsf@athene.jamux.com> Message-ID: <20031005001105.GB1809@iglou.com> --Bn2rw/3z4jIqBvZU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Also Sprach John A. Martin >Think of the ID as an arbitrary string that must match another >arbitrary string. The fact that the string happens to be a string of >hexadecimal characters is immaterial to the match. That's a better way to think of it...but its still inconsistent with what the rest of the world does and the way most people will think of it. For one data point, *I've* always found it confusing. Not so much that it has really hindered my use of pgp/gpg, but it has always bugged me. >One might argue that ornamenting the ID with '0x' might be deceptive >suggesting that is useful as an arithmetical quantity. It is. It is a hex number, it could be converted to octal, it *is* converted to binary (by the computer, though we don't typically take note of it), it can be converted to base 10, it can be sorted (which will basically work without treating it as a number, until you start dealing with people like myself being lazy and typing my keyid as 9992adfc, rather than 9992ADFC). Admittedly, there's not a *great* deal significant that is done with it as a number, but make no mistake, it most definitely *is* a number. That having been said...let me say again. This is really incredibly minor...probably not even worth burning the electons that have already been burned on it. --=20 Jeff McAdams "He who laughs last, thinks slowest." -- anonymous --Bn2rw/3z4jIqBvZU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iEYEARECAAYFAj9/YZkACgkQXkUmzpmSrfyUrACgueXjrKclJkr/SoLV8iWS4gvR ClYAnAo7yypXPrNo4tL9aAiZMWSP19J5 =9vni -----END PGP SIGNATURE----- --Bn2rw/3z4jIqBvZU-- From eroosenmaallen@cogeco.ca Sun Oct 5 05:26:01 2003 From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen) Date: Sun Oct 5 04:26:01 2003 Subject: Crash on encrypt - GnuPG Message-ID: <3F7F81AB.5070201@cogeco.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I'm having a new problem with GnuPG. I'm using a home-compiled (MinGW32) build of GnuPG 1.2.3 on Windows 98SE. When I attempt to encrypt, I get an illegal operation and GPG dies. I first noticed it using Mozilla+Enigmail, but it comes up even at the command line. The details from the error message are: > GPG caused an invalid page fault in > module GPG.EXE at 017f:0040c5e6. > Registers: > EAX=008f3a80 CS=017f EIP=0040c5e6 EFLGS=00010206 > EBX=00002000 SS=0187 ESP=007cddc0 EBP=007cddf8 > ECX=00000000 DS=0187 ESI=007cf350 FS=1ad7 > EDX=007ec888 ES=0187 EDI=00002000 GS=0000 > Bytes at CS:EIP: > 89 13 89 7b 04 50 6a 00 53 56 e8 cb f9 ff ff 89 > Stack dump: > bfbabcaf 00000000 00000008 007cddd0 00000000 00000200 00000000 008f3690 > 007ea884 00000000 007cde38 000000ab 008f3750 0000033d 007cde38 0048bb0b Any ideas? Thanks, Eddie Roosenmaallen - -- OpenPGP KeyID: 0xCC1aCD05 Get my key from keyserver.kjsl.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/f4GntGGqbMwazQURAjDWAJ9wwAxrmzeyfcAwPjPfLJ4f+Dw3QQCgubAH tGmrrlMPtblMh68lxKbuDUk= =CCm8 -----END PGP SIGNATURE----- From eroosenmaallen@cogeco.ca Sun Oct 5 06:02:01 2003 From: eroosenmaallen@cogeco.ca (Eddie Roosenmaallen) Date: Sun Oct 5 05:02:01 2003 Subject: Crash on encrypt - GnuPG In-Reply-To: <3F7F81AB.5070201@cogeco.ca> References: <3F7F81AB.5070201@cogeco.ca> Message-ID: <3F7F8A29.7020706@cogeco.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Upon further testing, it appears to be something broken with my build - replacing gpg.exe with the binary from gnupg.org appears to fix the problem. - -- OpenPGP KeyID: 0xCC1aCD05 Get my key from keyserver.kjsl.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/f4ootGGqbMwazQURAjgtAJ0R59JHESF01Kdt07b4/IhMhf0+AgCg02oh yO5XqtNh4pS/7IJHoV9mPXw= =QmaW -----END PGP SIGNATURE----- From jharris@widomaker.com Sun Oct 5 20:13:01 2003 From: jharris@widomaker.com (Jason Harris) Date: Sun Oct 5 19:13:01 2003 Subject: new (2003-10-05) keyanalyze results Message-ID: <20031005171503.GI924@pm1.ric-17.lft.widomaker.com> --zgY/UHCnsaNnNXRx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2003-10-05/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: a28fc61b7869d75d8b14ea39eccc1c7bc2d7590a 12401676 preprocess.= keys 858cb1f074d96631e503efcb58a826830bb41c58 10015927 othersets.t= xt cfe295fdd561848daf4fd009f610b0c9ada4dc4a 2266270 msd-sorted.txt 772dcd939e02add4ab8a053dd4f9db668a3e8f3a 1487 index.html 341ae91b4e824c3c89b059c4b54bd989d5949701 2287 keyring_stats de3fab4bed7bb4dccad40d8478b03f55972e0bca 897488 msd-sorted.txt.bz2 de1c6b784dc8c3f389eb09f0927537cf23343d40 26 other.txt 7d92486f5d11b7586cadf43ed7cb1f1ab0440c1c 1946869 othersets.txt.bz2 2fa25603a088eb3f2673cce32f6ccb3dd52e6419 5558456 preprocess.keys.bz2 ae5a8422b027511ea265114f6e1f26999731e409 12399 status.txt 3d35fc3f8e4ea18a11771c8bcc68b1e25c1117c1 212374 top1000table.html d39879fd2b694fce20025a22a93940ffc892425e 30812 top1000table.html.gz 69813c215e5da776c40eb32e4b38f345a8e687c8 11130 top50table.html 181724575311e4eb7cbc9d20f99c2eaaa977b38d 2074 D3/D39DA0E3 --=20 Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/ --zgY/UHCnsaNnNXRx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/gFGWSypIl9OdoOMRAud8AJ4mjwZaesxFWSocg2KIXYq7YfBzUACgopYZ aq/IaNNxPWxjaKULxvOfFtQ= =Kreb -----END PGP SIGNATURE----- --zgY/UHCnsaNnNXRx-- From svwright+lists@amtp.liv.ac.uk Mon Oct 6 14:31:01 2003 From: svwright+lists@amtp.liv.ac.uk (Stewart V. Wright) Date: Mon Oct 6 13:31:01 2003 Subject: newbie question about identities In-Reply-To: <200310031915.39682.linux@codehelp.co.uk> References: <20031003091406.GD27044@amtp.liv.ac.uk> <200310031915.39682.linux@codehelp.co.uk> Message-ID: <20031006113304.GB1226@amtp.liv.ac.uk> --ADZbWkCsHQ7r3kzd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable G'day Neil, * Neil Williams [031003 19:40]: > On Friday 03 Oct 2003 10:14 am, Stewart V. Wright wrote: > > for example. I have 4 different ids and at least 2 of them will not >=20 > Which makes 0xb3334559 difficult to retrieve sometimes. It took a little= =20 > searching before I could find it to verify a signature declared initially= as=20 > 0x35DB7472 which is a subkey. Indeed, this is a bit of a problem that has been bubbling away in my subconscious for some time. > It would be handy if you mentioned the public keyid 0xb3334559 in your=20 > signature line in all signed emails - hkp:// keyservers don't contain the= UID=20 > that matches your current signature but at least it gives readers a heads= tart=20 > on finding your key. Better still would be a simple page on a website=20 > mentioned in a sig or GnuPG comment allowing the full key to be downloade= d in=20 > ascii armour. > (Mine's on the codehelp.co.uk site but it's a plain key and doesn't have = any=20 > features that cause problems on hkp:// keyservers so I wouldn't think the= =20 > page is needed much.) I use Werner's suggested X-Request-PGP header... X-Request-PGP: http://www.liv.ac.uk/~svwright/security/keys.asc My regular (i.e. professional) .sig is four lines long already. Any longer and I'd be breaking the McQ "rules". > There's no string specifying a location in the GnuPG signature comment, t= he=20 > subkey ID is not on hkp:// keyservers and your email address isn't found = on=20 > sks.dnsalias.net keyserver either (which tends to be able to cope with ke= ys=20 > that get corrupted/ignored by other keyservers). sks does have the key, b= ut=20 > searching by name is always my least favourite option - there are so many= =20 > matches usually that it takes time to find out if you've got the right on= e. Ah. OK. I'm doing a key signing in the next week or so (anyone near Liverpool in the UK who wants to get involved?), so I'll spread it around further then. =20 =20 > > Also, there are umpteen keys on the key servers with my name (id) > > attached to them (really should have learnt about revoking all those > > years ago!) but only two are valid at the moment. >=20 > Some appear to be revoked but none match the signing subkeyID of this mes= sage. > http://www.pgp.uk.demon.net:11371/pks/lookup?op=3Dindex&search=3DStewart+= V.+Wright True. I was just indicating that one can have multiple keys associated with a single email address. Thus email/name "id" is not able to distinguish between keys, but fingerprint "id" is. Cheers, S. --=20 European Citizens: Please do a little work to convince the European Parliament to reject software patents. This page explains the issue and provides suggestions for action; take the time to participate. http://swpat.ffii.org/ --ADZbWkCsHQ7r3kzd Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iH8EARECAD8FAj+BUvA4Gmh0dHA6Ly93d3cubGl2LmFjLnVrL35zdndyaWdodC9z ZWN1cml0eS9ncGctcG9saWN5Lmh0bWwACgkQaBqfzTXbdHIGSwCghNUGnux570Nc pSCS02tPe4h662kAn11o6kRv6Agb8NOo0Z1aV6srMdpI =IapO -----END PGP SIGNATURE----- --ADZbWkCsHQ7r3kzd-- From lporter@hdsmith.com Mon Oct 6 20:53:01 2003 From: lporter@hdsmith.com (Lowell Porter) Date: Mon Oct 6 19:53:01 2003 Subject: questions In-Reply-To: <20030928134111.GA15278@jabberwocky.com> Message-ID: <001001c38c32$8c5b4130$d406a8c0@hdsmith.com> From apavelec@benefit-services.com Mon Oct 6 21:39:01 2003 From: apavelec@benefit-services.com (Adam Pavelec) Date: Mon Oct 6 20:39:01 2003 Subject: Was: questions; Now: answers References: <001001c38c32$8c5b4130$d406a8c0@hdsmith.com> Message-ID: <004801c38c39$7165fe40$2027a8c0@PAVELECA> From BPJenkins@delinvest.com Mon Oct 6 21:56:01 2003 From: BPJenkins@delinvest.com (Jenkins, Brian P.) Date: Mon Oct 6 20:56:01 2003 Subject: Automation of decryption Message-ID: This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C38C3B.AC332D20 Content-Type: text/plain Please help me understand how I can run GPG to decrypt a file without human intervention. Currently I can use the --yes to handle all questions but cannot feed in the passphrase. I'm using v1.2.3 for windows and am very new to the product. Brian This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation. ------_=_NextPart_001_01C38C3B.AC332D20 Content-Type: text/html
Please help me understand how I can run GPG to decrypt a file without human intervention.  Currently I can use the --yes to handle all questions but cannot feed in the passphrase.  I'm using v1.2.3 for windows and am very new to the product.
 
Brian


This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation. ------_=_NextPart_001_01C38C3B.AC332D20-- From lporter@hdsmith.com Mon Oct 6 22:18:02 2003 From: lporter@hdsmith.com (Lowell Porter) Date: Mon Oct 6 21:18:02 2003 Subject: Automation of decryption In-Reply-To: Message-ID: <000801c38c3e$72cc2bb0$d406a8c0@hdsmith.com> This is a multi-part message in MIME format. ------=_NextPart_000_0009_01C38C14.89F623B0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Without a hurclean programming effort to do it, the only "simple" way to do it is to not use a passphrase (but then this opens security issues). I believe some of the methods to answer the passphrase using a file (using the echo command) does not work in Windows like it does on Unix/Linux. -----Original Message----- From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org] On Behalf Of Jenkins, Brian P. Sent: Monday, October 06, 2003 1:57 PM To: gnupg-users@gnupg.org Subject: Automation of decryption Please help me understand how I can run GPG to decrypt a file without human intervention. Currently I can use the --yes to handle all questions but cannot feed in the passphrase. I'm using v1.2.3 for windows and am very new to the product. Brian This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation. ------=_NextPart_000_0009_01C38C14.89F623B0 Content-Type: text/html; charset="US-ASCII" Content-Transfer-Encoding: quoted-printable Message
Without a hurclean programming effort to do it, the only = "simple" way to=20 do it is to not use a passphrase (but then this opens security = issues). =20 I believe some of the methods to answer the passphrase using a file = (using the echo command)  does not work in Windows like it = does on=20 Unix/Linux.
-----Original Message-----
From:=20 gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org] On = Behalf=20 Of Jenkins, Brian P.
Sent: Monday, October 06, 2003 1:57 = PM
To: gnupg-users@gnupg.org
Subject: Automation = of=20 decryption

Please help=20 me understand how I can run GPG to decrypt a file without human=20 intervention.  Currently I can use the --yes to handle all = questions but=20 cannot feed in the passphrase.  I'm using v1.2.3 for windows and = am very=20 new to the product.
 
Brian


This e-mail and any = accompanying=20 attachments are confidential. The information is intended solely for = the use=20 of the individual to whom it is addressed. Any review, disclosure, = copying,=20 distribution, or use of this e-mail communication by others is = strictly=20 prohibited. If you are not the intended recipient, please notify us=20 immediately by returning this message to the sender and delete all = copies.=20 Thank you for your cooperation.
------=_NextPart_000_0009_01C38C14.89F623B0-- From frank.calfo@csgpro.com Mon Oct 6 23:44:02 2003 From: frank.calfo@csgpro.com (Frank Calfo) Date: Mon Oct 6 22:44:02 2003 Subject: Automation of decryption In-Reply-To: Message-ID: <5.2.1.1.0.20031006134155.00a86460@mail.csgpro.com> --=====================_2463271==.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed I have created a few batch files to automate encryption and decryption, even with a keystore that is password protected. To decrypt a file encrypted via passphrase-based encryption, the following command within a batch file has been working well on Windows: @rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with password-based encryption @rem Arguments: 1 - password that file was encrypted with @rem 2 - path to EFTS keystore @rem 3 - fully qualified name of decrypted file to create @rem 4 - fully qualified name of encrypted file to decrypt @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4 To decrypt a file encrypted via key-based encryption, the following command within a batch file has been working well on Windows. Note that this is same as previous example. Only difference is that previous one passed in encryption password under argument #1 while this one passes keystore password under argument #1: @rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with key-based encryption @rem Arguments: 1 - password to EFTS keystore @rem 2 - path to EFTS keystore @rem 3 - fully qualified name of decrypted file to create @rem 4 - fully qualified name of encrypted file to decrypt @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4 hth, Frank At 02:57 PM 10/6/2003 -0400, Jenkins, Brian P. wrote: >Please help me understand how I can run GPG to decrypt a file without >human intervention. Currently I can use the --yes to handle all questions >but cannot feed in the passphrase. I'm using v1.2.3 for windows and am >very new to the product. > >Brian > > >This e-mail and any accompanying attachments are confidential. The >information is intended solely for the use of the individual to whom it is >addressed. Any review, disclosure, copying, distribution, or use of this >e-mail communication by others is strictly prohibited. If you are not the >intended recipient, please notify us immediately by returning this message >to the sender and delete all copies. Thank you for your cooperation. --=====================_2463271==.ALT Content-Type: text/html; charset="us-ascii" I have created a few batch files to automate encryption and decryption, even with a keystore that is password protected.

To decrypt a file encrypted via passphrase-based encryption, the following command within a batch file has been working well on Windows:

@rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with password-based encryption
@rem Arguments: 1 - password that file was encrypted with
@rem            2 - path to EFTS keystore
@rem            3 - fully qualified name of decrypted file to create
@rem            4 - fully qualified name of encrypted file to decrypt
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad
@rem passphrase error

echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4


To decrypt a file encrypted via key-based encryption, the following command within a batch file has been working well on Windows. Note that this is same as previous example.  Only difference is that previous one passed in encryption password under argument #1 while this one passes keystore password under argument #1:

@rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with key-based encryption
@rem Arguments: 1 - password to EFTS keystore
@rem            2 - path to EFTS keystore
@rem            3 - fully qualified name of decrypted file to create
@rem            4 - fully qualified name of encrypted file to decrypt
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad
@rem passphrase error

echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4


hth,
Frank


At 02:57 PM 10/6/2003 -0400, Jenkins, Brian P. wrote:
Please help me understand how I can run GPG to decrypt a file without human intervention.  Currently I can use the --yes to handle all questions but cannot feed in the passphrase.  I'm using v1.2.3 for windows and am very new to the product.
 
Brian


This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
--=====================_2463271==.ALT-- From atom-gpg@suspicious.org Tue Oct 7 10:28:02 2003 From: atom-gpg@suspicious.org (Atom 'Smasher') Date: Tue Oct 7 09:28:02 2003 Subject: opie or s/key with gpg? Message-ID: does anyone know if there's (yet) any way to use opie or s/key to unlock one's secret gpg key? if done right, this could greatly reduce (eliminate?) the possibility of having one's password sniffed, either on a network or from the keyboard..... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "When you have eliminated all which is impossible, then whatever remains, however improbable, must be the truth." -- Sherlock Holmes (Arthur Conan Doyle) From dshaw@jabberwocky.com Tue Oct 7 14:38:01 2003 From: dshaw@jabberwocky.com (David Shaw) Date: Tue Oct 7 13:38:01 2003 Subject: opie or s/key with gpg? In-Reply-To: References: Message-ID: <20031007113958.GB2650@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Oct 07, 2003 at 12:26:20AM -0700, Atom 'Smasher' wrote: > does anyone know if there's (yet) any way to use opie or s/key to unlock > one's secret gpg key? if done right, this could greatly reduce > (eliminate?) the possibility of having one's password sniffed, either on a > network or from the keyboard..... It is theoretically possible (I've thought about it for certain uses), but it does not do what one might think it does. One-time passwords pretty much require that the item being protected be under the control of the machine that runs the OTP system. The process that authenticates the OTP can then grant access to the protected item, in this case the secret key. It comes down to the OTP process either needs access to the unprotected key or the passphrase. This isn't a fatal flaw (after all, the gpg agent holds the same information in memory), but it does change the circumstances where such a setup would be useful. Since most people want such a thing for accessing their keys remotely, the requirement that their remote machine must remain completely secure usually makes them reconsider. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+Cpg4qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJYdkAn3W3Jp8W7gAH8I+XL62WsQbHU6YiAJ9u F0xocMJAhIHx099iAg34s7Lc0w== =+EGr -----END PGP SIGNATURE----- From frank.calfo at csgpro.com Tue Oct 7 14:38:45 2003 From: frank.calfo at csgpro.com (Frank Calfo) Date: Tue Oct 7 22:36:25 2003 Subject: WARNING: unsafe permissions on homedir Message-ID: <5.2.1.1.0.20031007133805.00a75d78@mail.csgpro.com> Running GPG on Linux, I get this warning: WARNING: unsafe permissions on homedir what should the permissions on the directory that contains the keystore be ? From linux at codehelp.co.uk Tue Oct 7 23:20:05 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Oct 7 23:15:30 2003 Subject: WARNING: unsafe permissions on homedir In-Reply-To: <5.2.1.1.0.20031007133805.00a75d78@mail.csgpro.com> References: <5.2.1.1.0.20031007133805.00a75d78@mail.csgpro.com> Message-ID: <200310072220.06070.linux@codehelp.co.uk> On Tuesday 07 Oct 2003 9:38 pm, Frank Calfo wrote: > Running GPG on Linux, I get this warning: WARNING: unsafe permissions on > homedir > > what should the permissions on the directory that contains the keystore be > ? chmod 700 drwx------ Files inside .gnupg should be chmod 600 -rw------- Also check the ownership of the directory, it should be owned by the same user that will be running gpg at the command line. man chown These don't usually need to be changed - it's how GnuPG sets itself up. You've been fiddling, haven't you! -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031007/1d54c4d1/attachment.bin From samuel at Update.UU.SE Wed Oct 8 00:31:32 2003 From: samuel at Update.UU.SE (Samuel ]slund) Date: Tue Oct 7 23:29:24 2003 Subject: WARNING: unsafe permissions on homedir In-Reply-To: <5.2.1.1.0.20031007133805.00a75d78@mail.csgpro.com> References: <5.2.1.1.0.20031007133805.00a75d78@mail.csgpro.com> Message-ID: <20031007213132.GN8854@Update.UU.SE> On Tue, Oct 07, 2003 at 01:38:45PM -0700, Frank Calfo wrote: > Running GPG on Linux, I get this warning: WARNING: unsafe permissions on > homedir > > what should the permissions on the directory that contains the keystore be ? It should not be world readable. drwx------ should do it. The point is to protect your private key, if someone gets a copy of it the only barier left is your passphrase. HTH //Samuel From atom-gpg at suspicious.org Tue Oct 7 22:38:38 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Wed Oct 8 06:40:01 2003 Subject: opie or s/key with gpg? (fwd) Message-ID: it might not require that the secret pgp key be stored in the clear, with access to it controlled by "something else".... i'm not any good when it comes to C (yet!), so i'm not the one to write any proof-of-concept code, but here's how it could work on any machine that you'd trust "enough" to type your password into in the first place... i wish i could do more oversimplifying here, but i'm sure that'll just confuse things... == how it could work == based on the secret-keyring, an opie-secret-keyring is generated (when setting an opie password). when a password is entered (into gpg), to unlock the secret pgp key, it's first checked to see if it's the valid reusable password, and if it isn't then it's checked if it's an opie password. the fun part is how to keep the opie-secret-keyring safe.... remember, this is an oversimplification, so don't flame me if something isn't quite right.... let's say we have the count at 123, the password="p", the seed="s", so the opie-secret-keyring is symmetrically encrypted, with a password based on the final hash value of opie(p,s,124). so, after a successful OTP is given to [an opie version of] gpg, let's decrypt the secret key (from the opie-secret-keyring) so it's available to gpg to do it's thing, and then re-encrypt the opie-secret-keyring, this time with a password based on opie(p,s,123) (the current OTP). the next valid OTP is #122. in other words, the opie-secret-keyring is symmetrically encrypted, using a password which is based on the final hash value of opie as it's password. every time the opie-secret-keyring is accessed, the file is decrypted (otherwise the key can't be accessed), then re-encrypted with it's new password based on the final hash value of opie. now the opie-secret-keyring is encrypted with a password based on opie(p,s,123), and entering the right opie-password (based on a count of 122) will decrypt it, make the key available, and then re-encrypt it with a password based on the final hash of opie(p,s,122). the opie counter is now at 121. ** weakness below ** this should work. of course other concerns would be the security of the computer, including any media that the file is stored on, or accessible to, but that's a matter of implementation, not protocol... and since these concerns already apply to the current implementations, i don't think there's much of a drawback. all in all, i would think that if this were reasonably implemented, it would be at least as secure as a reusable password. maybe this would be even better.... in a case were my keyring is generated and maintained on a local machine (trusted to be secure), i could then copy an opie-secret-keyring to a server that i use to read/send mail, and not have to worry about my keystrokes being logged. (i know; if my keystrokes are logged, then *they* know what i'm writing before it gets encrypted, but they won't get my key - it makes a PART of the system more secure, it doesn't make the whole system more secure.) in some environments, this could eliminate what is currently the weakest link in the practical use of pgp. ** weakness ** if an attacker gets a copy of the opie-secret-keyring, and sniffs any OTP that's newer than the file, that sniffed OTP can be used to generate previously used OTPs (which can unlock the file). this requires that the opie secret password and string are the same, both the time that the file is stolen, and the time that the password is sniffed. however, if an attacker has access to both the opie-secret-keyring AND your password, then you're hosed anyway. this method DOES NOT protect you in the event that your opie-secret-keyring can be read by an attacker; it ONLY protects your password from being replayed. of course, i'm not sure how useful the password would ever be, without a copy of the encrypted secret keyring, so maybe the whole thing makes no sense.... maybe all of this rambling is pointless anyway? it's 0035h here... i'll stop rambling, and start wasting some thought cycles on how to use something like opie to keep files safe.... > > does anyone know if there's (yet) any way to use opie or s/key to unlock > > one's secret gpg key? if done right, this could greatly reduce > > (eliminate?) the possibility of having one's password sniffed, either on a > > network or from the keyboard..... > > It is theoretically possible (I've thought about it for certain uses), > but it does not do what one might think it does. One-time passwords > pretty much require that the item being protected be under the control > of the machine that runs the OTP system. The process that > authenticates the OTP can then grant access to the protected item, in > this case the secret key. It comes down to the OTP process either > needs access to the unprotected key or the passphrase. > > This isn't a fatal flaw (after all, the gpg agent holds the same > information in memory), but it does change the circumstances where > such a setup would be useful. Since most people want such a thing for > accessing their keys remotely, the requirement that their remote > machine must remain completely secure usually makes them reconsider. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Violence is the first refuge of the incompetent." -- Issac Asimov From ben at benfinney.id.au Wed Oct 8 16:27:53 2003 From: ben at benfinney.id.au (Ben Finney) Date: Wed Oct 8 07:25:42 2003 Subject: Automation of decryption In-Reply-To: References: Message-ID: <20031008052752.GC2445@benfinney.id.au> On 06-Oct-2003, Jenkins, Brian P. wrote: > Please help me understand how I can run GPG to decrypt a file without > human intervention. Currently I can use the --yes to handle all > questions but cannot feed in the passphrase. Two points: - Don't use a passphrase unless you want a human to type it in. - Don't remove the passphrase without understanding that this reduces the security of the file to the security of the system where the file is stored. -- \ "My doctor told me to stop having intimate dinners for four. | `\ Unless there are three other people." -- Orson Welles | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031008/38e873ea/attachment.bin From ben at benfinney.id.au Wed Oct 8 16:36:44 2003 From: ben at benfinney.id.au (Ben Finney) Date: Wed Oct 8 07:34:25 2003 Subject: Automation of decryption In-Reply-To: <20031008052752.GC2445@benfinney.id.au> References: <20031008052752.GC2445@benfinney.id.au> Message-ID: <20031008053644.GD2445@benfinney.id.au> On 08-Oct-2003, Ben Finney wrote: > - Don't remove the passphrase without understanding that this > reduces the security of the file to the security of the system > where the file is stored. Hmm, let's try that again: - Don't use a key with no passphrase without understanding that the security of the key is reduced to the security of the system where the key file is stored. -- \ "There is no reason anyone would want a computer in their | `\ home." -- Ken Olson, president, chairman and founder of | _o__) Digital Equipment Corp., 1977 | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031008/ef74c0d2/attachment.bin From davidemelan at tin.it Wed Oct 8 10:22:37 2003 From: davidemelan at tin.it (davidemelan@tin.it) Date: Wed Oct 8 11:20:51 2003 Subject: decrypt failed - secret key unavailable Message-ID: <3F7B4FF4000055AC@ims3d.cp.tin.it> Sorry, this probably a FAQ but I didn't find an answer and I need help. Soon. I rightly imported two public keys, both ELG-E 2048 bits, one from PGP 7 and one from PGP 8. I'm able to crypt messages to those recipients and they can decode and read my mails, but when they answer me, trying to decrypt messages I get the error message as in the subject. Could someone help me? Thanx in advance. davide. From frank.calfo at csgpro.com Wed Oct 8 10:48:25 2003 From: frank.calfo at csgpro.com (Frank Calfo) Date: Wed Oct 8 18:46:14 2003 Subject: decrypt failed - secret key unavailable In-Reply-To: <3F7B4FF4000055AC@ims3d.cp.tin.it> Message-ID: <5.2.1.1.0.20031008094427.00a82d38@mail.csgpro.com> Sounds to me like they did not encrypt their messages to you using your public key; they may have mistakenly encrypted it using their own public key - usually this message is accompanied with the id of the key that the message was encrypted with, if you see this you could make sure that the key identified is your public key Otherwise, it may be that the technique you are using to decrypt the message is not supplying the correct passphrase for your keystore (assuming your keystore is passphrase protected) - so you could also check to make sure that you are supplying the correct keystore passphrase when you're decrypting the message At 09:22 AM 10/8/2003 +0000, davidemelan@tin.it wrote: >Sorry, this probably a FAQ but I didn't find an answer and I need help. >Soon. > >I rightly imported two public keys, both ELG-E 2048 bits, one from PGP 7 >and one from PGP 8. > >I'm able to crypt messages to those recipients and they can decode and read >my mails, but when they answer me, trying to decrypt messages I get the >error message as in the subject. > >Could someone help me? > >Thanx in advance. >davide. > > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From dshaw at jabberwocky.com Wed Oct 8 15:11:24 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Oct 8 20:09:03 2003 Subject: opie or s/key with gpg? (fwd) In-Reply-To: References: Message-ID: <20031008181123.GA23830@jabberwocky.com> On Tue, Oct 07, 2003 at 09:38:38PM -0700, Atom 'Smasher' wrote: > let's say we have the count at 123, the password="p", the seed="s", so the > opie-secret-keyring is symmetrically encrypted, with a password based on > the final hash value of opie(p,s,124). > > so, after a successful OTP is given to [an opie version of] gpg, let's > decrypt the secret key (from the opie-secret-keyring) so it's available to > gpg to do it's thing, and then re-encrypt the opie-secret-keyring, this > time with a password based on opie(p,s,123) (the current OTP). the next > valid OTP is #122. > > in other words, the opie-secret-keyring is symmetrically encrypted, using > a password which is based on the final hash value of opie as it's > password. every time the opie-secret-keyring is accessed, the file is > decrypted (otherwise the key can't be accessed), then re-encrypted with > it's new password based on the final hash value of opie. > > now the opie-secret-keyring is encrypted with a password based on > opie(p,s,123), and entering the right opie-password (based on a count of > 122) will decrypt it, make the key available, and then re-encrypt it with > a password based on the final hash of opie(p,s,122). the opie counter is > now at 121. To steal a a secret key, the attacker needs both the encrypted key file, and the passphrase. Using OTP doesn't make it any harder or easier for the attacker to get the encrypted key file, so let's look at the passphrase: It's a given that "regular" GnuPG passphrases can be sniffed off of the wire (or via a keyboard bug, or countless other variations), and so can a one-time passphrase. The point of one-time passphrases is that they are only able to be used once and cannot be re-used a second time. There is no point in sniffing such a one-time passphrase, since it won't be usable later. However, in the system you suggest above, a OTP *can* be re-used. The problem here is the downwards count. Any OTP x is capable of being transformed into any OTP x+n. A stolen encrypted key file encrypted with OTP x can be decrypted by any OTP n where n < x by hashing the OTP x-n times. The only case where the proposed system is more secure than the current system is if the attacker sniffs a passprase, and then later goes back for the encrypted key file. If the attacker steals the encrypted key file at the same time he sniffs the passphrase, or steals the encrypted key file before sniffing the passphrase then the proposed system is effectively the same as the current design. You seem to have realized this as well: > if an attacker gets a copy of the opie-secret-keyring, and sniffs any OTP > that's newer than the file, that sniffed OTP can be used to generate > previously used OTPs (which can unlock the file). this requires that the > opie secret password and string are the same, both the time that the file > is stolen, and the time that the password is sniffed. however, if an > attacker has access to both the opie-secret-keyring AND your password, > then you're hosed anyway. this method DOES NOT protect you in the event > that your opie-secret-keyring can be read by an attacker; it ONLY protects > your password from being replayed. of course, i'm not sure how useful the > password would ever be, without a copy of the encrypted secret keyring, so > maybe the whole thing makes no sense.... maybe all of this rambling is > pointless anyway? Not pointless. It's possible to construct examples where OTP could be useful (say, a signing service or decryption server that does not give general access to the encrypted secret keyring), but it is not generally useful as a passphrase-protection mechanism. David From atom-gpg at suspicious.org Wed Oct 8 17:56:27 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Thu Oct 9 01:58:07 2003 Subject: opie or s/key with gpg? (fwd) In-Reply-To: <20031008181123.GA23830@jabberwocky.com> References: <20031008181123.GA23830@jabberwocky.com> Message-ID: > Not pointless. It's possible to construct examples where OTP could be > useful (say, a signing service or decryption server that does not give > general access to the encrypted secret keyring), but it is not > generally useful as a passphrase-protection mechanism. ====================================== in the current form of opie and s/key, i agree... in order for an OTP mechanism to be helpful in protecting a file, the "standard" opie system would have to be modified, so even if an attacker had OTP x, it could not be used to determine OTP x+n (or OTP x-n !!!). not at all intuitive... the knee-jerk reaction is probably to say that it can't be done... of course, anyone who's not familiar with s/key or opie would likely describe those as impossible, too..... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Now about Lankhmar. She's been invaded, her walls breached everywhere and desperate fighting is going on in the streets, by a fierce host which out-numbers Lankhmar's inhabitants by fifty to one -- and equipped with all modern weapons. Yet you can save the city." "How?" demanded Fafhrd. Ningauble shrugged. "You're a hero. You should know." -- Fritz Leiber, "The Swords of Lankhmar" From dshaw at jabberwocky.com Wed Oct 8 21:13:21 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Oct 9 02:11:03 2003 Subject: opie or s/key with gpg? (fwd) In-Reply-To: References: <20031008181123.GA23830@jabberwocky.com> Message-ID: <20031009001321.GA27791@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Oct 08, 2003 at 04:56:27PM -0700, Atom 'Smasher' wrote: > > Not pointless. It's possible to construct examples where OTP could be > > useful (say, a signing service or decryption server that does not give > > general access to the encrypted secret keyring), but it is not > > generally useful as a passphrase-protection mechanism. > ====================================== > > in the current form of opie and s/key, i agree... in order for an OTP > mechanism to be helpful in protecting a file, the "standard" opie system > would have to be modified, so even if an attacker had OTP x, it could not > be used to determine OTP x+n (or OTP x-n !!!). > > not at all intuitive... the knee-jerk reaction is probably to say that it > can't be done... of course, anyone who's not familiar with s/key or > opie would likely describe those as impossible, too..... If you come up with a scheme that prevents an attacker from deriving OTP x+n from OTP x using the hash-x-times methodology in OPIE, I, and doubtless many others across the Internet, would be quite interested to see how. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.3-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+EqCEqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJJSoAoNpBCGioqZezVKIcvz3fv3sPmAt1AKCw MhNbwXV77E8+z3nVw4LIeKNVNw== =0qRR -----END PGP SIGNATURE----- From atom-gpg at suspicious.org Wed Oct 8 18:35:32 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Thu Oct 9 02:36:57 2003 Subject: opie or s/key with gpg? (fwd) In-Reply-To: <20031009001321.GA27791@jabberwocky.com> References: <20031008181123.GA23830@jabberwocky.com> <20031009001321.GA27791@jabberwocky.com> Message-ID: > If you come up with a scheme that prevents an attacker from deriving > OTP x+n from OTP x using the hash-x-times methodology in OPIE, I, and > doubtless many others across the Internet, would be quite interested > to see how. ======================= hehe... inquiring minds would want to know.... bear in mind that opie & s/key are (together) just one particular protocol for generating one-time-passwords. there are other methods, but most are impractical, for a variety of reasons. i think that ~if~ it is possible to do something like this, it would probably have to be a different protocol. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The proposition that intelligence has any long-term survival value remains to be demonstrated." -- Arthur C. Clarke From atom-gpg at suspicious.org Wed Oct 8 21:11:01 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Thu Oct 9 05:12:28 2003 Subject: opie or s/key with gpg? (fwd) In-Reply-To: References: <20031008181123.GA23830@jabberwocky.com> <20031009001321.GA27791@jabberwocky.com> Message-ID: forgive me for thinking out loud, but this might do the trick.... like opie and s/key, we have a secret password, a seed, and a count, which are used to generate a one time password. unlike opie and s/key, the secret password must be known to both the calculator and the machine receiving the OTP (the remote machine keeps it's copy encrypted). using password="p", seed="s" and count="c", we use f(p,s,c). instead of just performing "c" number of iterations on "p,s" (like opie & s/key), let's also throw "c" into the mixer, so we're performing "c" number of iterations on "p,s,c". (this is probably much more work than necessary, but is that really a problem?) we can use the final result of that function (or a function of it) as a password in a symmetric algorithm to decrypt a file, and if the secret password is contained in that [encrypted] file, then the file can be re-encrypted using that password and the next sequence number (and the seed) to determine the next symmetric password in the sequence. such an algorithm would render it infeasible to use a sniffed OTP to determine any previously used OTP. a sniffed password can still be used to decrypt a stolen keyring, but there is a narrow window in which the keyring must be stolen and the password sniffed.... if Mallory steals Bob's keyring just after Bob accesses it with count=123, then a sniffed password will only be useful to Mallory if it's sniffed while count=122. not perfect, but better than reusable passwords. i guess that any encrypted file can be had by an attacker if it's stolen immediately before the password is sniffed.... i really doubt if there's a way around that. i'm sure there are other ways to accomplish this type of an OTP system, but i think they'd all be vulnerable to that type attack. of course, to create an OTP keyring like this, the OTP secret password must be supplied to both the calculator and the machine creating the file (so the secret password can be stored in the encrypted file). one of the neat things about opie is that the password never has to leave the calculator... oh-well.. if anyone thinks of a way to do it, so the secret password is only known to the calculator, i'd be curious... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "You have just dined, and however scrupulously the slaughterhouse is concealed in the graceful distance of miles, there is complicity." -- Ralph Waldo Emerson, 1870 From Kimberly.Kordet at nationalcity.com Tue Oct 7 16:43:59 2003 From: Kimberly.Kordet at nationalcity.com (Kordet, Kimberly) Date: Thu Oct 9 11:18:41 2003 Subject: Batch Program Needs to Bypass the Passphrase Message-ID: <20031007194415.9D67D22F@smtpprx2.nationalcity.com> Hi, I am writing a batch program (.bat) to encrypt and decrypt files. However, I'm having trouble figuring out how to NOT have it prompt me for a passphrase. I've looked up things on --passphrase-fd 0 and environment variables, but I can't seem to find the actual steps to follow to get it working properly. Please let me know if you can help! Thanks, Kim From jaboles at fastmail.fm Fri Oct 3 10:12:15 2003 From: jaboles at fastmail.fm (Jonathan Boles) Date: Thu Oct 9 11:18:44 2003 Subject: newbie question about identities In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, Oct 3, 2003, at 08:43 Atlantic/Azores, Atom 'Smasher' wrote: > i guess i'm trying to clarify whether the problem is in the > implementation, the documentation, or just my understanding of it... it > seems like the handbook is advocating something that's not quite right, > and i'm trying to figure out which way(s) are right. i'm also trying to > verify that the documentation is either incorrect or misleading. > The only thing incorrect is how you're trying to use it but not use it. "Hey... I want to do things in a really backasswards way, but the documentation won't tell me how to do it. The documentation must be incorrect or misleading!" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.2 (Darwin) iD8DBQE/fT125AbruKZPx2ARAoRbAJsHzdRkQgOR9CzxHxHupv995S/ZfACePr/d jmsHmWo6ycTIgA3MjVmF39U= =MIcd -----END PGP SIGNATURE----- From Alexandre.Duret-Lutz at src.lip6.fr Thu Oct 9 10:18:33 2003 From: Alexandre.Duret-Lutz at src.lip6.fr (Alexandre Duret-Lutz) Date: Thu Oct 9 11:18:48 2003 Subject: computing detached signature for a batch of files In-Reply-To: <20030910133835.GN4380@pm1.ric-08.lft.widomaker.com> References: <2003-09-09-22-26-15+29474+duret_g@lrde.epita.fr> <20030910133835.GN4380@pm1.ric-08.lft.widomaker.com> Message-ID: >>> "Jason" == Jason Harris writes: Jason> On Tue, Sep 09, 2003 at 10:26:15PM +0200, Alexandre Duret-Lutz wrote: >> I'm using gpg to build detached signatures for packages. >> When doing so, I generally have several files to sign. >> For instance I may have to sign foo-1.1.tar.gz and foo-1.1.tar.bz2. >> >> It's a burden to type my pass-phrase for each file I want to sign. >> Is there any way I could do this and still type my pass-phrase only once? Jason> %check-sigs-and-sign foo-1.1.tar.* Jason> See "code" on my website. Thanks, that would indeed do the trick. But wouldn't it make sense to support such batch processing of several files in gnupg itself? Is there any technical or philosophical reason preventing this? -- Alexandre Duret-Lutz From orv at skatingholmes.com Thu Oct 9 10:18:34 2003 From: orv at skatingholmes.com (Jon Barlow) Date: Thu Oct 9 11:18:51 2003 Subject: Outlook 2003 problem Message-ID: Hi, I am a new user to GnuPG plugin for Outlook and I have a small problem. Whenever I send a PGP encrypted email, it arrives completely empty and the sent item is also empty. Does anyone have any suggestions? I followed the setup instructions here: http://helppages.obsidian.com.au/PGPKeys My current software is: Windows XP SP1 Outlook 2003 GnuPG Plugin v0.91 WinPT v0.7.96rc1 GnuPG v1.2.1 Thanks. Jon. From Christian.Kanja at glueckkanja.com Thu Oct 9 10:18:34 2003 From: Christian.Kanja at glueckkanja.com (Christian Kanja) Date: Thu Oct 9 11:18:55 2003 Subject: Can't decrypt PGP 8 msg Message-ID: <1ED7BFBAE5FE164B9AF47D5BE458ED3D124867@GUK1D002.glueckkanja.org> hi david, "particularly well"... ;-). well, you're somehow right, we made a minor mistake which was a major problem for gnupg - we did not label the hash-algorithm and we used IDEA a little bit often. both is fixed in the new version of cryptoex. we do label the correct hash and we do not use IDEA if not especialy preferred. and its worth a look - i think with the new Outlook integration we made a major step forward in usability for crypto applications. hope that these changes will help us working together with the gnupg-community - we would really appreciate feedback if there are issues in compatibility and we will try to fix these issues fast. best regards, christian kanja ps: i am not sure if this mail will reach the mailing list because i am not a member of this list. if not, i would appreciate if you forward my answer. thanks! =================================================================== christian kanja glueck & kanja technology ag christian-pless-strasse 11-13, d-63069 offenbach, germany phone +49 69 800706 0, fax +49 69 800706 66 web http://www.glueckkanja.com =================================================================== use strong cryptography to protect your e-mails! =================================================================== -----Original Message----- From: gnupg-users-admin@gnupg.org [mailto:gnupg-users-admin@gnupg.org] On Behalf Of David Shaw Sent: Saturday, September 13, 2003 2:41 PM To: Gnupg-Users Subject: Re: Can't decrypt PGP 8 msg On Fri, Sep 12, 2003 at 01:10:23PM -0400, Eugene Smiley wrote: > Eugene Smiley wrote: > > Ah, well I correspond with some users who use S/MIME and some who > > use PGP/GPG. I'm just too lazy to remember to switch back and forth > > between the two when I can do both. ;) > > Then someone goes and posts the message below to > pgp-users@cryptorights.org about the CryptoEx plug-ins that manage the > signing process under MS Outlook or Lotus Notes. Un/forunately I am > done with Outlook and Notes. ;) CryptoEx, historically, has not followed the OpenPGP spec particularly well. I wonder if they've fixed that yet. No matter what hash algorithm was really used in clearsigning, CryptoEx labels it as "MD5" which breaks verification. It also encrypts to sign-only keys... David From iutin at whirix.com Thu Oct 9 10:18:34 2003 From: iutin at whirix.com (Vyacheslav Iutin) Date: Thu Oct 9 11:19:05 2003 Subject: Clearsign of HTML-pages Message-ID: <3F715431.7080109@whirix.com> Hello! Does anybody know how I can make the clearsign of HTML-page, so that browser can display it, but people do not see the gpg-singature. In other words: How to place gpg-signature in the HTML-comments? Is it possible? Thanks for advance! -- Vyacheslav Iutin Whirix Ltd. http://www.whirix.com From kirk at ejecta.net Thu Oct 9 10:18:34 2003 From: kirk at ejecta.net (Eje Cta) Date: Thu Oct 9 11:19:07 2003 Subject: Exporting to server ldap plugin missing? Message-ID: <1064018837.15344.5.camel@kirk.jecta.net> I just installed GPA and when I tried to export my public key to the keyserver, I got a message saying "There is no plugin available for the keyserve protocol you specified" It further described it as ldap://keyserve.pgp.com (as well as the other ones I tried in the list) Open ldap IS installed on my system and the ldap service is running. Can anyone give me a hit as to what's up? I'm at the end of my rope here.. :-( TIA Mike Marcum houston, tx -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031009/60bc0735/attachment.bin From boldyrev+nospam at cgitftp.uiggm.nsc.ru Thu Oct 9 10:18:34 2003 From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev) Date: Thu Oct 9 11:19:09 2003 Subject: (1) BAD signature and (2) auto SHA1 References: <20030802042103.H21368@lifebook> <20030804155050.GA31169@longshot.toehold.com> <20030910175732.D26616@lifebook> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 8498 day of my life dig.list@telkel.net wrote: > But I still have difficulties with some of them. Is there some list or > something, where I could ask if my signature is correct (to be sure > that it will work for others)? There is also Russain/Ukranian list pgp-n-gpg@yahoogroups.com. We can check your signature too. - -- Ivan Boldyrev There are 256 symbols in English alphabet. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/Y064pb3RmFYJhnMRAhegAKCknf4AQr3C5VgiqfL6jfHYGF70bACfamGO RMhFNFMVQ6m9n0zvYX2KuQc= =U7OO -----END PGP SIGNATURE----- From willy at debian.org Sun Oct 5 22:00:07 2003 From: willy at debian.org (Matthew Wilcox) Date: Thu Oct 9 11:19:14 2003 Subject: [keyanalyze-discuss] new (2003-10-05) keyanalyze results In-Reply-To: <20031005171503.GI924@pm1.ric-17.lft.widomaker.com> References: <20031005171503.GI924@pm1.ric-17.lft.widomaker.com> Message-ID: <20031005200007.GQ24824@parcelfarce.linux.theplanet.co.uk> On Sun, Oct 05, 2003 at 01:15:03PM -0400, Jason Harris wrote: > New keyanalyze results are available at: > > http://keyserver.kjsl.com/~jharris/ka/2003-10-05/ I've updated the footsie graph with these results: http://www.parisc-linux.org/~willy/footsie.png Another small decrease this fortnight, but nothing dramatic. -- "It's not Hollywood. War is real, war is primarily not about defeat or victory, it is about death. I've seen thousands and thousands of dead bodies. Do you think I want to have an academic debate on this subject?" -- Robert Fisk From anonymous at remailer.metacolo.com Thu Oct 9 10:18:34 2003 From: anonymous at remailer.metacolo.com (Anonymous Sender) Date: Thu Oct 9 11:19:17 2003 Subject: GnuPG instead of CryptoAPI Message-ID: <2298d989c3590b835d9365ee3ad010f4@remailer.metacolo.com> > Is it possible to use GnuPG instead of CryptoAPI *and* encrypting the > files on the fly? If so, this is a opensource alternative for PGPdisk. > I've searched on both Google, CryptoAPI mailinglist and this mailinglist, > but couldn't find an answer to my question. One could write a GnuPG wrapper around cattach/cdetach/cmkkey/cpasswd (the utilities that come with the CFS daemon) and use those for a CFS encrypted disk partitiion instead of PGPdisk... From iang at systemics.com Thu Oct 9 10:18:34 2003 From: iang at systemics.com (Ian Grigg) Date: Thu Oct 9 11:19:18 2003 Subject: [PGP-USERS] CA Cert (cacert.org) - a new, non-profit CA References: <00da01c38131$d58eec00$1ae3193e@linear> Message-ID: <3F6F62C6.75F116FA@systemics.com> Ben Pollinger wrote: > The root CA is not included in browsers, but they're working on it. > One route is via a request for enhancement at Mozilla - see > http://bugzilla.mozilla.org/show_bug.cgi?id=215243 (257 votes as of > today) I voted for that. What you have to do is follow the above link, and then half way down the page is a link "Vote for this bug" above the big Additional Comments box. http://bugzilla.mozilla.org/votes.cgi?action=show_user&bug_id=215243 Then, you have to create an account, which takes a few minutes because they mail out the password. And then you can go back to the above page and vote, by clicking on the checkbox to the right, clicking on "Change Votes." Not all really intiutive, but once you get the hang of it, it works well ! What would be even better is if there was a bug to change the handling of self-signed certificates to promote their use! Once browsers start to promote self-signed certs, we might actually see some more crypto being used. iang From martin at stigge.org Thu Oct 9 10:18:34 2003 From: martin at stigge.org (Martin Stigge) Date: Thu Oct 9 11:19:20 2003 Subject: Older self signature not stripped Message-ID: <1063397365.8792.9.camel@monk> Hi, it happened that I have multiple self signatures on some of my uids: http://blackhole.pca.dfn.de:11371/pks/lookup?op=vindex&search=0xD5CE4FE9 I read that gnupg automatically strips older self signatures when importing keys, but with gpg --recv-keys D5CE4FE9 gpg --list-sigs D5CE4FE9 this doesn't seem to apply to my key (gpg 1.2.3). Why? -- Martin Stigge martin@stigge.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031009/1dc50a49/attachment.bin From lee_andrews at cox.net Thu Oct 9 06:59:57 2003 From: lee_andrews at cox.net (Lee Andrews) Date: Thu Oct 9 11:58:01 2003 Subject: Gnupg, Windows 9X and stderr/stdout Message-ID: <013f01c38e4c$1ad60c40$0200a8c0@landrewshome> I have written a batch file that will encrypt and ftp a file. I also have one that will ftp down the file and decrypt. Only on the Windows 9x platforms do I have a problem getting detailed logs on the gpg. Sending output to stderr works fine on NT/2000/XP, but not on 95. Basically I am looking for any way to capture a log on gpg so that we have a history of the encryption process.... Any suggestion is appreciated. Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031009/ffdcea1e/attachment.htm From JPClizbe at comcast.net Thu Oct 9 06:15:43 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Oct 9 12:13:51 2003 Subject: Problems Installing GnuPG In-Reply-To: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> Message-ID: <3F85354F.1010506@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kordet, Kimberly wrote: > Hello, > > I have downloaded the gnupg-w32cli-1.2.3.zip file, and extracted the files. > I have created a c:\gnupg folder, and tried running "gpg" at the command > line, but I am getting an error that "gpg is not recognized as a command". > > Did I miss a step? I thought I followed the README file correctly, but > maybe not. > Did you add "C:\GnuPG" to your PATH? Also there are a few Registry Settings that need set -- save the lines between the ++++ to some file with the extension .reg, edit to reflect your configuration, and double-click in Explorer to install. ++++ Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\GNU] [HKEY_CURRENT_USER\Software\GNU\GNUPG] "HomeDir"="C:\\Program Files\\GnuPG" "gpgProgram"="C:\\PROGRA~1\\GnuPG\\gpg.exe" "OptFile"="C:\\Program Files\\GnuPG\\gpg.conf" ++++ - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hTVMHQSsSmCNKhARAojGAKDXws1l1g6hpYxMQ67xDKptVQarXQCgqOF2 vcbA52EOQFZ3dsZaAQmUaGg= =mD+j -----END PGP SIGNATURE----- From ben at benfinney.id.au Fri Oct 10 00:03:58 2003 From: ben at benfinney.id.au (Ben Finney) Date: Thu Oct 9 15:01:42 2003 Subject: Clearsign of HTML-pages In-Reply-To: <3F715431.7080109@whirix.com> References: <3F715431.7080109@whirix.com> Message-ID: <20031009130358.GB1073@benfinney.id.au> On 24-Sep-2003, Vyacheslav Iutin wrote: > How to place gpg-signature in the HTML-comments? If the signature is inside the document that it signs, then it changes the contents of the document. What is the signature supposed to be checked against? For example, to make a signature of this document: ===== Foo Bar ===== that results in the hypothetical signature: ===== ----- BEGIN BOGUS SIGNATURE ----- DEADBEEFDEADBEEF ----- END BOGUS SIGNATURE ----- ===== That signature will only be valid against the *exact contents* of the above document. Placing the signature *within* the document, as HTML comments: ===== Foo Bar ===== results in a completely different document. That signature no longer validates against the document, because its contents have changed. That's why signatures are always explicitly separated from the document; either by having the document delimited with the familiar ----- BEGIN PGP SIGNED DOCUMENT ----- etc., or by having them as separate files (or MIME parts, or whatever makes sense). HTML documents are atomic; the whole thing is a single entity. A separate signature can be made, as a separate file, but not embedded into the document itself. -- \ "The best is the enemy of the good." -- Voltaire | `\ | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031009/f75abb54/attachment.bin From ben at benfinney.id.au Fri Oct 10 00:12:24 2003 From: ben at benfinney.id.au (Ben Finney) Date: Thu Oct 9 15:10:07 2003 Subject: win32 random source In-Reply-To: <01A3BBA5B52FD311A4F200902745920B0334394E@EXCHBSG1.dmmenet.mme.state.va.us> References: <01A3BBA5B52FD311A4F200902745920B0334394E@EXCHBSG1.dmmenet.mme.state.va.us> Message-ID: <20031009131224.GC1073@benfinney.id.au> On 25-Sep-2003, Mullins, Steven B. wrote: > Can anyone tell me what the win32 compiled binary uses as a entropy > source? It generates entropy from various system events, as needed. For details, the source is always available: The 'random.c' file contains the random-number functions used by GnuPG. -- \ "Why was I with her? She reminds me of you. In fact, she | `\ reminds me more of you than you do!" -- Groucho Marx | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031009/c339dd17/attachment.bin From ben at benfinney.id.au Fri Oct 10 00:15:46 2003 From: ben at benfinney.id.au (Ben Finney) Date: Thu Oct 9 15:13:29 2003 Subject: Batch Program Needs to Bypass the Passphrase In-Reply-To: <20031007194415.9D67D22F@smtpprx2.nationalcity.com> References: <20031007194415.9D67D22F@smtpprx2.nationalcity.com> Message-ID: <20031009131546.GD1073@benfinney.id.au> On 07-Oct-2003, Kordet, Kimberly wrote: > I'm having trouble figuring out how to NOT have it prompt me for a > passphrase. Easy: don't set a passphrase, and be aware of the massive reduction in security that entails. The passphrase is there to *ensure* that the human being who owns the key is actually present at the keyboard. If you want a key that has none of the security of a passphrase, make a key without a passphrase. -- \ "I just got out of the hospital; I was in a speed-reading | `\ accident. I hit a bookmark and flew across the room." -- | _o__) Steven Wright | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031009/418c4c0b/attachment.bin From apavelec at benefit-services.com Thu Oct 9 10:27:05 2003 From: apavelec at benefit-services.com (Adam Pavelec) Date: Thu Oct 9 15:24:50 2003 Subject: Problems Installing GnuPG References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net> Message-ID: <009901c38e69$0b634030$2027a8c0@PAVELECA> On Thursday, October 09, 2003 6:15 AM [GMT-5=EST], John Clizbe wrote: > Did you add "C:\GnuPG" to your PATH? Also there are a few Registry > Settings that need set -- save the lines between the ++++ to some file > with the extension .reg, edit to reflect your configuration, and > double-click in Explorer to install. Forgive me if I am wrong, but aren't the registry entries /only/ necessary when GnuPG is located somewhere *other* than C:\GnuPG ? -Adam From SGates at olbh.com Thu Oct 9 10:31:55 2003 From: SGates at olbh.com (Gates, Scott) Date: Thu Oct 9 15:34:02 2003 Subject: Batch Program Needs to Bypass the Passphrase Message-ID: <26B7DBDA79E1D711B57600A0C9C5515029BEBF@ashland01msx> I got by the problem by not signing the encrypted file. I know that's probably a faux pas for some, but, worked for me. ..\GPG --homedir .. --options ..\gpg.conf -er apsmedbill %1.txt -----Original Message----- From: Kordet, Kimberly [mailto:Kimberly.Kordet@nationalcity.com] Sent: Tuesday, October 07, 2003 3:44 PM To: 'gnupg-users@gnupg.org' Subject: Batch Program Needs to Bypass the Passphrase Hi, I am writing a batch program (.bat) to encrypt and decrypt files. However, I'm having trouble figuring out how to NOT have it prompt me for a passphrase. I've looked up things on --passphrase-fd 0 and environment variables, but I can't seem to find the actual steps to follow to get it working properly. Please let me know if you can help! Thanks, Kim _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From svwright+lists at amtp.liv.ac.uk Thu Oct 9 15:57:36 2003 From: svwright+lists at amtp.liv.ac.uk (Stewart V. Wright) Date: Thu Oct 9 15:55:14 2003 Subject: Clearsign of HTML-pages In-Reply-To: <3F715431.7080109@whirix.com> References: <3F715431.7080109@whirix.com> Message-ID: <20031009135736.GD21575@amtp.liv.ac.uk> G'day Vyacheslav, * Vyacheslav Iutin [031009 10:44]: > Hello! > > Does anybody know how I can make the clearsign of HTML-page, so that > browser can display it, but people do not see the gpg-singature. > > In other words: How to place gpg-signature in the HTML-comments? > Is it possible? > > Thanks for advance! I agree with most of what Ben said (in a different reply), but there are two scripts that I've used to varying degrees of success... Have a look at http://members.aol.com/EJNBell/pgp-www.html http://www.sanface.com/pgphtml.html To be honest the SANFACE one is the easiest to use and the most difficult to get to work if you have any desire to do anything other than 'gpg --clearsign -a'. For example I have my keys on removable media (so I need to use --homedir and -u also) and this seems to cause all sorts of difficulties. :-/ HTH, S. -- European Citizens: Please do a little work to convince the European Parliament to reject software patents. This page explains the issue and provides suggestions for action; take the time to participate. http://swpat.ffii.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20031009/0bf54a00/attachment-0001.bin From ben at benfinney.id.au Fri Oct 10 01:44:14 2003 From: ben at benfinney.id.au (Ben Finney) Date: Thu Oct 9 16:41:58 2003 Subject: Batch Program Needs to Bypass the Passphrase In-Reply-To: <26B7DBDA79E1D711B57600A0C9C5515029BEBF@ashland01msx> References: <26B7DBDA79E1D711B57600A0C9C5515029BEBF@ashland01msx> Message-ID: <20031009144414.GJ1073@benfinney.id.au> On 09-Oct-2003, Gates, Scott wrote: > I got by the problem by not signing the encrypted file. That is only because encryption doesn't require access to your secret key (it uses the recipient's public key). To decrypt a message, or sign one, you'll need access to your secret key, which will require entry of whatever passphrase is set on the key. -- \ "When I get real bored, I like to drive downtown and get a | `\ great parking spot, then sit in my car and count how many | _o__) people ask me if I'm leaving." -- Steven Wright | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031010/ded4f0fd/attachment.bin From ben at benfinney.id.au Fri Oct 10 01:54:17 2003 From: ben at benfinney.id.au (Ben Finney) Date: Thu Oct 9 16:51:59 2003 Subject: Failed GPG sig In-Reply-To: <20031009135317.GC21575@amtp.liv.ac.uk> References: <3F715431.7080109@whirix.com> <20031009130358.GB1073@benfinney.id.au> <20031009135317.GC21575@amtp.liv.ac.uk> Message-ID: <20031009145417.GL1073@benfinney.id.au> [taking this public on the gnupg-users list] On 09-Oct-2003, Stewart V. Wright wrote: > Did you realise that your sig on the following message to the > gnupg-users mailing list fails? Hmm, I've noticed similar things on this mailing list, and others, from other people's signatures (and informed them). Thanks. > Did the list software change your message somewhere along the line (or > it could be my bloody University...) ? It does seem to be peculiar to mailing lists, in my experience. -- \ "People's Front To Reunite Gondwanaland: Stop the Laurasian | `\ Separatist Movement!" -- wiredog, http://kuro5hin.org/ | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031010/c7859b9f/attachment.bin From dshaw at jabberwocky.com Thu Oct 9 12:36:06 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Oct 9 17:33:44 2003 Subject: win32 random source In-Reply-To: <01A3BBA5B52FD311A4F200902745920B0334394E@EXCHBSG1.dmmenet.mme.state.va.us> References: <01A3BBA5B52FD311A4F200902745920B0334394E@EXCHBSG1.dmmenet.mme.state.va.us> Message-ID: <20031009153606.GC3179@jabberwocky.com> On Thu, Sep 25, 2003 at 02:00:55PM -0400, Mullins, Steven B. wrote: > Can anyone tell me what the win32 compiled binary uses as a entropy source? The win32 code uses a random gatherer based on Peter Gutmann's Cryptlib. The source for it is in cipher/rndw32.c in the GnuPG distribution. The specific items used to stir into the random pool are things like the disk I/O metrics, network statistics, some system performance metrics, process statistics, etc. GnuPG has a notion of entropy quality, and it ranks the entropy sources accordingly. David From atom-gpg at suspicious.org Thu Oct 9 10:38:01 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Thu Oct 9 18:39:30 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: > > i guess i'm trying to clarify whether the problem is in the > > implementation, the documentation, or just my understanding of it... it > > seems like the handbook is advocating something that's not quite right, > > and i'm trying to figure out which way(s) are right. i'm also trying to > > verify that the documentation is either incorrect or misleading. > > The only thing incorrect is how you're trying to use it but not use it. > > "Hey... I want to do things in a really backasswards way, but the > documentation won't tell me how to do it. The documentation must be > incorrect or misleading!" ======================================== the documentation says: Additional user IDs are useful when you need multiple identities. For example, you may have an identity for your job and an identity for your work as a political activist. http://www.gnupg.org/gph/en/manual.html#AEN282 that *IMPLIES* that multiple identities that [socially] conflict with each other can share the same key. as i've confirmed, that is not a good idea. since i have some IDs which are socially incompatible with other IDs, i have generated a key-pair for each identity, although the handbook doesn't mention that solution. problem solved. at this point, i'd assert that the documentation is flawed. there should be EXPLICIT mention of the fact that multiple IDs using the same key-pair will leave those multiple IDs visible to each other... if one has multiple IDs that should not leave a trail to each other (politician and anarchist, member of a church and a gay rights group, etc), then each ID must have it's own key pair. THE HANDBOOK DOES *NOT* MAKE THIS CLEAR!! ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "What luck for rulers, that men do not think." -- Adolf Hitler From frank.calfo at csgpro.com Thu Oct 9 14:45:48 2003 From: frank.calfo at csgpro.com (Frank Calfo) Date: Thu Oct 9 22:43:31 2003 Subject: Batch Program Needs to Bypass the Passphrase In-Reply-To: <20031007194415.9D67D22F@smtpprx2.nationalcity.com> Message-ID: <5.2.1.1.0.20031009134116.00a81be8@mail.csgpro.com> Sorry if this has already been answered but I thought I'd pass along my two cents since I just finished a long struggle with this (thanks to help from this group!) : I have created a few batch files to automate encryption and decryption, even with a keystore that is password protected (GPG version 1.2.1). To encrypt a file via key-based encryption and sign it with your own secret key the following command within a batch file has been working well on Windows: @rem Script wrapper for GNU PGP utility function: Encrypt a file using key-based encryption @rem Arguments: 1 - password to keystore @rem 2 - path to keystore @rem 3 - id of public key to use to encrypt the file - should be key of client receiving the file @rem 4 - fully qualified name of file to encrypt @rem Note: since client is prepared for key-based encryption and since we have the keystore password @rem this script will also sign the encrypted file to provide extra security @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --always-trust --sign --recipient %3 --encrypt %4 To encrypt a file via password-based encryption WITHOUT signing it the following command within a batch file has been working well on Windows: At this point I hit some trouble if I tried to sign the encrypted file since that requires two passwords as input: the password to use for encryption and the password to use to access the keystore so the encrypted file can be signed. I decided to avoid the problem by not signing the encrypted file - that left me with just one input (the encryption password) which this script can handle. I figured that not signing the encrypted file is ok in this scenario since we're using password-based encryption. If client receiving the file wants to verify my signature, they need to have my public key - and if they have my public key then they're familiar with key-based encryption so why not use key-based encryption instead of password based encryption? Thus, I'm treating password-based encryption as a less stringent, easier form of encryption where lack of signed file is not all that bad. If the receiver wants extra security of a signed file, then they just need to step up to key-based encryption (again, they'll need to start dealing with keys to verify the signature anyway so this should not be a big deal). @rem Script wrapper for GNU PGP utility function: Encrypt a file using password-based encryption @rem Arguments: 1 - password to encrypt the file with @rem 2 - path to keystore @rem 3 - fully qualified name of unencrypted file to encrypt @rem Note: since client is assumed to be not prepared for key-based encryption if they are using @rem this option and since we do not have a good way to provide the keystore password for @rem this option, this script will not sign the encrypted file @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --symmetric %3 To decrypt a file encrypted via passphrase-based encryption, the following command within a batch file has been working well on Windows: @rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with password-based encryption @rem Arguments: 1 - password that file was encrypted with @rem 2 - path to keystore @rem 3 - fully qualified name of decrypted file to create @rem 4 - fully qualified name of encrypted file to decrypt @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4 To decrypt a file encrypted via key-based encryption, the following command within a batch file has been working well on Windows. Note that this is same as previous example. Only difference is that previous one passed in encryption password under argument #1 while this one passes keystore password under argument #1: @rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with key-based encryption @rem Arguments: 1 - password to keystore @rem 2 - path to keystore @rem 3 - fully qualified name of decrypted file to create @rem 4 - fully qualified name of encrypted file to decrypt @rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad @rem passphrase error echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4 hth, Frank At 03:43 PM 10/7/2003 -0400, Kordet, Kimberly wrote: >Hi, > >I am writing a batch program (.bat) to encrypt and decrypt files. However, >I'm having trouble figuring out how to NOT have it prompt me for a >passphrase. I've looked up things on --passphrase-fd 0 and environment >variables, but I can't seem to find the actual steps to follow to get it >working properly. > >Please let me know if you can help! > >Thanks, >Kim > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users From rj-lists at rjmarq.org Thu Oct 9 20:44:06 2003 From: rj-lists at rjmarq.org (RJ Marquette) Date: Fri Oct 10 01:43:09 2003 Subject: Clearsign of HTML-pages Message-ID: On Thu, 9 Oct 2003, Ben Finney wrote: > HTML documents are atomic; the whole thing is a single entity. A > separate signature can be made, as a separate file, but not embedded > into the document itself. Not true. I wrote a script years ago that does just that. It's available at http://rjmarq.org/pgp/pgpsign.zip, but note that it's written for Windows, relies on pgp 2.6, and doesn't really work that well. I don't believe the source is included in that package because...well, it was ugly. ;) The algorithm is very simple: 1. Start with the HTML file you want to sign. 2. Add "-->" at the start of the file. 3. Add "" at the end of the file. And then the page can be checked by viewing and verifying the source. The solution in Linux and other Unix-style OS's is trivial using a shell script. I did it in about five minutes one time. For Windows, I'd actually written a Pascal program to do it (because I didn't have a C compiler), but it's not difficult to do. You can set it up as an action on the right-click menu to have it happen automatically. What I ran into was this: when I stopped doing it on the PGP Interactions page, no one said a word. So, if no one is bothering to verify them, why should I worry about it? RJ :) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= RJ Marquette RSA:448B035F DSS:CB45C555 http://rjmarq.org From JPClizbe at comcast.net Thu Oct 9 22:42:43 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Oct 10 04:40:59 2003 Subject: Problems Installing GnuPG In-Reply-To: <009901c38e69$0b634030$2027a8c0@PAVELECA> References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net> <009901c38e69$0b634030$2027a8c0@PAVELECA> Message-ID: <3F861CA3.7080501@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Pavelec wrote: > On Thursday, October 09, 2003 6:15 AM [GMT-5=EST], John Clizbe > wrote: > >> Did you add "C:\GnuPG" to your PATH? Also there are a few Registry >> Settings that need set -- save the lines between the ++++ to some file >> with the extension .reg, edit to reflect your configuration, and >> double-click in Explorer to install. > > Forgive me if I am wrong, but aren't the registry entries /only/ > necessary when GnuPG is located somewhere *other* than C:\GnuPG ? > > -Adam No, you are "correct". The registry entries are /only necessary/ when GnuPG is located somewhere *other* than C:\GnuPG. There are a few system management and security practices that would recommend a different directories: keeping programs and user data segregated; grouping program files -- applications versus OS files; keeping user data under the user's profile directory; using the builtin OS access restrictions to keep data secure... C:\GnuPG\ as installation and GPG home directory works fine if you are certain you are the only person that will ever use your machine -- otherwise anyone sitting at the keyboard has access to your keyrings and any other GnuPG data that may also be there - key revocation cert perhaps? You pick your threat model and security measures - you should also appropriately pick your GnuPG installation directories. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hhyfHQSsSmCNKhARAh2DAJ4/STjWagtZ8i2pKrwQLxSvIx7khgCgoYrE dJMTq7RnsNsgKbexnDB7Ylc= =HE9c -----END PGP SIGNATURE----- From apavelec at benefit-services.com Fri Oct 10 00:19:36 2003 From: apavelec at benefit-services.com (Adam Pavelec) Date: Fri Oct 10 05:16:54 2003 Subject: Problems Installing GnuPG References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net><009901c38e69$0b634030$2027a8c0@PAVELECA> <3F861CA3.7080501@comcast.net> Message-ID: <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> On Thursday, October 09, 2003 10:42 PM [GMT-5=EST], John Clizbe wrote: > No, you are "correct". The registry entries are /only necessary/ when > GnuPG is located somewhere *other* than C:\GnuPG. [SNIP] > You pick your threat model and security measures - you should also > appropriately pick your GnuPG installation directories. Ture... Indeed... Then again, there are some helper apps that use GPG which expect to see these Registry entries, even if the GPG directory is located in the root of C:\ -- WinPT Tray/WinPT OE come to mind... Personally, I've always used C:\GnuPG and, to make things ultra-simple, placed a copy of gpg.exe in %windir% To each his own, right?!? -Adam From JPClizbe at comcast.net Thu Oct 9 23:52:54 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Oct 10 05:51:03 2003 Subject: newbie question about identities In-Reply-To: References: Message-ID: <3F862D16.70009@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: > at this point, i'd assert that the documentation is flawed. there should > be EXPLICIT mention of the fact that multiple IDs using the same key-pair > will leave those multiple IDs visible to each other... if one has multiple > IDs that should not leave a trail to each other (politician and anarchist, > member of a church and a gay rights group, etc), then each ID must have > it's own key pair. OK, so the documentation should be EXPLICIT about what most here would seem to consider obvious. Hey, feel free to offer up an update to the documentation. That's another FREEdom of Free Software. BTW, What if one is an anarchist politician? Being gay and a member of a church is only a problem for select values of CHURCH. Might be a problem if one is closeted, but closets are so-o-o-o-o confining, don't you think. 8-}) Peace. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hi0THQSsSmCNKhARAp3hAJ4zIxeYujXAtXSJgdI53HzHQoWOowCgyUgk T8VugPyijffrJGin1DS5ba4= =QNgj -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Oct 10 00:51:21 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Oct 10 06:49:34 2003 Subject: Problems Installing GnuPG In-Reply-To: <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net><009901c38e69$0b634030$2027a8c0@PAVELECA> <3F861CA3.7080501@comcast.net> <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> Message-ID: <3F863AC9.1040003@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Pavelec wrote: > Ture... Indeed... Then again, there are some helper apps that use GPG > which expect to see these Registry entries, even if the GPG directory is > located in the root of C:\ -- WinPT Tray/WinPT OE come to mind... And GPGshell expects to find gpg.exe somewhere in the PATH > > Personally, I've always used C:\GnuPG and, to make things ultra-simple, > placed a copy of gpg.exe in %windir% Yeah, that avoids adding to the PATH, but is subject to breakage if versions are different -- e.g. some app depending on a feature present in version X, but version Y is somewhere earlier in the PATH. One of my dislikes of WinPT was that it installed it's own copy of GNuPG, even when one was already already present on the system. > > To each his own, right?!? > Absolutely!! But why advocate potentially insecure procedures for the sake of easy? But easy will probably continue to trump secure even after all the business ink devoted to HIPPA and continuing popular press coverage of thefts of personal information and identity theft. Personal note: Please (Reply-To: Me) XOR (Reply-To: List). One copy is adequate. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hjrGHQSsSmCNKhARAhjTAKCnZg16QYvwFSwTwcWAkLIaW7IPpgCgqLL/ YkCIcR18DAYsByNiSsP+6lg= =2C9i -----END PGP SIGNATURE----- From atom-gpg at suspicious.org Thu Oct 9 22:58:14 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Fri Oct 10 06:59:45 2003 Subject: newbie question about identities In-Reply-To: <3F862D16.70009@comcast.net> References: <3F862D16.70009@comcast.net> Message-ID: > > at this point, i'd assert that the documentation is flawed. there should > > be EXPLICIT mention of the fact that multiple IDs using the same key-pair > > will leave those multiple IDs visible to each other... if one has multiple > > IDs that should not leave a trail to each other (politician and anarchist, > > member of a church and a gay rights group, etc), then each ID must have > > it's own key pair. > > OK, so the documentation should be EXPLICIT about what most here would > seem to consider obvious. =============================== it might be obvious to anyone who's familiar with the system, but i think it's sending the wrong message to anyone who's new to pgp/gpg. > Hey, feel free to offer up an update to the documentation. That's another > FREEdom of Free Software. > > BTW, What if one is an anarchist politician? > > Being gay and a member of a church is only a problem for select values of > CHURCH. Might be a problem if one is closeted, but closets are so-o-o-o-o > confining, don't you think. 8-}) =============================== who ever said anything is wrong with being an anarchist politician? of course, one's constituency might not be comfortable with that... and a gay member of a church... i don't see a problem with that, but many people do. so a paragraph or two should be re-written.... i can make a submission for that... any suggestions for a politically correct cast of characters to portray such a situation? ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "MEATLESS" - US government standards allow the use of the word "Meatless" to allow up to 2% animal product and/or meat content. From JPClizbe at comcast.net Fri Oct 10 02:08:17 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Oct 10 08:06:47 2003 Subject: newbie question about identities In-Reply-To: References: <3F862D16.70009@comcast.net> Message-ID: <3F864CD1.2000005@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: > > so a paragraph or two should be re-written.... i can make a submission for > that... any suggestions for a politically correct cast of characters to > portray such a situation? Thank you for offering to fix the offending passage(s). As a Southern(U.S.)-raised borderline-Bubba "Affectionally-Different Melanin-Impoverished Oppressor-Of-WoFem" 8-}), I'm not the best to offer advice on "Politically Correct". But if you need a cast of characters, the common Dramatis Personae are (From _Applied Cryptography_): Alice First Participant in all the protocols Bob Second Participant in all the protocols Carol Participant in the three- and four-party protocols Dave Participant in the four-party protocols Eve Eavesdropper Mallory Malicious active attacker Trent Trusted arbitrator Walter Warden; He guards Alice and Bob in some protocols Peggy Prover Victor Verifier Actually, I think the contradictory roles already discussed would work fine. Alice could be and . You could have Bob be (Work), and to show how including the work address on both keys would link the other two addresses in a keyserver search. I'm sure other scenarios can easily be created. (Now to dodge the PFLAG and GLAAD mob) (Avoid Inbox-Litter -- Trim those To: lists so you don't hit folks with double-replies.) - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hkzJHQSsSmCNKhARAm0+AJ9wNJJxO/v9IKkoAJGPVssAmTuysACffO0e v8TAeQNtDliPdHx4+6gmlUI= =cE+a -----END PGP SIGNATURE----- From atom-gpg at suspicious.org Fri Oct 10 03:00:14 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Fri Oct 10 11:01:46 2003 Subject: newbie question about identities In-Reply-To: <3F864CD1.2000005@comcast.net> References: <3F862D16.70009@comcast.net> <3F864CD1.2000005@comcast.net> Message-ID: > Thank you for offering to fix the offending passage(s). =========================================== ok, so the part that i'm taking issue with is: Additional user IDs are useful when you need multiple identities. For example, you may have an identity for your job and an identity for your work as a political activist. Coworkers will know you by your work user ID. Coactivists will know you by your activist user ID. Since those groups of people may not overlap, though, each group may not trust the other user ID. Both user IDs are therefore necessary. http://www.gnupg.org/gph/en/manual.html#AEN282 i'd prefer to see something like: Additional user IDs are convenient when you use multiple names or email addresses which do not [socially] conflict with each other. For example, you may have a day job working with computers (employee@big-corp), and you also take night classes at a university (student@university). If it's OK that people who know you from one environment can also know that you're affiliated with the other environment, then both IDs can share the same key. On the other hand, if you work for Big-Corp, and you're also the webmaster at Big-Corp-Sucks, then it's probably a better idea that these IDs do *NOT* share the same key. GnuPG allows you to create additional key pairs, which is important if you don't want one ID to point directly to another ID. Additional key pairs can be created the same way as your first key pair, with --gen-key . When encrypting or signing, use the --local-user option to specify an ID other than the default. any comments? are there any documentation maintainers on this list? ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "It is estimated that we spend $322,000 for each enemy we kill, while we spend in the so-called war on poverty in America only about $53 for each person classified as 'poor'. And much of that $53 goes for salaries of people who are not poor. We have escalated the war in Viet Nam and de-escalated the skirmish against poverty. It challenges the imagination to contemplate what lives we could transform if we were to cease killing." -- Martin Luther King, Jr. The Casualties of the War in Vietnam, 25 February 1967 From svwright+lists at amtp.liv.ac.uk Fri Oct 10 11:31:00 2003 From: svwright+lists at amtp.liv.ac.uk (Stewart V. Wright) Date: Fri Oct 10 11:28:39 2003 Subject: [OT-Seriously!]: Anarchist Politician In-Reply-To: References: <3F862D16.70009@comcast.net> Message-ID: <20031010093100.GK24916@amtp.liv.ac.uk> Yeah, I know this is seriously OT, but I couldn't let it go... G'day Atom, * Atom 'Smasher' [031010 06:10]: > who ever said anything is wrong with being an anarchist politician? of From Webster's Revised Unabridged Dictionary (1913) Anarchist: One who advocates anarchy of aims at the overthrow of civil government. Anarchy: Absence of government; the state of society where there is no law or supreme power; a state of lawlessness; political confusion. Politician: One devoted to politics. Politics: The science of government; that part of ethics which has to do with the regulation and government of a nation or state, the preservation of its safety, peace, and prosperity, the defence of its existence and rights against foreign control or conquest, the augmentation of its strength and resources, and the protection of its citizens in their rights, with the preservation and improvement of their morals. Aren't they mutually exclusive? Anarchist && Politician (! Government ) && ( Government ) It's a bit of a logical conundrum. Or are you using some other definitions of anarchist and politician? S. -- European Citizens: Please do a little work to convince the European Parliament to reject software patents. This page explains the issue and provides suggestions for action; take the time to participate. http://swpat.ffii.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20031010/a82d7c2e/attachment.bin From eugene at esmiley.net Fri Oct 10 09:50:48 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Fri Oct 10 14:48:23 2003 Subject: newbie question about identities In-Reply-To: <3F864CD1.2000005@comcast.net> References: <3F862D16.70009@comcast.net> <3F864CD1.2000005@comcast.net> Message-ID: <3F86AB28.2060407@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Clizbe wrote: > As a Southern(U.S.)-raised borderline-Bubba > "Affectionally-Different Melanin-Impoverished Oppressor-Of-WoFem" > 8-}), I'm not the best to offer advice on "Politically Correct". Who-HA! That's a downright hilarious self-description. Is this what you are planning to use for your obituary? :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hqsi6QPtAqft/S8RAsaJAJ0VIV/9TE0oXH624UqTd0FFaxWU/wCfeSKR IBo1J0vnFrYXXm7zcEY12fk= =YguG -----END PGP SIGNATURE----- From eugene at esmiley.net Fri Oct 10 09:58:12 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Fri Oct 10 14:55:48 2003 Subject: [OT-Seriously!]: Anarchist Politician In-Reply-To: <20031010093100.GK24916@amtp.liv.ac.uk> References: <3F862D16.70009@comcast.net> <20031010093100.GK24916@amtp.liv.ac.uk> Message-ID: <3F86ACE4.1000702@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stewart V. Wright wrote: > Anarchist: One who advocates anarchy of aims at the overthrow of > civil government. > Anarchy: Absence of government; the state of society where there is > no law or supreme power; a state of lawlessness; political > confusion. > Politician: One devoted to politics. > Politics: The science of government; that part of ethics which has > to do with the regulation and government of a nation or > state... Hmm... Therefor a politician is one devote to that part of ethics that... Um, wait. Did I just use politician and ethics in the same sentence? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hqzZ6QPtAqft/S8RApl6AJ9bxnNZTvr/Ikr2qzg3hnIu+SYw7gCgx27w Gr7C4UwoePkXhN+ijnTKJo8= =DZ2u -----END PGP SIGNATURE----- From rmalayter at bai.org Fri Oct 10 09:30:34 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Fri Oct 10 15:28:41 2003 Subject: Clearsign of HTML-pages Message-ID: <792DE28E91F6EA42B4663AE761C41C2A01115330@cliff.bai.org> From: RJ Marquette [mailto:rj-lists@rjmarq.org] > What I ran into was this: when I stopped doing > it on the PGP Interactions page, no one said a > word. So, if no one is bothering to verify them, > why should I worry about it? We were considering using it only for "important message" pages on our site, like significant news releases. It seems reasonable that people would only verify pages that seem "out of the ordinary" for a particular site, no? -Ryan- From jam at jamux.com Fri Oct 10 10:50:19 2003 From: jam at jamux.com (John A. Martin) Date: Fri Oct 10 15:48:03 2003 Subject: newbie question about identities In-Reply-To: <3F864CD1.2000005@comcast.net> (John Clizbe's message of "Fri, 10 Oct 2003 01:08:17 -0500") References: <3F862D16.70009@comcast.net> <3F864CD1.2000005@comcast.net> Message-ID: <87d6d5xkv8.fsf@athene.jamux.com> IIRC someone somewhere offered a "profile" of the Dramatis Personae based upon an analysis of the available descriptions of their known behavior. Maybe there has been more than one such work, but I seem to recall that one had me ROTFL. Does someone have a pointer to such a work? jam -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 154 bytes Desc: not available Url : /pipermail/attachments/20031010/59a5afc5/attachment-0001.bin From SGates at olbh.com Fri Oct 10 12:07:17 2003 From: SGates at olbh.com (Gates, Scott) Date: Fri Oct 10 17:10:17 2003 Subject: [OT-Seriously!]: Anarchist Politician Message-ID: <26B7DBDA79E1D711B57600A0C9C5515029BEC7@ashland01msx> I don't know. I consider myself a 'nonarchist'. We're less radical than the anarchists. Basically, I live by the rule "If the government leaves ME alone, I'll leave THEM alone." So far it's worked pretty well. I haven't had to declare war on them yet. -----Original Message----- From: Stewart V. Wright [mailto:svwright+lists@amtp.liv.ac.uk] Sent: Friday, October 10, 2003 5:31 AM To: gnupg-users@gnupg.org Subject: [OT-Seriously!]: Anarchist Politician _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From mwood at IUPUI.Edu Fri Oct 10 11:24:17 2003 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri Oct 10 17:22:02 2003 Subject: Problems Installing GnuPG In-Reply-To: <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net><009901c38e69$0b634030$2027a8c0@PAVELECA> <3F861CA3.7080501@comcast.net> <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 9 Oct 2003, Adam Pavelec wrote: > On Thursday, October 09, 2003 10:42 PM [GMT-5=EST], John Clizbe > wrote: [snip] > Ture... Indeed... Then again, there are some helper apps that use GPG > which expect to see these Registry entries, even if the GPG directory is > located in the root of C:\ -- WinPT Tray/WinPT OE come to mind... An important point. > Personally, I've always used C:\GnuPG and, to make things ultra-simple, > placed a copy of gpg.exe in %windir% > > To each his own, right?!? Yes, but there's also such a thing as observing established convention. In the Win32 world, applications ought to default to installation into %programfiles%\vendor\application (where %programfiles% is the localized name of the Program Files directory, and should be obtained from the shell using the function provided for that purpose) and should note its presence by creating the key HKLM\Software\vendor\application in the Registry. There's another key (I can look it up if you wish) which makes a file "known" to Win32, so that you can just mention "gpg.exe" and Win32 will know where to find it whether it is on the PATH or not. You can even use a value of that key to specify additions to PATH which apply only to that program, which occasionally comes in handy. Much neater than plunking non-OS applications into %windir%. All of this (and much more) is somewhere in the Logo Requirements document, and I wish more developers (including a lot of billion-dollar companies, *sigh*) would read it. I've long since made a note to see what I can contribute to the packaging and integration of GnuPG for MS Windows, but since I never use it there I haven't done much yet. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu MS Windows *is* user-friendly, but only for certain values of "user". -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQE/hs8ls/NR4JuTKG8RAkqRAJsG+uLA6PYLhjIculGDyJVcJssSYwCeN0R5 uTOQBK/7YuxpARak7F7V9qw= =+lWb -----END PGP SIGNATURE----- From rmalayter at bai.org Fri Oct 10 12:17:50 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Fri Oct 10 18:15:57 2003 Subject: Clearsign of HTML-pages Message-ID: <792DE28E91F6EA42B4663AE761C41C2A01115336@cliff.bai.org> From: RJ Marquette [mailto:rj@rjmarq.org] > Makes sense I guess. But if someone's going > to hack your site, why would they just add > an ususual news item? Lots of reasons. Not all hackers just want to be noticed, the might have other nefarious motives. I recall one stock scam that involved a hacker placing a "important message from the CEO" talking about massive accounting problems at the company on a company's website. Of course, the hacker took a massive financial position, shorting the stock right before he posted the fake document. Sure enough, the stock dipped, and the guy made a mint. They caught the guy and convicted him, as I recall. -Ryan- From joel.j.konkle-parker at nasa.gov Fri Oct 10 13:25:18 2003 From: joel.j.konkle-parker at nasa.gov (Joel Konkle-Parker) Date: Fri Oct 10 18:22:56 2003 Subject: Best practices for multiple e-mail addresses Message-ID: <3F86DD6E.7050104@nasa.gov> I have three distinct e-mail addresses: work, home, and another business. What's the best practice for keeping a key for each address? One key with multiple addresses in it (i.e. a key for me as a person)? A separate key for each address (i.e. a key for each of work/home/business as a unit)? How do others do it? -- Joel Konkle-Parker Flow Physics & Control Branch NASA Langley Research Center Building [1247D] Room [105D] Phone [+1 757-864-5533] Fax [+1 757-864-3112] E-mail [joel.j.konkle-parker@nasa.gov] Mail Stop 170 1d E. Reid St. NASA Langley Research Center Hampton, VA 23681-2199 From greg at turnstep.com Fri Oct 10 18:31:20 2003 From: greg at turnstep.com (greg@turnstep.com) Date: Fri Oct 10 19:29:28 2003 Subject: computing detached signature for a batch of files In-Reply-To: <2003-09-09-22-26-15+29474+duret_g@lrde.epita.fr> Message-ID: <4d51afb078311d29f465043b3a8a6967@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I'm using gpg to build detached signatures for packages. > When doing so, I generally have several files to sign. > ... > It's a burden to type my pass-phrase for each file I want to sign. > Is there any way I could do this and still type my pass-phrase only once? You could always simply create a textfile containing sha1 checksums of every file and sign that instead of each package. That's what I do for PostgreSQL. Not only is it easier for me to create, but there is only one file that people have to download. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200310101331 -----BEGIN PGP SIGNATURE----- Comment: http://www.turnstep.com/pgp.html iD8DBQE/huz+vJuQZxSWSsgRAgZ0AKCePXM2mMV/h6iPFkYArUScUPGejACeJN/j 2hzoQEwL/LCXQrDp/vyADJw= =BmAl -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Oct 10 14:00:25 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Oct 10 19:58:46 2003 Subject: Problems Installing GnuPG In-Reply-To: References: <20030930180421.97CBD502F@smtpprx1.nationalcity.com> <3F85354F.1010506@comcast.net><009901c38e69$0b634030$2027a8c0@PAVELECA> <3F861CA3.7080501@comcast.net> <002b01c38edd$5672b320$6445a8c0@EDGECRUSHER> Message-ID: <3F86F3B9.5040103@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark H. Wood wrote: > Yes, but there's also such a thing as observing established convention. > In the Win32 world, applications ought to default to installation into > %programfiles%\vendor\application (where %programfiles% is the localized > name of the Program Files directory, and should be obtained from the shell > using the function provided for that purpose) and should note its presence > by creating the key HKLM\Software\vendor\application in the Registry. > > There's another key (I can look it up if you wish) which makes a file > "known" to Win32, so that you can just mention "gpg.exe" and Win32 will > know where to find it whether it is on the PATH or not. You can even use > a value of that key to specify additions to PATH which apply only to that > program, which occasionally comes in handy. Much neater than plunking > non-OS applications into %windir%. > HKLM\Software\Microsoft\Software\CurrentVersion\App Paths\. (default) is set to the full path and name of the executable. Path is set to the path to said executable (for once the Windows API is clear, if not blatantly obvious) This technique also saves one from the multiple versions on the %PATH% sand-trap as you can only have one key named gpg.exe. Adding the directory to PATH is somewhat easier with a User-install of GnuPG as you have five executables to worry about and the (possible) dependency of helper apps such as GPGshell looking for the exe on the PATH. I noticed the last couple Nullify releases have an installer exe that lets you specify your choice of program and home dirs and then sets those values in HKCU\Software\Gnu\GnuPG. Program and Keyring locations both default to C:\GnuPG, instead of %ProgramFiles%\GnuPG and %UserProfile%\Application Data\GnuPG, but it sure is a step in the right direction, IMHO. [1] http://www.nullify.org/gnupg-w32-1.2.3-nr1.exe [2] http://www.nullify.org/gnupg-w32-1.2.2-nr2.exe (Still downloadable, just not linked on the download page) - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hvO3HQSsSmCNKhARAukkAKCjw+88OBm/JTORomn10YGjA33iBgCcCf+a eDmV7HE6JW8OIlWg7KtZzOA= =HLvG -----END PGP SIGNATURE----- From atom-gpg at suspicious.org Fri Oct 10 12:33:34 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Fri Oct 10 20:35:06 2003 Subject: Best practices for multiple e-mail addresses In-Reply-To: <3F86DD6E.7050104@nasa.gov> References: <3F86DD6E.7050104@nasa.gov> Message-ID: > I have three distinct e-mail addresses: work, home, and another > business. What's the best practice for keeping a key for each address? > One key with multiple addresses in it (i.e. a key for me as a person)? A > separate key for each address (i.e. a key for each of work/home/business > as a unit)? > > How do others do it? ===================================== i'm kinda new to the list myself, but since i've been so vocal about this type of thing i'll take a shot at answering you... if you add multiple IDs to a key pair, then each ID "points" to each other ID. this shouldn't be a problem as long as you don't mind that anyone who knows you from work also know you from your other business. on the other hand, if your employer doesn't want you to have you conducting other business on the side (or the type of side-business is not acceptable to the primary employer), then those two IDs should each have their own key pair. of course there are other methods of discovering that two email addresses belong to the same person, but those are (mostly) beyond the scope of pgp/gpg. basically, adding IDs to a key is a convenience, while creating new keys for each ID helps to keep those IDs unrelated to each other. this is one of the practical aspects of pgp/gpg where the right choice depends more on social issues than technical issues. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- To become vegetarian is to step into the stream which leads to nirvana. -- Buddha From atom-gpg at suspicious.org Fri Oct 10 12:47:14 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Fri Oct 10 20:48:43 2003 Subject: [OT-Seriously!]: Anarchist Politician In-Reply-To: <20031010093100.GK24916@amtp.liv.ac.uk> References: <3F862D16.70009@comcast.net> <20031010093100.GK24916@amtp.liv.ac.uk> Message-ID: > Yeah, I know this is seriously OT, but I couldn't let it go... > > > G'day Atom, > > * Atom 'Smasher' [031010 06:10]: > > who ever said anything is wrong with being an anarchist politician? of > > > From Webster's Revised Unabridged Dictionary (1913) > > Anarchist: One who advocates anarchy of aims at the overthrow of civil > government. > Anarchy: Absence of government; the state of society where there is no > law or supreme power; a state of lawlessness; political > confusion. > Politician: One devoted to politics. > Politics: The science of government; that part of ethics which has to > do with the regulation and government of a nation or state, > the preservation of its safety, peace, and prosperity, the > defence of its existence and rights against foreign control > or conquest, the augmentation of its strength and resources, > and the protection of its citizens in their rights, with the > preservation and improvement of their morals. > > > Aren't they mutually exclusive? > > Anarchist && Politician > (! Government ) && ( Government ) > > It's a bit of a logical conundrum. > > > Or are you using some other definitions of anarchist and politician? ================================== well, i do prefer the Wiktionary definitions to Webster's http://wiktionary.org/wiki/anarchy http://wiktionary.org/wiki/anarchism but otherwise, yes, i agree that this is a bit of a logical conundrum, which is exactly why a politician who is also involved in anarchist issues would probably not what that to be well known. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "There ought to be limits to freedom." -- George "dubya" Bush, 21 May 1999 "I'm sure your kids, they're wondering, why would you hate America? We didn't do anything to anybody. Well, they hate America because we love freedom." -- George "dubya" Bush, 2 Sep 2002 From dlc at users.sourceforge.net Fri Oct 10 17:27:24 2003 From: dlc at users.sourceforge.net (darren chamberlain) Date: Fri Oct 10 22:25:45 2003 Subject: Clearsign of HTML-pages In-Reply-To: References: Message-ID: <3003ab03aac7978fabe4cf084cf647ce82e992ff@tumbleweed.boston.com> * RJ Marquette [2003-10-10 09:40]: > The algorithm is very simple: Here: #!/bin/sh doc=$1 tmp=/tmp/pgp-html-$$ (echo '-->'; cat $doc; echo '') > $doc rm $tmp Copy into a file and make it executable. (darren) -- Millions long for immortality who do not know what to do with themselves on a rainy Sunday afternoon. -- Susan Ertz -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 269 bytes Desc: not available Url : /pipermail/attachments/20031010/bc1341a1/attachment.bin From joel.j.konkle-parker at nasa.gov Fri Oct 10 17:44:17 2003 From: joel.j.konkle-parker at nasa.gov (Joel Konkle-Parker) Date: Fri Oct 10 22:41:55 2003 Subject: Windows multi-user installation? Message-ID: <3F871A21.3070907@nasa.gov> Is there a way to install GnuPG in a Windows multi-user environment? By default, GPG just stores the keyrings in its installation folder. I want to install it into C:\Program Files\GnuPG and have it store its keyrings and such in C:\Documents and Settings\\Application Data\GnuPG or something like it. Anyone tried this? -- Joel Konkle-Parker Flow Physics & Control Branch NASA Langley Research Center Building [1247D] Room [105D] Phone [+1 757-864-5533] Fax [+1 757-864-3112] E-mail [joel.j.konkle-parker@nasa.gov] Mail Stop 170 1d E. Reid St. NASA Langley Research Center Hampton, VA 23681-2199 From avbidder at fortytwo.ch Sat Oct 11 00:20:45 2003 From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Fri Oct 10 23:18:27 2003 Subject: Best practices for multiple e-mail addresses In-Reply-To: <3F86DD6E.7050104@nasa.gov> References: <3F86DD6E.7050104@nasa.gov> Message-ID: <200310102320.48053@fortytwo.ch> On Friday 10 October 2003 18:25, Joel Konkle-Parker wrote: > I have three distinct e-mail addresses: work, home, and another > business. What's the best practice for keeping a key for each address? > One key with multiple addresses in it (i.e. a key for me as a person)? A > separate key for each address (i.e. a key for each of work/home/business > as a unit)? It depends. I have several email addresses, too, but I use them mainly to receive mail - I almost always send with the one I'm using here (yes, this is for both work and private email atm). So I have decided against using multiple digital IDs entirely for now, I only use my one key with its one email address. If you have strictly separate work and private email addresses, I would recommend that you also have separate keys: it's different 'roles', you are a different person if you send mail from word vs. as a private person. I would use multiple userids if you have some email addresses where the distinction is not in the function/role: an 'old' and a 'new' address, for example. If you decide for having multiple keys, there is the next questions: do you cross-sign the keys, or do you make a certification key which sends the email keys (for instance with only the name on the cert key, without email addrs). Or do you want to keep the identities separate entirely, to make a point that those keys are really different, and that perhaps somebody might want to trust one without trusting the other (for whatever reasons). Just my ?.02 (or rather CHF 0.02) cheerio -- vbi -- Available for key signing in Z?rich and Basel, Switzerland (what's this? Look at http://fortytwo.ch/gpg/intro) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031010/f669b964/attachment-0001.bin From eugene at esmiley.net Fri Oct 10 18:31:36 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Fri Oct 10 23:29:08 2003 Subject: Best practices for multiple e-mail addresses (was also: newbie question about identities) In-Reply-To: <3F86DD6E.7050104@nasa.gov> References: <3F86DD6E.7050104@nasa.gov> Message-ID: <3F872538.40304@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Joel Konkle-Parker wrote: > I have three distinct e-mail addresses: work, home, and another > business. What's the best practice for keeping a key for each > address? One key with multiple addresses in it (i.e. a key for me > as a person)? A separate key for each address (i.e. a key for each > of work/home/business as a unit)? > > How do others do it? Below is an edited/expanded version of the answer that atom gives. I recommend that it be addded as 3.1.2 The use of Role keys and Managing User IDs for the Handbook. ==================================== There are two distinct ways of looking a Role keys. the first way to look at role keys is that they are keys used by an entity a) for the public to communicate securely with personnel filling particular roles (network administrator, keymaster, list administrator, key revoker, etc.), and b) for these personnel to certify important digital documents. These keys are generally signed by a root key to designate that the entity considers the key valid. The alternative view of roles is at the individual user level. A user may designate roles of related functions/User IDs. Bob might designate a Work Role with UIDs of bob@example.com and webmaster@example.com and a Personal role of bob@earthlink.net. These two roles would be created as two seperate keys. Bob might even consider having a class of email addresses without keys such as bob@hotmail.com and bob@yahoo.com. Or Bob could have one key with any or all of the five User IDs. Adding User IDs on a key is convenient when you use multiple names or email addresses which do not socially conflict with each other. For example, Alice (alice@example.com) works with Bob, and is an alumni of a university (alice@prestigeous.univ.edu) and is a member of a trade association (alice@ieeee.com). She wants the trust and "prestige" of each of these organizations to be shared by the others. To do the same thing with seperate keys would require everyone to sign 3 keys instead of 3 User IDs. However, co-worker Charlie (charlie@example.com) might be the webmaster at Example-sucks.com and might lose his job if someone found out. It would be a good idea if Charlie kept these two identities seperate and distinct. Charlie SHOULD have seperate keys/roles for these two (Work and Activist). Additional key pairs can be created the same way as your first key pair, with --gen-key. When encrypting or signing, use the --local-user option to specify an ID other than the default. ==================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/hyUy6QPtAqft/S8RAqAUAJ9YJfIjMLpkBUhPvEo/1upcVW/H8wCfazyk C3Ny4jadypofTB9eHOuY7FE= =mNJJ -----END PGP SIGNATURE----- From mwood at IUPUI.Edu Fri Oct 10 17:55:05 2003 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Fri Oct 10 23:52:46 2003 Subject: Windows multi-user installation? In-Reply-To: <3F871A21.3070907@nasa.gov> References: <3F871A21.3070907@nasa.gov> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I set it up that way to try it out with Thunderbird, but I recall having to move stuff into place and tweak the Registry by hand. It seems to work once everything is set. The one part that may be painful is getting the HomeDir value in HKCU\Software\Gnu\GnuPG set properly for each user. There may be a way to cobble together a simple Windows Installer package that will set this up on each user's first run, using the tools that come with WinInstall LE on the Win2k Server kit or your favorite .MSI package builder. Or you could arrange for users to run gpg.cmd, gpg.vbs, or whatever to stuff the Registry and then run the actual gpg.exe, which would likely be a lot simpler, albeit messier. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu MS Windows *is* user-friendly, but only for certain values of "user". -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQE/hyq9s/NR4JuTKG8RAjodAKCUqvNc3Pn11eIbtzMaYDI9X6/RWwCfW5nC EDZclkAy+/dPWo8fPejK5wI= =lnAm -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Oct 10 20:16:43 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Oct 11 01:27:21 2003 Subject: [Announce] GnuPG 1.3.3 released (development) Message-ID: <20031010231643.GA27126@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello! The latest release from the development branch of GnuPG is ready for public consumption. This is a branch to create what will eventually become GnuPG 1.4. It will change with greater frequency than the 1.2.x "stable" branch, which will mainly be updated for bug fix reasons. The more GnuPG-familiar user is encouraged try this release (and the ones that will follow in the 1.3.x branch), and report back any problems to gnupg-devel@gnupg.org. In return, you get the latest code with the latest features. Feedback on the "show-validity" display changes is particularly appreciated. Is this additional information (seen in --list-keys or - --list-sigs when "--list-options show-validity" is set) helpful or confusing? Note that while this code is stable enough for many uses, it is still the development branch. Mission-critical applications should always use the 1.2.x stable branch. The files are available from: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.3.tar.gz (1667k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.3.tar.gz.sig ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.3.2-1.3.3.diff.gz MD5 checksums for the files are: 328ed3ecd62e90b5f2903b211e7f920d gnupg-1.3.3.tar.gz a2558c5f06df52d2e501012c136e3c68 gnupg-1.3.3.tar.gz.sig 514ffb450766b13eb596978ac0d728e9 gnupg-1.3.2-1.3.3.diff.gz Noteworthy changes in version 1.3.3 (2003-10-10) - ------------------------------------------------ * Basic support for the OpenPGP card. New commands --card-status, --card-edit, --change-pin and the configuration options --reader-port, --ctapi-driver, --pcsc-driver, and --disable-ccid. * Full support for the SHA-256 hash has been added. * Support for the TIGER/192 hash has been dropped. This should not be interpreted as a statement as to the strength of TIGER/192 - rather, the upcoming revision to the OpenPGP standard removes support for several unused (or mostly unused) hashes. * Revoked or expired user IDs are now skipped when selecting keys for encryption. Specifying a key by the key ID overrides this check and allows the selection of any key. * Note that --no-mangle-dos-filenames is now the default. If you are upgrading from a 1.2.x version of GnuPG, and are running a very old version of Windows that has the 8.3 filename limit, you may need to change this. * Multiple "Comment:" lines in armored output are now allowed. * New --list-options option. This option takes a list of arguments that allows the user to customize exactly what key listings (including the --edit-key listing) look like, enabling or disabling things such as photo display, policy URL, preferred keyserver URL, or notation display, long or short keyIDs, calculated validity for each user ID, etc. See the manual for the complete list of list-options. * New --verify-options option. This option takes a list of arguments that allows the user to customize exactly what happens during signature verification, enabling or disabling things such as photo display, policy URL, preferred keyserver URL, or notation display, long or short keyIDs, calculated validity for each user ID, etc. See the manual for the complete list of verify-options. * New --sig-keyserver-url to embed a "where to get my key" subpacket into a signature. * The options --show-photos, --show-policy-url, --show-notation, and --show-keyring are all deprecated in favor of those arguments to --list-options and --verify-options. The new method is more flexible since a user can specify (for example) showing photos during sig verification, but not in key listings. * The complete fingerprint of the key that made a given key certification is now available in the --with-colons output. For technical reasons, this is only available when running with --no-sig-cache set. See doc/DETAILS for the specifics of this. * IPv6 support for HKP keyserver access. IPv6 for LDAP keyserver access is also supported, but is dependent on the LDAP library used. * To simplify running both the stable (1.2.x) and development (1.3.x) versions of GnuPG, the development version will try to load the options file gpg.conf-VERSION (e.g. gpg.conf-1.3.3 for this release) before falling back to the regular gpg.conf file. * Two new %-expandos for use in notation and policy URLs. "%g" expands to the fingerprint of the key making the signature (which might be a subkey), and "%p" expands to the fingerprint of the primary key that owns the key making the signature. * New "tru" record in --with-colons --list-keys listings. It shows the status of the trust database that was used to calculate the key validity in the listings. See doc/DETAILS for the specifics of this. * New REVKEYSIG status tag for --status-fd. It indicates a valid signature that was issued by a revoked key. See doc/DETAILS for the specifics of this. * A number of portability changes to make building GnuPG on less-common platforms easier. Happy Hacking, The GnuPG team (David, Stefan, Timo and Werner) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+HPdsqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJNgUAoJ5XDJ0EAhMSiak1q1N49TLwfONAAJ4k A48KADjnIhrjLSGFZKjnZxmL1A== =UGcD -----END PGP SIGNATURE----- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From k.raven at freenet.de Sat Oct 11 18:54:35 2003 From: k.raven at freenet.de (Kai Raven) Date: Sat Oct 11 17:52:17 2003 Subject: --gnupg option Message-ID: <20031011175435.3263ef2d.k.raven@freenet.de> Hi, i have read in the man page, that --gnupg "is essentially" --openpgp, "but with some additional workarounds for common compatibility problems in different versions of PGP." What are the additional workarounds in comparison with the --openpgp option? And what PGP versions are affected by --gnupg? -- Ciao Kai WWW: http://kai.iks-jena.de/ GnuPG-Key: 0x76C65282 ICQ:146714798 From dshaw at jabberwocky.com Sat Oct 11 13:28:34 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Oct 11 18:26:13 2003 Subject: --gnupg option In-Reply-To: <20031011175435.3263ef2d.k.raven@freenet.de> References: <20031011175435.3263ef2d.k.raven@freenet.de> Message-ID: <20031011162833.GB31855@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Oct 11, 2003 at 05:54:35PM +0200, Kai Raven wrote: > Hi, > > i have read in the man page, that --gnupg "is essentially" > --openpgp, "but with some additional workarounds for common > compatibility problems in different versions of PGP." > What are the additional workarounds in comparison with the --openpgp > option? And what PGP versions are affected by --gnupg? The most significant differences are: * Some win32 mail programs add whitespace to armor in odd places, --gnupg works around this. * --openpgp has no MDC packets. --gnupg does. * --openpgp has no photo IDs. --gnupg does. * --openpgp has no TIGER/192 hash. --gnupg might (if it is compiled in). * All versions of PGP have differences in how they hash text data for signatures. --gnupg has workarounds. Minor differences - - --openpgp: --no-force-v3-sigs --no-escape-from default cipher is 3DES - --gnupg: --force-v3-sigs --escape-from default cipher is CAST5 - --gnupg is the default as it is more useful in the real world. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+IL7EqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJnawAoJsPJ27V8itkKKC9QSbbsorlEqPkAJ44 zG9MzVnvf76wCqM+3DDRtte87w== =Mvtc -----END PGP SIGNATURE----- From k.raven at freenet.de Sat Oct 11 20:57:06 2003 From: k.raven at freenet.de (Kai Raven) Date: Sat Oct 11 19:54:49 2003 Subject: --gnupg option In-Reply-To: <20031011162833.GB31855@jabberwocky.com> References: <20031011175435.3263ef2d.k.raven@freenet.de> <20031011162833.GB31855@jabberwocky.com> Message-ID: <20031011195706.6b1cd3f0.k.raven@freenet.de> Hi David, On Sat, 11 Oct 2003 12:28:34 -0400 you wrote: thx, very informative. > - --gnupg: > --force-v3-sigs from the man: --force-v3-sigs --no-force-v3-sigs OpenPGP states that an implementation should generate v4 signatures but PGP versions 5 and higher only recognize v4 signatures on key material. Do you know, which pgp versions have difficulties with v4 data signatures or is this refered to *all* versions up to PGP 8? This option forces v3 signatures for signatures on data. Note that this option overrides --ask-sig-expire, as v3 signatures cannot have expiration dates. --no-force-v3-sigs disables this option. So with --gnupg i cannot have an expiration date as with --openpgp or ask-sig-expire? And what is with combinations like --openpgp --force-mdc or --gnupg --no-force-v3-sigs Overwrites --openpgp/--gnupg the other options? -- Ciao Kai WWW: http://kai.iks-jena.de/ GPG-Key: 0x60F3882F / 0x76C65282 ICQ:146714798 From dshaw at jabberwocky.com Sat Oct 11 19:09:04 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Oct 12 00:06:41 2003 Subject: --gnupg option In-Reply-To: <20031011195706.6b1cd3f0.k.raven@freenet.de> References: <20031011175435.3263ef2d.k.raven@freenet.de> <20031011162833.GB31855@jabberwocky.com> <20031011195706.6b1cd3f0.k.raven@freenet.de> Message-ID: <20031011220903.GA28399@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Oct 11, 2003 at 07:57:06PM +0200, Kai Raven wrote: > > Hi David, > > On Sat, 11 Oct 2003 12:28:34 -0400 you wrote: > > thx, very informative. > > > - --gnupg: > > --force-v3-sigs > > from the man: > --force-v3-sigs > --no-force-v3-sigs > OpenPGP states that an implementation should generate v4 signatures but > PGP versions 5 and higher only recognize v4 signatures on key material. > > Do you know, which pgp versions have difficulties with v4 data > signatures or is this refered to *all* versions up to PGP 8? All versions before 7 cannot handle v4 data signatures. Some versions of 7 can handle them, and some can't. 8 can handle them. I should update the manual about that. > This option forces v3 signatures for signatures on data. > Note that this option overrides --ask-sig-expire, as v3 signatures > cannot have expiration dates. --no-force-v3-sigs disables this option. > > So with --gnupg i cannot have an expiration date as with --openpgp or > ask-sig-expire? Correct. You can do "--gnupg --no-force-v3-sigs" though. > And what is with combinations like > --openpgp --force-mdc In GnuPG 1.2.3, --openpgp wins. There would be no MDC. > or > --gnupg --no-force-v3-sigs See above :) Remember that --gnupg is the default. You get --gnupg if you don't explicitly set --openpgp, --rfc2440, --rfc1991, --pgp2, --pgp6, - --pgp7, or --pgp8. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+If38qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJ1P4An1beZ7B2vFz2a/Tu/OnNHign8EhLAJ4z rzQeCoWFW7JBhiuuWWPTN7NWmQ== =JCIW -----END PGP SIGNATURE----- From zero007 at 163.com Sun Oct 12 14:02:37 2003 From: zero007 at 163.com (Liangtao) Date: Sun Oct 12 08:05:23 2003 Subject: --gnupg option In-Reply-To: <20031011220903.GA28399@jabberwocky.com> References: <20031011195706.6b1cd3f0.k.raven@freenet.de> <20031011220903.GA28399@jabberwocky.com> Message-ID: <20031012125939.A940.ZERO007@163.com> Hello,David > All versions before 7 cannot handle v4 data signatures. Some versions > of 7 can handle them, and some can't. 8 can handle them. I should > update the manual about that. You said "8 can handle them", But I use PGP8.02 cant not verify you signatures .It reports "*** Status: Signing Algorithm Not Supported" I use pgpdump shows that your signatures is "Ver 4 - new". Can not PGP8.02 verify your signatures? If can ,how can I do? By the way ,of course I can verify you signatures with GnuPG 1.2.3. -- Liangtao PGP/GPG KeyID: 0x46F77027 Fingerprint: DF8C BAFB EFDE 2128 3565 9B1F 6DE0 C375 46F7 7027 From dshaw at jabberwocky.com Sun Oct 12 09:42:39 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Oct 12 14:40:16 2003 Subject: --gnupg option In-Reply-To: <20031012125939.A940.ZERO007@163.com> References: <20031011195706.6b1cd3f0.k.raven@freenet.de> <20031011220903.GA28399@jabberwocky.com> <20031012125939.A940.ZERO007@163.com> Message-ID: <20031012124238.GE28399@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, Oct 12, 2003 at 01:02:37PM +0800, Liangtao wrote: > Hello,David > > All versions before 7 cannot handle v4 data signatures. Some versions > > of 7 can handle them, and some can't. 8 can handle them. I should > > update the manual about that. > You said "8 can handle them", But I use PGP8.02 cant not verify you > signatures .It reports "*** Status: Signing Algorithm Not Supported" > I use pgpdump shows that your signatures is "Ver 4 - new". > Can not PGP8.02 verify your signatures? If can ,how can I do? > By the way ,of course I can verify you signatures with GnuPG 1.2.3. That's a different problem in PGP 8. It can't always verify signatures made by a subkey. The only way to get PGP 8 to verify subkey signatures is to use the "pgpmail" interface: save the mail to a file and run it through. Using the "current window" trick or plugins won't work. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+JTD4qGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJiXoAoMfZ12FI6K9GN5qP3CCPmaxC/0N/AJ4q Nj1eyaJ4NGlv8x0zNOWnTShupQ== =OJrT -----END PGP SIGNATURE----- From bernardino_lopez at yahoo.com Sun Oct 12 16:46:24 2003 From: bernardino_lopez at yahoo.com (bernardino lopez) Date: Mon Oct 13 00:44:02 2003 Subject: Remove Special Character ^@ from Text. Message-ID: <20031012224624.50186.qmail@web10706.mail.yahoo.com> I'm trying to use some files but seems like there is some special spaces or characters, I wonder if somebody know how to escape the special character "^@" which looks like some kind of special space but is hard to do the escape with a RegExp. With VI: $_ = ",some_text^@^@^@,more_text,"; I try: $_=~s/[^+]//g; $_=~s/[^@]//g; $_=~s/\^@//g; None of those work. any help will be appreciated Thanks A lot in advance. Dino. Brains R lik books only work when they R Open. www.phpopenmonitor.com __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From rj at rjmarq.org Fri Oct 10 12:51:45 2003 From: rj at rjmarq.org (RJ Marquette) Date: Mon Oct 13 11:43:11 2003 Subject: Clearsign of HTML-pages In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A01115330@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2A01115330@cliff.bai.org> Message-ID: On Fri, 10 Oct 2003, Ryan Malayter wrote: > We were considering using it only for "important message" pages on our > site, like significant news releases. It seems reasonable that people > would only verify pages that seem "out of the ordinary" for a particular > site, no? Makes sense I guess. But if someone's going to hack your site, why would they just add an ususual news item? RJ :) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= RJ Marquette RSA:448B035F DSS:CB45C555 http://rjmarq.org From matthew.packard at umassmed.edu Fri Oct 10 17:44:29 2003 From: matthew.packard at umassmed.edu (Packard, Matthew) Date: Mon Oct 13 11:43:17 2003 Subject: Interesting issue with 1.2.2/1.2.3 and decrpyting files > 4g Message-ID: <3F871A2D.1020000@umassmed.edu> Everyone, I was hoping someone may have run across this issue - I compiled 1.2.2 and 1.2.3 again on my box in an effort to fix the following issue, but without success. I have a large file (~8g) and am trying to decrpyt it with a symmetric key. However, when the file decrpytion gets to about 4g, I get the following errors: with 1.2.2: block_filter cdf38: read error (size=12085, a->size=12085) gpg: packet(6) with unknown version 5 with 1.2.3 block_filter cdf18: read error (size=12085t,a->size=12085) gpg: [don't know]: old style partial length for invalid packet type gpg: packet(7) with unknown version 1 gpg: [don't know]: invalid packet (ctb=0f) gpg: block_filter: pending bytes! OK, so I've searched the archives, and have found no immediately useful answers (hope I didn't overlook something), and I would really like to get this data back. The data was written with 1.2.2 and burned to DVD - I've tried to copy to disk and decrypt, and to decrypt right from the DVD. Did I miss something with LFs in the compilation, or is there something else? Thanks in advance for your advice, suggestions, and time. Matthew Packard From silk at silk.sh.cvut.cz Mon Oct 13 02:24:04 2003 From: silk at silk.sh.cvut.cz (Petr Koloros) Date: Mon Oct 13 11:43:19 2003 Subject: large file decryption error (zlib) Message-ID: <20031012232404.GA26747@silk.sh.cvut.cz> Hi all, I've encrypted quite a large file (15 gigs) with gpg 1.2.1 and decryption causes this error: gpg: uncompressing failed: unknown compress algorithm I've listed raw data size with -vv parameter and the size is wrong. It says 2651277312 bytes but it is too far to 15 gigs. And the error occurs right when gpg decrypt this amout of bytes. I've tryied to hack the gpg to continue after this limit, but unsuccessfuly. Can anyone help me to decrypt this file or should I say good bye to my data? encryption method was: "gpg -e file" on Linux Thank you, Petr Koloros From eugene at esmiley.net Mon Oct 13 11:28:27 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Mon Oct 13 16:26:08 2003 Subject: Remove Special Character ^@ from Text. In-Reply-To: <20031012224624.50186.qmail@web10706.mail.yahoo.com> References: <20031012224624.50186.qmail@web10706.mail.yahoo.com> Message-ID: <3F8AB68B.9050907@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 bernardino lopez wrote: > I'm trying to use some files but seems like there is > some special spaces or characters, I wonder if > somebody know how to escape the special character "^@" > which looks like some kind of special space but is > hard to do the escape with a RegExp. [...] > > $_=~s/[^+]//g; > $_=~s/[^@]//g; > $_=~s/\^@//g; http://www.visibone.com/regular-expressions/ lists '\cX' as the way to escape control characters... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/iraJ6QPtAqft/S8RAserAJ99JRrl6TjoaH4I3Al5e3npZmDWuACfZrLn +pmel0ZzZEL0Wg76C5JZ4gA= =mAKK -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3553 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20031013/7b76e005/smime.bin From jeanine.gross at cpfoods.com Mon Oct 13 13:00:32 2003 From: jeanine.gross at cpfoods.com (Jeanine Gross) Date: Mon Oct 13 17:58:17 2003 Subject: (no subject) Message-ID: Hi Can anyone point me in the right direction.... I've worked on a project for the last 6-7 months.... it landed on me because the person who originally worked on it was laid off... he was kind enough to give me the password for the key ring. I have been able to decrypt files for the last 6 months with no error messages, however I have now noticed in the last 3 weeks or so that gpg is kicking back an error message to me, "gpg: can't check signature: public key not found". Can anyone tell me why it is happening for the last month? do I need to get another public DSA key? thanks Jeanine Gross Jeanine Gross -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031013/afb0209e/attachment.htm From atom-gpg at suspicious.org Mon Oct 13 10:17:33 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 18:19:13 2003 Subject: Can anyone tell me why it is happening (fwd) Message-ID: > Can anyone point me in the right direction.... I've worked on a project for > the last 6-7 months.... it landed on me because the person who originally > worked on it was laid off... he was kind enough to give me the password for > the key ring. I have been able to decrypt files for the last 6 months with > no error messages, however I have now noticed in the last 3 weeks or so that > gpg is kicking back an error message to me, "gpg: can't check signature: > public key not found". Can anyone tell me why it is happening for the last > month? do I need to get another public DSA key? ============================= personally, i have little compassion for employers who lay people off, so i'm not gonna lose any sleep if they can't decrypt their mail while a former employee scrambles to keep food on the table, and a roof over their head. i'm sure you'll figure it out.... just start reading the handbooks and FAQs, on company time. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Our job is to give people not what they want, but what we decide they ought to have." -- Richard Salant - Former President of CBS News From DBSMITH at OhioHealth.com Mon Oct 13 14:45:55 2003 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Mon Oct 13 19:44:06 2003 Subject: non root users Message-ID: All, I am running version 1.2.1 and I want to allow non-root users to be able to list the keys and encrypt for support issues. In my options file I have stated - -no-secmem-warning, but as a test user I still receive that messages about the memory. When I run gpg --list-keys as a test user I get nothing back...??? I have placed them in the proper group and have sgid'ed. thank you! Derek B. Smith OhioHealth IT UNIX / EDM Team 614-566-4145 -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031013/15cfe8a8/attachment.htm From SGates at olbh.com Mon Oct 13 15:20:35 2003 From: SGates at olbh.com (Gates, Scott) Date: Mon Oct 13 20:22:41 2003 Subject: Can anyone tell me why it is happening (fwd) Message-ID: <26B7DBDA79E1D711B57600A0C9C5515029BED0@ashland01msx> Atom, Have a little compassion. I went to Jennine's company's website and they don't appear to be one of the mega-corps that are moving jobs to Asia to save a buck. They look like a small specialty food company who's customers aren't buying anymore, because their jobs are getting exported to Asia. When the town's biggest factory closes, the local grocery store lays off people, too. (Oh! Boy! I got that tee-shirt.) -----Original Message----- From: Atom 'Smasher' [mailto:atom-gpg@suspicious.org] Sent: Monday, October 13, 2003 12:18 PM To: 'gnupg-users@gnupg.org' Subject: Can anyone tell me why it is happening (fwd) > Can anyone point me in the right direction.... I've worked on a > project for the last 6-7 months.... it landed on me because the person > who originally worked on it was laid off... he was kind enough to give > me the password for the key ring. I have been able to decrypt files > for the last 6 months with no error messages, however I have now > noticed in the last 3 weeks or so that gpg is kicking back an error > message to me, "gpg: can't check signature: public key not found". Can > anyone tell me why it is happening for the last month? do I need to > get another public DSA key? ============================= personally, i have little compassion for employers who lay people off, so i'm not gonna lose any sleep if they can't decrypt their mail while a former employee scrambles to keep food on the table, and a roof over their head. i'm sure you'll figure it out.... just start reading the handbooks and FAQs, on company time. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Our job is to give people not what they want, but what we decide they ought to have." -- Richard Salant - Former President of CBS News _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From atom-gpg at suspicious.org Mon Oct 13 12:31:39 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 20:33:20 2003 Subject: non root users In-Reply-To: References: Message-ID: > I am running version 1.2.1 and I want to allow non-root users to be able > to list the keys and encrypt for support issues. In my options file I > have stated > - -no-secmem-warning, but as a test user I still receive that messages > about the memory. > When I run gpg --list-keys as a test user I get nothing back...??? I > have placed them in the proper group and have sgid'ed. ================================== i'm ASSuming that you're doing this on *nix, since you mention root... i don't know enough about windoze to know if it even has a root account... btw, checking mail while logged in as root is a bad idea... best to fwd the mail to a non-root account!! AFAIK, the only *correct* way to share keys is give each user a copy of the keyring in their ~/.gnupg/* if they do already have keyrings, keys can be imported, per user... or (if they don't have keyrings) you can just copy the keyrings (and options file) into each users' home dir (and update the ownership). if they already have a keyring, you can export all of your keys, and let each user import that keyring into their own. just do gpg --export -a > all-pub-keys.asc and you'll get all of your public keys in one text file. similar for "--export-secret-keys" and "--export-secret-subkeys". depending on who has access to your system, you might want to make sure that those files exist with restrictive permissions *before* you redirect secret key info into them. also, look into `srm`. another ~secure~ (YMMV) option is to: gpg --export-secret-keys -a | openssl bf > all-secret-keys.enc which will give you a symmetrically encoded copy of the secret keyring. that can then be imported (by other users) through STDIN, with: openssl bf -d < all-secret-keys.enc | gpg --import you *might* be able to sym-link from your ~/.gnupg/ to theirs, and set up a "gpg-user" group that has access to the files. of course, since any user can then delete the keys (either through malice or accident), a secure backup (with restrictive permissions/access) would be prudent. i'm not sure if gpg will complain about liberal permissions on the keyrings.... i'm new here, so maybe there's another way.... of course, if this is for a company that's laying people off, then ignore the above advice, and reset all of your passwords (esp root) to "password" >;) ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Treat us good, we'll treat you better. Treat us bad, we'll treat you worse." -- motto of The Blue Blaze Irregulars From linux at codehelp.co.uk Mon Oct 13 20:35:23 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Oct 13 20:34:34 2003 Subject: non root users In-Reply-To: References: Message-ID: <200310131935.28619.linux@codehelp.co.uk> On Monday 13 Oct 2003 6:45 pm, DBSMITH@OhioHealth.com wrote: > All, > > I am running version 1.2.1 and I want to allow non-root users to be able > to list the keys and encrypt for support issues. In my options file I > have stated > - -no-secmem-warning, but as a test user I still receive that messages > about the memory. > When I run gpg --list-keys as a test user I get nothing back...??? I Missed the --homedir option? gpg will create an empty .gnupg/ directory in the home directory of that test user. As the test user, do: $ cd ~ $ ls -a Probably an easier way is to import the keyring into the .gnupg folder, that'll allow you to set options in the conf file (which is also reset per user). The warning about secmem should be solvable - I'm sure others here will help with that but you would be best providing more information on exactly how you have used chmod. If the keyring is < 500 keys, it's not a problem to have duplicate keyrings - one for each user. You can either add the --refresh-keys to the lexicon used by ordinary users or leave the keyrings alone if the keys don't change often. It's not usual for everyone to need the same keys, that's why GnuPG runs with a lot of configuration and all keyrings dictated by that user alone. There's not much for root to do, once installation is complete. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031013/a1478e33/attachment.bin From eugene at esmiley.net Mon Oct 13 15:43:15 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Mon Oct 13 20:43:17 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: References: Message-ID: <3F8AF243.8050309@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom 'Smasher' wrote: >> Can anyone point me in the right direction.... I've worked on a >> project for the last 6-7 months.... it landed on me because the >> person who originally worked on it was laid off... he was kind >> enough to give me the password for the key ring. I have been able >> to decrypt files for the last 6 months with no error messages, >> however I have now noticed in the last 3 weeks or so that gpg is >> kicking back an error message to me, "gpg: can't check signature: >> public key not found". Can anyone tell me why it is happening >> for the last month? do I need to get another public DSA key? > > personally, i have little compassion for employers who lay people > off, so i'm not gonna lose any sleep if they can't decrypt their > mail while a former employee scrambles to keep food on the table, > and a roof over their head. I too "have little compassion for employers who lay people off," but I disagree with your making this Jeanine's problem. She's probably no different than the person who was laid off and probably has MORE work due to the lay off. Jeanine, Have you recently "clean out" your public keyring by deleting any keys? You may have deleted the public key that your co-worker set up to be used to check signatures. It may also be the case that your public keyring was corrupted. GPG will create a new keyring in this case and you would need to re-import the appropriate keys. Can you give us more details about what you are doing when you receive the errors? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/ivJA6QPtAqft/S8RAjuJAKDakCcX5yr91oOMldgIJH4s1ZMhKwCgqPb7 fRB9FzfEixxyzegaGmkuCLs= =agw+ -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3553 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20031013/9cf0456d/smime.bin From atom-gpg at suspicious.org Mon Oct 13 12:43:29 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 20:45:14 2003 Subject: non root users In-Reply-To: References: Message-ID: > you *might* be able to sym-link from your ~/.gnupg/ to theirs, and set up > a "gpg-user" group that has access to the files. of course, since any user > can then delete the keys (either through malice or accident), a secure > backup (with restrictive permissions/access) would be prudent. i'm not > sure if gpg will complain about liberal permissions on the keyrings.... ========================= if you use a linked keyring, i'm also not sure how mangled the keyrings would be if multiple users tried to update key info at the same time... it may very well be UGLY. of course, it might work fine if you have permissions like... -rw-r----- 1 root gpg-user keyfile in which case, everyone in group "gpg-user" will be able to read the keys, but not write to them. again, i'm not sure if this will cause problems.... linking a keyring isn't covered in any documentation that i've seen... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke From atom-gpg at suspicious.org Mon Oct 13 12:54:19 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 20:55:59 2003 Subject: non root users In-Reply-To: <200310131935.28619.linux@codehelp.co.uk> References: <200310131935.28619.linux@codehelp.co.uk> Message-ID: > Missed the --homedir option? ================================= i missed that one... if each user (who's sharing the keys) sets that option in their own ~/.gnupg/gpg.conf , then the keys can just live in one place, and be shared... of course, what i mentioned about permissions (and clobbering) as they relate to links would then also apply to this... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "They do not bear arms, and do not know them, for I showed them a sword, they took it by the edge and cut themselves out of ignorance. They have no iron. Their spears are made of cane... They would make fine servants... With fifty men we could subjugate them all and make them do whatever we want." -- Christopher Columbus, after "Discovering America" From baby_p_nut3 at yahoo.com Mon Oct 13 13:02:45 2003 From: baby_p_nut3 at yahoo.com (Baby Peanut) Date: Mon Oct 13 21:00:53 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? Message-ID: <20031013190245.82934.qmail@web80604.mail.yahoo.com> $ gpg --import Victor_A_Abell.pgp gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: key 40BD3D55: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 Why isn't this old and very trusted PGP key accepted by GPG? You can get a copy of the key here: ftp://vic.cc.purdue.edu/pub/Victor_A_Abell.pgp Thanks, BP __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From atom-gpg at suspicious.org Mon Oct 13 13:04:40 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 21:06:20 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: <26B7DBDA79E1D711B57600A0C9C5515029BED0@ashland01msx> References: <26B7DBDA79E1D711B57600A0C9C5515029BED0@ashland01msx> Message-ID: > Have a little compassion. I went to Jennine's company's website and they > don't appear to be one of the mega-corps that are moving jobs to Asia to > save a buck. They look like a small specialty food company who's customers > aren't buying anymore, because their jobs are getting exported to Asia. > When the town's biggest factory closes, the local grocery store lays off > people, too. (Oh! Boy! I got that tee-shirt.) ====================== if a company chooses to fire people, instead of lowering executive salaries, it's simply not reasonable to expect the remaining work force to pick up all of the slack, always for no raise in pay. FACT: productivity *WILL* drop... let them waste money on efficiency experts who can put that into a graph. they want to fire someone who knows how to do a job, and then transfer that responsibility to someone at the bottom of the totem pole? RTFM on company time... THAT'S the cost of doing business... i checked out their website too.... did i mention that i'm vegan? ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The animals of the world exist for their own reasons. They were not made for humans any more than black people were made for white, or women created for men." -- Alice Walker From ingo.kloecker at epost.de Mon Oct 13 22:40:12 2003 From: ingo.kloecker at epost.de (Ingo =?iso-8859-1?q?Kl=F6cker?=) Date: Mon Oct 13 21:39:20 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <20031013190245.82934.qmail@web80604.mail.yahoo.com> References: <20031013190245.82934.qmail@web80604.mail.yahoo.com> Message-ID: <200310132140.14124@erwin.ingo-kloecker.de> On Monday 13 October 2003 21:02, Baby Peanut wrote: > $ gpg --import Victor_A_Abell.pgp > gpg: WARNING: using insecure memory! > gpg: please see http://www.gnupg.org/faq.html for more > information > gpg: key 40BD3D55: no valid user IDs > gpg: this may be caused by a missing self-signature ---------------------------------------------- > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > > Why isn't this old and very trusted PGP key accepted > by GPG? gpg told you why (see above). Regards, Ingo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031013/8c63b62a/attachment.bin From SGates at olbh.com Mon Oct 13 16:43:54 2003 From: SGates at olbh.com (Gates, Scott) Date: Mon Oct 13 21:46:02 2003 Subject: Can anyone tell me why it is happening (fwd) Message-ID: <26B7DBDA79E1D711B57600A0C9C5515029BED1@ashland01msx> -er- no you did not mention you were Vegan? So, How long did it take you to get here from Vega? [Humoring Atom as I call the laugh factory about Atom] What kind of gas mileage do you get on a 27 light year trip? [The funny farm hands are driving up in their padded van] Were there any good motels on the way? [Those industrious cleaners of toys in the attic are sneaking up behind.] I hope you have pictures from your trip. [GOTCHA! Snagged in the butterfly net!] Sorry, I had a couple of smart-alec pork chops for lunch. I wouldn't be so mean with you, but, you were being mean with Jeanine, who probably didn't ask to be put in charge of her laid-off cow-orker's work, in addition to her own. (BT-DT-2) You act like you're punishing cpfoods for laying off people, when in reality, you're only punishing Jeanine for surviving the company headsman's axe. That's happened to me. The company cans people with needed expertise, then hangs the remainder out when they can't fill the billet. I've been told to RTFM and fix the problem by end of day or don't come back tomorrow. I'm sure several others on this list have had similar experience. Sux being fired for incompetence in something that never was in your job description. My company uses the term "all other duties as assigned"; which means, if tomorrow they need me to be a helecopter pilot, me and my passengers are gonna die trying to fly. -----Original Message----- From: Atom 'Smasher' [mailto:atom-gpg@suspicious.org] Sent: Monday, October 13, 2003 3:05 PM To: Gates, Scott Cc: 'gnupg-users@gnupg.org' Subject: RE: Can anyone tell me why it is happening (fwd) > Have a little compassion. I went to Jennine's company's website and > they don't appear to be one of the mega-corps that are moving jobs to > Asia to save a buck. They look like a small specialty food company > who's customers aren't buying anymore, because their jobs are getting > exported to Asia. When the town's biggest factory closes, the local > grocery store lays off people, too. (Oh! Boy! I got that tee-shirt.) ====================== if a company chooses to fire people, instead of lowering executive salaries, it's simply not reasonable to expect the remaining work force to pick up all of the slack, always for no raise in pay. FACT: productivity *WILL* drop... let them waste money on efficiency experts who can put that into a graph. they want to fire someone who knows how to do a job, and then transfer that responsibility to someone at the bottom of the totem pole? RTFM on company time... THAT'S the cost of doing business... i checked out their website too.... did i mention that i'm vegan? ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The animals of the world exist for their own reasons. They were not made for humans any more than black people were made for white, or women created for men." -- Alice Walker From eugene at esmiley.net Mon Oct 13 16:49:50 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Mon Oct 13 21:50:49 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: References: Message-ID: <3F8B01DE.9090702@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jeanine Gross wrote: > My company receives a file weekly from a bank. Every Monday, since > March, I decrypt the file using the pgp command. I just decrypted > one this morning (successfully). However, after I enter the > passphrase and the file is decrypted, I get the message that the > signature was made 9/20/03 using DSA key *****, and that it "can't > check signature: public key not found". I have not used any > commands at all except to decrypt the new file each week. This > leads me to believe that the DSA key is a new one that is not on > the public key ring that was setup by the former employee (my > CIO/IT - my manager's manager) in Feb 2003. I'm also guessing that > I will have to obtain this key, probably from my vendor?, and add > it to my ring .... does this make sense, am I correct in thinking > this? It does make sense. It is possible that the vendor has changed keys. If you have "keyserver-options auto-key-retrieve" in your gpg.conf and the vendor has uploaded the key to the keyservers, gpg should retrieve the key. If you find that this option is in your gpg.conf, then the vendor hasn't uploaded the key and you'll need to get it from them directly. > I have not had a chance to digest the pdf manual, nor have I > ever seen any other documentation. I am a newbie at this. Should I > pursue approaching the vendor - do I start there? I'm afraid this > key will stop working all together at some point in time. The key is already ineffective. The vendor has signed the file using their secret key which you try to verify the authenticity of using their public key. If the signature doesn't validate, anyone could be sending the files. These untrusted files should net be processed further without resolving this issue. I recommend http://www.gnupg.org/gph/en/manual.html for a primer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/iwHd6QPtAqft/S8RAqr0AJ9CPlY/jNkG+YwDekQKXJoKW0PHZgCeLiVI QQXQ8x4Sug7Hx4hMxwuDNPc= =mpq3 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3553 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20031013/0292ed3f/smime.bin From eugene at esmiley.net Mon Oct 13 16:56:12 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Mon Oct 13 21:57:16 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: <3F8B01DE.9090702@esmiley.net> References: <3F8B01DE.9090702@esmiley.net> Message-ID: <3F8B035C.20208@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eugene Smiley wrote: > Jeanine Gross wrote: >> This leads me to believe that the DSA key is a new one that is >> not on the public key ring that was setup by the former employee >> (my CIO/IT - my manager's manager) in Feb 2003. Atom... Note that the laid off employee in question was an executive - -- the CIO -- of the company. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/iwNb6QPtAqft/S8RAmPgAJ9NgJzM1nxhWcx4Nbrp9RwXkbW7TACgt11w gLfWy4EfcEfx+oEF/72Dpt0= =42/9 -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3553 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20031013/a2958998/smime.bin From linux at codehelp.co.uk Mon Oct 13 22:06:13 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Oct 13 22:01:34 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <200310132140.14124@erwin.ingo-kloecker.de> References: <20031013190245.82934.qmail@web80604.mail.yahoo.com> <200310132140.14124@erwin.ingo-kloecker.de> Message-ID: <200310132106.17337.linux@codehelp.co.uk> On Monday 13 Oct 2003 8:40 pm, Ingo Kl?cker wrote: > On Monday 13 October 2003 21:02, Baby Peanut wrote: > > $ gpg --import Victor_A_Abell.pgp Looks like the exported file is missing some data, perhaps it's old? > > gpg: this may be caused by a missing self-signature > > ---------------------------------------------- There's a perfectly valid public key for that ID at: http://www.pgp.uk.demon.net:11371/pks/lookup?op=vindex&search=0x40BD3D55&fingerprint=on http://www.pgp.uk.demon.net:11371/pks/lookup?op=get&search=0x40BD3D55 > > Why isn't this old and very trusted PGP key accepted > > by GPG? > > gpg told you why (see above). It's only the Victor_A_Abell.pgp file that has a problem/corruption. Check the fingerprint (shown on the first link above), you should find it's the same key. If there are missing signatures perhaps, try importing the valid one and then the file one, sometimes GnuPG is clever enough to fix import problems when it has something to work with. Otherwise, contact the person directly and ask them to export the key again. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031013/cb0c4ecc/attachment.bin From atom-gpg at suspicious.org Mon Oct 13 14:25:26 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 22:27:08 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: <26B7DBDA79E1D711B57600A0C9C5515029BED1@ashland01msx> References: <26B7DBDA79E1D711B57600A0C9C5515029BED1@ashland01msx> Message-ID: > That's happened to me. The company cans people with needed expertise, then > hangs the remainder out when they can't fill the billet. I've been told to > RTFM and fix the problem by end of day or don't come back tomorrow. I'm > sure several others on this list have had similar experience. Sux being > fired for incompetence in something that never was in your job description. > My company uses the term "all other duties as assigned"; which means, if > tomorrow they need me to be a helecopter pilot, me and my passengers are > gonna die trying to fly. ============================ and if the company decides to fire the person who knows how to decrypt email, then the company may die while trying to read an encrypted email. that's the choice they made... fire someone who knows how to do this critical task, and hope for the best... arguably not the best management practice. maybe they'll need to hire the old guy back... as a "consultant"... i'm sure there are plenty of people on this list who have been laid-off in the last few years, and would be fully qualified to handle such a situation. i don't want to sound like i'm punishing anyone... but now that the responsibility has shifted, i suggest that the person now in charge of it find the most comfortable chair in the office, a big glass of their favorite hot or cold beverage, and RTFM. they may only have a small problem now, but with something as intuitive and user-friendly as pgp/gpg/pki, knowing just enough to be dangerous can really be dangerous ;) ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented." -- Elie Wiesel From atom-gpg at suspicious.org Mon Oct 13 14:31:18 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 13 22:32:58 2003 Subject: Can anyone tell me why it is happening (fwd) Message-ID: > That's happened to me. The company cans people with needed expertise, then > hangs the remainder out when they can't fill the billet. I've been told to > RTFM and fix the problem by end of day or don't come back tomorrow. I'm > sure several others on this list have had similar experience. Sux being > fired for incompetence in something that never was in your job description. > My company uses the term "all other duties as assigned"; which means, if > tomorrow they need me to be a helecopter pilot, me and my passengers are > gonna die trying to fly. ============================ and if the company decides to fire the person who knows how to decrypt email, then the company may die while trying to read an encrypted email. that's the choice they made... fire someone who knows how to do this critical task, and hope for the best... arguably not the best management practice. maybe they'll need to hire the old guy back... as a "consultant"... i'm sure there are plenty of people on this list who have been laid-off in the last few years, and would be fully qualified to handle such a situation. i don't want to sound like i'm punishing anyone... but now that the responsibility has shifted, i suggest that the person now in charge of it find the most comfortable chair in the office, a big glass of their favorite hot or cold beverage, and RTFM. they may only have a small problem now, but with something as intuitive and user-friendly as pgp/gpg/pki, knowing just enough to be dangerous can really be dangerous ;) ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented." -- Elie Wiesel From dshaw at jabberwocky.com Mon Oct 13 18:17:08 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Oct 13 23:14:59 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: <3F8B01DE.9090702@esmiley.net> References: <3F8B01DE.9090702@esmiley.net> Message-ID: <20031013211707.GA11204@jabberwocky.com> On Mon, Oct 13, 2003 at 03:49:50PM -0400, Eugene Smiley wrote: > Jeanine Gross wrote: > > My company receives a file weekly from a bank. Every Monday, since > > March, I decrypt the file using the pgp command. I just decrypted > > one this morning (successfully). However, after I enter the > > passphrase and the file is decrypted, I get the message that the > > signature was made 9/20/03 using DSA key *****, and that it "can't > > check signature: public key not found". I have not used any > > commands at all except to decrypt the new file each week. This > > leads me to believe that the DSA key is a new one that is not on > > the public key ring that was setup by the former employee (my > > CIO/IT - my manager's manager) in Feb 2003. I'm also guessing that > > I will have to obtain this key, probably from my vendor?, and add > > it to my ring .... does this make sense, am I correct in thinking > > this? > > It does make sense. It is possible that the vendor has changed keys. > If you have "keyserver-options auto-key-retrieve" in your gpg.conf and > the vendor has uploaded the key to the keyservers, gpg should retrieve > the key. If you find that this option is in your gpg.conf, then the > vendor hasn't uploaded the key and you'll need to get it from them > directly. Another possibility is that the vendor was only encrypting (and not signing) the files earlier. Now that the vendor is signing, you'd naturally get the "can't check signature" message. David From baby_p_nut3 at yahoo.com Mon Oct 13 17:57:06 2003 From: baby_p_nut3 at yahoo.com (Baby Peanut) Date: Tue Oct 14 01:55:25 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <200310132106.17337.linux@codehelp.co.uk> Message-ID: <20031013235706.26494.qmail@web80602.mail.yahoo.com> --- Neil Williams wrote: > On Monday 13 Oct 2003 8:40 pm, Ingo Klöcker wrote: > > On Monday 13 October 2003 21:02, Baby Peanut wrote: > > > $ gpg --import Victor_A_Abell.pgp > > Looks like the exported file is missing some data, perhaps it's > old? > > > > gpg: this may be caused by a missing self-signature > > > > ---------------------------------------------- > > There's a perfectly valid public key for that ID at: > http://www.pgp.uk.demon.net:11371/pks/lookup?op=vindex&search=0x40BD3D55&fingerprint=on > http://www.pgp.uk.demon.net:11371/pks/lookup?op=get&search=0x40BD3D55 > > > > Why isn't this old and very trusted PGP key accepted > > > by GPG? > > > > gpg told you why (see above). > > It's only the Victor_A_Abell.pgp file that has a problem/corruption. I asked Vic about this a while back and he said that the Victor_A_Abell.pgp file does not have any problems with PGP, only GPG. > Check the fingerprint (shown on the first link above), you should > find it's the same key. > > If there are missing signatures perhaps, try importing the valid > one and then the file one, sometimes GnuPG is clever enough to fix > import problems when it has something to work with. $ gpg --recv-keys 40BD3D55 worked but I still get $ gpg --import Victor_A_Abell.pgp gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: key 40BD3D55: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 I am such at PGP & GPG dilettant that I don't really know what to do next about this. > Otherwise, contact the person directly and ask them to export the > key again. > -- I did just a moment ago but I doubt he's going to change his mind about this being a compatiblity issue between PGP and GPG. > Neil Williams > ============= > http://www.codehelp.co.uk/ > http://www.dclug.org.uk/ > http://www.isbn.org.uk/ > http://sourceforge.net/projects/isbnsearch/ > > http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 > __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From JPClizbe at comcast.net Mon Oct 13 23:56:47 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Oct 14 05:54:57 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <20031013235706.26494.qmail@web80602.mail.yahoo.com> References: <20031013235706.26494.qmail@web80602.mail.yahoo.com> Message-ID: <3F8B73FF.5090408@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Baby Peanut wrote: > --- Neil Williams wrote: >> On Monday 13 Oct 2003 8:40 pm, Ingo Kl?cker wrote: >> > On Monday 13 October 2003 21:02, Baby Peanut wrote: >> > > $ gpg --import Victor_A_Abell.pgp >> >> Looks like the exported file is missing some data, perhaps it's >> old? >> >> > > gpg: this may be caused by a missing self-signature >> > >> > ---------------------------------------------- >> Otherwise, contact the person directly and ask them to export the >> key again. >> -- > > I did just a moment ago but I doubt he's going to change his mind > about this being a compatiblity issue between PGP and GPG. > I very much doubt it's a compatibility issue. PGP 8 imports the key from the file and shows both userids on the key as Revoked. Neither userid has a self-signature. Updating the key with the keyserver version adds signatures and the missing self-sigs. It would appear that the file version has been stripped and the validating self-signatures also were deleted either in error or on purpose. C:\PGP>gpg --import Victor_A_Abell.pgp gpg: key 40BD3D55: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 C:\PGP>pgpdump Victor_A_Abell.pgp Old: Public Key Packet(tag 6)(141 bytes) Ver 3 - old Public key creation time - Thu Nov 03 13:08:47 CST 1994 Valid days - 0[0 is forever] Pub alg - RSA Encrypt or Sign(pub 1) RSA n(1024 bits) - ... RSA e(5 bits) - ... Old: User ID Packet(tag 13)(32 bytes) User ID - Victor A. Abell Old: User ID Packet(tag 13)(35 bytes) User ID - Victor A. Abell Old: Signature Packet(tag 2)(149 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Fri Nov 04 14:40:56 CST 1994 Key ID - 0x445008FE385850ED Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - 00 80 RSA m^d mod n(1022 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(149 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Fri Nov 04 11:37:32 CST 1994 Key ID - 0x8057D2322E2C251B Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - b9 3e RSA m^d mod n(1023 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(149 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Fri Nov 04 09:03:45 CST 1994 Key ID - 0xDE2967B316B6FC9D Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - 2a b9 RSA m^d mod n(1024 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(149 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Fri Nov 04 07:48:03 CST 1994 Key ID - 0x2258C0A74C68F865 Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - e5 7c RSA m^d mod n(1023 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(117 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Fri Nov 04 07:17:20 CST 1994 Key ID - 0x0893912DABA4903D Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - d2 b1 RSA m^d mod n(766 bits) - ... -> PKCS-1 Old: Signature Packet(tag 2)(149 bytes) Ver 3 - old Hash material(5 bytes): Sig type - Generic certification of a User ID and Public Key packet(0x10). Creation time - Thu Nov 03 15:29:28 CST 1994 Key ID - 0xCA6F2B83FC0C02D5 Pub alg - RSA Encrypt or Sign(pub 1) Hash alg - MD5(hash 1) Hash left 2 bytes - e3 16 RSA m^d mod n(1024 bits) - ... -> PKCS-1 - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/i3P7HQSsSmCNKhARAlvLAJsE+IEx2KN31OOfsD2R1gVaMfchwACg3Q+W Pe6I372vIjx5p0+S5pYmW1k= =PQjw -----END PGP SIGNATURE----- From Freedom_Lover at pobox.com Tue Oct 14 01:04:44 2003 From: Freedom_Lover at pobox.com (Todd) Date: Tue Oct 14 06:03:02 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <20031013235706.26494.qmail@web80602.mail.yahoo.com> References: <200310132106.17337.linux@codehelp.co.uk> <20031013235706.26494.qmail@web80602.mail.yahoo.com> Message-ID: <20031014040443.GC18238@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Baby Peanut wrote: > $ gpg --recv-keys 40BD3D55 > > worked but I still get > > $ gpg --import Victor_A_Abell.pgp > gpg: WARNING: using insecure memory! > gpg: please see http://www.gnupg.org/faq.html for more information > gpg: key 40BD3D55: no valid user IDs > gpg: this may be caused by a missing self-signature > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > > I am such at PGP & GPG dilettant that I don't really know what to do > next about this. Check the allow-non-selfsigned-uid option. The gpg man page says this: --allow-non-selfsigned-uid --no-allow-non-selfsigned-uid Allow the import and use of keys with user IDs which are not self-signed. This is not recommended, as a non self-signed user ID is trivial to forge. --no-allow-non-selfsigned-uid disables. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Any sufficiently advanced technology is indistinguishable from a rigged demo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE/i3Xbuv+09NZUB1oRAhD9AKCY3D603kZO1yAFotU8JaT7Q1xwHACfZ4OH wEcgnnhz+8Dha2U5p+9XYZY= =tZGB -----END PGP SIGNATURE----- From ben at benfinney.id.au Tue Oct 14 17:50:37 2003 From: ben at benfinney.id.au (Ben Finney) Date: Tue Oct 14 08:48:17 2003 Subject: Can anyone tell me why it is happening (fwd) In-Reply-To: <3F8AF243.8050309@esmiley.net> References: <3F8AF243.8050309@esmiley.net> Message-ID: <20031014065037.GF9820@benfinney.id.au> On 13-Oct-2003, Eugene Smiley wrote: > Atom 'Smasher' wrote: > > personally, i have little compassion for employers who lay people > > off, so i'm not gonna lose any sleep if they can't decrypt their > > mail while a former employee scrambles to keep food on the table, > > and a roof over their head. > > I too "have little compassion for employers who lay people off," but I > disagree with your making this Jeanine's problem. I didn't see any suggestion that it should become Jeanine's problem. Rather, the suggestion was that Jeanine make it the company's problem -- by reading the documentation, training herself in how to solve the issue, on the company's time. If Jeanine expends her own resources to solve the issue, then it *does* become her problem -- she's validating the original decision to load her with more work than she's being paid for. If she requires more training for duties that she didn't ask for, then that's the company's responsibility to ensure she receives that training. > She's probably no different than the person who was laid off and > probably has MORE work due to the lay off. Which is another good reason not to validate that decision by accepting the extra burden of training on her own time, or with her own resources. -- \ "My roommate got a pet elephant. Then it got lost. It's in the | `\ apartment somewhere." -- Steven Wright | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031014/e802242d/attachment.bin From avbidder at fortytwo.ch Tue Oct 14 10:10:54 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Tue Oct 14 09:08:32 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <20031013235706.26494.qmail@web80602.mail.yahoo.com> References: <20031013235706.26494.qmail@web80602.mail.yahoo.com> Message-ID: <200310140910.55079@fortytwo.ch> On Tuesday 14 October 2003 01:57, Baby Peanut wrote: > $ gpg --recv-keys 40BD3D55 > > worked but I still get So, does gpg --list-key 40BD3D55 show you the key? Can you encrypt messages to that person without gpg warning? If so, end of story. You don't need to import that file - you do have the key in your keyring. cheers -- vbi -- MuMlutlitithtrhreeaadededd s siigngnatatuurere -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031014/936accbf/attachment.bin From anonymous at remailer.metacolo.com Mon Oct 13 13:05:14 2003 From: anonymous at remailer.metacolo.com (Anonymous Sender) Date: Tue Oct 14 11:11:01 2003 Subject: Remove Special Character ^@ from Text. Message-ID: bernardino lopez: > I'm trying to use some files but seems like there is > some special spaces or characters, I wonder if > somebody know how to escape the special character "^@" > which looks like some kind of special space but is > hard to do the escape with a RegExp. You can remove those characters (NUL's, binary zeroes) with 'tr': tr -d '\0' your_file_without_nulls From jeanine.gross at cpfoods.com Mon Oct 13 12:50:19 2003 From: jeanine.gross at cpfoods.com (Jeanine Gross) Date: Tue Oct 14 11:11:06 2003 Subject: DSA keys Message-ID: Hi Can anyone point me in the right direction.... I've worked on a project for the last 6-7 months.... it landed on me because the person who originally worked on it was laid off... he was kind enough to give me the password for the key ring. I have been able to decrypt files for the last 6 months with no error messages, however I have now noticed in the last 3 weeks or so that gpg is kicking back an error message to me, "gpg: can't check signature: public key not found". Can anyone tell me why it is happening for the last month? do I need to get another public DSA key? thanks Jeanine Gross -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031013/591e7543/attachment.htm From roconnor at Math.Berkeley.EDU Mon Oct 13 14:49:39 2003 From: roconnor at Math.Berkeley.EDU (Russell O'Connor) Date: Tue Oct 14 11:11:09 2003 Subject: secret keys and public keys Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [To: gnupg-users@gnupg.org] 1. Are there tools to take a subkey from one key and transfer it to be the subkey of another key, or do I have to write my own? 2. Why is it that GnuPG will refuse to decrypt using a secret key if there is no corresponding public key in one's public key ring? Thanks for any info. - -- Russell O'Connor Work to ensure that Iraq is run by Iraqis. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iQCVAwUBP4sP6E0+aO5oRkNZAQLpNQP6A00CKN2pdq0yw9xRg4QMeRIK9E4lhwcf eGhsrpkN0rCzhC5J5DUz7JghLVTXN8waeK8yXjmIWcKMpOnYVAENSbrY84FzUDAV NHp0rDMJgKuJgULCFW8jTGfQ7ggR12UQ/SO3BSQGV5lm45B07gREbTWJZmZxlxa1 jOMibpYuqC8= =85Im -----END PGP SIGNATURE----- From avbidder at fortytwo.ch Tue Oct 14 13:46:21 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Tue Oct 14 12:44:05 2003 Subject: secret keys and public keys In-Reply-To: References: Message-ID: <200310141246.28888@fortytwo.ch> On Monday 13 October 2003 22:49, Russell O'Connor wrote: > [To: gnupg-users@gnupg.org] > > 1. Are there tools to take a subkey from one key and transfer it to be the > subkey of another key, or do I have to write my own? AFAICT, the --allow-unsigned-subkeys option (analogous to the --allow-non-selfsigned-uid option) does not exist. So, you could use gpgsplit to get the subkey you want, but you won't get gpg to import that new subkey, and you won't be able to create the missing binding signature. cheers -- vbi -- featured link: http://fortytwo.ch/gpg/intro -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031014/e5b6a70d/attachment.bin From gr at eclipsed.net Tue Oct 14 11:12:53 2003 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Tue Oct 14 16:16:02 2003 Subject: DSA keys In-Reply-To: References: Message-ID: <20031014141253.GD22115@eclipsed.net> On Mon, Oct 13, 2003 at 11:50:19AM -0400, Jeanine Gross wrote: > message to me, "gpg: can't check signature: public key not found". > Can anyone tell me why it is happening for the last month? do I need > to get another public DSA key? Sounds like the public key signing the file you're trying to verify doesn't exist on your public keyring. Could you show us all of gpg's output, please? -- gabriel rosenkoetter / grosen@cc3.com / CC3 Unix & Linux sysadmin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : /pipermail/attachments/20031014/0e8b0aa0/attachment.bin From jeanine.gross at cpfoods.com Tue Oct 14 11:44:30 2003 From: jeanine.gross at cpfoods.com (Jeanine Gross) Date: Tue Oct 14 16:43:19 2003 Subject: DSA keys Message-ID: Gabriel, this is what gpg responds with (i've x-d out the key nbrs...) I have also done a gpgp --list-keys , but the DSA key from the signature below does not display for this inquiry gpg: encrypted with ELG-E key, ID xxxxxxx gpg: encrypted with 2048-bit ELG-E key, ID zzzzzz, created 2003-02-12 "user name" gpg: Signature made 10/10/03 23:57:54 using DSA key ID yyyyyy gpg: Can't check signature: public key not found Jeanine Gross -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031014/2006acc5/attachment.htm From baby_p_nut3 at yahoo.com Tue Oct 14 08:45:32 2003 From: baby_p_nut3 at yahoo.com (Baby Peanut) Date: Tue Oct 14 16:49:08 2003 Subject: Why isn't this old and very trusted PGP key accepted by GPG? In-Reply-To: <20031014040443.GC18238@psilocybe.teonanacatl.org> Message-ID: <20031014144532.99817.qmail@web80602.mail.yahoo.com> --- Todd wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Baby Peanut wrote: > > $ gpg --recv-keys 40BD3D55 > > > > worked but I still get > > > > $ gpg --import Victor_A_Abell.pgp > > gpg: WARNING: using insecure memory! > > gpg: please see http://www.gnupg.org/faq.html for more > information > > gpg: key 40BD3D55: no valid user IDs > > gpg: this may be caused by a missing self-signature > > gpg: Total number processed: 1 > > gpg: w/o user IDs: 1 > > > > I am such at PGP & GPG dilettant that I don't really know what to > do > > next about this. > > Check the allow-non-selfsigned-uid option. The gpg man page says > this: > > --allow-non-selfsigned-uid > > --no-allow-non-selfsigned-uid > Allow the import and use of keys with user IDs which are > not > self-signed. This is not recommended, as a non self-signed > user ID is trivial to forge. --no-allow-non-selfsigned-uid > disables. > > - -- > Todd OpenPGP -> KeyID: 0xD654075A | URL: > www.pobox.com/~tmz/pgp > ====================================================================== > Any sufficiently advanced technology is indistinguishable from a > rigged demo > Thanks, it just worked. $ gpg --allow-non-selfsigned-uid --import Victor_A_Abell.pgp gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: key 40BD3D55: accepted non self-signed user ID 'Victor A. Abell ' gpg: key 40BD3D55: accepted non self-signed user ID 'Victor A. Abell ' gpg: key 40BD3D55: "Victor A. Abell " 1 new user ID gpg: Total number processed: 1 gpg: new user IDs: 1 __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From gr at eclipsed.net Tue Oct 14 12:00:33 2003 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Tue Oct 14 16:58:10 2003 Subject: DSA keys In-Reply-To: References: Message-ID: <20031014150033.GE25013@uriel.eclipsed.net> On Tue, Oct 14, 2003 at 10:44:30AM -0400, Jeanine Gross wrote: > this is what gpg responds with (i've x-d out the key nbrs...) Unless you're really intent on preserving the private identity of the communicants, that's actually making it *harder* for me to help with your problem... > I have also done a gpgp --list-keys , but the DSA key from the > signature below does not display for this inquiry What is ? The email address of the person who sent you this message, or your email address? > gpg: encrypted with ELG-E key, ID xxxxxxx > gpg: encrypted with 2048-bit ELG-E key, ID zzzzzz, created 2003-02-12 > "user name" > gpg: Signature made 10/10/03 23:57:54 using DSA key ID yyyyyy > gpg: Can't check signature: public key not found What does gpg --list-keys yyyyyy say? -- gabriel rosenkoetter gr@eclipsed.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : /pipermail/attachments/20031014/0b60907c/attachment-0001.bin From Ediprogrammer at aol.com Tue Oct 14 14:40:29 2003 From: Ediprogrammer at aol.com (Ediprogrammer@aol.com) Date: Tue Oct 14 19:38:39 2003 Subject: GNUPG for Windows Message-ID: <3009D3B2.29B6EBEB.5C91E882@aol.com> Hi - Where can I download the gnupg program for Windows? Thanks! From lporter at hdsmith.com Tue Oct 14 14:02:13 2003 From: lporter at hdsmith.com (Lowell Porter) Date: Tue Oct 14 20:03:13 2003 Subject: GNUPG for Windows In-Reply-To: <3009D3B2.29B6EBEB.5C91E882@aol.com> Message-ID: <004501c3927d$4b96d7d0$6c04a8c0@hdsmith.com> http://www.gnupg.org/(en)/download/index.html -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Ediprogrammer@aol.com Sent: Tuesday, October 14, 2003 12:40 PM To: gnupg-users@gnupg.org Subject: GNUPG for Windows Hi - Where can I download the gnupg program for Windows? Thanks! _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From Ediprogrammer at aol.com Tue Oct 14 15:24:28 2003 From: Ediprogrammer at aol.com (Ediprogrammer@aol.com) Date: Tue Oct 14 20:24:48 2003 Subject: GNUPG for Windows Message-ID: <36178284.5EBC941E.5C91E882@aol.com> Thank you. Another problem, though. When I go to that link, then click on "FTP" next to "GnuPG 1.2.3 compiled for Microsoft Windows" my web browser gives me a "cannot find server or DNS error" and the address shown in my address window is: ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.2.3.zip. Do you think this is my firewall keeping me from accessing the ftp site, or do you think this gnupg ftp site is down? Thanks! From JPClizbe at comcast.net Tue Oct 14 14:49:56 2003 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Oct 14 20:48:07 2003 Subject: GNUPG for Windows In-Reply-To: <3009D3B2.29B6EBEB.5C91E882@aol.com> References: <3009D3B2.29B6EBEB.5C91E882@aol.com> Message-ID: <3F8C4554.9060600@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ediprogrammer@aol.com wrote: > Hi - > Where can I download the gnupg program for Windows? > Thanks! > You can get the canonical GnuPG build @ http://www.gnupg.org/(en)/download/index.html There is also a Windows-optimized build known as Nullify available at http://www.nullify.org - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Most men take the straight and narrow. A few take the road less traveled. I chose to cut through the woods." "The purpose of life is to achieve balance, in a continual cycle of gaining and retaining harmony. Walk in Beauty." - Navajo Proverb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows 2000) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/jEVPHQSsSmCNKhARAnfzAKDF+ZW8HquvbIV7Bktmc0yp072pEQCg+kAi 30j0dd/hfSNMXExdyqQlPI4= =8jYH -----END PGP SIGNATURE----- From ncmail at triad.rr.com Tue Oct 14 23:22:59 2003 From: ncmail at triad.rr.com (Matt) Date: Wed Oct 15 04:20:07 2003 Subject: GNUPG for Windows In-Reply-To: <36178284.5EBC941E.5C91E882@aol.com> Message-ID: <4.2.2.20031014222147.00b67b10@pop-server.triad.rr.com> At 02:24 PM 10/14/03 -0400, Ediprogrammer@aol.com wrote: >Thank you. Another problem, though. When I go to that link, then click on >"FTP" next to "GnuPG 1.2.3 compiled for Microsoft Windows" my web browser >gives me a "cannot find server or DNS error" and the address shown in my >address window is: >ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32cli-1.2.3.zip. Do you think >this is my firewall keeping me from accessing the ftp site, or do you >think this gnupg ftp site is down? >Thanks! It took me several tries at different times to be able to connect. I finally got it though. Matt From pplf at vie-privee.org Wed Oct 15 09:46:03 2003 From: pplf at vie-privee.org (pplf) Date: Wed Oct 15 08:41:44 2003 Subject: GNUPG for Windows In-Reply-To: <3009D3B2.29B6EBEB.5C91E882@aol.com> References: <3009D3B2.29B6EBEB.5C91E882@aol.com> Message-ID: <3F8CED2B.7010505@vie-privee.org> Ediprogrammer@aol.com wrote: > Hi - > Where can I download the gnupg program for Windows? Do you want a graphic (GUI) version or a command-line (CLI) version ? The GUI version is at http://winpt.sourceforge.net/en/download.php The CLI version is at http://www.gnupg.org -- pplf - French OpenPGP page "OpenPGP en francais" PGP: 8263 8399 2074 5277 a6d3 http://www.openpgp.fr.st 622d 1b66 ea3d caa0 8c94 "Anyone who quotes me in their sig is an idiot. -- Rusty Russell." From stephan.stapel at web.de Tue Oct 14 23:16:00 2003 From: stephan.stapel at web.de (Stephan Stapel) Date: Wed Oct 15 11:05:25 2003 Subject: question on multiple public keys Message-ID: <005f01c39290$097ae220$0a0200c0@athome.de> Dear list, I'm planning a network installation of GnuPG. Since some of the public keys are used by all people, I would like to know if it's possible to use multiple public keyrings with GnuPG, e.g. one that is local (specific per user) and one that is global (for all users within the network). If this is not possible, are there any other strategies. However I would try to avoid installing either a keyserver or exchanging the necessary public keys in a peer-2-peer manner. Kind regards, Stephan From avbidder at fortytwo.ch Wed Oct 15 13:33:11 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Wed Oct 15 12:30:54 2003 Subject: question on multiple public keys In-Reply-To: <005f01c39290$097ae220$0a0200c0@athome.de> References: <005f01c39290$097ae220$0a0200c0@athome.de> Message-ID: <200310151233.16831.avbidder@fortytwo.ch> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday 14 October 2003 22:16, Stephan Stapel wrote: > Dear list, > > I'm planning a network installation of GnuPG. Since some of the public keys > are used by all people, I would like to know if it's possible to use > multiple public keyrings with GnuPG, e.g. one that is local (specific per > user) and one that is global (for all users within the network). If this is > not possible, are there any other strategies. However I would try to avoid > installing either a keyserver or exchanging the necessary public keys in a > peer-2-peer manner. Multiple keyrings are possible in principle. Last I've tried (1.2.1 perhaps), the case where one keyring was read-only and one read-write was not handled gracefully when the user tried to update a key that was on the read-only keyring (i.e. gpg would try to add the key to the read-only keyring and fail). Dunno, is that handled in the current version? cheers - -- vbi - -- featured product: the GNOME desktop - http://gnome.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: get my key from http://fortytwo.ch/gpg/92082481 iKcEARECAGcFAj+NImxgGmh0dHA6Ly9mb3J0eXR3by5jaC9sZWdhbC9ncGcvZW1h aWwuMjAwMjA4MjI/dmVyc2lvbj0xLjUmbWQ1c3VtPTVkZmY4NjhkMTE4NDMyNzYw NzFiMjVlYjcwMDZkYTNlAAoJECqqZti935l688QAn0h/YZsi/rAWcZQRRr8Noew2 55PIAJ98MkrungPtXS9HwXEdmVYwq3BMbw== =AWmb -----END PGP SIGNATURE----- From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Wed Oct 15 14:06:08 2003 From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn) Date: Wed Oct 15 13:04:07 2003 Subject: Problem with multiple encryption subkeys Message-ID: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> Hi, I would like to encrypt to a public key which have two ELGamal encryption subkeys (11111111,22222222). Because I don't know which of the subkeys is valid I encrypt to both! This is my command: gpg --armor --recipient 0x11111111 --recipient 0x22222222 \ --output file.txt.asc --encrypt file.txt GnuPG 1.2.3 says something like "0x1111111, Public key already there, skipped!" If I use 0x22222222 as first recipient this keyid is shown in the message. Why? Does GnuPG detect the keyid of the primary (signing) key which of course is the same because its the same key (certificate)? -- Best Regards, Holger Sesterhenn ==== Internet http://www.utimaco.com From avbidder at fortytwo.ch Wed Oct 15 14:17:32 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Wed Oct 15 13:15:09 2003 Subject: Problem with multiple encryption subkeys In-Reply-To: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> References: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> Message-ID: <200310151317.33171.avbidder@fortytwo.ch> On Wednesday 15 October 2003 13:06, Holger Sesterhenn wrote: > Hi, > > I would like to encrypt to a public key which have two ELGamal encryption > subkeys (11111111,22222222). Because I don't know which of the subkeys is > valid I encrypt to both! Does it work if you use ! to specify the subkey. -- featured product: GNU Privacy Guard - http://gnupg.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031015/f94cd7ee/attachment.bin From avbidder at fortytwo.ch Wed Oct 15 14:26:00 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Wed Oct 15 13:23:37 2003 Subject: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) In-Reply-To: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> References: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> Message-ID: <200310151326.00906.avbidder@fortytwo.ch> On Wednesday 15 October 2003 13:06, Holger Sesterhenn wrote: > Hi, > > I would like to encrypt to a public key which have two ELGamal encryption > subkeys (11111111,22222222). Because I don't know which of the subkeys is > valid I encrypt to both! As reported: avbidder@ogo:~/tmp$ gpg --encrypt --armor --recipient 7B389D16 \ --recipient 72B20318 --output file.txt.asc gpg: 7B389D16: skipped: public key already present BUT: avbidder@ogo:~/tmp$ gpg --encrypt --armor --recipient 72B20318\! \ --recipient 7B389D16\! --output file.txt.asc gpg: 72B20318!: skipped: unusable public key Huh!? cheers -- vbi -- Lowery's Law: If it jams -- force it. If it breaks, it needed replacing anyway. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031015/1b6f4508/attachment.bin From dshaw at jabberwocky.com Wed Oct 15 08:46:21 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Oct 15 13:43:58 2003 Subject: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) In-Reply-To: <200310151326.00906.avbidder@fortytwo.ch> References: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> <200310151326.00906.avbidder@fortytwo.ch> Message-ID: <20031015114620.GA1859@jabberwocky.com> On Wed, Oct 15, 2003 at 01:26:00PM +0200, Adrian von Bidder wrote: Content-Description: signed data > On Wednesday 15 October 2003 13:06, Holger Sesterhenn wrote: > > Hi, > > > > I would like to encrypt to a public key which have two ELGamal encryption > > subkeys (11111111,22222222). Because I don't know which of the subkeys is > > valid I encrypt to both! > > As reported: > avbidder@ogo:~/tmp$ gpg --encrypt --armor --recipient 7B389D16 \ > --recipient 72B20318 --output file.txt.asc > gpg: 7B389D16: skipped: public key already present > > BUT: > avbidder@ogo:~/tmp$ gpg --encrypt --armor --recipient 72B20318\! \ > --recipient 7B389D16\! --output file.txt.asc > gpg: 72B20318!: skipped: unusable public key Hard for me to say something intelligent here without seeing the key.... The same thing works just fine for me. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 330 bytes Desc: not available Url : /pipermail/attachments/20031015/f013a97f/attachment.bin From dshaw at jabberwocky.com Wed Oct 15 08:52:20 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Oct 15 13:49:57 2003 Subject: question on multiple public keys In-Reply-To: <005f01c39290$097ae220$0a0200c0@athome.de> References: <005f01c39290$097ae220$0a0200c0@athome.de> Message-ID: <20031015115220.GB1859@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Oct 14, 2003 at 10:16:00PM +0200, Stephan Stapel wrote: > Dear list, > > I'm planning a network installation of GnuPG. Since some of the > public keys are used by all people, I would like to know if it's > possible to use multiple public keyrings with GnuPG, e.g. one that > is local (specific per user) and one that is global (for all users > within the network). If this is not possible, are there any other > strategies. However I would try to avoid installing either a > keyserver or exchanging the necessary public keys in a peer-2-peer > manner. Yes, this is possible. In each user's gpg.conf file, add a line reading: keyring /path/to/the/shared/keyring.gpg Note that when importing a key, each user will import to their own local keyring unless they specifically state they want to import to the shared keyring. Likely you don't want the shared keyring to be imported to by random users, so making it read-only is appropriate. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+NNPQqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJpkEAn15lXzH/fq0t1dDOCsj7kbola3OmAKDT L+RsZPn0Lt8cfsG4Nh26mh+OQA== =9iJu -----END PGP SIGNATURE----- From avbidder at fortytwo.ch Wed Oct 15 15:10:51 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Wed Oct 15 14:08:28 2003 Subject: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) In-Reply-To: <20031015114620.GA1859@jabberwocky.com> References: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> <200310151326.00906.avbidder@fortytwo.ch> <20031015114620.GA1859@jabberwocky.com> Message-ID: <200310151410.51404.avbidder@fortytwo.ch> On Wednesday 15 October 2003 13:46, David Shaw wrote: > > avbidder@ogo:~/tmp$ gpg --encrypt --armor --recipient 72B20318\! \ > > --recipient 7B389D16\! --output file.txt.asc > > gpg: 72B20318!: skipped: unusable public key > > Hard for me to say something intelligent here without seeing the > key.... Ah, sorry - I assumed it was a general bug. Closer inspection tells me: It's a mixture between bad error handling/bad error message on gpg's part and a subkey usage policy on the keyholder's part: the subkey in question has a creation date in the future. The subkeys on that key look like this: sub 4096g/3C3A2A02 2000-11-30 [expires: 2001-12-31] sub 4096g/1D0768FB 2002-01-01 [expires: 2002-12-31] sub 4096g/7B389D16 2003-01-01 [expires: 2003-12-31] sub 4096g/72B20318 2004-01-01 [expires: 2004-12-31] sub 4096g/864FF6D6 2005-01-01 [expires: 2005-12-31] so I guess the real bug is that gpg does not report why the public key is not usable. And the 'skipped' output should probably be skipped, too, since the key is not skipped but the error makes gpg abort (which I find good behaviour). cheers -- vbi -- love, n.: When you don't want someone too close--because you're very sensitive to pleasure. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031015/12e4a28d/attachment.bin From wk at gnupg.org Wed Oct 15 15:09:12 2003 From: wk at gnupg.org (Werner Koch) Date: Wed Oct 15 14:29:50 2003 Subject: large file decryption error (zlib) In-Reply-To: <20031012232404.GA26747@silk.sh.cvut.cz> (Petr Koloros's message of "Mon, 13 Oct 2003 01:24:04 +0200") References: <20031012232404.GA26747@silk.sh.cvut.cz> Message-ID: <87brsi3dp3.fsf@alberti.g10code.de> On Mon, 13 Oct 2003 01:24:04 +0200, Petr Koloros said: > Hi all, > I've encrypted quite a large file (15 gigs) with gpg 1.2.1 and decryption > causes this error: > I've listed raw data size with -vv parameter and the size is wrong. It says > 2651277312 bytes but it is too far to 15 gigs. And the error occurs right > when gpg decrypt this amout of bytes. There used to be a bug in gpg 1.2.1, I fixed 4 days after the release. I assume you ran gpg -e largefile which put an invalid file size into the message (OpenPGP can only encode 32 bit of length). If you would have used gpg -e I've tryied to hack the gpg to continue after this limit, but > unsuccessfuly. Can anyone help me to decrypt this file or should I say good > bye to my data? I'd need to donate quite some time to find a way to fix your data. Unfortunately I don't have this spare time. If the data is highlt valuable you might contact me at my company address. Sorry, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Wed Oct 15 16:36:35 2003 From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn) Date: Wed Oct 15 15:35:07 2003 Subject: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) In-Reply-To: <20031015114620.GA1859@jabberwocky.com> References: <3F8D2A20.5020700@smgwtest.aachen.utimaco.de> <200310151326.00906.avbidder@fortytwo.ch> <20031015114620.GA1859@jabberwocky.com> Message-ID: <3F8D4D63.8030204@smgwtest.aachen.utimaco.de> Hi, David Shaw wrote: > Hard for me to say something intelligent here without seeing the > key.... > The same thing works just fine for me. Arggl. Just read the this little sentence in the man page before "RETURN VALUE"... The '!' did the job. Thanx a lot. Best Regards, Holger Sesterhenn -- http://www.utimaco.com From William_Metcalf at kcmo.org Wed Oct 15 11:14:28 2003 From: William_Metcalf at kcmo.org (William_Metcalf@kcmo.org) Date: Thu Oct 16 11:17:38 2003 Subject: Problems building on AIX 4.3 Message-ID: Having problems building GPG on AIX 4.3, any help would be greatly appreciated. # make make all-recursive Making all in intl Target "all" is up to date. Making all in zlib Target "all" is up to date. Making all in util Target "all" is up to date. Making all in mpi source='mpih-div.c' object='mpih-div.o' libtool=no depfile='.deps/mpih-div.Po' tmpdepfile='.deps/mpih-div.TPo' depmode=gcc /bin/sh ../scripts/depcomp gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../include -g -O2 -Wall -c `test -f 'mpih-div.c' || echo './'`mpih-div.c mpih-div.c: In function `mpihelp_mod_1': mpih-div.c:86: warning: implicit declaration of function `__udiv_w_sdiv' mpih-div.c:100: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:101: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:106: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:107: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:136: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:136: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c: In function `mpihelp_divrem': mpih-div.c:290: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:354: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c: In function `mpihelp_divmod_1': mpih-div.c:447: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:448: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:453: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:454: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:482: Can't find a register in class `MQ_REGS' while reloading `asm'. mpih-div.c:482: Can't find a register in class `MQ_REGS' while reloading `asm'. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 1. Stop. make: 1254-004 The error code from the last command is 2. Stop. -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031015/7afae27a/attachment.htm From silk at silk.sh.cvut.cz Wed Oct 15 19:38:19 2003 From: silk at silk.sh.cvut.cz (Petr Koloros) Date: Thu Oct 16 11:17:44 2003 Subject: large file decryption error (zlib) In-Reply-To: <87brsi3dp3.fsf@alberti.g10code.de> References: <20031012232404.GA26747@silk.sh.cvut.cz> <87brsi3dp3.fsf@alberti.g10code.de> Message-ID: <20031015163819.GA13767@silk.sh.cvut.cz> Hi Werner, > > Hi all, > > I've encrypted quite a large file (15 gigs) with gpg 1.2.1 and decryption > > causes this error: > There used to be a bug in gpg 1.2.1, I fixed 4 days after the > release. I assume you ran > > gpg -e largefile Exactly. But I've found the solution already: --- ../gpg-1.2.1/gnupg-1.2.1/g10/parse-packet.c 2002-10-04 08:00:49.000000000 +0200 +++ g10/parse-packet.c 2003-10-13 17:36:44.000000000 +0200 @@ -2048,7 +2048,9 @@ pt->name[i] = c; } pt->timestamp = read_32(inp); if( pktlen) pktlen -= 4; - pt->len = pktlen; + //pt->len = pktlen; + pt->len = 0; + pt->is_partial = 1; pt->buf = inp; pktlen = 0; Thank you very much for the explanation of the problem. I have all my data decrypted successfuly now. With best regards, Petr Koloros From cmt at burggraben.net Thu Oct 16 15:04:42 2003 From: cmt at burggraben.net (Christoph Moench-Tegeder) Date: Thu Oct 16 14:02:48 2003 Subject: Problems building on AIX 4.3 In-Reply-To: References: Message-ID: <20031016120442.GA368@elch.haidundneu23.net> ## William_Metcalf@kcmo.org (William_Metcalf@kcmo.org): > Having problems building GPG on AIX 4.3, any help would be greatly > appreciated. Perhaps --disable-asm would help. Regards, Christoph -- Spare Space From millis at faztek.org Thu Oct 16 15:07:44 2003 From: millis at faztek.org (Millis Miller) Date: Thu Oct 16 15:05:19 2003 Subject: Help to find information to imlement game server GPG usage Message-ID: Hi, I have a project which is essentialy a email-based game ajudicator, that recevies instructions by email and sends their results alos by email to players. At the moment, it is using clear-text email, which has sufferend from a number of spoofing/fake identity issues. I am thus looking to use email signing/encryption to get around this. On the email sending side, I am using the email program (http://email.cleancode.org) to send emails, but I cannot find out clearly how to decode incoming signed (and possibly encrypted) email automatically. At the moment, I have a .forwards that sends all email to the program to parse. I'd like to have that email preprocessed so that it can: - decrypt it if encrypted - check the signature if signed and pass the post-processed email to the program (adding say some X-Headers to say if the signature was good/bad etc.). How can I do this (bearing in mind that emails are normally MIME encoded by email clients when signed/encrypted)? A second question is that I'd like to have the program automatically encrypt emails when sending to people if possible. Is it a better solution to have a local keyserver (pks) to control these keys, or provide a mechanism to directly place keys onto the ajudicator's keyring? I am not looking for an indepth solution, just some pointers as to what the best methods would be, as by just using munpack/gpg on its own, I don't seem to be getting anywhere. Many thanks, Millis From gr at eclipsed.net Thu Oct 16 11:46:14 2003 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Thu Oct 16 16:43:51 2003 Subject: Help to find information to imlement game server GPG usage In-Reply-To: References: Message-ID: <20031016144614.GO25013@uriel.eclipsed.net> On Thu, Oct 16, 2003 at 02:07:44PM +0100, Millis Miller wrote: > On the email sending side, I am using the email program > (http://email.cleancode.org) to send emails, but I cannot find out > clearly how to decode incoming signed (and possibly encrypted) > email automatically. Didn't look to closely at the rest of your description, but you might find a sysadmin tool called los helpful as a reference implementation. (It only deals with signing, but encryption should be a simple extension.) See: http://savannah.nongnu.org/projects/los/ -- gabriel rosenkoetter gr@eclipsed.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : /pipermail/attachments/20031016/f0a7623f/attachment.bin From eugene at esmiley.net Thu Oct 16 11:55:38 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Thu Oct 16 16:53:15 2003 Subject: Help to find information to imlement game server GPG usage In-Reply-To: References: Message-ID: <3F8EB16A.6010402@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Millis Miller wrote: > At the moment, I have a .forwards that sends all email to the > program to parse. I'd like to have that email preprocessed so that > it can: - decrypt it if encrypted - check the signature if signed > and pass the post-processed email to the program (adding say some > X-Headers to say if the signature was good/bad etc.). How can I do > this (bearing in mind that emails are normally MIME encoded by > email clients when signed/encrypted)? Since you're using Procmail (I gather from '.forwards'), this message http://lists.gnupg.org/pipermail/gnupg-users/2000-May/005685.html, Titled Calling GPG from Perl from Procmail from... points to http://pgpenvelope.sourceforge.net/ as a solution saying that you don't need to use the Pine functionality. > A second question is that I'd like to have the program > automatically encrypt emails when sending to people if possible. Is > it a better solution to have a local keyserver (pks) to control > these keys, or provide a mechanism to directly place keys onto the > ajudicator's keyring? Well, it seems that your email program supports outgoing encrypion. With the volume of keys you'll have (I expect it to be low, 20-50 per game) I'd suggest using a keyring over a keyserver (overkill). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/jrFm6QPtAqft/S8RAmgKAJ4ibQNzdP6k8TqP77WA3gZze4RrQACfRkRu SjibH3IqnNRnVD/me0ZwNko= =Heox -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3553 bytes Desc: S/MIME Cryptographic Signature Url : /pipermail/attachments/20031016/921296b3/smime.bin From dshaw at jabberwocky.com Thu Oct 16 20:20:05 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Oct 17 01:17:43 2003 Subject: secret keys and public keys In-Reply-To: References: Message-ID: <20031016232005.GA1757@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Oct 13, 2003 at 01:49:39PM -0700, Russell O'Connor wrote: > [To: gnupg-users@gnupg.org] > > 1. Are there tools to take a subkey from one key and transfer it to be the > subkey of another key, or do I have to write my own? You have to write your own, though 'gpgsplit' is helpful in getting the packets together. You can of course modify the GnuPG code to help you do this - see in particular sign.c and keygen.c. > 2. Why is it that GnuPG will refuse to decrypt using a secret key if there > is no corresponding public key in one's public key ring? Some of the information about a keypair is stored in the public key. It is not strictly necessary (all secret keys contain the correponding public key anyway), but given the design of GnuPG it works out that way. Future versions of GnuPG may not require this. You can create a public key from a secret key if you like. GnuPG 1.3.1 and later do this automatically when you import a secret key. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+PJ6UqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJ5PoAoNaMCDDgsUECisWxjLS3pco/3RM+AJ0f m00Y8+wkm15kwh02JU1dks3KLA== =5hAs -----END PGP SIGNATURE----- From yxp at hanwang.com.cn Fri Oct 17 11:47:37 2003 From: yxp at hanwang.com.cn (Yang Xiaopeng) Date: Fri Oct 17 04:38:41 2003 Subject: How to verify a signed&encrypted file in script Message-ID: <3F8F5849.3000008@hanwang.com.cn> hi, I create a signed&encrypted file use the following command: gpg -o file.gpg -r recipient -s -e file the recipient must first verify that the file is signed by me and then decrypt it, all of this is done by a bash script, but I find the command gpg --verify file.gpg doesn't work with the error "unexpected data", and the command gpg -o file -d file.gpg can decrypt and verify the file, but the script doesn't know whether the file have a valid signature by checking the return value. Is there any easy way to verify the file? thanks From alkaplun at mjhs.org Thu Oct 16 12:07:11 2003 From: alkaplun at mjhs.org (Alex Kaplun) Date: Fri Oct 17 11:25:47 2003 Subject: passphrase Message-ID: Hello All, Is it possible to disable a passphrase on the key or somehow bypass it? Thanks Alex From Felix_Yap at obrienglass.com.au Fri Oct 17 14:39:08 2003 From: Felix_Yap at obrienglass.com.au (Felix Yap) Date: Fri Oct 17 11:25:51 2003 Subject: 1.2.3 and 1.2.1 compatibility Message-ID: <00EB279DFF95534F9B10A910F46B4D1A5A852B@obgpadex.obrienglass.com.au> Hi all, We had GPG 1.2.1 humming along fine on Compaq Tru64 Unix V5.1A (our development and test server). However, it failed to compile on our production server that runs Digital Unix V4.0F (Rev. 1229). Since we are not C programmers we decided to install GPG 1.2.3 on the production server. I had a feeling that GPG 1.2.1 and 1.2.3 might not be compatible, but we tried to exchange files anyway (after exchanging our keys). The other party using GPG 1.2.1 could import our 1.2.3 key (and we could import their 1.2.1 key) but they could not decrypt our 1.2.3 file. Is it possible to encrypt/decrypt in GPG 1.2.3 to and from a 1.2.1 (like Microsoft Word 2000 can save files in Word 97 format)? Is there any other way to exchange files between these two versions? Or is the answer a simple: "No, these two versions cannot exchange files!" Rgds Felix -----Original Message----- From: gnupg-users-request@gnupg.org [mailto:gnupg-users-request@gnupg.org] Sent: Thursday, 16 October 2003 2:28 PM To: gnupg-users@gnupg.org Subject: Gnupg-users Digest, Vol 1, Issue 1489 Send Gnupg-users mailing list submissions to gnupg-users@gnupg.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.gnupg.org/mailman/listinfo/gnupg-users or, via email, send a message with subject or body 'help' to gnupg-users-request@gnupg.org You can reach the person managing the list at gnupg-users-owner@gnupg.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Gnupg-users digest..." Today's Topics: 1. Re: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) (Holger Sesterhenn) ---------------------------------------------------------------------- Message: 1 Date: Wed, 15 Oct 2003 15:36:35 +0200 From: Holger Sesterhenn Subject: Re: BUG in gpg 1.2.3 (Re: Problem with multiple encryption subkeys) To: gnupg-users@gnupg.org Message-ID: <3F8D4D63.8030204@smgwtest.aachen.utimaco.de> Content-Type: text/plain; charset=us-ascii Hi, David Shaw wrote: > Hard for me to say something intelligent here without seeing the > key.... The same thing works just fine for me. Arggl. Just read the this little sentence in the man page before "RETURN VALUE"... The '!' did the job. Thanx a lot. Best Regards, Holger Sesterhenn -- http://www.utimaco.com ------------------------------ _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users End of Gnupg-users Digest, Vol 1, Issue 1489 ******************************************** From hanno.mueller at epublica.de Fri Oct 17 13:27:00 2003 From: hanno.mueller at epublica.de (Hanno Mueller) Date: Fri Oct 17 12:24:13 2003 Subject: How to decrypt multiple blocks in one text file Message-ID: <3F8FC3F4.5010702@epublica.de> Hi, I'm collecting personal data from a web form. Since I don't want to store it in cleartext, I use gpg to encrypt each dataset the moment I receive it and put the encrypted text in a database. As an example, let's store the three datasets "1,bla,test1" "2,blubb,test2" and "3,blob,test3" as encrypted text in the database. So now I have several blocks of encrypted data. However, the result file after decryption should be a single text file like this: 1,bla,test1 2,blubb,test2 3,blob,test3 Since all datasets are to be collected in such a single file, anyway, I thought it might be possible to decrypt a single text file with many encrypted blocks like this: > -----BEGIN PGP MESSAGE----- > Version: GnuPG v1.2.3 (MingW32) > > hQIOA7J1VQU8h/vREAgAuLya8yeNNh74fWqVTAA97I3LAVqK6LC7/UuZ0O0V5dyy > ...snip... > -----END PGP MESSAGE----- > -----BEGIN PGP MESSAGE----- > Version: GnuPG v1.2.3 (MingW32) > > hQIOA7J1VQU8h/vREAf9FOR6hEcHv+ouzR1w1xI8RIgs0gPGzJIot/JRXUk2tZwb > ...snip... > -----END PGP MESSAGE----- > -----BEGIN PGP MESSAGE----- > Version: GnuPG v1.2.3 (MingW32) > > hQIOA7J1VQU8h/vREAf9FJZWHwuP6RRBo9SAghFQx/TjbYAWrgSo6ZZxu2EcE+hB > ...snip... > -----END PGP MESSAGE----- If I feed this file to gpg, it will ask for the passphrase, decrypt the first block and then complain "WARNING: encrypted message has been manipulated!" Is there some way gpg will decrypt this to a single file on its own? I want to avoid using sed/perl/whatever to split the text blocks first. Thanks & Greetings, Hanno -- Hanno M?ller, Dipl.-Inform. epublica Internet-Technologie://Konzeption/Produktion/Wartung http://www.epublica.de Tel. +49 (0)40/4109879-4 From avbidder at fortytwo.ch Fri Oct 17 13:39:29 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Fri Oct 17 12:37:05 2003 Subject: 1.2.3 and 1.2.1 compatibility In-Reply-To: <00EB279DFF95534F9B10A910F46B4D1A5A852B@obgpadex.obrienglass.com.au> References: <00EB279DFF95534F9B10A910F46B4D1A5A852B@obgpadex.obrienglass.com.au> Message-ID: <200310171239.30204.avbidder@fortytwo.ch> On Friday 17 October 2003 05:39, Felix Yap wrote: > Is it possible to encrypt/decrypt in GPG 1.2.3 to and from a 1.2.1 The answer should be a simple 'yes, it works'. If it doesn't, it's likely either a user error or a bug. Reading the Release notes for 1.2.2 and 1.2.3 should tell you if those versions introduced any incompatible changes (I don't remember any, though - most big things where done in the 1.0.6 to 1.0.7 and 1.0.7 to 1.2.x transitions). greetings -- vbi -- featured product: the KDE desktop - http://kde.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 335 bytes Desc: signature Url : /pipermail/attachments/20031017/c33d569e/attachment.bin From eugene at esmiley.net Fri Oct 17 08:46:37 2003 From: eugene at esmiley.net (Eugene Smiley) Date: Fri Oct 17 13:44:13 2003 Subject: passphrase In-Reply-To: References: Message-ID: <3F8FD69D.3020505@esmiley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Kaplun wrote: > Is it possible to disable a passphrase on the key or somehow bypass > it? This is possible, but you must have the old passphrase to do it. It's not possible in the situation where you have lost your passphrase. GPG wouldn't be secure if you could. The question that I have is why would you want to do this? Valid reasons have been discussed on this list before, but I'm curious about your situation. There may be better ways of doing what you want. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2-nr2 (Windows XP) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE/j9ab6QPtAqft/S8RAtnUAJ901qSpMoWZOOU/FKn1XsQ3i+e7cgCfcBwd ZtjZIuy7SLb4JCACr1ASpe4= =AsA+ -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Oct 17 11:05:08 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Oct 17 16:02:45 2003 Subject: 1.2.3 and 1.2.1 compatibility In-Reply-To: <00EB279DFF95534F9B10A910F46B4D1A5A852B@obgpadex.obrienglass.com.au> References: <00EB279DFF95534F9B10A910F46B4D1A5A852B@obgpadex.obrienglass.com.au> Message-ID: <20031017140508.GA4819@jabberwocky.com> On Fri, Oct 17, 2003 at 01:39:08PM +1000, Felix Yap wrote: > We had GPG 1.2.1 humming along fine on Compaq Tru64 Unix V5.1A (our > development and test server). However, it failed to compile on our > production server that runs Digital Unix V4.0F (Rev. 1229). Since we are not > C programmers we decided to install GPG 1.2.3 on the production server. I > had a feeling that GPG 1.2.1 and 1.2.3 might not be compatible, but we tried > to exchange files anyway (after exchanging our keys). The other party using > GPG 1.2.1 could import our 1.2.3 key (and we could import their 1.2.1 key) > but they could not decrypt our 1.2.3 file. > > Is it possible to encrypt/decrypt in GPG 1.2.3 to and from a 1.2.1 (like > Microsoft Word 2000 can save files in Word 97 format)? Is there any other > way to exchange files between these two versions? Or is the answer a > simple: "No, these two versions cannot exchange files!" It is possible. To really help though, I'd need more than "it doesn't work". Can you tell me what error message, if any, you saw? Can you encrypt a message to me with 1.2.3 and I'll try decrypting it in 1.2.1? David From korn at caxopen.de Fri Oct 17 17:10:01 2003 From: korn at caxopen.de (Andreas Korn) Date: Fri Oct 17 16:07:37 2003 Subject: verify after export/import of secret key Message-ID: <3F8FF839.5040406@caxopen.de> Hi, when I generate a key pair, import the public key of a friend, sign his public key and verify a signed mail of him this works fine. But when I export my public and secret keys (gpg --export / gpg --export-secret-keys), empty the keyrings (rm ~/.gnupg/*), import them again (gpg --import) and then do the same a before (import pub-key of friend, sign it, verify mail) the verification fails. gpg always tells me that it is a good signature but untrusted: gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. I thought that the keyrings should be in the same state afterwards, no matter if I generate a new key pair or import the secret and public key. What's wrong? This occured on RH-8 with gpg 1.0.7 Andreas -- Do not meddle in the affairs of wizards, for they are subtle and quick to anger! ############################################################################### Andreas Korn, CAxOPEN GmbH, Europaallee 10, 67657 Kaiserslautern fon: +49.631.30323.52 fax: +49.631.30323.02 eMail: korn@caxopen.de ############################################################################### From Freedom_Lover at pobox.com Fri Oct 17 12:29:06 2003 From: Freedom_Lover at pobox.com (Todd) Date: Fri Oct 17 17:27:14 2003 Subject: How to verify a signed&encrypted file in script In-Reply-To: <3F8F5849.3000008@hanwang.com.cn> References: <3F8F5849.3000008@hanwang.com.cn> Message-ID: <20031017152906.GR18238@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yang Xiaopeng wrote: > gpg -o file -d file.gpg > > can decrypt and verify the file, but the script doesn't know whether > the file have a valid signature by checking the return value. Take a look at the --status-fd option. That will get you the info you need about the signature status. If that doesn't help you, maybe you could encrypt the file and then make a detached sig of that, so you would have file.gpg and file.gpg.sig. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== If a government were put in charge of the Sahara Desert, within five years they'd have a shortage of sand. -- Dr. Milton Friedman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iD8DBQE/kArCuv+09NZUB1oRAm/iAJ4yhoEAYxO1USuDkQ5OB1V/ZbYn1gCguI7i zcL8ZEOY+VGe2c9o/nQ3XRE= =/8y1 -----END PGP SIGNATURE----- From avbidder at fortytwo.ch Fri Oct 17 19:06:38 2003 From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Fri Oct 17 18:04:17 2003 Subject: verify after export/import of secret key In-Reply-To: <3F8FF839.5040406@caxopen.de> References: <3F8FF839.5040406@caxopen.de> Message-ID: <200310171806.41129@fortytwo.ch> On Friday 17 October 2003 16:10, Andreas Korn wrote: > Hi, > when I generate a key pair, import the public key of a friend, sign his > public key and verify a signed mail of him this works fine. > But when I export my public and secret keys (gpg --export / gpg > --export-secret-keys), empty the keyrings (rm ~/.gnupg/*), import them > again (gpg --import) and then do the same a before (import pub-key of > friend, sign it, verify mail) the verification fails. gpg always tells > me that it is a good signature but untrusted: > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. You need to tell gpg that your own key is trusted. Do $ gpg --edit ... Command> trust and chose ultimate (5) trust. cheers -- vbi -- MuMlutlitithtrhreeaadededd s siigngnatatuurere -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031017/45698a17/attachment.bin From linux at codehelp.co.uk Fri Oct 17 19:20:41 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Oct 17 19:16:02 2003 Subject: verify after export/import of secret key In-Reply-To: <3F8FF839.5040406@caxopen.de> References: <3F8FF839.5040406@caxopen.de> Message-ID: <200310171820.46406.linux@codehelp.co.uk> On Friday 17 Oct 2003 3:10 pm, Andreas Korn wrote: > Hi, > when I generate a key pair, import the public key of a friend, sign his > public key and verify a signed mail of him this works fine. > But when I export my public and secret keys (gpg --export / gpg > --export-secret-keys), empty the keyrings (rm ~/.gnupg/*), import them If you want to empty the keyrings by force using rm, just delete ~/.gnupg/pubring.gpg (and possible secring.gpg) - by deleting the entire directory you are losing all GnuPG options and (the bit that matters for your query) the trust database. The trust is not stored in the keys themselves, it is entirely dictated by user input. Set your key to ultimate trust and keys you have signed should show as fully trusted, keys signed by those people show as marginal. (3 marginals on one key -> full etc.) GnuPG can delete keys from the keyring itself - much more cleanly than using bash and rm. (Sledgehammer vs nut ?) See: http://lists.gnupg.org/pipermail/gnupg-users/2003-August/019993.html > again (gpg --import) and then do the same a before (import pub-key of > friend, sign it, verify mail) the verification fails. gpg always tells > me that it is a good signature but untrusted: Because you deleted the only file that tells GnuPG which keys it can trust - even your own. Just because you generate a key, does not mean GnuPG should assume that you want to deal with the trust, it may just be a temporary / testing key. > What's wrong? rm ~/.gnupg/* That's what was wrong. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031017/f474e9ec/attachment-0001.bin From linux at codehelp.co.uk Fri Oct 17 19:34:05 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Oct 17 19:29:14 2003 Subject: How to decrypt multiple blocks in one text file In-Reply-To: <3F8FC3F4.5010702@epublica.de> References: <3F8FC3F4.5010702@epublica.de> Message-ID: <200310171834.05689.linux@codehelp.co.uk> On Friday 17 Oct 2003 11:27 am, Hanno Mueller wrote: > Hi, > I'm collecting personal data from a web form. Since I don't want to > store it in cleartext, I use gpg to encrypt each dataset the moment I > receive it and put the encrypted text in a database. > As an example, let's store the three datasets "1,bla,test1" > "2,blubb,test2" and "3,blob,test3" as encrypted text in the database. > So now I have several blocks of encrypted data. However, the result file > after decryption should be a single text file like this: > Since all datasets are to be collected in such a single file, anyway, I > thought it might be possible to decrypt a single text file with many I'm using similar authentication processes but can there really be a need for one single file? It's very inefficient by the time you have more than 20 users - it's not indexed, finding user 5 still means reading the entire file into memory. You've got a database backend, why not create a second table? create table webformtable (id int(10) not null primary key auto_increment, reference in(10) not null, content text); One record per user, use reference to link to another table where other details of that user are stored and query using: select content from webformtable,datatable where datatable.id = reference and reference = $variable; However, if you trust the server enough to receive and encrypt the data in the first place, you might as well store the data as cleartext above the public_html/ folder (out of reach of any inquisitive browser) and let the security of the server be your protection. After all, if I was to crack the server, I could delete the encrypted content or insert new values (the public key must be present for you to encrypt so I can use the same key to encrypt malicious or random data). With the server cracked, your authentication is lost and the need to protect the dataset (which sound awfully like username/password combos) is lost too - you can't protect data on the server once the server itself is compromised without encrypting all sensitive data, not just the identification strings for authentication. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031017/9d9f7d09/attachment.bin From hanno.mueller at epublica.de Fri Oct 17 22:33:45 2003 From: hanno.mueller at epublica.de (Hanno Mueller) Date: Fri Oct 17 21:31:21 2003 Subject: How to decrypt multiple blocks in one text file In-Reply-To: <200310171834.05689.linux@codehelp.co.uk> References: <3F8FC3F4.5010702@epublica.de> <200310171834.05689.linux@codehelp.co.uk> Message-ID: <3F904419.7000105@epublica.de> Neil Williams schrieb: > I'm using similar authentication processes but can there really be a need for > one single file? Yes, there is a need for one single file in my application. > However, if you trust the server enough to receive and encrypt the data in the > first place, you might as well store the data as cleartext above the > public_html/ folder (out of reach of any inquisitive browser) and let the > security of the server be your protection. After all, if I was to crack the > server, I could delete the encrypted content or insert new values (the public > key must be present for you to encrypt so I can use the same key to encrypt > malicious or random data). With the server cracked, your authentication is > lost and the need to protect the dataset (which sound awfully like > username/password combos) is lost too - you can't protect data on the server > once the server itself is compromised without encrypting all sensitive data, > not just the identification strings for authentication. I'm aware of that, but that's not what I am about to do. I am not trying to encrypt username/password combos, but payment order information. On the web server, the account data is practically "write only". If someone wishes to change his account data, he can enter it again. We never have to show the full account info to the user again and we never have to decrypt it on the web server. We transfer the collected payment data to a second computer, decrypt it there and then give it to our bank for a bulk payment order. Our bank accepts a special file format that lists account data and money amounts for multiple payments. This is why I am trying to create a single file from multiple encrypted blocks, each representing one payment. So of course, the account information I wish to collect on the web server must be reasonably protected against decryption if someone cracks the server and gets full access to the database, because otherwise he could abuse our users' account data. If someone manages to insert false data, our bank will tell us about false or failed payment orders instantly. If this happens, we will contact the user, ask him about it and thus know that his account data has been tampered with. So a breakin as you described can be dealt with and won't produce trouble for our users. Greetings, Hanno From linux at codehelp.co.uk Sat Oct 18 00:41:33 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Oct 18 00:36:41 2003 Subject: How to decrypt multiple blocks in one text file In-Reply-To: <3F904419.7000105@epublica.de> References: <3F8FC3F4.5010702@epublica.de> <200310171834.05689.linux@codehelp.co.uk> <3F904419.7000105@epublica.de> Message-ID: <200310172341.34364.linux@codehelp.co.uk> On Friday 17 Oct 2003 8:33 pm, Hanno Mueller wrote: > Neil Williams schrieb: > > can't protect data on the server once the server itself is compromised > > without encrypting all sensitive data, not just the identification > > strings for authentication. > > I'm aware of that, but that's not what I am about to do. I am not trying > to encrypt username/password combos, but payment order information. And as you describe, all sensitive data is being encrypted, OK. > We transfer the collected payment data to a second computer, decrypt it Clearly you must retain the context of the data (each dataset distinct from all others with no overlaps or mixing) so I tried experimenting with ASCII vs binary outputs, various line separations/append operations with the same errors. I've also tried encapsulating multiple encryption blocks in a single email and only when it was MIME encoded could all blocks be decrypted. The solution was to encompass the entire group in one single encryption block - in effect re-encrypt the encrypted data. I can't demonstrate it to you as you snipped some vital content from the first message and didn't sign it - so I don't have access to a usable public key for you to decrypt. Note: Sending using the inline PGP function within KMail (which does not use MIME) does not allow decryption of the included blocks despite the overlapping encryption of the group. Only sending via S/MIME allows decryption of all blocks. This is sample output from an S/MIME test message to myself using KMail and the OpenPGP plugin to create the MIME boundaries. Encrypted message Encrypted message test2 person2 account2 amount2 item2 End of encrypted message Encrypted message test1 person account amount item End of encrypted message End of encrypted message So it's MIME or some form of scripting to split the file on a known marker - the same principle for each. I know that's not what you wanted to hear, but there it is. S/MIME is no easier to implement in your situation than a perl script but at least it does still retain one file. Perl could split the file on the key block markers, output one complete block to the GnuPG::Interface module in sequence and build the decrypted file block by block. Either way, there's a reasonable amount of work involved in building the script and handling errors. ASCII armoured key blocks lend themselves to regular expressions but you might want to avoid using join() to make the block into a single line expression because of line end problems on decryption. Test for the begin block, check each line following for end block and output to GnuPG::Interface as one unit block. I suspect that this is exactly how S/MIME decrypts the sample message - isolate each block using MIME boundaries and build the whole from the component blocks. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031017/4b83cf4a/attachment.bin From johanw at vulcan.xs4all.nl Sat Oct 18 15:04:40 2003 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Oct 19 09:02:46 2003 Subject: [Announce] GnuPG 1.3.3 released (development) In-Reply-To: <20031010231643.GA27126@jabberwocky.com> from David Shaw at "Oct 10, 2003 07:16:43 pm" Message-ID: <200310181204.OAA03774@vulcan.xs4all.nl> You, David Shaw, wrote: >It will change with greater frequency than the 1.2.x "stable" branch, which >will mainly be updated for bug fix reasons. Although you write this with every new release of 1.3.x, until now that hasn't been true. > * A number of portability changes to make building GnuPG on > less-common platforms easier. I get this error on a Linux 2.0.38 box, libc 5.4.33: vulcan> make install [snip] Making install in po make[1]: Entering directory /Storage/pgp/gpg/install/gnupg-1.3.3/po' /bin/sh `case "../scripts/mkinstalldirs" in /*) echo "../scripts/mkinstalldirs" ;; *) echo "../../scripts/mkinstalldirs" ;; esac /usr/local/lib/gnupg/share ../../scripts/mkinstalldirs: ../../scripts/mkinstalldirs: No such file or directory make[1]: *** [install-data-yes] Error 1 make[1]: Leaving directory /Storage/pgp/gpg/install/gnupg-1.3.3/po' make: *** [install-recursive] Error 1 However, the installed executables work fine as far as I have tested. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From korn at caxopen.de Fri Oct 17 17:01:40 2003 From: korn at caxopen.de (Andreas Korn) Date: Sun Oct 19 21:12:47 2003 Subject: verify after export/import of secret key Message-ID: <3F8FF644.6010500@caxopen.de> Hi, when I generate a key pair, import the public key of a friend, sign his public key and verify a signed mail of him this works fine. But when I export my public and secret keys (gpg --export / gpg --export-secret-keys), empty the keyrings (rm ~/.gnupg/*), import them again (gpg --import) and then do the same a before (import pub-key of friend, sign it, verify mail) the verification fails. gpg always tells me that it is a good signature but untrusted: gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. I thought that the keyrings should be in the same state afterwards, no matter if I generate a new key pair or import the secret and public key. What's wrong? This occured on RH-8 with gpg 1.0.7 Andreas -- Do not meddle in the affairs of wizards, for they are subtle and quick to anger! ############################################################################### Andreas Korn, CAxOPEN GmbH, Europaallee 10, 67657 Kaiserslautern fon: +49.631.30323.52 fax: +49.631.30323.02 eMail: korn@caxopen.de ############################################################################### From Mike.Kaipust at qwest.com Fri Oct 17 11:48:42 2003 From: Mike.Kaipust at qwest.com (Kaipust, Michael) Date: Sun Oct 19 21:12:53 2003 Subject: decrypt failure using scheduling tool on UNIX; receive msg 'cannot open /dev/tty' Message-ID: <5A17AEBAA6F3B647A0FEA879A73EDE000A5DC635@denntex017.qwest.net> All, The following command executed in a Korn shell script from our scheduling tool is yielding the message: gpg: cannot open /dev/tty: No such device or address command- gpg --recipient "Qwest HRBATCH" --passphrase-fd 3 --output output.txt --decrypt in.txt.pgp 3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, after I tried a while to see the difference between gpgv and "gpg --verify", I googled about an hour to recognize that these commands use two different keyfiles (gpgv -> ~/.gnupg/trustedkeys.gpg ; "gpg --verify" -> ~/.gnupg/ trustdb.gpg) Can anybody explain me why this is so? My initial problem was that I didn't know how to add keys to the trustedkeys.gpg? Can anybody tell me how this works? Thanks! Regards Michael - -- mailto: mailbox@chalvatzis.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE/kDpPPq8H+SA6t60RAhVhAJ0YpWvSRGZdLZyD8Oguov5lJd29AgCfZLpr Cqpv5JSvQ8gEASgfjhwf7sY= =pMpS -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sun Oct 19 22:01:37 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Oct 19 21:56:40 2003 Subject: gpgv vs. gpg --verify In-Reply-To: <200310172052.01282.mailbox@chalvatzis.de> References: <200310172052.01282.mailbox@chalvatzis.de> Message-ID: <200310192101.38237.linux@codehelp.co.uk> On Friday 17 Oct 2003 7:51 pm, Michael Chalvatzis wrote: > Hello all, > > after I tried a while to see the difference between gpgv and "gpg > --verify", I googled about an hour to recognize that these commands use two > different keyfiles (gpgv -> ~/.gnupg/trustedkeys.gpg ; "gpg --verify" -> > ~/.gnupg/ trustdb.gpg) > > Can anybody explain me why this is so? trustdb is from editing the trust on the key. gpg --edit-key > My initial problem was that I didn't know how to add keys to the > trustedkeys.gpg? Can anybody tell me how this works? I'd expect it to be related to this part of gpg.conf: # If you have more than 1 secret key in your keyring, you may want to # uncomment the following option and set your preferred keyid. #default-key 621CC013 Just a guess. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031019/4d0515d4/attachment.bin From jharris at widomaker.com Sun Oct 19 17:57:14 2003 From: jharris at widomaker.com (Jason Harris) Date: Sun Oct 19 22:55:18 2003 Subject: new (2003-10-19) keyanalyze results Message-ID: <20031019205714.GF924@pm1.ric-17.lft.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2003-10-19/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 8b5c45450731b64d6cc374995571e951093d520e 12500100 preprocess.keys 12e3ffda848fdba36869473d7449a336c2e6ce4e 10080362 othersets.txt 71881f09472b85c291a41c992346adb6482d498f 2278204 msd-sorted.txt 772dcd939e02add4ab8a053dd4f9db668a3e8f3a 1487 index.html 3573afaa79023e10859e8aa6dda62f56eec2256e 2287 keyring_stats 961a58c7e4fee1e5620769f1b01c0ff123d8b364 902907 msd-sorted.txt.bz2 9558be90860f792143d02394c10190d69df81a4c 26 other.txt fd7e648a1e64bb57c932aa3885cb67d2673705b1 1959019 othersets.txt.bz2 44c9821ce2d4cddcc3d5519e6c7284bbc46c052b 5594712 preprocess.keys.bz2 c525f66b5ec9b26ef68d53d897e0127efd243826 10884 status.txt de1eab7cc4b96bf25c5217c4e48f6b791c5dd3ff 212303 top1000table.html 80b98437c4b5f686a24bdadbbb00e25b50f33025 30812 top1000table.html.gz 1489c40bc74a716c91e65c3d82b7814a3af89ddc 11140 top50table.html 556e2ed70c0438a13d5743f1f081cf01bcd0b25e 2074 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20031019/bf8ecb5b/attachment.bin From T.Villnow at villnow-online.de Sun Oct 19 23:59:54 2003 From: T.Villnow at villnow-online.de (Torsten Villnow) Date: Sun Oct 19 22:57:27 2003 Subject: Problem with Encryption of Mails Message-ID: I am using GnuPG 1.2.3 with WinPT 0.7.96 under WinXP and have following problem - two scenarios: (1) the decryption of a mail, which the sender encrypted with both my public key AND his own key (*) fails; the details are: - the decryption window shows correctly both keys and following correct text: "you need a passphrase to unlock the secret key for user 'Torsten ....' " (that's me) - after having entered the passphrase and pressed "ok" the following error message pops up: "Encrypted with RSA Key, ID xyz, 'Joe ...' Decryption failed: secret key not available." (Joe is my buddy who sent me the mail) Obviously the program seems to have "forgot" between those key strokes somehow that the mail is for me, and expects the passphrase from Joe now. (2) the decryption of a mail, which the sender as encrypted with only my public key works as expected: - the decryption window shows only my public key - the encryption works just fine Is this a bug or WAD "working as designed"? - or did I do anything wrong? Torsten Villnow (*) my buddy has done this in order to be able to decrypt his own mail again after sending; this has worked perfectly with PGP on both sides From wk at gnupg.org Mon Oct 20 12:48:07 2003 From: wk at gnupg.org (Werner Koch) Date: Mon Oct 20 11:46:58 2003 Subject: decrypt failure using scheduling tool on UNIX; receive msg 'cannot open /dev/tty' In-Reply-To: <5A17AEBAA6F3B647A0FEA879A73EDE000A5DC635@denntex017.qwest.net> (Michael Kaipust's message of "Fri, 17 Oct 2003 10:48:42 -0600") References: <5A17AEBAA6F3B647A0FEA879A73EDE000A5DC635@denntex017.qwest.net> Message-ID: <87vfqkutns.fsf@alberti.g10code.de> On Fri, 17 Oct 2003 10:48:42 -0600, Kaipust, Michael said: > All, > The following command executed in a Korn shell script from our scheduling tool is yielding the message: > gpg: cannot open /dev/tty: No such device or address You need to add the --batch option and make sure that gpg does not ask anything. In some rare situations --no-tty is also useful. -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From wk at gnupg.org Mon Oct 20 12:50:00 2003 From: wk at gnupg.org (Werner Koch) Date: Mon Oct 20 11:47:05 2003 Subject: [Announce] GnuPG 1.3.3 released (development) In-Reply-To: <200310181204.OAA03774@vulcan.xs4all.nl> (Johan Wevers's message of "Sat, 18 Oct 2003 14:04:40 +0200 (MET DST)") References: <200310181204.OAA03774@vulcan.xs4all.nl> Message-ID: <87r818utkn.fsf@alberti.g10code.de> On Sat, 18 Oct 2003 14:04:40 +0200 (MET DST), Johan Wevers said: > ;; *) echo "../../scripts/mkinstalldirs" ;; esac /usr/local/lib/gnupg/share > ../../scripts/mkinstalldirs: ../../scripts/mkinstalldirs: No such file or > directory Yep, there is a problem with gettext I didn't caught becuase I did only VPATH builds. Use ./configure --disable-nls as a workaround. -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From willy at debian.org Mon Oct 20 00:12:54 2003 From: willy at debian.org (Matthew Wilcox) Date: Mon Oct 20 13:42:23 2003 Subject: [keyanalyze-discuss] new (2003-10-19) keyanalyze results In-Reply-To: <20031019205714.GF924@pm1.ric-17.lft.widomaker.com> References: <20031019205714.GF924@pm1.ric-17.lft.widomaker.com> Message-ID: <20031019221254.GF18370@parcelfarce.linux.theplanet.co.uk> On Sun, Oct 19, 2003 at 04:57:14PM -0400, Jason Harris wrote: > > New keyanalyze results are available at: > > http://keyserver.kjsl.com/~jharris/ka/2003-10-19/ Graph updated at: http://www.parisc-linux.org/~willy/footsie.png -- "It's not Hollywood. War is real, war is primarily not about defeat or victory, it is about death. I've seen thousands and thousands of dead bodies. Do you think I want to have an academic debate on this subject?" -- Robert Fisk From dshaw at jabberwocky.com Mon Oct 20 08:52:03 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Oct 20 13:49:38 2003 Subject: [Announce] GnuPG 1.3.3 released (development) In-Reply-To: <200310181204.OAA03774@vulcan.xs4all.nl> References: <20031010231643.GA27126@jabberwocky.com> <200310181204.OAA03774@vulcan.xs4all.nl> Message-ID: <20031020115203.GB2924@jabberwocky.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Oct 18, 2003 at 02:04:40PM +0200, Johan Wevers wrote: > You, David Shaw, wrote: > > >It will change with greater frequency than the 1.2.x "stable" branch, which > >will mainly be updated for bug fix reasons. > > Although you write this with every new release of 1.3.x, until now that > hasn't been true. You're right, but note that the amount of change in a given 1.3.x release is generally significantly higher than in the 1.2.x releases. David -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.4-cvs (GNU/Linux) Comment: Key available at http://www.jabberwocky.com/david/keys.asc iHEEARECADEFAj+TzGMqGGh0dHA6Ly93d3cuamFiYmVyd29ja3kuY29tL2Rhdmlk L2tleXMuYXNjAAoJEOJmXIdJ4cvJbKMAoKkv6FpSqah9OACCjZGcgClnYZHeAJwO afFfPEVvPqYiFoQSiGrkf39qQg== =MBaO -----END PGP SIGNATURE----- From robert.weinmann at humanic.com Mon Oct 20 10:19:06 2003 From: robert.weinmann at humanic.com (Weinmann, Robert) Date: Mon Oct 20 15:19:23 2003 Subject: decrypt failure using scheduling tool on UNIX; receive msg 'c annot open /dev/tty' Message-ID: <39F26EB66361214F9926E08A4B60442001184E2A@exc55cluster> You need to use something like the following command line: gpg --passphrase-fd 0 --batch -v -t --output $OUT --decrypt $IN < $GNUPGHOME/pass note the "--batch" option. HTH, Bob Weinmann Technical Support robert.weinmann@humanic.com Humanic Solutions -----Original Message----- From: Kaipust, Michael [mailto:Mike.Kaipust@qwest.com] Sent: Friday, October 17, 2003 12:49 PM To: gnupg-users@gnupg.org Subject: decrypt failure using scheduling tool on UNIX; receive msg 'cannot open /dev/tty' All, The following command executed in a Korn shell script from our scheduling tool is yielding the message: gpg: cannot open /dev/tty: No such device or address command- gpg --recipient "Qwest HRBATCH" --passphrase-fd 3 --output output.txt --decrypt in.txt.pgp 3 Ok, I've googled this without success. The man page mentions the count, but it doesn't explain what the quality level 0|1|2 argument that precedes it actually means. I've played with this a bit using all three and It's emitting random bytes for me, but I'm wonder what value I should be using ? TIA, -JSM Jason S. Mantor, MCP Senior Computer Programmer/Analyst New York State Higher Education Services Corporation Email: Jason_Mantor@hesc.com Telephone: (518) 402-3545 From twoaday at freakmail.de Mon Oct 20 11:00:50 2003 From: twoaday at freakmail.de (Timo Schulz) Date: Mon Oct 20 17:46:39 2003 Subject: Problem with Encryption of Mails In-Reply-To: References: Message-ID: <20031020080050.GB1524@daredevil.joesixpack.net> On Sun Oct 19 2003; 22:59, Torsten Villnow wrote: > - after having entered the passphrase and pressed "ok" the following error > message pops up: "Encrypted with RSA Key, ID xyz, 'Joe ...' Decryption > failed: secret key not available." (Joe is my buddy who sent me the Hmmm, this is weird. Did you check with GPG on the command line that you are really able to decrypt the file? If both keys are listed in the dialog, it should work. Maybe you can use the File Manager and "List Packets" to check that the msg is really encrypted with both pubkeys. > Obviously the program seems to have "forgot" between those key strokes > somehow that the mail is for me, and expects the passphrase from Joe now. Usually WinPT only shows the dialog with the information from GPG. It does not decide what key to use. This is a GPG thing. > the decryption of a mail, which the sender as encrypted with only my public > key works as expected: > > - the decryption window shows only my public key > - the encryption works just fine Please make sure you use GPG 1.2.3 or better. Timo -- Windows Privacy Tools "Alles auf einmal tun wollen zerst?rt alles (http://winpt.sourceforge.net) auf einmal." -- Georg Christoph Lichtenberg OpenPGP KeyID 0xBF3DF9B4 From wk at gnupg.org Tue Oct 21 13:28:37 2003 From: wk at gnupg.org (Werner Koch) Date: Tue Oct 21 12:26:53 2003 Subject: How to use --gen-random ? In-Reply-To: (Jason Mantor's message of "Mon, 20 Oct 2003 10:41:42 -0400") References: Message-ID: <87ad7uriju.fsf@alberti.g10code.de> On Mon, 20 Oct 2003 10:41:42 -0400, Jason Mantor said: > Ok, I've googled this without success. The man page mentions the count, > but it doesn't explain what the quality level 0|1|2 argument that precedes > it actually means. I've played with this a bit using all three and It's > emitting random bytes for me, but I'm wonder what value I should be using > ? Level 0 should not be considered cryptographic strong random. Level 1 is cryptographic strong random and used by GnuPG for session keys and padding. Level 2 is stronger by requiring that the internal pool has been updated with more entropy; it is used for creating keys. Hth, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From Jason.Harper at gecapital.com Tue Oct 21 12:35:43 2003 From: Jason.Harper at gecapital.com (Harper, Jason (CONS FIN)) Date: Tue Oct 21 17:36:39 2003 Subject: FTP site down? Message-ID: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> Hi...I am having difficulty getting the GPGME source tar from the ftp site for gnupg (ftp.gnupg.org). Is it me or is the ftp site not responding? Thanks jason From jharris at widomaker.com Tue Oct 21 13:54:55 2003 From: jharris at widomaker.com (Jason Harris) Date: Tue Oct 21 18:52:40 2003 Subject: FTP site down? In-Reply-To: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> References: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> Message-ID: <20031021165455.GA19184@pm1.ric-18.lft.widomaker.com> On Tue, Oct 21, 2003 at 11:35:43AM -0400, Harper, Jason (CONS FIN) wrote: > Hi...I am having difficulty getting the GPGME source tar from the ftp > site for gnupg (ftp.gnupg.org). Is it me or is the ftp site not > responding? http://www.gnupg.org/mirrors.html http://ftp.gnupg.org/ -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com | web: http://keyserver.kjsl.com/~jharris/ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20031021/49782061/attachment.bin From bernardino_lopez at yahoo.com Tue Oct 21 12:07:03 2003 From: bernardino_lopez at yahoo.com (bernardino lopez) Date: Tue Oct 21 20:04:38 2003 Subject: FTP site down? In-Reply-To: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> Message-ID: <20031021180703.14898.qmail@web10702.mail.yahoo.com> I put online a web-site that might help in some cases when U need an external point of view. Brains R Like Books only work when they R Open. www.phpopenmonitor.com --- "Harper, Jason (CONS FIN)" wrote: > Hi...I am having difficulty getting the GPGME source > tar from the ftp > site for gnupg (ftp.gnupg.org). Is it me or is the > ftp site not > responding? > > > Thanks > > jason > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com From wk at gnupg.org Tue Oct 21 21:36:40 2003 From: wk at gnupg.org (Werner Koch) Date: Tue Oct 21 20:36:57 2003 Subject: FTP site down? In-Reply-To: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> (Jason Harper's message of "Tue, 21 Oct 2003 11:35:43 -0400") References: <12104DED123C4847A7D1CB86540BE4AB091259E7@ALPMLVEM01.e2k.ad.ge.com> Message-ID: <87wuaymo93.fsf@alberti.g10code.de> On Tue, 21 Oct 2003 11:35:43 -0400, Harper, Jason (CONS FIN) said: > Hi...I am having difficulty getting the GPGME source tar from the ftp > site for gnupg (ftp.gnupg.org). Is it me or is the ftp site not > responding? Yes, one of the servers failed (we use several machines under the same name ftp.gnupg.org). Please use the mirrors in such cases. Salam-Shalom, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From Jason.Harper at gecapital.com Tue Oct 21 15:41:20 2003 From: Jason.Harper at gecapital.com (Harper, Jason (CONS FIN)) Date: Tue Oct 21 20:40:12 2003 Subject: FTP site down? Message-ID: <12104DED123C4847A7D1CB86540BE4AB091259F1@ALPMLVEM01.e2k.ad.ge.com> Thanks for not taking my flame-bait...i should have checked the mirrors... I typically know better.. Best j -----Original Message----- From: Werner Koch [mailto:wk@gnupg.org] Sent: Tuesday, October 21, 2003 2:37 PM To: Harper, Jason (CONS FIN) Cc: gnupg-users@gnupg.org Subject: Re: FTP site down? On Tue, 21 Oct 2003 11:35:43 -0400, Harper, Jason (CONS FIN) said: > Hi...I am having difficulty getting the GPGME source tar from the ftp > site for gnupg (ftp.gnupg.org). Is it me or is the ftp site not > responding? Yes, one of the servers failed (we use several machines under the same name ftp.gnupg.org). Please use the mirrors in such cases. Salam-Shalom, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From jschmid at uakron.edu Tue Oct 21 19:34:43 2003 From: jschmid at uakron.edu (Jeff Schmidt) Date: Wed Oct 22 10:30:31 2003 Subject: Would this be safe? Message-ID: <3F95B483.1070107@uakron.edu> Hello, Well, I'm kind of new to cryptography and how to keep stuff 'safe', so I thought I'd throw this out on the list to see if anyone would be willing to critique a potential use I'm thinking of putting GPG to. In a nutshell, I have a website that I want to have a form that users can fill out (on an ssl-secured page) that would include personal information (possibly credit card or other payment info). The company I'm doing this for (a small family business) currently has a POS credit-card terminal, and wants to just manually process orders instead of doing it fully online, but we want to be able to allow people to place orders online. So, I thought that I could use GPG, on the webserver, to encrypt the user data with a public key (for which the owner of the company will have the corresponding private key to decrypt the info), end then email the encrypted info as an attachment to the owner's email address. He would then get his email once or twice a day, decrypt the info using GPG and his private key, and process the order. That's the basic outline. Specifically, here's what I had in mind. The webpage/form would be proccessed by a PHP script. The script would use the PHP proc_open() function to execute 'GPG -a -r owners_email --encrypt'. The proc_open() command, for those not familiar with PHP, forks, creates two pipes between the parent process (the script) and the STDIN/STDOUT of the child process (for bi-directional communication between the processes), then exec's the command that you specify as the first argument to proc_open. I'm thinking this way I can send the user-inputted data into GPG using the script's writeable pipe (GPG's stdin), and receive back the encrypted data through the readable pipe (GPG's stdout). This will be running on a shared-host linux webserver (that is, we pay like $20/mo or something to the hosting company to have a website, and there are probably a couple hundred other users with sites on the same server), setup so that the PHP script runs as the user for our webhost account. With the above setup, the user data is only unencrypted in-memory (which I think should be fairly secure, yes?), and will only persist for an extremely short period of time. Since I use pipes to send the data to GPG, again it remains in memory (well, it might hit the virtual memory page-cache, but I don't think that's worth worrying about is it?) then gets encrypted and piped back to PHP, where I will email it (at which point it should be safe to send it over the 'public' email system as it is encrypted, right?). The public key will be stored in the keyring for our account (and will be the only thing in the keyring), on the webserver. I plan to have the keyring be 'unprotected' in terms of it not having a passphrase on it, since the only thing in it is a public key anyhow, and since I figure that even if I *did* passphrase it, that gives me the problem of storing the passphrase somewhere on the server for PHP to use, at which point it's basically just as unsecure as if the keyring has no passphrase. So, are there any problems with this setup? I've also considered generating a key-pair for the server, so that the server could sign the encrypted data, but as above, since the keyring would not necessarily be secure (I could ensure that the keyring file can only be read by our user on the system, but then if someone manages to exploit one of my PHP scripts they could grab it potentially, anyhow, since the PHP script runs as our user), I think that signing the form data would just give a potentially false sense of security. Thanks, and sorry for being so long-winded, but just trying to think through all the security implications of the various things I need to do. Jeff Schmidt From roz at altacocina.com Wed Oct 22 02:03:21 2003 From: roz at altacocina.com (Burris F. Resistance) Date: Wed Oct 22 10:30:45 2003 Subject: it takes 1 minute... Message-ID: <001101c39859$1bcb515e$b2742e5c@altacocina.com> To save thousands of dollars NOW! The rates are the LOWEST in 40 years! "BEST TIME TO REFINANCE YOUR HOME!" - New York Times. Check out for yourself: http://www.gordontower.com:32613/freequote/ AS LOW AS 2.9%, ANY CREDIT... Believe it or not. This is a free service, provided by our sponsors. You will not recieve this message again. Thank You! -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031022/0993ca61/attachment.htm From mcoca at gnu.org Wed Oct 22 15:45:24 2003 From: mcoca at gnu.org (Miguel Coca) Date: Wed Oct 22 15:08:51 2003 Subject: [Announce] GPA 0.7.0 released Message-ID: <20031022124524.GA26390@mycroft> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, We are pleased to announce the release of GPA 0.7.0 GPA is a graphical frontend for the GNU Privacy Guard (GnuPG, http://www.gnupg.org). GPA can be used to encrypt, decrypt, and sign files, to verify signatures and to manage the private and public keys. GPA depends on the GnuPG Made Easy (GPGME) library, version 0.4.3 or later. This is a development release. Please be careful when using it on production keys. You can find the release here: ftp://ftp.gnupg.org/gcrypt/alpha/gpa/gpa-0.7.0.tar.gz ftp://ftp.gnupg.org/gcrypt/alpha/gpa/gpa-0.7.0.tar.gz.sig The MD5 checksums for this release are: 44cb60cba64a48837588ed27f8db08b2 gpa-0.7.0.tar.gz a6e414cce650597a24609cc374af4b4d gpa-0.7.0.tar.gz.sig Noteworthy changes in version 0.7.0 (2003-10-22) - ------------------------------------------------ * Long file operations no longer block GPA, so several operations can be run at the same time. This also means GPA does not freeze while an operation runs, leading to a more responsive interface. * The keyring editor now displays all the subkeys of the currently selected key. This is only visible if GPA is in advanced mode (available from the preferences dialog). * The capabilities of a key (certify, sign, encrypt) are now visible from the keyring editor. * The keyring editor can now sort keys by any column. By default, they are listed in the order they were imported into the keyring (i.e. the same order as "gpg --list-keys"). * The key list is now displayed while it is being filled, allowing for faster startup times. * A warning dialog is now displayed when an operation slows down due to gpg rebuilding the trust database. * Imports and exports from files and servers have been separated into different dialogs and menu options. * Invoking GPA with file names as arguments will open those files in the file manager. * Cosmetical and minor fixes to the file manager window. * GPA now remembers the brief/detailed setting view and restores it when GPA is started. * Removed all deprecated widgets. GPA is now pure GTK+ 2.2. * Fixed a hang on startup on PowerPC machines. Known problems in version 0.7.0 - -------------------------------- * Keyserver access now depends on the GnuPG's plugins themselves, instead of on the gpg executable. Therefore, these plugins must be installed for keyserver access to work: - LDAP keyservers require the gpgkeys_ldap plugin, which is automatically compiled along with gpg if the OpenLDAP libraries are available. - HKP keyserver access needs gpgkeys_hkp, which is provided by default along with GnuPG >= 1.3.0, and can be compiled for GnuPG 1.2.x by passing the --enable-external-hkp option to configure. * It's been reported that compiling a Win32 version of GPA is impossible right now, due to our dependence on GPGME. - -- Miguel Coca (mcoca@gnu.org) http://zipi.fi.upm.es/~e970095/ OpenPGP: E60A CBF4 5C6F 914E B6C1 C402 8C4D C7B6 27FC 3CA8 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/lnA5jE3Htif8PKgRAmqnAKCfWGVkw75zbSPiFCWqUL0Q/7rvzQCeM0eu nGC23qORYougNQfRS4EQ8II= =kLe5 -----END PGP SIGNATURE----- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From rmalayter at bai.org Wed Oct 22 09:53:14 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Wed Oct 22 15:51:18 2003 Subject: Would this be safe? Message-ID: <792DE28E91F6EA42B4663AE761C41C2AF3D486@cliff.bai.org> From: Of Jeff Schmidt > So, are there any problems with this setup? You've got it down as far as I can tell. This is how we used to process credit card orders, and it worked very well so long as the volume stayed low. > I've also considered generating a key-pair > for the server ... I think that signing the > form data would just give a potentially false > sense of security. Well, if someone owns your account on that machine, the credit card numbers themselves can be considered compromised, since they could have modified your PHP code to copy the card numbers elsewhere before encryption. I would still have a "server" key pair with no pass phrase that automatically signs the emails, if only to give some protection against spoofing of orders. You should also sign each and every PHP file (detached) on the server with *your* private key, then write a script to periodically download all PHP files from the server and verify each of these signatures to make sure you haven't been hacked. The logic for this should reside on a remote machine. With these precautions in place, I think the only serious worries you would have are: 1) someone hacking you, making changes to capture credit card numbers, and then changing things back before your validation script runs. 2) a hacker not modifying any PHP files, but just copying your server private key and sending spoofed orders. Both of these scenarios can be mitigated somewhat by adjusting your timing: doing the verification run frequently, and changing the unprotected server signing key frequently. Regards, -ryan- From k.raven at freenet.de Thu Oct 23 02:14:29 2003 From: k.raven at freenet.de (Kai Raven) Date: Thu Oct 23 01:14:15 2003 Subject: [Announce] GPA 0.7.0 released In-Reply-To: <20031022124524.GA26390@mycroft> References: <20031022124524.GA26390@mycroft> Message-ID: <20031023011429.34082263.k.raven@freenet.de> Hi Miguel, On Wed, 22 Oct 2003 14:45:24 +0200 you wrote: > We are pleased to announce the release of GPA 0.7.0 Works fine with RedHat 9.0 - generated a testkey - retrieved your key > * The keyring editor now displays all the subkeys of the currently > selected key. This is only visible if GPA is in advanced mode > (available from the preferences dialog). (...) nice new features :) what i miss is the possibility for the user to search for keys with the user-id and to get an import window, where the keys are shown, before the user imports them. -- Ciao Kai WWW: http://kai.iks-jena.de/ GnuPG-Key: 0x76C65282 ICQ:146714798 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 660 bytes Desc: not available Url : /pipermail/attachments/20031023/58941c14/attachment.bin From avbidder at fortytwo.ch Thu Oct 23 09:15:06 2003 From: avbidder at fortytwo.ch (Adrian 'Dagurashibanipal' von Bidder) Date: Thu Oct 23 08:12:51 2003 Subject: Would this be safe? In-Reply-To: <3F95B483.1070107@uakron.edu> References: <3F95B483.1070107@uakron.edu> Message-ID: <200310230815.11250@fortytwo.ch> On Wednesday 22 October 2003 00:34, Jeff Schmidt wrote: > willing to critique a potential use I'm thinking of putting GPG to. In > a nutshell, I have a website that I want to have a form that users can > fill out (on an ssl-secured page) that would include personal > information (possibly credit card or other payment info). The company Looks fine so far. [signing the mails] Let's first look at what attacks are possible: basically, somebody could send a bogus order email directly, instead of entering it in the web form. From what you say (order emails are processed automatically, web site is on a big hosting server anyway), I think your assessment is correct that signing doesn't buy you a big benefit. To which key do you want to encrypt the emails? I would recommend that you generate a special key pair for this and do not just use the key pair of the show owner. So either the shop owner or the ordering system can change the key without much hassle - and as gpg with multiple secret keys works just normal (selects the right secret key to decrypt automatically), the additional work is close to zero. cheers -- vbi -- featured product: PostgreSQL - http://postgresql.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031023/bb00fd61/attachment.bin From mcoca at gnu.org Thu Oct 23 15:37:27 2003 From: mcoca at gnu.org (Miguel Coca) Date: Thu Oct 23 14:35:07 2003 Subject: [Announce] GPA 0.7.0 released In-Reply-To: <20031023011429.34082263.k.raven@freenet.de> References: <20031022124524.GA26390@mycroft> <20031023011429.34082263.k.raven@freenet.de> Message-ID: <20031023123727.GA2382@mycroft> On Thu, Oct 23, 2003 at 01:14:29 +0200, Kai Raven wrote: > Hi Miguel, Hi, > On Wed, 22 Oct 2003 14:45:24 +0200 you wrote: > > > We are pleased to announce the release of GPA 0.7.0 > > Works fine with RedHat 9.0 > - generated a testkey > - retrieved your key Very good. > what i miss is the possibility for the user to search for keys with the > user-id and to get an import window, where the keys are shown, before > the user imports them. This has been planned for a long time. I'll see what can be done about it for the next release. Thanks, -- Miguel Coca (mcoca@gnu.org) http://zipi.fi.upm.es/~e970095/ OpenPGP: E60A CBF4 5C6F 914E B6C1 C402 8C4D C7B6 27FC 3CA8 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20031023/b9618d9d/attachment.bin From rob at gemini.demon.nl Thu Oct 23 17:56:12 2003 From: rob at gemini.demon.nl (Rob) Date: Thu Oct 23 22:53:35 2003 Subject: GnuPG & TheBat! v.2 Message-ID: <186579965566.20031023165612@gemini.demon.nl> Hello all, hope someone here can help me ... despite the announcement that TB2 offers better support for GnuPG here : [+] GnuPG passphrase caching. The user now can select from various signing keys available. i am having nothing but problems with GnuPG in v.2 ... :-( I have several accounts, each with their own e-mail address and servers. For 2 of those addresses i created signing-keys ... When writing a message and signing it, i get a popup for the passphrase for the key corresponding to the e-mail address for the account i'm working in, no choice/selection, just a passphrase prompt. When signing a message in an account with an e-mail address for which i did not create a signing-key, i even get prompted for the passphrase for a signing-key (ie. e-mail address) that does not even exist ?!? Also, passphrase caching does not work ... Where did i go wrong ?? I found a post in the TBBETA archive about a 'GnuPG plugin', is that what i'm missing ? -- Rob using The Bat! 2.01.3 on Windows 2000 5.0 Build 2195 Service Pack 4 ~ From T.Villnow at villnow-online.de Fri Oct 24 19:53:53 2003 From: T.Villnow at villnow-online.de (Torsten Villnow) Date: Fri Oct 24 18:51:27 2003 Subject: Problem with Encryption of Mails In-Reply-To: <200310200802.13991.linux@codehelp.co.uk> Message-ID: > -----Original Message----- > From: Neil Williams [mailto:linux@codehelp.co.uk] > Sent: Monday, October 20, 2003 9:02 AM > To: Torsten Villnow > Subject: Re: Problem with Encryption of Mails I seem to be getting confused ... > > (1) > > the decryption of a mail, which the sender encrypted with both my public > > key AND his own key (*) fails; > > Umm, it should. If it's encrypted with both keys, you mean that > the block is: > > Start message encrypted to you > Start message encrypted to himself > End message encrypted to himself > End message encrypted to you. > > You will only ever be able to decrypt the outer wrap. It's the correct > behaviour. > > Incidentally, without YOUR secret key, your mate cannot decrypt > the message at > all - the block he can decrypt is hidden inside a block he cannot > decrypt. ... I can encrypt a file (using the file manager of WinPT) with both my buddy's public key and my own key. That one single file I can decrypt afterwards again, after having entered my own passphrase. The same is possible with mails I generate. > (Unless you two are sharing secret keys! Or not using the default > public/private key structure.) > > When people encrypt to themselves and to the recipient it is normally a > SEPARATE process. e.g. if I was to encrypt to you, the message > sent to you > would only be encrypted with your public key. A COPY of the > message before > encryption is then encrypted using my public key and stored in > Sent Items - > it never leaves my machine. The mail client handles this transparently. no - at least not ony ma machine ... :-) I currently encrypt the mail's body via the clip board, so the mail client (Outlook 2000) does not interfere during the encryption process. So I manually generate only one physical mail, and that mail I can decrypt afterwards again. And my buddy can encrypt this mail as well (using PGP). Torsten Villnow From david.anderson at calixo.net Sun Oct 26 08:24:03 2003 From: david.anderson at calixo.net (David Anderson) Date: Sun Oct 26 08:21:41 2003 Subject: Using GPGME Message-ID: <3F9B7693.3080503@calixo.net> Hi all First of all, apologies if this is not the right group to ask about GPGME. It seemed to be the best... I am currently working on a projet which requires both authentication through signature verification and encryption of a session key. I believe, through exploration of the texinfo manual, that I have managed to initialise libgpgme, create a working context. I also understand how to shuffle data through signature/verification and encryption/decryption. My only remaining obstable is how to retrieve the keys! Right now, our program is given the KeyID to use, and it must first look for it in the local keyring (with private section if required by the specific task), then search on a keyserver for the public part if all else fails. How would I implement this using gpgme functions? I can see that I must set the key location mode to either local or external, but the workings of the browsing/selection of a key elude me... Thanks in advance for any help you can give me David Anderson From root at nicolinux.de Mon Oct 27 01:20:50 2003 From: root at nicolinux.de (Stefan Nicolin) Date: Mon Oct 27 00:11:13 2003 Subject: Options to revoke a key Message-ID: <20031027012050.76e9857c.root@nicolinux.de> Hi, I must admit it that I was dumb enough to create an nice key (for playing with a USB Token "eToken") and forget the passphrase... Apparently I also didn't create a revoke certificate (not sure if I understand the whole revoking thing here because I'am prompted for the passphrase upon revoking the key). I still remember fragments of my passphrase. That's why I'am asking for advice how to brute force recover it. Any real life experience with those things? The OS is Linux. Thanks for your help Stefan Nicolin From ben at benfinney.id.au Mon Oct 27 11:47:06 2003 From: ben at benfinney.id.au (Ben Finney) Date: Mon Oct 27 01:44:45 2003 Subject: Options to revoke a key In-Reply-To: <20031027012050.76e9857c.root@nicolinux.de> References: <20031027012050.76e9857c.root@nicolinux.de> Message-ID: <20031027004706.GA20711@benfinney.id.au> On 27-Oct-2003, Stefan Nicolin wrote: > Apparently I also didn't create a revoke certificate (not sure if I > understand the whole revoking thing here because I'am prompted for the > passphrase upon revoking the key). Revoking a key requires access to the key. Access to the key requires the passphrase. This is necessary to prevent someone in posession of your secret key from revoking it without your permission. > I still remember fragments of my passphrase. That's why I'am asking > for advice how to brute force recover it. Infeasibility of brute-force compromise is a goal behind the algorithms used to protect the key. If it were feasible to do so, we'd want to know about it so that it could be fixed (made infeasible) again. As far as the software is concerned, someone who has lost their passphrase is indistinguishable from someone who never knew it. For this reason, the documentation (and, I believe, the keypair generation process) recommends creating a revocation certificate *at the time of the key's creation*, since losing the passphrase os one of the most common circumstances for wanting to use a revocation certificate. -- \ "There is no reason anyone would want a computer in their | `\ home." -- Ken Olson, president, chairman and founder of | _o__) Digital Equipment Corp., 1977 | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031027/c4476554/attachment.bin From atom-gpg at suspicious.org Sun Oct 26 19:26:27 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 27 04:24:02 2003 Subject: Options to revoke a key Message-ID: > > I still remember fragments of my passphrase. That's why I'am asking > > for advice how to brute force recover it. > > Infeasibility of brute-force compromise is a goal behind the algorithms > used to protect the key. If it were feasible to do so, we'd want to > know about it so that it could be fixed (made infeasible) again. > > As far as the software is concerned, someone who has lost their > passphrase is indistinguishable from someone who never knew it. ==================================== although, if you remember pieces of it, then you do (in theory) have an advantage over anyone else who might try to brute-force it.... with the pieces that you know, and some programming, it still may not be feasible to crack your own password. something else of relevance, that i found in the man page, is: --desig-revoke Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else's key. and... addrevoker Add a designated revoker. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options). i haven't played with them, but they may be worth looking into if one has a trusted friend/partner who is less likely than oneself to lose the keys. idea... (sorry, i'm thinking out loud, again) what if bob generates a revocation certificate, and uses gpg to encrypt a copy of it for alice (using alice's public key), and then encrypts that copy for carol (using carol's public key). then bob sends that double-encrypted copy to carol, with instructions to both carol and alice... neither carol nor alice could decrypt the certificate unless they both work together, which presumably they'd do only at bob's request to recover the revocation certificate. of course, if you have a place that's [electronically, physically and/or socially] secure enough to store a revocation certificate, then you should consider if it's also secure enough to store a copy of your pass-phrase. conventional wisdom says you should never write down a password, but with reasonable precautions it might be better to have a copy you can get to. check out the password links (towards the bottom) that i've collected at - http://smasher.suspicious.org/open/ also, an expiration date on keys let's them die on their own if they're not maintained... i'm keeping my keys good for 12-24 months at a time... when the expiration date hits 12 months, i'll add another 12 months to them. i figure it's easier to update (or force people to update) a key that expires at a later date, than an earlier date. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Fighting crime by building more jails is like fighting cancer by building more cemeteries." -- Paul Kelly From ben at benfinney.id.au Mon Oct 27 15:47:04 2003 From: ben at benfinney.id.au (Ben Finney) Date: Mon Oct 27 05:44:41 2003 Subject: Options to revoke a key In-Reply-To: References: <20031027012050.76e9857c.root@nicolinux.de> <20031027004706.GA20711@benfinney.id.au> Message-ID: <20031027044704.GC20711@benfinney.id.au> [Please honour my Mail-Followup-To header; I'm subscribed to the list, and list followups don't need to Cc me.] On 26-Oct-2003, Atom 'Smasher' wrote: > > As far as the software is concerned, someone who has lost their > > passphrase is indistinguishable from someone who never knew it. > > although, if you remember pieces of it, then you do (in theory) have > an advantage over anyone else who might try to brute-force it.... with > the pieces that you know, and some programming, it still may not be > feasible to crack your own password. Which is indistinguishable to the software; it doesn't matter, as far as the algorithm is concerned, how much knowledge you have if you're brute-forcing passwords. -- \ "Demagogue: One who preaches doctrines he knows to be untrue to | `\ men he knows to be idiots." -- Henry L. Mencken | _o__) | Ben Finney -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20031027/de30ce58/attachment.bin From atom-gpg at suspicious.org Sun Oct 26 21:08:44 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 27 06:06:21 2003 Subject: safe places to store a password In-Reply-To: References: Message-ID: ok, not everyone can remember "strong" passwords like: iD0F`r"Z6 ^X?|/J+oix esp when they're not used several times a a day. so, here's a (probably incomplete) list of apps that could help. of course, if you're storing a bunch of passwords in one of these, and you forget the master password, you're hosed. *nix * Figaro's Password Manager http://fpm.sourceforge.net/ * pwman - password management program http://pwman.sourceforge.net/ * Gringotts http://devel.pluto.linux.it/projects/Gringotts/ * Gpasman http://gpasman.nl.linux.org/ palm OS * Strip http://www.zetetic.net/products.html * Keyring for Palm OS http://gnukeyring.sourceforge.net/ a non OS dependent solution could be storing your password(s), electronically or printed, in a safe-deposit box or a safe. remember, any "safe" that can be carried away is not secure ;) it's suggested that a "real" safe should be at least 600 lbs (275 Kg) and/or be bolted to a concrete floor... otherwise it's too easy for an attacker to carry the safe away and crack it at their leisure. and then there's the locking mechanism of the safe... ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Nearly all men can stand adversity, but if you want to test a man's character, give him power." -- Abraham Lincoln From atom-gpg at suspicious.org Sun Oct 26 22:00:04 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 27 06:57:41 2003 Subject: Options to revoke a key In-Reply-To: <20031027044704.GC20711@benfinney.id.au> References: <20031027012050.76e9857c.root@nicolinux.de> <20031027004706.GA20711@benfinney.id.au> <20031027044704.GC20711@benfinney.id.au> Message-ID: > [Please honour my Mail-Followup-To header; I'm subscribed to the list, > and list followups don't need to Cc me.] ============ sorry about that... > > > As far as the software is concerned, someone who has lost their > > > passphrase is indistinguishable from someone who never knew it. > > > > although, if you remember pieces of it, then you do (in theory) have > > an advantage over anyone else who might try to brute-force it.... with > > the pieces that you know, and some programming, it still may not be > > feasible to crack your own password. > > Which is indistinguishable to the software; it doesn't matter, as far as > the algorithm is concerned, how much knowledge you have if you're > brute-forcing passwords. ============= all i'm saying is that (hypothetically) someone who knows that a password starts with a lowercase "abc", ends with a capital "XYZ", and has a total of 8 alpha-numeric characters, then they should be able break the password *MUCH* faster than someone who does not have that much information... they've just reduced the size of the attack from unknown, to 62^2, or just under 12 bits of attack space. on the other hand, if one party knows that the password contains the string "abc", that doesn't really help much... the password could be "abc123", or it could be "!5mZR?abc+dHu3RfEz" depending on how much information is known about the password, and how well that information can be applied to the problem via a cracking program, the information could significantly reduce the size of the password space... instead of a password that has a 0.5 chance of being cracked before the earth crashes into the sun, an attacker may have a 0.5 chance of cracking it before dinner (in this context, an attacker may be the legitimate owner of the password). ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "The more corrupt the state, the more numerous the laws." -- Tacitus (A.D. 55?-130?) From avbidder at fortytwo.ch Mon Oct 27 09:28:34 2003 From: avbidder at fortytwo.ch (Adrian von Bidder) Date: Mon Oct 27 09:26:11 2003 Subject: Options to revoke a key In-Reply-To: <20031027012050.76e9857c.root@nicolinux.de> References: <20031027012050.76e9857c.root@nicolinux.de> Message-ID: <200310270928.35042@fortytwo.ch> On Monday 27 October 2003 01:20, Stefan Nicolin wrote: > the key). I still remember fragments of my passphrase. You can then probably write a script/program to generate the possible passphrases (you probably know not only fragments, but perhaps also the general form of the parts you don't remember - where they numeric, alphanumeric, punctuation, how long were the parts etc.). So you should be able to narrow it down to a few thousand possible passphrases - then, depending on your coding skills, you can use a script that calls gpg (with --passphrase-fd; very slow) or a program that reads the secret keyring file and brute-forces it directly. RFC2440 describes the binary format of the file you get when you do --export-secret-key (Hmm. On second thought - does it really? It only deals with public keys...) cheers -- vbi -- featured link: http://fortytwo.ch/gpg/subkeys -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 331 bytes Desc: signature Url : /pipermail/attachments/20031027/ac66de66/attachment.bin From tuevsec at gmx.net Mon Oct 27 14:51:55 2003 From: tuevsec at gmx.net (Thomas Springer) Date: Mon Oct 27 14:49:45 2003 Subject: simple windows-gui for gnupg Message-ID: <3F9D22FB.7070602@gmx.net> Hi, does anybody know a simple windows-gui for gnupg that is able to change passphrase for private key? there should be no dos-box involved like it is in gpgshell! From tuevsec at gmx.net Mon Oct 27 14:58:02 2003 From: tuevsec at gmx.net (Thomas Springer) Date: Mon Oct 27 14:56:12 2003 Subject: GPGME for Windows? Message-ID: <3F9D246A.2060200@gmx.net> Hi, Has anybody yet an (even limited) Version of GPGME for Windows compiled? From wk at gnupg.org Mon Oct 27 15:07:52 2003 From: wk at gnupg.org (Werner Koch) Date: Mon Oct 27 15:06:58 2003 Subject: simple windows-gui for gnupg In-Reply-To: <3F9D22FB.7070602@gmx.net> (Thomas Springer's message of "Mon, 27 Oct 2003 14:51:55 +0100") References: <3F9D22FB.7070602@gmx.net> Message-ID: <8765iawz7r.fsf@alberti.g10code.de> On Mon, 27 Oct 2003 14:51:55 +0100, Thomas Springer said: > Hi, > does anybody know a simple windows-gui for gnupg that is able to > change passphrase for private key? www.winpt.org -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From kushwaha at netsolutionsindia.com Mon Oct 27 20:03:51 2003 From: kushwaha at netsolutionsindia.com (Abhay S. Kushwaha) Date: Mon Oct 27 15:31:30 2003 Subject: simple windows-gui for gnupg In-Reply-To: <3F9D22FB.7070602@gmx.net> References: <3F9D22FB.7070602@gmx.net> Message-ID: <20031027200351.0000064c.kushwaha@netsolutionsindia.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Thomas: On Mon, 27 Oct 2003 14:51:55 +0100, Thomas Springer wrote: > does anybody know a simple windows-gui for gnupg that is able to > change passphrase for private key? > > there should be no dos-box involved like it is in gpgshell! I'm very happy with WinPT [1]. Take the entire suite from the download page [2] and not just the WinPT Tray from the main page. [1] http://winpt.sourceforge.net/en/ [2] http://winpt.sourceforge.net/en/download.php HTH [abhay] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (MingW32) iD8DBQE/nSzPx16q9V45oEURAo2XAJ9yer1pXEO0nfGZjZGIzI5RsAD3FgCeJnfm cForOeuvSuOtoyrnQQDum+8= =jygc -----END PGP SIGNATURE----- From root at nicolinux.de Mon Oct 27 20:25:11 2003 From: root at nicolinux.de (Stefan Nicolin) Date: Mon Oct 27 19:00:14 2003 Subject: Options to revoke a key Message-ID: <20031027202511.7a5dac2c.root@nicolinux.de> >> > I still remember fragments of my passphrase. That's why I'am asking > > > for advice how to brute force recover it. > > > > Infeasibility of brute-force compromise is a goal behind the algorithms > > used to protect the key. If it were feasible to do so, we'd want to > > know about it so that it could be fixed (made infeasible) again. > > > > As far as the software is concerned, someone who has lost their > > passphrase is indistinguishable from someone who never knew it. > ==================================== > although, if you remember pieces of it, then you do (in theory) have an > advantage over anyone else who might try to brute-force it.... with the > pieces that you know, and some programming, it still may not be feasible > to crack your own password. I thaugt of using a dictonary file (filled with the fragments that I still remember and other common words). The only missing part is that I don't know how to really accomplish the "cracking" task. Running gpg --edit-key and revoking the key where I am prompted for the passphrase is not that practicable to put in a loop and try every combination based of my custom dictonary.... > something else of relevance, that i found in the man page, is: > --desig-revoke > Generate a designated revocation certificate for a key. This > allows a user (with the permission of the keyholder) to > revoke someone else's key. > and... > addrevoker > Add a designated revoker. This takes one optional > argument: "sensitive". If a designated revoker is > marked as sensitive, it will not be exported by > default (see export-options). > > i haven't played with them, but they may be worth looking into if one has > a trusted friend/partner who is less likely than oneself to lose the keys. Hm - tried it. Gpg tells me that I didn't found any revocation keys for the given ID. [...] > conventional wisdom says you should never write down a password, but with > reasonable precautions it might be better to have a copy you can get to. > check out the password links (towards the bottom) that i've collected at - > http://smasher.suspicious.org/open/ > > also, an expiration date on keys let's them die on their own if they're > not maintained... i'm keeping my keys good for 12-24 months at a time... > when the expiration date hits 12 months, i'll add another 12 months to > them. i figure it's easier to update (or force people to update) a key > that expires at a later date, than an earlier date. Thanks for your advice - that's what I've done with the new key. > ...atom Stefan > _______________________________________________ > PGP key - http://smasher.suspicious.org/pgp.txt > 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 > ------------------------------------------------- > "Fighting crime by building more jails is like > fighting cancer by building more cemeteries." > -- Paul Kelly From twoaday at freakmail.de Mon Oct 27 19:09:21 2003 From: twoaday at freakmail.de (Timo Schulz) Date: Mon Oct 27 19:16:25 2003 Subject: GPGME for Windows? In-Reply-To: <3F9D246A.2060200@gmx.net> References: <3F9D246A.2060200@gmx.net> Message-ID: <20031027180921.GB919@daredevil.joesixpack.net> On Mon Oct 27 2003; 14:58, Thomas Springer wrote: > Has anybody yet an (even limited) Version of GPGME for Windows > compiled? WinPT includes a modified version, crafted for the Windows use. It is called MyGPGME. The new WinPt source provides the code as a static lib. Maybe this is useful for you. I plan to release a 0.9.x version (binary+code) very soon. Timo -- Windows Privacy Tools "Alles auf einmal tun wollen zerst?rt alles (http://winpt.sourceforge.net) auf einmal." -- Georg Christoph Lichtenberg OpenPGP KeyID 0xBF3DF9B4 From atom-gpg at suspicious.org Mon Oct 27 10:34:30 2003 From: atom-gpg at suspicious.org (Atom 'Smasher') Date: Mon Oct 27 19:32:08 2003 Subject: Options to revoke a key In-Reply-To: <20031027202511.7a5dac2c.root@nicolinux.de> References: <20031027202511.7a5dac2c.root@nicolinux.de> Message-ID: > I thaugt of using a dictonary file (filled with the fragments that I still remember > and other common words). > The only missing part is that I don't know how to really accomplish the "cracking" task. > Running gpg --edit-key and revoking the key where I am prompted for the > passphrase is not that practicable to put in a loop and try every combination > based of my custom dictonary.... ==================== a proper cracking app will bypass gpg, and work directly with your keyring (or an exported key?). after you crack it, you can then access it, so a revocation may not be necessary, if you choose to just write down and/or change the password. ...atom _______________________________________________ PGP key - http://smasher.suspicious.org/pgp.txt 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3 ------------------------------------------------- "Don't fight it son. Confess quickly! If you hold out too long you could jeopardize your credit rating." -- Brazil From abhayk at netsolutionsindia.com Mon Oct 27 19:58:07 2003 From: abhayk at netsolutionsindia.com (Abhay S. Kushwaha) Date: Tue Oct 28 11:08:37 2003 Subject: simple windows-gui for gnupg In-Reply-To: <3F9D22FB.7070602@gmx.net> References: <3F9D22FB.7070602@gmx.net> Message-ID: <20031027195807.00007862.abhayk@netsolutionsindia.com> Hi Thomas: On Mon, 27 Oct 2003 14:51:55 +0100, Thomas Springer wrote: > does anybody know a simple windows-gui for gnupg that is able to > change passphrase for private key? > > there should be no dos-box involved like it is in gpgshell! I'm very happy with WinPT [1]. Take the entire suite from the download page [2] and not just the WinPT Tray from the main page. [1] http://winpt.sourceforge.net/en/ [2] http://winpt.sourceforge.net/en/download.php HTH [abhay] -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20031027/e6de4866/attachment.bin From jayind_2002 at yahoo.com Tue Oct 28 00:00:36 2003 From: jayind_2002 at yahoo.com (J Prakash) Date: Tue Oct 28 11:08:42 2003 Subject: Is this software compatible with Mainframe OS/390? Message-ID: <20031028080036.78195.qmail@web20604.mail.yahoo.com> Hi, I would like to know whether this software is compatible with the Mainframe (OS/390)? If not what is the alternative process I can use? Thanks, Jay. --------------------------------- Do you Yahoo!? Exclusive Video Premiere - Britney Spears -------------- next part -------------- An HTML attachment was scrubbed... URL: /pipermail/attachments/20031028/8c737090/attachment.htm From wk at gnupg.org Tue Oct 28 11:33:30 2003 From: wk at gnupg.org (Werner Koch) Date: Tue Oct 28 11:32:01 2003 Subject: Is this software compatible with Mainframe OS/390? In-Reply-To: <20031028080036.78195.qmail@web20604.mail.yahoo.com> (J. Prakash's message of "Tue, 28 Oct 2003 00:00:36 -0800 (PST)") References: <20031028080036.78195.qmail@web20604.mail.yahoo.com> Message-ID: <87vfq9slc5.fsf@alberti.g10code.de> On Tue, 28 Oct 2003 00:00:36 -0800 (PST), J Prakash said: > I would like to know whether this software is compatible with the Mainframe (OS/390)? I don't think that it can be easily ported to plain MVS, frankly I removed all initial support for it due to the advance of GNU/Linux running on these machines. It should be possible to build it in the POSIX substem - the problem is that you need a source of random there - maybe a 4753 can be used for it. > If not what is the alternative process I can use? There used to be a PGP 2 port for MVS (iirc, by Harald Denker) but this is pretty much outdated and not OpenPGP compatible. Using an extra PC box for running GnuPG might be another choice for you. Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From gr at eclipsed.net Tue Oct 28 09:49:33 2003 From: gr at eclipsed.net (gabriel rosenkoetter) Date: Tue Oct 28 15:47:09 2003 Subject: Problem with Encryption of Mails In-Reply-To: References: <200310200802.13991.linux@codehelp.co.uk> Message-ID: <20031028144933.GA14469@uriel.eclipsed.net> On Fri, Oct 24, 2003 at 06:53:53PM +0200, Torsten Villnow wrote: > ... I can encrypt a file (using the file manager of WinPT) with both my > buddy's public key and my own key. That one single file I can decrypt > afterwards again, after having entered my own passphrase. The same is > possible with mails I generate. You're right, and that's certainly possible. I think you were taken too literally, but I didn't pay attention to the conversation till just now. What happens when you go through the motions you describe is that a temporary key (symmetric, I think, but I've never actually looked at GnuPG's implementation) is generated, the message enciphered with that key, the key enciphered separately with each of recipients' keys, and the whole mess sent along. > From: Neil Williams [mailto:linux@codehelp.co.uk] > Sent: Monday, October 20, 2003 9:02 AM > > When people encrypt to themselves and to the recipient it is normally a > > SEPARATE process. e.g. if I was to encrypt to you, the message > > sent to you > > would only be encrypted with your public key. A COPY of the > > message before > > encryption is then encrypted using my public key and stored in > > Sent Items - > > it never leaves my machine. The mail client handles this transparently. That's not an accurate description of what GnuPG does. (That is, viewing messages that I have composed in mutt and enciphered to more than one recipient, it is still possible to see to what recipients it was enciphered, and it is possible for those recipients to take the PGP block on my hard drive and decipher it.) Please, Neil, don't assert statements like this unless you actually know how the software works, because it really is confusing to people who don't. Torsten, it's hard to help you without knowing more about what your PGP software your communicant is using. You might investigate the compatibility options (--openpgp, --rfc1991, --pgp{2,6..8}) when decoding on your end. It's possible that it's some unnecessary option he has set on his end that would make you need to use one of these options, and if he really doesn't need it, he could probably unset it to make your life easier. If all else fails, have him encipher a message to both your key and mine (0x0cf9091a; get it from subkeys.pgp.net, please) and set that to me privately and I'll see if I can figure out what's wrong. -- gabriel rosenkoetter gr@eclipsed.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : /pipermail/attachments/20031028/254f6eca/attachment.bin From Bryan_Hunter at archway.com Wed Oct 29 11:36:45 2003 From: Bryan_Hunter at archway.com (Hunter, Bryan) Date: Wed Oct 29 17:26:56 2003 Subject: Comparison of WinPT and GPA Message-ID: <2E40FE65F46EEC40984776ED29756EE4420377@stargate1.tsdet.archway.com> Hi: Would someone please compare WinPT and GPA for a windows environment? Thank you in advance, Bryan Hunter From asier at alphyra.ie Wed Oct 29 22:00:15 2003 From: asier at alphyra.ie (Asier Urrutia) Date: Wed Oct 29 21:58:11 2003 Subject: gpg:cannot open /dev/tty: No such device or address In-Reply-To: <2E40FE65F46EEC40984776ED29756EE4420377@stargate1.tsdet.archway.com> Message-ID: Hi all, I've built a perl script in order to parse a mailbox, save attachments from emails and decrypt them. If I run the perl script from a shell... bash$ cat mailbox | mbox-parser.pl Reading passphrase from file descriptor 11 You need a passphrase to unlock the secret key for user: "GPG user (GPG user's key) " 1024-bit ELG-E key, ID D49D1DBC, created 2003-10-28 (main key ID 7724AA8E) bash$ ...it works fine. However, I am unable to get rid of the gpg passphrase output. I tried to redirect STDOUT to a log file, but doesn't make any difference. The main problem is when I pipe mail to this perl script from procmail: bash$ cat .procmailrc LOGFILE=/home/user/maillog :0 HB : user.procmail.lock * ^To:.*user@localhost.localdomain | /home/user/bin/mbox-parser.pl bash$ then, the script doesn't work due to the following error msg: gpg: Warning: using insecure memory! gpg: cannot open /dev/tty: No such device or address which looks to me that the gpg passphrase output is being sent to a terminal, but can't be found any and it fails. I'll enclose here the subroutine I'm using on the decryption, just in case somebody wants to know what I'm doing... begin------------------------------------------- sub decrypting { my $attachment = $_[0]; my $gnupg = GnuPG::Interface->new(); $gnupg->options->hash_init( armor => 1, recipients => [ 'tj-cl-testing@alphyra.ie' ] ); my ( $input, $output, $error, $passphrase_fh, $status_fh ) = ( IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), ); my $handles = GnuPG::Handles->new( stdin => $input, stdout => $output, stderr => $error, passphrase => $passphrase_fh, status => $status_fh, ); my $cipher_file = IO::File->new( "$attachment" ); my $pid = $gnupg->decrypt( handles => $handles ); print $passphrase_fh $passphrase; close $passphrase_fh; print $input $_ while <$cipher_file>; close $input; close $cipher_file; my @plaintext = <$output>; # reading the output my @error_output = <$error>; # reading the error my @status_info = <$status_fh>; # read the status info open(LOGFILE,">>$DECRLOG"); my $date = `date`; chomp($date); print LOGFILE "\n$date -- $attachment decryption logging...\n=============================\n"; print LOGFILE @error_output; print LOGFILE @status_info; close(LOGFILE); open (SAVE,">$ATTACHLOC/$ATTACHMENT.decrypted"); print SAVE @plaintext; close(SAVE); # clean up... close $output; close $error; close $status_fh; waitpid $pid, 0; # clean up the finished GnuPG process } end------------------------------------------------------ Anybody came across something like this? Thanks a million, Asier From sbutler at fchn.com Wed Oct 29 13:45:03 2003 From: sbutler at fchn.com (Steve Butler) Date: Wed Oct 29 22:44:37 2003 Subject: cannot open /dev/tty: No such device or address Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EC0533@jupiter.fchn.com> There is a similar error message when driving gpg from cron. Try the --no-tty option. -----Original Message----- From: Asier Urrutia [mailto:asier@alphyra.ie] Sent: Wednesday, October 29, 2003 1:00 PM To: gnupg-users@gnupg.org Subject: gpg:cannot open /dev/tty: No such device or address Hi all, I've built a perl script in order to parse a mailbox, save attachments from emails and decrypt them. If I run the perl script from a shell... bash$ cat mailbox | mbox-parser.pl Reading passphrase from file descriptor 11 You need a passphrase to unlock the secret key for user: "GPG user (GPG user's key) " 1024-bit ELG-E key, ID D49D1DBC, created 2003-10-28 (main key ID 7724AA8E) bash$ ...it works fine. However, I am unable to get rid of the gpg passphrase output. I tried to redirect STDOUT to a log file, but doesn't make any difference. The main problem is when I pipe mail to this perl script from procmail: bash$ cat .procmailrc LOGFILE=/home/user/maillog :0 HB : user.procmail.lock * ^To:.*user@localhost.localdomain | /home/user/bin/mbox-parser.pl bash$ then, the script doesn't work due to the following error msg: gpg: Warning: using insecure memory! gpg: cannot open /dev/tty: No such device or address which looks to me that the gpg passphrase output is being sent to a terminal, but can't be found any and it fails. I'll enclose here the subroutine I'm using on the decryption, just in case somebody wants to know what I'm doing... begin------------------------------------------- sub decrypting { my $attachment = $_[0]; my $gnupg = GnuPG::Interface->new(); $gnupg->options->hash_init( armor => 1, recipients => [ 'tj-cl-testing@alphyra.ie' ] ); my ( $input, $output, $error, $passphrase_fh, $status_fh ) = ( IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), IO::Handle->new(), ); my $handles = GnuPG::Handles->new( stdin => $input, stdout => $output, stderr => $error, passphrase => $passphrase_fh, status => $status_fh, ); my $cipher_file = IO::File->new( "$attachment" ); my $pid = $gnupg->decrypt( handles => $handles ); print $passphrase_fh $passphrase; close $passphrase_fh; print $input $_ while <$cipher_file>; close $input; close $cipher_file; my @plaintext = <$output>; # reading the output my @error_output = <$error>; # reading the error my @status_info = <$status_fh>; # read the status info open(LOGFILE,">>$DECRLOG"); my $date = `date`; chomp($date); print LOGFILE "\n$date -- $attachment decryption logging...\n=============================\n"; print LOGFILE @error_output; print LOGFILE @status_info; close(LOGFILE); open (SAVE,">$ATTACHLOC/$ATTACHMENT.decrypted"); print SAVE @plaintext; close(SAVE); # clean up... close $output; close $error; close $status_fh; waitpid $pid, 0; # clean up the finished GnuPG process } end------------------------------------------------------ Anybody came across something like this? Thanks a million, Asier _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From asier at alphyra.ie Wed Oct 29 23:22:54 2003 From: asier at alphyra.ie (Asier Urrutia) Date: Wed Oct 29 23:20:32 2003 Subject: cannot open /dev/tty: No such device or address In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EC0533@jupiter.fchn.com> Message-ID: Hi Steve, thanks for your reply. This is a perl script (not shell), so where/how can I set the "--no-tty"? On Wed, 29 Oct 2003, Steve Butler wrote: > There is a similar error message when driving gpg from cron. Try the > --no-tty option. > > -----Original Message----- > From: Asier Urrutia [mailto:asier@alphyra.ie] > Sent: Wednesday, October 29, 2003 1:00 PM > To: gnupg-users@gnupg.org > Subject: gpg:cannot open /dev/tty: No such device or address > > > Hi all, > > I've built a perl script in order to parse a mailbox, save > attachments from emails and decrypt them. If I run the perl script from a > shell... > > bash$ cat mailbox | mbox-parser.pl > Reading passphrase from file descriptor 11 > > You need a passphrase to unlock the secret key for > user: "GPG user (GPG user's key) " > 1024-bit ELG-E key, ID D49D1DBC, created 2003-10-28 (main key ID 7724AA8E) > bash$ > > ...it works fine. However, I am unable to get rid of the gpg > passphrase output. I tried to redirect STDOUT to a log file, but doesn't > make any difference. > > The main problem is when I pipe mail to this perl script from > procmail: > > bash$ cat .procmailrc > LOGFILE=/home/user/maillog > :0 HB : user.procmail.lock > * ^To:.*user@localhost.localdomain > | /home/user/bin/mbox-parser.pl > bash$ > > then, the script doesn't work due to the following error msg: > > gpg: Warning: using insecure memory! > gpg: cannot open /dev/tty: No such device or address > > which looks to me that the gpg passphrase output is being sent to > a terminal, but can't be found any and it fails. I'll enclose here the > subroutine I'm using on the decryption, just in case somebody wants to > know what I'm doing... > > begin------------------------------------------- > sub decrypting > { > > my $attachment = $_[0]; > > my $gnupg = GnuPG::Interface->new(); > > $gnupg->options->hash_init( armor => 1, > recipients => [ 'tj-cl-testing@alphyra.ie' ] > ); > > my ( $input, $output, $error, $passphrase_fh, $status_fh ) > = ( IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > ); > > my $handles = GnuPG::Handles->new( stdin => $input, > stdout => $output, > stderr => $error, > passphrase => $passphrase_fh, > status => $status_fh, > ); > > my $cipher_file = IO::File->new( "$attachment" ); > my $pid = $gnupg->decrypt( handles => $handles ); > > print $passphrase_fh $passphrase; > close $passphrase_fh; > print $input $_ while <$cipher_file>; > close $input; > close $cipher_file; > > my @plaintext = <$output>; # reading the output > my @error_output = <$error>; # reading the error > my @status_info = <$status_fh>; # read the status info > > open(LOGFILE,">>$DECRLOG"); > my $date = `date`; > chomp($date); > print LOGFILE "\n$date -- $attachment decryption > logging...\n=============================\n"; > print LOGFILE @error_output; > print LOGFILE @status_info; > close(LOGFILE); > > open (SAVE,">$ATTACHLOC/$ATTACHMENT.decrypted"); > print SAVE @plaintext; > close(SAVE); > # clean up... > close $output; > close $error; > close $status_fh; > > waitpid $pid, 0; # clean up the finished GnuPG process > > } > end------------------------------------------------------ > > > Anybody came across something like this? > > Thanks a million, > Asier > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. > -- Asier Urrutia Phone: +34 94 677 4372 Systems Administration Team Alphyra Ireland, Heather Road, Mobile: +34 690 632 839 Sandyford Ind. Est., Dublin 18 Email: asier@alphyra.ie From asier at alphyra.ie Wed Oct 29 23:28:49 2003 From: asier at alphyra.ie (Asier Urrutia) Date: Wed Oct 29 23:26:21 2003 Subject: cannot open /dev/tty: No such device or address In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EC0533@jupiter.fchn.com> Message-ID: got it, defining meta_interactive => 0 in $gnupg->options->hash_init Thanks everybody!!! On Wed, 29 Oct 2003, Steve Butler wrote: > There is a similar error message when driving gpg from cron. Try the > --no-tty option. > > -----Original Message----- > From: Asier Urrutia [mailto:asier@alphyra.ie] > Sent: Wednesday, October 29, 2003 1:00 PM > To: gnupg-users@gnupg.org > Subject: gpg:cannot open /dev/tty: No such device or address > > > Hi all, > > I've built a perl script in order to parse a mailbox, save > attachments from emails and decrypt them. If I run the perl script from a > shell... > > bash$ cat mailbox | mbox-parser.pl > Reading passphrase from file descriptor 11 > > You need a passphrase to unlock the secret key for > user: "GPG user (GPG user's key) " > 1024-bit ELG-E key, ID D49D1DBC, created 2003-10-28 (main key ID 7724AA8E) > bash$ > > ...it works fine. However, I am unable to get rid of the gpg > passphrase output. I tried to redirect STDOUT to a log file, but doesn't > make any difference. > > The main problem is when I pipe mail to this perl script from > procmail: > > bash$ cat .procmailrc > LOGFILE=/home/user/maillog > :0 HB : user.procmail.lock > * ^To:.*user@localhost.localdomain > | /home/user/bin/mbox-parser.pl > bash$ > > then, the script doesn't work due to the following error msg: > > gpg: Warning: using insecure memory! > gpg: cannot open /dev/tty: No such device or address > > which looks to me that the gpg passphrase output is being sent to > a terminal, but can't be found any and it fails. I'll enclose here the > subroutine I'm using on the decryption, just in case somebody wants to > know what I'm doing... > > begin------------------------------------------- > sub decrypting > { > > my $attachment = $_[0]; > > my $gnupg = GnuPG::Interface->new(); > > $gnupg->options->hash_init( armor => 1, > recipients => [ 'tj-cl-testing@alphyra.ie' ] > ); > > my ( $input, $output, $error, $passphrase_fh, $status_fh ) > = ( IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > IO::Handle->new(), > ); > > my $handles = GnuPG::Handles->new( stdin => $input, > stdout => $output, > stderr => $error, > passphrase => $passphrase_fh, > status => $status_fh, > ); > > my $cipher_file = IO::File->new( "$attachment" ); > my $pid = $gnupg->decrypt( handles => $handles ); > > print $passphrase_fh $passphrase; > close $passphrase_fh; > print $input $_ while <$cipher_file>; > close $input; > close $cipher_file; > > my @plaintext = <$output>; # reading the output > my @error_output = <$error>; # reading the error > my @status_info = <$status_fh>; # read the status info > > open(LOGFILE,">>$DECRLOG"); > my $date = `date`; > chomp($date); > print LOGFILE "\n$date -- $attachment decryption > logging...\n=============================\n"; > print LOGFILE @error_output; > print LOGFILE @status_info; > close(LOGFILE); > > open (SAVE,">$ATTACHLOC/$ATTACHMENT.decrypted"); > print SAVE @plaintext; > close(SAVE); > # clean up... > close $output; > close $error; > close $status_fh; > > waitpid $pid, 0; # clean up the finished GnuPG process > > } > end------------------------------------------------------ > > > Anybody came across something like this? > > Thanks a million, > Asier > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. > -- Asier Urrutia Phone: +34 94 677 4372 Systems Administration Team Alphyra Ireland, Heather Road, Mobile: +34 690 632 839 Sandyford Ind. Est., Dublin 18 Email: asier@alphyra.ie From wk at gnupg.org Thu Oct 30 09:14:11 2003 From: wk at gnupg.org (Werner Koch) Date: Thu Oct 30 09:12:10 2003 Subject: Comparison of WinPT and GPA In-Reply-To: <2E40FE65F46EEC40984776ED29756EE4420377@stargate1.tsdet.archway.com> (Bryan Hunter's message of "Wed, 29 Oct 2003 11:36:45 -0500") References: <2E40FE65F46EEC40984776ED29756EE4420377@stargate1.tsdet.archway.com> Message-ID: <871xsvjg6k.fsf@alberti.g10code.de> On Wed, 29 Oct 2003 11:36:45 -0500, Hunter, Bryan said: > Hi: > Would someone please compare WinPT and GPA for a windows environment? There is no current GPA for Windows and I don't think we will do that in the foreseeable time. WinPT has the advantage of a native Windows program, whereas GPA uses its own GUI framework (GTK+). Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From Bryan_Hunter at archway.com Thu Oct 30 17:11:04 2003 From: Bryan_Hunter at archway.com (Hunter, Bryan) Date: Thu Oct 30 23:09:09 2003 Subject: Timing test of GnuPG and old PGP Message-ID: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> Hi: A timing of a simple encryption of a large (327MB) file showed that GnuPG took 2 1/2 times longer than an old PGP program. Is this an expected typical result? This was run with the following. Windows98 SP2 WinPT 0.7.96rc1 GnuPG 1.2.1 GPG 6.0.2 Key DSA/ELG 1024/2048 Any comments or suggestions would be appreciated. Thanks, Bryan Hunter From rhkelly at myrealbox.com Thu Oct 30 23:25:12 2003 From: rhkelly at myrealbox.com (rhkelly) Date: Fri Oct 31 00:22:57 2003 Subject: Timing test of GnuPG and old PGP In-Reply-To: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> References: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> Message-ID: <3FA19DD8.4090407@myrealbox.com> Hunter, Bryan wrote: > Hi: > > A timing of a simple encryption of a large (327MB) > file showed that GnuPG took 2 1/2 times longer than > an old PGP program. Is this an expected > typical result? What is the symetrical cipher used in those two cases? (I'd guess old PGP would be 3DES, GPG would be AES...) Roger From rmalayter at bai.org Thu Oct 30 17:36:20 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Fri Oct 31 00:34:25 2003 Subject: Timing test of GnuPG and old PGP Message-ID: <792DE28E91F6EA42B4663AE761C41C2A012C3542@cliff.bai.org> > From: Hunter, Bryan > Subject: Timing test of GnuPG and old PGP > A timing of a simple encryption of a large (327MB) file > showed that GnuPG > took 2 1/2 times longer than an old PGP program. Is this an expected > typical result? Maybe. What version was the "old" PGP? What symmetric cipher did you use with each program? Perhaps GnuPG used Triple-DES, which is much slower than the IDEA and CAST algorithms that were the default in older PGP programs. You can change your kep preferences to use AES, CAST, or some other speedy cipher with GnuPG. I assume you eliminated the obvious possibilities for the slowness: other system activity, file system fragmentation, etc. Regards, Ryan From rhkelly at myrealbox.com Fri Oct 31 02:26:23 2003 From: rhkelly at myrealbox.com (rhkelly) Date: Fri Oct 31 03:23:59 2003 Subject: mailto:Gnupg-users@gnupg.org In-Reply-To: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> References: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> Message-ID: <3FA1C84F.4030401@myrealbox.com> Hunter, Bryan wrote: > > A timing of a simple encryption .... showed that GnuPG > took 2 1/2 times longer than an old PGP program. Strange... my results (on a 100MB random/binary file) are: PGP 2.6.2: 74 seconds GPG 1.0.6-2: 26 seconds BTW, a dedicated file/crypt program (burp120, blowfish) is considerably faster: 14 seconds Roger From craig at hertsweb.net Thu Oct 30 13:47:02 2003 From: craig at hertsweb.net (Craig N MacKenzie) Date: Fri Oct 31 10:27:39 2003 Subject: Can you print GPG Emails? Message-ID: <000e01c39eec$4c929090$0be3f1d4@craigxp> Hi All - a newbie question, so be gentle. Probably a simple answer I'm sure but I can't seem to find a solution. How on Earth do you print an email that has been encrypted using gpg? I'm encrypting orders from an online store which are emailed to Outlook. I decrypt using the Outlook plugin - and I can read it just fine. Trouble is - when I try to print the order for my records - it prints the encrypted version. Thanks in advance if anyone can suggest a solution. /Craig - Ware - UK From rmalayter at bai.org Fri Oct 31 09:12:04 2003 From: rmalayter at bai.org (Ryan Malayter) Date: Fri Oct 31 16:10:08 2003 Subject: Can you print GPG Emails? Message-ID: <792DE28E91F6EA42B4663AE761C41C2A012C3572@cliff.bai.org> After you decrypt the message, you must choose "file-save" from the message window to save an unencrypted version. Outlook versions prints the saved version, which is still be encrypted if you don't hit save. Another workaround, of course, is to copy the decrytped text into notepad or something similar and print from there. > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Craig N MacKenzie > Sent: Thursday, October 30, 2003 7:47 AM > To: gnupg-users@gnupg.org > Subject: Can you print GPG Emails? > > Hi All - a newbie question, so be gentle. > > Probably a simple answer I'm sure but I can't seem to find a solution. > > How on Earth do you print an email that has been encrypted using gpg? > I'm encrypting orders from an online store which are emailed > to Outlook. > I decrypt using the Outlook plugin - and I can read it just fine. > Trouble is - when I try to print the order for my records - > it prints the > encrypted version. > > Thanks in advance if anyone can suggest a solution. From dlc at users.sourceforge.net Fri Oct 31 10:55:20 2003 From: dlc at users.sourceforge.net (darren chamberlain) Date: Fri Oct 31 16:53:37 2003 Subject: Can you print GPG Emails? In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A012C3572@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2A012C3572@cliff.bai.org> Message-ID: <94850fc749f519f74623d241bebf7120ca869d45@tumbleweed.boston.com> * Ryan Malayter [2003-10-31 09:12]: > > How on Earth do you print an email that has been encrypted using > > gpg? I'm encrypting orders from an online store which are emailed > > to Outlook. > > After you decrypt the message, you must choose "file-save" from the > message window to save an unencrypted version. Outlook versions prints > the saved version, which is still be encrypted if you don't hit save. This almost defeats the purpose of the encryption, though, if you aren't careful to delete the decrypted file. > Another workaround, of course, is to copy the decrytped text into > notepad or something similar and print from there. I think this is a better option; copy the decrypted text into something that can print, print it, and then close the document without saving. (darren) -- The secret of life is enjoying the passage of time. -- James Taylor -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 269 bytes Desc: not available Url : /pipermail/attachments/20031031/2ccb81d5/attachment.bin From dave at acadaca.com Fri Oct 31 11:43:33 2003 From: dave at acadaca.com (Dave Della Costa) Date: Fri Oct 31 17:38:29 2003 Subject: help needed desperately: gpg --decrypt hanging Message-ID: <1067618613.7702.8.camel@davebox.acadacainternal.com> Hi folks, I'm working on a RedHat 7.3 system. We were having some problems importing keys into an Outlook PGP plugin yesterday, and RedHat 7.3 has 1.0.6, so I upgraded to 1.0.7 per the FAQ's instruction for getting PGP to play nicely with GPG (this didn't work by the way...PGP still couldn't handle the secret key for some reason, but let's not get into my frustration with THAT). Anyways, that's the backstory; not my main problem. Basically, at this point, I am no longer able to decrypt messages!!! This is screwing up our system, and has been a really, really frustrating thing for me--I've tried to downgrade and upgrade back and forth between 1.0.6 and 1.0.7 several times, I've deleted the .gnupg directory and replaced it with an old back .gnupg directory, I've completely wiped the .gnupg directory and re-imported every public and private key we were using by hand, nothing. I type 'gpg --decrypt,' it asks me for the password for the secret key, and then sits there, waiting for eternity. What can I do to fix this? This needed to be working yesterday, and our system can not import orders into our database (we are using the perl Crypt::GPG package in our import script, FYI). I've searched through the last year or so of the archives but I can not find anything relevant, my apologies if this is a common issue and I missed it. I kind of hope that is the case. PLEASE PLEASE PLEASE HELP!!! Thank you, Dave D. -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031031/658f3cbe/attachment.bin From seidls at schneider.com Fri Oct 31 11:01:47 2003 From: seidls at schneider.com (seidls@schneider.com) Date: Fri Oct 31 17:57:14 2003 Subject: Non-Zero return code on successful decryption? Message-ID: Hello, I have an automated script that will decrypt files that are sent to us over FTP. One file that was received today the file would decrypt without issue, but gpg would return with a non zero return code. It was verified that the file could be decrypted from the output sent to the status-fd file, and from manually decrypting the file. I am using gpg 1.2.1 on a solaris box. Does anyone know why this non-zero return code was issued?? script command gpg --options ${gpgoptfle} -o ${outputfile} <${inputfile} 2<${pass} 3> ${gpglog} script command excuted (with set -x turned on) gpg --options /opt/mailbox/scripts/gpg.options -o /opt/mailbox/fawork/pgpwork/send/FILE1~24535 0< /opt/mailbox/fawork/pgpwork/FILE1.330431088~24535 2< /opt/mailbox/etc/gpgdefaultkey + es=2 [[ 2 != 0 ]] status-fd file output [GNUPG:] ENC_TO AF7F6D910EABD565 16 0 [GNUPG:] USERID_HINT AF7F6D910EABD565 [GNUPG:] NEED_PASSPHRASE AF7F6D910EABD565 760B2E363A4E02F0 16 0 [GNUPG:] GOOD_PASSPHRASE [GNUPG:] BEGIN_DECRYPTION [GNUPG:] SIG_ID PVu4jM06Eupu96tH+Jq6t4A/gUw 2003-10-31 1067611083 [GNUPG:] GOODSIG D58B162C43D74D85 [GNUPG:] VALIDSIG DF05364B525285FB93D9347D4638BD5E 2003-10-31 1067611083 0 [GNUPG:] TRUST_FULLY [GNUPG:] DECRYPTION_OKAY [GNUPG:] END_DECRYPTION Thanks Scott Seidl Electronic Communication Services seidls@schneider.com Tel) 920-592-2163 This document, and any attachments therein, contains proprietary and confidential information that may not be disclosed without the prior written permission of Schneider National, Inc. and its subsidiaries. Unauthorized use or misuse of this information and its contents is strictly prohibited. Schneider National, Inc. vigorously protects its rights. From sbutler at fchn.com Fri Oct 31 09:47:12 2003 From: sbutler at fchn.com (Steve Butler) Date: Fri Oct 31 18:46:45 2003 Subject: help needed desperately: gpg --decrypt hanging Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> Dave, I don't use Perl but I do have a Korn shell script that works for me on a SuSE SLES Linux box. You will need to replace the 'default gpg_pass$1' routine with something that gets the passphrase for your secret key. Also replace 'default gpg_homd' with something that gets the GnuPG home directory for your box (or set the environment before running the script). # COPYRIGHT (c) 1995-2002 Stephen M. Butler dba XRG # This information may be copied, distributed and/or modified under # certain conditions, but it comes WITHOUT ANY WARRANTY. # See the Design Science License for more details # ================================================================= # # gpg_decrypt pass_id input_file output_file # Interface for edi and default routines to decrypt pgp files vi GnuPG. # # pass_id 1 or 2 to indicate which pass phrase needs to be picked up. # input_file name of file to decrypt. Includes any path # output_file name where to place output plain text file (with path) # # Note: See 'default' script for default usage. XRG_DBA=${XRG_DBA:-/usr/xrg_dba} xrgbin=$XRG_DBA/bin homedir=$($xrgbin/default gpg_home) rm -f "$3" 2>&1 1> /dev/null $xrgbin/default gpg_pass$1 \ | gpg --homedir $homedir --passphrase-fd 0 --no-tty --skip-verify \ --output "$3" --decrypt "$2" # -----Original Message----- From: Dave Della Costa [mailto:dave@acadaca.com] Sent: Friday, October 31, 2003 8:44 AM To: gnupg-users@gnupg.org Cc: jason@acadaca.com Subject: help needed desperately: gpg --decrypt hanging _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From dave at acadaca.com Fri Oct 31 13:52:04 2003 From: dave at acadaca.com (Dave Della Costa) Date: Fri Oct 31 19:47:02 2003 Subject: help needed desperately: gpg --decrypt hanging In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> Message-ID: <1067626324.7737.45.camel@davebox.acadacainternal.com> Sorry Steve, I don't think I explained the problem well enough. If I run, on the command line: gpg --decrypt Then I pass it the encrypted text to decrypt, and then I give it the password, it just hangs! It sits and sits and sits...and we get nothing. Thanks for your help! Dave On Fri, 2003-10-31 at 12:47, Steve Butler wrote: > Dave, > > I don't use Perl but I do have a Korn shell script that works for me on a > SuSE SLES Linux box. You will need to replace the 'default gpg_pass$1' > routine with something that gets the passphrase for your secret key. Also > replace 'default gpg_homd' with something that gets the GnuPG home directory > for your box (or set the environment before running the script). > > > # COPYRIGHT (c) 1995-2002 Stephen M. Butler dba XRG > # This information may be copied, distributed and/or modified under > # certain conditions, but it comes WITHOUT ANY WARRANTY. > # See the Design Science License for more details > # ================================================================= > # > # gpg_decrypt pass_id input_file output_file > # Interface for edi and default routines to decrypt pgp files vi GnuPG. > # > # pass_id 1 or 2 to indicate which pass phrase needs to be picked > up. > # input_file name of file to decrypt. Includes any path > # output_file name where to place output plain text file (with path) > # > # Note: See 'default' script for default usage. > > XRG_DBA=${XRG_DBA:-/usr/xrg_dba} > xrgbin=$XRG_DBA/bin > > homedir=$($xrgbin/default gpg_home) > > rm -f "$3" 2>&1 1> /dev/null > $xrgbin/default gpg_pass$1 \ > | gpg --homedir $homedir --passphrase-fd 0 --no-tty --skip-verify \ > --output "$3" --decrypt "$2" > # > > -----Original Message----- > From: Dave Della Costa [mailto:dave@acadaca.com] > Sent: Friday, October 31, 2003 8:44 AM > To: gnupg-users@gnupg.org > Cc: jason@acadaca.com > Subject: help needed desperately: gpg --decrypt hanging > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031031/adb6b04e/attachment.bin From sbutler at fchn.com Fri Oct 31 11:02:01 2003 From: sbutler at fchn.com (Steve Butler) Date: Fri Oct 31 20:00:35 2003 Subject: help needed desperately: gpg --decrypt hanging Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EC0547@jupiter.fchn.com> OK. Perhaps I was the brain dead one <>. Perhaps you already know this and I just didn't pick it out from the Perl script. However, the data to be encrypted and the passphrase cannot both come through STDIN (or FD 0). I would suggest that you send the passphrase through STDIN (and use the --passphrase-fd 0 command line option) and send the data to decrypt through a named pipe. Perhaps something like: mknod mydata p cat info_to_decrypt > mydata & cat my_pass_phrase | gpg --no-tty --passphrase-fd 0 --decrypt mydata > my_output_file Does that help or am I still barking up the wrong tree? --Steve -----Original Message----- From: Dave Della Costa [mailto:dave@acadaca.com] Sent: Friday, October 31, 2003 10:52 AM To: gnupg-users@gnupg.org Cc: Steve Butler; jason@acadaca.com Subject: RE: help needed desperately: gpg --decrypt hanging Sorry Steve, I don't think I explained the problem well enough. If I run, on the command line: gpg --decrypt Then I pass it the encrypted text to decrypt, and then I give it the password, it just hangs! It sits and sits and sits...and we get nothing. Thanks for your help! Dave On Fri, 2003-10-31 at 12:47, Steve Butler wrote: > Dave, > > I don't use Perl but I do have a Korn shell script that works for me on a > SuSE SLES Linux box. You will need to replace the 'default gpg_pass$1' > routine with something that gets the passphrase for your secret key. Also > replace 'default gpg_homd' with something that gets the GnuPG home directory > for your box (or set the environment before running the script). > > > # COPYRIGHT (c) 1995-2002 Stephen M. Butler dba XRG > # This information may be copied, distributed and/or modified under > # certain conditions, but it comes WITHOUT ANY WARRANTY. > # See the Design Science License for more details > # ================================================================= > # > # gpg_decrypt pass_id input_file output_file > # Interface for edi and default routines to decrypt pgp files vi GnuPG. > # > # pass_id 1 or 2 to indicate which pass phrase needs to be picked > up. > # input_file name of file to decrypt. Includes any path > # output_file name where to place output plain text file (with path) > # > # Note: See 'default' script for default usage. > > XRG_DBA=${XRG_DBA:-/usr/xrg_dba} > xrgbin=$XRG_DBA/bin > > homedir=$($xrgbin/default gpg_home) > > rm -f "$3" 2>&1 1> /dev/null > $xrgbin/default gpg_pass$1 \ > | gpg --homedir $homedir --passphrase-fd 0 --no-tty --skip-verify \ > --output "$3" --decrypt "$2" > # > > -----Original Message----- > From: Dave Della Costa [mailto:dave@acadaca.com] > Sent: Friday, October 31, 2003 8:44 AM > To: gnupg-users@gnupg.org > Cc: jason@acadaca.com > Subject: help needed desperately: gpg --decrypt hanging > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From dshaw at jabberwocky.com Fri Oct 31 14:32:23 2003 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Oct 31 20:29:59 2003 Subject: help needed desperately: gpg --decrypt hanging In-Reply-To: <1067626324.7737.45.camel@davebox.acadacainternal.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> <1067626324.7737.45.camel@davebox.acadacainternal.com> Message-ID: <20031031193223.GB11971@jabberwocky.com> On Fri, Oct 31, 2003 at 01:52:04PM -0500, Dave Della Costa wrote: > Sorry Steve, I don't think I explained the problem well enough. If I > run, on the command line: > > gpg --decrypt > > Then I pass it the encrypted text to decrypt, and then I give it the > password, it just hangs! It sits and sits and sits...and we get > nothing. First things first. If you put the data in a file, and run: gpg thefile.gpg Does it work properly? David From dave at acadaca.com Fri Oct 31 15:03:15 2003 From: dave at acadaca.com (Dave Della Costa) Date: Fri Oct 31 20:58:12 2003 Subject: help needed desperately: gpg --decrypt hanging In-Reply-To: <20031031193223.GB11971@jabberwocky.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> <1067626324.7737.45.camel@davebox.acadacainternal.com> <20031031193223.GB11971@jabberwocky.com> Message-ID: <1067630595.7747.65.camel@davebox.acadacainternal.com> Yes David, that does work--here's the body of an email I send to someone else, didn't realize I wasn't sending to the list, sorry: On Fri, 2003-10-31 at 13:53, Newton Hammet wrote: > 1. What exactly are you typing on the command line? > > gpg --decrypt > > will hang. it is waiting for input from stdin. I understand. So, I give it input--a piece of encrypted text, and it gives me this output: You need a passphrase to unlock the secret key for user: "xxxx xxxxxx " 2048-bit ELG-E key, ID XXXXXXXX, created 2002-02-18 (main key ID XXXXXXXX) Enter passphrase: I then enter the passphrase, and I see this, and nothing else, until I hit ctrl-c: gpg: encrypted with 2048-bit ELG-E key, ID E66D9B0B, created 2002-02-18 "Jason Feingold " So, I guess this is improper usage then? Why does it let me get this far, i.e. asks for a passphrase and whatnot? The other thing that is strange to me is that the Crypt::GPG package that I'm using with perl worked fine before I started messing with this stuff yesterday, now it does not. I assume this is because it is somehow using the same method to hand information to gpg for decryption, but I'm not positive. Obviously that is not a question for this list. But I'd like to verify that the usage I'm trying above is incorrect and then I'll try to figure that out. > > the following should not hang ::: > > gpg --decrypt encrypted.file > > -or- > > cat encrypted.file | gpg --decrypt You're right, these two methods *do* work. So, worse case scenario I use some shell scripting making these sorts of calls rather than the Crypt::GPG package with I'm guessing tries in the same way to decrypt as I am above. > > > Try editting the keys you have imported: > > gpg --edit-key > > where "" is a place holder for some key on key ring you know > the password to. > > See if that hangs... I was able to run gpg --edit-key on the key I've been trying to use to decrypt with, I changed the owner trust and then ctrl-c'ed out of there. So I guess that is working fine. > > just quit from that command line w/o saving any changes. > > Hope this helps. > > Let me know if you have more information or more questions. > > I know the above may be stupid questions but I always start there first. Absolutely; I understand. > > Regards, > Newton Thanks Newton. Dave On Fri, 2003-10-31 at 14:32, David Shaw wrote: > On Fri, Oct 31, 2003 at 01:52:04PM -0500, Dave Della Costa wrote: > > Sorry Steve, I don't think I explained the problem well enough. If I > > run, on the command line: > > > > gpg --decrypt > > > > Then I pass it the encrypted text to decrypt, and then I give it the > > password, it just hangs! It sits and sits and sits...and we get > > nothing. > > First things first. If you put the data in a file, and run: > gpg thefile.gpg > > Does it work properly? > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031031/16800dff/attachment.bin From dave at acadaca.com Fri Oct 31 15:06:27 2003 From: dave at acadaca.com (Dave Della Costa) Date: Fri Oct 31 21:01:25 2003 Subject: help needed desperately: gpg --decrypt hanging In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EC0547@jupiter.fchn.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC0547@jupiter.fchn.com> Message-ID: <1067630786.7747.69.camel@davebox.acadacainternal.com> Hi Steve, Yes, the Halloween bug is hitting us all here in NYC too. :) Well, the first problem is that I'm not able to use gpg from the command line, in at least one fashion (see my message to David Shaw on the list). The next issue is that Crypt::GPG (perl module) now appears to be broken, because, I'm assuming, it is using the same method to decrypt text through gpg. Of course this is not the realm of this list, but I'm hoping that if I get gpg working or at least understand why it doesn't work the way I think it should, then I'll figure out the Crypt::GPG issue...we'll see. Just to avoid restating the issue--check out the email I sent in reply to David Shaw's--that better explains what's going on. Thanks for your help, Dave On Fri, 2003-10-31 at 14:02, Steve Butler wrote: > OK. Perhaps I was the brain dead one < through the company today it could be contagious>>. > > Perhaps you already know this and I just didn't pick it out from the Perl > script. However, the data to be encrypted and the passphrase cannot both > come through STDIN (or FD 0). I would suggest that you send the passphrase > through STDIN (and use the --passphrase-fd 0 command line option) and send > the data to decrypt through a named pipe. Perhaps something like: > > mknod mydata p > cat info_to_decrypt > mydata & > cat my_pass_phrase | gpg --no-tty --passphrase-fd 0 --decrypt mydata > > my_output_file > > Does that help or am I still barking up the wrong tree? > > --Steve > > -----Original Message----- > From: Dave Della Costa [mailto:dave@acadaca.com] > Sent: Friday, October 31, 2003 10:52 AM > To: gnupg-users@gnupg.org > Cc: Steve Butler; jason@acadaca.com > Subject: RE: help needed desperately: gpg --decrypt hanging > > > Sorry Steve, I don't think I explained the problem well enough. If I > run, on the command line: > > gpg --decrypt > > Then I pass it the encrypted text to decrypt, and then I give it the > password, it just hangs! It sits and sits and sits...and we get > nothing. > > Thanks for your help! > > Dave > > > > > On Fri, 2003-10-31 at 12:47, Steve Butler wrote: > > Dave, > > > > I don't use Perl but I do have a Korn shell script that works for me on a > > SuSE SLES Linux box. You will need to replace the 'default gpg_pass$1' > > routine with something that gets the passphrase for your secret key. Also > > replace 'default gpg_homd' with something that gets the GnuPG home > directory > > for your box (or set the environment before running the script). > > > > > > # COPYRIGHT (c) 1995-2002 Stephen M. Butler dba XRG > > # This information may be copied, distributed and/or modified under > > # certain conditions, but it comes WITHOUT ANY WARRANTY. > > # See the Design Science License for more details > > # ================================================================= > > # > > # gpg_decrypt pass_id input_file output_file > > # Interface for edi and default routines to decrypt pgp files vi > GnuPG. > > # > > # pass_id 1 or 2 to indicate which pass phrase needs to be picked > > up. > > # input_file name of file to decrypt. Includes any path > > # output_file name where to place output plain text file (with path) > > # > > # Note: See 'default' script for default usage. > > > > XRG_DBA=${XRG_DBA:-/usr/xrg_dba} > > xrgbin=$XRG_DBA/bin > > > > homedir=$($xrgbin/default gpg_home) > > > > rm -f "$3" 2>&1 1> /dev/null > > $xrgbin/default gpg_pass$1 \ > > | gpg --homedir $homedir --passphrase-fd 0 --no-tty --skip-verify \ > > --output "$3" --decrypt "$2" > > # > > > > -----Original Message----- > > From: Dave Della Costa [mailto:dave@acadaca.com] > > Sent: Friday, October 31, 2003 8:44 AM > > To: gnupg-users@gnupg.org > > Cc: jason@acadaca.com > > Subject: help needed desperately: gpg --decrypt hanging > > > > > > _______________________________________________ > > Gnupg-users mailing list > > Gnupg-users@gnupg.org > > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, > is for the sole use of the intended recipient(s) and may contain > confidential and privileged information. Any unauthorized review, use, > disclosure or distribution is prohibited. If you are not the intended > recipient, please contact the sender by reply e-mail and destroy all copies > of the original message. -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031031/6b80c51a/attachment.bin From sbutler at fchn.com Fri Oct 31 12:32:31 2003 From: sbutler at fchn.com (Steve Butler) Date: Fri Oct 31 21:30:57 2003 Subject: help needed desperately: gpg --decrypt hanging Message-ID: <9A86613AB85FF346BB1321840DB42B4B01EC054B@jupiter.fchn.com> Can't help with Perl or Crypt. However, I can help with: gpg --decrypt This wants to have both the passphrase and the encrypted file come in through STDIN. The problem is that it wants to start readying the encrypted data (from STDIN) first. So, it will just sit there. If you do feed it some encrypted, it will start to read the encrypted data (to find out which key is needed to decrypt) but then need the passphrase (which you did see and entered). After that, it will need the rest of the encrypted data until it hits end-of-file (EOF). You can simulate an EOF by entering a CNTRL-D at the keyboard. But that is cumbersome. You can try that just to see if it works (using a really small encrypted file). But, you should try the below first and see if it works for you. cat try1.pgp | gpg --decrypt You need a passphrase to unlock the secret key for user: "First Choice Health Network (FCHN) " 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 (main key ID 1B32D54B) Enter passphrase: <> gpg: encrypted with 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 "First Choice Health Network (FCHN) " <> If this all works so far, then try sending the encrypted data through a named pipe: mknod mydata p cat try1.pgp > mydata & [1] 28405 gpg --no-batch --decrypt mydata You need a passphrase to unlock the secret key for user: "First Choice Health Network (FCHN) " 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 (main key ID 1B32D54B) Enter passphrase: <> gpg: encrypted with 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 "First Choice Health Network (FCHN) "t <> This should all work based on the command line. If it doesn't, then there is a problem with your gpg setup/install. If this all works, then we can tackle whatever problem is left (like sending the passphrase to FD 0 and the encrypted data via the named pipe with output going to either STLIST or a file. --Steve -----Original Message----- From: Dave Della Costa [mailto:dave@acadaca.com] Sent: Friday, October 31, 2003 12:06 PM To: Steve Butler Cc: gnupg-users@gnupg.org; jason@acadaca.com Subject: RE: help needed desperately: gpg --decrypt hanging Hi Steve, Yes, the Halloween bug is hitting us all here in NYC too. :) Well, the first problem is that I'm not able to use gpg from the command line, in at least one fashion (see my message to David Shaw on the list). The next issue is that Crypt::GPG (perl module) now appears to be broken, because, I'm assuming, it is using the same method to decrypt text through gpg. <> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From linux at codehelp.co.uk Fri Oct 31 20:41:01 2003 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Oct 31 21:38:30 2003 Subject: help needed desperately: gpg --decrypt waiting for EOF In-Reply-To: <1067626324.7737.45.camel@davebox.acadacainternal.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC0544@jupiter.fchn.com> <1067626324.7737.45.camel@davebox.acadacainternal.com> Message-ID: <200310312041.05188.linux@codehelp.co.uk> On Friday 31 Oct 2003 6:52 pm, Dave Della Costa wrote: > Sorry Steve, I don't think I explained the problem well enough. If I > run, on the command line: > > gpg --decrypt > > Then I pass it the encrypted text to decrypt, and then I give it the > password, it just hangs! It sits and sits and sits...and we get > nothing. How are you passing the encrypted text? If you use: $ gpg --decrypt then simply copy and paste the encrypted text in, then you must TELL GnuPG when the data is complete. It hasn't 'hung' it's 'waiting for input'. More precisely, it's waiting for you to say EndOfFile - EOF. This stumped me for a while (and the answer is there in the archive but not in a form you might expect). GnuPG expects the EOF to be entered as: Ctrl+D To experiment, do the following: $ gpg -a -r 58727399 -e Now enter a simple test string: testing decryption End the string with Ctrl-D GnuPG outputs a keyblock (in ascii armour because of the -a). Now copy that block to the clipboard. gpg -d Paste the contents in, enter your passphrase when prompted. Again, end the input using Ctrl-D The encrypted test string will appear on the next line. -- Neil Williams ============= http://www.codehelp.co.uk/ http://www.dclug.org.uk/ http://www.isbn.org.uk/ http://sourceforge.net/projects/isbnsearch/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: signature Url : /pipermail/attachments/20031031/94e641f9/attachment.bin From dave at acadaca.com Fri Oct 31 15:49:52 2003 From: dave at acadaca.com (Dave Della Costa) Date: Fri Oct 31 21:44:53 2003 Subject: help needed desperately: gpg --decrypt hanging In-Reply-To: <9A86613AB85FF346BB1321840DB42B4B01EC054B@jupiter.fchn.com> References: <9A86613AB85FF346BB1321840DB42B4B01EC054B@jupiter.fchn.com> Message-ID: <1067633392.7702.74.camel@davebox.acadacainternal.com> Steve, thank you so much--now I understand why I am getting the response I am getting with gpg. I will try to figure out what is up with Crypt now...again, many thanks. Dave On Fri, 2003-10-31 at 15:32, Steve Butler wrote: > Can't help with Perl or Crypt. However, I can help with: > > gpg --decrypt > > This wants to have both the passphrase and the encrypted file come in > through STDIN. The problem is that it wants to start readying the encrypted > data (from STDIN) first. So, it will just sit there. If you do feed it > some encrypted, it will start to read the encrypted data (to find out which > key is needed to decrypt) but then need the passphrase (which you did see > and entered). After that, it will need the rest of the encrypted data until > it hits end-of-file (EOF). You can simulate an EOF by entering a CNTRL-D at > the keyboard. But that is cumbersome. You can try that just to see if it > works (using a really small encrypted file). > > But, you should try the below first and see if it works for you. > > cat try1.pgp | gpg --decrypt > > You need a passphrase to unlock the secret key for > user: "First Choice Health Network (FCHN) " > 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 (main key ID 1B32D54B) > > Enter passphrase: <> > gpg: encrypted with 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 > "First Choice Health Network (FCHN) " > <> > > > If this all works so far, then try sending the encrypted data through a > named pipe: > > mknod mydata p > cat try1.pgp > mydata & > [1] 28405 > gpg --no-batch --decrypt mydata > > You need a passphrase to unlock the secret key for > user: "First Choice Health Network (FCHN) " > 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 (main key ID 1B32D54B) > > Enter passphrase: <> > gpg: encrypted with 2048-bit ELG-E key, ID 5A2CEA48, created 2001-10-16 > "First Choice Health Network (FCHN) "t > <> > > This should all work based on the command line. If it doesn't, then there > is a problem with your gpg setup/install. > > If this all works, then we can tackle whatever problem is left (like sending > the passphrase to FD 0 and the encrypted data via the named pipe with output > going to either STLIST or a file. > > --Steve > > > -----Original Message----- > From: Dave Della Costa [mailto:dave@acadaca.com] > Sent: Friday, October 31, 2003 12:06 PM > To: Steve Butler > Cc: gnupg-users@gnupg.org; jason@acadaca.com > Subject: RE: help needed desperately: gpg --decrypt hanging > > > Hi Steve, > > Yes, the Halloween bug is hitting us all here in NYC too. :) > > Well, the first problem is that I'm not able to use gpg from the command > line, in at least one fashion (see my message to David Shaw on the > list). The next issue is that Crypt::GPG (perl module) now appears to > be broken, because, I'm assuming, it is using the same method to decrypt > text through gpg. > <> > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -- Acadaca Internet Solutions 636 Broadway, Suite 516, Bell #50 New York, NY 10012 p 212.505.5885 f 212.505.5655 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20031031/01632d33/attachment.bin From abjork at runbox.no Fri Oct 31 15:20:55 2003 From: abjork at runbox.no (=?ISO-8859-1?Q?Arild_Bj=F8rk?=) Date: Mon Nov 3 11:51:28 2003 Subject: Timing test of GnuPG and old PGP In-Reply-To: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> References: <2E40FE65F46EEC40984776ED29756EE442037A@stargate1.tsdet.archway.com> Message-ID: <3FA26FC7.4050607@runbox.no> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hunter, Bryan wrote: | Hi: | | A timing of a simple encryption of a large (327MB) file showed that GnuPG | took 2 1/2 times longer than an old PGP program. Is this an expected | typical result? | | This was run with the following. | | Windows98 SP2 | WinPT 0.7.96rc1 | GnuPG 1.2.1 | GPG 6.0.2 | Key DSA/ELG 1024/2048 | | Any comments or suggestions would be appreciated. I did test my Celeron 2.0 laptop with 512 MB RAM. I encrypted a 177 MB compressed ARJ-file. Both PGP 8.03 and GPG 1.2.3-nr1 from Nullify use 3DES for my key. I encrypted the same file 3 times with each program. On average it took 1 minute and 09 seconds to encrypt the file in both GPG and PGP. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3-nr1 (Windows XP) iD8DBQE/om/Gn1hjZcCMxG0RAjXuAJ91W1KhbFxA8UX+OMKMn8jsCDThKwCfZBCl kfplKmzRJsCtL0xNVOP4VnM= =GLrV -----END PGP SIGNATURE----- From cwsiv_home1 at juno.com Fri Oct 31 20:38:38 2003 From: cwsiv_home1 at juno.com (carl w spitzer) Date: Mon Nov 3 20:46:01 2003 Subject: ggp-agent problems Message-ID: <20031103.114723.9631.0.cwsiv_home1@juno.com> gpg: gpg-agent not available this secession??????? cwsiv@linux:~> gpg-agent gpg-agent[5265]: please use the option `--daemon' to run the program in the background cwsiv@linux:~> gpg-agent --daemon GPG_AGENT_INFO=/tmp/gpg-6GVTWB/S.gpg-agent:5269:1; export GPG_AGENT_INFO; cwsiv@linux:~> ________________________________________________________________ The best thing to hit the internet in years - Juno SpeedBand! Surf the web up to FIVE TIMES FASTER! Only $14.95/ month - visit www.juno.com to sign up today!