re. Moving from PGP to GnuPG and other questions ...

Wed Apr 28 18:07:44 CEST 2004

On Wednesday 28 April 2004 3:14, Denis Green wrote:
> 4/
> When I try to encrypt files using GPGtools, I get to
> select the file(to be encrypted), but when the
> " GPG Tools - Encrypt " window opens up, I don't see
> any public keys in the dialog box

That's because no public keys are set as trusted. If you have your own secret 
key, import both the secret and public key and then use --edit-key to set 
your own key to ultimate trust. GnuPG will check through the other keys in 
the keyring and will only let you encrypt to those that can be trusted 
(without using command-line options intended for secure environments). These 
will be keys that you have already signed or keys that are signed by people 
you have signed, etc.

There's no sense allowing encryption of sensitive data to a key that cannot be 
trusted! If you override the GnuPG security using '--trust-model always' or 
similar, you must still verify the key in some other manner.

Trust begins with the secret keys - those are presumably yours so if you have 
the passphrase, these should be set as ultimate trust. I tend to consider 
ultimate trust as only for keys with a usable secret key. All other keys then 
have their trust calculated as starting from your ultimate keys, fully 
trusted (allowing encryption), marginally trusted (needing an override but 
still not recommended) or trust unknown (don't encrypt to these unless you 
*really* know what you are doing). Other trust factors like revoked and 
expired are hopefully clear in their meaning.

BTW. General question: will '--trust-model always' allow encryption to a 
revoked key? i.e. after you've imported/refreshed the key with it's 
revocation certificate. (I'd guess that it won't but haven't got any revoked 
keys to test against.)

> 5/
> What I've checked so far

If you can list keys then GPG is working. Issues about encryption are actually 
about trust.

> 9/
> How does one denote "free as in free beer" (i.e.) Software
> not requiring payment, while writing to groups like this ?

shareware, proprietary, demo, trojan (!), virus, (!) . . .
Even shareware is proprietary - you don't generally have access to the source 
code and you are not free to redistribute the program with or without 
modifications either with or without payments - there are restrictions.

> [and how to distinguish **that** from Free as in Freedom of
> Speech ? -say a version of Linux that needs payment ]

A free software program that requires payment is still free software.

Think of 'free software' as one term, not two words.

-- 

Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/

http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: signature
Url : /pipermail/attachments/20040428/9d383b45/attachment-0001.bin