re. Moving from PGP to GnuPG and other questions ...
Denis Green
rainman at hod.aarg.net
Thu Apr 29 08:46:43 CEST 2004
Dear Neil
Thanks for this detailed response.
>re. Moving from PGP to GnuPG and other questions ...
>Neil Williams linux at codehelp.co.uk
>Wed Apr 28 18:07:44 CEST 2004
>
>
>On Wednesday 28 April 2004 3:14, Denis Green wrote:
>> 4/
>> When I try to encrypt files using GPGtools, I get to
>> select the file(to be encrypted), but when the
>> " GPG Tools - Encrypt " window opens up, I don't see
>> any public keys in the dialog box
>
>That's because no public keys are set as trusted. If you
>have your own secret key, import both the secret and public
>key and then use --edit-key to set your own key to ultimate
>trust.
done
>GnuPG will check through the other keys in the
>keyring and will only let you encrypt to those that can be
>trusted (without using command-line options intended for
>secure environments). These will be keys that you have
>already signed or keys that are signed by people you have
>signed, etc.
>
A little confused here.
Is sign = trust? Or ...
Because when I use the "edit" function from the GPG Keys
window, I get a help list which has both sign and trust as
separate commands. Keys that I sign seem to be the ones I
am allowed to encrypt to? (Am I right there?)
>There's no sense allowing encryption of sensitive data to
>a key that cannot be trusted!
Not very sure of what you mean by trusting a key?
Is this the same as trusting the person behind that key?
Then oh no, there are a set of keys that I'd like to
encrypt to ... but I have no knowledge of the person behind
the key, either to trust them or ... NOT to trust them.
For e.g. a re-mailer key ...
I've explained my thoughts on signing later in this post.
>If you override the GnuPG
>security using '--trust-model always' or similar, you must
>still verify the key in some other manner.
>
Let's say I've got some 500 public keys on my PGP keyring.
Let's say I may end up using some 100 of these public keys
pretty regularly - like Nym keys, re-mailer keys, list
member keys, news reporters' keys etc.
Theoretically, in quite a few cases, I'm not even
expected to know who these people are and so the question
of trusting or not trusting **the person** doesn't arise.
.. and a practical question ..
-----------------------------------
How do I get to use GPG to encrypt to such keys?
Is there a command to sign all 100 keys in 1 go?
Can I choose multiple keys selectively with this command?
>Trust begins with the secret keys - those are presumably
>yours so if you have the pass-phrase, these should be set as
>ultimate trust. I tend to consider ultimate trust as only
>for keys with a usable secret key.
Ok.
Set ultimate trust to 1 of my secret keys, for starters.
>All other keys then have
>their trust calculated as starting from your ultimate keys,
>fully trusted (allowing encryption), marginally trusted
>(needing an override but still not recommended) or trust
>unknown (don't encrypt to these unless you *really* know
>what you are doing). Other trust factors like revoked and
>expired are hopefully clear in their meaning.
>
I took a sample key. Set it to fully trusted (just one
level below ultimate trust). Still I had to sign this key
before I could encrypt to this key.
...some additional questions ..
--------------------------------------
1/
I had imported all the 500+ public keys and my private
key*s* to GPG (from PGP). The process went through a 500 Y/N
sequence ... but was ultimately completed.
Then while trying to edit a key, I inadvertently deleted it
(I had signed this key earlier - to test encrypting to
this key).
Since I still had this public key on my PGP ring, I tried
importing this key from PGP (copy from clipboard - asc export
from PGP and import from GnuPG keys etc. etc.)
Here's what I get every time I try to import **just** this
key:
--------------------------------------------------------------
pub 1024D/abcdefgh.. created: 2002-06-15 expires: never
Key fingerprint = aaaa bbbb cccc dddd eeee ffff gggg hhhh iiii jjjj
abcdesfgh ... <abcder at abcder.abc>
Do you want to import this key? (y/N) y
gpg: renaming `C:/gnudirectory\pubring.gpg' to
`C:/gnudirectory\pubring.bak' failed: Permission denied
[***comment added : I have full rights to this directory. Checked the same
by creating, renaming, deleting files in the directory **]
gpg: error writing keyring `C:/gnudirectory\pubring.gpg': file rename error
gpg: key abcdefgh ..: public key "[User id not found]" imported
gpg: error reading `c:\docume~1\adminname\locals~1\temp\~gpgtray.asc': file
rename error
gpg: import from `c:\docume~1\adminname\locals~1\temp\~gpgtray.asc' failed:
file rename error
[ comment added : Tried searching for gpgtray.asc ... can't find the file
on the machine !]
gpg: Total number processed: 0
gpg: imported: 1
[comment added : Though it says 1 imported, I can't see _this_ key in GnuPG
keys]
Press any key to continue . . .
--------------------------------------------------------------
2/
I have multiple private keys. Let's say I have key pairs
a - used in office (in the full name and office e-mail id)
b - used for nym and re-mailers (with my nym address)
c - used in personal communications (with my short name
and personal address)
3/
How do I choose different private keys to sign
different public keys? For e.g. my colleague's key with
_my_private_(a), a re-mailer op's key with _my_private_(b)
and my brother's key with _my_private_(c) and so on?
4/
Don't we import public keys basically to encrypt to them
(i.e.) with an intention to use them? How else would a
public key get into my key ring? (Without me getting a
public key block and me importing it by certain willful
actions, without me searching the key servers and importing
etc.. etc..)
So why should I go through another process of signing a key?
(i.e.) Forgetting the cryptography involved behind the
process of signing, as a user, why should I do a second
action (call it signing or stamping or whatever) **after**
willfully importing a public key?
Thanks
DG
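The confusion in this thread comes from three separate things that GnuPG keeps apart: the ownertrust you assign with `--edit-key ... trust`, the signatures (certifications) you make with `--sign-key` or `--lsign-key`, and the *validity* GnuPG derives from the two, which is what decides whether a key is offered as an encryption recipient. The following Python model is an added illustration and is not code from the thread or from GnuPG itself; it reproduces the classic trust-model rules with GnuPG's default settings (marginals-needed 3, completes-needed 1, max-cert-depth 5) over a constructed keyring whose key ids ("ME", "REMAILER", ...) are placeholders. It shows why a key set to "full" ownertrust but never signed still cannot be encrypted to, why signing it with your own key (the equivalent of choosing a private key with `-u` and running `--lsign-key`) fixes that, and what `--trust-model always` bypasses.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation (illustration only)."""

ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


class Keyring:
    def __init__(self, ownertrust, signatures,
                 marginals_needed=3, completes_needed=1, max_cert_depth=5):
        # ownertrust: key_id -> level assigned with `gpg --edit-key <id>` then `trust`
        self.ownertrust = dict(ownertrust)
        # signatures: key_id -> set of key_ids that have certified (signed) it
        self.signatures = {k: set(v) for k, v in signatures.items()}
        self.marginals_needed = marginals_needed   # gpg default: 3
        self.completes_needed = completes_needed   # gpg default: 1
        self.max_cert_depth = max_cert_depth       # gpg default: 5

    def sign(self, signer, target):
        """Certify `target` with private key `signer` (like `gpg -u <signer> --lsign-key <target>`)."""
        self.signatures.setdefault(target, set()).add(signer)

    def validity(self):
        """Derive each key's validity, roughly as `gpg --check-trustdb` does."""
        keys = set(self.ownertrust) | set(self.signatures)
        for sigs in self.signatures.values():
            keys |= sigs
        valid = {k: UNKNOWN for k in keys}
        # Depth 0: your own keys (ultimate ownertrust) are valid by definition.
        for k in keys:
            if self.ownertrust.get(k) == ULTIMATE:
                valid[k] = FULL
        # Each pass lets newly valid keys act as introducers for the next depth.
        for _depth in range(self.max_cert_depth):
            changed = False
            for k in sorted(keys):
                if valid[k] == FULL:
                    continue
                completes = marginals = 0
                for signer in self.signatures.get(k, ()):
                    # Only a fully valid signer with assigned ownertrust counts.
                    if valid.get(signer) != FULL:
                        continue
                    ot = self.ownertrust.get(signer, UNKNOWN)
                    if ot in (ULTIMATE, FULL):
                        completes += 1
                    elif ot == MARGINAL:
                        marginals += 1
                if completes >= self.completes_needed or marginals >= self.marginals_needed:
                    new = FULL
                elif completes or marginals:
                    new = MARGINAL
                else:
                    new = UNKNOWN
                if new != valid[k]:
                    valid[k] = new
                    changed = True
            if not changed:
                break
        return valid

    def can_encrypt_to(self, key_id, trust_model_always=False):
        """Would gpg encrypt to this key without an override? `--trust-model always` skips the check."""
        return trust_model_always or self.validity().get(key_id) == FULL


def sample_keyring():
    """Constructed keyring (placeholder ids, not real keys) mirroring the situations in the thread."""
    ownertrust = {
        "ME": ULTIMATE,        # own secret key, set to ultimate trust
        "REMAILER": FULL,      # ownertrust raised to full, but nobody has signed it
        "ALICE": MARGINAL,
        "BOB": MARGINAL,
        "CAROL": MARGINAL,
    }
    signatures = {
        "COLLEAGUE": {"ME"},                 # signed directly by your own key
        "ALICE": {"ME"}, "BOB": {"ME"}, "CAROL": {"ME"},
        "DAVE": {"ALICE", "BOB", "CAROL"},   # three marginal introducers
        "EVE": {"ALICE"},                    # only one marginal introducer
        "FRANK": {"REMAILER"},               # signed by a key that is not itself valid
    }
    return Keyring(ownertrust, signatures)


def demo():
    """Validity before and after signing the remailer key with your own key."""
    kr = sample_keyring()
    before = kr.validity()
    kr.sign("ME", "REMAILER")   # gpg -u ME --lsign-key REMAILER
    after = kr.validity()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for key in sorted(before):
        print(f"{key:10} before={before[key]:9} after={after[key]}")
```

Ownertrust alone changes nothing here: "REMAILER" stays unknown until a valid key certifies it, and "FRANK" only becomes valid once "REMAILER" is both valid and trusted. Setting `trust_model_always=True` models `--trust-model always`, which removes the check rather than establishing any validity.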