re. Moving from PGP to GnuPG and other questions ...
rainman at hod.aarg.net
Thu Apr 29 08:46:43 CEST 2004
Thanks for this detailed response.
>re. Moving from PGP to GnuPG and other questions ...
>Neil Williams linux at codehelp.co.uk
>Wed Apr 28 18:07:44 CEST 2004
>On Wednesday 28 April 2004 3:14, Denis Green wrote:
>> When I try to encrypt files using GPGtools, I get to
>> select the file(to be encrypted), but when the
>> " GPG Tools - Encrypt " window opens up, I don't see
>> any public keys in the dialog box
>That's because no public keys are set as trusted. If you
>have your own secret key, import both the secret and public
>key and then use --edit-key to set your own key to ultimate
>GnuPG will check through the other keys in the
>keyring and will only let you encrypt to those that can be
>trusted (without using command-line options intended for
>secure environments). These will be keys that you have
>already signed or keys that are signed by people you have
A little confused here.
Is sign = Trust ? or
Because when I use the "edit" function from GPG Keys
window, I get a help list, which has both sign and trust as
separate commands. Keys that I sign seem to be the ones I
am allowed to encrypt to ? (am I right there ?)
>There's no sense allowing encryption of sensitive data to
>a key that cannot be trusted!
Not very sure of what you mean by trusting a key ?
Is this the same as trusting a person behind that key ?
Then Oh ! no, there a are set of keys that I'd like to
encrypt to ...but I have no knowledge of the person bend
the key, either to trust them or ... NOT to trust them
For e.g. a re-mailer key ...
I've explained my thoughts on siging, later in this post
>If you override the GnuPG
>security using '--trust-model always' or similar, you must
>still verify the key in some other manner.
Lets say I've got some 500 Public keys on my PGP keyring
Lets say I may end up using some 100 of these public keys
pretty regularly - like Nym keys, re-mailer keys, list
member keys, news reporter's keys etc.
Theoretically, in quite a few some cases, I'm not even
expected to know who these people are and so the question
of trusting or not trusting **the person** doesn't arise
.. and a practical question ..
How do I get to use GPG to encrypt to such keys ?
Is there a command to sign all 100 keys in 1 go
Can I choose multiple keys selectively with this command ?
>Trust begins with the secret keys - those are presumably
>yours so if you have the pass-phrase, these should be set as
>ultimate trust. I tend to consider ultimate trust as only
>for keys with a usable secret key.
Set ultimate trust to 1 of my secret keys , for starters
>All other keys then have
>their trust calculated as starting from your ultimate keys,
>fully trusted (allowing encryption), marginally trusted
>(needing an override but still not recommended) or trust
>unknown (don't encrypt to these unless you *really* know
>what you are doing). Other trust factors like revoked and
>expired are hopefully clear in their meaning.
I took a sample key. Set it to fully trusted (just one
level below ultimate trust). Still I had to sign this key
before I could encrypt to this key
...some additional questions ..
I had imported all the 500+ public keys and my private
key*s* to GPG (from PGP). The process went thru a 500 Y/N
sequence ... but was ultimately completed.
Then while trying to edit a key, I inadvertently deleted it
(I had signed this key earlier - to test encrypting to
Since I still had this public key on my PGP ring, I tried
importing this key from PGP (copy from clipboard - asc export
from PGP and import from GnupG keys etc. etc.]
Here's what I get every time I try to import **just** this
pub 1024D/abcdefgh.. created: 2002-06-15 expires: never
Key fingerprint = aaaa bbbb cccc dddd eeee ffff gggg hhhh iiii jjjj
abcdesfgh ... <abcder at abcder.abc>
Do you want to import this key? (y/N) y
gpg: renaming `C:/gnudirectory\pubring.gpg' to
`C:/gnudirectory\pubring.bak' failed: Permission denied
[***comment added : I have full rights to this directory. Checked the same
by creating, renaming, deleting files in the directory **]
gpg: error writing keyring `C:/gnudirectory\pubring.gpg': file rename error
gpg: key abcdefgh ..: public key "[User id not found]" imported
gpg: error reading `c:\docume~1\adminname\locals~1\temp\~gpgtray.asc': file
gpg: import from `c:\docume~1\adminname\locals~1\temp\~gpgtray.asc' failed:
file rename error
[ comment added : Tried searching for gpgtray.asc ... can't find the file
on the machine !]
gpg: Total number processed: 0
gpg: imported: 1
[comment added : Though it says 1 imported, I can't see_this_key in GuPG
Press any key to continue . . .
I have multiple private keys. Lets say I have key pars
a - used in office (in the Full name and office e mail id)
b - used for nym and re-mailers (with my nym address)
c - used in personal communications (with my short name
and personal address)
How do I choose different private_ keys to sign
different public keys ? For e.g. my colleague's key with
_my_private_(a), a re-mailer ops key with _my_private_(b)
and my brother's key with _my_private__(c) and so on ?
Don't we import public keys - basically to encrypt to them
(i.e.) with an intention to use them. How else would a
public key get into my key ring ? (without me getting a
public key block and me importing it by certain willful
actions, without me searching the key servers and importing
so why should I go through another process of signing a key ?
(i.e.) forgetting the cryptography involved behind the
process of signing, as a user, why should I do a second
action (call it signing or stamping or whatever **after**
willfully importing a public key ?
More information about the Gnupg-users