From gcs at lsc.hu Mon Nov 1 01:53:49 2004
From: gcs at lsc.hu (Laszlo 'GCS' Boszormenyi)
Date: Mon Nov 1 01:58:07 2004
Subject: validate inline signatures in mail by hand/application
Message-ID: <20041101005349.GA28868@pooh>

Hi,

I would like to develop an application which can receive mails, check if the signature on them is correct (fetch the key if necessary). My problem is that I get mails with inline signatures but without the
-----BEGIN PGP SIGNED MESSAGE-----
heading; I have only the -----BEGIN PGP SIGNATURE----- / -----END PGP SIGNATURE----- block. Mutt verifies these mails without any problem. But I can not find out how to do it from my application, even when I tried to restructure the message (remove mailer lines from the top, add the PGP header and hash). Now it is recognised by GnuPG, but the signature is said to be bad. :( Is there any library out there to help me out? GPGME looks promising, but I still have to check if that can check such mails and/or how I can reconstruct such mails?

Thanks,
Laszlo/GCS
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20041101/61a7c694/attachment.bin

From servie_tech at yahoo.com Mon Nov 1 02:17:30 2004
From: servie_tech at yahoo.com (Servie Platon)
Date: Mon Nov 1 02:14:30 2004
Subject: gpg: error loading `iconv.dll': ec=126
In-Reply-To: <41850DC5.70203@joimail.com>
Message-ID: <20041101011730.65319.qmail@web52501.mail.yahoo.com>

Thank you John, Barry and Zuki for your help, guys.

Initially, I was able to install on one Windows box running XP and got it to work with v1.2.5, then did an upgrade to v1.3.91 and it worked.

Now, when I started to work on my other desktop machine running Windows XP, wherein I installed first the v1.2.5 binary and then upgraded to v1.3.92, it showed this error.
Anyways, I will try out your suggested solution and will let you know what happens next. BTW, does the v1.3.92 tarball for Linux have the same problem when I compile it for my FC2, just like what happened with my windoze box?

Thank you very much, gnupg gurus who always help out. Appreciate your kindness and generosity.

Sincerely,
Servie

--- JOHN MOORE wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The following information should assist you in getting 1.3.92 to function:
>
> For proper internationalization you should have the GNU iconv.dll installed. For convenience we make this DLL available at:
>
> ~
> ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip (644k)
> ~
> ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip.sig
>
> Noteworthy changes in version 1.3.92 (2004-10-28)
> - -
> -------------------------------------------------
>
> ~ * Added Russian man page. Thanks to Pawel I. Shajdo.
>
> ~ * libiconv is now used to support other character sets other than
> ~ UTF-8, Latin-1,-2 and KOI8-2. The W32 version will only work
> ~ correctly when iconv.dll is installed on the system. A binary
> ~ version is available at all GNU mirror sites under libiconv.
>
> ~ * gettext for Windows has been simplified. The MO files are now
> ~ distributed UTF-8 encoded and gpg translates on the fly.
>
> This .dll needs to be placed in the same folder as your executable binaries.
>
> JOHN :)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.3.92 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBhQ3CnCmZhrerneURAha7AJwMEjP13Oucwo4bwxR6PZpZ1rmXQgCghAkt
> VLEyMil0vE5Kx4Es8tc4aXk=
> =apHw
> -----END PGP SIGNATURE-----
>

=====
Sincerely,
Servie Platon

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

From johnmoore3rd at joimail.com Mon Nov 1 04:11:49 2004
From: johnmoore3rd at joimail.com (JOHN MOORE)
Date: Mon Nov 1 04:09:04 2004
Subject: gpg: error loading `iconv.dll': ec=126
In-Reply-To: <20041101011730.65319.qmail@web52501.mail.yahoo.com>
References: <20041101011730.65319.qmail@web52501.mail.yahoo.com>
Message-ID: <4185A975.6080101@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Servie Platon wrote:
| Thank you John, Barry and Zuki for your help guys.
|
| Initially, I was able to install on one windows box
| running XP and got it to work with v 1.2.5, then did
| an upgrade to v. 1.3.91 and it worked.
|
| Now, when I started to work on my other desktop
| machine running windows xp, wherein I installed first
| v. 1.2.5 binary then upgrade to v. 1.3.92, then it
| showed this error.
|
| Anyways, I will try out your suggestion solution and
| will let you know what happens, next.

Adding the iconv.dll binary to the location where the other executable binaries are in your Windoze installation will have it up & running.

| BTW, does v. 1.3.92 tar ball for linux has the same
| problem when I compile this for my FC2 just like what
| happened with my windoze box?

No problem there...the tar.gz will install & work great without needing an additional component.

JOHN :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBhalpnCmZhrerneURAtDWAJsF/OayBlkg0Pv5Hx3qWvRuEyneGwCg+YWv
HzmIWgtbUKif0tPPWPoya0w=
=ljp8
-----END PGP SIGNATURE-----

From zuxy.meng at gmail.com Mon Nov 1 05:59:04 2004
From: zuxy.meng at gmail.com (Zuxy)
Date: Mon Nov 1 05:55:41 2004
Subject: v1.3.92 problems with The Bat!
In-Reply-To: <1219179547.20041031124242@nospam.kcoates.com>
References: <1219179547.20041031124242@nospam.kcoates.com>
Message-ID:

On Sun, 31 Oct 2004 12:42:42 -0500, Kevin Coates wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello GnuPG-Users,
>
> I installed v1.3.92 and placed the required iconv.dll in the Windows
> /System32 folder.
>
> Attempts to verify sigs using The Bat! e-mail client yield this error:
>
> gpg: conversion from `utf-8' to `CP0' not available

gpg might not be able to determine the current locale when called from The Bat! Maybe you should switch to Mozilla Thundermail?

--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6

From jharris at widomaker.com Mon Nov 1 06:26:28 2004
From: jharris at widomaker.com (Jason Harris)
Date: Mon Nov 1 06:23:21 2004
Subject: new (2004-10-31) keyanalyze results (+sigcheck)
Message-ID: <20041101052627.GA3782@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2004-10-31/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

7231603cee957bc5a6e3d8b8fa028668e553a976 10712862 preprocess.keys
b057bf4fc2aefd7f43aa6c27ca6aa554483cd9f7 6932388 othersets.txt
71daf70373146696ee6705967f3f2a4896aa6ef3 2774094 msd-sorted.txt
b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html
bead24c46179e971b3f0a50e63449a2c2db25c26 2289 keyring_stats
d23b22e4c4af3e0e3a642d907ebd8754c483f41b 1089657 msd-sorted.txt.bz2
ab3fcaf3d756b5db2d5220d1d167d5c21540c7b7 2202957 msd.txt
480b0f6c5bea1387c4a0513a3515eba69ffbc828 26 other.txt
5c85798727c11d0af6d8bd318d918c54aa076862 1486205 othersets.txt.bz2
8352357634eb835f771e80435cf706854213be6c 4332603 preprocess.keys.bz2
61af732703cb1e2b3ceba7eb90c166afb8e9331b 10480 status.txt
6ab499b9ea1c68c9a2db54483d10bf59d5499e8c 211786 top1000table.html
3016b7c092b9a999c36e951774814959e8d09a90 30646 top1000table.html.gz
999cee1a25445e37dec9b6366486cbfc072b5700 10984 top50table.html
8359c663be29fe5170e2c6404f9a10dda966183b 2414 D3/D39DA0E3

--
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20041101/2145c3db/attachment.bin

From johnmoore3rd at joimail.com Mon Nov 1 21:22:49 2004
From: johnmoore3rd at joimail.com (JOHN MOORE)
Date: Mon Nov 1 21:19:28 2004
Subject: 1.3.92 w/GPG Shell 3.23
Message-ID: <41869B19.1060509@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Having changed to 1.3.92 I have seen the change when using my MUA (T-Bird), but whenever I use the Tray tool the version still shows 1.3.91. A check of the Environmental Information also indicates that GPG Shell reads my version as 1.3.91.

Has anyone else experienced this?

JOHN :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBhpsNnCmZhrerneURAiLIAKDkfkKE8qxsR7ymXgFL+yOt7oOg9wCgzVGS
eKtGu1sdBq019dACILJOPL8=
=oZE0
-----END PGP SIGNATURE-----

From jharris at widomaker.com Mon Nov 1 22:10:36 2004
From: jharris at widomaker.com (Jason Harris)
Date: Mon Nov 1 22:07:19 2004
Subject: validate inline signatures in mail by hand/application
In-Reply-To: <20041101005349.GA28868@pooh>
References: <20041101005349.GA28868@pooh>
Message-ID: <20041101211036.GC3782@wilma.widomaker.com>

On Mon, Nov 01, 2004 at 01:53:49AM +0100, Laszlo 'GCS' Boszormenyi wrote:

> I would like to develop an application which can receive mails, check
> if the signature on them is correct (fetch the key if necessary).
> My problem is that I get mails with inline signatures but without the
> -----BEGIN PGP SIGNED MESSAGE-----
> heading, I have only the -----BEGIN PGP SIGNATURE----- / -----END PGP
> SIGNATURE----- block. Mutt verifies these mails without any problem. But
> I can not find out how to do it from my application even when I tried to
> restructure the message (remove mailer lines from the top, add the PGP
> header and hash). Now it is recognised by GnuPG, but the signature said
> to be bad. :( Is there any library out there to help me out? GPGME looks
> promising, but I still have to check if that can check such mails and/or
> how can I reconstruct such mails?

See ./code/gvv and gvv.asc on my website (URL below). It works for many cases of single-part mails without other attachments. Kyle (0x2A94C484) sent me a patch months ago to handle multipart messages, IIRC, but I haven't done anything with it yet.

Use "gvv -k" to keep the message parts, and compare them with mutt's version when they disagree on the signature status. I use FreeBSD's chflags(1) in a script I temporarily rename to gpg to keep mutt from unlink()ing its temporary files. "cd /tmp" and "chflags uchg $*" is all the "gpg" script does.

Beyond that, ask: "What would mutt do?" :)

--
Jason Harris          | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20041101/63eea785/attachment.bin

From mail at mark-kirchner.de Mon Nov 1 23:23:39 2004
From: mail at mark-kirchner.de (Mark Kirchner)
Date: Mon Nov 1 23:21:21 2004
Subject: v1.3.92 problems with The Bat!
In-Reply-To: <1219179547.20041031124242@nospam.kcoates.com>
References: <1219179547.20041031124242@nospam.kcoates.com>
Message-ID: <1293513206.20041101232339@mark-kirchner.de>

Hi,

On Sunday, October 31, 2004, 6:42:42 PM, Kevin wrote:
> Attempts to verify sigs using The Bat! e-mail client yield this error:
>
> gpg: conversion from `utf-8' to `CP0' not available

Yes, same thing here. My guess is that "The Bat!" is telling gpg that it uses the (non-existent, I think) charset "CP0". gpg calls iconv.dll to perform this conversion, but iconv.dll obviously fails. But this is a very, very wild guess; it might be completely off.

Regards,
Mark Kirchner

--
_____________________________________________________________
Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc

From wk at gnupg.org Tue Nov 2 10:53:53 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 2 16:50:12 2004
Subject: iconv.dll ??
In-Reply-To: <41831E53.3060205@comcast.net> (John Clizbe's message of "Fri, 29 Oct 2004 23:53:39 -0500")
References: <4182FEFB.50401@joimail.com> <41831E53.3060205@comcast.net>
Message-ID: <87sm7sefv2.fsf@wheatstone.g10code.de>

On Fri, 29 Oct 2004 23:53:39 -0500, John Clizbe said:

> http://prdownloads.sourceforge.net/gettext/libiconv-1.9.1.bin.woe32.zip?download

There is also a smaller package with just the DLL and a short readme available at ftp.gnupg.org/gcrypt/binary/ (note that this is not the alpha/binary/) - it's the same DLL but lacks all the other non-required stuff.

The DLL is loaded at runtime and thus there is no hard dependency on it. A missing DLL will merely lead to wrongly displayed characters. I am already considering adding built-in support for the commonly used CP850 so that at least for Western Europe the DLL is not needed.

Werner

From wk at gnupg.org Tue Nov 2 10:59:10 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 2 16:50:23 2004
Subject: v1.3.92 problems with The Bat!
In-Reply-To: <1293513206.20041101232339@mark-kirchner.de> (Mark Kirchner's message of "Mon, 1 Nov 2004 23:23:39 +0100")
References: <1219179547.20041031124242@nospam.kcoates.com> <1293513206.20041101232339@mark-kirchner.de>
Message-ID: <87oeigefm9.fsf@wheatstone.g10code.de>

On Mon, 1 Nov 2004 23:23:39 +0100, Mark Kirchner said:

> But this is a very, very wild guess, it might be completely off.

gpg uses GetConsoleOutputCP to determine the CP - here we get for some reason 0 back, which is not documented in my W32 API specs. Not sure what the frontend does, but given that WinPT, Outlgpg and other tools don't have any problem I guess it should be solved on the frontend side.

Workaround is to use --charset something, which overrides the auto-detection.

Werner

From wk at gnupg.org Thu Nov 4 09:21:35 2004
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 4 09:24:25 2004
Subject: When to lock page under WinNT?
In-Reply-To: (zuxy.meng@gmail.com's message of "Sun, 31 Oct 2004 23:48:10 +0800")
References: <87vfd4dmfk.fsf@wheatstone.g10code.de>
Message-ID: <877jp23tyo.fsf@wheatstone.g10code.de>

On Sun, 31 Oct 2004 23:48:10 +0800, Zuxy said:

> if (!VirtualLock (addr, len)) {

As said several times: VirtualLock does not do what you think it does. Frankly, according to POSIX, even mlock is not required to avoid swapping out pages.

Shalom-Salam,

Werner

From erpo41 at hotpop.com Fri Nov 5 04:39:31 2004
From: erpo41 at hotpop.com (Erpo)
Date: Fri Nov 5 04:37:32 2004
Subject: Should I use S/MIME?
Message-ID: <1099625971.1335.12.camel@andry>

Hello all,

I just upgraded to Evolution 2.0.2 and there's a new option in the Security menu to "S/MIME Sign" my mail. Should I use it? I'd like to help spread Free crypto as widely as possible, so it seems like increasing compatibility by providing an additional signature would be a good idea (more signature types == more compatibility == more ease of use == more people using crypto).
However, I don't want to promote a standard that's closed or patented. What's the consensus in the GPG community?

--
Erpo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : /pipermail/attachments/20041104/dda8bf0e/attachment.bin

From Simon.Richter at in.tum.de Thu Nov 4 18:34:21 2004
From: Simon.Richter at in.tum.de (Simon.Richter@in.tum.de)
Date: Fri Nov 5 08:18:30 2004
Subject: SmartCard as subkey?
Message-ID: <20041104183421.A22474@sunhalle105.informatik.tu-muenchen.de>

Hi,

I just got a PPC-Card OpenPGP smart card, and am wondering how to use the keys on the card as subkeys to my regular DSA key. As an added complication, I don't have a smartcard reader in the boxen I consider trustworthy enough to hold my master key. Is there a way I can generate a key in the uni, get the private key stub that references the card to my other box and import it as a public/secret subkey?

Simon

From wk at gnupg.org Fri Nov 5 11:15:25 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 5 11:19:40 2004
Subject: SmartCard as subkey?
In-Reply-To: <20041104183421.A22474@sunhalle105.informatik.tu-muenchen.de> (Simon Richter's message of "Thu, 4 Nov 2004 18:34:21 +0100")
References: <20041104183421.A22474@sunhalle105.informatik.tu-muenchen.de>
Message-ID: <87mzxwzjnm.fsf@wheatstone.g10code.de>

On Thu, 4 Nov 2004 18:34:21 +0100, Simon Richter said:

> I don't have a smartcard reader in the boxen I consider trustworthy enough
> to hold my master key. Is there a way I can generate a key in the uni, get

You don't need to trust the smartcard reader; the reader can't get any sensitive information out of the card, and snooping the PIN is usually of minor interest. However, to create just a subkey you need to have the primary key available, and that should only be done on a trusted machine.
If you have such a box, just enter the usual key edit menu and use "addcardkey".

Werner

From wk at gnupg.org Fri Nov 5 11:18:44 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 5 11:19:51 2004
Subject: Should I use S/MIME?
In-Reply-To: <1099625971.1335.12.camel@andry> (erpo41@hotpop.com's message of "Thu, 04 Nov 2004 19:39:31 -0800")
References: <1099625971.1335.12.camel@andry>
Message-ID: <87is8kzji3.fsf@wheatstone.g10code.de>

On Thu, 04 Nov 2004 19:39:31 -0800, Erpo said:

> What's the consensus in the GPG community?

Technically both standards are not that different and can be implemented in a secure way. However, getting the S/MIME (i.e. X.509) infrastructure right is something virtually nobody has yet achieved. OpenPGP is a proven and usable standard, and people who really care about things have been using PGP and OpenPGP for more than a decade.

Salam-Shalom,

Werner

From amilivojevic at pbl.ca Fri Nov 5 16:40:23 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Fri Nov 5 16:38:10 2004
Subject: Should I use S/MIME?
In-Reply-To: <1099625971.1335.12.camel@andry>
References: <1099625971.1335.12.camel@andry>
Message-ID: <418B9EE7.6070602@pbl.ca>

Erpo wrote:
> Hello all,
>
> I just upgraded to Evolution 2.0.2 and there's a new option in the
> Security menu to "S/MIME Sign" my mail. Should I use it?

Well, the main problem I have with S/MIME is the trust relationship that you are forced to use if you want it to just work "out-of-the-box". You, and all your correspondents, need to buy certificates (or get one for free from Thawte, but there are some gotchas about those free ones). So basically, instead of choosing who you trust, you are forced to trust commercial entities such as Verisign, GlobalSign, and a whole bunch of others that are installed as certification authorities in your mail client. Actually, virtually all S/MIME capable mail clients are set up to trust them automatically. It is not all that hard to buy a falsified certificate from most of them.
For example, some time ago there was an incident when Verisign sold some certificates to somebody pretending to be Microsoft Corp, that could be used for code signing. Who knows how many falsified ones were sold to less known names.

Now, the question is, why would you trust any of those corporations? Because everybody else trusts them? Because you are told you should trust them? Neither is a good reason.

On the other hand, with OpenPGP, you are forced to build your trust relationships yourself. Personally, I find the web model of OpenPGP more secure and flexible than the hierarchical X.509 model.

Of course, you could also generate and use self-signed certificates. But then, you are losing all the advantages of the X.509 model. Plus, other people can't sign your certificate (as they can an OpenPGP key), so it makes it even less useful.

You can even create your own CA. But then, your correspondents would have to trust this CA and that you made it secure (so that nobody can break into your machine, steal the CA keys, and falsify certificates with them).

On the technical side, I never liked the fact that an S/MIME signature contains the certificate (public key signed by the CA) needed to verify the signature as part of it. It makes S/MIME signatures huge in comparison to an OpenPGP signature, and most of the time they are a waste of bandwidth and disk space (you pretty soon end up with virtually thousands of useless copies of other people's certificates stored in your mail folders). On one hand, this is a nice feature. You don't need to obtain your correspondent's certificate beforehand. You simply extract it from the S/MIME signature, check the CA signature on the certificate, and use that certificate to verify the signature on the email. Works nicely if you buy a certificate from a trusted CA. Doesn't work at all in all other cases. On the other hand, as I said, you end up wasting your disk space. Try signing a one-line email with S/MIME and with OpenPGP, look at the message source, and see the huge difference in size.
--
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7

From johnmoore3rd at joimail.com Fri Nov 5 19:33:42 2004
From: johnmoore3rd at joimail.com (JOHN MOORE)
Date: Fri Nov 5 19:30:49 2004
Subject: Should I use S/MIME?
In-Reply-To: <418B9EE7.6070602@pbl.ca>
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca>
Message-ID: <418BC786.8010401@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you truly wish to use S/MIME I highly recommend CAcert as a source to obtain a Free Certificate. You will also need to download their Root Certificate into your Certificate Manager as they are not Universally supplied with most software. In order to establish Trust you will need to meet with Assurers to prove your identity. (This is also true with Thawte & the others.) However, since the vast majority of CAcert Notaries are also PGP/GnuPG users, getting your Key signed at the same time is no problem. CAcert will also sign your PGP Key as well, indicating the level of attained trust.

JOHN :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBi8eCnCmZhrerneURAjWkAKDJiswSetX3iMON6+AMftoQKppD8gCfSoqg
3W+CXZ1UymfpVeAcA1mUIvI=
=Yy78
-----END PGP SIGNATURE-----

From wk at gnupg.org Fri Nov 5 21:59:48 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 5 21:59:29 2004
Subject: Should I use S/MIME?
In-Reply-To: <418B9EE7.6070602@pbl.ca> (Aleksandar Milivojevic's message of "Fri, 05 Nov 2004 09:40:23 -0600")
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca>
Message-ID: <87ekj8vwor.fsf@wheatstone.g10code.de>

On Fri, 05 Nov 2004 09:40:23 -0600, Aleksandar Milivojevic said:

> On the technical side, I never liked the fact that S/MIME signature
> contains certificate (public key signed by CA) needed to verify
> signature as part of it.
> It makes S/MIME signatures huge in

To be frank, that is not a technical requirement but common use, because there is no other way to get the required certificates. That is all due to the X.500 design of having a unique global hierarchical directory system - which will fortunately never become reality.

The real technical problem with X.509 is the incompatibility: There is a standard and dozens of incompatible profiles to interpret the standard - as well as hundreds of implementations with their own interpretation of the implemented profile. To solve that, the committees added new features and requirements to the standard/profile/implementation to fix the problems. With OpenPGP there are only a few implementations and the developers actually talk to each other.

OpenPGP solves the trust problem the easy way: It does not enforce any semantics, it just provides the technical means to implement whatever you like.

Salam-Shalom,

Werner

From jas at extundo.com Sat Nov 6 00:14:36 2004
From: jas at extundo.com (Simon Josefsson)
Date: Sat Nov 6 00:11:17 2004
Subject: Should I use S/MIME?
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca> <418BC786.8010401__15900.5303671167$1099679887$gmane$org@joimail.com>
Message-ID:

JOHN MOORE writes:

> If you truly wish to use S/MIME I highly recommend CAcert as a source to
> obtain a Free Certificate.

To give an alternative view, I'd recommend against CAcert. Initially I thought their service was a good idea, but when I signed up for a certificate, they asked me for lots of personal details that I don't feel comfortable giving out to some unknown organization.

If someone knows of a public X.509 CA that issues you a certificate if you prove possession of a private key and an email address, I am interested and would recommend it to others. Heck, even one that gives you a certificate and a private key if you prove possession of an email address would suffice.
Perhaps PGP keyservers could issue X.509 certificates for their users; they have the email address and public key.

Thanks,
Simon

From alexander.babkin at ge.com Fri Nov 5 22:34:33 2004
From: alexander.babkin at ge.com (Babkin, Alexander (GE Consumer Finance, consultant))
Date: Sun Nov 7 11:37:30 2004
Subject: Unusable key
Message-ID: <7730B3FE2184A5499A4A8601F598BB1B0A87430A@ALPMLVEM01.e2k.ad.ge.com>

I have imported a public key and checked the fingerprint. The key import and fingerprint show no problems. Using edit-key I set the trust to u/u. But when I try to encrypt a file I get the following:

xtrace line 11: gpg --quiet --output /loyalty/GEMMA/out/test.csv.gpg --encrypt --recipient jlennan@gemmacom.com /loyalty/GEMMA/out/test.csv
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: jlennan@gemmacom.com: skipped: unusable public key
gpg: /loyalty/GEMMA/out/test.csv: encryption failed: unusable public key
xtrace line 11: exit

I would appreciate any help in solving this problem.

Regards,

Alexander Babkin
Sr. Consultant
Satyam, Shelton
Work: 203-944-6171
Mobile: 203-524-5025

From atom at suspicious.org Sun Nov 7 20:19:41 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Sun Nov 7 20:16:38 2004
Subject: Unusable key
In-Reply-To: <7730B3FE2184A5499A4A8601F598BB1B0A87430A@ALPMLVEM01.e2k.ad.ge.com>
References: <7730B3FE2184A5499A4A8601F598BB1B0A87430A@ALPMLVEM01.e2k.ad.ge.com>
Message-ID: <20041107191955.15762.qmail@suspicious.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 5 Nov 2004, Babkin, Alexander \(GE Consumer Finance, consultant\) wrote:

> I have imported public key and checked the finger print. The key import
> and fingerprint show no problems. Using edit-key I set the trust to u/u.
> But when I try to encrypt file I get the following:
>
> xtrace line 11: gpg --quiet --output /loyalty/GEMMA/out/test.csv.gpg
> --encrypt --recipient jlennan@gemmacom.com /loyalty/GEMMA/out/test.csv
> gpg: WARNING: using insecure memory! gpg: please see
> http://www.gnupg.org/faq.html for more information gpg:
> jlennan@gemmacom.com: skipped: unusable public key gpg:
> /loyalty/GEMMA/out/test.csv: encryption failed: unusable public key
> xtrace line 11: exit
>
> I would appreciate any help in solving this problem.
=================

does the key have an encryption subkey?

is the (sub)key expired or revoked?

what happens if you try "--encrypt-to" instead of "--encrypt"?

- --
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

Hofstadter's law: Any computer project will take twice as long as you think it will even when you take into account Hofstadter's law.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBjnVSAAoJEAx/d+cTpVciiboIALw4BhxhApw+4aoRdA9lA7cG
ZNWUARNRuLcUMHsX2UYrYJgmbGAItqqP4I2++eRsn7B7bzoAJeOVOy/n+F7hQmvr
Ieibgy4Up+v6c8Vw4lfGiBb/B44SzmG6vzrM2omHWeOpNchXGSkN6Fsv/VqutgOw
mqLd0VyiUm5srgvwOv4t3Fi2lTzZSviAAv6EVJcvxAFHtG/EXtOF1vU3RR52faP9
3Y11X/C4YnkwXUX8IukeypD/gnNNssAGAd38AkP0uOjnTi+UAiEAvrwOb6vAUpiv
BB5esrPZNUZRlhfKTvr6pGBED6jBlOzyswySRL5mYBcqlPS7CkB8uhkA76NFZOA=
=/WFU
-----END PGP SIGNATURE-----

From mwood at IUPUI.Edu Mon Nov 8 14:02:08 2004
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Mon Nov 8 13:58:47 2004
Subject: Should I use S/MIME?
In-Reply-To:
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca> <418BC786.8010401__15900.5303671167$1099679887$gmane$org@joimail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not prepared to address the original question, but some of the responses are dancing around an issue which, in my opinion, is too little discussed.

On Sat, 6 Nov 2004, Simon Josefsson wrote:
[snip]
> If someone knows of a public X.509 CA that issue you a certificate if
> you prove possession of a private key and an email address, I am
> interested and would recommend it to others. Heck, even one that give
> you a certificate and a private key if you prove possession of an
> email address would suffice.

Whether that is a good idea or not depends on what you (as the sender, *or* as the recipient) want an identity document to mean. If it's good enough to be able to strongly suggest that the sender of message A and the sender of message B are the same (possibly unknown) person, then these essentially anonymous certificates should suffice. If, on the other hand, someone wishes to identify the sender of a message with some entity or event outside the realm of e-mail (and there are legitimate reasons to do so) then more investigation is needed to bind the certificate to that other identity.

I wouldn't give much weight to the word of a CA which depends on e.g. AOL to supply real-world identity checking. I don't know what the ISPs do to identify people, beyond assuring themselves that the checks are bankable. I'd accept such a certificate as usefully meaningful if I received it physically from a known individual described by the certificate.

(Yes, I'm well aware that my own PGP key is as yet signed only by me. I'm still looking for a way to find someone *known to me* who also uses PGP, and meanwhile it at least allows me to tell people personally that they should discount messages appearing to emanate from me which are not signed.)

- --
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFBj25Us/NR4JuTKG8RAiALAJ9vygAJritjTD9r2U1RkVuLDzO/agCgohZ8
dK4f/C8GMf9ktspSRzGsWJ0=
=4rzC
-----END PGP SIGNATURE-----

From jas at extundo.com Mon Nov 8 15:10:56 2004
From: jas at extundo.com (Simon Josefsson)
Date: Mon Nov 8 15:07:41 2004
Subject: Should I use S/MIME?
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca> <418BC786.8010401__15900.5303671167$1099679887$gmane$org@joimail.com>
Message-ID:

"Mark H. Wood" writes:

> On Sat, 6 Nov 2004, Simon Josefsson wrote:
> [snip]
>> If someone knows of a public X.509 CA that issue you a certificate if
>> you prove possession of a private key and an email address, I am
>> interested and would recommend it to others. Heck, even one that give
>> you a certificate and a private key if you prove possession of an
>> email address would suffice.
>
> Whether that is a good idea or not depends on what you (as the sender,
> *or* as the recipient) want an identity document to mean. If it's good
> enough to be able to strongly suggest that the sender of message A and the
> sender of message B are the same (possibly unknown) person, then these
> essentially anonymous certificates should suffice. If, on the other hand,
> someone wishes to identify the sender of a message with some entity or
> event outside the realm of e-mail (and there are legitimate reasons to do
> so) then more investigation is needed to bind the certificate to that
> other identity.

Right, I agree. However, in the case of CAcert, it seems suspect to give out privacy-critical information to someone you don't have a paper contract with. CAcert tries to suggest that their service provides a strong binding of the certificate and the real person, but it really doesn't.
They only seem to verify the e-mail <-> certificate binding. I think it would give a better impression of a service to only ask for personal information that they actually verify, than to ask for personal information just because they think they need it.

Btw, someone suggested www.trustcenter.de as an example of a CA I asked for above. I enrolled for a certificate, they asked me for my personal name, e-mail address and gender, and I got a certificate. Nice work, even though it could be improved by making the personal name and gender optional. Of course, giving out TLS web server certificates for free would also be useful.

From wk at gnupg.org Mon Nov 8 16:07:26 2004
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 8 16:09:45 2004
Subject: SmartCard as subkey?
In-Reply-To: <20041108143723.GA18478@sunhalle104.informatik.tu-muenchen.de> (Simon Richter's message of "Mon, 8 Nov 2004 15:37:23 +0100")
References: <20041104183421.A22474@sunhalle105.informatik.tu-muenchen.de> <87mzxwzjnm.fsf@wheatstone.g10code.de> <20041108143723.GA18478@sunhalle104.informatik.tu-muenchen.de>
Message-ID: <87k6swfkgh.fsf@wheatstone.g10code.de>

On Mon, 8 Nov 2004 15:37:23 +0100, Simon Richter said:

> then allow me to enter my PIN securely (takes over display and keyboard,
> blinks "Secure PIN entry" LED, sends the PIN to the card and returns. Is
> something like this supported in GPG already?

I have a CPR532 here and it works. What's missing is a way to tell the upper layers that there is a PINPAD reader available and that it should just pop up an informational window while the reader is expecting a PIN.

> Also, would the following property names be acceptable:

Seems so. In gpg we use different names and put some values into one return line, see app-openpgp.c:do_getattr.

> Maybe it would be good to add a --export-secret-stubs command that exports
> only master key stubs and all valid subkeys that do not contain private
> key info?

Good point, will add such a feature.
> Also, the "General key info" now shows the keyid of the first subkey. Is
> there a way I can make it show the master key?

Should be no problem.

> And, last but not least, the "login" field is specified as "proprietary".
> Are there already any uses for this (I could, for example, add login
> functionality into the Sun OCF driver, but would not really like to
> conflict with existing implementations here)?

Suggested use is: Everything up to the first LF is used as an account name, the second line is currently used for optional flags which are not yet used (app-openpgp.c:parse_login_data). The next spec of the card will feature a couple of arbitrary data fields, some of them protected by PINs. The account name is for example useful to be displayed in a pinentry if a card has been inserted for login; the flags might be used to allow login/access only with the card using a known PIN.

Salam-Shalom,

Werner

From johnmoore3rd at joimail.com Mon Nov 8 17:14:06 2004
From: johnmoore3rd at joimail.com (JOHN MOORE)
Date: Mon Nov 8 17:11:31 2004
Subject: Should I use S/MIME?
In-Reply-To:
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca> <418BC786.8010401__15900.5303671167$1099679887$gmane$org@joimail.com>
Message-ID: <418F9B4E.9050909@joimail.com>

Simon Josefsson wrote:
| "Mark H. Wood" writes:
|
|
|>On Sat, 6 Nov 2004, Simon Josefsson wrote:
|>[snip]
|>
|>>If someone knows of a public X.509 CA that issues you a certificate if
|>>you prove possession of a private key and an email address, I am
|>>interested and would recommend it to others. Heck, even one that gives
|>>you a certificate and a private key if you prove possession of an
|>>email address would suffice.
|>
|>Whether that is a good idea or not depends on what you (as the sender,
|>*or* as the recipient) want an identity document to mean.
|>If it's good
|>enough to be able to strongly suggest that the sender of message A and the
|>sender of message B are the same (possibly unknown) person, then these
|>essentially anonymous certificates should suffice. If, on the other hand,
|>someone wishes to identify the sender of a message with some entity or
|>event outside the realm of e-mail (and there are legitimate reasons to do
|>so) then more investigation is needed to bind the certificate to that
|>other identity.
|
|
| Right, I agree.
|
| However, in the case of CACert, it seems suspect to give out privacy
| critical information to someone you don't have a paper contract with.
| CACert tries to suggest that their service provides a strong binding of
| the certificate and the real person, but it really doesn't. They only
| seem to verify the e-mail <-> certificate binding. I think it would
| give a better impression of a service to only ask for personal
| information that they actually verify, than to ask for personal
| information just because they think they need it.
|
| Btw, someone suggested www.trustcenter.de as an example of a CA I
| asked for above. I enrolled for a certificate, they asked me for my
| personal name, e-mail address and gender, and I got a certificate.
| Nice work, even though it could be improved by making the personal
| name and gender optional. Of course, giving out TLS web server
| certificates for free would also be useful.
|

However it must be pointed out that with CAcert (and Thawte) the only way to have your Name appear on the Certificate is to physically have your identity verified by another Member or Members (called Assurers) who then sign your key vouching for the validity. The only personal information they ask/require is some government issued number which you can produce to an Assurer later to confirm you are the same individual.

A simple email address is easy to Spoof!
It's hardly "proof of identity" and neither CAcert nor Thawte truly cares if you "make up" a number for ID purposes; however, without a way to "prove" that number is yours you'll never get enough Assurance Points to have your Name placed upon the certificate. Think of it as having a Bill of Sale notarized for future proof that you did sign the contract.

JOHN :)

From walter at torres.ws Tue Nov 9 05:59:14 2004
From: walter at torres.ws (Walter Torres)
Date: Tue Nov 9 05:55:48 2004
Subject: OK, here goes trouble... re c:\gnupg
Message-ID: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com>

I have read the archives. I've done key word searches. I've been reading and googling for almost a week. I think I can ask this now without people throwing "RTFM" at me. Unless they also throw a URL with it! ;)

The file README.W32 contains the following:

  4. If you did not use the default directory "c:\gnupg", you should enter
     a string with the directory into the Registry under the key:

       \\HKEY_CURRENT_USER\Software\GNU\GnuPG\HomeDir

Now, this is my issue. Registry keys.

I have been working for over a year on finding gnu-type apps and configuring them to work on my windows machine (almost) as if they were on Linux. I'm almost there! Almost.

I have Apache (with SSL), Perl, mod_perl, SSL, SSH, PHP, Python, CVS (with SSH), MySQL (almost with SSL), and some 160+ other unix command line executables running. (Still can't find a MAN for windows that I can figure out how to configure. It gets to my 'HOME' issue.)

All without a single registry setting. All without a single file on the C: drive or in the WINDOWS directory. Nothing. Nowhere. All within the standard Linux file structure (with limits.
Not everything is in the Linux file structure. I'm not that crazy.) (Details at web.torres.ws/dev/php/walters_way)

So now I've turned my sights on GnuPG for windows.

I do have GnuPG running. But it has a registry setting. It breaks my paradigm.

I need to make one request (and I've read that it has been made before, many times) to *add* (don't want to break anything) the ability to look for an ENV VAR labeled 'HOME' and use that if the registry key is not found.

I've read the requests. I've read the (half-hearted) replies.

Now, I will admit I know nothing on the working of GnuPG. I have no idea what the limitations are on how it operates in Windows. But based upon what I do know about windows development and restrictions and conditions, I know that windows apps can (and do) look for and use ENV VARs.

So please, I'm begging some enterprising person to open the source, find where it looks for the reg key, do a conditional branch and look for an ENV VAR labeled HOME (it has to be that because my CVS and SSH use it, and I really don't see a need for a second ENV VAR with a different label with the same definition) if the reg key does not exist, and then go on its merry way.

As far as I can tell GnuPG only uses 2 keys. One to tell it where the .gnupg file is and the other for context menu de/encryption (and that has to stay in the registry, I'm not that fanatical.)

So, now the flames can begin. (I got flamed pretty bad over on the CVS lists on this topic.)

BTW: I saw someone request that the config and keys live in the standard windows path for users' personal directories. Please no. Please. That directory is buried so deep, backing it up is a pain. I threw out a good SSH (and SFTP and SCP) client for that very reason. They saw no validity to not having their .ssh files anywhere but the standard windows location. So be it. Their choice, and mine.

Anyway. Anyone game?
Walter

================================================================
To announce that there must be no criticism of the President, or that we are to stand by the President, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public.
- Theodore Roosevelt, 1918
26th President of the United States 1901-1909

From erpo41 at hotpop.com Tue Nov 9 07:35:44 2004
From: erpo41 at hotpop.com (Erpo)
Date: Tue Nov 9 07:33:32 2004
Subject: Should I use S/MIME?
In-Reply-To:
References: <1099625971.1335.12.camel@andry> <418B9EE7.6070602@pbl.ca> <418BC786.8010401__15900.5303671167$1099679887$gmane$org@joimail.com>
Message-ID: <1099982144.1593.3.camel@andry>

It sounds like the consensus is that the technology itself isn't evil, but the requirement of having a certificate provided by a certificate authority places too much control in the hands of one entity, which could be bad for various reasons. I think I'll stick to straight gpg. Thanks to all who responded and helped inform me. :)

From wk at gnupg.org Tue Nov 9 09:25:53 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 9 09:29:29 2004
Subject: OK, here goes trouble...
re c:\gnupg
In-Reply-To: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> (Walter Torres's message of "Mon, 8 Nov 2004 22:59:14 -0600 (CST)")
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com>
Message-ID: <878y9be8dq.fsf@wheatstone.g10code.de>

On Mon, 8 Nov 2004 22:59:14 -0600 (CST), Walter Torres said:

> So please, I'm begging some enterprising person to open the source, find
> where it looks for the reg key, do a conditional branch and look for an
> ENV VAR labeled HOME (it has to be that because my CVS and SSH use it, and
> I really don't see a need for a second ENV VAR with a different label with
> the same definition) if the reg key does not exist, and then go on its
> merry way.

Many years ago GnuPG used to use the GNUPGHOME environment variable the same way as it does under Unix. People complained about this because it seemed to be too hard to set an environment variable under Windows at that time. They convinced me that the proper way under Windows is to make use of the registry. So I did.

Now people want to have the GNUPGHOME back and it should take precedence over the registry setting - or should it be only used if the registry entry is missing? The workaround of using a wrapper with --homedir %GNUPGHOME% seems to be not sufficient either.

You are asking for support of HOME if GNUPGHOME has not been set and there is no registry setting. This seems to be easy to implement - but: The usual home directory of gnupg is $HOME/.gnupg and AFAIK file names starting with a dot are troublesome under some Windows versions.

I now lean toward using GNUPGHOME with precedence over the registry entry. However it will make it harder for us to analyze bug reports.

Any other comments?

Werner

From richtesi at informatik.tu-muenchen.de Mon Nov 8 15:37:23 2004
From: richtesi at informatik.tu-muenchen.de (Simon Richter)
Date: Tue Nov 9 13:57:50 2004
Subject: SmartCard as subkey?
In-Reply-To: <87mzxwzjnm.fsf@wheatstone.g10code.de>
References: <20041104183421.A22474@sunhalle105.informatik.tu-muenchen.de> <87mzxwzjnm.fsf@wheatstone.g10code.de>
Message-ID: <20041108143723.GA18478@sunhalle104.informatik.tu-muenchen.de>

Hi,

> > I don't have a smartcard reader in the boxen I consider trustworthy enough
> > to hold my master key. Is there a way I can generate a key in the uni, get

> You don't need to trust the smartcard reader; the reader can't get any
> sensitive information out of the card and snooping the PIN is usually
> of minor interest.

Hrm, if I understood the Sun smart card framework correctly, I can write a Java class and give that (as root) to the smartcard handling daemon which will then allow me to enter my PIN securely (takes over display and keyboard, blinks "Secure PIN entry" LED, sends the PIN to the card and returns. Is something like this supported in GPG already?

Also, would the following property names be acceptable:

  version          Version (ro)
  manufacturer     Manufacturer (ro)
  serial           Serial number (ro)
  name             Name of cardholder
  language         Language prefs
  sex              Sex
  url              URL of public key
  login            Login data
  pin1             PIN 1 (wo)
  pin2             PIN 2 (wo)
  pin3             PIN 3 (wo)
  pin1len          PIN 1 Maximum length (ro)
  pin2len          PIN 2 Maximum length (ro)
  pin3len          PIN 3 Maximum length (ro)
  pin1cnt          PIN 1 Retry counter (ro)
  pin2cnt          PIN 2 Retry counter (ro)
  pin3cnt          PIN 3 Retry counter (ro)
  sigcount         Signature counter (ro)
  sigfingerprint   Signature key fingerprint (ro)
  encfingerprint   Encryption key fingerprint (ro)
  authfingerprint  Authentication key fingerprint (ro)

> However, to create just subkey you need to have the primary key
> available and that should only be done on a trusted machine. If you
> have such a box, just enter the usual key edit menu and use
> "addcardkey".

Done that now, but it was a major hassle to get a useful "secret" key (stub master key, redirect-to-card subkeys) to the machines in the uni as I needed to strip the old, "real" subkeys off.
Maybe it would be good to add a --export-secret-stubs command that exports only master key stubs and all valid subkeys that do not contain private key info?

Also, the "General key info" now shows the keyid of the first subkey. Is there a way I can make it show the master key?

And, last but not least, the "login" field is specified as "proprietary". Are there already any uses for this (I could, for example, add login functionality into the Sun OCF driver, but would not really like to conflict with existing implementations here)?

Simon (who signs this message with the card now)

From mwood at IUPUI.Edu Tue Nov 9 14:19:19 2004
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Tue Nov 9 14:32:19 2004
Subject: OK, here goes trouble... re c:\gnupg
In-Reply-To: <878y9be8dq.fsf@wheatstone.g10code.de>
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de>
Message-ID:

On Tue, 9 Nov 2004, Werner Koch wrote:
[snip some history]
> I now lean toward using GNUPGHOME with precedence over the registry
> entry. However it will make it harder for us to analyze bug reports.

The difficulty arises because some people want the MS Windows version to work like every other MS Windows application, and some want it to work like every Unix application. Your proposed behavior is probably the best compromise between these two irreconcilable desires.

The default user-settings directory can *and should* be dependent on the OS, because the conventions are different. On Unix-alikes it should be $HOME/.gnupg, and on MS Windows it should be %ApplicationData%/gnupg/gnupg (the first "gnupg" is the "vendor" and the second the product).
The product should not be installing itself directly off the root of the file system. A product using an active installer should ask the user where to install itself, and the default should be %ProgramFiles%\vendor\product . Further, no per-user data should *ever* be stored there, unless the user insists; user settings go in the profile, as indicated above, unless the user says otherwise. (OTOH I usually try to keep layered products *off* of %SystemDrive% and complain bitterly when the installer doesn't let me change the install path.)

(I've shown the environment variables ApplicationData and ProgramFiles, but those paths should actually be fetched using the appropriate Shell APIs. Microsoft say that the variable names may be localized, but the API argument constants won't change.)

On MS Windows an executable can discover the path from which it was run, and that's probably the best way for the product to find its installed location. There's also a Registry key AppPaths somewhere in which the path should be stored if other applications need to find yours.

I may be arguing for a lot of stuff that's already been done, because I only use GnuPG on Linux and haven't seen the MS Windows deployment. But I do develop stuff for MS Windows [hangs head in shame] and the above is the way that MS Windows fans will expect things to work. People who want things to work as in Unix should IMHO use Unix, but sometimes one can't, so some *optional* accommodations for that situation would be a great kindness.

--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Open-source executable: $0.00. Source: $0.00 Control: priceless!
From walter at torres.ws Tue Nov 9 16:24:30 2004
From: walter at torres.ws (Walter Torres)
Date: Tue Nov 9 16:21:01 2004
Subject: OK, here goes trouble... re c:\gnupg
In-Reply-To: <878y9be8dq.fsf@wheatstone.g10code.de>
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de>
Message-ID: <31732.38.115.154.129.1100013870.squirrel@mail.braverock.com>

> Now people want to have the GNUPGHOME back...

Just can't keep people happy! ;)

> and it should take precedence over the registry setting - or should
> it be only used if the registry entry is missing?

I prefer the latter, because it does not break Windows methodology and thinking, as well as GPG windows legacy. For those in the windows world, the reg key fits and they understand and expect it. Also, I've found some GUI apps that expect this key as primary source.

For those of us (poor souls) that have a foot in each camp, having the ENV VAR work if the key is not there works because us Linux folks understand and expect ENV VARs.

> You are asking for support of HOME if GNUPGHOME has not been set and
> there is no registry setting.

Now that is a nice compromise.

Precedence search:
  1) reg key
  2) GNUPGHOME
  3) HOME

#1 for Windows folks and legacy.
#2 for those with only GnuPG and limited "linux" tools.
#3 for those stubborn fools that try to have their cake and eat it too!

> This seems to be easy to implement - but:

uh - oh

> The usual home directory of gnupg is $HOME/.gnupg and AFAIK file
> names starting with a dot are troublesome under some Windows versions.

Well, that is true. The windows explorer will NOT let you create a directory that begins with a PERIOD. But that's OK, because the command line will.
And since this "feature" is for us hopeless (and lost) Linux fools, that works.

> I now lean toward using GNUPGHOME with precedence over the registry
> entry.

OK, Precedence search:
  1) GNUPGHOME
  2) reg key
  3) HOME

> However it will make it harder for us to analyze bug reports.

Now that I have no leg to stand on. This is very important but I can give no voice to this.

Lastly, I wish to give my gratitude for this thoughtful conversation on this topic. Too many times I've been rebuffed out of hand.

Walter

From walter at torres.ws Tue Nov 9 16:35:05 2004
From: walter at torres.ws (Walter Torres)
Date: Tue Nov 9 16:31:34 2004
Subject: OK, here goes trouble... re c:\gnupg
In-Reply-To:
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de>
Message-ID: <33848.38.115.154.129.1100014505.squirrel@mail.braverock.com>

Mark H. Wood added:

> The difficulty arises because some people want the MS Windows version
> to work like every other MS Windows application, and some want it to
> work like every Unix application. Your proposed behavior is probably
> the best compromise between these two irreconcilable desires.

I hope so.

> The default user-settings directory can *and should* be dependent on the
> OS, because the conventions are different. On Unix-alikes it should be
> $HOME/.gnupg, and on MS Windows it should be %ApplicationData%/gnupg/gnupg
> (the first "gnupg" is the "vendor" and the second the product).

Absolutely, but...

> On MS Windows an executable can discover the path from which it was run,

And this Windows "feature" is an argument many use to demand that the GnuPG config sit in the directory that GnuPG.exe sits in, not "some other directory". I expected this behaviour when I began working with GnuPG. But I got over it. ;)

> ... People who want things to work as in Unix should IMHO use Unix,

A very common attitude...

> but sometimes one can't,

So true, some of us have to work for Palpatine, even if indirectly.
> so some *optional* accommodations

Yes, *optional* is the key word.

> for that situation would be a great kindness.

Yes, "great kindness".

Walter

From cedar at 3web.net Tue Nov 9 16:45:32 2004
From: cedar at 3web.net (C. D. Rok)
Date: Tue Nov 9 16:42:34 2004
Subject: OK, here goes trouble... re c:\gnupg
In-Reply-To:
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de>
Message-ID: <4190E61C.5040304@3web.net>

Mark H. Wood wrote (in a very sensible post):

> The difficulty arises because some people want the MS Windows version to
> work like every other MS Windows application, and some want it to work
> like every Unix application...

And (only slightly expanding on the topic) some people want it "medium-centric", not "computer-centric"; i.e., they want to run gpg off removable medium, with no permanent footprint (or droppings) on the computer it is running on. There are many arguments - some have been visited on this list before - why this might or might not be a prudent way to use gpg. But I propose that such use is becoming more and more common (think of home and work computers...) and I propose that the excellent developers of an excellent product should listen to a growing segment of their user base.

cheers, C. Rok.

From wk at gnupg.org Tue Nov 9 17:35:17 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 9 17:39:34 2004
Subject: w32 installation paths (was: OK, here goes trouble... re c:\gnupg)
In-Reply-To: (Mark H. Wood's message of "Tue, 9 Nov 2004 08:19:19 -0500 (EST)")
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de>
Message-ID: <874qjz56be.fsf_-_@wheatstone.g10code.de>

On Tue, 9 Nov 2004 08:19:19 -0500 (EST), Mark H Wood said:

> The difficulty arises because some people want the MS Windows version to
> work like every other MS Windows application, and some want it to work
> like every Unix application.
> Your proposed behavior is probably the best

For a Unix like environment, using a Cygwin version of gpg is probably best because it will better play together with other Unix tools.

> OS, because the conventions are different. On Unix-alikes it should be
> $HOME/.gnupg, and on MS Windows it should be %ApplicationData%/gnupg/gnupg
> (the first "gnupg" is the "vendor" and the second the product).

So what you are saying is that we should not use the registry to locate the home directory but to use an environment variable instead. Just checked it on W2000: Running a shell does not show "ApplicationData" but only "APPDATA" - does this depend on the Windows versions? What about W98 and such; I guess they don't define these variables at all?

> where to install itself, and the default should be
> %ProgramFiles%\vendor\product . Further, no per-user data should *ever*
> be stored there, unless the user insists; user settings go in the profile,

Okay. ProgramFiles is available.

> as indicated above, unless the user says otherwise. (OTOH I usually try
> to keep layered products *off* of %SystemDrive% and complain bitterly when
> the installer doesn't let me change the install path.)

Noted, for a future installer based package.

> (I've shown the environment variables ApplicationData and ProgramFiles,
> but those paths should actually be fetched using the appropriate Shell
> APIs. Microsoft say that the variable names may be localized, but the API
> argument constants won't change.)

I see, any hints on the function name for this? I guess that function needs to be dlopened to allow running under W98 etc.

> On MS Windows an executable can discover the path from which it was run,
> and that's probably the best way for the product to find its installed
> location. There's also a Registry key AppPaths somewhere in which the

You mean an installer should locate an existing installation by running "gpg --version" and figure out its path? Makes sense to me.
> path should be stored if other applications need to find yours.

Does that mean we should add a key AppPath to the registry entry for GnuPG, like:

  [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
  "HomeDir"="C:\\GnuPG"
  "gpgProgram"="C:\\GnuPG\\gpg.exe"
  "AppPath"="C"\\GnuPG\\"

> I may be arguing for a lot of stuff that's already been done, because I
> only use GnuPG on Linux and haven't seen the MS Windows deployment. But I

I have virtually no experience with Windows administration so appreciate any hints.

To sum up how things should work:

1. Installation:

   gpg and the other executables should be installed in %ProgramFiles%\GNU\GnuPG\ unless an existing gpg.exe has been found or the user requested a different directory.

   A Registry entry

     [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
     "gpgProgram"="%ProgramFiles%\\GNU=GnuPG\\gpg.exe"
     "AppPath"="%ProgramFiles%\\GNU\\GnuPG\\"

   will be created. The question is whether %ProgramFile% is to be used or the expanded value. IIRC, W98 does not support the expansion.

   Question: Just entering "gpg" on the command line won't work then because it is not listed in the PATH environment variable. What is the usual way to fix this?

2. Runtime

   When gpg has been started it needs to locate its home directory. The following algorithm will be used:

     if option --homedir given
        use that
     else if env var GNUPGHOME set
        use that
     else if "HKEY_CURRENT_USER\\Software\\GNU\\GnuPG\\HomeDir" set
        use that
     else if env var %ApplicationData% set
        use %ApplicationData%\\GNU\GnuPG\
     else
        use c:\\gnupg   -- old default

   This is not compatible with old versions but 1.4 is a new major release and thus some changes are possible.

Any comments?

Werner

From wk at gnupg.org Tue Nov 9 18:15:48 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 9 18:19:30 2004
Subject: OK, here goes trouble...
re c:\gnupg
In-Reply-To: <31732.38.115.154.129.1100013870.squirrel@mail.braverock.com> (Walter Torres's message of "Tue, 9 Nov 2004 09:24:30 -0600 (CST)")
References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com> <878y9be8dq.fsf@wheatstone.g10code.de> <31732.38.115.154.129.1100013870.squirrel@mail.braverock.com>
Message-ID: <87ekj33pvf.fsf@wheatstone.g10code.de>

On Tue, 9 Nov 2004 09:24:30 -0600 (CST), Walter Torres said:

> Well, that is true. The windows explorer will NOT let you create a
> directory that begins with a PERIOD. But that's OK, because the command
> line will. And since this "feature" is for us hopeless (and lost) Linux
> fools, that works.

What about W98 or more general FAT file systems? IIRC, it was not possible to create such a directory using the System call or the command line. Using "gnupg" instead of ".gnupg" will work - would that be acceptable?

> OK, Precedence search:
> 1) GNUPGHOME
> 2) reg key
> 3) HOME

See also my other posting, which would turn the above into

  1) GNUPGHOME
  2) reg key
  3) %ApplicationData%...
  4) HOME

> Lastly, I wish to give my gratitude for this thoughtful conversation on
> this topic. Too many times I've been rebuffed out of hand.

Coincidentally Timo and I started to talk about a better directory usage a few days ago.

Salam-Shalom,

Werner

From johanw at vulcan.xs4all.nl Tue Nov 9 21:06:19 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue Nov 9 21:01:43 2004
Subject: w32 installation paths (was: OK, here goes trouble... re c:\gnupg)
In-Reply-To: <874qjz56be.fsf_-_@wheatstone.g10code.de> from Werner Koch at "Nov 9, 2004 05:35:17 pm"
Message-ID: <200411092006.VAA01489@vulcan.xs4all.nl>

Werner Koch wrote:

>So what you are saying is that we should not use the registry to
>locate the home directory but to use an environment variable instead.

I think so. On Win2000, "My Documents" is a default homedir, and is also a different physical directory for each user like the Unix homedir.
A default like \My Documents\.gnupg would be usable on NT4, Win2000 and XP. For win98 I'm not sure if this works the same.

>Does that mean we should add a key AppPath to the registry entry for
>GnuPG, like:
>
>  [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
>  "HomeDir"="C:\\GnuPG"
>  "gpgProgram"="C:\\GnuPG\\gpg.exe"
>  "AppPath"="C"\\GnuPG\\"

This could be very usable for graphical shells that want to use gpg, so they can locate the binary easily.

>1. Installation:
>
>  gpg and the other executables should be installed in
>  %ProgramFiles%\GNU\GnuPG\ unless an existing gpg.exe has been
>  found or the user requested a different directory.
>
>  A Registry entry
>
>    [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG]
>    "gpgProgram"="%ProgramFiles%\\GNU=GnuPG\\gpg.exe"
>    "AppPath"="%ProgramFiles%\\GNU\\GnuPG\\"
>
>  will be created. The question is whether %ProgramFile% is to be
>  used or the expanded value. IIRC, W98 does not support the
>  expansion.
>
>  Question: Just entering "gpg" on the command line won't work then
>  because it is not listed in the PATH environment variable. What
>  is the usual way to fix this?

To look for a previously installed version? I think that most programs just check some registry entries like the gpgProgram. However, this can require some heuristics like checking the old default C:\gnupg, or even a filesearch for gpg.exe.

>Any comments?

There is one consideration I've seen more in this thread: some people, like me, want to carry gpg on removable media (a CDR in my case), to a computer at work. I don't want to store my secret keyring there locally. Sometimes users there have no rights to change the registry, and it would be nice to be able to run gpg from CDR or memory stick without requiring any changes to the local system. With the environment variables this is possible, just start gpg with a batchfile that sets the env first.

And about the remarks I read about locating the executable's starting path: I've found that this depends on the compiler.
With Borland C++ Builder, argv[0] contains the full path and executable name. With Microsoft C++, you just get the first argument typed in on the command line. So when I type "gpg", MS argv[0] = "gpg", while Borlands would be (for example) "C:\\Program Files\\GNU\\gnupg\\gpg.exe". -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ajgpgml at tesla.inka.de Tue Nov 9 22:01:55 2004 From: ajgpgml at tesla.inka.de (Andreas John) Date: Tue Nov 9 21:57:10 2004 Subject: OK, here goes trouble... re c:\gnupg References: <1322.69.208.168.4.1099976354.squirrel@mail.braverock.com><878y9be8dq.fsf@wheatstone.g10code.de><31732.38.115.154.129.1100013870.squirrel@mail.braverock.com> <87ekj33pvf.fsf@wheatstone.g10code.de> Message-ID: <008501c4c69f$626e1de0$4ca7e4d9@tesla> Hi! > What about W98 or more general FAT file systems? IIRC< it was not > possible to create such a directory using the System call or the > command line. Using "gnupg" instead of ".gnupg" will work - would > that be acceptable? As Walter said: It's no problem to "mkdir .gnupg" under Win98. It's then renamed to "gnupg~1" for the old FAT 8.3-Naming. But nevertheless I'd opt for the "special Name" because Explorer bitches around. > 1) GNUPGHOME > 2) reg key > 3) %ApplicationData%... > 3) HOME It's actually %APPDATA%, which is also present in Win98, it's introduced with InternetExplorer 4 (so Win95+MSIE4 should also work), just have a look at: SHGetSpecialFolderPath(...) using CSIDL_APPDATA. But ExpandEnvironmentStrings(...) should do as well (and without further investigation looks easier to check for "isPresent"). About the "AppPath": I think the idea was to go for: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths After you entered the full path as default-string for eg. 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\gpg.exe you can go for "start gpg" (of course if "gpg" will be found in %PATH% this preceeds the App Paths-Entry). Optionally you can add a "path"-string below the entry, which should give the path DLLs located somewhere else. Bye! From chd at chud.net Tue Nov 9 22:22:03 2004 From: chd at chud.net (Chris De Young) Date: Tue Nov 9 22:11:32 2004 Subject: Question - after decryption, carriage-control oddness? Message-ID: <20041109212202.GA10495@dionysus.chud.net> Hi, I'm having an odd, though minor, issue with certain encrypted messages... they decrypt correctly, but when I view them after decrypting (using Mutt), carriage returns are explicitly displayed, thusly: This is some^M message text^M The actual line breaks are in the correct place, and "^M" is actually a single character of course. When the same sender sends a message that is signed but not encrypted, it looks fine. The sender is using Mozilla configured to do in-line PGP: User-Agent: Mozilla Thunderbird 0.8 (X11/20040913) X-Enigmail-Version: 0.86.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime One thing I notice that might be a clue is that the message specifies the character set: -----BEGIN PGP MESSAGE----- Charset: ISO-8859-1 Version: GnuPG v1.2.6 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org [...] But... ISO-8859-1 doesn't seem like a choice that should result in any unusual weirdness. I'm using whatever Mutt defaults to under Redhat Linux on the receiving end. Has anyone run across this before and could point me in the right direction as to exactly what's happening? Thanks much! Cheers, -Chris -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20041109/365d7546/attachment.bin

From twoaday at freakmail.de Tue Nov 9 16:56:11 2004
From: twoaday at freakmail.de (Timo Schulz)
Date: Tue Nov 9 22:27:24 2004
Subject: Announcement for Outlook GPG 0.94
Message-ID: <20041109155611.GA407@daredevil.joesixpack.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

g10 Code released an update of the Outlook GPG plugin (originally
written by G-DATA). All users who have problems with their current
Outlook GPG version might want to update their files to see if this
version fixes the problems.

You can download the zip archive and the digital signature here:

ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip (99k)
ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip.sig

MD5 checksums for the files are:

9e81aafab5b14c55129a218be2893d94  outlgpg-0.94.zip
a95fa1cc0b484d3073f528627766a7e6  outlgpg-0.94.zip.sig

Noteworthy changes in version 0.94
==================================

- - Allow to parse messages generated by older mailers which use the
  application/pgp content type.

- - By default use PGP as the extension for attachments to allow easier
  PGP decryption.

That's it. g10 Code GmbH (http://www.g10code.com) of course also
provides commercial support for the plugin and other GPG components.

Timo

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkGQ5scACgkQ7UaByb89+bRL2QCgo07WFbT+CeR77mfVIo4zTJsM
uM8An131iW9ToOCw6p9sIZ9P5kki/KVX
=1/br
-----END PGP SIGNATURE-----

From dshaw at jabberwocky.com Tue Nov 9 23:14:52 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Nov 9 23:11:55 2004
Subject: Question - after decryption, carriage-control oddness?
In-Reply-To: <20041109212202.GA10495@dionysus.chud.net>
References: <20041109212202.GA10495@dionysus.chud.net>
Message-ID: <20041109221452.GA4750@jabberwocky.com>

On Tue, Nov 09, 2004 at 02:22:03PM -0700, Chris De Young wrote:
> Hi,
>
> I'm having an odd, though minor, issue with certain encrypted
> messages... they decrypt correctly, but when I view them after
> decrypting (using Mutt), carriage returns are explicitly displayed,
> thusly:
>
>   This is some^M
>   message text^M
>
> The actual line breaks are in the correct place, and "^M" is actually
> a single character of course.

The messages are being sent as binary, not as text, so there is no way
for the recipient to canonicalize line endings (LF->CR->CRLF->etc).
You need "--textmode" in your GnuPG command line.

David

From zuxy.meng at gmail.com Wed Nov 10 02:29:31 2004
From: zuxy.meng at gmail.com (Zuxy)
Date: Wed Nov 10 02:26:14 2004
Subject: Error creating backup of trustdb with 1.3.92
In-Reply-To:
References: <418FE08B.4010907@gmx.net> <20041109065106.GB336@daredevil.joesixpack.net> <4190FE57.8030807@gmx.net> <87bre63nk5.fsf@wheatstone.g10code.de> <419117E0.4070709@bpuk.net>
Message-ID:

On Tue, 09 Nov 2004 19:17:52 +0000, Barry Porter wrote:
> I get exactly the same permission denied error for pubring.bak
> There is no pubring.bak, only a pubring.tmp to which there is full
> access and no permissions issues.

Most probably you have another process that has opened pubring.gpg or
something. I got this problem only when I'm running gpgrelay or winpt.

-- 
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6

From vedaal at hush.com Wed Nov 10 18:45:10 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Wed Nov 10 18:41:47 2004
Subject: w32 installation paths
Message-ID: <200411101745.iAAHjESm037032@mailserver3.hushmail.com>

> Message: 7
> Date: Tue, 09 Nov 2004 17:35:17 +0100
> From: Werner Koch
> Subject: w32 installation paths (was: OK, here goes trouble... re
>
> I have virtually no experience with Windows administration so
> appreciate any hints. To sum up how things should work:
>
>   Question: Just entering "gpg" on the command line won't work then
>   because it is not listed in the PATH environment variable. What is
>   the usual way to fix this?

just direct the command line to the gnupg directory:

c:\ cd c:\progra~1\gnupg

(windows command lines don't allow more than 8 character directory
names, so after the 6th character, windows/dos uses a '~1')

then, when the command line says:

c:\progra~1\gnupg>

then gpg, and all other commands will work

(this is the same way that pgp2.x is still run from a floppy on windows
without installing it into the path)

a kind linux user (who occasionally posts to this list too), also
developed a way to run gnupg from a floppy without any registry entries:

http://www.torduninja.tk/

but it requires a windows file 'cmd.exe' for the floppy

since this file is already on windows systems,
it 'might' be possible to set up gnupg on windows without involving
registry entries,

but would need 'some experimentation'

vedaal

Concerned about your privacy? Follow this link to get secure FREE email:
http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

From walter at torres.ws Wed Nov 10 20:30:01 2004
From: walter at torres.ws (Walter Torres)
Date: Wed Nov 10 20:26:36 2004
Subject: w32 installation paths
In-Reply-To: <200411101745.iAAHjESm037032@mailserver3.hushmail.com>
References: <200411101745.iAAHjESm037032@mailserver3.hushmail.com>
Message-ID: <1501.38.115.154.129.1100115001.squirrel@mail.braverock.com>

>> Message: 7
>> Date: Tue, 09 Nov 2004 17:35:17 +0100
>> From: Werner Koch
>
>>   Question: Just entering "gpg" on the command line won't work
>>   then because it is not listed in the PATH environment variable.
>>   What is the usual way to fix this?
>
> just direct the command line to the gnupg directory:
>
> c:\ cd c:\progra~1\gnupg
> (windows command lines don't allow more than 8 character directory
> names, so after the 6th character, windows/dos uses a '~1')

I beg to differ: [note: no idea about 98]

NT/2k/XP will accept...

cd "C:\Program Files\gnupg\gpg.exe"

Or any other path of any length, with or without spaces. But notice, I
had to give it quote marks because of the spaces in the directory name.

> a kind linux user (who occasionally posts to this list too), also
> developed a way to run gnupg from a floppy without any registry entries:
>
> http://www.torduninja.tk/

Very nice.

I've had a few thoughts about a "portable" GPG method.

I figure, *if* the next round adds the new path "features" discussed
(which included defaulting the binary (as a last resort) to look in the
same directory as the binary for your personal config file), then the
binary, config files and your keys on your CD, or your memory stick or
floppy. Everything is self contained.

Just a theory of mine I was going to explore once this concept was
nailed down and beta-tested out.

Walter

From johanw at vulcan.xs4all.nl Wed Nov 10 22:43:31 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Nov 10 22:43:50 2004
Subject: w32 installation paths
In-Reply-To: <200411101745.iAAHjESm037032@mailserver3.hushmail.com> from "vedaal@hush.com" at "Nov 10, 2004 09:45:10 am"
Message-ID: <200411102143.WAA00856@vulcan.xs4all.nl>

vedaal@hush.com wrote:

> c:\ cd c:\progra~1\gnupg
> (windows command lines don't allow more than 8 character directory
> names,

Who told you that? On win2000/XP, with command line completion, this is
untrue. On win98 I can also use longer names, but if there's a space in
them they should be quoted: cd "Program Files".

-- 
ir. J.C.A.
Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From wk at gnupg.org Thu Nov 11 08:16:35 2004
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 11 08:19:30 2004
Subject: w32 installation paths
In-Reply-To: <200411102143.WAA00856@vulcan.xs4all.nl> (Johan Wevers's message of "Wed, 10 Nov 2004 22:43:31 +0100 (MET)")
References: <200411102143.WAA00856@vulcan.xs4all.nl>
Message-ID: <87mzxoyhws.fsf@wheatstone.g10code.de>

On Wed, 10 Nov 2004 22:43:31 +0100 (MET), Johan Wevers said:

> Who told you that? On win2000/XP, with command line completion, this is

Command line completion? How do I enable that on w2000?

Werner

From johanw at vulcan.xs4all.nl Thu Nov 11 10:30:16 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Nov 11 10:41:41 2004
Subject: w32 installation paths
In-Reply-To: <87mzxoyhws.fsf@wheatstone.g10code.de> from Werner Koch at "Nov 11, 2004 08:16:35 am"
Message-ID: <200411110930.KAA02278@vulcan.xs4all.nl>

Werner Koch wrote:

> command line completion? How do I enable that on w2000?

You find something like "CompletionChar". Default value is 0
(disabled). Change it to 9 (ASCII value of tab) to enable it.
I didn't check if other values work too. It will work immediately
in all newly started command prompts.

-- 
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From wk at gnupg.org Thu Nov 11 12:01:45 2004
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 11 12:04:28 2004
Subject: w32 installation paths
In-Reply-To: <200411110930.KAA02278@vulcan.xs4all.nl> (Johan Wevers's message of "Thu, 11 Nov 2004 10:30:16 +0100 (MET)")
References: <200411110930.KAA02278@vulcan.xs4all.nl>
Message-ID: <87oei4wsx2.fsf@wheatstone.g10code.de>

On Thu, 11 Nov 2004 10:30:16 +0100 (MET), Johan Wevers said:

> (disabled). Change it to 9 (ASCII value of tab) to enable it.
> I didn't check if other values work too. It will work immediately
> in all newly started command prompts.

Works. Cool.

Thanks,

Werner

From torduninja at netcourrier.com Thu Nov 11 17:37:37 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Thu Nov 11 17:34:10 2004
Subject: w32 installation paths
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vedaal wrote:

> Subject: Re: w32 installation paths
> To: gnupg-users@gnupg.org
>
> a kind linux user (who occasionally posts to this list too),
> also developed a way to run gnupg from a floppy without any
> registry entries:
>
> http://www.torduninja.tk/
>
> but it requires a windows file 'cmd.exe' for the floppy
>
> since this file is already on windows systems,
> it 'might' be possible to set up gnupg on windows without involving
> registry entries,
>
> but would need 'some experimentation'
>

There were two reasons I included cmd.exe (NT systems) or command.com
(all Windows systems) on the GPG TO GO floppy. The first was simply to
avoid leaving traces of their usage in the Start > Run history, but the
second reason may have some bearing on this thread.

MS-DOS assumes that all files are located in the working directory, so
if you're in A: (the floppy) it assumes everything is on the floppy and
there's no need to include the path to the files you want to encrypt or
decrypt.

However, the GnuPG home directory is an exception to this rule and you
have to specify its location in the command line even when it's on the
floppy. I assume that this exceptional behaviour is coded into the gpg
binary. I considered working on the code to change this default home
directory location to the floppy, but that wouldn't help those using
GPG TO GO on a USB stick, so I left it as it was.

One thought that occurs to me is to install the binaries and gpg.conf in
the same directory as cmd.exe (or command.com) so that gpg could pick up
locations of keyrings etc. from the configuration file (which would be
the default "home"). But this is "Windows-think" and might cause more
problems than it solves, considering gpg is designed for cross-platform
compilation and Windows is bottom of the list of priorities.

In any case, for those who have problems creating registry keys to use
GPG on work machines, GPG TO GO is a viable solution.

Salut
Maxine

> Concerned about your pr

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: GPG TO GO http://www.torduninja.tk

iD8DBQFBk5OFKBY/R6nbCcARAuVnAJsFOwY3lzBV2pe9FZ9NI49e7mWstgCdFtka
KovBLhj5Z/3zAsv6kgcLloI=
=p9aZ
-----END PGP SIGNATURE-----

-------------------------------------------------------------
NetCourrier, your virtual office on the Internet: Mail, Calendar, Clubs, Toolbar...
Web/Wap: www.netcourrier.com
Telephone/Fax: 08 92 69 00 21 (€0.34 incl. tax/min)
Minitel: 3615 NETCOURRIER (€0.16 incl. tax/min)

From wk at gnupg.org Thu Nov 11 20:10:33 2004
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 11 20:14:30 2004
Subject: w32 installation paths
In-Reply-To: (Maxine Brandt's message of "Thu, 11 Nov 2004 17:37:37 CET")
References:
Message-ID: <877josw6ae.fsf@wheatstone.g10code.de>

On Thu, 11 Nov 2004 17:37:37 CET, Maxine Brandt said:

> However, the GnuPG home directory is an exception to this rule and you have to specify its
> location in the command line even when it's on the floppy. I assume that this exceptional
> behaviour is coded into the gpg binary. I considered working on the code to change this

What is your problem using:

  a:
  gpg --homedir .

or

  a:\gpg --homedir a:\

Rename gpg.exe to something else and write a batch file named gpg.

Werner

From walter at torres.ws Thu Nov 11 20:29:07 2004
From: walter at torres.ws (Walter Torres)
Date: Thu Nov 11 20:25:44 2004
Subject: w32 installation paths
In-Reply-To:
References:
Message-ID: <62342.38.115.154.129.1100201347.squirrel@mail.braverock.com>

Maxine spoke:

> ... MS-DOS assumes that all files are located in the working directory,
> so if you're in A: (the floppy) it assumes everything is on the floppy
> and there's no need to include the path to the files you want to encrypt
> or decrypt.
>
> However, the GnuPG home directory is an exception to this rule and you
> have to specify its location in the command line even when it's on the
> floppy. I assume that this exceptional behaviour is coded into the gpg
> binary. I considered working on the code to change this default home
> directory location to the floppy, but that wouldn't help those using GPG
> TO GO on a USB stick, so I left it as it was.

OK. I lost you here.

If I have CMD/COMMAND.EXE, gnupg.exe, keys, etc. on a USB stick, how is
that different than a floppy?
> One thought that occurs to me is to install the binaries and gpg.conf in
> the same directory as cmd.exe (or command.com) so that gpg could pick up
> locations of keyrings etc. from the configuration file (which would be the
> default "home"). But this is "Windows-think" and might cause more problems
> than it solves, considering gpg is designed for cross-platform compilation
> and Windows is bottom of the list of priorities.

Yes, this is Windows speak. But then again, I don't feel that this
"segment" of users should be "ignored" (wrong word) because of that.

GPG is cross-platform, as many other (and a growing number of) Gnu apps are.

This doesn't mean that the MAKE can't be made to understand that "if
WINDOWS, do this, otherwise do 'normal'".

But then again, more and more PCs are becoming Linux, and not every Linux
install has GPG, so this GPG TO GO would be a viable option for that user
base as well.

> In any case, for those who have problems creating registry keys to use
> GPG on work machines, GPG TO GO is a viable solution.

Yes, I really like this concept.

Walter

From cedar at 3web.net Fri Nov 12 01:27:27 2004
From: cedar at 3web.net (C. D. Rok)
Date: Fri Nov 12 01:24:30 2004
Subject: w32 installation paths
In-Reply-To: <62342.38.115.154.129.1100201347.squirrel@mail.braverock.com>
References: <62342.38.115.154.129.1100201347.squirrel@mail.braverock.com>
Message-ID: <4194036F.1080304@3web.net>

>> In any case, for those who have problems creating registry keys to use
>> GPG on work machines, GPG TO GO is a viable solution.
>
> Yes, I really like this concept.

Yes, one day all software will be portable... cf.:

http://johnhaller.com/jh/mozilla/portable_thunderbird/

C.Rok

From torduninja at netcourrier.com Fri Nov 12 04:19:43 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Fri Nov 12 04:16:19 2004
Subject: w32 installation paths
Message-ID:

Werner Koch wrote:

> What is your problem using:
>
>   a:
>   gpg --homedir .
>
> or
>
>   a:\gpg --homedir a:\
>
> Rename gpg.exe to something else and write a batch file named gpg.
>
> Werner

Personally, I find no problem at all. I was simply looking for a way to
make the command line exactly the same as in regular gpg use. In fact,
your second suggestion is what is used in GPG TO GO.

Salut
Maxine

From jharris at widomaker.com Sun Nov 14 23:13:13 2004
From: jharris at widomaker.com (Jason Harris)
Date: Sun Nov 14 23:10:10 2004
Subject: new (2004-11-14) keyanalyze results (+sigcheck)
Message-ID: <20041114221313.GS3782@wilma.widomaker.com>

New keyanalyze results are available at:

  http://keyserver.kjsl.com/~jharris/ka/2004-11-14/

Signatures are now being checked using keyanalyze+sigcheck:

  http://dtype.org/~aaronl/

Earlier reports are also available, for comparison:

  http://keyserver.kjsl.com/~jharris/ka/

Even earlier monthly reports are at:

  http://dtype.org/keyanalyze/

SHA-1 hashes and sizes for all the "permanent" files:

5b759b74db9d268165598c404b67ce9536e16a59 10799298 preprocess.keys
d550de717a6e797c61bda0ca309b27184b5423ff  6966643 othersets.txt
7b97765cc2544815dfbaeaeeda98bc1955ca7fe8  2791468 msd-sorted.txt
b0f152cbac2bff77aeed70a933fec6d7ac3e7b71     1484 index.html
19664f61d33580f136808450a4f4279ed59e7295     2289 keyring_stats
12d6fc1283369007f54e3ef0de559dbeb48455ed  1097082 msd-sorted.txt.bz2
a70503947ddd531ae5d64f87ca9a20b644013fa7       26 other.txt
8c744cc6520ec5c8ff8aef9d02aec7e2e9f334e9  1494626 othersets.txt.bz2
7c1e3bfdccf2bf80bc40c89c3c6b70e55ed9757f  4363130 preprocess.keys.bz2
2ef15fa7640b48ceb6263a564bdf889ab9c861b5    10693 status.txt
24448255d88635e90fa8c9c5a8be58b4ae4c4ecb   211790 top1000table.html
5bbf4980c5fd45bbf1eddbc8993c810434c783e3    30599 top1000table.html.gz
9dcdfd8571219c322473d180b895323d5082d01e    10991 top50table.html
605cc8d62e7dd03b24227438cbd30b3386b00ff7     2414 D3/D39DA0E3

-- 
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
          Got photons? (TM), (C) 2004

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20041114/e4789e36/attachment.bin

From johnmoore3rd at joimail.com Sun Nov 14 23:13:41 2004
From: johnmoore3rd at joimail.com (John Moore)
Date: Sun Nov 14 23:10:34 2004
Subject: Key Signed/Created "in the future"
Message-ID: <4197D895.7050502@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Twice today someone has sent me a Key that will not Import into my GPG
Keyring. The Error message says that either the Key was "created in the
future" or that there is no valid self-signature. The Key will Import
with no problem into PGP Keyring. Has anyone else had experience with
this problem? Is this a known "bug" in 1.3.92?

JOHN :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBl9iMnCmZhrerneURAsclAKDsFUDLBYGRS5WI+98po8zEihGjSwCePCrU
aLrVvgvNWkjw1hZSbKu0BSw=
=PIwM
-----END PGP SIGNATURE-----

From nobody at dizum.com Thu Nov 11 13:20:02 2004
From: nobody at dizum.com (Nomen Nescio)
Date: Mon Nov 15 08:51:39 2004
Subject: using gpg remotely over ssh?
Message-ID: <1dc36b3ce6000375b4cd7a1aa453c1be@dizum.com>

I know not to use gpg over telnet, but is it OK to use it remotely
over ssh if I trust the machine I'm typing at and the machine I'm
remotely logged in to?
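Worked example for the "w32 installation paths" thread above. This is an added example and not code from GPG TO GO, from GnuPG or from anyone on the list: it combines Werner's suggestion (rename gpg.exe and put a batch file named gpg in front of it) with the GNUPGHOME-first search order that Walter and Werner listed, and it addresses Maxine's point that a USB stick does not show up as A:. The file name gpg-real.exe and the one-directory layout are assumptions.

```batch
@echo off
rem gpg.bat -- front end for a GnuPG copy carried on a floppy or USB stick.
rem Added example, not part of GPG TO GO or of GnuPG. Assumed layout: this
rem batch file, the real binary renamed to gpg-real.exe, gpg.conf and the
rem keyrings all sit in the same directory on the removable medium.
rem
rem %~dp0 expands to the drive and directory this batch file was started
rem from, so the wrapper keeps working whether the stick shows up as A:,
rem E: or F:. Needs cmd.exe (NT/2000/XP): command.com on Win9x knows
rem neither %~dp0 nor setlocal.
setlocal

rem GNUPGHOME is first in GnuPG's search order, ahead of the registry key
rem and HOME, so nothing on the host machine is consulted for the keyrings.
rem An environment variable is used rather than --homedir "%~dp0" because
rem %~dp0 ends in a backslash, and a backslash immediately before the
rem closing quote is read as an escaped quote by the C runtime's argument
rem parser, which would hand gpg the value  E:"  instead of  E:\ .
set GNUPGHOME=%~dp0

rem Pass every argument through unchanged. The real binary must not be
rem called gpg.exe: cmd.exe tries .exe before .bat, so a gpg.exe next to
rem this file would be run instead of the wrapper.
"%~dp0gpg-real.exe" %*

rem setlocal/endlocal keep GNUPGHOME from lingering in the console session.
endlocal
```

With the medium in E:, either `E:\gpg --clearsign note.txt` or, after `e:` and `cd \`, plain `gpg --clearsign note.txt` works, because cmd.exe looks in the current directory before PATH. Nothing is written to the host's registry or profile, which is the point of the thread, but the medium now carries the secret keyring and has to be guarded accordingly.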
From wk at gnupg.org Mon Nov 15 08:57:19 2004
From: wk at gnupg.org (Werner Koch)
Date: Mon Nov 15 08:59:30 2004
Subject: Key Signed/Created "in the future"
In-Reply-To: <4197D895.7050502@joimail.com> (John Moore's message of "Sun, 14 Nov 2004 17:13:41 -0500")
References: <4197D895.7050502@joimail.com>
Message-ID: <87zn1jsfxc.fsf@wheatstone.g10code.de>

On Sun, 14 Nov 2004 17:13:41 -0500, John Moore said:

> with no problem into PGP Keyring. Has anyone else had experience with
> this problem? Is this a known "bug" in 1.3.92?

No, this is not a bug. Use --ignore-time-conflict to turn it into a
warning.

Werner

From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Mon Nov 15 09:41:04 2004
From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn)
Date: Mon Nov 15 09:38:18 2004
Subject: Key Signed/Created "in the future"
In-Reply-To: <4197D895.7050502@joimail.com>
References: <4197D895.7050502@joimail.com>
Message-ID: <41986BA0.6080504@smgwtest.aachen.utimaco.de>

Hi,

> Twice today someone has sent me a Key that will not Import into my GPG
> Keyring. The Error message says that either the Key was "created in the
> future" or that there is no valid self-signature. The Key will Import
> with no problem into PGP Keyring. Has anyone else had experience with
> this problem? Is this a known "bug" in 1.3.92?

Just use the options "--ignore-time-conflict" "--allow-non-selfsigned-uid".
Be aware that you have to use "allow-non-...." every time you want to
use this key!

-- 
Best Regards,

Holger Sesterhenn
---
Internet http://www.utimaco.com

From rorym at nebula.co.za Mon Nov 15 10:38:18 2004
From: rorym at nebula.co.za (Rory McKinley)
Date: Mon Nov 15 10:34:51 2004
Subject: Creation of encrypted virtual drives - Linux
Message-ID: <4198790A.9000809@nebula.co.za>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi List

I was wondering if there is a way to create an encrypted "virtual
drive" in Linux, similar to what PGP Desktop does in Windows, using my
private key? The only options I have seen so far involve mountloop (oh
no, not another long password to remember) or recompiling the kernel
(and I am way too much of a Linux newbie to do that).

Any help would be appreciated.

- -- 
Rory McKinley
Nebula Solutions
+27 21 555 3227 - office
+27 21 551 0676 - fax
+27 82 857 2391 - mobile
www.nebula.co.za
====================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFBmHkKpslJtahJIvMRAn5QAKC6MEqduTsEVjAm8vP1wriw5JSTuwCg/aZj
NJ05Zv2Nyy3aIc3jHtkDNQk=
=riTO
-----END PGP SIGNATURE-----

From atom at suspicious.org Mon Nov 15 15:54:04 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Nov 15 15:50:52 2004
Subject: detecting armor or text
Message-ID: <20041115145414.9108.qmail@suspicious.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

is there a good way to programmatically detect whether a message is
text, binary or armored?

if not, i'd like to request a status-fd keyword that identifies this.

thanks...

- --
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"Your password must be at least 18770 characters and cannot
	 repeat any of your previous 30689 passwords. Please type a
	 different password. Type a password that meets these
	 requirements in both text boxes."
		-- Microsoft takes security seriously in
		   Knowledge Base Article Q276304.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBmMMRAAoJEAx/d+cTpVci5AMH/3bdL4TOeNyd3k2zY2qcUh9N cK8spok4M9B/Wt2o0UwhF69/rT2Pq9x8aBgCXNrhbOdDlsEh5w3IX7wWLDal8bBo MKE+cw5hm0oqmCl/zcyOznaWZOtQs1P0qyJPmOvBGyS5kG34mvU0wlOn6bchpmpX IVRAvXC3xUZQ+iN7W6SbBDRZ55i+UDWANbt94ArCjRoXJyk0pMboZAr0cKATfSXC aouxNflQg9cLF+Oz6nZUZrsxoKLGh4+0nRFR6G2YClUGh1ggi5LYwZ7LTF/W7RyW SNpE12sKfSsUsnr03mRdFKS81p6sCyz8LbN0fATwc781qTUO3FPoT4DearSrW5g= =zIfb -----END PGP SIGNATURE----- From vedaal at hush.com Mon Nov 15 16:36:11 2004 From: vedaal at hush.com (vedaal@hush.com) Date: Mon Nov 15 16:32:44 2004 Subject: detecting armor or text Message-ID: <200411151536.iAFFaCbP017185@mailserver2.hushmail.com> Atom 'Smasher' atom at suspicious.org wrote on Mon Nov 15 15:54:04 CET 2004 : ]is there a good way to programmatically detect whether a message is text, binary or armored? gpg --list-packets vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From atom at suspicious.org Mon Nov 15 16:49:52 2004 From: atom at suspicious.org (Atom 'Smasher') Date: Mon Nov 15 16:46:37 2004 Subject: detecting armor or text In-Reply-To: <200411151536.iAFFaCbP017185@mailserver2.hushmail.com> References: <200411151536.iAFFaCbP017185@mailserver2.hushmail.com> Message-ID: <20041115155007.49990.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 15 Nov 2004 vedaal@hush.com wrote: > gpg --list-packets ======================= $ echo test | gpg --store | gpg --no-verbose --list-packets :compressed packet: algo=3 :literal data packet: mode b, created 1100533258, name="", raw data: 5 bytes +- armor \/ $ echo test | gpg -a --store | gpg --no-verbose --list-packets :compressed packet: algo=3 :literal data 
packet: mode b, created 1100533259, name="", raw data: 5 bytes i don't see any difference in the "list-packets" between the binary and the armored input. i guess a mode "b" is armored or raw binary, and mode "t" is plain text? - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "If a baseball player slides into home plate and, right before the umpire rules if he is safe or out, the player says to the umpire - 'Here is $1,000.' What would we call that? We would call that a bribe. If a lawyer was arguing a case before a judge and said, 'Your honor before you decide on the guilt or innocence of my client, here is $1,000.' What would we call that? We would call that a bribe. But if an industry lobbyist walks into the office of a key legislator and hands her or him a check for $1,000, we call that a campaign contribution. We should call it a bribe." -- Janice Fine Dollars and Sense magazine -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.6 (FreeBSD) Comment: What is this gibberish? 
Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJBmNAlAAoJEAx/d+cTpVci+oUH/ArV/Pof1jZqOuqo6q3Ovw2r oT4Dh40cciIr3X1Eh0mT2ABGcySWw2E6AlPEwt048EBPMfH2pAMWRGlnkV3K5jvI sh9nVl5HMb8Zp7XbU/cuYuvcMzTcIiVKLurHIiRe7FkDwZQSHgLzCMbU1EOh5qjq NbyPX6/BYc3DUzLCVVAN8p8Czv3XzLwGuPn6sDR/TdqhXKJgPXBT730Vd4bhXerG ClmSSVmvoO+MMoWCqf/anDaUhsPPlIk/6kvX2RHrcDLy7mmc+c/utTByufHju+Ed J/XEDO5hIgWwmDWvfsM5VpDl+1HizHCbg/is5WD+Hnu5cKkVn0Nsltb8/Om4aIA= =FtD8 -----END PGP SIGNATURE----- From torduninja at netcourrier.com Mon Nov 15 19:37:45 2004 From: torduninja at netcourrier.com (Maxine Brandt) Date: Mon Nov 15 19:34:20 2004 Subject: w32 installation paths Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Walter Torres wrote: > >> However, the GnuPG home directory is an exception to this rule and you > >> have to specify its location in the command line even when it's on the > >> floppy. I assume that this exceptional behaviour is coded into the gpg > >> binary. I considered working on the code to change this default home > >> directory location to the floppy, but that wouldn't help those using GPG > >> TO GO on a USB stick, so I left it as it was. > > > OK. I lost you here. > > If I have CMD/COMMAND.EXE, gnupg.exe, keys, etc on a UBS Stick, how is > that different than a floppy? > Unlike a floppy, which has a dedicated drive letter, the drive letter for USB sticks will vary according to disk partitioning, and in any case it don't think it will be A : even if your machine has no floppy drive. > > >> One thought that occurs to me is to install the binaries and gpg.conf in > >> the same directoy as cmd.exe (or command.com) so that gpg could pick up > >> locations of keyrings etc from the configuration file (which would be the > >> default "home"). But this is "Windows-think" and might cause more problems > >> than it solves,considering gpg is designed for cross-platform compilation > >> and Windows is bottom of the list of priorities. 
> Yes, this is windows speak. But then again, I don't feel that this
> "segment" of users should be "ignored" (wrong word) because of that.
>
> GPG is cross-platform, as many other (and a growing number of) Gnu apps are.
>
> This doesn't mean that the MAKE can't be made to understand that "if
> WINDOWS, do this, otherwise do 'normal'"

It does that already, in fact, concerning the location of the gpg default
home directory.

Actually, my reasoning for not pursuing the change in the code for GPG TO GO
on a floppy seems no longer valid. Since my earlier post in this thread I've
had a look at the Windows version of 1.3.92 and it's too big for a floppy.
With the best upx compression, the gpg.exe binary is almost 100kb larger than
that of 1.2.5 and it requires the iconv.dll which is more than 600kb - a total
of 700kb extra. A bare-bones version will just fit on the floppy, but there's
virtually no room for files to encrypt or decrypt. So it looks like GPG TO GO
using 1.4 is reserved for USB sticks, and the floppy version will have to stay
with the latest 1.2.x release.

> But then again, more and more PCs are becoming Linux, and not every Linux
> install has GPG, so this GPG TO GO would be a viable option for that user
> base as well.

GPG TO GO was conceived as a replacement for PGP 2 for people living in nasty
places where using encryption can sometimes get you killed, or worse. It's
designed to leave no trace on the host machine that encryption has taken place
and to be used on public machines, which in the vast majority run Windows
systems. But from the feedback I've received, it fills the need of many people
who have the problem of using GPG on work machines where they don't have the
rights to install, and Linux users could fall into this category. I've never
seen a Linux distribution that doesn't include GPG, but no doubt there are
some installations where it's not installed.

I don't have a floppy drive on my Linux machine so I can't verify it, but if
you put the gpg binaries and gpg home directory files on a floppy, replace A:
by fd0, then you should be able to cd to the floppy and use the same commands
as in the Windows version.

Salut
Maxine

Comment: GPG TO GO http://www.torduninja.tk

From linux at codehelp.co.uk  Mon Nov 15 20:30:15 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Mon Nov 15 20:26:39 2004
Subject: using gpg remotely over ssh?
In-Reply-To: <1dc36b3ce6000375b4cd7a1aa453c1be@dizum.com>
References: <1dc36b3ce6000375b4cd7a1aa453c1be@dizum.com>
Message-ID: <200411151930.17023.linux@codehelp.co.uk>

On Thursday 11 November 2004 12:20 pm, Nomen Nescio wrote:
> I know not to use gpg over telnet, but is it OK to use it remotely
> over ssh if I trust the machine I'm typing at and the machine I'm
> remotely logged in to?

The more important question is: Do you have the root password for this remote
machine? Does anyone else? Is that what you mean by trust?

It's your decision, but I wouldn't put my secret key on any remote machine. If
it's hosted on someone else's system your secret key could be available to a
third party. With the secret key in their possession, only an attack on your
passphrase protects your secret key from being compromised.

Isn't there another way of doing this? Why not decrypt and sign locally? SSH
has a complementary SCP that can copy the required files over ssh.
Just have any necessary public keys on the remote machine, encrypt and verify
signatures if you want to, then copy the files to your local machine for
decryption and back again if you are sending up signed files.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From cedar at 3web.net  Mon Nov 15 22:23:08 2004
From: cedar at 3web.net (C. D. Rok)
Date: Mon Nov 15 22:20:12 2004
Subject: w32 installation paths
In-Reply-To:
References:
Message-ID: <41991E3C.6070805@3web.net>

Maxine Brandt wrote:

> Actually, my reasoning for not pursuing the change in the code for GPG TO GO
> on a floppy seems no longer valid. Since my earlier post in this thread I've
> had a look at the Windows version of 1.3.92 and it's too big for a floppy.
> With the best upx compression, the gpg.exe binary is almost 100kb larger
> than that of 1.2.5 and it requires the iconv.dll which is more than 600kb -
> a total of 700kb extra. A bare-bones version will just fit on the floppy,
> but there's virtually no room for files to encrypt or decrypt.
...
> GPG TO GO was conceived as a replacement for PGP 2 for people living in
> nasty places...

So it seems that - as the opening of your fine page suggests, it might be
"back to the future"; i.e.,

...One of the earliest versions of PGP, 2.6, is still highly regarded...

From what I know, 2.6.3ia-multi06 would be the version of choice.

In contrast to USB drives, "in nasty places" the old floppy has one very
important advantage: it is the only r/w medium cheap enough to make practical
protocols which call for copies of both the software and the data to be
destroyed after each use.

I was wondering if your proposition that [2.6]'s "...cryptographic security
has been in doubt for some time now..." really applies to 2.6.3ia-multi06?
(compatibility with the current crop of PGPGs aside).

C. R.

From Lamont_Gilbert at RigidSoftware.com  Mon Nov 15 22:35:01 2004
From: Lamont_Gilbert at RigidSoftware.com (CL Gilbert)
Date: Mon Nov 15 22:32:14 2004
Subject: using gpg remotely over ssh?
In-Reply-To: <200411151930.17023.linux@codehelp.co.uk>
References: <1dc36b3ce6000375b4cd7a1aa453c1be@dizum.com> <200411151930.17023.linux@codehelp.co.uk>
Message-ID: <41992105.9060406@RigidSoftware.com>

Neil Williams wrote:
> On Thursday 11 November 2004 12:20 pm, Nomen Nescio wrote:
>
>>I know not to use gpg over telnet, but is it OK to use it remotely
>>over ssh if I trust the machine I'm typing at and the machine I'm
>>remotely logged in to?
>

Well if local machine is secure, and remote machine is secure, and you connect
from one to the other using a secure shell, then you have a secure system.

> The more important question is: Do you have the root password for this remote
> machine? Does anyone else? Is that what you mean by trust?
>
> It's your decision, but I wouldn't put my secret key on any remote machine. If
> it's hosted on someone else's system your secret key could be available to a
> third party. With the secret key in their possession, only an attack on your
> passphrase protects your secret key from being compromised.
>
> Isn't there another way of doing this? Why not decrypt and sign locally? SSH
> has a complementary SCP that can copy the required files over ssh.
>

Why? What advantage can be gained from doing it locally which means he must
bring his key onto the local machine?

> Just have any necessary public keys on the remote machine, encrypt and verify
> signatures if you want to, then copy the files to your local machine for
> decryption and back again if you are sending up signed files.
>

The remote machine has all his key files today if I understand him.

--
Thank you,

CL Gilbert
"Then said I, Wisdom [is] better than strength: nevertheless the poor man's
wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org

From vedaal at hush.com  Tue Nov 16 00:55:43 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Nov 16 00:52:17 2004
Subject: w32 installation paths
Message-ID: <200411152355.iAFNtkHN021810@mailserver2.hushmail.com>

>Message: 7
>Date: Mon, 15 Nov 2004 19:37:45 CET
>From: Maxine Brandt
>Subject: Re: w32 installation paths
>To: gnupg-users@gnupg.org
>Message-ID:
>Content-Type: text/plain; charset=ISO-8859-1

> With the best upx compression, the gpg.exe binary is almost 100kb larger
>than that of 1.2.5 and it requires the iconv.dll which is more than 600kb -
>a total of 700kb extra. A bare-bones version will just fit on the floppy,

what would happen if the iconv.dll would be left out?
what wouldn't work?

vedaal

>Message: 9
>Date: Mon, 15 Nov 2004 21:23:08 +0000
>From: "C. D. Rok"
>Subject: Re: w32 installation paths
>To: gnupg-users@gnupg.org
>Message-ID: <41991E3C.6070805@3web.net>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> From what I know, 2.6.3ia-multi06 would be the version of choice.
>In contrast to USB drives, "in nasty places" the old floppy has one very
>important advantage: it is the only r/w medium cheap enough to make
>practical protocols which call for copies of both the software and the data
>to be destroyed after each use. I was wondering if your proposition that
>[2.6]'s "...cryptographic security has been in doubt for some time now..."
>really applies to 2.6.3ia-multi06? (compatibility with the current crop of
>PGPGs aside).

much as i love 2.6.3a multi 6, and am one of the few diehards that still uses
it regularly (and from a floppy), i would _not_ recommend it for use in
'really nasty places'

no crypto program is useful there, as a simple screen capturer or hardware key
logger is enough to cause major tragedy

the best solution there, is to use zero-distortion stego carriers, and without
'any' program outside of the user's head

several such text-within-text stego pencil and paper schemes are available

vedaal

From cedar at 3web.net  Tue Nov 16 01:55:38 2004
From: cedar at 3web.net (C. D. Rok)
Date: Tue Nov 16 01:52:43 2004
Subject: w32 installation paths
In-Reply-To: <200411152355.iAFNtkHN021810@mailserver2.hushmail.com>
References: <200411152355.iAFNtkHN021810@mailserver2.hushmail.com>
Message-ID: <4199500A.50807@3web.net>

vedaal@hush.com wrote:

>>From what I know, 2.6.3ia-multi06 would be the version of choice.
>>[2.6]' "...cryptographic security has been in doubt for some time now..."

> much as i love 2.6.3a multi 6,
> and am one of the few diehards that still uses it regularly
> (and from a floppy),
>
> i would _not_ recommend it for use in
> 'really nasty places'...

> no crypto program is useful there,
> as a simple screen capturer or hardware key logger is enough
> to cause major tragedy ...

Of course. (I just re-used the expression from a previous post).

Let me thus rephrase: Is there any reason to believe that with the right
choice of cipher and key length 2.6.3a multi 6 would be cryptographically less
secure than the current PGPG's?
CR

From dshaw at jabberwocky.com  Tue Nov 16 04:35:34 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Nov 16 04:32:29 2004
Subject: detecting armor or text
In-Reply-To: <20041115145414.9108.qmail@suspicious.org>
References: <20041115145414.9108.qmail@suspicious.org>
Message-ID: <20041116033534.GC23577@jabberwocky.com>

On Mon, Nov 15, 2004 at 09:54:04AM -0500, Atom 'Smasher' wrote:
> is there a good way to programmatically detect whether a message is text,
> binary or armored?

This is not a meaningful question. A message can be text or binary, and
armored or not. Or any combination. There aren't three possibilities, there
are four:

  Armored text
  Armored binary
  Unarmored text
  Unarmored binary

To tell an armored message from an unarmored one, just look at the first byte.
If it has the high bit (0x80) set, it is not armored.

To tell a binary message from a text one, there is a PLAINTEXT status tag in
1.3.x. The first argument will be 62 for binary, 74 for text, and 75 for
UTF-8 text.

David

From dshaw at jabberwocky.com  Tue Nov 16 04:39:31 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue Nov 16 04:36:18 2004
Subject: w32 installation paths
In-Reply-To:
References:
Message-ID: <20041116033931.GD23577@jabberwocky.com>

On Mon, Nov 15, 2004 at 07:37:45PM +0100, Maxine Brandt wrote:
> Actually, my reasoning for not pursuing the change in the code for
> GPG TO GO on a floppy seems no longer valid. Since my earlier post
> in this thread I've had a look at the Windows version of 1.3.92 and
> it's too big for a floppy. With the best upx compression, the
> gpg.exe binary is almost 100kb larger than that of 1.2.5 and it
> requires the iconv.dll which is more than 600kb - a total of 700kb
> extra. A bare-bones version will just fit on the floppy, but there's
> virtually no room for files to encrypt or decrypt.

I wonder why. The 1.3.x binary actually has less code than the 1.2.x one since
there is no keyserver stuff and the Elgamal signing code was removed.

Perhaps the bzip2 library?

David

From walter at torres.ws  Tue Nov 16 06:39:24 2004
From: walter at torres.ws (Walter Torres)
Date: Tue Nov 16 06:36:01 2004
Subject: w32 installation paths
Message-ID: <2562.69.209.14.58.1100583564.squirrel@mail.braverock.com>

> Unlike a floppy, which has a dedicated drive letter, the drive
> letter for USB sticks will vary according to disk partitioning,
> and in any case I don't think it will be A: even if your machine
> has no floppy drive.

ah, yes. Didn't think of that, but...

On my Windows system, I have Apache, PHP, MySQL, and Perl, GnuPG all running
with *OUT* volume letters. All config/ini files defined paths are based from
"root" [/]. Of course, all the files are on the same volume so that is not a
problem.

If you look at my "unix" volume, it looks *exactly* like my Linux box at work.
Well, not exactly, but close enough for government work.

So, given that, I don't see why a GPG TO GO couldn't live on a CD or USB
stick. But I'd have to play and see.

> GPG TO GO was conceived as a replacement for PGP 2 for people living
> in nasty places where using encryption can sometimes get you killed,
> or worse. It's designed to leave no trace on the host machine that
> encryption has taken place and to be used on public machines, which
> in the vast majority run Windows systems.

Yes, I understand that POV. I worked (for a time) on the cryptorights project.
Still put time in on the SquirrelMail GPG project. I work across the "hall"
from Brian Peterson, the brain behind that [SquirrelMail GPG] project so this
security chea oozes around our office! ;)

Walter

====================================================
Taking it to the next level.
web.torres.ws/dev

From torduninja at netcourrier.com  Tue Nov 16 06:40:09 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Tue Nov 16 06:36:35 2004
Subject: w32 installation paths
Message-ID:

C. D. Rok wrote:

> > GPG TO GO was conceived as a replacement for PGP 2 for people living in
> > nasty places...
>
> So it seems that - as the opening of your fine page suggests, it might be
> "back to the future"; i.e.,
>
> ...One of the earliest versions of PGP, 2.6, is still highly regarded...
>
> From what I know, 2.6.3ia-multi06 would be the version of choice.
> In contrast to USB drives, "in nasty places" the old floppy has one very
> important advantage: it is the only r/w medium cheap enough to make practical
> protocols which call for copies of both the software and the data to be
> destroyed after each use. I was wondering if your proposition that [2.6]'s
> "...cryptographic security has been in doubt for some time now..." really
> applies to 2.6.3ia-multi06? (compatibility with the current crop of
> PGPGs aside).

This version has the recent cipher and hash algorithms added and can generate
larger keys, which in theory make it more secure. I say "in theory" because I
strongly doubt that the implementations of these changes have had the same
level of peer review that GnuPG has had, and I'm not sure that they've had
very much at all. But the issue of compatibility was also a factor in the
conception of GPG TO GO.

Salut
Maxine

Comment: GPG TO GO http://www.torduninja.tk

From asmart at kingsdown.swindon.sch.uk  Tue Nov 16 12:44:28 2004
From: asmart at kingsdown.swindon.sch.uk (Andy Smart)
Date: Tue Nov 16 12:41:10 2004
Subject: Signed emails showing as attachments in OE
Message-ID: <4199E81C.7010502@kingsdown.swindon.sch.uk>

Skipped content of type multipart/mixed

From zuxy.meng at gmail.com  Tue Nov 16 13:27:28 2004
From: zuxy.meng at gmail.com (Zuxy)
Date: Tue Nov 16 13:24:27 2004
Subject: Signed emails showing as attachments in OE
In-Reply-To: <4199E81C.7010502@kingsdown.swindon.sch.uk>
References: <4199E81C.7010502@kingsdown.swindon.sch.uk>
Message-ID:

Obviously you're using PGP/MIME and OE lacks support for that. I guess
Thunderbird's Enigma plug-in has an option to use inline PGP mode instead of
PGP/MIME that provides compatibility for OE and most other email clients.

On Tue, 16 Nov 2004 11:44:28 +0000, Andy Smart wrote:
> I use Thunderbird with gpgmime to sign my emails and newsgroup posts,
> but a couple of people who use OE say that the content does not show up
> for them inline but as an attachment.

--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6

From johanw at vulcan.xs4all.nl  Mon Nov 15 21:37:03 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Tue Nov 16 14:41:29 2004
Subject: w32 installation paths
In-Reply-To: from Maxine Brandt at "Nov 15, 2004 07:37:45 pm"
Message-ID: <200411152037.VAA01997@vulcan.xs4all.nl>

Maxine Brandt wrote:

>requires the iconv.dll which is more than 600kb

Does gpg.exe really require it? I thought it was only needed when you wanted
to use translations, which can of course be skipped for a project like this.

>- a total of 700kb extra.
>A bare-bones version will just fit on the floppy,
>but there's virtually no room for files to encrypt or decrypt.

Often this is not such a big problem on work PC's: you can encrypt a file on
the harddisk, and copy it to another floppy (or set of floppies) after
encryption.

--
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From wk at gnupg.org  Tue Nov 16 16:48:04 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 16 16:49:35 2004
Subject: w32 installation paths
In-Reply-To: <200411152037.VAA01997@vulcan.xs4all.nl> (Johan Wevers's message of "Mon, 15 Nov 2004 21:37:03 +0100 (MET)")
References: <200411152037.VAA01997@vulcan.xs4all.nl>
Message-ID: <87d5ydpzgr.fsf@wheatstone.g10code.de>

On Mon, 15 Nov 2004 21:37:03 +0100 (MET), Johan Wevers said:

> Does gpg.exe really require it? I thought it was only needed when you wanted
> to use translations, which can of course be skipped for a project like this.

Right, it is only used for translation and for converting user IDs and such.
It is only important to use when you are creating a new user ID with non-ASCII
characters from non-Latin-1 code pages.

And there is no problem to copy that DLL to the usual DLLPATH. Several
programs are using that DLL and it won't harm to have it on every Windows PC.

Werner

From vedaal at hush.com  Tue Nov 16 16:56:19 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Nov 16 16:52:51 2004
Subject: w32 installation paths (C. D. Rok)
Message-ID: <200411161556.iAGFuM6g071608@mailserver2.hushmail.com>

>Message: 3
>Date: Tue, 16 Nov 2004 00:55:38 +0000
>From: "C. D. Rok"
>Subject: Re: w32 installation paths
>To: gnupg-users@gnupg.org
>Message-ID: <4199500A.50807@3web.net>

>Is there any reason to believe that with the right choice of
>cipher and key length 2.6.3a multi 6 would be cryptographically
>less secure than the current PGPG's?

even in multi 6, the keys must be signed using md5 [and sadly, Disastry is no
longer with us to fix this :-((( ]

so there is some concern that all key trust for v3 keys may become compromised
to the level that only securely exchanged keys from known correspondents, can
be trusted

the primary reason for some diehards (not me, but respected cryptographers)
trust only 2.6.3, is that it is the only one that they personally have gone
over the source code

gnupg, which almost everyone agrees is much better and more secure than any
other pgp implementation, (+/- elgamal signing issues), has a source code at
least an order of magnitude larger than Disastry's 2.6.3, and if the
cryptographers haven't been with gnupg since the beginning and gone over each
of the diffs, it is too much to check all at once now

with regard to the wipe function in 2.6.x, it is not as good as Eraser, and
may not work in xp on the ntfs file journaling backup system

even if you need to boot from a floppy and wipe, Darik's boot and nuke is
excellent, (but is 'all or none' [all hard drives, or nothing, no ability to
wipe just one file])

so, besides communication with other pgp 2.x users who insist on only 2.6.x,
gnupg is much more secure

vedaal
From JPClizbe at comcast.net  Tue Nov 16 18:35:51 2004
From: JPClizbe at comcast.net (John Clizbe)
Date: Tue Nov 16 18:32:56 2004
Subject: Signed emails showing as attachments in OE
In-Reply-To: <4199E81C.7010502@kingsdown.swindon.sch.uk>
References: <4199E81C.7010502@kingsdown.swindon.sch.uk>
Message-ID: <419A3A77.70604@comcast.net>

Andy Smart wrote:
> I use Thunderbird with gpgmime to sign my emails and newsgroup posts,
> but a couple of people who use OE say that the content does not show up
> for them inline but as an attachment. What causes this and is there
> anything they can do?

OE/Outlook does not understand PGP/MIME without either the PGP plugin or the
g10code OE plugin. You can use inline signatures to send mail that they will
be able to open.

You could also setup a per-recipient rule in Enigmail to NEVER send users at
that email domain PGP/MIME mail.

--
John P. Clizbe                   Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks             PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter
and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From zvrba at zax.CARNET  Mon Nov 15 19:30:15 2004
From: zvrba at zax.CARNET (Zeljko Vrba)
Date: Tue Nov 16 20:16:24 2004
Subject: support for non-openpgp cards
Message-ID: <20041115183015.GA1269@zax.CARNET>

Hi to everybody..

I have made a patch to GNUPG 1.3.92 which makes it possible to use general
PKCS#11 tokens with GPG. You can retrieve the patch and signature at:

http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch
http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc

(the patch also includes p11howto.txt - the design document).

Now there are several issues to address with this patch in combination with
the MUSCLE project (http://www.linuxnet.com):

- I use libmusclepkcs11.so with Cryptoflex 8k card. The library is, IMHO,
  incorrect in several respects with regards to PKCS#11:
  - it requires to specify CKA_TOKEN when generating keys
  - it expects the data to be PKCS#11 padded before encryption (although it
    explicitly knows that the card supports only raw rsa); and this is the
    main problem
  - supports only 2 keypairs on Cryptoflex cards (32k and 8k; the code is
    common).

The alternative is to use the MUSCLE API (also described on the above site)
which limits the library usage to JAVA cards with MUSCLE applet installed
only (MUSCLE works on many UNICES and Win32).

Given this input, here are some questions (both for users and developers;
thus this mail goes to both lists):

1. Is there enough interest from GPG users to pursue further development of
   non-OpenPGP smart-cards? (either with PKCS#11 which I'd prefer, or with
   MUSCLE API; if there is enough interest I'll contact the developers of
   MUSCLE to resolve PKCS#11 issues).
2. Does GPG do PKCS#1 padding before signing or encryption?
3. Is it possible to make GPG generate only 1, or 2 keys on the card? (AFAIK,
   the generate command always tries to generate 3 keys and this command is
   the only way to make gpg learn about the card..) Even better, is it
   possible to make GPG use pre-generated keys on the card?

I have already talked to Werner about this, and he didn't like the idea
because of GPL license (the result of linking proprietary PKCS#11 lib with
GPG is undefined). So please, no arguments about that. I'll leave to each
user's conscience whether to run legally-undefined program, or not. MUSCLE
itself is released under BSD license.

--
The corresponding public key is located at:
http://ds.carnet.hr:11371/pks/lookup?op=get&search=0x5081D08A1DC7E994

From jsWalter at torres.ws  Tue Nov 16 06:36:13 2004
From: jsWalter at torres.ws (jsWalter)
Date: Tue Nov 16 20:16:29 2004
Subject: w32 installation paths
In-Reply-To:
References:
Message-ID: <2527.69.209.14.58.1100583373.squirrel@mail.braverock.com>

[Duplicate posting: the body is identical to Walter Torres's message of
Tue Nov 16 06:39:24 2004 in this thread.]

From wk at gnupg.org  Tue Nov 16 20:33:18 2004
From: wk at gnupg.org (Werner Koch)
Date: Tue Nov 16 20:34:32 2004
Subject: support for non-openpgp cards
In-Reply-To: <20041115183015.GA1269@zax.CARNET> (Zeljko Vrba's message of "Mon, 15 Nov 2004 19:30:15 +0100")
References: <20041115183015.GA1269@zax.CARNET>
Message-ID: <87zn1hoagx.fsf@wheatstone.g10code.de>

On Mon, 15 Nov 2004 19:30:15 +0100, Zeljko Vrba said:

> I have already talked to Werner about this, and he didn't like the idea
> because of GPL license (the result of linking proprietary PKCS#11 lib with
> GPG is undefined). So please, no arguments about that. I'll leave to

Sorry but this is not just undefined: it is a clear violation of the GPL.

Salam-Shalom,

   Werner

From linux at thorstenhau.de  Tue Nov 16 22:35:40 2004
From: linux at thorstenhau.de (Thorsten Haude)
Date: Tue Nov 16 22:36:46 2004
Subject: Signed emails showing as attachments in OE
In-Reply-To:
References: <4199E81C.7010502@kingsdown.swindon.sch.uk>
Message-ID: <20041116213540.GA1267@eumel.yoo.local>

Hi,

* Zuxy wrote (2004-11-16 13:27):
>Obviously you're using PGP/MIME and OE lacks support for that.

As I understand it, OE lacks proper support for MIME, or it would show the
mail and signature inline.

Thorsten

--
Hobbes: Shouldn't we read the instructions?
Calvin: Do I look like a sissy?
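Returning to David Shaw's "detecting armor or text" reply earlier on this page: the following is an added example (not code from the list, nor from GnuPG) that applies his two checks in Python and also parses the literal data packet that the "--list-packets" output quoted at the top of the page summarises as "mode b, created ..., raw data: N bytes". It assumes the RFC 2440 literal-data packet layout and gpg's status line format "[GNUPG:] PLAINTEXT <format> <timestamp> <filename>", where <format> is the mode octet written in hex (so 62, 74 and 75 are the ASCII codes of 'b', 't' and 'u').

```python
"""Classify an OpenPGP message as armored/unarmored and text/binary.

Added example; not code from the gnupg-users list or from GnuPG.
Assumptions: RFC 2440 literal data packet layout, and gpg status lines of
the form "[GNUPG:] PLAINTEXT <format> <timestamp> <filename>" where
<format> is the literal-data mode octet printed in hex.
"""
import struct

# Hex "62"/"74"/"75" on the PLAINTEXT line are the ASCII codes of the mode
# octets 'b' (binary), 't' (text) and 'u' (UTF-8 text).
PLAINTEXT_MODES = {ord("b"): "binary", ord("t"): "text", ord("u"): "utf8"}
LITERAL_DATA_TAG = 11


def is_armored(data: bytes) -> bool:
    """Armor is printable ASCII, so its first byte has the high bit clear;
    every binary OpenPGP packet header octet has bit 7 (0x80) set."""
    if not data:
        raise ValueError("empty message")
    return data[0] & 0x80 == 0


def plaintext_mode(status_output: str):
    """Return 'binary', 'text' or 'utf8' from gpg --status-fd output, or
    None if no PLAINTEXT line was emitted (e.g. decryption failed)."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "PLAINTEXT"]:
            return PLAINTEXT_MODES.get(int(fields[2], 16), "unknown")
    return None


def parse_literal_packet(data: bytes) -> dict:
    """Parse an unarmored old-format literal data packet (tag 11) with a
    one-octet length: the fields --list-packets prints as mode/created/name."""
    if len(data) < 2:
        raise ValueError("truncated packet header")
    ptag = data[0]
    if ptag & 0xC0 != 0x80:              # bit 7 set, bit 6 clear: old format
        raise ValueError("not an old-format packet header")
    if (ptag >> 2) & 0x0F != LITERAL_DATA_TAG:
        raise ValueError("not a literal data packet")
    if ptag & 0x03 != 0:                 # length-type 0: one-octet length
        raise ValueError("only one-octet lengths handled in this example")
    body_len = data[1]
    body = data[2:2 + body_len]
    if len(body) != body_len or body_len < 6:
        raise ValueError("truncated literal data body")
    mode = chr(body[0])                  # 'b', 't' or 'u'
    name_len = body[1]
    name = body[2:2 + name_len].decode("utf-8", "replace")
    (created,) = struct.unpack(">I", body[2 + name_len:6 + name_len])
    raw = body[6 + name_len:]
    return {"mode": mode, "created": created, "name": name, "raw": raw}


def build_literal_packet(mode: str, payload: bytes, created: int,
                         name: bytes = b"") -> bytes:
    """Build a literal data packet (constructed sample input for the
    functions above; same layout parse_literal_packet expects)."""
    body = (mode.encode("ascii") + bytes([len(name)]) + name
            + struct.pack(">I", created) + payload)
    if len(body) > 255:
        raise ValueError("body too long for a one-octet length")
    ptag = 0x80 | (LITERAL_DATA_TAG << 2)   # 0xAC: old format, tag 11
    return bytes([ptag, len(body)]) + body


def classify(data: bytes, status_output: str = "") -> tuple:
    """Return one of the four combinations as (armor, content). Content
    comes from the PLAINTEXT status line when present; for an unarmored
    message whose first packet is literal data it is read from the packet
    itself (an encrypted message starts with other packets, so 'unknown')."""
    armor = "armored" if is_armored(data) else "unarmored"
    content = plaintext_mode(status_output)
    if content is None and armor == "unarmored":
        try:
            mode = parse_literal_packet(data)["mode"]
            content = PLAINTEXT_MODES.get(ord(mode), "unknown")
        except ValueError:
            content = None
    return armor, content or "unknown"


if __name__ == "__main__":
    # Constructed sample matching the --list-packets line quoted on the list.
    pkt = build_literal_packet("b", b"hello", 1100533259)
    print(parse_literal_packet(pkt))          # mode 'b', 5 raw bytes
    print(classify(pkt))                      # ('unarmored', 'binary')
    armored = b"-----BEGIN PGP MESSAGE-----\n"  # constructed armor header
    print(classify(armored, "[GNUPG:] PLAINTEXT 74 1100533259 \n"))
```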
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20041116/7fa3ca69/attachment.bin From servie_tech at yahoo.com Wed Nov 17 06:43:07 2004 From: servie_tech at yahoo.com (Servie Platon) Date: Wed Nov 17 06:40:11 2004 Subject: Of Public Key Servers, Revocation and Key ID's Message-ID: <20041117054307.88342.qmail@web52510.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi gnupg gurus, I need to shed some light on how Public Key Servers Revocation Certificate and Key ID's play hand in hand. Based from my understanding, after we create our key pair we are supposed to create a revocation certificate right away so that in the event that our key pair in particular private key has been compromised or regarded as useless we can revoke it anytime. Now, if we would like our public keys to be readily available to everyone for verification purposes, public keyserver are available to us so we could upload these. Is this correct? Based on the following situation, please kindly advise what, or is there anything I could do here: 1. I created 2 key pairs, one for my public web mail account and one for my work (private use), with Key ID's 0xKeyID#1 and 0xKeyID#2 for example; 2. I have uploaded both Key IDs to a public keyserver of choice, random.sks.keyserver.penguin.de which was somehow successful; 3. I did create a revocation certificate for both keys by issuing this command in a command prompt: gpg --output revcert.asc --gen-revoke 0xKeyID#1 and gpg --output revcert1.asc - --gen-revoke 0xKeyID#2 respectively; Now for my questions: 1. Assuming, I wanted to revoke KeyID#1 which I uploaded to penguin.de. How do I do this? I did some tinkering using gpg keys, (gpg shell), highlighted the UserID (KeyID) in question, went to keys - import, then selected revcert.asc for KeyID#1. 
After which, I went to Keys - Update from Key-Server and selected penguin.de. Now, to check if this has been revoked, at the prompt I see my KeyID with "revoke" in it. Does this mean my key has been revoked locally, or has it been revoked at the public key server as well?

2. How do we check for the KeyIDs that they really come from that person? For instance, I post here and it displays my Key ID; how do you guys check my KeyID if I have already posted this to a public key server?

3. And finally, if I have uploaded my public key to a public key server and I deleted my keys locally without doing a revocation certificate and updated the key server hosting my key. And after a while, I created myself another key pair for the same UserID which I deleted before without revoking. Will this pose a problem for me, considering it might confuse other people such as yourself trying to figure out which key is being used, since there are two entries of KeyIDs?

I really do need some pointers on how to manage my keys properly and I feel this is the place where I could find the answers.

Thank you very much.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32) - GPGshell v3.23

iD8DBQFBmuS6yQgrZePdA38RAhONAJ9EgJDxBbzVdQQ52jDrrxiNJ1P51wCeIatO
ee4kPvUKR2ngdlXW4yxhvv0=
=cca6
-----END PGP SIGNATURE-----

=====
Sincerely,
Servie Platon

From atom at suspicious.org Wed Nov 17 08:29:55 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Wed Nov 17 08:26:31 2004
Subject: The OpenPGP mail and news header
Message-ID: <20041117073006.98816.qmail@suspicious.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

** cross posted - watch replies **

The OpenPGP mail and news header
http://josefsson.org/openpgp-header/

Before formally sending this to the IETF for consideration, we're looking for comments from the pgp/gpg community.

thanks...
- --
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

A student asked his old Sufi Master if he should tie up his camel for the night, so that it wouldn't wander away while they were sleeping, or if doing so was an insult to God. Should he leave the camel untied to show his trust in God that the camel wouldn't run away? The Master replied "Trust God AND tie up your camel."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBmv34AAoJEAx/d+cTpVciTgAIAJu/rqsC+U9V0mgSdcIL1YaF
znVMZTiu7OcZGI6I3qo8fAY/m6+acMpQux7zQS3WoHeUDykQEvOiQNusBdkMOIcf
Cs3DaH1s1kPs6bxf9BiKuM60OmygYoRuiwNRCqn6Cxg6sJpgBzNpzahbPIbuPAEh
2DvGlcYMGmgEi3UsbOpYcy7iXwVI0oYGyeUX9MoOssCUWOImp+K9eMBkHHjrYekc
Ev5Xb0tdvcz8piSbflSxn4mSKVc1yyoZto8CceD3IhXKSRLKPMh+3JmJPDooJRcP
BBQMJzAIV38TeL3PhJQAPfJFIRf4rLCQeeZ2TVQu1G40a+xzyg5rDDenfMJ+Sg0=
=75J2
-----END PGP SIGNATURE-----

From johanw at vulcan.xs4all.nl Wed Nov 17 00:29:03 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Nov 17 08:33:20 2004
Subject: w32 installation paths
In-Reply-To: <4199500A.50807@3web.net> from "C. D. Rok" at "Nov 16, 2004 00:55:38 am"
Message-ID: <200411162329.AAA00924@vulcan.xs4all.nl>

C. D. Rok wrote:

> Is there any reason to believe that with the right choice of
> cipher and key length 2.6.3a multi 6 would be cryptographically
> less secure than the current PGPG's?

No. But the same holds for 2.6.3ia - IDEA and RSA are still unbroken. The MD5 hash might be more questionable, but for encryption only that doesn't matter.

--
ir. J.C.A.
Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From johanw at vulcan.xs4all.nl Wed Nov 17 00:37:27 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Wed Nov 17 08:33:30 2004
Subject: w32 installation paths (C. D. Rok)
In-Reply-To: <200411161556.iAGFuM6g071608@mailserver2.hushmail.com> from "vedaal@hush.com" at "Nov 16, 2004 07:56:19 am"
Message-ID: <200411162337.AAA01074@vulcan.xs4all.nl>

vedaal@hush.com wrote:

> so, besides communication with other pgp 2.x users
> who insist on only 2.6.x,
>
> gnupg is much more secure

GnuPG can communicate with pgp2. That's what the --pgp2 option is for. You do have to install the IDEA module and use IDEA/RSA/MD5 of course.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From linux at codehelp.co.uk Wed Nov 17 10:12:39 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Wed Nov 17 10:09:21 2004
Subject: Of Public Key Servers, Revocation and Key ID's
In-Reply-To: <20041117054307.88342.qmail@web52510.mail.yahoo.com>
References: <20041117054307.88342.qmail@web52510.mail.yahoo.com>
Message-ID: <200411170912.43339.linux@codehelp.co.uk>

On Wednesday 17 November 2004 5:43 am, Servie Platon wrote:

> Based from my understanding, after we create our key pair we are
> supposed to create a revocation certificate right away so that
> in the event that our key pair in particular private key has
> been compromised or regarded as useless we can revoke it
> anytime.

Yes. Keep it safe, don't keep it on your filesystem and don't keep it anywhere that someone will be able to find it or where you might enter it accidentally. Many people print them out; it's only a few lines of text.
> Now, if we would like our public keys to be readily available to
> everyone for verification purposes, public keyserver are
> available to us so we could upload these.

Yes.

> 1. Assuming, I wanted to revoke KeyID#1 which I uploaded to
> penguin.de. How do I do this?

Import the revocation certificate into your local keyring and then send the revoked key to the keyserver. Anyone can do this: once they have access to the revocation certificate they don't need access to the secret key, so be careful where you store it!

$ gpg --import revcert.asc
$ gpg --keyserver subkeys.pgp.net --send-key 0xKeyID#1

> I did some tinkering using gpg keys, (gpg shell), highlighted
> the UserID (KeyID) in question, went to keys - import, then
> selected revcert.asc for KeyID#1. After which, went to
> Keys-Update from Key-Server and selected penguin.de.
>
> Now, to check if this has been revoked at the prompt, I see my
> KeyID with revoke in it. Does this mean locally my Key has been
> revoked or it has been revoked at the public key server as well?

Most keyservers have a web interface that will show you the status of the key. Alternatively:

1. Export your public key to a file.
2. Delete your own public key from your local keyring.
3. Import your public key from the keyserver.
4. Verify it has been revoked.

> 2. How do we check for the KeyID's that it really comes from
> that person? For instance, I post here and it displays my Key
> ID, how do you guys check my KeyID if in case, I have already
> posted this to a public key server?

We have to meet in person, exchange key fingerprints and verify photo ID. Then we sign each other's keys. The signed keys are uploaded to keyservers. People who trust me to properly verify keys will usually accept yours as verified.

http://www.codehelp.co.uk/html/neilwilliams.html
http://gnupg.neil.williamsleesmill.me.uk/book1.html
http://www.cryptnet.net/fdp/crypto/gpg-party.html

> 3.
And finally, if I have uploaded my public key to a public key
> server and I deleted my keys locally without doing a revocation
> certificate and updated the key server hosting my key. And after
> awhile, I created myself another key pair for the same UserID
> which I deleted before without revoking. Will this pose as a
> problem for me considering it might confuse other people such as
> yourself trying to figure out which key is being used since
> there are two entries of KeyIDs?

Potentially yes; it makes things awkward but not difficult. You should always revoke a key that is:

1. compromised, or
2. the only UID is invalid (e.g. the specified email account no longer operates), or
3. the key itself is no longer in use, or
4. if you've forgotten the passphrase for your secret key.

Revoking a key prevents anyone using it to encrypt to you. It should be used when either the encrypted message could be read by someone else or when you no longer have the ability to receive and/or decrypt the message using that key.

> I really do need some pointers on how to manage my keys properly
> and I feel this is the place where I could find the answers.

Please read the FAQs before posting.

http://www.gnupg.org/gph/en/manual.html
http://www.gnupg.org/
http://www.dclug.org.uk/linux_adm/gnupg.html

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
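Neil's check above (export, delete, re-import from the keyserver, then "verify it has been revoked") and Jens Kubieziel's later reply in this thread (a fresh test user, then `gpg --list-keys` showing the key as revoked, and `gpg --list-sigs` listing who has certified it) both end with reading gpg's key listing by eye. The following is an added example, not code from either poster or from GnuPG: a small Python parser for gpg's machine-readable `--with-colons` listing (the format documented in the DETAILS file of the GnuPG distribution) that reports whether each key is revoked and which other keys have signed it. The listing is constructed sample data with placeholder key IDs and addresses; the `rev` record is the revocation signature a revoked key carries.

```python
from dataclasses import dataclass, field
from typing import List

# Validity codes from field 2 of --with-colons records (GnuPG DETAILS file).
VALIDITY = {
    "r": "revoked", "e": "expired", "d": "disabled", "i": "invalid",
    "f": "fully valid", "u": "ultimately valid", "m": "marginally valid",
    "q": "undefined", "n": "never trust", "o": "unknown", "-": "unknown", "": "unknown",
}


@dataclass
class KeyInfo:
    keyid: str                 # long key ID, field 5 of the pub record
    validity: str              # raw validity code, field 2 of the pub record
    uids: List[str] = field(default_factory=list)
    signers: List[str] = field(default_factory=list)   # key IDs that certified a UID, self-signatures excluded
    revocation_sigs: int = 0   # number of "rev" records (revocation signatures) on the key

    @property
    def revoked(self) -> bool:
        return self.validity == "r"

    def summary(self) -> str:
        return (f"0x{self.keyid}: {VALIDITY.get(self.validity, 'unknown')}, "
                f"{len(self.signers)} third-party signer(s), {self.revocation_sigs} revocation(s)")


def parse_colons(listing: str) -> List[KeyInfo]:
    """Parse `gpg --with-colons --list-sigs` output into KeyInfo records.

    Records are colon-separated; field 1 is the record type. Only pub, uid,
    sig and rev records are used; tru, sub and fpr records are skipped.
    """
    keys: List[KeyInfo] = []
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            current = KeyInfo(keyid=fields[4], validity=fields[1])
            if len(fields) > 9 and fields[9]:      # GnuPG 1.x puts the primary UID on the pub line itself
                current.uids.append(fields[9])
            keys.append(current)
        elif current is None:
            continue                               # tru record or stray text before the first key
        elif rtype == "uid":
            current.uids.append(fields[9])
        elif rtype == "sig":
            signer = fields[4]
            if signer != current.keyid and signer not in current.signers:
                current.signers.append(signer)
        elif rtype == "rev":
            current.revocation_sigs += 1
    return keys


def revoked_keyids(keys: List[KeyInfo]) -> List[str]:
    """Key IDs whose validity field says revoked: what step 4 of the check above looks for."""
    return [k.keyid for k in keys if k.revoked]


# Constructed sample listing: placeholder key IDs, hashes and addresses, not real keys.
SAMPLE_LISTING = """\
tru::1:1100000000:0:3:1:5
pub:r:1024:17:0000000000000001:2004-11-17:::-:::sc:
uid:r::::2004-11-17::0000000000000000000000000000000000000001::Constructed Key One <one@example.invalid>:
rev:::17:0000000000000001:2004-11-18::::Constructed Key One <one@example.invalid>:20x:
sig:::17:0000000000000001:2004-11-17::::Constructed Key One <one@example.invalid>:13x:
sub:r:1024:16:0000000000000011:2004-11-17::::::e:
pub:f:1024:17:0000000000000002:2004-11-17:::u:::scESC:
uid:f::::2004-11-17::0000000000000000000000000000000000000002::Constructed Key Two <two@example.invalid>:
sig:::17:0000000000000002:2004-11-17::::Constructed Key Two <two@example.invalid>:13x:
sig:::17:0000000000000003:2004-11-18::::Constructed Signer <three@example.invalid>:10x:
sub:f:1024:16:0000000000000022:2004-11-17::::::e:
"""

if __name__ == "__main__":
    for key in parse_colons(SAMPLE_LISTING):
        print(key.summary())
    print("revoked:", revoked_keyids(parse_colons(SAMPLE_LISTING)))
```

On a real system the listing comes from `gpg --with-colons --list-sigs` run in the throwaway keyring Jens describes (or after Neil's delete-and-reimport), so the validity field reflects what the keyserver handed back rather than what was in the local keyring before; a key that is still "f" or "-" there has not been revoked on the server.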
From squidjohnson at yahoo.com Wed Nov 17 10:55:55 2004
From: squidjohnson at yahoo.com (Johnson Jeba Asir)
Date: Wed Nov 17 10:52:53 2004
Subject: Newbee question
Message-ID: <20041117095555.23839.qmail@web52102.mail.yahoo.com>

Hello all,

I'm just trying to configure gpg. My requirement is as follows:

1. The client has to encrypt the messages with its key
2. The client keys should be updated to the server
3. Using the client key the server has to decrypt the message

I had carried out the following steps:

from PC1

1. gpg --gen-key
   (Real name = Gpg Client, Email-ID = gpgclient@localhost)
2. gpg --armor --export gpg@localhost > mykey.txt
3. gpg -e -r gpgclient plain.txt
   (after the above command I was able to see a plain.txt.gpg binary file)

The mykey.txt and plain.txt.gpg files are transferred to PC2.

from PC2

1. gpg --import mykey.txt
   (Got the key added message)
2. gpg -d < plain.text.gpg

The above command threw me the following message. Where am I making a mistake? Kindly help me to solve the problem.

[pgpserver@mypc pgpserver]$ gpg -d < /tmp/Key/t.txt.gpg
gpg: Warning: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: encrypted with 1024-bit ELG-E key, ID B97C02D6, created 2004-11-17
      "gpgclient (nothing) "
gpg: decryption failed: secret key not available

Thanks in advance

Regards,
John
From sam at rfc1149.net Wed Nov 17 11:27:37 2004
From: sam at rfc1149.net (Samuel Tardieu)
Date: Wed Nov 17 11:26:58 2004
Subject: support for non-openpgp cards
References: <20041115183015.GA1269@zax.CARNET> <87zn1hoagx.fsf@wheatstone.g10code.de>
Message-ID: <87hdnobwiu.fsf@beeblebrox.rfc1149.net>

>>>>> "Werner" == Werner Koch writes:

Werner> On Mon, 15 Nov 2004 19:30:15 +0100, Zeljko Vrba said:

>> I have already talked to Werner about this, and he didn't like the
>> idea because of GPL license (the result of linking proprietary
>> PKCS#11 lib with GPG is undefined). So please, no arguments about
>> that. I'll leave to

Werner> Sorry but this is not just undefined: it is a clear violation
Werner> of the GPL.

Linking a GPL program with proprietary code is allowed as long as you don't distribute the result in binary form.

  Sam
--
Samuel Tardieu -- sam@rfc1149.net -- http://www.rfc1149.net/sam

From linux at codehelp.co.uk Wed Nov 17 12:10:56 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Wed Nov 17 12:08:38 2004
Subject: Newbee question
In-Reply-To: <20041117095555.23839.qmail@web52102.mail.yahoo.com>
References: <20041117095555.23839.qmail@web52102.mail.yahoo.com>
Message-ID: <200411171111.04077.linux@codehelp.co.uk>

On Wednesday 17 November 2004 9:55 am, Johnson Jeba Asir wrote:

> 1. The client has to encrypt the messages with its key
> 2. the Client keys should be updated to the server
> 3. Using the client key the server has to decrypt the
> message

To do this, the server needs the secret key of the client. This may be insecure. Can't the server have its own key? Does the server need a key at all? If you just want to encrypt something during transport, use SSH and its partner scp, which use the same security as https://

> 2. gpg --armor --export gpg@localhost > mykey.txt

You haven't exported the secret key yet. It's a separate option because it has security implications and shouldn't be used without thinking through the problems.
Once you export a secret key and copy it to another machine, the chances of the key being compromised increase. If this is to be your personal key, it would be better to use a key for you and a separate key for the server. Better still, find a way for the server to not do the decryption itself if you cannot solve the security problems.

gpg -a --export-secret-key gpg@localhost > mysecretkey.txt

> 3. gpg -e -r gpgclient plain.txt (after the above
> command i was able to see a plain.txt.gpg binary file)
>
> The mykey.txt and plain.txt.gpg files are transfered
> to the PC2

And mysecretkey.txt

> from PC2
>
> 1. gpg --import mykey.txt
> (Got the key added message)

gpg --import mysecretkey.txt

> 2. gpg -d < plain.text.gpg

Hence:

> gpg: decryption failed: secret key not available

gpg is right: the secret key needed to decrypt the message (the client secret key) isn't available.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From gnupg at kubieziel.de Wed Nov 17 13:25:35 2004
From: gnupg at kubieziel.de (Jens Kubieziel)
Date: Wed Nov 17 13:54:28 2004
Subject: Of Public Key Servers, Revocation and Key ID's
In-Reply-To: <20041117054307.88342.qmail@web52510.mail.yahoo.com>
References: <20041117054307.88342.qmail@web52510.mail.yahoo.com>
Message-ID: <20041117122535.GA5454@kubieziel.de>

* Servie Platon wrote on 2004-11-17 at 06:43:

> Based from my understanding, after we create our key pair we are
> supposed to create a revocation certificate right away so that in the
> event that our key pair in particular private key has been compromised
> or regarded as useless we can revoke it anytime.
ACK. That should be the first step after generating the key.

> Now, if we would like our public keys to be readily available to
> everyone for verification purposes, public keyserver are available to
> us so we could upload these.

You should use a keyserver which synchronises with others. So subkeys.pgp.net or random.sks.keyserver.penguin.de are both good choices. Furthermore you can publish your key at your website.

> 1. Assuming, I wanted to revoke KeyID#1 which I uploaded to
> penguin.de. How do I do this?

gpg --import $REVOCATION_CERTIFICATE

You should also upload this revoked key to a keyserver.

> Now, to check if this has been revoked at the prompt, I see my KeyID
> with revoke in it. Does this mean locally my Key has been revoked or
> it has been revoked at the public key server as well?

You could check a keyserver's web interface (e.g. http://subkeys.pgp.net:11371/). If the key is revoked, then you'll see it there. You can also create a new test user on your system and receive your key. If "gpg --list-keys" shows the key as revoked, then it is revoked.

> 2. How do we check for the KeyID's that it really comes from that
> person? For instance, I post here and it displays my Key ID, how do
> you guys check my KeyID if in case, I have already posted this to a
> public key server?

Normally you have to do some keysignings. That means you have to meet other people and check their passports and their fingerprints. If all seems OK, you sign the other's key. If the other one thinks that all is OK, he'll sign your key. "gpg --list-sigs $KEYID" shows you a list of all signatures a key has. If you have signed person B's key and B has signed C's key and you trust B, then you can (more or less) be sure that C is C.

> I really do need some pointers on how to manage my keys properly and I
> feel this is the place where I could find the answers.

You can check http://www.gnupg.org/(en)/documentation/index.html. I guess it answers some of your questions.
--
Jens Kubieziel                                   http://www.kubieziel.de
Want to lose weight? Then pick fruit.
                                                  Erhard Horst Bellermann

From mcgrof at ruslug.rutgers.edu Wed Nov 17 16:18:39 2004
From: mcgrof at ruslug.rutgers.edu (Luis R. Rodriguez)
Date: Wed Nov 17 16:15:14 2004
Subject: PGP/MIME corrupting Exchange server mailboxes?
Message-ID: <20041117151839.GU24306@ruslug.rutgers.edu>

I PGP/MIME sign my e-mails at work and our mail server is an Exchange Server. Now some mailboxes are being moved from one mailstore to another and apparently a lot of errors are popping up in logs when this is done. It seems a lot of my e-mails come up as corrupt. This is only happening for the e-mail I have sent to peers at work. The only thing I can think of as the root cause is that I am the only person who PGP/MIME signs my e-mails.

Now, according to the Official Internet Protocol Standards [1], RFC 2015 is already an accepted standard. I am still wondering if anyone knows if data corruption can occur or has occurred before on mail servers for PGP/MIME signed e-mails.
The error that pops up looks as follows:

---
- =C2=A0 = /dc=3Dnet/dc=3DCompanyName/cn=3DConfiguration/cn=3DServices/cn=3DMic= rosoft Exchange/cn=3DCompanyName/cn=3DAdministrative Groups/cn=3DFirst = Administrative = Group/cn=3DServers/cn=3DMAIL/cn=3DInformationStore/cn=3DFirst Storage = Group/cn=3DMailbox Store (MAIL1)=20 =C2=A0 - =C2=A0 M= ISC=20 =C2=A0 Luis Rodriguez=20 =C2=A0 Luis' Co-worker=20 =C2=A0 Some regular e-mail=20 =C2=A0 676=20 =C2=A0 7/7/2004 10:35 AM=20 =C2=A0 7/7/2004 10:35 AM=20 =C2=A0 = 3FF3339124FCE741867D958113CD63DC00000020164A=20 =C2=A0
---

I have done some searching on what error code 80004005 may mean and the only thing relevant I can find is a problem with Exchange on "use of quotation mark (") character in name of storage group using Exchange Management Object" [2] -- whatever the hell this means.

Any feedback would be welcomed. Thanks.

[1] http://www.rfc-editor.org/rfcxx00.html
[2] http://support.microsoft.com/?scid=kb;en-us;256420&spid=1773&sid=global

--
GnuPG Key fingerprint = 113F B290 C6D2 0251 4D84 A34A 6ADD 4937 E20A 525E
From rafal at rudnicki.com.pl Wed Nov 17 09:23:51 2004
From: rafal at rudnicki.com.pl (Rafał Rudnicki)
Date: Wed Nov 17 16:38:14 2004
Subject: (foulty) revoking key
Message-ID: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl>

While experimenting with keys I executed several careless steps and now seek some way out of the situation.

Steps executed:
- generated a proper pair of keys
- generated revoke-cert (revocation certificate / key)
- did send the public key to keyserver
- double clicked (by mistake) the revoke-cert file, which resulted in revoking my key (locally, on my PC)
- I DID NOT send the revoked key to the key server (so the revoked key is still present there as a valid key)
- deleted from HD all files related to the "old" / revoked key (public key, secret key, revocation file, all backups; it was done very effectively, I can not recover the files even with a solid file recovery software)

The problem: how to revoke / delete the not valid key from the keyserver having nothing else but the public key on this server and the passphrase?

I have GnuPG 1.2.3 and GnuPG Shell

---------------------------------------------
Rafał Rudnicki
www.rudnicki.com.pl

From yurgi.arginzoniz at air-bites.com Wed Nov 17 14:53:07 2004
From: yurgi.arginzoniz at air-bites.com (Xabier Iurgi Arginzoniz Cebreiro)
Date: Wed Nov 17 16:38:18 2004
Subject: Compiling gnupg for mipsel
Message-ID: <11135.80.25.69.159.1100699587.squirrel@80.25.69.159>

Hello there

I'd be very pleased if anyone could help me with this issue. I'll explain my situation:

- I have a Linksys WRT54G with openWRT on it: that is, a wireless router with linux on it.
- I need gpg for it: it has a mipsel processor.
- I have successfully compiled gpg, but it amazingly takes 3,8MB of disk space!!
- I only have 580KB free space on my box's flash memory.
I've tried compiling it with everything disabled (--disable-[all the variations]) and finally reduced it to 3,6MB. When I look at the size of the x86 linux binaries, I see they only use 600KB approx. Why is it? Can I reduce the size of it? Does anyone already have a compiled version for mips architecture??

Any help is very appreciated. If possible, post it to both the mailing list and my address: yurgi.arginzoniz@air-bites.com

-----------------------------
Xabier Iurgi Arginzoniz
air bites Bilbao Technical Team
----------------------------

From gottfried.hufnagel at onb.ac.at Wed Nov 17 17:18:28 2004
From: gottfried.hufnagel at onb.ac.at (gottfried hufnagel)
Date: Wed Nov 17 17:15:00 2004
Subject: (foulty) revoking key
In-Reply-To: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl>
References: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl>
Message-ID: <200411171718.34668.gottfried.hufnagel@onb.ac.at>

Sorry, but there is no way for the keyserver to prove your identity without a public key. So the key cannot be deleted (afaik).

btw: I'm with you. Did it the same (hard) way.

On Wednesday 17 November 2004 09:23, Rafał
Rudnicki wrote:
> while experimenting with keys I executed several careless steps and now
> seek some way out of the situation
>
> steps executed:
> - generated a proper pair of keys
> - generated revoke-cert (revoking certificate / key)
> - did send the public key to keyserver
> - double clicked (by mistake) the revoke-cert file, which resulted in
> revoking my key (locally, on my PC)
> - I DID NOT send the revoked key to key server (so the revoked key still is
> present there as a valid key)
> - deleted from HD all files related to the "old" / revoked key (public key,
> secret key, revocation file, all backups (it was done very effectively, I
> can not recover the files even with a solid file recovery software)
>
> the problem: how to revoke / delete the not valid key from keyserver having
> nothing else but the public key on this server and passphrase ?
>
> I have GnuPG 1.2.3 and GnuPG Shell
> ---------------------------------------------
> Rafał Rudnicki
> www.rudnicki.com.pl

--
Ing. Gottfried Hufnagel
System Administrator
Central IT Service
Österreichische Nationalbibliothek
Josefsplatz 1, 1015 Wien
Tel.: (+43 1) 53 410 - 607
Fax: (+43 1) 53 410 - 610
Email: gottfried.hufnagel@onb.ac.at
Web: www.onb.ac.at
From gottfried.hufnagel at onb.ac.at Wed Nov 17 17:32:02 2004
From: gottfried.hufnagel at onb.ac.at (gottfried hufnagel)
Date: Wed Nov 17 17:28:29 2004
Subject: (foulty) revoking key
In-Reply-To: <200411171718.34668.gottfried.hufnagel@onb.ac.at>
References: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl> <200411171718.34668.gottfried.hufnagel@onb.ac.at>
Message-ID: <200411171732.02468.gottfried.hufnagel@onb.ac.at>

typo:

[..] no way for the keyserver to prove your identity without the PRIVATE key [..]

On Wednesday 17 November 2004 17:18, gottfried hufnagel wrote:
> sorry. but there is no way for the keyserver to prove your identity without
> a public key. so the key cannot be deleted (afaik).
> btw: i'm with you. did it the same (hard) way
>
> On Wednesday 17 November 2004 09:23, Rafał Rudnicki wrote:
> > while experimenting with keys I executed several careless steps and now
> > seek some way out of the situation
> >
> > steps executed:
> > - generated a proper pair of keys
> > - generated revoke-cert (revoking certificate / key)
> > - did send the public key to keyserver
> > - double clicked (by mistake) the revoke-cert file, which resulted in
> > revoking my key (locally, on my PC)
> > - I DID NOT send the revoked key to key server (so the revoked key still
> > is present there as a valid key)
> > - deleted from HD all files related to the "old" / revoked key (public
> > key, secret key, revocation file, all backups (it was done very
> > effectively, I can not recover the files even with a solid file recovery
> > software)
> >
> > the problem: how to revoke / delete the not valid key from keyserver
> > having nothing else but the public key on this server and passphrase ?
> >
> > I have GnuPG 1.2.3 and GnuPG Shell
> > ---------------------------------------------
> > Rafał
Rudnicki
> > www.rudnicki.com.pl

--
Ing. Gottfried Hufnagel
System Administrator
Central IT Service
Österreichische Nationalbibliothek
Josefsplatz 1, 1015 Wien
Tel.: (+43 1) 53 410 - 607
Fax: (+43 1) 53 410 - 610
Email: gottfried.hufnagel@onb.ac.at
Web: www.onb.ac.at

From linux at codehelp.co.uk Wed Nov 17 17:56:58 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Wed Nov 17 17:53:39 2004
Subject: Compiling gnupg for mipsel
In-Reply-To: <11135.80.25.69.159.1100699587.squirrel@80.25.69.159>
References: <11135.80.25.69.159.1100699587.squirrel@80.25.69.159>
Message-ID: <200411171657.05111.linux@codehelp.co.uk>

On Wednesday 17 November 2004 1:53 pm, Xabier Iurgi Arginzoniz Cebreiro wrote:

> I've tried compiling it with everything disabled (--disable-[all de
> variations]) and finally reduce it to 3,6MB. When I look at the size of
> the x86 linux binaries, I see they only use 600KB aprox.

You've used strip?

man strip
strip - Discard symbols from object files.

Packaging schemes will strip the debugging symbols, but when compiling from source it's usually left to you, because if you are developing code you need debugging symbols to work with gdb etc.

Stripping one of my own library files compiled from a tarball makes it go from 53Kb to 9.3kb - a six-fold decrease that should bring your 3.6Mb closer to 600kb.

Sometimes strip can be put into the make options, or it can be done when preparing the package.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From linux at codehelp.co.uk Wed Nov 17 18:05:34 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Wed Nov 17 18:02:38 2004
Subject: (foulty) revoking key
In-Reply-To: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl>
References: <20041117082351.BFB1BC796D@mail32.partnerzy.futuro.pl>
Message-ID: <200411171705.37606.linux@codehelp.co.uk>

On Wednesday 17 November 2004 8:23 am, Rafał Rudnicki wrote:

> - generated a proper pair of keys
> - generated revoke-cert (revoking certificate / key)
> - did send the public key to keyserver

Good.

> - double clicked (by mistake) the revoke-cert file, which resulted in
> revoking my key (locally, on my PC)

Bad. (Blame your OS - there's no reason for a revocation certificate to have an automatic action; it should be described as text/plain and load in a text editor, NOT gpg.)

> - I DID NOT send the revoked key to key server (so the revoked key still is
> present there as a valid key)

Good - if you'd done the next bit properly. As it turns out, sending to the keyserver was a bad thing.

> - deleted from HD all files related to the "old" / revoked key (public key,
> secret key, revocation file, all backups (it was done very effectively, I
> can not recover the files even with a solid file recovery software)

BAD!!! There was no need to delete the secret key (or the revocation certificate). Panic is NOT a good tutor.

> the problem: how to revoke / delete the not valid key from keyserver having
> nothing else but the public key on this server and passphrase ?

You can't. You need one of two things:

1.
the secret key AND passphrase (neither is adequate on their own)

OR

2. the revocation certificate.

There's nothing you can do; your original key now joins the army of redundant keys on keyservers that can never be used or revoked.

Next time, PRINT the revocation certificate, DELETE the revocation certificate FILE and keep the print out very safe.

THINK before you go for the shredder.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From torduninja at netcourrier.com Wed Nov 17 21:19:08 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Wed Nov 17 21:15:42 2004
Subject: w32 installation paths
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Werner Koch wrote:
>
>> Does gpg.exe really require it? I thought it was only needed when you wanted
>> to use translations, which can of course be skipped for a project like this.
>
> Right, it is only used for translation and for converting user IDs and
> such. It is only important to use when you are creating a new user
> ID with non-ascii characters from a non Latin-1 code pages.
>
This doesn't seem to be the case. My tests of running 1.3.92 on a floppy without the iconv.dll on the machine or the floppy showed that gpg couldn't access the key rings, and logically couldn't encrypt or decrypt anything.

Any command which involves access to the key rings gives the error message

gpg: error loading 'iconv.dll' ec:126

and then gpg stops.

> And there is no problem to copy that DLL to the usual DLLPATH.
> Several programs are using that DLL and it won't harm to have it on
> every Windows PC.
>
That indeed solves the problem, but whether it's possible to write to the usual DLLPATH on a public machine is another matter.

Salut
Maxine

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: GPG TO GO http://www.torduninja.tk

iD8DBQFBm7AQKBY/R6nbCcARAmGNAJ4hj6ttCF3duobhjrff5rSWsWs55QCfWItd
2TwTQ/tdw2DAkHgnX/+FeHo=
=HDJm
-----END PGP SIGNATURE-----

From vedaal at hush.com Thu Nov 18 00:41:41 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Nov 18 00:38:17 2004
Subject: w32 installation paths // iconv.dll
Message-ID: <200411172341.iAHNfgAK068564@mailserver3.hushmail.com>

Maxine Brandt torduninja at netcourrier.com Wed Nov 17 21:19:08 CET 2004 wrote:

>> it is only used for translation and for converting user IDs and
>> such. It is only important to use when you are creating a new user
>> ID with non-ascii characters from a non Latin-1 code pages.

> This doesn't seem to be the case. My tests of running 1.3.92 on a
> floppy without the iconv.dll on the machine or the floppy showed that
> gpg couldn't access the key rings, and logically couldn't encrypt or
> decrypt anything.

> Any command which involves access to the key rings gives the error
> message
> gpg: error loading 'iconv.dll' ec:126
> and then gpg stops.

As gpg to go on a floppy is a very worthwhile endeavor, and *very* useful, could there be an option to avoid calling the iconv.dll? (under 'expert', if felt more appropriate)

That would allow gnupg to continue the operations that don't really require the iconv.dll.

vedaal
From wk at gnupg.org Thu Nov 18 09:55:21 2004
From: wk at gnupg.org (Werner Koch)
Date: Thu Nov 18 09:59:35 2004
Subject: w32 installation paths // iconv.dll
In-Reply-To: <200411172341.iAHNfgAK068564@mailserver3.hushmail.com> (vedaal@hush.com's message of "Wed, 17 Nov 2004 15:41:41 -0800")
References: <200411172341.iAHNfgAK068564@mailserver3.hushmail.com>
Message-ID: <87zn1f35ae.fsf@wheatstone.g10code.de>

On Wed, 17 Nov 2004 15:41:41 -0800, said:

> could there be an option to
> avoid calling the iconv.dll ?

Don't know why this should harm but --charset=latin-1 or better --charset=utf-8 should do the trick.

Werner

From johanw at vulcan.xs4all.nl Thu Nov 18 14:00:42 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Nov 18 13:56:06 2004
Subject: w32 installation paths // iconv.dll
In-Reply-To: <87zn1f35ae.fsf@wheatstone.g10code.de> from Werner Koch at "Nov 18, 2004 09:55:21 am"
Message-ID: <200411181300.OAA01020@vulcan.xs4all.nl>

Werner Koch wrote:

>Dont know why this should harm but --charset=latin-1 or better
>--charset=utf-8 should do the trick.

Hmmm. Putting charset=latin-1 or utf-9 in gpg.conf gave an error that the file contained an invalid option when using gpg 1.3.92 (on Linux). However, in the default gpg.conf there is an option for charset, so I assume this is an option that can be put in gpg.conf. Is this a bug?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From pragai at rubin.hu Thu Nov 18 15:39:46 2004
From: pragai at rubin.hu (Prágai, Róbert)
Date: Thu Nov 18 15:36:55 2004
Subject: support for non-openpgp cards
In-Reply-To: <20041115183015.GA1269@zax.CARNET>
References: <20041115183015.GA1269@zax.CARNET>
Message-ID: <419CB432.5010104@rubin.hu>

Hi Zeljko,

big welcome for the pkcs11 patch for gnupg! We use cryptoflex e-gate 32k cards here and planned to make such a patch, too. You were the quicker:) My question: is the MUSCLE pkcs11 library required for this patch or any other pkcs11 (e.g. opensc-pkcs11) library will do the job?

> 1. Is there enough interest from GPG users to pursue further development of
> non-OpenPGP smart-cards? (either with PKCS#11 which I'd prefer, or with
> MUSCLE API; if there is enough interest I'll contact the developers of
> MUSCLE to resolve PKCS#11 issues).

Yes there is! I think like opensc-pkcs11 support would also be nice. However, maybe there is no need for it if MUSCLE pkcs11 support works just fine...

Thanks for this patch,
Robert

From vedaal at hush.com Thu Nov 18 16:08:11 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Nov 18 16:04:44 2004
Subject: w32 installation paths // iconv.dll
Message-ID: <200411181508.iAIF8CND065891@mailserver3.hushmail.com>

Johan Wevers johanw at vulcan.xs4all.nl Thu Nov 18 14:00:42 CET 2004 wrote:

>Hmmm. Putting charset=latin-1 or utf-9 in gpg.conf gave an error that
>the file contained an invalid option when using gpg 1.3.92 (on Linux).

the following option in gpg.conf works (1.3.6 on windows):

charset utf-8

(no = or - between charset and utf)

the real test would be if it works from the floppy on 1.3.92 without the iconv.dll

vedaal
From sist.mex at ovoplus.com Thu Nov 18 18:51:20 2004
From: sist.mex at ovoplus.com (Lorenzo Maldonado M.)
Date: Thu Nov 18 19:17:02 2004
Subject: Outlook and mozilla mail
Message-ID: <20041118175207.25B355265E@mail.ovoplus.com>

Hi! I have the following problem, I have a user using Outlook2000, g-data(0.91 now outlgpg-0.94) plugin, gnupg1.2.5, and gpgshell3.30rc. Other users are using Mozilla mail 1.7.3, enigmail0.8.5, gnupg1.2.5, and gpgshell3.30rc

When I send a message encrypt with attachments (from mozilla mail to outlook), mozilla mail give 3 options to encrypt, when I select the 3rd option (PGP/MIME) the message is send in one file (encrypted.asc), then when I was to unencrypt in outlook, it can't unencrypt the message. How can I resolve this problem?

When I select the 1st or the 2nd option I don't have problems to encrypt/unencrypt with this mua's (outlook, mozilla mail)

Do you know how to resolve it problem??

Thanks!

From torduninja at netcourrier.com Thu Nov 18 19:44:00 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Thu Nov 18 19:40:28 2004
Subject: w32 installation paths // iconv.dll
Message-ID:

Werner Koch wrote

> > could there be an option to
> > avoid calling the iconv.dll ?
>
> Dont know why this should harm but --charset=latin-1 or better
> --charset=utf-8 should do the trick.
>

Alas! This doesn't solve the problem.

Also, trying with latin-1 I get the error

gpg: latin-1 is not a valid character set

Salut,
Maxine

From zvrba at globalnet.hr Thu Nov 18 19:59:39 2004
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Thu Nov 18 19:52:01 2004
Subject: support for non-openpgp cards
In-Reply-To: <419CB432.5010104@rubin.hu>
References: <20041115183015.GA1269@zax.CARNET> <419CB432.5010104@rubin.hu>
Message-ID: <419CF11B.8030104@globalnet.hr>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Prágai, Róbert wrote:
| Hi Zeljko,
|
| big welcome for the pkcs11 patch for gnupg! We use cryptoflex
| e-gate 32k cards here and planned to make such a patch, too. You
| were the quicker:) My question: is the MUSCLE pkcs11 library
| required for this patch or any other pkcs11 (e.g. opensc-pkcs11)
| library will do the job?
|
|

I believe that any PKCS#11 implementation for that card should work in theory.

Unfortunately, I have seen few PKCS#11 implementations (even commercial) that correctly implement PKCS#11 spec in all relevant aspects. So that supporting different PKCS#11 _implementation_ (even for the same card) could result in big code changes..

So, what _in theory_ should be ONE source, _in practice_ that source gets many #ifdefs for various PKCS#11 implementations.. :(

Even my implementation has flaws that I described in my first mail (what I believe are bugs in MUSCLE PKCS#11 implementation). So the only way to find out if it will work with OpenSC is to TRY and see if it works. If it doesn't work, debug :)

I don't have much time to spend on this, but I'll give OpenSC a try for the weekend and post the results.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBnPEaUIHQih3H6ZQRA0DeAKDI9dcpDPWSB4nNLxHPw1f88FcP+ACfeh5K
OP0nb2OsADRrx/O8oRqkVwU=
=8F20
-----END PGP SIGNATURE-----

From vedaal at hush.com Thu Nov 18 20:54:48 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Thu Nov 18 20:51:25 2004
Subject: w32 installation paths // iconv.dll
Message-ID: <200411181954.iAIJsnFx030360@mailserver3.hushmail.com>

Maxine Brandt torduninja at netcourrier.com Thu Nov 18 19:44:00 CET 2004 wrote:

>A las! This doesn't solve the problem.
>Also, trying with latin-1 I get the error
>gpg: latin-1 is not a valid character set

1.3.92 (windows binary) has a few different man.page option syntax entries:

========================[ begin quote ]============

--display-charset name

  iso-8859-1    This is the Latin 1 set
  iso-8859-2    The Latin 2 set.
  iso-8859-15   This is currently an alias for the Latin 1 set.
  utf-8         Bypass all translations and assume that the OS uses native UTF-8 encoding.

--utf8-strings
--no-utf8-strings

  Assume that command line arguments are given as UTF8 strings. The default (--no-utf8-strings) is to assume that arguments are encoded in the character set as specified by --display-charset. These options affect all following arguments. Both options may be used multiple times.

====================[ end quote ]================================

have tried using the options: (separately and together)

display-charset utf-8
utf-8 strings

but still get the same error message in 1.3.92 :

gpg: error loading 'iconv.dll' ec:126

is there an '--ignore-dll-error' type of option, or other set of options to be used ?

vedaal

From torduninja at netcourrier.com Thu Nov 18 21:00:56 2004
From: torduninja at netcourrier.com (Maxine Brandt)
Date: Thu Nov 18 20:57:24 2004
Subject: w32 installation paths // iconv.dll
Message-ID:

Vedaal wrote:

> the following option in gpg.conf works (1.3.6 on windows):
>
> charset utf-8
> (no = or - between charset and utf)
>

But 1.3.6 doesn't use the iconv.dll

Salut
Maxine

From Billt at Mahagonny.com Thu Nov 18 21:15:27 2004
From: Billt at Mahagonny.com (Bill Thompson)
Date: Thu Nov 18 21:12:30 2004
Subject: Outlook and mozilla mail
In-Reply-To: <20041118175207.25B355265E@mail.ovoplus.com>
References: <20041118175207.25B355265E@mail.ovoplus.com>
Message-ID: <20041118121527.5a076d0e@BeBop>

On Thu, 18 Nov 2004 11:51:20 -0600
"Lorenzo Maldonado M." wrote:

> Hi! I have the next problem, I have a user using Outlook2000,
> g-data(0.91 now outlgpg-0.94) plugin, gnupg1.2.5, and gpgshell3.30rc.
> Other users are using Mozilla mail 1.7.3, enigmail0.8.5, gnupg1.2.5, and
>
> gpgshell3.30rc
>
> When I send a message encrypt with attachments (from mozilla mail to
> outlook), mozilla mail give 3 opcions to encrypt, when I select the 3rd
> option (PGP/MIME) the message is send in one file (encrypted.asc), then
> when I was to unencrypt in outlook, it can't unencrypt the message. How
>
> can I resolv this problem?
>
> When I select the 1st or the 2nd option I don't have problems to
> encrypt/unencrypt with this mua's (outlook, mozilla mail)
>
> Do you known how to resolv it problem??
> Thanks!
>

Unfortunately I believe the answer is don't use Outlook. Outlook and Outlook express do not recognize PGP/MIME formatted attachments. Neither program allows you to add mime-types to the system, so you are stuck with in-line signatures or nothing.

This has been an ongoing problem for me as well, so please feel free to correct me if I'm wrong.

--
Bill Thompson
BillT@Mahagonny.com

From johnmoore3rd at joimail.com Thu Nov 18 21:52:51 2004
From: johnmoore3rd at joimail.com (John Moore)
Date: Thu Nov 18 21:49:57 2004
Subject: Outlook and mozilla mail
In-Reply-To: <20041118121527.5a076d0e@BeBop>
References: <20041118175207.25B355265E@mail.ovoplus.com> <20041118121527.5a076d0e@BeBop>
Message-ID: <419D0BA3.5080908@joimail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bill Thompson wrote:
| On Thu, 18 Nov 2004 11:51:20 -0600
| "Lorenzo Maldonado M." wrote:
|
|
|>Hi! I have the next problem, I have a user using Outlook2000,
|>g-data(0.91 now outlgpg-0.94) plugin, gnupg1.2.5, and gpgshell3.30rc.
|>Other users are using Mozilla mail 1.7.3, enigmail0.8.5, gnupg1.2.5, and
|>
|>gpgshell3.30rc
|>
|>When I send a message encrypt with attachments (from mozilla mail to
|>outlook), mozilla mail give 3 opcions to encrypt, when I select the 3rd
|>option (PGP/MIME) the message is send in one file (encrypted.asc), then
|>when I was to unencrypt in outlook, it can't unencrypt the message. How
|>
|>can I resolv this problem?
|>
|>When I select the 1st or the 2nd option I don't have problems to
|>encrypt/unencrypt with this mua's (outlook, mozilla mail)
|>
|>Do you known how to resolv it problem??
|>Thanks!
|>
|
|
| Unfortunately I believe the answer is don't use Outlook. Outlook and
| Outlook express do not recognize PGP/MIME formatted attachments. Neither
| program allows you to add mime-types to the system, so you are stuck with
| in-line signatures or nothing.
|
| This has been an ongoing problem for me as well, so please feel free to
| correct me if I'm wrong.
|

Well, there is always the "option" to pay PGP for plug-in use. Also, why not download and use Thunderbird for your Default MUA? The price is right & the PGP/MIME option is native.

JOHN :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (MingW32)
Comment: Public Key Available at: http://tinyurl.com/5ztc6
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBnQufnCmZhrerneURAuY3AKD96OrLBDXAPaKM3ZKCtgd/Ng9aEQCfcKBE
IZyv8Mljlt0IsvXv8XAzvak=
=ro7/
-----END PGP SIGNATURE-----

From moski at volny.cz Thu Nov 18 23:05:51 2004
From: moski at volny.cz (moski@volny.cz)
Date: Thu Nov 18 23:02:50 2004
Subject: encrypt memory stream
Message-ID:

Hi,

Sorry about my English. I'm new in GnuPG. I'm using win32 version of gnupg and I would like to encrypt some text from my C# code using gpg.exe. Is it possible to encrypt some text without saving it to an external file, just encrypt stream in memory? Is it possible to pass in the passphrase as a command-line argument or I must use a key without passphrase?

Thanks,
Moski

From jas at extundo.com Thu Nov 18 23:35:20 2004
From: jas at extundo.com (Simon Josefsson)
Date: Thu Nov 18 23:47:27 2004
Subject: support for non-openpgp cards
References: <20041115183015.GA1269@zax.CARNET> <419CB432.5010104@rubin.hu> <419CF11B.8030104@globalnet.hr>
Message-ID:

Zeljko Vrba writes:

> Prágai, Róbert wrote:
>
> | Hi Zeljko,
> |
> | big welcome for the pkcs11 patch for gnupg! We use cryptoflex
> | e-gate 32k cards here and planned to make such a patch, too. You
> | were the quicker:) My question: is the MUSCLE pkcs11 library
> | required for this patch or any other pkcs11 (e.g. opensc-pkcs11)
> | library will do the job?
> |
> |
> I believe that any PKCS#11 implementation for that card should work in
> theory.
>
> Unfortunately, I have seen few PKCS#11 implementations (even
> commercial) that correctly implement PKCS#11 spec in all relevant
> aspects. So that supporting different PKCS#11 _implementation_ (even
> for the same card) could result in big code changes..
>
> So, what _in theory_ should be ONE source, _in practice_ that source
> gets many #ifdefs for various PKCS#11 implementations.. :(

IMHO, you should not care about broken implementations. There is a well-defined PKCS#11 specification, even including header files. Write code for the specification. If something doesn't work because someone isn't implementing the specification, that's their problem. Polluting GnuPG code with #ifdef would make GnuPG users pay the price of others' bad work.

To make things work in the real world, and not just a dream world where everyone implements the specification, you can write a module that translates from broken PKCS#11 to correct PKCS#11. IMHO, this is much better than coding for broken PKCS#11 directly.

But hey, I'm not doing any work, so if you are, you get to choose the strategy. ;-)

There is a GNU PKCS#11 package: http://gpkcs11.sourceforge.net/

Alas, it uses OpenSSL.

Regards,
Simon

From colstar at iprimus.com.au Fri Nov 19 05:28:32 2004
From: colstar at iprimus.com.au (colstar@iprimus.com.au)
Date: Fri Nov 19 05:25:03 2004
Subject: Compiling gnupg for mipsel
In-Reply-To: <200411171657.05111.linux@codehelp.co.uk>
Message-ID: <41939016000062CD@cpms02.int.iprimus.net.au>

Another way of making the binary smaller is to use an executable compressor after stripping the debugging symbols and thus saving you disk space

Regards
C.
>-- Original Message --
>From: Neil Williams
>To: "Gnupg-Users"
>Date: Wed, 17 Nov 2004 16:56:58 +0000
>Cc: Xabier Iurgi Arginzoniz Cebreiro
>Subject: Re: Compiling gnupg for mipsel
>
>On Wednesday 17 November 2004 1:53 pm, Xabier Iurgi Arginzoniz Cebreiro wrote:
>> I've tried compiling it with everything disabled (--disable-[all de
>> variations]) and finally reduce it to 3,6MB. When I look at the size of
>> the x86 linux binaries, I see they only use 600KB aprox.
>
>You've used strip?
>man strip
>strip - Discard symbols from object files.
>
>Packaging schemes will strip the debugging symbols but when compiling from
>source, it's usually left to you because if you are developing code, you need
>debugging symbols to work with gdb etc.
>
>Stripping one of my own library files compiled from a tarball makes it go from
>53Kb to 9.3kb - a 6 fold decrease that should bring your 3.6Mb closer to
>600kb.
>
>Sometimes, strip can be put into the make options or it can be done in
>preparing the package.
>
>--
>Neil Williams
>=============
>http://www.codehelp.co.uk/
>http://www.dclug.org.uk/
>http://www.isbn.org.uk/
>http://sourceforge.net/projects/isbnsearch/
>http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From colstar at iprimus.com.au Fri Nov 19 05:37:31 2004
From: colstar at iprimus.com.au (colstar@iprimus.com.au)
Date: Fri Nov 19 05:34:07 2004
Subject: encrypt memory stream
In-Reply-To:
Message-ID: <41939016000062FE@cpms02.int.iprimus.net.au>

Hi Moski,

yes it is possible, I have written a C# wrapper for gnuPG, which seems to work a treat. It is also very easy to pass the passphrase as a command-line argument. I don't have a code sample in front of me but can provide one later.

Best Regards
C.
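For the in-memory encryption question in this thread (Moski's post and the reply above), here is an added Python example of driving gpg entirely through pipes. It is not code from the thread, from the C# wrapper mentioned, or from GnuPG itself. It assumes a GnuPG 1.x `gpg` binary on PATH and a public key for the recipient already in the keyring; the function and helper names (`encrypt_in_memory`, `build_gpg_command`, `build_stdin`) are mine. Plaintext goes in on stdin and the armoured output comes back on stdout, so no temporary file is written. When signing is wanted, the passphrase is delivered through `--passphrase-fd 0` (a real GnuPG option: the first line of stdin is the passphrase, the rest is the data) rather than as a command-line argument, because on a shared machine the argument list of every process is visible to other local users.

```python
"""Drive gpg through pipes: no temporary files, and the passphrase never
appears on the command line.

Added example for this thread; not code from the thread or from GnuPG.
Assumptions: a GnuPG 1.x `gpg` on PATH and a public key for the recipient
in the keyring.  `--passphrase-fd 0` makes gpg read the passphrase as the
first line of stdin and treat the remaining stdin bytes as the data.
"""

import subprocess
from typing import List, Optional


def build_gpg_command(recipient: str, sign: bool = False,
                      gpg_binary: str = "gpg") -> List[str]:
    """argv that encrypts stdin to `recipient` and writes ASCII armour to stdout.

    The passphrase is deliberately not part of argv: process listings expose
    every process's argument list to other local users, so the secret travels
    over a file descriptor instead.
    """
    cmd = [gpg_binary, "--batch", "--no-tty", "--armor",
           "--encrypt", "--recipient", recipient]
    if sign:
        cmd += ["--sign", "--passphrase-fd", "0"]
    return cmd


def build_stdin(plaintext: bytes, passphrase: Optional[str] = None) -> bytes:
    """Bytes for gpg's stdin: passphrase line first (signing only), then the data."""
    if passphrase is None:
        return plaintext
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("passphrase must not contain a line break")
    return passphrase.encode("utf-8") + b"\n" + plaintext


def encrypt_in_memory(plaintext: bytes, recipient: str,
                      passphrase: Optional[str] = None) -> bytes:
    """Encrypt (and sign, when a passphrase is given) entirely through pipes.

    Returns the ASCII-armoured message.  Raises RuntimeError carrying gpg's
    stderr when gpg fails (unknown recipient, key not trusted in batch mode,
    wrong passphrase).
    """
    cmd = build_gpg_command(recipient, sign=passphrase is not None)
    proc = subprocess.run(cmd, input=build_stdin(plaintext, passphrase),
                          capture_output=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.decode("utf-8", "replace"))
    return proc.stdout


if __name__ == "__main__":
    import sys
    # usage: python this_file.py <recipient key id or address>
    print(encrypt_in_memory(b"hello from memory\n", sys.argv[1]).decode())
```

The argv and stdin builders are kept separate from the call to `subprocess.run` so the command line can be inspected without a gpg binary present. In `--batch` mode gpg refuses to encrypt to a key whose validity is unknown, which is the behaviour a wrapper should keep rather than override.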
From wk at gnupg.org Fri Nov 19 10:07:14 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 19 10:09:34 2004
Subject: w32 installation paths // iconv.dll
In-Reply-To: <200411181954.iAIJsnFx030360@mailserver3.hushmail.com> (vedaal@hush.com's message of "Thu, 18 Nov 2004 11:54:48 -0800")
References: <200411181954.iAIJsnFx030360@mailserver3.hushmail.com>
Message-ID: <87vfc2qkal.fsf@wheatstone.g10code.de>

On Thu, 18 Nov 2004 11:54:48 -0800, said:

> gpg: error loading 'iconv.dll' ec:126
> is there an '--ignore-dll-error' type of option,

Not needed. I already turned it into a warning.

Werner

From yurgi.arginzoniz at air-bites.com Wed Nov 17 18:54:31 2004
From: yurgi.arginzoniz at air-bites.com (Xabier Iurgi Arginzoniz Cebreiro)
Date: Fri Nov 19 10:29:32 2004
Subject: [Fwd: Re: Compiling gnupg for mipsel]
Message-ID: <17721.80.25.69.159.1100714071.squirrel@80.25.69.159>

Hello Neil

First of all I really appreciate your help, I look forward to trying it. But I've taken a look at 'man strip' and read that 'strip --help' would give me information about the architectures it accepts, and I can't see mips; does it mean I can't strip mipsel objects? This is probably because I'm cross-compiling the gpg from a x386-debian box to mipsel, and so, the strip I have is for x386?

Is the stripping need to be done in all the object (.o) files of the gnupg or in one precise file?

Thank you very much again

Iurgi

> On Wednesday 17 November 2004 1:53 pm, Xabier Iurgi Arginzoniz Cebreiro wrote:
>> I've tried compiling it with everything disabled (--disable-[all de variations]) and finally reduce it to 3,6MB. When I look at the size of the x86 linux binaries, I see they only use 600KB aprox.
>
> You've used strip?
> man strip
> strip - Discard symbols from object files.
>
> Packaging schemes will strip the debugging symbols but when compiling from source, it's usually left to you because if you are developing code, you need
> debugging symbols to work with gdb etc.
>
> Stripping one of my own library files compiled from a tarball makes it go from
> 53Kb to 9.3kb - a 6 fold decrease that should bring your 3.6Mb closer to 600kb.
>
> Sometimes, strip can be put into the make options or it can be done in preparing the package.
>
> --
>
> Neil Williams
> =============
> http://www.codehelp.co.uk/
> http://www.dclug.org.uk/
> http://www.isbn.org.uk/
> http://sourceforge.net/projects/isbnsearch/
>
> http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
>

-----------------------------
Xabier Iurgi Arginzoniz
air bites Bilbao
Technical Team
----------------------------

From pgut001 at cs.auckland.ac.nz Fri Nov 19 09:27:04 2004
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Fri Nov 19 10:29:40 2004
Subject: support for non-openpgp cards
In-Reply-To: <419CF11B.8030104@globalnet.hr>
Message-ID:

Zeljko Vrba writes:

>I believe that any PKCS#11 implementation for that card should work in
>theory.
>
>Unfortunately, I have seen few PKCS#11 implementations (even commercial) that
>correctly implement PKCS#11 spec in all relevant aspects. So that supporting
>different PKCS#11 _implementation_ (even for the same card) could result in
>big code changes..
>
>So, what _in theory_ should be ONE source, _in practice_ that source gets
>many #ifdefs for various PKCS#11 implementations.. :(

I've spent a *lot* of time tuning the PKCS #11 code in cryptlib (http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html) for a large number of (often quite buggy) PKCS #11 drivers. It's available under a GPL-compatible licence, so you could always just use that, it'll work with pretty much any PKCS #11 device except one or two extremely broken ones.

Peter.

From pgut001 at cs.auckland.ac.nz Fri Nov 19 09:32:20 2004
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Fri Nov 19 10:29:44 2004
Subject: support for non-openpgp cards
In-Reply-To:
Message-ID:

Simon Josefsson writes:

>IMHO, you should not care about broken implementations. There is a well-
>defined PKCS#11 specification, even including header files. Write code for
>the specification. If something doesn't work because someone isn't
>implementing the specification, that's their problem.

That would rule out about 99% of all PKCS #11 implementations in existence. The problem is twofold, firstly the spec is very flexible (since it covers a large number of crypto devices ranging from little tinkertoy smart cards up to high-end crypto coprocessors) so there's a lot of room for interpretation, secondly since the major driving force for PKCS #11 for many years was Netscape, many vendors implemented whatever Netscape needed, which includes Netscape bugs. So you can't create an implementation "for the specification" both because there are many ways to interpret it and because historically drivers have done things other than the way the spec said they should.

Peter.

From anhny at wmdata.com Fri Nov 19 11:13:21 2004
From: anhny at wmdata.com (Henry Andrew)
Date: Fri Nov 19 11:10:47 2004
Subject: Determining algorithm to be used?
Message-ID: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net>

Hi,

If I encrypt a file, how can I determine which algorithm was or is used to encrypt it? Is it the first algorithm in the list of algos on my key??

If I update prefs to make sure AES256 is first, will encryption automatically use this algo??

I want to stop having to use --cipher-algo aes256 every time I encrypt.

Thanks!
--Andrew

From johanw at vulcan.xs4all.nl Fri Nov 19 11:38:48 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Nov 19 12:49:46 2004
Subject: Determining algorithm to be used?
In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net> from Henry Andrew at "Nov 19, 2004 11:13:21 am"
Message-ID: <200411191038.LAA03061@vulcan.xs4all.nl>

Henry Andrew wrote:

>If I encrypt a file, how can I determine which algorithm was or is used
>to encrypt it? Is it the first algorithm in the list of algos on my
>key??

The first algo that is on all keys the file will be encrypted to. If there are more keys I don't know in which order they will be searched.

>If I update prefs to make sure AES256 is first, will encryption
>automatically use this algo??

If you encrypt only to that key, yes.

>I want to stop having to use --cipher-algo aes256 every time I encrypt.

You could also put cipher-algo aes256 in gpg.conf.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Fri Nov 19 14:04:34 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Nov 19 14:01:42 2004
Subject: Determining algorithm to be used?
In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net>
References: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net>
Message-ID: <20041119130434.GC1303@jabberwocky.com>

On Fri, Nov 19, 2004 at 11:13:21AM +0100, Henry Andrew wrote:
> Hi,
>
> If I encrypt a file, how can I determine which algorithm was or is used
> to encrypt it? Is it the first algorithm in the list of algos on my
> key??
>
> If I update prefs to make sure AES256 is first, will encryption
> automatically use this algo??

Not necessarily. The algorithm picker works like this:

1) Take the union of all preferences from all recipient keys. This rules out any algorithm that isn't supported by all recipients. Note that all recipients understand 3DES, regardless of what the preferences say.

2) The personal-cipher-preferences list gets to be the "tie breaker". Whatever this lists first is the algorithm that is used, so long as it is still in the union (i.e. that all the keys support it). If there are no personal-cipher-preferences set, then the last key is used as the tie breaker.

> I want to stop having to use --cipher-algo aes256 every time I encrypt.

You never want to use --cipher-algo with public key encryption. It's only safe to use with --symmetric. The reason why is simple: the above system to choose algorithms to use is safe - it will never pick an algorithm that will result in an unusable message by one of the recipients. If you use --cipher-algo you override this safety net and force the use of an algorithm that not all of your recipients can handle.

The bottom line, if you want to use AES256, is to put this:

personal-cipher-preferences aes256

in your gpg.conf file. That will use AES256 whenever possible, but will never use it if a recipient cannot handle it.

Note that personal-cipher-preferences is a GnuPG 1.4 feature.

David
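The two-step selection David describes above, worked through in Python as an added example; this is not GnuPG's code and the names (`pick_cipher`, `supported_by_all`, `recipients_locked_out`, `personal_prefs_from_conf`) are mine. `pick_cipher` takes one ordered preference list per recipient key plus the optional personal-cipher-preferences list: it keeps only the algorithms every recipient lists (3DES counts as listed for everyone), then lets the tie breaker choose. Two details are my assumptions rather than statements from the post: when the personal list has no surviving entry the last key's list is consulted next, and 3DES is the final fallback. `recipients_locked_out` shows the failure mode that forcing `--cipher-algo` creates: recipients who cannot read the message. The key preference lists and the gpg.conf text in the tests are constructed sample data.

```python
"""Symmetric cipher selection for a multi-recipient OpenPGP message, after
the rule described in David Shaw's post above.  Added example, not GnuPG code.
"""

from typing import List, Optional, Sequence, Set

# Every OpenPGP implementation must support 3DES, so it is implicitly present
# in every recipient's preference list.
IMPLICIT_CIPHER = "3DES"


def supported_by_all(recipient_prefs: Sequence[Sequence[str]]) -> Set[str]:
    """Algorithms that every recipient key lists, plus the implicit 3DES.

    recipient_prefs: one ordered preference list per recipient key.
    """
    common: Optional[Set[str]] = None
    for prefs in recipient_prefs:
        supported = {p.upper() for p in prefs} | {IMPLICIT_CIPHER}
        common = supported if common is None else common & supported
    return common if common is not None else {IMPLICIT_CIPHER}


def pick_cipher(recipient_prefs: Sequence[Sequence[str]],
                personal_prefs: Optional[Sequence[str]] = None) -> str:
    """Return the cipher gpg would choose for these recipients.

    Step 1: keep only what all recipients support (supported_by_all).
    Step 2: tie breaker is personal-cipher-preferences when set, otherwise
            the last recipient key's own list; its first surviving entry wins.
    Assumption (not in the post): an exhausted personal list falls through to
    the last key's list, and 3DES is the final fallback.
    """
    if not recipient_prefs:
        raise ValueError("at least one recipient key is required")
    common = supported_by_all(recipient_prefs)
    tie_breakers: List[Sequence[str]] = []
    if personal_prefs:
        tie_breakers.append(personal_prefs)
    tie_breakers.append(recipient_prefs[-1])
    for prefs in tie_breakers:
        for algo in prefs:
            if algo.upper() in common:
                return algo.upper()
    return IMPLICIT_CIPHER


def recipients_locked_out(recipient_prefs: Sequence[Sequence[str]],
                          forced: str) -> List[int]:
    """Indices of recipients who cannot decrypt if --cipher-algo forces `forced`.

    This is the safety net that --cipher-algo removes; an empty list means the
    forced choice happens to be readable by everyone.
    """
    forced = forced.upper()
    if forced == IMPLICIT_CIPHER:
        return []
    return [i for i, prefs in enumerate(recipient_prefs)
            if forced not in {p.upper() for p in prefs}]


def personal_prefs_from_conf(conf_text: str) -> List[str]:
    """Read the `personal-cipher-preferences` line out of gpg.conf text.

    gpg.conf uses `option value...` lines (no leading dashes); comments start
    with '#'.  Returns an empty list when the option is absent.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == "personal-cipher-preferences":
            return [p.upper() for p in parts[1:]]
    return []


if __name__ == "__main__":
    # Constructed sample: two recipient keys and David's suggested gpg.conf line.
    keys = [["AES256", "AES", "CAST5"], ["AES", "CAST5"]]
    personal = personal_prefs_from_conf("personal-cipher-preferences aes256 aes\n")
    print("chosen:", pick_cipher(keys, personal))          # AES
    print("locked out by --cipher-algo aes256:",
          recipients_locked_out(keys, "aes256"))            # [1]
```

Run as a script it prints the choice for the constructed pair of keys and which recipient a forced AES256 would lock out; the four functions are independent, so any of them can be lifted into a key-management check on its own.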
From wk at gnupg.org Fri Nov 19 15:55:30 2004
From: wk at gnupg.org (Werner Koch)
Date: Fri Nov 19 15:59:31 2004
Subject: [Fwd: Re: Compiling gnupg for mipsel]
In-Reply-To: <17721.80.25.69.159.1100714071.squirrel@80.25.69.159> (Xabier Iurgi Arginzoniz Cebreiro's message of "Wed, 17 Nov 2004 18:54:31 +0100 (CET)")
References: <17721.80.25.69.159.1100714071.squirrel@80.25.69.159>
Message-ID: <877johriql.fsf@wheatstone.g10code.de>

On Wed, 17 Nov 2004 18:54:31 +0100 (CET), Xabier Iurgi Arginzoniz Cebreiro said:

> This is probably because I'm cross-compiling the gpg from a x386-debian
> box to mipsel, and so, the strip I have is for x386?

Depending on the architecture the strip may work. Anyway the cross compiler comes with a strip version for the target (something like mips-elf-strip)

> Is the stripping need to be done in all the object (.o) files of the gnupg
> or in one precise file?

strip gpg

Werner

From atom at suspicious.org Fri Nov 19 16:27:53 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Fri Nov 19 16:24:40 2004
Subject: Determining algorithm to be used?
In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net>
References: <20D152299AA73D47941BC3A94EDFF5DE046F98@WMRI000166.corp.wmdata.net>
Message-ID: <20041119152805.29610.qmail@suspicious.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, 19 Nov 2004, Henry Andrew wrote:

> If I encrypt a file, how can I determine which algorithm was or is used
> to encrypt it? Is it the first algorithm in the list of algos on my
> key??
=================

if you use "-v" or "--verbose" you will see what algo the message is being encrypted to:

$ echo test | gpg -v -ear smasher
<>
gpg: RSA/TWOFISH encrypted for: "0x84E5717C Atom Smasher "
<>

- --
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"Government is not reason, it is not eloquence, it is force; like fire, a troublesome servant and a fearful master. Never for a moment should it be left to irresponsible action."
-- George Washington

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJBnhD/AAoJEAx/d+cTpVcizS4H+gLBq+U1Add+LZSP6HFygsoJ
uc4WteUGweh8qyzkmi4IoavSy9m/0Jjy6lyfxhT5CzXJC7TI9cPnKyUUfNaZJAHP
U4bO3RningcPNTHThoYynLouPD0ILY/YWO8lsLzF4eLKniXjVos9AudAA4D3dFsd
evipC/7Ll+8GkiAPbkEIlJr5V5dHI8tEYdbI5mCovaOWue5E2RS37lkcfFLlVzp+
qDnHajHXkp2TyCaY0ccrAGao3k3dirjTRw29EzrBLK+SLqFuoGs7lND52ywZqu1E
bGgfBmtzdnYncQ8bqMJevlsFwEx6sxtHeRhAJLylOFEenKXnRopNCAwrM2K9wPY=
=H8vY
-----END PGP SIGNATURE-----

From jan-peter.ruehmann at debitel.net Fri Nov 19 17:06:54 2004
From: jan-peter.ruehmann at debitel.net (Jan-Peter Rühmann)
Date: Fri Nov 19 17:04:08 2004
Subject: GnuPG and Proxy
Message-ID: <419E1A1E.8020406@debitel.net>

Hello.

Are there any future Plans for implementing full Proxy Support?

I now tried since more than a Year but it won't work. Still the last Version 1.3.92 didn't work.

Bye,
Jan-Peter

--
Hello folks
Jan-Peter Rühmann
Gubkower Str. 7, 18195 Prangendorf, Deutschland
Tel.: +49 (038205) 65484
FAX: +49 (038205) 65212
EMail (Privat) jan-peter.ruehmann@debitel.net
HP: http://home.debitel.net/user/jan-peter.ruehmann/

From dshaw at jabberwocky.com Fri Nov 19 17:16:20 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Nov 19 17:13:28 2004
Subject: GnuPG and Proxy
In-Reply-To: <419E1A1E.8020406@debitel.net>
References: <419E1A1E.8020406@debitel.net>
Message-ID: <20041119161620.GA10044@jabberwocky.com>

On Fri, Nov 19, 2004 at 05:06:54PM +0100, Jan-Peter Rühmann wrote:
> Hello.
>
> Are there any future Plans for implementing full Proxy Support?
>
> I now tried since more than a Year but it wont work. Still the last
> Version 1.3.92 didn't work.

It depends on what you mean by "full proxy support" and "didn't work".

David

From zuxy.meng at gmail.com Fri Nov 19 17:18:28 2004
From: zuxy.meng at gmail.com (Zuxy)
Date: Fri Nov 19 17:15:23 2004
Subject: GnuPG and Proxy
In-Reply-To: <419E1A1E.8020406@debitel.net>
References: <419E1A1E.8020406@debitel.net>
Message-ID:

On Fri, 19 Nov 2004 17:06:54 +0100, Jan-Peter Rühmann wrote:
> Hello.
>
> Are there any future Plans for implementing full Proxy Support?
>
> I now tried since more than a Year but it wont work. Still the last
> Version 1.3.92 didn't work.

What do you mean by "full"? GnuPG supports hkp & http thru a http proxy.

--
Zuxy
Beauty is truth,
While truth is beauty.
PGP KeyID: E8555ED6

From ml at charliesangels.biz Fri Nov 19 17:36:45 2004
From: ml at charliesangels.biz (Sascha Kaempf)
Date: Fri Nov 19 17:33:20 2004
Subject: Little pictures
Message-ID: <419E211D.4020007@charliesangels.biz>

Hi List :)

I need your help. I have to prepare a presentation regarding GnuPG:

1) What is GnuPG ?
2) What are keys? Private key? Public key?
3) What is the difference between sign and encrypt?

I would like to add some "nice little pictures" to visualize these topics. I know it is an unusual question - but does anyone have any links or pictures handy?

Thanks and regards
Sascha

From kmb8c at virginia.edu Sat Nov 20 05:58:02 2004
From: kmb8c at virginia.edu (Kevin Binswanger)
Date: Sat Nov 20 05:55:30 2004
Subject: Two different problems
Message-ID: <419ECEDA.8040404@virginia.edu>

#1) I accidentally used the wrong revocation key, and I need to undo it (for key 0x37512C45). Is there a way to do that?

#2) I tried to fix #1 by refreshing my keys/re-receiving them from the public-key servers. I get this error:

C:\GnuPG>gpg --recv-key 37512C45
gpg: can't get key from keyserver: No such file or directory
gpg: Total number processed: 0

C:\GnuPG>

GPG worked fine before this (I was trying to revoke 42020537).

Kevin
--
"I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain."
- Bene Gesserit Litany Against Fear

From linux at codehelp.co.uk Sat Nov 20 19:39:08 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Sat Nov 20 19:36:26 2004
Subject: Two different problems
In-Reply-To: <419ECEDA.8040404@virginia.edu>
References: <419ECEDA.8040404@virginia.edu>
Message-ID: <200411201839.13907.linux@codehelp.co.uk>

On Saturday 20 November 2004 4:58 am, Kevin Binswanger wrote:
> #1) I accidentally used the wrong revocation key, and I need to undo it
> (for key 0x37512C45). Is there a way to do that?

A revocation certificate is bound to a certain key - if you imported the revocation certificate for 0x42020537, it would be revoked on your local system. The certificate for 0x42020537 cannot revoke any other key.

Check your key listings and send the key to keyservers to revoke it. Neither key is currently showing as revoked.

> #2) I tried to fix #1 by refreshing my keys/re-receiving them from the

Receiving a key from a keyserver merges the keyserver copy with the local copy - if the keyserver copy is not revoked, the --recv-key operation will have no effect. To undo a local error on your key, you must first delete the local copy of your public key and then receive the keyserver version.

> public-key servers. I get this error:
> C:\GnuPG>gpg --recv-key 37512C45
> gpg: can't get key from keyserver: No such file or directory
> gpg: Total number processed: 0

Use a different keyserver, it was found perfectly on subkeys.pgp.net and keyserver.kjsl.com - other keyservers are usually not worth using.

> GPG worked fine before this (I was trying to revoke 42020537).
> Kevin

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

From scubacuda at iname.com Sat Nov 20 22:30:49 2004
From: scubacuda at iname.com (Roger E. Rustad, Jr.)
Date: Sat Nov 20 22:22:09 2004
Subject: can receive, but not send, encrypted e-mail
Message-ID: <419FB789.9080400@iname.com>

I just recently installed Enigmail/GnuPG on Thunderbird/Windows 2000. I can receive encrypted mail from people, but I can't send out encrypted e-mail. When I check the "encrypted" option, it still sends it out in clear text. Not sure what I might be doing wrong...
Thanks in advance,
Roger

From zvrba at globalnet.hr Sun Nov 21 09:42:36 2004
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Sun Nov 21 09:34:51 2004
Subject: PKCS#11 card status summary
Message-ID: <41A054FC.5010906@globalnet.hr>

I caught some time this weekend to play with OpenSC + GPG. Now here are the results:

===== (conclusion first, as this also goes to users list)

In conclusion, the best I could do, both with MUSCLE and OpenSC[1], is the following scenario:

1. Support ONE RSA/1024 keypair per card.
2. This keypair would be used exclusively for signing.
3. The card and keypair is initialized by some extra utilities unknown to GPG.
4. The configuration about existing keypair (and other meta-data that GNUPG stores normally on OpenPGP card) is read/written from/to configuration file (in the patch is an example of pkcs11.config).

What I don't know how to do is persuade GPG that a signing keypair is on the card. GPG 'generate' command assumes that the user has an OpenPGP card and always tries to generate 3 keypairs.

[1] Within the scope of making a patch to support PKCS#11 cards in GNUPG. If I had the time I could also make patches to MUSCLE and/or OpenSC but I think it would be unacceptable to most existing users of those tools. Also I don't have the time to keep pace with development of those libraries.

===== (technical details regarding OpenSC)

1. OpenSC pkcs15-init is the only way to format the card and create PKCS#15 file structure on it (PKCS#15 is what OpenSC is all about). The sequence goes something like this:

   pkcs15-init -E -C
   pkcs15-init --store-pin --auth-id 0

   After formatting, the Cryptoflex key files are missing. I am not able to generate a key by PKCS#11 interface after this procedure.

2. After that I generate the key with

   pkcs15-init -G rsa/1024 --auth-id 0

   Unfortunately the key is marked as sign only for PKCS#11, and the PKCS#11 reports that the key is inconsistent with its usage when I call C_DecryptInit. I have not found a way to mark the same key decrypt+sign. Browsing through the source, it should be made automatically if possible.

   Why do I even need C_Decrypt? Well, PKCS#11 tokens can return public and private keys in arbitrary order and they do not have to be labeled in any way. I need to pair them and present them as a single fingerprint to GPG. So I iterate over all public keys on the card, encrypt a sample message and try decryption with each private key. When the decryption gives back the original content, I've found a keypair. I can accomplish the same goal with C_Sign.

3. OpenSC thinks that my card (Cryptoflex 8k) doesn't have RSA keygen capability so it generates the key off-card and imports it. Well, it thinks plain *WRONG*. Cryptoflex 8k *DOES* have a keygen capability (some do, some don't. but anyway, why not first try to generate on-card and if the card reports an error, generate off-card and import. the card capabilities are *HARD-CODED* into OpenSC). (BTW, I have rather old cards, OpenSC didn't have my ATR in its database so I already did hack through that part of the code).

4. OpenSC Cryptoflex card profile is strange so that I can't have more than one key pair. Strangely, pkcs15-init leaves about 4k for user data which is unused, but there is no room for another keypair directory (long story about filesystem allocation on cards..)

5. My original idea was using OpenSC PKCS#15 API to access the card. However, Werner rejected the idea (in private communication) on the grounds that OpenSC is unstable regarding the API (i.e. arbitrary API changes between versions, breaking ABI without changing the major library version number etc.). Based on his arguments (which I hold valid) I decided to make a new patch using PKCS#11 and disregard the idea of using OpenSC's PKCS#15 API.

--
The corresponding PGP public key can be found at:
http://ds.carnet.hr:11371/pks/lookup?op=get&search=0x5081D08A1DC7E994

From jluehr at gmx.net Sun Nov 21 10:55:40 2004
From: jluehr at gmx.net (Jan Lühr)
Date: Sun Nov 21 10:52:34 2004
Subject: incrementel asymetric encryption?
Message-ID: <200411211055.41155.jluehr@gmx.net>

Greetings

in order to protect some sensitive log on a server, I encrypt the log via GPG ( | gpg -e -a -r logger |). This creates an ASCII file full of GPG messages. But if I try to decrypt the log, I just get the first message and some warning about a changed / corrupted message. If I delete the first one, I get the second one, and a warning; if I delete the first n-1 messages (assuming n messages are encrypted) I get the n-th message without any warning.

But how can I decrypt the whole log at once - or how can I encrypt the log incrementally, to create one big GPG message?

Keep smiling
yanosz
--
Note: the e-mail address jluehr@netcologne.de will be deactivated shortly. Please use the address jluehr@gmx.net

From zvrba at globalnet.hr Sun Nov 21 13:12:36 2004
From: zvrba at globalnet.hr (Zeljko Vrba)
Date: Sun Nov 21 13:04:42 2004
Subject: incrementel asymetric encryption?
In-Reply-To: <200411211055.41155.jluehr@gmx.net>
References: <200411211055.41155.jluehr@gmx.net>
Message-ID: <41A08634.7050103@globalnet.hr>

|
| But how can I decrypt the whole log at once - or how can I encrypt the log
| incrementally, to create one big GPG message?
|

Well, the log is full of GPG start/end headers like
-----BEGIN PGP...
-----END PGP..

You can use csplit(3) to split the logs into corresponding PGP chunks. Something like:

csplit -z q1 '/^-----END PGP MESSAGE-----/+1' '{*}'

will split the logfile in a series of files named xx00, xx01, ... one file for each PGP record. If you have many log messages, you can also add -n option to increase the number of decimal digits, e.g. -n4

Then write a simple for loop (xx is csplit's default prefix):

for i in xx*; do gpg $i -o $i.out; done

Of course, this assumes a normal UNIX system with bourne-like shell.

--
The corresponding PGP public key can be found at:
http://ds.carnet.hr:11371/pks/lookup?op=get&search=0x5081D08A1DC7E994

From jluehr at gmx.net Sun Nov 21 19:01:03 2004
From: jluehr at gmx.net (Jan Lühr)
Date: Sun Nov 21 18:57:54 2004
Subject: incrementel asymetric encryption?
In-Reply-To: <41A08634.7050103@globalnet.hr>
References: <200411211055.41155.jluehr@gmx.net> <41A08634.7050103@globalnet.hr>
Message-ID: <200411211901.03792.jluehr@gmx.net>

Greetings,...

On Sunday, 21 November 2004 13:12, you wrote:
> | But how can I decrypt the whole log at once - or how can I encrypt
> | the log incrementally, to create one big GPG message?
>
> Well, the log is full of GPG start/end headers like
> -----BEGIN PGP...
> -----END PGP..
>
> You can use csplit(3) to split the logs into corresponding PGP chunks.
> Something like:
> for i in xx*; do gpg $i -o $i.out; done

Well, by that, I can either use a key without a passphrase or I have to enter the passphrase several times. But I want to decrypt the whole log at once without removing the passphrase and without entering it a dozen times.

Keep smiling
yanosz
--
Note: the e-mail address jluehr@netcologne.de will be deactivated shortly. Please use the address jluehr@gmx.net

From gnupg at dossen.dk Mon Nov 22 00:15:03 2004
From: gnupg at dossen.dk (Mads Laursen)
Date: Mon Nov 22 00:11:32 2004
Subject: incrementel asymetric encryption?
In-Reply-To: <200411211901.03792.jluehr@gmx.net>
References: <200411211055.41155.jluehr@gmx.net> <41A08634.7050103@globalnet.hr> <200411211901.03792.jluehr@gmx.net>
Message-ID: <20041121231502.GA17458@daimi.daimi.au.dk>

On 21/11/04 19.01, Jan Lühr wrote:
> Greetings,...
> On Sunday, 21 November 2004 13:12, you wrote:
> > | But how can I decrypt the whole log at once - or how can I encrypt
> > | the log incrementally, to create one big GPG message?
> >
> > Well, the log is full of GPG start/end headers like
> >
> > You can use csplit(3) to split the logs into corresponding PGP chunks.
> > Something like:
> > for i in xx*; do gpg $i -o $i.out; done
>
> Well, by that, I can either use a key without a passphrase or I have to enter
> the passphrase several times. But I want to decrypt the whole log at once
> without removing the passphrase and without entering it a dozen times.

How about writing a small script to do it. Just have the script prompt for the password and feed it to each gpg-instance via the --passphrase-fd option. Not as safe as letting gpg prompt for it, but it should be doable without resorting to having the password in a file.

/dossen
--
Common sense is the collection of prejudices acquired by age eighteen.
-- Albert Einstein

From johanw at vulcan.xs4all.nl Mon Nov 22 00:31:33 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Mon Nov 22 03:37:33 2004
Subject: Determining algorithm to be used?
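As an added example (not code from this thread), here is a POSIX sh version of the split-then-decrypt approach Zeljko and Mads describe above: an awk splitter that does not depend on GNU csplit and drops unarmored lines between messages, plus a loop that reads the passphrase once and hands it to every gpg run on a file descriptor. The file names and the sample log are constructed; the gpg flags assume GnuPG 1.x, and GnuPG 2.1 or later additionally needs --pinentry-mode loopback for --passphrase-fd to be honoured.

```shell
#!/bin/sh
# Added example, not from the thread. Splits a log made of concatenated
# ASCII-armored PGP messages (the per-entry "gpg -e -a" log from the
# question) into one file per message and decrypts every piece with a
# single passphrase prompt.

# split_pgp_messages INPUT OUTDIR
# Writes one file per BEGIN/END block as OUTDIR/msg0000.asc, msg0001.asc, ...
# and prints the number of blocks written. Lines outside a block (stray
# unencrypted log lines) are dropped so they cannot corrupt a chunk, and a
# trailing CR from a Windows transfer is stripped before matching.
split_pgp_messages() {
    in=$1
    out=$2
    mkdir -p "$out" || return 1
    awk -v dir="$out" '
        BEGIN { n = 0; inside = 0 }
        { sub(/\r$/, "") }
        /^-----BEGIN PGP MESSAGE-----$/ {
            inside = 1
            f = sprintf("%s/msg%04d.asc", dir, n)
            n++
        }
        inside { print > f }
        /^-----END PGP MESSAGE-----$/ {
            if (inside) close(f)
            inside = 0
        }
        END { print n }
    ' "$in"
}

# decrypt_all OUTDIR
# Prompts for the passphrase once (echo off) and feeds it to each gpg run on
# stdin via --passphrase-fd 0, as Mads suggests: the passphrase never touches
# disk and the key keeps its protection. Plaintext goes to msgNNNN.out.
# Assumption: GnuPG 1.x; GnuPG >= 2.1 also needs --pinentry-mode loopback.
decrypt_all() {
    dir=$1
    printf 'Passphrase: ' >&2
    stty -echo
    read -r pass
    stty echo
    printf '\n' >&2
    rc=0
    for f in "$dir"/msg*.asc; do
        [ -e "$f" ] || continue
        printf '%s\n' "$pass" |
            gpg --batch --quiet --passphrase-fd 0 \
                --output "${f%.asc}.out" --decrypt "$f" ||
            { printf 'decrypt failed: %s\n' "$f" >&2; rc=1; }
    done
    unset pass
    return $rc
}

# make_sample_log FILE
# Constructed input: three armored blocks with placeholder bodies (not real
# ciphertext), each followed by an unencrypted line that must be ignored.
make_sample_log() {
    i=0
    : > "$1"
    while [ "$i" -lt 3 ]; do
        {
            printf '%s\n' '-----BEGIN PGP MESSAGE-----' ''
            printf 'placeholderbody%d\n' "$i"
            printf '%s\n' '=XXXX' '-----END PGP MESSAGE-----' 'plain line, not armored'
        } >> "$1"
        i=$((i + 1))
    done
}

# Interactive use (decryption needs real ciphertext and the matching key):
#   make_sample_log audit.log; split_pgp_messages audit.log parts; decrypt_all parts
```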
In-Reply-To: <20041119130434.GC1303@jabberwocky.com> from David Shaw at "Nov 19, 2004 08:04:34 am"
Message-ID: <200411212331.AAA03065@vulcan.xs4all.nl>

David Shaw wrote:

>You never want to use --cipher-algo with public key encryption. It's
>only safe to use with --symmetric. The reason why is simple: the
>above system to choose algorithms to use is safe - it will never pick
>an algorithm that will result in an unusable message by one of the
>recipients.

Yeah, well, that's the theory. Recently I sent encrypted messages to a friend but got replies that she could not decrypt them. It turned out that her key - generated with pgp 6.something - had preferences set that were incompatible with the new setup (gpg 1.2.4 without IDEA). After I understood this and overrode the cipher algo manually decrypting my messages was no problem any more.

--
ir. J.C.A. Wevers          // Physics and science fiction site:
johanw@vulcan.xs4all.nl    // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From dshaw at jabberwocky.com Mon Nov 22 04:26:32 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon Nov 22 04:23:38 2004
Subject: Determining algorithm to be used?
In-Reply-To: <200411212331.AAA03065@vulcan.xs4all.nl>
References: <20041119130434.GC1303@jabberwocky.com> <200411212331.AAA03065@vulcan.xs4all.nl>
Message-ID: <20041122032631.GA22670@jabberwocky.com>

On Mon, Nov 22, 2004 at 12:31:33AM +0100, Johan Wevers wrote:
> David Shaw wrote:
>
> >You never want to use --cipher-algo with public key encryption. It's
> >only safe to use with --symmetric. The reason why is simple: the
> >above system to choose algorithms to use is safe - it will never pick
> >an algorithm that will result in an unusable message by one of the
> >recipients.
>
> Yeah, well, that's the theory. Recently I sent encrypted messages to a
> friend but got replies that she could not decrypt them. It turned out
> that her key - generated with pgp 6.something - had preferences set
> that were incompatible with the new setup (gpg 1.2.4 without IDEA).
> After I understood this and overrode the cipher algo manually
> decrypting my messages was no problem any more.

Yes, this is a problem. Your friend just needs to do "gpg --edit-key xxxx updpref", and the preferences will be updated properly for his new environment. Without that, he's advertising the wrong preferences and will have all sorts of problems.

GnuPG 1.4 actually does this on key import automatically, so hopefully this will become less of a problem in the future.

David

From Mike.Edwards at ega.com Fri Nov 19 17:42:46 2004
From: Mike.Edwards at ega.com (Mike Edwards)
Date: Mon Nov 22 11:37:26 2004
Subject: Group use of keys
Message-ID: <419E2286.3080509@ega.com>

Hi! I have a public key that I share with our customers and the secret is on my keyring. I have another person in my department that needs to be able to decrypt files sent by our customers that have been encoded with my public key. IOW, we want a single public key with either a shared secret or separate secret keys for the same public key. Are either scenarios possible?

Thanks!
Mike
--
Mike Edwards, MIS
Edwards Graphic Arts
2700 Bell Ave
Des Moines, IA 50321
voice: 515.280.9765 x128
fax: 515.280.9631
e-mail: Mike dot Edwards at ega dot com

From atom at suspicious.org Mon Nov 22 18:04:18 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Nov 22 18:01:24 2004
Subject: Group use of keys
In-Reply-To: <419E2286.3080509@ega.com>
References: <419E2286.3080509@ega.com>
Message-ID: <20041122170431.98704.qmail@suspicious.org>

On Fri, 19 Nov 2004, Mike Edwards wrote:
> Hi! I have a public key that I share with our customers and the secret
> is on my keyring. I have another person in my department that needs to
> be able to decrypt files sent by our customers that have been encoded
> with my public key. IOW, we want a single public key with either a
> shared secret or separate secret keys for the same public key. Are
> either scenarios possible?
=============================

it's easy for everyone to use the same key, and let everyone use their own passphrase for it.

1) "edit-key" and reset the password to something impossible. this ensures that everyone will change it.
2) export the secret key and give copies to everyone who needs it.
3) tell them that the passphrase is "pbrtavzHc0ZSRjEKsSIAdutLL6" (or something comparable) and tell them how to change it... they *will* change it.
4) you still have your copy, just reset your own passphrase after you export a copy with the impossible passphrase.

although it will work just the same, i would recommend that the UID identify it as a group (Customer Service), not an individual (Bob), but that's really for ideological reasons.

btw, how do you get your customers to use pgp?!?!

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"Until they become conscious they will never rebel, and until after they have rebelled they cannot become conscious."
-- George Orwell

From amilivojevic at pbl.ca Mon Nov 22 18:46:08 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Mon Nov 22 18:43:17 2004
Subject: Group use of keys
In-Reply-To: <419E2286.3080509@ega.com>
References: <419E2286.3080509@ega.com>
Message-ID: <41A225E0.3050600@pbl.ca>

Mike Edwards wrote:
> Hi! I have a public key that I share with our customers and the secret
> is on my keyring. I have another person in my department that needs to
> be able to decrypt files sent by our customers that have been encoded
> with my public key. IOW, we want a single public key with either a
> shared secret or separate secret keys for the same public key. Are
> either scenarios possible?

You would have to share secret key.
It would be best not to use personal key for this, because you will need to give it to your co-worker. That means he can decrypt everything, and sign anything with it. Create a new key for group usage. Basically, there is "real" difference between personal and group key other than possibly in the key ID (personal would say "Bob", group would say "Tech Support", or "Foobar Inc").

The way how to share it depends on the installation and your comfort level. If you will be using same computer, you can place it in separate keyrings (for public and private key), and include those keyrings from GnuPG configuration file (I think config options for including public and secret keyrings are not the same). Make sure file permissions on keyrings are such that only you and your co-worker can access additional secret keyring.

If two of you are using separate computers, you can share that directory on the network (NFS, windows share) and go with previous solution. But this is generally very bad idea (from security point of view). Sharing secret key is bad idea to begin with. Sharing them over network file systems is probably the most insecure way of doing it.

Better idea would be to copy needed secret and public keys into your co-worker's keyring. He can then set his own passphrase for that key, so he doesn't know your passphrase, and you don't know his passphrase.

In both cases, since there will be multiple secret keys in the keyrings, it is good idea to specify which one is default key for signing in GnuPG configuration file (depending on work requirements, that would either be personal or group key). If you don't specify default secret key, GnuPG will simply use first that it finds (something you shouldn't rely on).

--
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7

From amilivojevic at pbl.ca Mon Nov 22 18:49:41 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Mon Nov 22 18:46:46 2004
Subject: Group use of keys
In-Reply-To: <41A225E0.3050600@pbl.ca>
References: <419E2286.3080509@ega.com> <41A225E0.3050600@pbl.ca>
Message-ID: <41A226B5.5050106@pbl.ca>

Aleksandar Milivojevic wrote:
> Basically, there is "real"
> difference between personal and group key other than possibly in the key
> ID (personal would say "Bob", group would say "Tech Support", or "Foobar
> Inc").

Hm, small typo, should be "there is no real difference".

--
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7

From amilivojevic at pbl.ca Mon Nov 22 19:03:35 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Mon Nov 22 19:00:31 2004
Subject: Group use of keys
In-Reply-To: <20041122170431.98704.qmail@suspicious.org>
References: <419E2286.3080509@ega.com> <20041122170431.98704.qmail@suspicious.org>
Message-ID: <41A229F7.5040804@pbl.ca>

Atom 'Smasher' wrote:
> btw, how do you get your customers to use pgp?!?!

Bribe. Blackmail. Extortion. Horse head never fails. But in these times it is not considered to be politically correct (no animals should be hurt, but hurting humans is OK). Check "Godfather" movies for some more ideas. ;-)

--
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7

From amilivojevic at pbl.ca Mon Nov 22 19:12:37 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Mon Nov 22 19:09:36 2004
Subject: Asking a favour from fellow list subscribers
Message-ID: <41A22C15.2060908@pbl.ca>

Could somebody please email sist.mex@ovoplus.com and explain to him that Canada has more to offer than spam.
Or at least forward this email. Bouncing entire .ca top level domain isn't going to help him much with his spam problems. But it might prevent him from getting some friendly help when he needs it.

Currently I'm getting bounces from him for each and every mail I send to this list, and it's a bit annoying.

Thanks to everybody willing to help :-)

--
Aleksandar Milivojevic          Pollard Banknote Limited
Systems Administrator           1499 Buffalo Place
Tel: (204) 474-2323 ext 276     Winnipeg, MB R3T 1L7

From atom at suspicious.org Mon Nov 22 19:16:25 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Nov 22 19:13:06 2004
Subject: Group use of keys
In-Reply-To: <41A229F7.5040804@pbl.ca>
References: <419E2286.3080509@ega.com> <20041122170431.98704.qmail@suspicious.org> <41A229F7.5040804@pbl.ca>
Message-ID: <20041122181638.38175.qmail@suspicious.org>

On Mon, 22 Nov 2004, Aleksandar Milivojevic wrote:
> Atom 'Smasher' wrote:
>> btw, how do you get your customers to use pgp?!?!
>
> Bribe. Blackmail. Extortion. Horse head never fails. But in these
> times it is not considered to be politically correct (no animals should
> be hurt, but hurting humans is OK). Check "Godfather" movies for some
> more ideas. ;-)
======================

is a teddy bear head politically correct?

i *have* tried telling people (customers and friends) that if they email me the root password without encrypting it they are subject to blackmail, extortion, sabotage, baldness, warts, etc... they never listen...

of course, 90% of the root passwords that people give me would fall to a dictionary attack within hours. at least i only have 1 client who still uses telnet over the public internet (he logs in as admin and su's to root! he learned unix in the US military!).

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"They know we own their country. We own their airspace... We dictate the way they live and talk. And that's what's great about America right now. It's a good thing, especially when there's a lot of oil out there we need."
-- U.S. Brig. General William Looney

From cstacy at dtpq.com Mon Nov 22 20:23:18 2004
From: cstacy at dtpq.com (Christopher C. Stacy)
Date: Mon Nov 22 20:20:29 2004
Subject: Group use of keys
In-Reply-To: <20041122181638.38175.qmail@suspicious.org> (atom@suspicious.org)
References: <419E2286.3080509@ega.com> <20041122170431.98704.qmail@suspicious.org> <41A229F7.5040804@pbl.ca> <20041122181638.38175.qmail@suspicious.org>

   Date: Mon, 22 Nov 2004 13:16:25 -0500 (EST)
   From: "Atom 'Smasher'"

   of course, 90% of the root passwords that people give me would fall to a
   dictionary attack within hours. at least i only have 1 client who still
   uses telnet over the public internet (he logs in as admin and su's to
   root! he learned unix in the US military!).

That's probably because he was on a completely trusted network, where the network, the shielded building it's in, every device, and every person, is cleared to handle classified material. That doesn't mean that it wouldn't be a good idea to use encryption anyway, but it's unlikely that the situation is as un-secured as you might imagine. Usually in order to break into these networks, first you have to get past several physical barriers, each of which involves guards armed with machine guns. Prime numbers will be the least of your concerns.

From atom at suspicious.org Mon Nov 22 20:50:09 2004
From: atom at suspicious.org (Atom 'Smasher')
Date: Mon Nov 22 20:46:45 2004
Subject: Group use of keys
References: <419E2286.3080509@ega.com> <20041122170431.98704.qmail@suspicious.org> <41A229F7.5040804@pbl.ca> <20041122181638.38175.qmail@suspicious.org>
Message-ID: <20041122195018.75551.qmail@suspicious.org>

On Mon, 22 Nov 2004, Christopher C. Stacy wrote:
> That's probably because he was on a completely trusted network, where
> the network, the shielded building it's in, every device, and every
> person, is cleared to handle classified material. That doesn't mean that
> it wouldn't be a good idea to use encryption anyway, but it's unlikely
> that the situation is as un-secured as you might imagine. Usually in
> order to break into these networks, first you have to get past
> several physical barriers, each of which involves guards armed with
> machine guns. Prime numbers will be the least of your concerns.
===============

no doubt. that's a side effect of working for an organization so big that security is "someone else's job" and the sysadmin can't be bothered with it. it becomes a very serious issue when someone then uses that experience to get a job where they can be dangerous... IT security just doesn't have any relevance to this guy, despite a (military) resume that hints otherwise.

--
...atom

_________________________________________
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

"All that is necessary for the triumph of evil is for good men to do nothing."
-- Edmund Burke

From pmehta.net at gmail.com Tue Nov 23 06:14:14 2004
From: pmehta.net at gmail.com (Parag Mehta)
Date: Tue Nov 23 06:11:59 2004
Subject: Help on GPG error

Folks,

i am trying to use the party-table.pl script to generate the output file which fails with following error.

Error:
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search_first failed: invalid packet

I have reviewed the FAQ and made sure the setuid root is set on the gpg binary.

The steps that i performed were:

-- scp'ed the pubring.gpg file from my windows box to my linux box.
-- windows box is running gnupg-32cli-1.2.5
-- linux box is running gnupg-1.2.6 (built rpm from source using the spec file provided on RH7.2)
-- tried using the pubring.gpg file directly: failed.
-- imported the windows keyring file to a new keyring file on the linux machine. (still get the same error)
-- exported the whole keyring on the windows machine and scp'ed the armor file to the linux machine. imported the armor file on the linux machine (still fails with the same error)

Additionally i had to do the following steps to currently fix the problem but it does not solve my problem completely.

-- changed the setuid permission on the gpg binary.
-- importing pubring.gpg from a windows machine to the Linux machine failed
-- hence deleted the keyring files on Linux machine and imported the keys directly from keyserver.
-- ran party-table Perl script and Voila! the file is generated without errors.

My gpg.conf has following lines:

no-greeting
no-mangle-dos-filenames
no-mdc-warning
no-version
ignore-time-conflict
ignore-valid-from

I am still not sure as to why it gives those errors even after running the following commands:

In windows machine running gpg 1.2.5
-- gpg --armor --export -o all.asc

In linux machine running gpg 1.2.6
-- gpg --import all.asc

The import completes successfully and i can list the whole keyring however the Perl script fails to run again with the same error.

I would also like to know if this is version incompatibility or something else. I am willing to run any further tests if somebody would like me to and help figure out the root cause of this problem.
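One check worth running before blaming version incompatibility, added here as an example and not part of Parag's post: every binary OpenPGP packet starts with a tag byte (CTB) whose high bit is set (RFC 4880 section 4.2), whereas ctb=2d is 0x2d, ASCII "-", the first byte of an ASCII-armored file. The functions below classify a keyring file from its first byte and decode the packet tag; the file names and contents are constructed, and whether an armored file sitting where a binary keyring was expected is the cause in this case is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Tells a binary OpenPGP keyring from an
# ASCII-armored file (or something else) by its first byte, which is what
# "invalid packet (ctb=..)" is complaining about. RFC 4880 section 4.2: a
# packet tag byte (CTB) always has bit 7 set; bit 6 selects the new format.

# ctb_tag BYTE (decimal) -> packet tag number encoded in the CTB
ctb_tag() {
    b=$1
    if [ $(( b & 64 )) -ne 0 ]; then
        echo $(( b & 63 ))          # new-format CTB: tag in the low 6 bits
    else
        echo $(( (b >> 2) & 15 ))   # old-format CTB: tag in bits 2-5
    fi
}

# ctb_tag_name TAG -> name for the tags a keyring is expected to start with
ctb_tag_name() {
    case $1 in
        5) echo "secret key" ;;
        6) echo "public key" ;;
        *) echo "tag $1" ;;
    esac
}

# keyring_format FILE -> prints one of:
#   empty | armored | binary (<tag name>) | unknown (byte N)
keyring_format() {
    f=$1
    [ -s "$f" ] || { echo empty; return 0; }
    # first byte as an unsigned decimal; od -A n -t u1 -N 1 is POSIX
    b=$(od -A n -t u1 -N 1 "$f" | tr -d ' \t\n')
    if [ "$b" -ge 128 ]; then
        echo "binary ($(ctb_tag_name "$(ctb_tag "$b")"))"
    elif [ "$b" -eq 45 ]; then     # 0x2d, ASCII '-', i.e. "-----BEGIN PGP"
        echo armored
    else
        echo "unknown (byte $b)"
    fi
}

# keyring_check FILE -> exit 0 if usable as a keyring, 1 otherwise, with a hint
keyring_check() {
    fmt=$(keyring_format "$1")
    case $fmt in
        binary*) printf '%s: %s\n' "$1" "$fmt"; return 0 ;;
        armored) printf '%s: armored text, not a keyring; run gpg --import on it instead\n' "$1"; return 1 ;;
        *)       printf '%s: %s\n' "$1" "$fmt"; return 1 ;;
    esac
}

# make_samples DIR
# Constructed samples (names assumed, contents are not real keys).
make_samples() {
    d=$1
    printf '\231' > "$d/old-format.gpg"   # 0x99: old-format CTB, public key (tag 6)
    printf '\306' > "$d/new-format.gpg"   # 0xC6: new-format CTB, public key (tag 6)
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$d/exported.asc"
    : > "$d/empty.gpg"
}

# Usage: keyring_check ~/.gnupg/pubring.gpg
```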
From patrick.marquetecken at pandora.be Tue Nov 23 13:03:21 2004 From: patrick.marquetecken at pandora.be (Patrick Marquetecken) Date: Tue Nov 23 16:52:53 2004 Subject: OT - Encrypting /Decrypting in Gnome Message-ID: <20041123130321.00004ad1@laptop_pmn.SXPBELUX.NET> Hi, This is a bit off-topic but is there a easy way in Gnome, to encrypt and decrypt files by a double click or a right click? I have a lot of encrypted files and going to the terminal everytime ... TIA Patrick From bcrane at netcentrix.net Tue Nov 23 15:51:17 2004 From: bcrane at netcentrix.net (Bill Crane) Date: Tue Nov 23 16:53:10 2004 Subject: PGP encrypt/GnuPG decrypt problem Message-ID: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net> I'm a novice and I've struggled with this problem for a few days. I've searched the FAQs and other information sources looking for information regarding the problem that I'm having. While I've found some information in the GnuPG FAQ from question 5.9, I'm still stuck. Quick Synopsis. I've create a new key pair using GnuPG, and I've exported the new public key and imported it into PGP. I've then encrypted a file using the newly imported public key and transferred the encrypted file back to my linux server, and when I try to decrypt it I get the following message: gpg: encrypted with ELG-E key, ID 26B23A2E gpg: decryption failed: secret key not available For what it's worth, the key ID listed above (26B23A2E) does not appear (not that I can find) on any key in my PGP keyring. Here are specifics: GPG info # gpg --version gpg (GnuPG) 1.2.1 Copyright (C) 2002 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. 
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160
Compress: Uncompressed, ZIP, ZLIB

Running on RedHat Enterprise server

PGP info

Version 8.0.3 running on Windows 2000
License expiration is March 2005

Procedural info

When this key pair was created using GnuPG, I chose
DSA and ElGamal
2048 bytes
no expiration
passphrase assigned

After the key pair was created, I followed the advice found in question 5.9 of the FAQ (http://www.gnupg.org/(en)/documentation/faqs.html#q5.9) and I ran the following GnuPG commands:

$ gpg --s2k-cipher-algo cast5 --s2k-digest-algo sha1 --s2k-mode 3 \
      --simple-sk-checksum --edit MyKeyID
> setpref S9 S8 S7 S3 S2 S10 H2 H3 Z1 Z0
> updpref
> passwd (new passphrase given)
> save
$ gpg --export MyKeyID > mypublickey.pgp

The exported public key was successfully imported into PGP and appears there on my keyring.

Here is the slightly modified output of a gpg --list-keys command

# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/CC4BD445 2004-11-23 MyKeyID (MyKeyID)
sub 2048g/50FA58C8 2004-11-23

When I view the key properties of the imported key within PGP, I see this information:

ID 0xCC4BD455
Type DH/DSS
Size 2048/1024
Cipher AES-256
Enabled

From my novice perspective, everything appears to be in order, and yet when I decrypt a file with the public key using PGP and try and decrypt using GnuPG, I get:

# gpg --decrypt MyFile.txt.pgp
gpg: encrypted with ELG-E key, ID 26B23A2E
gpg: decryption failed: secret key not available

Is there a step that I have left out which I should have performed?

Thanks in advance.
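The "gpg: encrypted with ELG-E key, ID 26B23A2E" line above is read straight from the first packet of the encrypted file: a public-key encrypted session key packet (RFC 2440 tag 1) carries the 8-byte ID of the key it was encrypted to, and gpg prints the low 32 bits of it. That ID can be pulled out of the file and compared against the subkey IDs shown by gpg --list-keys without needing any secret key, which is the first check to run when decryption reports "secret key not available". The following is an added example, not code from this thread or from GnuPG: a small Python inspector that parses the packet header (old and new format), reports key ID and algorithm for a PKESK packet, and for a public key packet reports its version (v3 versus v4) and algorithm. The two sample packets are constructed inline with a made-up key ID; they are not the poster's file.

```python
"""Added example (not from the thread or from GnuPG): inspect the first
OpenPGP packet of a binary file and report which key it refers to.
Formats follow RFC 2440 (4.2 packet headers, 5.1 PKESK, 5.5.2 keys).
All sample packets below are constructed, with a made-up key ID."""
import struct

# Public-key algorithm IDs, named the way gpg --version lists them.
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "ELG-E", 17: "DSA", 20: "ELG"}

def read_packet(data, offset=0):
    """Parse one packet header (old or new format); returns (tag, body, next_offset)."""
    ctb = data[offset]
    if not ctb & 0x80:
        # Bit 7 is always set in a packet tag; ASCII armor starts with '-'.
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    if ctb & 0x40:                      # new-format header
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            length, hdr_len = first, 2
        elif first < 224:
            length = ((first - 192) << 8) + data[offset + 2] + 192
            hdr_len = 3
        elif first == 255:
            length = struct.unpack(">I", data[offset + 2:offset + 6])[0]
            hdr_len = 6
        else:
            raise ValueError("partial body lengths are not handled here")
    else:                               # old-format header
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not handled here")
        n = (1, 2, 4)[length_type]
        length = int.from_bytes(data[offset + 1:offset + 1 + n], "big")
        hdr_len = 1 + n
    start = offset + hdr_len
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, start + length

def describe_pkesk(body):
    """Tag 1: version(1) | key ID(8) | algorithm(1) | session-key MPIs.
    gpg prints the low 32 bits of the key ID as 'ID xxxxxxxx'."""
    version, keyid, algo = body[0], body[1:9], body[9]
    if version != 3:
        raise ValueError("unexpected PKESK version %d" % version)
    return {
        "version": version,
        "long_keyid": keyid.hex().upper(),
        "short_keyid": keyid[4:].hex().upper(),
        "algo": PUBKEY_ALGOS.get(algo, "unknown(%d)" % algo),
    }

def describe_public_key(body):
    """Tag 6/14: v3 keys carry a 2-byte validity field before the algorithm."""
    version = body[0]
    created = struct.unpack(">I", body[1:5])[0]
    if version in (2, 3):
        algo = body[7]
    elif version == 4:
        algo = body[5]
    else:
        raise ValueError("unexpected key packet version %d" % version)
    return {"version": version, "created": created,
            "algo": PUBKEY_ALGOS.get(algo, "unknown(%d)" % algo)}

def describe_first_packet(data):
    """Return (kind, details) for the first packet in data."""
    tag, body, _ = read_packet(data)
    if tag == 1:
        return "PKESK", describe_pkesk(body)
    if tag in (6, 14):
        kind = "public key" if tag == 6 else "public subkey"
        return kind, describe_public_key(body)
    return "tag %d" % tag, {}

# Constructed: old-format PKESK (CTB 0x84 = tag 1, one-byte length = 16)
# addressed to a made-up ElGamal subkey 0123456789ABCDEF, with dummy MPIs.
SAMPLE_PKESK = bytes([
    0x84, 0x10,
    0x03,                                            # version
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,  # key ID (constructed)
    0x10,                                            # algo 16 = ELG-E
    0x00, 0x07, 0x7F, 0x00, 0x07, 0x7F,              # two dummy 7-bit MPIs
])

# Constructed: new-format v3 RSA public key packet (CTB 0xC6 = tag 6, length 14),
# the key format PGP 2.6.x produced; MPIs are dummies.
SAMPLE_V3_RSA_KEY = bytes([
    0xC6, 0x0E,
    0x03,                     # version 3
    0x2B, 0x67, 0x4E, 0x00,   # creation time (constructed)
    0x00, 0x00,               # validity period in days (v3 only)
    0x01,                     # algo 1 = RSA
    0x00, 0x07, 0x7F,         # MPI n (dummy)
    0x00, 0x05, 0x11,         # MPI e (dummy)
])
```

To check a real file, call describe_first_packet(open("MyFile.txt.pgp", "rb").read()) and compare short_keyid with the sub line of gpg --list-keys; an .asc file must be dearmored first (gpg --dearmor), which is why the parser refuses input whose first byte lacks bit 7. A key ID of all zeros means the sender hid the recipient (throw-keyid), so no match is expected in that case.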
From Freedom_Lover at pobox.com Tue Nov 23 17:43:36 2004
From: Freedom_Lover at pobox.com (Todd)
Date: Tue Nov 23 17:40:36 2004
Subject: OT - Encrypting /Decrypting in Gnome
In-Reply-To: <20041123130321.00004ad1@laptop_pmn.SXPBELUX.NET>
References: <20041123130321.00004ad1@laptop_pmn.SXPBELUX.NET>
Message-ID: <20041123164336.GD8284@psilocybe.teonanacatl.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick Marquetecken wrote:
> This is a bit off-topic but is there an easy way in Gnome, to encrypt
> and decrypt files by a double click or a right click?
>
> I have a lot of encrypted files and going to the terminal every time ...

I don't know if Seahorse does what you want. I just recall seeing it as a Gnome based GnuPG frontend.

http://seahorse.sourceforge.net/

- --
Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Play "wheels on the bus" and get the hell out of my sight.
-- Stewie Griffin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iD8DBQFBo2i4uv+09NZUB1oRAsCQAKCszK7Z6LY+ON+iqSPDGIojFpjpjwCeLniM
r5Im0AotAR7yDftqp++71lc=
=8cpa
-----END PGP SIGNATURE-----

From linux at codehelp.co.uk Tue Nov 23 18:14:21 2004
From: linux at codehelp.co.uk (Neil Williams)
Date: Tue Nov 23 18:11:05 2004
Subject: PGP encrypt/GnuPG decrypt problem
In-Reply-To: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net>
References: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net>
Message-ID: <200411231714.24943.linux@codehelp.co.uk>

On Tuesday 23 November 2004 2:51 pm, Bill Crane wrote:
> Here is the slightly modified output of a gpg --list-keys command
> # gpg --list-keys
> /root/.gnupg/pubring.gpg

WOAH! Why on earth are you running this as ROOT!!??

A: No good reason.

Do not login as root, don't run userland programs as root, don't spend any longer than you absolutely must in a root environment.
> ------------------------
> pub 1024D/CC4BD445 2004-11-23 MyKeyID (MyKeyID)
> sub 2048g/50FA58C8 2004-11-23

> From my novice perspective, everything appears to be in order, and yet
> when I decrypt

encrypt?

> a file with the public key using PGP and try and decrypt
> using GnuPG, I get:

1. Check you can encrypt and decrypt on the one box first. Encrypt a file using GnuPG and decrypt it using GnuPG without transferring it.

2. You presumably have a key in PGP that has a secret key, try the reverse - encrypt in GnuPG to PGP.

> # gpg --decrypt MyFile.txt.pgp
> gpg: encrypted with ELG-E key, ID 26B23A2E

That's normally the subkey used to encrypt the message. e.g. with my key:

gpg: encrypted with 1024-bit ELG-E key, ID AD3CB326, created 2002-01-27

The public key is:

pub 1024D/28BCB3E3 2002-01-27 Neil Williams (CodeHelp)
uid N Williams (CodeHelp)
uid Neil Williams (general)
uid Neil Williams (Linux User Group)
uid Neil Williams (Devon and Cornwall LUG)
sub 1024g/AD3CB326 2002-01-27

Check for that subkey in your PGP keyring.

--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20041123/91d92561/attachment.bin

From troworld at rogers.com Tue Nov 23 19:10:32 2004
From: troworld at rogers.com (Dmitri Vassilenko)
Date: Tue Nov 23 19:07:44 2004
Subject: Export the smallest possible version of a public key
Message-ID: <200411231310.42655.troworld@rogers.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, list.

I'd like to send someone the smallest possible version (armored) of my public key containing only the primary key/primary uid/self sig.
At the moment, I don't see any way to do this, other than deleting all extra data locally, exporting the key, and then re(stor/fetch)ing it from a keyserver.

I've looked through the FAQ on gnupg.org, but couldn't find anything relevant. There was a section on restoring a public key from a private one, but that seems to be more complicated than the way described above.

Is there an easier way?

Thanks,
Dmitri

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBo30id7EQcXYRh/oRAuoPAJ0UD2JPhVwF+pZLcVKfcRO5lba3FQCeLHvW
jC6XKCmikv8Edok/K7y9pdo=
=NWPN
-----END PGP SIGNATURE-----

From vedaal at hush.com Tue Nov 23 20:01:38 2004
From: vedaal at hush.com (vedaal@hush.com)
Date: Tue Nov 23 19:58:11 2004
Subject: PGP encrypt/GnuPG decrypt problem
Message-ID: <200411231901.iANJ1faG021864@mailserver2.hushmail.com>

>Message: 10
>Date: Tue, 23 Nov 2004 09:51:17 -0500
>From: Bill Crane
>Subject: PGP encrypt/GnuPG decrypt problem
>To: gnupg-users@gnupg.org
>Message-ID: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net>
>Content-Type: text/plain; charset="us-ascii"; format=flowed
>
>I'm a novice
>Quick Synopsis.
>
>I've create a new key pair using GnuPG, and I've exported the new
>public key and imported it into PGP.
 ^^^^^^^^

the key _pair_ needs to be exported, the public key and then the secret key

gpg --export-secret-key keyname

> when I try to decrypt it I get the following message:
>
> gpg: encrypted with ELG-E key, ID 26B23A2E
> gpg: decryption failed: secret key not available
>
>For what it's worth, the key ID listed above (26B23A2E) does not
>appear (not that I can find) on any key in my PGP keyring.

it wasn't exported from gnupg, and couldn't be imported to pgp

> $ gpg --export MyKeyID > mypublickey.pgp

good, now do the same for the secret key

gpg --export-secret-key MyKeyID > mysecretkey.pgp

good luck

vedaal

Concerned about your privacy?
Follow this link to get secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

From dfraser at capybara.org Tue Nov 23 21:57:51 2004
From: dfraser at capybara.org (Dan Fraser)
Date: Tue Nov 23 21:54:15 2004
Subject: scripting and trust validation
Message-ID: <56F2011F-3D92-11D9-A587-000393A71CBC@capybara.org>

I'm having a problem with GPG. Here's what I want to do:

Create a top-level key that is only used for signing other keys. (Manager key)

Create a second-level key that is signed by the top-level key. (Alice's key)

Send a file signed with Alice's key and Alice's public key itself to a remote host.

Have the remote host import Alice's public key, check it against the public key of the manager (which it already has, and has full owner-trust) and if it's okay, use Alice's key to check the signature on the file.

This seems to be possible, except that I can't find a way for GPG to exit with an error condition if Alice's key cannot be validated in the trustdb. It prints WARNING messages and complains, but without actually parsing the textual output from GPG, I see no way of doing what I need.

Am I missing something?

Thanks...
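The decision Dan wants to script is what GnuPG's machine-readable status output exists for: with --status-fd, gpg writes lines prefixed "[GNUPG:]" such as GOODSIG, BADSIG, NO_PUBKEY and exactly one TRUST_* line giving the validity of the signing key under the trust database, so the outcome can be read without scraping the human-readable WARNING text. The following is an added example, not code from this thread or from GnuPG: a Python wrapper that runs gpg --status-fd 1 --verify and returns a pass/fail result that rejects anything short of a good signature from a fully or ultimately valid key. The status line formats are those GnuPG documents in its DETAILS file; the sample lines and the key IDs and user IDs in them are constructed for the test.

```python
"""Added example (not from the thread or from GnuPG): turn gpg's
--status-fd output into a pass/fail decision for scripted verification.
Status line formats follow GnuPG's doc/DETAILS; the sample lines
below are constructed with made-up key IDs and user IDs."""
import subprocess
import sys

STATUS_PREFIX = "[GNUPG:] "

# Validity of the signing key as computed from the trust database.
# Only these pass; TRUST_UNDEFINED, TRUST_NEVER and TRUST_MARGINAL fail.
ACCEPTED_TRUST = frozenset({"TRUST_FULLY", "TRUST_ULTIMATE"})

# Any of these keywords means the signature itself cannot be accepted.
FATAL_KEYWORDS = frozenset({"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG",
                            "EXPKEYSIG", "REVKEYSIG"})

def evaluate_status(status_lines, accepted_trust=ACCEPTED_TRUST):
    """Reduce gpg status lines to (ok, reason, key_id).
    ok is True only if a GOODSIG line was seen, no fatal keyword was seen,
    and the TRUST_* line for that signature is in accepted_trust."""
    good_key = None
    trust = None
    for raw in status_lines:
        if not raw.startswith(STATUS_PREFIX):
            continue                      # not a status line; ignore
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword in FATAL_KEYWORDS:
            key = fields[1] if len(fields) > 1 else None
            return False, keyword, key
        if keyword == "GOODSIG":
            good_key = fields[1]          # long key ID of the signing key
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if good_key is None:
        return False, "NO_GOODSIG", None
    if trust not in accepted_trust:
        return False, trust or "NO_TRUST_LINE", good_key
    return True, trust, good_key

def verify_detached(signature_path, data_path, gpg="gpg"):
    """Run gpg on a detached signature and evaluate its status output.
    Requires gpg on PATH; the status lines go to stdout via fd 1."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
    return evaluate_status(proc.stdout.splitlines())

# Constructed samples of what gpg writes to the status fd.
SAMPLE_VALID = [
    "[GNUPG:] SIG_ID constructedSigId 2004-11-23 1101222000",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice (constructed) <alice@example.com>",
    "[GNUPG:] TRUST_FULLY",
]
SAMPLE_UNTRUSTED = [
    "[GNUPG:] GOODSIG FEDCBA9876543210 Mallory (constructed) <mallory@example.com>",
    "[GNUPG:] TRUST_UNDEFINED",
]
SAMPLE_BAD = [
    "[GNUPG:] BADSIG 0123456789ABCDEF Alice (constructed) <alice@example.com>",
]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s file.sig file" % sys.argv[0])
    ok, reason, key = verify_detached(sys.argv[1], sys.argv[2])
    print("%s: %s (key %s)" % ("OK" if ok else "REJECT", reason, key))
    sys.exit(0 if ok else 1)
```

In the setup described above (manager key with full owner trust, Alice's key carrying the manager's signature) the classic trust model reports TRUST_FULLY for Alice's key after gpg --import of her public key, and TRUST_UNDEFINED for a key the manager never signed, so the script exits 1 for exactly the case that only produced warnings before. Use --status-fd 2 instead of 1 if the command also has to emit decrypted data on stdout.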
From shavital at mac.com Tue Nov 23 22:50:12 2004
From: shavital at mac.com (Charly Avital)
Date: Tue Nov 23 22:47:00 2004
Subject: PGP encrypt/GnuPG decrypt problem
In-Reply-To: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net>
References: <6.0.3.0.2.20041123090709.02fa7c00@mail.netcentrix.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The public key created with GnuPG in your linux system is, as you indicated:

> ------------------------
> pub 1024D/CC4BD445 2004-11-23 MyKeyID (MyKeyID)
>
> sub 2048g/50FA58C8 2004-11-23

Please note that the subkey is 50FA58C8

Your GnuPG system in your linux box tells you that:

> gpg: encrypted with ELG-E key, ID 26B23A2E

When encrypting to a DSA-ElGamal key, it's the subkey that is used for encryption. Therefore ID 26B23A2E should correspond to a subkey. This does not check against previous information stating that the subkey of the public key you generated is 50FA58C8.

You cannot find 0x26B23A2E in your PGP keyring, because 0x26B23A2E is a subkey. PGP, in public key properties, displays the existence and the dates of a subkey, but not its ID. At least, this is the way it works in a Macintosh environment. I don't know whether PGP, in a Windows environment, displays subkeys IDs. I don't think it does.

Excuse my question: when you encrypted in PGP, are you sure you used 0xCC4BD445? Your PGP keyring contains such a key, as you reported; but did you use it to encrypt that test file?

As suggested by Neil Williams: Encrypt a file using GnuPG and decrypt it using GnuPG without transferring it.

Charly
Macintosh GnuPG 1.3.92 PGP 8.1

On Nov 23, 2004, at 9:51 AM, Bill Crane wrote:

> I'm a novice and I've struggled with this problem for a few days.
> I've searched the FAQs and other information sources looking for
> information regarding the problem that I'm having. While I've found
> some information in the GnuPG FAQ from question 5.9, I'm still stuck.
>
> Quick Synopsis.
> [snip]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.92 (Darwin)

iD8DBQFBo7Ci8SG5rMkbCF4RAlIEAJ9Hxp3ZaL74bbClPPAp0jWSr7zyswCgxexX
NBX8FLU9wm3XV9+k4Lz/iCk=
=LtIg
-----END PGP SIGNATURE-----

From jharris at widomaker.com Thu Nov 25 00:38:25 2004
From: jharris at widomaker.com (Jason Harris)
Date: Thu Nov 25 00:35:11 2004
Subject: [pgp-keyserver-folk] poor use of HTTP in keyserver designs
In-Reply-To: <20041122011912.GV3782@wilma.widomaker.com>
References: <4076A92B.9050101@neggie.net> <20041122011912.GV3782@wilma.widomaker.com>
Message-ID: <20041124233825.GY3782@wilma.widomaker.com>

On Sun, Nov 21, 2004 at 08:19:12PM -0500, Jason Harris wrote:
> On Fri, Apr 09, 2004 at 09:46:19AM -0400, John Belmonte wrote:

> > While looking for keyserver software to tinker with, I stumbled upon
> > pkspxy, the key server proxy. That got me wondering why keyservers
> > would need a custom proxy. Well, looking at the HTTP response headers

> > I'd like to see the HTTP response headers improved. For example, use of
> > entity tags would allow clients and proxies to poll for key changes with
> > minimum burden to the server. Combined with proper cache control
> > headers, general HTTP proxies could serve the keyserver network well.
>
> Clients like wget only use timestamps, which I assume most browsers
> limit themselves too as well. Do you know which browsers use ETag
> for cache control? But, note that neither pks nor SKS currently index
> key IDs/fingerprints/hashes to their last update times.

keyserver.kjsl.com is now generating Date:, Content-Length:, and Content-MD5: headers for most replies. Additionally, it now supports HEAD requests with these headers included. Note that the PHP4 page(s) that support port 80 access do not generate the latter two headers, however.
While generating ETag: and Last-Modified: headers, as well as supporting If-Modified-Since and other specifiers in GET/HEAD requests will be needed for full cache-control semantics, it is unclear (to me) which proxies/caches, and, if any, which browsers/clients, implement ETag comparisons. Squid[-cache.org] seems to only use timestamps, but if anyone uses a proxy/cache that supports ETags, please let me know.

Right now, the size headers are useful so clients like wget can compute the remaining download time when retrieving keys, but I believe the MD5 values are not currently used by [m]any caches/proxies/clients. However, clients like GPG might start checking the MD5 hashes of received keys and/or issuing HEAD requests to see if the hashes have changed since the keys were last downloaded from a particular keyserver. This should not replace cache-control using ETags and/or timestamps, of course, but it should prove to be a good solution until more software supports ETags.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20041124/a3482c48/attachment.bin

From dshaw at jabberwocky.com Thu Nov 25 01:16:03 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Nov 25 01:13:23 2004
Subject: Export the smallest possible version of a public key
In-Reply-To: <200411231310.42655.troworld@rogers.com>
References: <200411231310.42655.troworld@rogers.com>
Message-ID: <20041125001602.GA17767@jabberwocky.com>

On Tue, Nov 23, 2004 at 01:10:32PM -0500, Dmitri Vassilenko wrote:
> Hi, list.
>
> I'd like to send someone the smallest possible version (armored) of
> my public key containing only the primary key/primary uid/self sig.
>
> At the moment, I don't see any way to do this, other than deleting
> all extra data locally, exporting the key, and then
> re(stor/fetch)ing it from a keyserver.
>
> I've looked through the FAQ on gnupg.org, but couldn't find anything
> relevant. There was a section on restoring a public key from a
> private one, but that seems to be more complicated than the way
> described above.

Restoring a public key from a private key has nothing to do with what you are asking. It's not that it is more complicated or more simple... it's just unrelated to the problem.

There is no feature in GnuPG that does what you want. It's asked for often enough that if I have a few minutes this weekend, I'll probably do it for 1.4. It's very simple.

In the meantime, the method you are using is fine.

David

From groups at deDanaan.de Thu Nov 25 14:18:35 2004
From: groups at deDanaan.de (Frank Meier)
Date: Thu Nov 25 14:15:12 2004
Subject: GEAM and capitalization
Message-ID: <41A5DBAB.2040608@deDanaan.de>

Hi,

I've a prob with encryption.

If I send a message to name@domain.tld the mail is encrypted. But the mail address Name@domain.tld is undefined and not encrypted.

Is there a way to fix that?

Greetings
Frank

From johanw at vulcan.xs4all.nl Thu Nov 25 16:25:14 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Thu Nov 25 17:19:16 2004
Subject: GEAM and capitalization
In-Reply-To: <41A5DBAB.2040608@deDanaan.de> from Frank Meier at "Nov 25, 2004 02:18:35 pm"
Message-ID: <200411251525.QAA09951@vulcan.xs4all.nl>

Frank Meier wrote:

>If I send a message to name@domain.tld the mail is encrypted.
>But the mail address Name@domain.tld is undefined and not encrypted.
>
>Is there a way to fix that?

Yes, use chained anonymous remailers.

--
ir. J.C.A.
Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From amilivojevic at pbl.ca Thu Nov 25 18:30:29 2004
From: amilivojevic at pbl.ca (Aleksandar Milivojevic)
Date: Thu Nov 25 18:27:30 2004
Subject: Access to key servers through authenticating proxy server
Message-ID: <41A616B5.7070409@pbl.ca>

I have a firewall that enforces policy of accessing Internet by using proxy server only (no direct connections to outside world from internal network). The proxy uses authentication (username and password) to limit access only to some users. I was able to find at least one key server that supports connections over port 80, but I couldn't get through the proxy.

The problem is that when using proxy server, gpg doesn't seem to support proxy authentication. It simply prints that key was not found on the key server, instead of prompting me for proxy username and password.

Even if I place username/password into http_proxy environment variable ('http://username:password@myproxy.mydomain.com:port'), it still doesn't work. In this case it attempts to connect to proxy named 'username.mydomain.com' (obviously it is unable to correctly parse URL that defines the proxy server, so it interprets it as if it was 'http://username'). I don't like placing password there, but I wanted to try if that would work.

Are there any plans to make a bit more robust proxy support for accessing key servers?

[ off-topic ]

I've also attempted to access same proxy server using Enigmail (Thunderbird version). Supposedly it should have its own code for accessing key server, and should honor proxy settings from FireFox. But that hasn't worked either.
--
Aleksandar Milivojevic
Systems Administrator
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276

From dshaw at jabberwocky.com Thu Nov 25 19:35:49 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu Nov 25 19:33:01 2004
Subject: Access to key servers through authenticating proxy server
In-Reply-To: <41A616B5.7070409@pbl.ca>
References: <41A616B5.7070409@pbl.ca>
Message-ID: <20041125183549.GF17767@jabberwocky.com>

On Thu, Nov 25, 2004 at 11:30:29AM -0600, Aleksandar Milivojevic wrote:
> I have a firewall that enforces policy of accessing Internet by using
> proxy server only (no direct connections to outside world from internal
> network). The proxy uses authentication (username and password) to
> limit access only to some users. I was able to find at least one key
> server that supports connections over port 80, but I couldn't get
> through the proxy.
>
> The problem is that when using proxy server, gpg doesn't seem to support
> proxy authentication. It simply prints that key was not found on the
> key server, instead of prompting me for proxy username and password.
>
> Even if I place username/password into http_proxy environment variable
> ('http://username:password@myproxy.mydomain.com:port'), it still doesn't
> work. In this case it attempts to connect to proxy named
> 'username.mydomain.com' (obviously it is unable to correctly parse URL
> that defines the proxy server, so it interprets it as if it was
> 'http://username'). I don't like placing password there, but I wanted
> to try if that would work.
>
> Are there any plans to make a bit more robust proxy support for
> accessing key servers?

The upcoming GnuPG 1.4 supports username/password authentication for proxies. You might download the latest 1.3.x release and give it a try.
David

From admin at panta-rhei.dyndns.org Fri Nov 26 00:46:28 2004
From: admin at panta-rhei.dyndns.org (panta-admin)
Date: Fri Nov 26 00:55:15 2004
Subject: Get version of PGP
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi !

I am the administrator of a public nym server providing anonymous email addresses via the remailer network. I use a perl script for all nymserver manipulations, and have a severe problem with PGP 2.6.x users. They can not decrypt the messages made with GnuPG in the script.

I think I would be able to modify the nymserver script to create valid 2.6.x signatures and encryption packets, the problem is, how do I know that the users RSA key was created by PGP 2.6.x ?

So my question is, is there any way of finding out if a key has been created by PGP 2.6.x ?

Thanks a lot,
Cheers,
panta-admin

-----BEGIN PGP SIGNATURE-----
Version: N/A

iQA/AwUBQaZr2R2e88Id2BOOEQIhZACcC0N0y4x0r07QPVb8wQyLiGZHB88An0v1
qYiCWBUjVqRSQVHKOxp1VxOW
=vt2m
-----END PGP SIGNATURE-----

From johanw at vulcan.xs4all.nl Fri Nov 26 11:42:47 2004
From: johanw at vulcan.xs4all.nl (Johan Wevers)
Date: Fri Nov 26 14:12:34 2004
Subject: Get version of PGP
In-Reply-To: from panta-admin at "Nov 25, 2004 11:46:28 pm"
Message-ID: <200411261042.LAA04279@vulcan.xs4all.nl>

panta-admin wrote:

>So my question is, is there any way of finding out if a key has been
>created by PGP 2.6.x ?

Not 100% certain, but if it's a v3 RSA key the chance is pretty big.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

From admin at panta-rhei.dyndns.org Fri Nov 26 15:16:14 2004
From: admin at panta-rhei.dyndns.org (panta-admin)
Date: Fri Nov 26 15:09:52 2004
Subject: Get version of PGP
References: from panta-admin at <200411261042.LAA04279@vulcan.xs4all.nl>
Message-ID: <2E8NFRM638317.5946064815@anonymous.poster>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi !
>>So my question is, is there any way of finding out if a key has been
>>created by PGP 2.6.x ?
>
>Not 100% certain, but if it's a v3 RSA key the chance is pretty big.

Thanks, that's what I feared. As I would not like to break it for GnuPG users (IDEA) I will request all PGP 2.6.x users to have "PGP2" in their userid. (Or is there any other textfield in the key that I could use ?) Then the script can check for that and use pgp2 compatible encryption.

As for PGP2 compatible encryption/signing, is http://www.gnupg.org/gph/en/pgp2x.html still up to date ?

I wonder because it does not mention the --pgp2 option.

Is the method shown in this document still the recommended one to get PGP2 compatibility ?

All I need is: encrypt or sign + encrypt messages with an RSA v3 key so PGP2 users can decrypt it.

Thanks a lot for your help,
Cheers,
panta-admin

-----BEGIN PGP SIGNATURE-----
Version: N/A

iQA/AwUBQac5FR2e88Id2BOOEQJOFgCeP8MTk0uQ0Zl4b5wS37eTR4wPCFwAn2C6
khcm0cSFHNebVSHk6W0wfTDY
=mgQt
-----END PGP SIGNATURE-----

From tmp at nitwit.de Fri Nov 26 19:10:21 2004
From: tmp at nitwit.de (tmp@nitwit.de)
Date: Fri Nov 26 19:06:55 2004
Subject: Resetting expiration of subkey
Message-ID: <200411261910.22745.tmp@nitwit.de>

Hi!

My key was initially set to expire after 1 year. That year has passed now and I want to remove the expiration at all. I did so via gpg --edit-key but the ElGamal subkey kept its expiration date and I cannot encrypt data using this key no more.

How can I alter the expiration of the subkey?

Timo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20041126/ceed6141/attachment.bin

From dshaw at jabberwocky.com Fri Nov 26 20:26:06 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri Nov 26 20:23:05 2004
Subject: Resetting expiration of subkey
In-Reply-To: <200411261910.22745.tmp@nitwit.de>
References: <200411261910.22745.tmp@nitwit.de>
Message-ID: <20041126192605.GM17767@jabberwocky.com>

On Fri, Nov 26, 2004 at 07:10:21PM +0100, tmp@nitwit.de wrote:
> Hi!
>
> My key was initially set to expire after 1 year. That year has passed now and
> I want to remove the expiration at all. I did so via gpg --edit-key but the
> ElGamal subkey kept its expiration date and I cannot encrypt data using this
> key no more.
>
> How can I alter the expiration of the subkey?

You have to specify the key you want to remove the expiration date from. If you don't specify, you are removing the expiration from the key as a whole. Use "key 1" (or "key 2", etc) in the --edit-key menu before using "expire".

David

From jharris at widomaker.com Sat Nov 27 16:08:29 2004
From: jharris at widomaker.com (Jason Harris)
Date: Sat Nov 27 16:05:22 2004
Subject: [pgp-keyserver-folk] poor use of HTTP in keyserver designs
In-Reply-To: <20041124233825.GY3782@wilma.widomaker.com>
References: <4076A92B.9050101@neggie.net> <20041122011912.GV3782@wilma.widomaker.com> <20041124233825.GY3782@wilma.widomaker.com>
Message-ID: <20041127150828.GZ3782@wilma.widomaker.com>

On Wed, Nov 24, 2004 at 06:38:25PM -0500, Jason Harris wrote:
> On Sun, Nov 21, 2004 at 08:19:12PM -0500, Jason Harris wrote:
> > On Fri, Apr 09, 2004 at 09:46:19AM -0400, John Belmonte wrote:
> > > I'd like to see the HTTP response headers improved. For example, use of
> > > entity tags would allow clients and proxies to poll for key changes with
> > > minimum burden to the server.
> > > Combined with proper cache control
> > > headers, general HTTP proxies could serve the keyserver network well.
> >
> > Clients like wget only use timestamps, which I assume most browsers
> > limit themselves too as well. Do you know which browsers use ETag
> > for cache control? But, note that neither pks nor SKS currently index
> > key IDs/fingerprints/hashes to their last update times.
>
> keyserver.kjsl.com is now generating Date:, Content-Length:, and
> Content-MD5: headers for most replies. Additionally, it now supports
> HEAD requests with these headers included. Note that the PHP4 page(s)
> that support port 80 access do not generate the latter two headers,
> however.

The PHP4 page is now generating its own Content-Length: and Content-MD5: headers, as well as reusing the Content-MD5: hash for the ETag: header. (http://www.aota.net/ubb/Forum15/HTML/000749-1.html shows how to generate such ETags in PHP.)

wget can generate a request to show that ETag-only comparisons work (in this Apache-served page that doesn't also generate a Last-Modified: header):

wget -s -S --header='If-None-Match: e54d91e9622bdeb2d3f871235108c97b' \
  'http://keyserver.kjsl.com:80/pks/lookup?op=index&search=0xd39da0e3'

(NB: As always, please access the keyserver directly on port 11371 whenever possible.)

> proxies/clients. However, clients like GPG might start checking the
> MD5 hashes of received keys and/or issuing HEAD requests to see if
> the hashes have changed since the keys were last downloaded from a

Developers, feel free to exercise this page to test/verify new ETag-only cache-control semantics in HTTP/HKP clients until keyservers support them directly. Note that the page also supports HEAD requests, so you can build actual ETag: lists without downloading keys that may only be interesting when they change.

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons?
(TM), (C) 2004

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20041127/33799a70/attachment-0001.bin

From wilde at sha-bang.de Sat Nov 27 21:37:21 2004
From: wilde at sha-bang.de (Sascha Wilde)
Date: Sat Nov 27 21:33:46 2004
Subject: RfC 2440 Signature Types and Web Of Trust
Message-ID: <20041127203721.GA11422@kenny.sha-bang.local>

Hello *,

reading the GnuPG documentation and skimming through the source I found that, while signing Keys support RfC 2440 Signature Types 0x10 to 0x13[0] the Web Of Trust management doesn't take the Signature Type into account.

Is that true, or am I missing something?

Is there any way of making use of Signature Types with GnuPG other than just displaying them?

cheers
sascha

[0] As described in RfC 2440, Section 5.2

--
Sascha Wilde
"Gimme about 10 seconds to think for a minute..."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20041127/d6f45b22/attachment.bin

From dshaw at jabberwocky.com Sat Nov 27 22:43:49 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sat Nov 27 22:40:56 2004
Subject: RfC 2440 Signature Types and Web Of Trust
In-Reply-To: <20041127203721.GA11422@kenny.sha-bang.local>
References: <20041127203721.GA11422@kenny.sha-bang.local>
Message-ID: <20041127214348.GO17767@jabberwocky.com>

On Sat, Nov 27, 2004 at 09:37:21PM +0100, Sascha Wilde wrote:
> Hello *,
>
> reading the GnuPG documentation and skimming through the source I
> found that, while signing Keys support RfC 2440 Signature Types 0x10
> to 0x13[0] the Web Of Trust management doesn't take the Signature Type
> into account.
>
> Is that true, or am I missing something?

That's all true.
Remember that OpenPGP is (mostly) a message format, and as such does not define the trust model to use. The classic PGP web of trust is actually not specified in any standard anywhere. For historical reasons, the web of trust never used the 0x11-0x13 signature types (except to treat them as identical to 0x10).

> Is there any way of making use of Signature Types with GnuPG other
> than just displaying them?

Yes. You can use the --min-cert-level option which allows you to ignore certain signature types. For example, a --min-cert-level option of 2 means that 0x11 signatures are ignored. GnuPG 1.4 actually defaults to this.

David

From wilde at sha-bang.de Sun Nov 28 00:08:41 2004
From: wilde at sha-bang.de (Sascha Wilde)
Date: Sun Nov 28 00:05:11 2004
Subject: RfC 2440 Signature Types and Web Of Trust
In-Reply-To: <20041127214348.GO17767@jabberwocky.com>
References: <20041127203721.GA11422@kenny.sha-bang.local> <20041127214348.GO17767@jabberwocky.com>
Message-ID: <20041127230841.GA12056@kenny.sha-bang.local>

On Sat, Nov 27, 2004 at 04:43:49PM -0500, David Shaw wrote:
> On Sat, Nov 27, 2004 at 09:37:21PM +0100, Sascha Wilde wrote:
[...]
> > Is there any way of making use of Signature Types with GnuPG other
> > than just displaying them?
>
> Yes. You can use the --min-cert-level option which allows you to
> ignore certain signature types. For example, a --min-cert-level
> option of 2 means that 0x11 signatures are ignored. GnuPG 1.4
> actually defaults to this.

Thanks for the insightful reply. --min-cert-level seems to be what I was missing... ;-)

cheers
sascha

--
Sascha Wilde
"Gimme about 10 seconds to think for a minute..."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20041128/7eee204d/attachment.bin

From allen.schultz at gmail.com Sun Nov 28 01:27:21 2004
From: allen.schultz at gmail.com (Allen Schultz)
Date: Sun Nov 28 01:24:15 2004
Subject: GnuPG versions...
Message-ID: <3f34f842041127162761c69b8e@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Where are you guys getting GnuPG v1.3 and above? I only have 1.2.6 and whatever the default WinPT has for Windows. Or are they only available on non-windows?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - WinPT 0.7.96rc1
Comment: GnuPG w/WinPT (How do I get v1.2.5 in here?)

iD8DBQFBqRtUhJLaSKltvMIRAt+BAJ9zzZtkiJjMYWoO8GSpYivHc+77IQCbBgCz
RJkWddrr8pLS1ug68JpthNA=
=mR1D
-----END PGP SIGNATURE-----

Oops, sorry, 1.2.5.

From dshaw at jabberwocky.com Sun Nov 28 02:19:29 2004
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun Nov 28 02:16:34 2004
Subject: GnuPG versions...
In-Reply-To: <3f34f842041127162761c69b8e@mail.gmail.com>
References: <3f34f842041127162761c69b8e@mail.gmail.com>
Message-ID: <20041128011929.GP17767@jabberwocky.com>

On Sat, Nov 27, 2004 at 05:27:21PM -0700, Allen Schultz wrote:
> Where are you guys getting GnuPG v1.3 and above? I only have 1.2.6 and
> whatever the default WinPT has for Windows. Or are they only available
> on non-windows?

GnuPG 1.3.x are the development releases building up to GnuPG 1.4. They are available from:

ftp://ftp.gnupg.org/gcrypt/alpha/gnupg

David

From johnmoore3rd at joimail.com Sun Nov 28 03:25:44 2004
From: johnmoore3rd at joimail.com (John Moore)
Date: S﻿un Nov 28 04:33:44 2004
Subject: GnuPG versions...
In-Reply-To: <20041128011929.GP17767@jabberwocky.com> References: <3f34f842041127162761c69b8e@mail.gmail.com> <20041128011929.GP17767@jabberwocky.com> Message-ID: <41A93728.8090701@joimail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: | On Sat, Nov 27, 2004 at 05:27:21PM -0700, Allen Schultz wrote: | |>Where are you guys getting GnuPG v1.3 and above? I only have 1.2.6 and |>whatever the default WinPT has for Windows. Or are they only available |>on non-windows? | | | GnuPG 1.3.x are the development releases building up to GnuPG 1.4. | They are available from: | | ftp://ftp.gnupg.org/gcrypt/alpha/gnupg | | David | The Windows Binaries for 1.3.92 are also available by following the links from the GnuPG Homepage. While there, also download the iconv.dll as you will need it with the current 1.3.92 development build. JOHN :) - -- For a list of all the ways technology has failed to improve the quality of life, please press three. --Alice Kahn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (MingW32) Comment: Public Key at: http://tinyurl.com/5ztc6 Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBqTcknCmZhrerneURAuMAAKDbtZIXlPxxojLxTWjHJoEwkrKJ+wCg7+k9 YTxBZrUxcODUg6xjArhlW3A= =q9PW -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Sun Nov 28 07:53:59 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Sun Nov 28 07:50:21 2004 Subject: GnuPG versions... In-Reply-To: <41A93728.8090701@joimail.com> References: <3f34f842041127162761c69b8e@mail.gmail.com> <20041128011929.GP17767@jabberwocky.com> <41A93728.8090701@joimail.com> Message-ID: <1209098216.20041128075359@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 27 Nov 2004 21:25:44 -0500GMT (28-11-2004, 3:25 +0100, where I live), John Moore wrote: > The Windows Binaries for 1.3.92 are also available by following the > links from the GnuPG Homepage. 
While there, also download the iconv.dll > as you will need it with the current 1.3.92 development build. What/which is/are the difference(s) compared to the version I am using? TIA - -- cheers, Henk ______________________________________________________________________ The Bat! Natural Email System v3.0.2.8nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: with GPGshell 3.24 iD8DBQFBqXYHEgabk9vm5ngRAr5jAJ9Qq95sf/jk7YQNZ5roHWlwS8gBEQCdGZQp 25S08mPoog6coI1PjlwROOY= =Gsd0 -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Sun Nov 28 08:12:32 2004 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Sun Nov 28 13:29:47 2004 Subject: Get version of PGP In-Reply-To: <2E8NFRM638317.5946064815@anonymous.poster> from panta-admin at "Nov 26, 2004 02:16:14 pm" Message-ID: <200411280712.IAA02064@vulcan.xs4all.nl> panta-admin wrote: >As for PGP2 compatible encryption/signing, is >http://www.gnupg.org/gph/en/pgp2x.html still up to date ? > >I wonder because it does not mention the --pgp2 option. It's outdated. The --pgp2 option replaces most other options (which still work). It mentions the RSA module, which is included into GnuPG after the patent expired. And it doesn't mention the fact that idea.c can now also be included directly into the binary by placing it into the cipher dir before running configure. -- ir. J.C.A. 
Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sckbr at alltel.net Sun Nov 28 14:37:00 2004 From: sckbr at alltel.net (Bob) Date: Sun Nov 28 14:33:58 2004 Subject: Very Confusing was Re: Get version of PGP In-Reply-To: <200411280712.IAA02064@vulcan.xs4all.nl> References: <200411280712.IAA02064@vulcan.xs4all.nl> Message-ID: <41A9D47C.1080308@alltel.net> Sunday, Nov. 28, 2004 Ladies and Gentlemen, This is all very confusing to me and I would appreciate someone explaining where to begin. I use Mozilla's Thunderbird and suppose that Enigmail is what I need? A version is installed which has done nothing but subtract from my available disk space (some sort of complaint about my lack of certificate and would I like to learn how(?) now, which does not do a thing after I select yes). This shouldn't be difficult, however all the discussion concerning PGP, GnuPG, Enigmail, along with the technical aspects of PGP have left me in the dust. I suppose I should mention that my computer is a Windows XP (Pro). Someone's guidance and patience would be most appreciated. Bob From henkdebruijn at wanadoo.nl Sun Nov 28 15:59:21 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Sun Nov 28 15:55:46 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available Message-ID: <1159783930.20041128155921@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, installed 1.3.92 over 1.2.5 get the following message: gpg: conversion from `utf-8' to `CP0' not available I read something in the archives that it is probably something at the frontend? Does that mean that it has something to do with The Bat! or with GPGshell - -- Henk ______________________________________________________________________ The Bat! 
Natural Email System v3.0.2.8nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: with GPGshell 3.24 iD8DBQFBqefBEgabk9vm5ngRAlyuAKChLKUKxStxE6yCxw5ST+lLBb565gCgqTbS 6ejcyslzNEYEmwJq6oFkZnc= =+fd+ -----END PGP SIGNATURE----- From wk at gnupg.org Sun Nov 28 16:35:41 2004 From: wk at gnupg.org (Werner Koch) Date: Sun Nov 28 16:36:56 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <1159783930.20041128155921@wanadoo.nl> (Henk de Bruijn's message of "Sun, 28 Nov 2004 15:59:21 +0100") References: <1159783930.20041128155921@wanadoo.nl> Message-ID: <87act27zqq.fsf@wheatstone.g10code.de> On Sun, 28 Nov 2004 15:59:21 +0100, Henk de Bruijn said: > gpg: conversion from `utf-8' to `CP0' not available > I read something in the archives that it is probably something at the > frontend? I don't know what the reason is. The 0 above is the return value of GetConsoleOutputCP (). > Does that mean that is has something to do with The Bat! or with > GPGshell I guess so. Please check the source to see what they are doing. Oh, you don't have the source? See now why using Free Software is important? Werner From wk at gnupg.org Sun Nov 28 16:36:57 2004 From: wk at gnupg.org (Werner Koch) Date: Sun Nov 28 16:37:05 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <1159783930.20041128155921@wanadoo.nl> (Henk de Bruijn's message of "Sun, 28 Nov 2004 15:59:21 +0100") References: <1159783930.20041128155921@wanadoo.nl> Message-ID: <87653q7zom.fsf@wheatstone.g10code.de> On Sun, 28 Nov 2004 15:59:21 +0100, Henk de Bruijn said: > gpg: conversion from `utf-8' to `CP0' not available Using charset= in gpg.conf overrides the default auto detection. Salam-Shalom, Werner From wren at hunt.org Sun Nov 28 17:10:55 2004 From: wren at hunt.org (J. 
Wren Hunt) Date: Sun Nov 28 17:28:09 2004 Subject: Very Confusing was Re: Get version of PGP In-Reply-To: <41A9D47C.1080308@alltel.net> References: <200411280712.IAA02064@vulcan.xs4all.nl> <41A9D47C.1080308@alltel.net> Message-ID: <41A9F88F.3010900@hunt.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob wrote: | Sunday, Nov. 28, 2004 | | Ladies and Gentlemen, | | This all very confusing to me and I would appreciate someone | explaining where to begin. I use Mozilla's Thunderbird and | suppose that Enigimail is what I need? A version is installed which has | done nothing but subtract from my available disk | space (some sort of complaint about my lack of certificate and would I | like to learn how(?) now, which does not do a thing after I | select yes). This shouldn't be difficult, however all the discussion | concerning PGP, Gnupg, enigimail, along with the technical | aspects of PGP have left me in the dust. I suppose I should mention | that my computer is a windows XP (Pro). | | Someones guidance and patience would be most appreciated. | | Bob Hey Bob! Sounds like you might be confusing digital certificates with PGP. They are two very different beasts and while each may be used to sign and/or encrypt they go about it differently. Thunderbird has no native support for PGP. But popping in Enigmail makes it very easy so you shouldn't have too hard a time googling for info. Thunderbird uses the Certificate Manager to handle X.509 digital certificates and can handle them with no other extensions required. If you want to test drive these, check out Thawte (http://www.thawte.com), or CAcert (http://www.cacert.org), both of which issue free email client certificates via a method very similar to PGP's web-of-trust. 
Wren -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.92 (GNU/Linux) iD8DBQFBqfiPA/qR4Uok1vQRApYPAJ9meDDwaEtGr1AifSV5BpadJgnqDgCgom/P PYvl/M+Cr5yl7Z4AhRBsqe4= =Ej8z -----END PGP SIGNATURE----- From jharris at widomaker.com Sun Nov 28 23:50:53 2004 From: jharris at widomaker.com (Jason Harris) Date: Sun Nov 28 23:47:36 2004 Subject: new (2004-11-28) keyanalyze results (+sigcheck) Message-ID: <20041128225053.GA3782@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2004-11-28/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 06bac3afa0a5800ffdb74177b6dcca95e78e7529 10851858 preprocess.keys b80f6bd107ffc0321877e0f03d615087529ff79a 6988397 othersets.txt 861c77f143b3a248ba91893b1031b07e8270339f 2803606 msd-sorted.txt b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html 6ee9bc6e096d919a1bf68ee36cf9240e5c6ef70c 2289 keyring_stats e124e94aaffac949d9574442ad2ca43433738667 1102256 msd-sorted.txt.bz2 f091f4112e6c7c97cf93517e1f91b33ff4ae3473 26 other.txt 8dfb506d8d685bebc66e607a585fb778b3ff3820 1499853 othersets.txt.bz2 0f9e15c04095644d18be53248dba1c2c6a30b205 4394474 preprocess.keys.bz2 d1a48b5cd42b78200c243096fac3f4c413c89797 10814 status.txt 8eeca26ca18d91f06d51bfdc65440d6af938b85a 211901 top1000table.html f42ba5a63937dc4fec4fcd4330c21b29ff2a20e0 30751 top1000table.html.gz 17185a3806d09c8238703bb8158607efde721d3c 11012 top50table.html 23359cb7ddd4b6b3a2b3ba8658000162751fc6bc 2414 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041128/4c17a76c/attachment.bin From JPClizbe at comcast.net Mon Nov 29 01:25:07 2004 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Nov 29 01:22:19 2004 Subject: Very Confusing was Re: Get version of PGP In-Reply-To: <41A9D47C.1080308@alltel.net> References: <200411280712.IAA02064@vulcan.xs4all.nl> <41A9D47C.1080308@alltel.net> Message-ID: <41AA6C63.7050305@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob wrote: > This is all very confusing to me and I would appreciate someone explaining > where to begin. I use Mozilla's Thunderbird and > suppose that Enigmail is what I need? A version is installed which has > done nothing but subtract from my available disk > space (some sort of complaint about my lack of certificate and would I > like to learn how(?) now, which does not do a thing after I > select yes). This shouldn't be difficult, however all the discussion > concerning PGP, GnuPG, Enigmail, along with the technical > aspects of PGP have left me in the dust. I suppose I should mention > that my computer is a Windows XP (Pro). > > Someone's guidance and patience would be most appreciated. > Hello Bob, It was confusing to most of us in the beginning. Fear not. The complaint sounds more like a lack of an X.509 certificate which Thunderbird (or Mozilla / Netscape mail) would use for S/MIME. They are available free of charge from Thawte (http://www.thawte.com), CAcert (http://www.cacert.org), and TC Trustcenter (http://www.trustcenter.de). S/MIME and OpenPGP operate in similar manners, but don't interoperate very well. If you would like to use OpenPGP keys with Thunderbird, then Enigmail is certainly what you need. It requires that you also have a working copy of GnuPG installed. 
We've put together a step-by-step How-To specifically for Windows users (written by Windows users/admins) which is at http://enigmail.mozdev.org/gpgconf.html. We've also simplified the installation of Enigmail to only one XPI to install as of 0.89.0. There is a responsive mailing list for your Enigmail-related queries (We'll also handle the GnuPG part) at mailto://enigmail@mozdev.org. You can subscribe at http://www.mozdev.org/mailman/listinfo/enigmail/ - subscription is not mandatory, but it will avoid the delay of waiting for the moderators. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.93-cvs-2004-11-27 (Windows 2000 SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBqmxhHQSsSmCNKhARAq7RAJ9Dc+pvy40T3UXCPDtm4dYlrArjLwCg3z/V GTUqnIT1qqyEAEX9piFUoTU= =k2zK -----END PGP SIGNATURE----- From Don.Ferguson at mitchell.com Mon Nov 29 08:16:34 2004 From: Don.Ferguson at mitchell.com (Don Ferguson) Date: Mon Nov 29 08:13:32 2004 Subject: Announcement for Outlook GPG 0.94 Message-ID: <601E1B8E735FBF4FA07BB6DBCF8F480B0684B7@mail60nt.mitchell.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 After a few hours of troubleshooting I was able to get this to work with Outlook 2003. It seems that G-DATA only works properly if the message is sent in plain text mode. After testing it with plain text, it seems that all works well. Is the source code to this modification available? > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Hi! > > g10 Code released an update of the Outlook GPG plugin (originally > written by G-DATA). 
> > All users who have problems with their current Outlook GPG version might > want to update their files to see if this version fixes the problems. > You can download the zip archive and the digital signature here: > > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip (99k) > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip.sig > > MD5 checksums for the files are: > > 9e81aafab5b14c55129a218be2893d94 outlgpg-0.94.zip > a95fa1cc0b484d3073f528627766a7e6 outlgpg-0.94.zip.sig > > > Noteworthy changes in version 0.94 > ================================== > > - - Allow to parse messages generated by older mailers which > use the application/pgp content type. > > - - By default use PGP as the extension for attachments to > allow easier PGP decryption. > > > That's it. > > g10 Code GmbH (http://www.g10code.com) of course also provides > commercial support for the plugin and other GPG components. > > Timo > > -----BEGIN PGP SIGNATURE----- > > iEYEARECAAYFAkGQ5scACgkQ7UaByb89+bRL2QCgo07WFbT+CeR77mfVIo4zTJsM > uM8An131iW9ToOCw6p9sIZ9P5kki/KVX > =1/br > -----END PGP SIGNATURE----- > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) iD8DBQFBqszSqxAsVB/zfWkRAu28AJsFRRBOsRHg/Ui8xglYtcQWpB4BkwCfTDUD wXQo0US5ixNnpaHTWN9HIa4= =m0iw -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Mon Nov 29 09:04:06 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Mon Nov 29 09:00:32 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <87653q7zom.fsf@wheatstone.g10code.de> References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> Message-ID: <873573880.20041129090406@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 28 Nov 2004 16:36:57 +0100GMT (28-11-2004, 16:36 +0100, where I live), Werner Koch wrote: > On Sun, 28 Nov 2004 15:59:21 +0100, Henk de Bruijn said: >> gpg: conversion from `utf-8' to `CP0' not available > Using charset= in gpg.conf overrides the default auto > 
detection. My old gpg.conf: display charset ISO-8859-1 I tried all kind of possibilities from Using charset=850 to using charset=cp850 But can't get it to work :-( - -- Henk ______________________________________________________________________ The Bat! Natural Email System v3.0.2.8nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: with GPGshell 3.24 iD8DBQFBqtf2Egabk9vm5ngRAl4cAJ98VvOUkz0/YuqrImj57E3pnAZeRQCeMcx/ pVArMoxeEVfL6si9VwGxfHI= =MEdK -----END PGP SIGNATURE----- From SnoopeReva at copper.net Sat Nov 27 18:56:17 2004 From: SnoopeReva at copper.net (SnoopeReva@copper.net) Date: Mon Nov 29 10:17:13 2004 Subject: Technical help please re: installing GnuPG... Message-ID: <41A8BFC1.1020106@copper.net> OK...so I am up to Installation on Windows NT/2000/XP (my program is Windows Home/Professional XP). Now I have just extracted GnuPG files and am looking at them in my GnuPG file in C:/Program Files. The installation guide I am following here, point 3, states that if I used GnuPG zip, I will have a directory full of files which need sorting out.! Well, until I went to explore this file, there was only one file which was: gnupg-1.2.6. When I went to explore this file I found several files and, what appears to be some pages. Now the installation instructions said I should make two subdirectories. I already had a file called Doc in the files I opened; but, did make a locale file. Then I went to try to sort out .mo file and .exe files; but, none of the files that I saw had such extensions. The file icons themselves showed no extensions and the icons that look like pages had either no extensions on their names or were called .logfile, or .sh ; but, I see no .mo files or .exe to sort these files by. Help please. 
From SnoopeReva at copper.net Sat Nov 27 21:15:53 2004 From: SnoopeReva at copper.net (SnoopeReva@copper.net) Date: Mon Nov 29 10:17:20 2004 Subject: Failed installation test of GnuPG Message-ID: <41A8E079.405@copper.net> To Whom It May Concern: So I have very patiently spent most of this day following the installation directions for GnuPG; and, now that I go to test its installation the command prompt window says: 'gpg is not recognized as an internal or external command, operable program or batch file. Help please.... Reva E. SnoopeReva@copper.net From wk at gnupg.org Mon Nov 29 11:51:17 2004 From: wk at gnupg.org (Werner Koch) Date: Mon Nov 29 11:54:30 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <873573880.20041129090406@wanadoo.nl> (Henk de Bruijn's message of "Mon, 29 Nov 2004 09:04:06 +0100") References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> Message-ID: <87sm6t53oa.fsf@wheatstone.g10code.de> On Mon, 29 Nov 2004 09:04:06 +0100, Henk de Bruijn said: > My old gpg.conf: > display charset ISO-8859-1 I guess your gpg.conf is not the one used. 
Try it on the command line: gpg --charset=CP850 -k akey if this does also not work do gpg --no-options --charset=CP850 -k akey Shalom-Salam, Werner From henkdebruijn at wanadoo.nl Mon Nov 29 15:17:57 2004 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Mon Nov 29 15:14:34 2004 Subject: gpg: conversion from `utf-8' to `CP0' not available In-Reply-To: <87sm6t53oa.fsf@wheatstone.g10code.de> References: <1159783930.20041128155921@wanadoo.nl> <87653q7zom.fsf@wheatstone.g10code.de> <873573880.20041129090406@wanadoo.nl> <87sm6t53oa.fsf@wheatstone.g10code.de> Message-ID: <1727693086.20041129151757@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 29 Nov 2004 11:51:17 +0100GMT (29-11-2004, 11:51 +0100, where I live), Werner Koch wrote: > On Mon, 29 Nov 2004 09:04:06 +0100, Henk de Bruijn said: >> My old gpg.conf: >> display charset ISO-8859-1 > I guess your gpg.conf is not the one used. Try it on the command > line: > gpg --charset=CP850 -k akey > if this does also not work do > gpg --no-options --charset=CP850 -k akey Tried it all but no, think I'll just have to keep on using 1.2.5 for a while :-( - -- Henk ______________________________________________________________________ The Bat! Natural Email System v3.0.2.8nl Professional on Windows XP SP2 PGPkey request: see headers or send email with subj.: send HenksKeyID Gossamer Spider Web of Trust http://gswot.webhop.info/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) iD8DBQFBqy+bEgabk9vm5ngRAvCcAKDM1stDCKINact5o/MNFlPkMY9BVACg3jHn pb6a9W5HNrXqWE7nbABucyQ= =5So1 -----END PGP SIGNATURE----- From DenisMcCauley at ifrance.com Mon Nov 29 21:15:40 2004 From: DenisMcCauley at ifrance.com (Denis McCauley) Date: Mon Nov 29 21:15:18 2004 Subject: Large SHA512 support in 1.2.6 In-Reply-To: References: Message-ID: <41AB836C.6030107@ifrance.com> I've done a native Windows build of 1.2.6 with MSYS/MinGW, enabling large SHA read-support with --enable-SHA512 in CFLAGS. 
But before I start testing it with large hashes created by 1.3.x and third-party PGP builds I'd like to know if there are any known problems with the read-support of these hashes in 1.2.6. Cheers, Denis McCauley From anhny at wmdata.com Tue Nov 30 13:59:34 2004 From: anhny at wmdata.com (Henry Andrew) Date: Tue Nov 30 13:55:57 2004 Subject: Public key server doesn't accept photos. Message-ID: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> Hi, I tried to upload a public key with photo to MIT's key server and they do not support this. Does anyone know of a key server that does support photo keys? If I upload a photo key to another key server, will that key fail to register with all those key servers that do not support this feature, once synchronisation begins? Thanks, Andrew From thomas at northernsecurity.net Tue Nov 30 15:05:53 2004 From: thomas at northernsecurity.net (Thomas Sjögren) Date: Tue Nov 30 15:02:59 2004 Subject: Public key server doesn't accept photos. In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> Message-ID: <20041130140553.GA26510@northernsecurity.net> On Tue, Nov 30, 2004 at 01:59:34PM +0100, Henry Andrew wrote: > I tried to upload a public key with photo to MIT's key server and they do > not support this. Does anyone know of a key server that does support > photo keys? subkeys.pgp.net > If I upload a photo key to another key server, will that key fail to > register with all those key servers that do not support this feature, > once synchronisation begins? Your key will not include the photo (or subkeys) on the servers not supporting it, besides that there shouldn't be any problems. /Thomas -- == Encrypted e-mails preferred | GPG KeyID: 114AA85C -- -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 481 bytes Desc: Digital signature Url : /pipermail/attachments/20041130/d9f3698e/attachment.bin From shavital at mac.com Tue Nov 30 15:25:25 2004 From: shavital at mac.com (Charly Avital) Date: Tue Nov 30 15:22:04 2004 Subject: Public key server doesn't accept photos. In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> Message-ID: <41AC82D5.3050607@mac.com> Photo files are supported by ldap keyservers. Charly Henry Andrew wrote: >Hi, > >I tried to upload a public key with photo to MIT's key server and they do >not support this. Does anyone know of a key server that does support >photo keys? > >If I upload a photo key to another key server, will that key fail to >register with all those key servers that do not support this feature, >once synchronisation begins? > >Thanks, >Andrew > > From anhny at wmdata.com Tue Nov 30 15:28:09 2004 From: anhny at wmdata.com (Henry Andrew) Date: Tue Nov 30 15:24:31 2004 Subject: Cannot remove key from key server? Message-ID: <20D152299AA73D47941BC3A94EDFF5DE046FDB@WMRI000166.corp.wmdata.net> Hi, I am trying to remove an old key from MIT's key server and i'm not sure how to do this and would appreciate some help. On MIT's site they say that you cannot remove a key but you can upload a revocation certificate. Does this mean that I use --gen-revoke for my key or do I edit the key first and use the revkey command?? I tried the second option to revoke a subkey (not really understanding what the effect of this will be), then generated an armoured public key and tried to upload that to the server via their web interface, and the key server gave the following fail message: ----------------------------------------------------- Public Key Server -- Add Key block added to key server database. 
New public keys added: 1 Your key block contained 1 format errors, which were treated as if the erroneous elements hadn't been part of your submission. The last error was on key 0x7ebf7222: Key block corrupt: subkey revocation not supported ----------------------------------------------------- Now, back to the photo question. This key has a photo attached, and when I tried to --gen-revoke and upload the key, the server gave another message, but said there were no new keys in the text. I then thought that maybe I had uploaded this key before adding the photo, so I took the photo UID away and tried again, which resulted in the error above. Assuming that the photo *did* exist when I uploaded the key [to another server], then how can I revoke it? Thanks for all and any help! Andrew From zuxy.meng at gmail.com Tue Nov 30 15:41:41 2004 From: zuxy.meng at gmail.com (Zuxy) Date: Tue Nov 30 15:38:35 2004 Subject: Cannot remove key from key server? In-Reply-To: <20D152299AA73D47941BC3A94EDFF5DE046FDB@WMRI000166.corp.wmdata.net> References: <20D152299AA73D47941BC3A94EDFF5DE046FDB@WMRI000166.corp.wmdata.net> Message-ID: On Tue, 30 Nov 2004 15:28:09 +0100, Henry Andrew wrote: > I am trying to remove an old key from MIT's key server and i'm not sure > how to do this and would appreciate some help. Keys can't be removed from a keyserver. > On MIT's site they say that you cannot remove a key but you can upload a > revocation certificate. Does this mean that I use --gen-revoke for my > key or do I edit the key first and use the revkey command?? I guess both are OK if you really want to revoke the whole thing right now. > I tried the second option to revoke a subkey (not really understanding > what the effect of this will be), then generated an armoured public key > and tried to upload that to the server via their web interface, and the > key server gave the following fail message: MIT keyserver doesn't handle keys with multiple subkeys properly. Use hkp://subkeys.pgp.net instead. 
-- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From jharris at widomaker.com Tue Nov 30 16:08:11 2004 From: jharris at widomaker.com (Jason Harris) Date: Tue Nov 30 16:04:46 2004 Subject: Public key server doesn't accept photos. In-Reply-To: <20041130140553.GA26510@northernsecurity.net> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> <20041130140553.GA26510@northernsecurity.net> Message-ID: <20041130150811.GC3782@wilma.widomaker.com> On Tue, Nov 30, 2004 at 03:05:53PM +0100, Thomas Sjögren wrote: > On Tue, Nov 30, 2004 at 01:59:34PM +0100, Henry Andrew wrote: > > I tried to upload a public key with photo to MIT's key server and they do > > not support this. Does anyone know of a key server that does support > > photo keys? > > subkeys.pgp.net Almost. One server in the rotation, x-hkp://keyserver.kjsl.com:11371, will strip the photos. Use a specific SKS server or random.sks.keyserver.penguin.de if you care about photos on keys. > > If I upload a photo key to another key server, will that key fail to > > register with all those key servers that do not support this feature, > > once synchronisation begins? > > Your key will not include the photo (or subkeys) on the servers not supporting it, > besides that there shouldn't be any problems. Specifically, keyserver.kjsl.com strips photo IDs before sending keys to other keyservers, most of which silently drop all sync. emails with photos in them and would not otherwise have (the photoless versions of) such keys. Otherwise, you['d] have to add "--export-options no-include-attributes" and make a special effort to send such a key to pgp.mit.edu, for example, which would then propagate the (naturally, photoless version of the) key. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20041130/dcf4f688/attachment.bin From thomas at northernsecurity.net Tue Nov 30 21:19:51 2004 From: thomas at northernsecurity.net (Thomas Sjögren) Date: Tue Nov 30 21:17:01 2004 Subject: Public key server doesn't accept photos. In-Reply-To: <20041130150811.GC3782@wilma.widomaker.com> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> <20041130140553.GA26510@northernsecurity.net> <20041130150811.GC3782@wilma.widomaker.com> Message-ID: <20041130201950.GD26510@northernsecurity.net> On Tue, Nov 30, 2004 at 10:08:11AM -0500, Jason Harris wrote: > Almost. One server in the rotation, x-hkp://keyserver.kjsl.com:11371, > will strip the photos. Use a specific SKS server or > random.sks.keyserver.penguin.de if you care about photos on keys. My mistake, I thought keyserver.kjsl.com was all patched up. /Thomas -- == Encrypted e-mails preferred | GPG KeyID: 114AA85C -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: Digital signature Url : /pipermail/attachments/20041130/ad0df26a/attachment.bin From dshaw at jabberwocky.com Tue Nov 30 21:50:26 2004 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Nov 30 21:47:27 2004 Subject: Public key server doesn't accept photos. In-Reply-To: <20041130150811.GC3782@wilma.widomaker.com> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> <20041130140553.GA26510@northernsecurity.net> <20041130150811.GC3782@wilma.widomaker.com> Message-ID: <20041130205025.GA8161@jabberwocky.com> On Tue, Nov 30, 2004 at 10:08:11AM -0500, Jason Harris wrote: > Specifically, keyserver.kjsl.com strips photo IDs before sending keys > to other keyservers, most of which silently drop all sync. 
emails with > photos in them and would not otherwise have (the photoless versions of) > such keys. Otherwise, you['d] have to add "--export-options > no-include-attributes" and make a special effort to send such a key to > pgp.mit.edu, for example, which would then propagate the (naturally, > photoless version of the) key. Use "--keyserver-options no-include-attributes" for this. --export-options only applies to exporting to a file, not sending to a keyserver. David From cbonar at gmail.com Tue Nov 30 22:57:30 2004 From: cbonar at gmail.com (Nicolas BONARDELLE) Date: Tue Nov 30 22:54:37 2004 Subject: To sign a .jar with PGP In-Reply-To: <20041130201950.GD26510@northernsecurity.net> References: <20D152299AA73D47941BC3A94EDFF5DE046FDA@WMRI000166.corp.wmdata.net> <20041130150811.GC3782@wilma.widomaker.com> <20041130201950.GD26510@northernsecurity.net> Message-ID: <200411302257.38642.cbonar@gmail.com> Hi list, I'm thinking about using Jar in a Java application I'm coding. Not only as an archiving means, but also because it can be signed easily. To make the long story short, the Jar archive would contain a text file, and would be signed by everyone who enters in its possession and agrees with the content of the text file. The signer would then distribute the newly signed Jar to others. Since I can't ask every user to get a X.509 certificate, the idea is to sign the .jar with their PGP key by following exactly the Jar and Manifest specifications (http://java.sun.com/j2se/1.4.2/docs/guide/jar/jar.html). Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by default, and even that one can use its own algorithm. 
However, I have a few problems : 1- I can't find any live example of Jar signed with PGP 2- can't even find any info about doing it programmatically 3- the 'keytool' util (with Sun's jdk) doesn't want to import my PGP keys in the .keystore (even if I ask him very kindly) so I can use it with the 'jarsigner' util :-[ So, a few questions that may protect me from doing naughty things : 1- am I totally nuts to want to do this ? 2- do you know a way to intrude my PGP key in the evil .keystore ? 3- do you know some application on the web (and open source preferably) using PGP to sign Jar archives ? cheers, cbonar
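Two of the threads above, the RFC 2440 signature-type thread at the top (David Shaw's explanation of --min-cert-level, where level 0 certifications are always counted and the 1.4 default of 2 ignores 0x11) and the photo-ID thread (keyserver.kjsl.com stripping user attributes, and --keyserver-options no-include-attributes doing the same on the client side), both come down to walking the packets of an exported key. The Python below is an added example, not code from the list or from GnuPG: a minimal RFC 4880 packet walker, the --min-cert-level rule re-stated over the signature type octet, and a filter that drops user attribute packets together with their binding signatures. The sample key block is constructed for the example (dummy key bodies, empty subpacket areas, no MPIs and no real signatures), so it only exercises packet structure; the names SAMPLE_KEY, accept_certification and strip_attributes are this example's own.

```python
"""Added example (not from the thread or GnuPG): walk an OpenPGP packet stream,
apply the --min-cert-level rule, and strip photo IDs like a keyserver would."""
from dataclasses import dataclass
from typing import List

SIG, PUBKEY, UID, SUBKEY, UATTR = 2, 6, 13, 14, 17   # packet tags, RFC 4880 4.3

@dataclass
class Packet:
    tag: int
    body: bytes

def parse_packets(data: bytes) -> List[Packet]:
    """Split a binary (non-armored) stream into packets; old and new headers,
    definite lengths only (partial-body and indeterminate lengths rejected)."""
    out, i = [], 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("0x%02x is not a packet header" % ctb)
        if ctb & 0x40:                      # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old format: tag in bits 2..5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        out.append(Packet(tag, data[i:i + length]))
        i += length
    return out

def serialize(p: Packet) -> bytes:
    """Re-emit a packet with a new-format header (1, 2 or 5 length octets)."""
    n = len(p.body)
    hdr = (bytes([n]) if n < 192 else
           bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF]) if n < 8384 else
           b"\xff" + n.to_bytes(4, "big"))
    return bytes([0xC0 | p.tag]) + hdr + p.body

def sig_type(p: Packet) -> int:
    """Signature type octet: body[1] for a v4 signature, body[2] for v3."""
    if p.tag != SIG or len(p.body) < 3 or p.body[0] not in (3, 4):
        raise ValueError("not a v3/v4 signature packet")
    return p.body[1] if p.body[0] == 4 else p.body[2]

def cert_level(p: Packet) -> int:
    """0x10..0x13 -> 0..3 (generic, persona, casual, positive); -1 otherwise."""
    t = sig_type(p)
    return t - 0x10 if 0x10 <= t <= 0x13 else -1

def accept_certification(p: Packet, min_cert_level: int = 2) -> bool:
    """The --min-cert-level rule: level 0 (0x10) is always accepted, other
    levels only if >= min_cert_level; the gpg 1.4 default of 2 drops 0x11."""
    lvl = cert_level(p)
    if lvl < 0:                             # e.g. 0x18 subkey binding: not a cert
        return False
    return lvl == 0 or lvl >= min_cert_level

def accepted_certifications(data: bytes, min_cert_level: int = 2) -> List[int]:
    """Types of the certification signatures that survive the filter, in order."""
    return [sig_type(p) for p in parse_packets(data)
            if p.tag == SIG and accept_certification(p, min_cert_level)]

def strip_attributes(data: bytes) -> bytes:
    """Drop each user attribute packet plus the signatures that follow it (up to
    the next key, user ID or subkey packet), re-serialising everything else."""
    kept, dropping = [], False
    for p in parse_packets(data):
        if p.tag in (PUBKEY, UID, SUBKEY, UATTR):
            dropping = p.tag == UATTR
        if not dropping:
            kept.append(p)
    return b"".join(serialize(p) for p in kept)

# Constructed sample key: dummy key bodies, empty subpacket areas, no MPIs.
def _sig(t: int) -> bytes:   # v4, type t, DSA (17), SHA-1 (2), 0/0 subpackets
    return serialize(Packet(SIG, bytes([4, t, 17, 2, 0, 0, 0, 0, 0xAB, 0xCD])))

SAMPLE_KEY = (serialize(Packet(PUBKEY, b"\x04" + b"\x00" * 8))
              + serialize(Packet(UID, b"Alice <alice@example.org>"))
              + _sig(0x13) + _sig(0x11)     # positive self-sig, persona cert
              + serialize(Packet(UATTR, b"\x00" * 16)) + _sig(0x10)   # photo + cert
              + serialize(Packet(SUBKEY, b"\x04" + b"\x00" * 8)) + _sig(0x18))
```

On the constructed key, accepted_certifications(SAMPLE_KEY) returns [0x13, 0x10] (the 0x11 persona certification is dropped at the default level 2, the 0x10 over the photo is kept because level 0 is always accepted), and strip_attributes(SAMPLE_KEY) leaves the key, user ID, its two certifications, the subkey and its binding signature. To run it over a real key, feed it the binary output of gpg --export KEYID (not --armor). Two caveats a practitioner should keep in mind: the filter only reads the type octet, it does not verify anything, so a 0x13 "positive" certification is still just a claim until the signature has been checked against the signer's key, which is what gpg does before the level counts towards trust; and the stripper, like the keyservers in the thread, removes only tag 17 packets and what is bound to them, so the key's fingerprint and user IDs are untouched and the stripped copy merges back cleanly on servers that do keep attributes.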