From jgentil at sebistar.net Tue Feb 1 01:51:49 2005 From: jgentil at sebistar.net (Jon-Pierre Gentil) Date: Tue Feb 1 01:48:12 2005 Subject: Information about GNUPG In-Reply-To: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com> References: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com> Message-ID: <200501311851.54347.jgentil@sebistar.net> On Sunday 30 January 2005 08:19 pm, Ueda, Edson (GE Commercial Finance, NonGE) wrote: > We would like to know more details about GNUPG application. > a) Wich Company should us contact in Japan (Osaka or Tokyo) There is no company, it is an open-source project. > b) We would like to know more details about installation process http://www.gnupg.org/(en)/documentation/index.html is a good start.. -- _________________________________________________________ Jon-Pierre Gentil PGP: 0xA21BC30E jabber: jgentil@sebistar.net web: www.sebistar.net "If you think education is expensive, try ignorance." _________________________________________________________ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20050131/be2114e8/attachment-0001.pgp From og at pre-secure.de Tue Feb 1 08:02:41 2005 From: og at pre-secure.de (Olaf Gellert) Date: Tue Feb 1 08:01:23 2005 Subject: gpgsm: building of certificate chains Message-ID: <41FF2991.5030700@pre-secure.de> Hi list, I was just experimenting with cross-certificates and came across a little strange behaviour of gpgsm. Obviously the building of certificate chains (eg from enduser to subCA to rootCA) is influenced by the order of the certificates in the keyring! In the case of cross-certificates this can lead to different validation results depending on the order of imported keys... Example: I have the following certificates: ranum@ranum:~> gpgsm --list-keys | grep fingerprint Secure memory is not locked into core gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1 fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC Now I try to verify a signed email: ranum@ranum:~> gpgsm --verify testetext.signed Secure memory is not locked into core gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1 gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: Korrekte Signatur von "/CN=Test User B3/O=Test Organization B/C=DE/EMail=user@testorg-b.org" alias "user@testorg-b.org" Ok, now I change the order of the certificates by removing the certificate 99:9B:C4:... and reimporting it. Result: ranum@ranum:~> gpgsm --verify testtext.signedlist-keys | grep fingerprint Secure memory is not locked into core gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! fingerprint: 83:F2:31:0B:BF:DE:EB:0A:AF:8A:22:3D:E6:37:93:3A:C3:45:2E:1C fingerprint: 44:C4:9C:82:1E:78:FA:86:53:78:2D:33:A1:41:28:E9:BF:C0:39:EE fingerprint: 26:10:10:4B:0A:D2:9A:06:78:97:D5:CF:D1:26:50:FD:C5:4B:EF:D1 fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC fingerprint: 99:9B:C4:25:AB:88:59:D1:5F:B0:E1:39:5B:0F:98:19:3B:26:80:AE And now I try to verify the signed text again: ranum@ranum:~> gpgsm --verify testtext.signed Secure memory is not locked into core gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! gpgsm: Signatur erzeugt am 2005-01-31 16:47:13mittels Zertifikat ID C54BEFD1 gpgsm: Das Wurzelzertifikat ist nicht als vertrauensw?rdig markiert gpgsm: Fingerprint=52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B:5B:3A:97:DC gpgsm: DBG: BEGIN Certificate `issuer': gpgsm: DBG: serial: 00 gpgsm: DBG: notBefore: 2005-01-12 12:37:40 gpgsm: DBG: notAfter: 2007-01-12 12:37:40 gpgsm: DBG: issuer: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267, CN=Test Root CA B1,O=Test Organization B,C=DE gpgsm: DBG: subject: 1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267, CN=Test Root CA B1,O=Test Organization B,C=DE gpgsm: DBG: hash algo: 1.2.840.113549.1.1.5 gpgsm: DBG: SHA1 Fingerprint: 52:81:29:C5:AD:64:5F:B6:A6:02:C1:D1:E1:E1:52:4B: 5B:3A:97:DC gpgsm: DBG: END Certificate gpgsm: after checking the fingerprint, you may want to add it manually to the li st of trusted certificates. gpgsm: invalid certification chain: Nicht vertrauensw?rdig I would say, the certificate chains should be build using an exhaustive search of the existing certificates, gpgsm seems to try only the first match. Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From twoaday at freakmail.de Tue Feb 1 08:05:35 2005 From: twoaday at freakmail.de (Timo Schulz) Date: Tue Feb 1 08:48:05 2005 Subject: GnuGP 1.4a & G DATA Outlook Plugin Message-ID: <20050201070535.GA814@daredevil.joesixpack.net> On Sat Jan 29 2005; 01:47, Paul Rarey wrote: > When I install the G-DATA Outlook plugin .91 (just the plugin option - not > the full install) the G-DATA plugin fails. Won't sign and/or encrypt (posts > blank body), Nor does the Key Manager work. Maybe you can try again with 0.94. This version contains a lot of bug fixes. You can get it here: http://www.winpt.org FYI, winpt.org is no longer redirected to SF.net Timo From wk at gnupg.org Tue Feb 1 09:51:14 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Feb 1 12:31:04 2005 Subject: Information about GNUPG In-Reply-To: <200501311851.54347.jgentil@sebistar.net> (Jon-Pierre Gentil's message of "Mon, 31 Jan 2005 18:51:49 -0600") References: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com> <200501311851.54347.jgentil@sebistar.net> Message-ID: <878y68vf25.fsf@wheatstone.g10code.de> On Mon, 31 Jan 2005 18:51:49 -0600, Jon-Pierre Gentil said: > There is no company, it is an open-source project. Well there are quite some companies providing support for Free Software (i.e. what you call open source). See for example http://www.gnu.org/prep/service.html . Don't know about contacts in Japan, though. Googling for "gnupg", "keyserver", "openpgp", "Japan" etc. will likely give you a list of potential service providers. Salam-Shalom, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org From yraffah at gmail.com Tue Feb 1 09:46:26 2005 From: yraffah at gmail.com (Yousef Raffah) Date: Tue Feb 1 14:15:41 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem In-Reply-To: <41FE7D7E.1070209@bpuk.net> References: <41FD1C54.8050100@bpuk.net> <41FE7D7E.1070209@bpuk.net> Message-ID: On Mon, 31 Jan 2005 18:48:30 +0000, Barry Porter wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 31/01/2005 08:57, Yousef Raffah wrote: > > Hi Yousef, > > > Thanks Barry, > > > > I tried the update but still didn't fix the problem, however, I > > noticed now the attachments are signed with *.png.pgp extension > > instead of *.png.gpg. I guess this means the patch is working fine for > > me but it didn't fix the problem on binary attachments yet! > > > > What do you think? > > What format are you trying to write your emails in in Outlook? If you > are using anything other than plain text that will cause problems too. > That's an interesting point, although I was using rich text, I changed it to plain text, but still no luck :(. Binaries are being corrupted. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1-cvs (Windows XP Pro SP2) > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > iD8DBQFB/n183wKVPLs2unURAr8ZAKCdFctQ6vq7hXV5kIj1RuM/n+Q2rQCfafXV > SsYiZA2cT2JU6CUK7qlA8PI= > =Kwxa > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- ========= Sincerely, Yousef Raffah Join FSF as an Associate Member at: Get Firefox! From pschott at drivefinancial.com Tue Feb 1 18:40:50 2005 From: pschott at drivefinancial.com (Peter Schott) Date: Tue Feb 1 19:57:06 2005 Subject: Issue with WinPT and GPG versions Message-ID: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com> Tried to run the latest version of WinPT on a new workstation. For some reason, it can't determine the correct version of GPG with GPG 1.40a for Windows. The latest version tells me I need to run something higher. Going backwards in the WinPT.exe and dll, it keeps giving me version problems even to the point of saying GPG 1.21 or higher. Has anyone else encountered this? What is the problem/fix if you have? Thanks. Peter A. Schott drive financial services Database Administrator p: 214.237.3567 c: 214.734.1792 f: 214.237.3791 email: pschott@drivefinancial.com ___________________________________________________________________________________ This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C. Sections 2510-2521. The information contained in this e-mail is confidential and intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. This mail and any attachments have been scanned for viruses prior to leaving the Drive Financial Services network. Drive Financial Services will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. ___________________________________________________________________________________ From twoaday at freakmail.de Tue Feb 1 22:05:46 2005 From: twoaday at freakmail.de (Timo Schulz) Date: Tue Feb 1 22:11:18 2005 Subject: Issue with WinPT and GPG versions In-Reply-To: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com> References: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com> Message-ID: <20050201210546.GA2240@daredevil.joesixpack.net> On Tue Feb 01 2005; 11:40, Peter Schott wrote: > Tried to run the latest version of WinPT on a new workstation. For some > reason, it can't determine the correct version of GPG with GPG 1.40a for This sounds like a problem with 0.9.14. But this is not the latest version. I know that 0.9.50/0.9.90-cvs will work with GPG >= 1.4.x You can get 0.9.50 at http://www.winpt.org Timo From wk at gnupg.org Tue Feb 1 22:46:18 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Feb 1 22:45:41 2005 Subject: Issue with WinPT and GPG versions In-Reply-To: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com> (Peter Schott's message of "Tue, 1 Feb 2005 11:40:50 -0600") References: <4E28ECEE2E06784AA8921F82878C889E026C5D32@DFSTXEXCH3.dfs.com> Message-ID: <87r7k0nec5.fsf@wheatstone.g10code.de> On Tue, 1 Feb 2005 11:40:50 -0600, Peter Schott said: > Tried to run the latest version of WinPT on a new workstation. For some What do you think is the latest version? Tried 0.9.50 at www.winpt.org ? Shalom-Salam, Werner From sk at intertivity.com Wed Feb 2 02:41:36 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 2 02:37:45 2005 Subject: --yes Message-ID: <002301c508c8$55b7fdd0$f300a8c0@HOME> Hi everyone, Fyi: I have WinXp SP2 and gnupg 1.4.0a (compileted myself using MinGW). Why is --yes not always working. I used following call: gpg --dry-run --yes --default-key XYZ --passphrase-fd 0 --command-fd 0 --status-fd 2 --sign-key ABC It still asks me "Really sign all user Ids?" or "Really sign?". Is it a security reason or my own stupidy :) ? Have fun esskar From wk at gnupg.org Wed Feb 2 09:47:47 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 2 09:45:41 2005 Subject: --yes In-Reply-To: <002301c508c8$55b7fdd0$f300a8c0@HOME> (Sascha Kiefer's message of "Wed, 2 Feb 2005 02:41:36 +0100") References: <002301c508c8$55b7fdd0$f300a8c0@HOME> Message-ID: <87fz0fnya4.fsf@wheatstone.g10code.de> On Wed, 2 Feb 2005 02:41:36 +0100, Kiefer, Sascha said: > Why is --yes not always working. I used following call: --yes Assume "yes" on most questions. ^^^^ Shalom-Salam, Werner From list at rachinsky.de Wed Feb 2 09:23:47 2005 From: list at rachinsky.de (Nicolas Rachinsky) Date: Wed Feb 2 10:18:03 2005 Subject: difference between undef and unknown Message-ID: <20050202082347.GA29393@pc5.i.0x5.de> Hallo, can somebody tell me, what the difference between validity 'undef' and validity 'unknown' is? Like here: pub 1024D/5B0358A2 1999-03-15 [expires: 2009-07-11] uid [ unknown] Werner Koch uid [ undef ] Werner Koch uid [ undef ] Werner Koch Thanks, Nicolas From sk at intertivity.com Wed Feb 2 13:19:25 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Wed Feb 2 13:15:44 2005 Subject: --list-sigs, --check-sigs and --list-keys Message-ID: <4200C54D.4040305@intertivity.com> Hi. 1. is it true that --check-sigs and --list-sigs have pretty much the same output: --check-sigs just adds the signature information? I used the following syntax: --fixed-list-mode --with-colons --list-keys --with-fingerprint --with-fingerprint --fixed-list-mode --with-colons --check-sigs --with-fingerprint --with-fingerprint 2. is there a significant performance difference between --check-sigs and --list-sigs? Thanks for help. esskar From dshaw at jabberwocky.com Wed Feb 2 16:40:55 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 2 16:37:33 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <4200C54D.4040305@intertivity.com> References: <4200C54D.4040305@intertivity.com> Message-ID: <20050202154055.GA9429@jabberwocky.com> On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote: > Hi. > > 1. is it true that --check-sigs and --list-sigs have pretty much the > same output: --check-sigs just adds the signature information? --list-sigs shows the sigs. --check-sigs goes one step further and checks the sigs for validity. > 2. is there a significant performance difference between --check-sigs > and --list-sigs? In general --check-sigs is going to be slower as there is more work to do. Whether it is significant or not depends on a number of factors. In most cases with 1.4.0, it's not even noticable. In some cases (with Elgamal signatures and older GnuPG), it's 20-30 minutes slower. David From dshaw at jabberwocky.com Wed Feb 2 15:11:53 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 2 16:51:53 2005 Subject: difference between undef and unknown In-Reply-To: <20050202082347.GA29393@pc5.i.0x5.de> References: <20050202082347.GA29393@pc5.i.0x5.de> Message-ID: <20050202141153.GB29147@jabberwocky.com> On Wed, Feb 02, 2005 at 09:23:47AM +0100, Nicolas Rachinsky wrote: > Hallo, > > can somebody tell me, what the difference between validity 'undef' > and validity 'unknown' is? > > Like here: > pub 1024D/5B0358A2 1999-03-15 [expires: 2009-07-11] > uid [ unknown] Werner Koch > uid [ undef ] Werner Koch > uid [ undef ] Werner Koch Unknown means completely unknown. The trust calculations have not yet reached that key, the user ID is not signed by any key you have, etc. Undefined means not enough information. For example, if you have marginals-needed set to 3 and only have 2 marginal signatures. In practice, they are the same. Either way, the user ID isn't valid to encrypt to without a warning. David From wk at gnupg.org Wed Feb 2 18:13:11 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 2 18:10:42 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <20050202154055.GA9429@jabberwocky.com> (David Shaw's message of "Wed, 2 Feb 2005 10:40:55 -0500") References: <4200C54D.4040305@intertivity.com> <20050202154055.GA9429@jabberwocky.com> Message-ID: <87brb2khqw.fsf@wheatstone.g10code.de> On Wed, 2 Feb 2005 10:40:55 -0500, David Shaw said: > In most cases with 1.4.0, it's not even noticable. In some cases Unless you are using a P100 box which was my fastest development box at the time I impleemnted these options ;-) Werner From jharris at widomaker.com Wed Feb 2 18:56:50 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 2 18:53:08 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <20050202154055.GA9429@jabberwocky.com> References: <4200C54D.4040305@intertivity.com> <20050202154055.GA9429@jabberwocky.com> Message-ID: <20050202175649.GA3466@wilma.widomaker.com> On Wed, Feb 02, 2005 at 10:40:55AM -0500, David Shaw wrote: > On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote: > > 2. is there a significant performance difference between --check-sigs > > and --list-sigs? > > In general --check-sigs is going to be slower as there is more work to > do. Whether it is significant or not depends on a number of factors. > In most cases with 1.4.0, it's not even noticable. In some cases > (with Elgamal signatures and older GnuPG), it's 20-30 minutes slower. Also, IINM, signature validities are cached in the (writable) keyring(s). Valid signatures apparently look like this (pgpdump output): Old: Trust Packet(tag 12)(2 bytes) Trust - 00 03 NB: If you want to disable this (and other such) caching, use --no-sig-cache. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050202/f98dbae2/attachment.pgp From sk at intertivity.com Wed Feb 2 20:25:05 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 2 20:21:10 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <20050202154055.GA9429@jabberwocky.com> Message-ID: <000201c5095c$e6dfe040$f300a8c0@HOME> But it is true that --check-sigs just extends the --list-keys call? Right? > Behalf Of David Shaw > Sent: Mittwoch, 2. Februar 2005 16:41 > > On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote: > > Hi. > > > > 1. is it true that --check-sigs and --list-sigs have pretty much the > > same output: --check-sigs just adds the signature information? > > --list-sigs shows the sigs. --check-sigs goes one step > further and checks the sigs for validity. > > > 2. is there a significant performance difference between > --check-sigs > > and --list-sigs? > > In general --check-sigs is going to be slower as there is > more work to do. Whether it is significant or not depends on > a number of factors. In most cases with 1.4.0, it's not even > noticable. In some cases (with Elgamal signatures and older > GnuPG), it's 20-30 minutes slower. > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From thfrdue at gmx.de Wed Feb 2 21:12:18 2005 From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=) Date: Wed Feb 2 22:08:33 2005 Subject: "Malformed user ID" Message-ID: <42013422.4070107@gmx.de> Hi, everytime I want to encrypt any file/text following error message is displayed: "malformed user id" How can I solve this problem/ what is the cause for this problem? Thanks very much Greetz Thomas Email: thfrdue@gmx.de -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.4 - Release Date: 01.02.2005 From dshaw at jabberwocky.com Wed Feb 2 22:55:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 2 22:52:30 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <20050202175649.GA3466@wilma.widomaker.com> References: <4200C54D.4040305@intertivity.com> <20050202154055.GA9429@jabberwocky.com> <20050202175649.GA3466@wilma.widomaker.com> Message-ID: <20050202215548.GD9429@jabberwocky.com> On Wed, Feb 02, 2005 at 12:56:50PM -0500, Jason Harris wrote: > On Wed, Feb 02, 2005 at 10:40:55AM -0500, David Shaw wrote: > > On Wed, Feb 02, 2005 at 01:19:25PM +0100, Sascha Kiefer wrote: > > > > 2. is there a significant performance difference between --check-sigs > > > and --list-sigs? > > > > In general --check-sigs is going to be slower as there is more work to > > do. Whether it is significant or not depends on a number of factors. > > In most cases with 1.4.0, it's not even noticable. In some cases > > (with Elgamal signatures and older GnuPG), it's 20-30 minutes slower. > > Also, IINM, signature validities are cached in the (writable) keyring(s). That's why in most cases with 1.4.0 it's not even noticable. Every time you check your trustdb, uncached signatures are cached. David From pschott at drivefinancial.com Wed Feb 2 23:15:05 2005 From: pschott at drivefinancial.com (Peter Schott) Date: Wed Feb 2 23:10:51 2005 Subject: Issue with WinPT and GPG versions - resolved Message-ID: <4E28ECEE2E06784AA8921F82878C889E026C5EA2@DFSTXEXCH3.dfs.com> Installing the latest complete package from www.winpt.org did the trick. No idea why it wasn't working when I tried with the other versions. One more program to check off my list for migrating. :-) Thanks for the suggestion on the reinstall with the latest version. Peter A. Schott drive financial services Database Administrator p: 214.237.3567 c: 214.734.1792 f: 214.237.3791 email: pschott@drivefinancial.com ------------------------------ Date: Tue, 1 Feb 2005 22:05:46 +0100 From: Timo Schulz Subject: Re: Issue with WinPT and GPG versions On Tue Feb 01 2005; 11:40, Peter Schott wrote: > Tried to run the latest version of WinPT on a new workstation. For some > reason, it can't determine the correct version of GPG with GPG 1.40a for This sounds like a problem with 0.9.14. But this is not the latest version. I know that 0.9.50/0.9.90-cvs will work with GPG >= 1.4.x You can get 0.9.50 at http://www.winpt.org Timo ___________________________________________________________________________________ This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C. Sections 2510-2521. The information contained in this e-mail is confidential and intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. This mail and any attachments have been scanned for viruses prior to leaving the Drive Financial Services network. Drive Financial Services will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. ___________________________________________________________________________________ From wk at gnupg.org Thu Feb 3 08:16:52 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 08:22:20 2005 Subject: --list-sigs, --check-sigs and --list-keys In-Reply-To: <000201c5095c$e6dfe040$f300a8c0@HOME> (Sascha Kiefer's message of "Wed, 2 Feb 2005 20:25:05 +0100") References: <000201c5095c$e6dfe040$f300a8c0@HOME> Message-ID: <87r7jyi04b.fsf@wheatstone.g10code.de> On Wed, 2 Feb 2005 20:25:05 +0100, Kiefer, Sascha said: > But it is true that --check-sigs just extends the --list-keys call? > Right? True. Shalom-Salam, Werner From wk at gnupg.org Thu Feb 3 08:23:13 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 09:14:30 2005 Subject: "Malformed user ID" In-Reply-To: <42013422.4070107@gmx.de> ( =?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Wed, 02 Feb 2005 21:12:18 +0100") References: <42013422.4070107@gmx.de> Message-ID: <87mzumhztq.fsf@wheatstone.g10code.de> On Wed, 02 Feb 2005 21:12:18 +0100, Thomas F D?llmann said: > everytime I want to encrypt any file/text following error message is > displayed: > "malformed user id" You used an empty string for a user ID (recipient or signer), it does not match the syntax for a keyid or similar. You should give an example of what you did and not just a part of the error message. Salam-Shalom, Werner From bjoern.klement at web.de Thu Feb 3 09:13:30 2005 From: bjoern.klement at web.de (=?iso-8859-1?Q? Bj=F6rn=20Klement ?=) Date: Thu Feb 3 10:39:07 2005 Subject: Smartcard to decrypt a Filesystem Message-ID: <857142288@web.de> Hi, I want to store a key on a smartcard. And now I want to use the smartcard token to access to an encrypted filesystem or file. I tried to crypt a Filesystem with losetup. gpg --decrypt /tmp/key.gpg | /sbin/losetup -e AES128 /dev/loop0 /dev/hda6 -p 0 mount /dev/loop0 /crypto It works fine, but the key is stored local and I want to store the key on a Aladdin Etoken Pro. And other People with the key an there Token should also decrypt the fs. Thanks. Bj?rn __________________________________________________________ Mit WEB.DE FreePhone mit hoechster Qualitaet ab 0 Ct./Min. weltweit telefonieren! http://freephone.web.de/?mc=021201 From david69 at charter.net Thu Feb 3 10:42:52 2005 From: david69 at charter.net (David) Date: Thu Feb 3 11:25:01 2005 Subject: RSA subkeys Message-ID: <20050203094252.GA2406@charter.net> Hello, I'm using gpg 1.2.1 on RH9. I consider generating RSA key as described: master 2048 RSA key sign only, used for signing sub-keys, doesn't expire | |- 2048 RSA sign sub-key, for signing docs, expires | |- 4096 RSA encryption sub-key, expires 1. I plan to generate a new sub-key shortly before the previous one expires. Will my recipients consider the new sub-key as valid since it is signed by the master key? 2. Are there any compatibility issues I should consider? Thanks, David -- "In theory, there is no difference between theory and practice. But, in practice, there is." - Jan L.A. van de Snepscheut - From wk at gnupg.org Thu Feb 3 12:48:26 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 12:46:32 2005 Subject: [Announce] release candidate for 1.4.1 available Message-ID: <87fz0dhnjp.fsf@wheatstone.g10code.de> Hi! We are pleased to announce the availability of a release candidate for the forthcoming 1.4.1 version of gnupg: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig A binary for Windows is also available: ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k) ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig Please try these versions out and report any problems. The installer used for the Windows binary package is pretty basic right now but nevertheless a first step. In particular, selecting the language to use still needs manual interaction. We hope to improve it over time. Checksums are: 323445ee8e0c1de97243c646538d9f5dae5567ff gnupg-1.4.1rc1.tar.bz2 cda3e84f89dd7a0fd7df59e4c142e7bbb9669cb2 gnupg-w32cli-1.4.1rc1.exe Noteworthy changes since 1.4.0: * New --rfc2440-text option which controls how text is handled in signatures. This is in response to some problems seen with certain PGP/MIME mail clients and GnuPG version 1.4.0. More details about this are available at * New "import-unusable-sigs" and "export-unusable-sigs" tags for --import-options and --export-options. These are on by default, and cause GnuPG to not import or export key signatures that are not usable (e.g. expired signatures). * New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper that uses the cURL library to retrieve keys. This is disabled by default, but may be enabled with the configure option --with-libcurl. Without this option, the existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS are not supported. * When running a --card-status or --card-edit and a public key is available, missing secret key stubs will be created on the fly. Details of the key are listed too. * The implicit packet dumping in double verbose mode is now send to stderr and not to stdout. * [W32] The algorithm for the default home directory changed: First we look at the environment variable GNUPGHOME, if this one is not set, we check whether the registry entry {HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this fails we use a GnuPG directory below the standard application data directory (APPDATA) of the current user. Only in the case that this directory cannot be determined, the old default of c:\gnupg will be used. The option --homedir still overrides all of them. * [W32] The locale selection under Windows changed. You need to enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang. For German you would use "de". If it is not set, GnupG falls back to HKLM. The languages files "*.mo" are expected in a directory named "gnupg.nls" below the installation directory; that directory must be stored in the registry at the same key as above with the name "Install Directory". Happy Hacking, David, Timo, Werner -- Werner Koch The GnuPG Experts http://g10code.com Free Software Foundation Europe http://fsfeurope.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20050203/005c5657/attachment.pgp From sk at intertivity.com Thu Feb 3 14:19:30 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 3 14:15:36 2005 Subject: capacity of keyring In-Reply-To: <4200C54D.4040305@intertivity.com> References: <4200C54D.4040305@intertivity.com> Message-ID: <420224E2.9070900@intertivity.com> Hi. It's me again! :-) Do you know how many keys can you put into a keystore and still be fast? What happens when I put 10.000 keys in there? What about 100.000 keys? Greetings esskar From henkdebruijn at wanadoo.nl Thu Feb 3 15:07:30 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Feb 3 15:03:36 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> Message-ID: <5910418497.20050203150730@wanadoo.nl> On Thu, 03 Feb 2005 12:48:26 +0100GMT (3-2-2005, 12:48 +0100, where I live), Werner Koch wrote: > We are pleased to announce the availability of a release candidate for > the forthcoming 1.4.1 version of gnupg: > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig > A binary for Windows is also available: > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe > (1377k) > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig > Please try these versions out and report any problems. The installer > used for the Windows binary package is pretty basic right now but > nevertheless a first step. In particular, selecting the language to > use still needs manual interaction. We hope to improve it over time. Thanks, up and running! -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust From thfrdue at gmx.de Thu Feb 3 15:15:10 2005 From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=) Date: Thu Feb 3 15:11:16 2005 Subject: "Malformed User ID" Message-ID: <420231EE.20302@gmx.de> Hi, as recently posted I get an errormessage if i want to encrypt any File/Text. I tried it twice: 1. I tried to encrypt a file. 2. I tried to encrypt a mail. Both ended with the errormessage "Malformed User ID". I chose another email-address of mine, so i had the public key. Greetz Thomas -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.4 - Release Date: 01.02.2005 From JediKnight2 at ec.rr.com Thu Feb 3 14:42:25 2005 From: JediKnight2 at ec.rr.com (Kevin Smith) Date: Thu Feb 3 15:15:08 2005 Subject: Multiple files Message-ID: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> Is there a way to encrypt multiple files at one time...say I want to encrypt EVERY file in a folder called tobeencrypted...any easy way?? From dshaw at jabberwocky.com Thu Feb 3 15:19:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 3 15:16:03 2005 Subject: Smartcard to decrypt a Filesystem In-Reply-To: <857142288@web.de> References: <857142288@web.de> Message-ID: <20050203141925.GA10077@jabberwocky.com> On Thu, Feb 03, 2005 at 09:13:30AM +0100, Bj?rn Klement wrote: > Hi, > > I want to store a key on a smartcard. And now I want to use the smartcard token to access to an encrypted filesystem or file. I tried to crypt a Filesystem with losetup. > > gpg --decrypt /tmp/key.gpg | /sbin/losetup -e AES128 /dev/loop0 /dev/hda6 -p 0 > > mount /dev/loop0 /crypto > > It works fine, but the key is stored local and I want to store the > key on a Aladdin Etoken Pro. And other People with the key an there > Token should also decrypt the fs. Get yourself one of these: http://www.g10code.de/p-card.html and you're all set. David From johanw at vulcan.xs4all.nl Thu Feb 3 16:42:21 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Feb 3 16:38:44 2005 Subject: Multiple files In-Reply-To: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> from Kevin Smith at "Feb 3, 2005 08:42:25 am" Message-ID: <200502031542.QAA03539@vulcan.xs4all.nl> Kevin Smith wrote: >Is there a way to encrypt multiple files at one time...say I want to encrypt >EVERY file in a folder called tobeencrypted...any easy way?? #!/bin/bash for i in *; do gpg -e -r myname $i; done -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From texmex at uni.de Thu Feb 3 15:36:51 2005 From: texmex at uni.de (Gregor Zattler) Date: Thu Feb 3 16:56:38 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> Message-ID: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> Hi Werner, * Werner Koch [03. Feb. 2005]: > We are pleased to announce the availability of a release candidate for > the forthcoming 1.4.1 version of gnupg: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig > > A binary for Windows is also available: > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k) > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig > > Please try these versions out and report any problems. The installer > used for the Windows binary package is pretty basic right now but > nevertheless a first step. In particular, selecting the language to > use still needs manual interaction. We hope to improve it over time. I installed it with WINE under Linux, imported my pubring.gpg and successfully checked the signature file. I installed it on Win98se and got an alarm box saying: gpg.exe is linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. (Message was shown in german, I translated it. For original see attached image). > * [W32] The locale selection under Windows changed. You need to > enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang. > For German you would use "de". If it is not set, GnupG falls > back to HKLM. The languages files "*.mo" are expected in a > directory named "gnupg.nls" below the installation directory; > that directory must be stored in the registry at the same key as > above with the name "Install Directory". I did this under WINE and the output was half english half german. The Umlauts didn't show correct. This may be a problem of my WINE installation. Gregor From atom at smasher.org Thu Feb 3 17:24:39 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 17:20:37 2005 Subject: RSA subkeys In-Reply-To: <20050203094252.GA2406@charter.net> References: <20050203094252.GA2406@charter.net> Message-ID: <20050203162428.71861.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 3 Feb 2005, David wrote: > Hello, > > I'm using gpg 1.2.1 on RH9. ============= gpg 1.4 is better. no comment on RH9. > I consider generating RSA key as described: > > master 2048 RSA key sign only, used for signing sub-keys, doesn't expire > | > |- 2048 RSA sign sub-key, for signing docs, expires > | > |- 4096 RSA encryption sub-key, expires > > 1. I plan to generate a new sub-key shortly before the previous one > expires. Will my recipients consider the new sub-key as valid since > it is signed by the master key? ================ why not update the expiration date on the subkeys, and keep them? if they're not compromised there's no reason to throw them away. > 2. Are there any compatibility issues I should consider? ================= RSA support is optional in rfc2440. i've been using an RSA only key for a while with no problems, mostly with other gpg users. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The shepherd drives the wolf from the sheep's for which the sheep thanks the shepherd as his liberator, while the wolf denounces him for the same act as the destroyer of liberty. Plainly, the sheep and the wolf are not agreed upon a definition of liberty." -- Abraham Lincoln -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCAlBNAAoJEAx/d+cTpVcifcgIAIU35WoazW2SArq1tZoENtS0 IONPyp8KvoMkqgcDXFomHNd56yeDqtdSeuXjnwQQI+hsh+NBXzZPC2By/EoZi3FI V8EQpj6g5jCitvxfZHmdU17R6DlDhndh+wp1kT8bP6IHOQFmrptopyhta0tBD2od 9SylW8krjz1ChjPEeEhEeM8PP9hxVgcWwg4c0oH6B2VLTToC3P21nzD/Qm77y0/x dzEhoYFAjP7SeOp269kAZCyxnhrU2mE9TF9zuyyYn36t93OTRbuf4xVwz46rcCiB BEKc7KBovb3263Y1FcXYpXm6qDujDyyaqPcR+tMTJ9xXEvSUk54dOjYxmu5iiYM= =hGI4 -----END PGP SIGNATURE----- From atom at smasher.org Thu Feb 3 17:29:41 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 17:25:35 2005 Subject: Multiple files In-Reply-To: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> Message-ID: <20050203162929.80332.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 3 Feb 2005, Kevin Smith wrote: > Is there a way to encrypt multiple files at one time...say I want to > encrypt EVERY file in a folder called tobeencrypted...any easy way?? ===================== --multifile This modifies certain other commands to accept multiple files for processing on the command line or read from stdin with each filename on a separate line. This allows for many files to be processed at once. --multifile may currently be used along with --verify, --encrypt, and --decrypt. Note that `--multifile --verify' may not be used with detached signatures. second time that this has been asked recently. should it go in the faq? - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "This is Radio Clash On pirate satellite Orbiting your living room Everybody hold on tight" -- The Clash -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCAlF7AAoJEAx/d+cTpVcinNgH/jjnYQJXOKXGJc9hFOK3sX+A 08lapg7nMa7m738UKW72WrP9+U9RtKNiG0SnPiM5jz/fS+bd+0BxI8K+gStKxygl CXUT+shlnZD80Q7Rw+qSfatL2vxIxrEduhFHCh9IsT4ZWfy5cu/wz8uel4VmawSg pnH0kCq2OJv5Gb2rExzjp/mKY0p3G/2IMY072k4Jrv9jsrdCxVf6Yij+EeTn488I Ed6YrXhynQj9wzxZhzeaStVqhGTe9/zumB0KIWvGpBCTbt++3JfoDMzSjlGFSNEV BEwX4nSZJCtHNSDaFGyY4c8PavFjvCFiTjUhvn6pcnWkY05SkiNJJ/Yh4wTkNgw= =Mtfz -----END PGP SIGNATURE----- From sk at intertivity.com Thu Feb 3 17:44:33 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 3 17:40:39 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> Message-ID: <420254F1.8090506@intertivity.com> Have you added %SystemRoot%\System and %SystemRoot%\System32 to your environment path variable? HTH Gregor Zattler schrieb: >I installed it on Win98se and got an alarm box saying: gpg.exe is >linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. >(Message was shown in german, I translated it. For original see >attached image). > > From Freedom_Lover at pobox.com Thu Feb 3 18:54:28 2005 From: Freedom_Lover at pobox.com (Todd) Date: Thu Feb 3 18:51:28 2005 Subject: Multiple files In-Reply-To: <200502031542.QAA03539@vulcan.xs4all.nl> References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> <200502031542.QAA03539@vulcan.xs4all.nl> Message-ID: <20050203175427.GA4175@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Johan Wevers wrote: > Kevin Smith wrote: >> >>Is there a way to encrypt multiple files at one time...say I want to >>encrypt EVERY file in a folder called tobeencrypted...any easy way?? > > #!/bin/bash > for i in *; do gpg -e -r myname $i; done Or, in 1.2.5 and above, use the multifile option: gpg --multifile --encrypt tobeencrypted/* That would get you an individually encrypted file for each file in the directory. You might also want to just tar up the directory and then encrypt that. tar -cf - dir/ | gpg -r 0x0123456 --encrypt -o dir.tar.gpg - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== I'm proud to be paying taxes in the U.S. The only thing is-I could be just as proud for half the money. -- Arthur Godfrey -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkICZVMmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1oIKQCgyQcSRK2W/nzmRPy5uCLmTC6aURIAn2GxQ3O+ uqZvDnzzg2GIYtMFAEQ1 =6K2V -----END PGP SIGNATURE----- From shavital at mac.com Thu Feb 3 19:21:39 2005 From: shavital at mac.com (Charly Avital) Date: Thu Feb 3 19:18:12 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> Message-ID: <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Feb 3, 2005, at 6:48 AM, Werner Koch wrote: > Hi! > > We are pleased to announce the availability of a release candidate for > the forthcoming 1.4.1 version of gnupg: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig Compiled for Macintosh OS X 10.3.7, Darwin 7.7.0, CPU PPC G4 (1.1). Running OK. > [...] > Noteworthy changes since 1.4.0: > > * New --rfc2440-text option which controls how text is handled in > signatures. This is in response to some problems seen with > certain PGP/MIME mail clients and GnuPG version 1.4.0. More > details about this are available at > > 024408.html> Self-test correctly verified by two different MUAs that use gpg. When verifying with PGP 8.1, bad signature (will inform the PGP people). This message is signed using PGP/MIME (I hope). > > * New "import-unusable-sigs" and "export-unusable-sigs" tags for > --import-options and --export-options. These are on by > default, and cause GnuPG to not import or export key signatures > that are not usable (e.g. expired signatures). The wording is a bit confusing, *for me* that is: if the tag --import-unusable-sigs is on by default, how will that cause GnuPG *not* to import key signatures that are not usable? It would seem that it would cause GnuPG to import key signatures that are not usable. Ditto for export. Sorry if this sounds dense. > > * New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper > that uses the cURL library to retrieve > keys. This is disabled by default, but may be enabled with the > configure option --with-libcurl. Without this option, the > existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS > are not supported. Sorry, missed that one. I'll try an additional ./configure with that option enabled. [...] > Happy Hacking, > > David, Timo, Werner Thanks to you three. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (Darwin) Comment: GnuPG for Privacy iD8DBQFCAmvE8SG5rMkbCF4RAthaAJ9kKNRlnQ1LOcNz+HSo6OPDLcnFnQCfWeLS zxN9PP2tqUjmUSbPB94J6V8= =vF9g -----END PGP SIGNATURE----- From shavital at mac.com Thu Feb 3 19:36:28 2005 From: shavital at mac.com (Charly Avital) Date: Thu Feb 3 19:32:55 2005 Subject: PGP/MIME signed - (was: [Announce] release candidate for 1.4.1 available) Message-ID: Sorry, my previous message to the list was not signed using PGP/MIME, my mistake (in fact, my MUA's mistake, but mine all the same). This one should be. Charly MacOS X 10.3.8 -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 216 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20050203/8cca43f1/PGP.pgp From wk at gnupg.org Thu Feb 3 19:46:53 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 19:45:37 2005 Subject: RSA subkeys In-Reply-To: <20050203162428.71861.qmail@smasher.org> (Atom Smasher's message of "Thu, 3 Feb 2005 11:24:39 -0500 (EST)") References: <20050203094252.GA2406@charter.net> <20050203162428.71861.qmail@smasher.org> Message-ID: <877jlpeb1e.fsf@wheatstone.g10code.de> On Thu, 3 Feb 2005 11:24:39 -0500 (EST), Atom Smasher said: > why not update the expiration date on the subkeys, and keep them? if > they're not compromised there's no reason to throw them away. You never know whether a key is compromised. Key rollover is actually a good thing to gain some forward secrecy. It helps against a warrant to decrypt an old intercepted message - you can claim that you have destroyed the key a few days after it expired. Ask the UK folks about that - well, they won't be allowed to tell. Shalom-Salam, Werner From wk at gnupg.org Thu Feb 3 19:50:32 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 19:50:38 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> (Gregor Zattler's message of "Thu, 3 Feb 2005 15:36:51 +0100") References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> Message-ID: <873bwdeavb.fsf@wheatstone.g10code.de> On Thu, 3 Feb 2005 15:36:51 +0100, Gregor Zattler said: > I installed it on Win98se and got an alarm box saying: gpg.exe is > linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. I feared that one. AFAIK you have to install at least Internet Exploder 4.5 which updates the shell32.dll - or something like that. I hope you don't really need it under Wine. Let's see what happens on native W98 > I did this under WINE and the output was half english half german. > The Umlauts didn't show correct. This may be a problem of my WINE > installation. The German tranlsation has not been updated. The Umlauts do work for me on the console. Thanks, Werner From wk at gnupg.org Thu Feb 3 19:54:37 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 19:50:46 2005 Subject: "Malformed User ID" In-Reply-To: <420231EE.20302@gmx.de> ( =?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Thu, 03 Feb 2005 15:15:10 +0100") References: <420231EE.20302@gmx.de> Message-ID: <87u0otcw42.fsf@wheatstone.g10code.de> On Thu, 03 Feb 2005 15:15:10 +0100, Thomas F D?llmann said: > as recently posted I get an errormessage if i want to encrypt any File/Text. As said, please post waht you actually did. Tell us the complete command line you used. If there is a confidential user ID replace the letters and numbers by others - but not their count. Salam-Shalom, Werner From wk at gnupg.org Thu Feb 3 19:52:38 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 19:50:54 2005 Subject: capacity of keyring In-Reply-To: <420224E2.9070900@intertivity.com> (Sascha Kiefer's message of "Thu, 03 Feb 2005 14:19:30 +0100") References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com> Message-ID: <87y8e5cw7d.fsf@wheatstone.g10code.de> On Thu, 03 Feb 2005 14:19:30 +0100, Sascha Kiefer said: > What happens when I put 10.000 keys in there? What about 100.000 keys? 10.000 should basically work. 100000 work too but I am pretty sure that it will be very very slow. gnupg 1.9 will fix this by using a random access key storage (not yet implemented for OpenPGP). Werner From atom at smasher.org Thu Feb 3 19:58:31 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 19:54:23 2005 Subject: RSA subkeys In-Reply-To: <877jlpeb1e.fsf@wheatstone.g10code.de> References: <20050203094252.GA2406@charter.net> <20050203162428.71861.qmail@smasher.org> <877jlpeb1e.fsf@wheatstone.g10code.de> Message-ID: <20050203185817.85492.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 3 Feb 2005, Werner Koch wrote: > On Thu, 3 Feb 2005 11:24:39 -0500 (EST), Atom Smasher said: > >> why not update the expiration date on the subkeys, and keep them? if >> they're not compromised there's no reason to throw them away. > > You never know whether a key is compromised. Key rollover is actually a > good thing to gain some forward secrecy. It helps against a warrant to > decrypt an old intercepted message - you can claim that you have > destroyed the key a few days after it expired. Ask the UK folks about > that - well, they won't be allowed to tell. ===================== ok, i guess that does have advantages under the UK's IPA(?). here in the states one is protected against govt abuse by not writing down their passphrase . - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "They have computers, and they may have other weapons of mass destruction." -- Janet Reno, US Attorney General, 27 Feb 1998 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCAnRcAAoJEAx/d+cTpVciWygH/2US+O7KkhSKLRjRxnkFwEfg sT3AOCB2VZ/Ar5IO/7ovMZmUc/f9pZF26jTheGCR1cmN6aVJoIqUMVPoqIIWKQVE LwtAHUgmO96z/DiyzKGGkenYljfO7TQ/0Gx0kT6L/bNHF/8zC/bUuGiOsms0QJxH Lq5vU0RNYdp56YbL8PHjPpmjlAN19D41O37ZsgQYy8CzXzEoRjBP9ibY0LzObWel 073OuRNOg9qY1xRFh+LTvyMXJmRi3pRxOULO73gWCQWmn8/u3dgiDLWp1pH1BPIU M6AN280/HOPwHpDWBxqbapucjJV9RXaJGdW+oxszw2il4DwtkFApo8WHok4ZAYo= =DfB5 -----END PGP SIGNATURE----- From wk at gnupg.org Thu Feb 3 19:56:58 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 19:55:40 2005 Subject: Multiple files In-Reply-To: <200502031542.QAA03539@vulcan.xs4all.nl> (Johan Wevers's message of "Thu, 3 Feb 2005 16:42:21 +0100 (MET)") References: <200502031542.QAA03539@vulcan.xs4all.nl> Message-ID: <87mzulcw05.fsf@wheatstone.g10code.de> On Thu, 3 Feb 2005 16:42:21 +0100 (MET), Johan Wevers said: > Kevin Smith wrote: >> Is there a way to encrypt multiple files at one time...say I want to encrypt >> EVERY file in a folder called tobeencrypted...any easy way?? > #!/bin/bash > for i in *; do gpg -e -r myname $i; done Or use --multifile This modifies certain other commands to accept multiple files for processing on the command line or read from stdin with each filename on a separate line. This allows for many files to be processed at once. --multifile may currently be used along with --verify, --encrypt, and --decrypt. Note that `--multifile --verify' may not be used with detached signatures. From huehn-ml at arcor.de Thu Feb 3 20:11:24 2005 From: huehn-ml at arcor.de (=?ISO-8859-1?Q?Thomas_H=FChn?=) Date: Thu Feb 3 20:07:32 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> Message-ID: <4202775C.2020606@arcor.de> Werner Koch wrote: > * When running a --card-status or --card-edit and a public key is > available, missing secret key stubs will be created on the fly. > Details of the key are listed too. Very nice. I was surprised it wasn't like that before. :-) With regards to the "key generation on card" issue you recommended trying CVS, which I haven't so far. Is that fix in 1.4.1rc? Thomas From WilliamsM at hnicorp.com Thu Feb 3 17:22:56 2005 From: WilliamsM at hnicorp.com (WilliamsM (IT)) Date: Thu Feb 3 20:59:18 2005 Subject: gnupg on AIX 5.2 mpih-div.c:453: Can't find a register in class ` MQ_REGS' while reloading `asm' Message-ID: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com> All, Rookie user here, quickly sinking in the quagmire of a go-live project. While trying to do the Make of gnupg-1.2.6 I receive the following error along with several other similar just different numbers: mpih-div.c:453: Can't find a register in class `MQ_REGS' while reloading `asm' Found a blurb on the web referring to AIX 4.3 telling me "Perhaps --disable-asm would help.", but as a rookie, I don't know how to do this. I would also appreciate if you can help with this, you respond directly in addition to the users list as I am not sure my subscription is set and that I get the related emails. TIA Regards, Michael R. Williams "People can come up with statistics to prove anything, 14% of all people know that." Homer Simpson HNI Corporation Unix System Admin/Progress DBA (563)264-7292 williamsm@hnicorp.com From shavital at mac.com Thu Feb 3 21:12:55 2005 From: shavital at mac.com (Charly Avital) Date: Thu Feb 3 21:09:27 2005 Subject: PGP/MIME signed message - GnuPG 1.4.1rc1 released Message-ID: <792b097efb955c67c30be31f707ebd7e@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 My previous message to the list, that I believed to be signed using PGP/MIME, was not (my mistake). That was fortunate, because a second (short) message actually signed with PGP/MIME was rejected by the list's server, I should have anticipated that. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (Darwin) Comment: GnuPG for Privacy iD8DBQFCAoXS8SG5rMkbCF4RAoJUAJ9HvQtW3AkPs+1BaERajAv+khYPcwCfbtom uyb8u3OmpJ4OuARwdezdOpg= =MaTd -----END PGP SIGNATURE----- From wk at gnupg.org Thu Feb 3 21:26:54 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 21:25:41 2005 Subject: gnupg on AIX 5.2 mpih-div.c:453: Can't find a register in class ` MQ_REGS' while reloading `asm' In-Reply-To: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com> (WilliamsM@hnicorp.com's message of "Thu, 3 Feb 2005 10:22:56 -0600") References: <3E7077285B8A1048BD43F3CAB3466FB403A09DB1@srv-it-exch3.honi.com> Message-ID: <87zmyl9ypd.fsf@wheatstone.g10code.de> On Thu, 3 Feb 2005 10:22:56 -0600 , WilliamsM (IT) said: > Found a blurb on the web referring to AIX 4.3 telling me "Perhaps > --disable-asm would help.", but as a rookie, I don't know how to do this. I ./configure --disable-asm make will do > would also appreciate if you can help with this, you respond directly in > addition to the users list as I am not sure my subscription is set > and that No, you are not subscribed, I approved it. In general no problem but there might a few hours or a day of delay. Werner From wk at gnupg.org Thu Feb 3 21:29:42 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 21:25:53 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <4202775C.2020606@arcor.de> ( =?utf-8?q?Thomas_H=C3=BChn's_message_of?= "Thu, 03 Feb 2005 20:11:24 +0100") References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <4202775C.2020606@arcor.de> Message-ID: <87r7jx9ykp.fsf@wheatstone.g10code.de> On Thu, 03 Feb 2005 20:11:24 +0100, Thomas H?hn said: > With regards to the "key generation on card" issue you recommended > trying CVS, which I haven't so far. Is that fix in 1.4.1rc? Yes. From wk at gnupg.org Thu Feb 3 21:28:16 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 3 21:26:04 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <420254F1.8090506@intertivity.com> (Sascha Kiefer's message of "Thu, 03 Feb 2005 17:44:33 +0100") References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <420254F1.8090506@intertivity.com> Message-ID: <87vf999yn3.fsf@wheatstone.g10code.de> On Thu, 03 Feb 2005 17:44:33 +0100, Sascha Kiefer said: > Have you added %SystemRoot%\System and %SystemRoot%\System32 to your > environment path variable? IIRC, that is one of the default locations searched by LoadModule. Werner From johanw at vulcan.xs4all.nl Thu Feb 3 21:23:17 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Feb 3 21:55:47 2005 Subject: RSA subkeys In-Reply-To: <20050203185817.85492.qmail@smasher.org> from Atom Smasher at "Feb 3, 2005 01:58:31 pm" Message-ID: <200502032023.VAA04208@vulcan.xs4all.nl> Atom Smasher wrote: >ok, i guess that does have advantages under the UK's IPA(?). here in the >states one is protected against govt abuse by not writing down their >passphrase . In the USA they can "suspect" you of terrorist activity and lock you up in Guantanamo indefinitely without trial. In the UK, the trick of adding a message "This key is not requested by the governemnt" and removing the message if it is can be used. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Feb 3 21:58:42 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Feb 3 21:55:56 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> from Werner Koch at "Feb 3, 2005 12:48:26 pm" Message-ID: <200502032058.VAA04581@vulcan.xs4all.nl> Werner Koch wrote: > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig I get a bad signature on this file (with gpg 1.4.0). > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe (1377k) > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe.sig This signature checks OK. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From atom at smasher.org Thu Feb 3 22:15:57 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 22:12:02 2005 Subject: RSA subkeys In-Reply-To: <200502032023.VAA04208@vulcan.xs4all.nl> References: <200502032023.VAA04208@vulcan.xs4all.nl> Message-ID: <20050203211542.72055.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 3 Feb 2005, Johan Wevers wrote: > Atom Smasher wrote: > >> ok, i guess that does have advantages under the UK's IPA(?). here in >> the states one is protected against govt abuse by not writing down >> their passphrase . > > In the USA they can "suspect" you of terrorist activity and lock you up > in Guantanamo indefinitely without trial. ============= yeah, but they don't need evidence to do that, so crypto is largely irrelevant. in fact it could save someone from the gulag... if they *really* want to know what's encrypted they'll work out a deal. the guantanamo gulag is reserved for people who can't be convicted anyway. sooner or later the civilized world will liberate us... or we'll collapse under our own weight. > In the UK, the trick of adding a message "This key is not requested by > the governemnt" and removing the message if it is can be used. ============= huh? i'm not sure how that works... tell me more... - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The lawgiver, of all beings, most owes the law allegiance. He of all men should behave as though the law compelled him. But it is the universal weakness of mankind that what we are given to administer we presently imagine we own." -- H.G. Wells -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCApSSAAoJEAx/d+cTpVcio7UH/RX0d/7ctE9jY3HiOlj0+rfM DBL8DCO48U80Wk3kOMAwb8upXkTLZRoj713DGspfvVnp2pbFuzQnnHzaKgM4pd5f iTQc5kCqnlPGKahtL80PiRiob0DKoyByTG1SQsmRuwegPHu7VorOEE2tp9xGgzmh iaCNlB/Em5GurV3++c/gxYHa0paRggTmFp0f/XpeNwaebyab816VFU+W6Js9uw06 FybP6cV93GqkS+fU5nQIN1n7jPDAqoJp3g+3owTvdQl3LwfuGfR4RwPBnFF5gUrU XL166TYNGj/qGyp6UzDrE2ihiWQqUO6Mm2iPYbDJre+WR7nRVKwD3OcMy7E4v8g= =JoJs -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Feb 3 22:38:21 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 3 22:35:01 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com> Message-ID: <20050203213821.GA12554@jabberwocky.com> On Thu, Feb 03, 2005 at 01:21:39PM -0500, Charly Avital wrote: > > * New --rfc2440-text option which controls how text is handled in > > signatures. This is in response to some problems seen with > > certain PGP/MIME mail clients and GnuPG version 1.4.0. More > > details about this are available at > > > > > 024408.html> > > Self-test correctly verified by two different MUAs that use gpg. When > verifying with PGP 8.1, bad signature (will inform the PGP people). I'm not sure what didn't work here. What did you verify with PGP 8.1? > > * New "import-unusable-sigs" and "export-unusable-sigs" tags for > > --import-options and --export-options. These are on by > > default, and cause GnuPG to not import or export key signatures > > that are not usable (e.g. expired signatures). > > The wording is a bit confusing, *for me* that is: > if the tag --import-unusable-sigs is on by default, how will that cause > GnuPG *not* to import key signatures that are not usable? It would seem > that it would cause GnuPG to import key signatures that are not usable. > Ditto for export. Sorry if this sounds dense. This was a typo. The options are *off* by default. David From dany_list at natzo.com Thu Feb 3 21:42:25 2005 From: dany_list at natzo.com (Dany Nativel) Date: Thu Feb 3 23:04:51 2005 Subject: Any LiveCD with GnuPG 1.4? In-Reply-To: <41F7D813.6030804@natzo.com> References: <41F7D813.6030804@natzo.com> Message-ID: <42028CB1.4050509@natzo.com> This is the third time I'm trying to post to this list without success. Dany Dany Nativel wrote: > Posted the following one on the 25th but it never showed up on the list! > Dany > > Hello, > > I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you > name it that would have GnuPG 1.4. > > I think that a LiveCD/Floppy like this would be the best companion for > the OpenPGP card during the key generation process. GnuPG 1.4 has > built-in support for CCID smart card readers so it's really portable > and provide a (more) secure way to launch an on-card key generation > with off-card backup (on a floppy for example). The real men don't > backup their keys ;) > > I was hopping that Klik (great tool for adding new applications to > Knoppix) would have the 1.4 but that's not the case. > > So I guess I just have to wait... > > Do not hesitate to let me know if you see one around. > > PS: Now it's time to get this old Tinfoilinux floppy project back for > even more protection. > > Dany > From atom at smasher.org Thu Feb 3 23:25:42 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 23:21:36 2005 Subject: "Malformed User ID" In-Reply-To: <420231EE.20302@gmx.de> References: <420231EE.20302@gmx.de> Message-ID: <20050203222529.17200.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 is the key publicly circulated? if yes, what is the key id? have you tried specifying the key by key id? or user id? ie: gpg -e file -r test@example.com or gpg -e file -r 0x12345678 - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "What you are seeing is not just a consolidation of seed companies, it is really a consolidation of the entire food chain. Since water is as central to food production as seed is, and without water life is not possible, Monsanto is now trying to establish its control over water." -- Robert Farley, Monsanto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCAqTsAAoJEAx/d+cTpVciLxQH/14sHb8U0wlCixBpjBqLCCs+ 5rjNyqwUrdEc87887HXZx+Xm1RN/VSbP7A2AK9XM3qf2RlBpCtTv8oelXyAL+s0G kX9yt6c1TxjquUWZhOXkebrs/wjlt1bm8imAt9jETbTmho4jduIecWEhcPWuVfZ7 wqPElfendmSHYTgKQDcnL/WfultGoKgtHHEBijFOo3D1JP9err2wqLFBkzlC+F8I NKhCD40HGsI+2WmVM3UXORd6qSrwXvhHd3shTI9eWeEl1Q1PE+NxOnGTtyCclkN3 f95df2NVG6N1sXIjr7aZ9cvPdkERzV4IWE5JWfCaegMMeIm3V/U/RfcgQTFoLj4= =1Fc4 -----END PGP SIGNATURE----- From atom at smasher.org Thu Feb 3 23:30:55 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 3 23:26:49 2005 Subject: "Malformed User ID" In-Reply-To: <20050203222529.17200.qmail@smasher.org> References: <420231EE.20302@gmx.de> <20050203222529.17200.qmail@smasher.org> Message-ID: <20050203223039.19885.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 3 Feb 2005, Atom Smasher wrote: > ie: > gpg -e file -r test@example.com > or > gpg -e file -r 0x12345678 ======================== correction to self. that won't work. i meant: gpg -er test@example.com file or gpg -er 0x12345678 file - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "It must be in our vital interest whether we ever send troops. The mission must be clear. Soldiers must understand why we're going. The force must be strong enough so that the mission can be accomplished. And the exit strategy needs to be well-defined." -- George "dubya" Bush 3rd Bush-Gore debate, 17 Oct 2000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCAqYkAAoJEAx/d+cTpVciyEMIAISAmQq6vhpEjKSYB2ZYXaZS yzOM3lwtfbf38NR9EzQDOhmHjL3znv7+qFZL159IW4OJ9N7YAueW4eKc4NWP3rqc pM8ap1qessVV491aAv5PU8qHrc/29F1ucjQuQ+lqqIcdIvrEn4f9EtPnjArW39C6 iauG4ncLoiyatFh/M6QjbDQ8gOPaub4noU4uZpVR6PsEletAOObDHkfz4p5c3Kdg QjGFeE/w4KDHY850W2LbghOot7uP+I2s6MoVPxV+tEqn1i52Gyg1XW9rnteXdLl+ v9nrFb+3mtZ+/8gK2IMK/ORCooqmgiQILZ5EMRPkwKsDS4VotvhFCRoiQvnG4xQ= =HPT9 -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Fri Feb 4 00:24:25 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Feb 4 00:21:55 2005 Subject: RSA subkeys In-Reply-To: <20050203211542.72055.qmail@smasher.org> from Atom Smasher at "Feb 3, 2005 04:15:57 pm" Message-ID: <200502032324.AAA13069@vulcan.xs4all.nl> Atom Smasher wrote: >> In the UK, the trick of adding a message "This key is not requested by >> the governemnt" and removing the message if it is can be used. >huh? i'm not sure how that works... tell me more... You add a message to all your encrypted files and your key with such a text. If the gouvernment requests the key, you remove the message. Bruce Schneier reported some library did the same with gouvernment requests to log internet activity. They put up a sign "XXX days without logging", and the suddenly removed the sign, making obvious what happened. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Fri Feb 4 00:25:38 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Feb 4 00:22:04 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> from Werner Koch at "Feb 3, 2005 12:48:26 pm" Message-ID: <200502032325.AAA13076@vulcan.xs4all.nl> Werner Koch wrote: > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 (2709k) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2.sig My first report about a bad signature was in error. I redownloaded the .bz2 file and now it checked OK. Compilation and teste were also OK. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From linux at codehelp.co.uk Fri Feb 4 00:40:27 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Feb 4 00:36:46 2005 Subject: Any LiveCD with GnuPG 1.4? In-Reply-To: <42028CB1.4050509@natzo.com> References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com> Message-ID: <200502032340.30625.linux@codehelp.co.uk> On Thursday 03 February 2005 8:42 pm, Dany Nativel wrote: > > I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you > > name it that would have GnuPG 1.4. USB - possible, better to probably roll your own if you've got one of those 1Gb USB sticks - probably more work than it is worth to re-hash an iso to 512Mb. > > So I guess I just have to wait... Why not try to create your own? It's how all projects start . . . > > Do not hesitate to let me know if you see one around. Google is your friend - don't rely on others. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050203/a53785e6/attachment.pgp From shavital at mac.com Fri Feb 4 00:58:34 2005 From: shavital at mac.com (Charly Avital) Date: Fri Feb 4 00:54:47 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <20050203213821.GA12554@jabberwocky.com> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <050b2b6f51db0fa8e5d0a7c4fc5d6bce@mac.com> <20050203213821.GA12554@jabberwocky.com> Message-ID: <4202BAAA.8050702@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: | * New --rfc2440-text [...] | I'm not sure what didn't work here. What did you verify with PGP 8.1? I sent a self-test, PGP/MIME signed message from Thunderbird 1.0: - - verified with Mail.app and gpg 1.4.1 - good signature - - verified with Thunderbird 1.0 and gpg 1.4.1 - good signature - - verified with Eudora and PGP 8.1 - bad signature But now, an additional test, verified with Mail.app and PGP 8.1 - good signature. The only bad signature was with Eudora. Eudora has a problem with utf-8. This verification (with Eudora) is not, IMO, valid, and there is no problem with PGP 8.1's verification. [...] |>The wording is a bit confusing, *for me* that is: |>if the tag --import-unusable-sigs is on by default, how will that cause |>GnuPG *not* to import key signatures that are not usable? It would seem |>that it would cause GnuPG to import key signatures that are not usable. |>Ditto for export. Sorry if this sounds dense. | | | This was a typo. The options are *off* by default. Thanks for clarifying that. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (Darwin) Comment: GnuPG for Privacy Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCArql8SG5rMkbCF4RArWRAJ48NKn5dGUNliq6vcbH/Afaq7LqDQCfRZr0 bKhU3zdkRna87Txn145KqYI= =20JM -----END PGP SIGNATURE----- From freebsd at usol.com Fri Feb 4 01:50:35 2005 From: freebsd at usol.com (Eric Buchanan) Date: Fri Feb 4 01:47:03 2005 Subject: Multiple files In-Reply-To: <20050203175427.GA4175@psilocybe.teonanacatl.org> References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> <200502031542.QAA03539@vulcan.xs4all.nl> <20050203175427.GA4175@psilocybe.teonanacatl.org> Message-ID: <200502031650.40727.freebsd@usol.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just used tar and gpg to encrypt the file as shown earlier, and it decrypted fine, but when I went to untar it, I got this error: backup/temp/ backup/temp/misc/ backup/temp/misc/autprint.mrk tar: Skipping to next header tar: Archive contains obsolescent base-64 headers tar: Error exit delayed from previous errors This is version 1.4.0 on FreeBSD 4.11. It only decrypts the first tiny bit of the decrypted tar archive. It also repeated the exact same error messages when I ran "gpg -r root --encrypt-files -sta b.tar" and then after decrypting I run "tar xvf b.tar." My OpenBSD installation is hosed right now so I can't try repeating this on another platform. Any ideas? TIA, Eric Buchanan El Jue 03 Feb 2005 09:54 AM, Todd escribi?: > Johan Wevers wrote: > > Kevin Smith wrote: > >>Is there a way to encrypt multiple files at one time...say I want to > >>encrypt EVERY file in a folder called tobeencrypted...any easy way?? > > > > #!/bin/bash > > for i in *; do gpg -e -r myname $i; done > > Or, in 1.2.5 and above, use the multifile option: > > gpg --multifile --encrypt tobeencrypted/* > > That would get you an individually encrypted file for each file in the > directory. You might also want to just tar up the directory and then > encrypt that. > > tar -cf - dir/ | gpg -r 0x0123456 --encrypt -o dir.tar.gpg -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCAsbe//GaROrFlAkRAnEnAKDrEWzsmWM4RWYAYE4RKQOSUbDWaQCeIc+4 9Koqv5hDqBS4oJ/5w4Z9mIw= =yUmJ -----END PGP SIGNATURE----- From freebsd at usol.com Fri Feb 4 01:58:58 2005 From: freebsd at usol.com (Eric Buchanan) Date: Fri Feb 4 01:55:14 2005 Subject: Multiple files In-Reply-To: <200502031650.40727.freebsd@usol.com> References: <200502031342.j13DgIKj013182@ms-smtp-01-eri0.southeast.rr.com> <20050203175427.GA4175@psilocybe.teonanacatl.org> <200502031650.40727.freebsd@usol.com> Message-ID: <200502031659.00962.freebsd@usol.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I meant to say "untar" instead of "decrypts only a tiny bit of the archive." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCAsjU//GaROrFlAkRAiUhAJ9zflullHmo01ZiIZ4e250jssNdnwCg4ye1 vwFvl21WJYoExQ00OW8SAwg= =pjuC -----END PGP SIGNATURE----- From david69 at charter.net Fri Feb 4 08:17:46 2005 From: david69 at charter.net (David) Date: Fri Feb 4 10:03:03 2005 Subject: RSA subkeys In-Reply-To: <20050203162428.71861.qmail@smasher.org> References: <20050203094252.GA2406@charter.net> <20050203162428.71861.qmail@smasher.org> Message-ID: <20050204071746.GA3234@charter.net> On Thu, Feb 03, 2005 at 11:24:39AM -0500, Atom Smasher wrote: > > gpg 1.4 is better. no comment on RH9. I will upgrade to 1.4. > > why not update the expiration date on the subkeys, and keep them? if > they're not compromised there's no reason to throw them away. It may be a good practice if GPG/PGP can automatically consider them as valid since they are signed with the master key. > > RSA support is optional in rfc2440. i've been using an RSA only key for a > while with no problems, mostly with other gpg users. Can PGP 5+ handle this kind of key (master RSA + 2 RSA sub-keys)? Thanks for your help, David -- "In theory, there is no difference between theory and practice. But, in practice, there is." - Jan L.A. van de Snepscheut - From Holger.Sesterhenn at smgwtest.aachen.utimaco.de Fri Feb 4 09:49:38 2005 From: Holger.Sesterhenn at smgwtest.aachen.utimaco.de (Holger Sesterhenn) Date: Fri Feb 4 10:36:39 2005 Subject: capacity of keyring In-Reply-To: <420224E2.9070900@intertivity.com> References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com> Message-ID: <42033722.7030302@smgwtest.aachen.utimaco.de> Hi, > Do you know how many keys can you put into a keystore and > still be fast? > What happens when I put 10.000 keys in there? What about 100.000 keys? I have done some tests with dumps from a HKP keyserver (> 20MB of data, 25000 keys, SuSE Linux 9.x and own Linux distribution). GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X and 1.4.0 did the job but terribly slow. It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM, 40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM, SCSI with 64 MB Cache controller). It's because GnuPG has to scan the whole keyring again and again if you append keys to it. It's an exponential behaviour. GnuPG is still a client software not designed to handle such an amount of keys. But as Werner mentioned, this may change in future releases ;-). -- Best Regards, Holger Sesterhenn --- Internet http://www.utimaco.de From wk at gnupg.org Fri Feb 4 11:20:35 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 4 11:48:55 2005 Subject: RSA subkeys In-Reply-To: <20050204071746.GA3234@charter.net> (david69@charter.net's message of "Thu, 3 Feb 2005 23:17:46 -0800") References: <20050203094252.GA2406@charter.net> <20050203162428.71861.qmail@smasher.org> <20050204071746.GA3234@charter.net> Message-ID: <876518aaoc.fsf@wheatstone.g10code.de> On Thu, 3 Feb 2005 23:17:46 -0800, David said: > It may be a good practice if GPG/PGP can automatically consider them as valid > since they are signed with the master key. It does. > Can PGP 5+ handle this kind of key (master RSA + 2 RSA sub-keys)? Yes, unless you have sign-only subkeys where PGP gets it wrong. Werner From sk at intertivity.com Fri Feb 4 12:16:57 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 4 12:13:27 2005 Subject: capacity of keyring In-Reply-To: <42033722.7030302@smgwtest.aachen.utimaco.de> References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com> <42033722.7030302@smgwtest.aachen.utimaco.de> Message-ID: <420359A9.7020908@intertivity.com> When do you think that 1.9.x is going to be realeased? Or how "stable" is 1.9 right now? Holger Sesterhenn schrieb: > Hi, > >> Do you know how many keys can you put into a keystore and >> still be fast? >> What happens when I put 10.000 keys in there? What about 100.000 keys? > > > I have done some tests with dumps from a HKP keyserver (> 20MB of > data, 25000 keys, SuSE Linux 9.x and own Linux distribution). > GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X > and 1.4.0 did the job but terribly slow. > > It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM, > 40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM, > SCSI with 64 MB Cache controller). > > It's because GnuPG has to scan the whole keyring again and again if > you append keys to it. It's an exponential behaviour. > > GnuPG is still a client software not designed to handle such an amount > of keys. > > But as Werner mentioned, this may change in future releases ;-). From sk at intertivity.com Fri Feb 4 12:36:40 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 4 12:32:51 2005 Subject: capacity of keyring In-Reply-To: <42033722.7030302@smgwtest.aachen.utimaco.de> References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com> <42033722.7030302@smgwtest.aachen.utimaco.de> Message-ID: <42035E48.1090501@intertivity.com> Yes. It's pretty worse. gpg: Total number processed: 569 gpg: w/o user IDs: 3 gpg: imported: 434 (RSA: 36) gpg: unchanged: 132 the program is still running: Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time gpg 3836 8 1 24 230048 0:14:35.265 0:15:55.496 Hmm, thats pretty bad and i have to overthink my ideas! Holger Sesterhenn schrieb: > Hi, > >> Do you know how many keys can you put into a keystore and >> still be fast? >> What happens when I put 10.000 keys in there? What about 100.000 keys? > > > I have done some tests with dumps from a HKP keyserver (> 20MB of > data, 25000 keys, SuSE Linux 9.x and own Linux distribution). > GnuPG 1.2.3 crashed during import after about 2500 keys. GnuPG 1.3.9X > and 1.4.0 did the job but terribly slow. > > It took more than 6 hours to '--import' on a P-IV/2,4 MHz (512 MB RAM, > 40 GB ATA) and was only a bit faster on a dual P-IV/3 Mhz (2 GB RAM, > SCSI with 64 MB Cache controller). > > It's because GnuPG has to scan the whole keyring again and again if > you append keys to it. It's an exponential behaviour. > > GnuPG is still a client software not designed to handle such an amount > of keys. > > But as Werner mentioned, this may change in future releases ;-). From texmex at uni.de Fri Feb 4 13:44:10 2005 From: texmex at uni.de (Gregor Zattler) Date: Fri Feb 4 14:00:47 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <873bwdeavb.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <873bwdeavb.fsf@wheatstone.g10code.de> Message-ID: <20050204124410.GF21069@pit.ID-43118.user.dfncis.de> Hi Werner, * Werner Koch [03. Feb. 2005]: > On Thu, 3 Feb 2005 15:36:51 +0100, Gregor Zattler said: > > > I installed it on Win98se and got an alarm box saying: gpg.exe is > > linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. > > I feared that one. AFAIK you have to install at least Internet > Exploder 4.5 which updates the shell32.dll - or something like that. IE 5.00 is installed. But perhaps updating of the dll was not allowed, when this was installed!? shell32.dll is version 4.72.3612.1700 > I hope you don't really need it under Wine. Sure. I do not need it under Wine. > Let's see what happens on > native W98 > > > I did this under WINE and the output was half english half german. > > The Umlauts didn't show correct. This may be a problem of my WINE > > installation. > > The German tranlsation has not been updated. The Umlauts do work for > me on the console. On the Linux console? Yes, me too. Gregor From texmex at uni.de Fri Feb 4 13:35:23 2005 From: texmex at uni.de (Gregor Zattler) Date: Fri Feb 4 14:03:19 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <420254F1.8090506@intertivity.com> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <420254F1.8090506@intertivity.com> Message-ID: <20050204123523.GE21069@pit.ID-43118.user.dfncis.de> Hi Sascha, * Sascha Kiefer [03. Feb. 2005]: > Have you added %SystemRoot%\System and %SystemRoot%\System32 to your > environment path variable? No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND I set it to PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32 the Problem remained. Gregor > > HTH > > Gregor Zattler schrieb: > > >I installed it on Win98se and got an alarm box saying: gpg.exe is > >linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. > >(Message was shown in german, I translated it. For original see > >attached image). > > > > > > From ml at bitfalle.org Fri Feb 4 13:09:37 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 4 14:06:31 2005 Subject: Any LiveCD with GnuPG 1.4? In-Reply-To: <42028CB1.4050509@natzo.com> References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com> Message-ID: <20050204120937.GA3272@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dany Nativel wrote: > >I've been looking around for any LiveCD, LiveFloppy, LiveUSB... you > >name it that would have GnuPG 1.4. just build your own. runt is a good starting point if you ask me :-) - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCA2YBLMyTO8Kj/uQRAj21AJ0XcyEUGi8O2Y1blTXt00P70ZIcJgCfdlfS jv875sFTOOgsz/hMEmqTqs0= =U6lL -----END PGP SIGNATURE----- From LTottman at careline-services.co.uk Fri Feb 4 14:07:51 2005 From: LTottman at careline-services.co.uk (LTottman@careline-services.co.uk) Date: Fri Feb 4 14:57:44 2005 Subject: GPG question Message-ID: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3> We have a file that needs encrypting on a daily basis. The filename changes from day to day, is gpg able to give the encrypted file the same name it had before it was encrypted without specifying it in the command line. Can the encrypted filename be generated automatically? Any helps would be appreciated L DISCLAIMER: This e-mail contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail. From sk at intertivity.com Fri Feb 4 16:27:56 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 4 16:24:07 2005 Subject: release candidate for 1.4.1 available In-Reply-To: <20050204123523.GE21069@pit.ID-43118.user.dfncis.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <420254F1.8090506@intertivity.com> <20050204123523.GE21069@pit.ID-43118.user.dfncis.de> Message-ID: <4203947C.7060307@intertivity.com> :) %SystemRoot% = c:\Windows => PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM32 and the restart will always help! Gregor Zattler schrieb: >Hi Sascha, >* Sascha Kiefer [03. Feb. 2005]: > > >>Have you added %SystemRoot%\System and %SystemRoot%\System32 to your >>environment path variable? >> >> > >No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND >I set it to >PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32 > >the Problem remained. > >Gregor > > > > >>HTH >> >>Gregor Zattler schrieb: >> >> >> >>>I installed it on Win98se and got an alarm box saying: gpg.exe is >>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. >>>(Message was shown in german, I translated it. For original see >>>attached image). >>> >>> >>> >>> >> >> > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From thfrdue at gmx.de Fri Feb 4 17:08:27 2005 From: thfrdue at gmx.de (=?ISO-8859-1?Q?=22Thomas_F=2E_D=FCllmann=22?=) Date: Fri Feb 4 17:05:12 2005 Subject: "Malformed User ID" In-Reply-To: <20050203223039.19885.qmail@smasher.org> References: <420231EE.20302@gmx.de> <20050203222529.17200.qmail@smasher.org> <20050203223039.19885.qmail@smasher.org> Message-ID: <42039DFB.4090301@gmx.de> Hi, I did as Atom Smasher told me, but it's still the same error Message ("malformed user id"). I also tried to create a new key and crypt with it, but the same message again. I don't know what else to describe. Greetz Thomas Email: thfrdue@gmx.de Atom Smasher schrieb: > i meant: > gpg -er test@example.com file > or > gpg -er 0x12345678 file > -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005 From dshaw at jabberwocky.com Fri Feb 4 15:19:31 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 4 17:12:53 2005 Subject: GPG question In-Reply-To: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3> References: <7020AE3619B4D411AF6B00D0B744271603B9959A@CS-NT3> Message-ID: <20050204141931.GA22324@jabberwocky.com> On Fri, Feb 04, 2005 at 01:07:51PM -0000, LTottman@careline-services.co.uk wrote: > We have a file that needs encrypting on a daily basis. The filename changes > from day to day, is gpg able to give the encrypted file the same name it had > before it was encrypted without specifying it in the command line. Can the > encrypted filename be generated automatically? GnuPG automatically includes the original filename inside the encrypted file. Include the --use-embedded-filename option when decrypting to use this name when decrypting. David From texmex at uni.de Fri Feb 4 17:47:56 2005 From: texmex at uni.de (Gregor Zattler) Date: Fri Feb 4 17:44:48 2005 Subject: it's not a PATH problem (was: Re: release candidate for 1.4.1 available) In-Reply-To: <4203947C.7060307@intertivity.com> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> <420254F1.8090506@intertivity.com> <20050204123523.GE21069@pit.ID-43118.user.dfncis.de> <4203947C.7060307@intertivity.com> Message-ID: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> Hi Sascha, * Sascha Kiefer [04. Feb. 2005]: > :) > > %SystemRoot% = c:\Windows > => PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM32 > > and the restart will always help! ah, I see my typo. Did as you wrote (cut 'n paste in autoexec.lbat, reebot, tested %PATH%, cd to C:\Programme\GNU\GnuPG, "gpg --help" --> said error message) but didn't help. Gregor > > > Gregor Zattler schrieb: > > >Hi Sascha, > >* Sascha Kiefer [03. Feb. 2005]: > > > > > >>Have you added %SystemRoot%\System and %SystemRoot%\System32 to your > >>environment path variable? > >> > >> > > > >No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND > >I set it to > >PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32 > > > >the Problem remained. > > > >Gregor > > > > > > > > > >>HTH > >> > >>Gregor Zattler schrieb: > >> > >> > >> > >>>I installed it on Win98se and got an alarm box saying: gpg.exe is > >>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. > >>>(Message was shown in german, I translated it. For original see > >>>attached image). > >>> > >>> > >>> > >>> > >> > >> > > > > From sk at intertivity.com Fri Feb 4 17:07:05 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 4 18:26:19 2005 Subject: Signing a Key Message-ID: <42039DA9.8020306@intertivity.com> Hi, when i used to sign a key using 1.2.4 i was asked how good i know the person which partly reflected "Signature Types" of RFC2440,5 . But know (1.4.0a) i won't be asked anymore and the signature type is always 0x10 Best thanks esskar From atom at smasher.org Fri Feb 4 19:17:32 2005 From: atom at smasher.org (Atom Smasher) Date: Fri Feb 4 19:13:39 2005 Subject: Signing a Key In-Reply-To: <42039DA9.8020306@intertivity.com> References: <42039DA9.8020306@intertivity.com> Message-ID: <20050204181714.71249.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 4 Feb 2005, Sascha Kiefer wrote: > Hi, when i used to sign a key using 1.2.4 i was asked how good i know > the person which partly reflected "Signature Types" of RFC2440,5 . But > know (1.4.0a) i won't be asked anymore and the signature type is always > 0x10 ================== --ask-cert-level --no-ask-cert-level When making a key signature, prompt for a certification level. If this option is not specified, the certification level used is set via --default-cert-level. See --default-cert-level for information on the specific levels and how they are used. --no-ask-cert-level disables this option. This option defaults to no. this used to default to yes. now you have to specify it explicitly. also check out "--default-cert-level". i have both in my config. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Not a single war has been fought by vegetarians." -- Akbarali Jetha -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCA7xCAAoJEAx/d+cTpVcil+gIAL/gJc73lr3fkZRi7MG19CL2 Sv4gj9t0MrnqabHupO4dU0leyu05ontF7hx/cnt/nanNyDRj57MLfYmavFO3I4+G 0zZ3YGaHCrs9Q4NgPid415GZlQ2gtLjwT7ibGtOkUxFalON3wEt/GT8e69WkANwF 2cEqK015EGBivLLRNBWxwi6DVHa/KdaI9tGnBspCYMSaMB44ECDDXlqjnVt4IXrI 9h/meMkgxM8jg2qxio4hmVAdRzBnuITauGiTrLqPN1xyagwBwNh3iGt5ifdov5au 7zlw8TxqsuQzRHRhGpUgy+ulfhfNdA/vogk212DjzLLG1U8MS07ov8xOE3hNkWU= =NpHg -----END PGP SIGNATURE----- From ml at bitfalle.org Fri Feb 4 19:29:04 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 4 19:26:14 2005 Subject: Signing a Key In-Reply-To: <42039DA9.8020306@intertivity.com> References: <42039DA9.8020306@intertivity.com> Message-ID: <20050204182904.GA3110@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sascha Kiefer wrote: > when i used to sign a key using 1.2.4 i was asked how good i know the > person which partly reflected "Signature Types" of RFC2440,5 . > But know (1.4.0a) i won't be asked anymore and the signature type is > always 0x10 i noticed that, too. by adding *-cert-level options to config file it works as before again. - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCA77vLMyTO8Kj/uQRAijcAJ92y4coSNOuhsZwWs6vi1FFICpKkwCaA6LF i72TJ4mBFwGIaSE9ZjC9jFM= =CbBE -----END PGP SIGNATURE----- From ml at bitfalle.org Fri Feb 4 19:31:43 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 4 19:28:39 2005 Subject: Signing a Key In-Reply-To: <20050204181714.71249.qmail@smasher.org> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> Message-ID: <20050204183143.GB3110@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Atom Smasher wrote: > this used to default to yes. now you have to specify it explicitly. also > check out "--default-cert-level". i have both in my config. newbies will stumble upon this... just curious, any idea why this was changed? i really don't see why it was necessary. - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCA7+PLMyTO8Kj/uQRAgcRAJ9/FQKraryLD72xZlpPSjr5v2prywCeLf+p m+3/dPfZio3sq/iDK+UPy8k= =ymmQ -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Fri Feb 4 19:39:05 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 4 19:35:57 2005 Subject: Signing a Key In-Reply-To: <20050204183143.GB3110@dantooine> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> Message-ID: <20050204183905.GC22572@jabberwocky.com> On Fri, Feb 04, 2005 at 07:31:43PM +0100, markus reichelt wrote: > Atom Smasher wrote: > > this used to default to yes. now you have to specify it explicitly. also > > check out "--default-cert-level". i have both in my config. > > newbies will stumble upon this... just curious, any idea why this was > changed? i really don't see why it was necessary. Some people decided that since a level 1 "I didn't check at all" signature type was available, that it was a Real Good Idea to sign every single key they saw. Also, it's one more thing to have to explain to newbies. If they don't see the question, they don't have to ask. David From atom at smasher.org Fri Feb 4 19:44:01 2005 From: atom at smasher.org (Atom Smasher) Date: Fri Feb 4 19:39:49 2005 Subject: Signing a Key In-Reply-To: <20050204183143.GB3110@dantooine> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> Message-ID: <20050204184342.89686.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 4 Feb 2005, markus reichelt wrote: > Atom Smasher wrote: >> this used to default to yes. now you have to specify it explicitly. >> also check out "--default-cert-level". i have both in my config. > > newbies will stumble upon this... just curious, any idea why this was > changed? i really don't see why it was necessary. ====================== i think too many noobs were being confused by the prompt. the theory now seems to be that if you know about levels, you'll figure out how to sign with a desired level. for everyone else, it defaults to 0x10. IFIAK, PGP(tm) is still only capable of issuing 0x10 key signatures. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The idea that Bill Gates has appeared like a knight in shining armor to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he, who by peddling second-rate technology, led them into it in the first place." -- Douglas Adams -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCA8J3AAoJEAx/d+cTpVci24IH/0Z+bNiR0o0dru+BoYmfaiQ5 ZOHML7ZjjUDBITe/Yiioml2+zjYDdhtQOWRygOZ1vVKXsbqK+oG5RGbaztUeS63g OlVUQeIe2LBW9YIHLIzH0Htxd6C56i0D2EN7/EGCsZv+ELE2kVK/9XuKAckssgCl kuLHVoxvL8pFM1UVfOT4CzAXxMF3666BdmBAVb9y+CSsTb155R0V9znDWRfPhhGY WdXcFw2G8u44sIO7hQKt7sjksa8p9bC2D9K1MrmYuGTXR3wAF7tZ5f2o4heSOmt3 mWVWZDbk4HfPg9w+Xs65swMC7jPsSSknn4fYm/sw0qEhlHsK0T4Znvtp+PeHP6U= =5KCE -----END PGP SIGNATURE----- From deleemo at yahoo.com Fri Feb 4 19:43:43 2005 From: deleemo at yahoo.com (David Lee) Date: Fri Feb 4 20:40:28 2005 Subject: PGP 7.1 Decryption failed bad key Message-ID: <20050204184343.29252.qmail@web52301.mail.yahoo.com> Created new key pair in 1.4. Exported the public key to pgp 7.1. It now works. pubkey enc packet: version 3, algo 16, data: [2048 bits] data: [2048 bits] Why does pgp 7.1 not work with the old public key? Looking for help with additional directions to solve this problem. Using gnupg 1.4. exported keys from old keyring imported into 1.4 keyring. Old version 1.0.3 looked on gnupg-users for anything related, did not find any particular solution. I have other customers that use pgp that I am not having a problem with even with 1.0.3 Is it possible that the character set is an issue. My software is running under hpux11. Any ideas would be greatly appreciated. The other party also indicated that they encrypt files that are used by their customers running gunpg. Don't particularly want to create a new secret and public key for these guys but will if that is the solution. 311 /transapps/adi/gpg> gpg -v -v -v --decrypt Testfile.pgp gpg: using character set `utf-8' gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: armor: BEGIN PGP MESSAGE gpg: armor header: Version: PGP 7.1 :marker packet: 50 47 50 :pubkey enc packet: version 3, algo 16, keyid XXXXXXXXXXXXX data: [1024 bits] data: [1024 bits] gpg: public key is XXXXXXX gpg: using secondary key XXXXXXX instead of primary key XXXXXXX You need a passphrase to unlock the secret key for user: "ediup101 (Transentric Public Key for GTE) " gpg: using secondary key XXXXXXX instead of primary key XXXXXXX 1024-bit ELG-E key, ID XXXXXXX, created 2000-10-16 (main key ID XXXXXXX) gpg: public key encrypted data: good DEK :encrypted data packet: length: 632 gpg: encrypted with 1024-bit ELG-E key, ID XXXXXXX, created 2000-10-16 "ediup101 (Transentric Public Key for GTE) " gpg: TWOFISH encrypted data gpg: decryption failed: bad key __________________________________ Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. http://info.mail.yahoo.com/mail_250 From jharris at widomaker.com Fri Feb 4 20:57:08 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Feb 4 20:53:31 2005 Subject: Signing a Key In-Reply-To: <20050204183905.GC22572@jabberwocky.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> Message-ID: <20050204195707.GC3466@wilma.widomaker.com> On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote: > Some people decided that since a level 1 "I didn't check at all" > signature type was available, that it was a Real Good Idea to sign > every single key they saw. In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.) sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs. 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592 such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance) issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127. Only two individuals issued more 0x11 sigs than my 40. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050204/2657d475/attachment.pgp From dshaw at jabberwocky.com Fri Feb 4 21:48:31 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 4 21:45:19 2005 Subject: Signing a Key In-Reply-To: <20050204195707.GC3466@wilma.widomaker.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> Message-ID: <20050204204831.GD22572@jabberwocky.com> On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote: > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote: > > > Some people decided that since a level 1 "I didn't check at all" > > signature type was available, that it was a Real Good Idea to sign > > every single key they saw. > > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.) > sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs. > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592 > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance) > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127. > Only two individuals issued more 0x11 sigs than my 40. I'm afraid I don't see the point you're trying to make. David From mconahan at iotest.org Fri Feb 4 22:38:17 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Fri Feb 4 22:34:32 2005 Subject: Creating a RFC3156 compliant encrypted message with Gnu PG Message-ID: <4203EB49.20604@iotest.org> Does anyone know how to create a RFC 3156 compliant PGP encrypted message with Gnu PG? I am building an app that is making use of the Gnu PG functionality, and I am having some trouble getting other PGP apps (said to be 3156 compliant) to accept it. I have read both RFC 3156 and 2015, and I seem to be missing something, since it isn't working. Does anyone know of tutorial site, or has a script that creates a RFC 3156 compliant message? Any help would be appreciated. From sk at intertivity.com Fri Feb 4 23:01:36 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Fri Feb 4 22:57:41 2005 Subject: Creating a RFC3156 compliant encrypted message with Gnu PG In-Reply-To: <4203EB49.20604@iotest.org> Message-ID: <000e01c50b05$19144cf0$f300a8c0@HOME> Well, you have to build the MIME structure yourself. As far as i know GnuPG does not know about MIME in particular. Have fun. esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of > mconahan@iotest.org > Sent: Freitag, 4. Februar 2005 22:38 > To: gnupg-users@gnupg.org > Subject: Creating a RFC3156 compliant encrypted message with Gnu PG > > > Does anyone know how to create a RFC 3156 compliant PGP encrypted > message with Gnu PG? I am building an app that is making use > of the Gnu > PG functionality, and I am having some trouble getting other PGP apps > (said to be 3156 compliant) to accept it. I have read both > RFC 3156 and > 2015, and I seem to be missing something, since it isn't working. > > Does anyone know of tutorial site, or has a script that creates a RFC > 3156 compliant message? Any help would be appreciated. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From JPClizbe at comcast.net Fri Feb 4 23:09:46 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Feb 4 23:06:27 2005 Subject: Creating a RFC3156 compliant encrypted message with Gnu PG In-Reply-To: <4203EB49.20604@iotest.org> References: <4203EB49.20604@iotest.org> Message-ID: <4203F2AA.2030909@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mconahan@iotest.org wrote: > Does anyone know how to create a RFC 3156 compliant PGP encrypted > message with Gnu PG? I am building an app that is making use of the Gnu > PG functionality, and I am having some trouble getting other PGP apps > (said to be 3156 compliant) to accept it. I have read both RFC 3156 and > 2015, and I seem to be missing something, since it isn't working. > > Does anyone know of tutorial site, or has a script that creates a RFC > 3156 compliant message? Any help would be appreciated. Check the source code for Enigmail or Mutt. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org GingerBear Consluting PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCA/KqHQSsSmCNKhARAgl6AJ9dLvtPYylG6TYZUrNtG4sBa7G8DACfVys1 ApG+APz5W7ZYy08NX/nHjwY= =v595 -----END PGP SIGNATURE----- From jharris at widomaker.com Sat Feb 5 00:51:31 2005 From: jharris at widomaker.com (Jason Harris) Date: Sat Feb 5 00:47:53 2005 Subject: Signing a Key In-Reply-To: <20050204204831.GD22572@jabberwocky.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> <20050204204831.GD22572@jabberwocky.com> Message-ID: <20050204235131.GD3466@wilma.widomaker.com> On Fri, Feb 04, 2005 at 03:48:31PM -0500, David Shaw wrote: > On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote: > > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote: > > > Some people decided that since a level 1 "I didn't check at all" > > > signature type was available, that it was a Real Good Idea to sign > > > every single key they saw. > > > > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.) > > sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only > > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs. > > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592 > > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance) > > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127. > > Only two individuals issued more 0x11 sigs than my 40. > > I'm afraid I don't see the point you're trying to make. Looking at the stats, the number of people issuing 0x11 signatures doesn't seem worrisome, and having issued 40 such sigs myself, there are only two individuals I'd question about issuing even more (specifically, 69 and 52) 0x11 signatures. Furthermore, since the RFC allows one to explicitly assert (quoting draft-ietf-openpgp-rfc2440bis-12.txt): 0x11: Persona certification of a User ID and Public Key packet. The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified. rather than always just: 0x10: Generic certification of a User ID and Public Key packet. The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID. Note that all PGP "key signatures" are this type of certification. I feel everyone should be given the opportunity to do so. Per the RFC, 0x11 sigs don't even require email verification, so I see no harm in allowing one to state "I checked nothing" v. "I won't tell you what I did and/or didn't check." Even requiring a policy URL or other explanation/justification for each signature won't allow us to determine the _highly subjective_ nature of one's signature levels in any automated way, by definition in the RFC: Please note that the vagueness of these certification claims is not a flaw, but a feature of the system. Because PGP places final authority for validity upon the receiver of a certification, it may be that one authority's casual certification might be more rigorous than some other authority's positive certification. These classifications allow a certification authority to issue fine-grained claims. so we may as well resign ourselves to this fact. (Thus, GPG's --min-cert-level probably needs to be settable per signer - after reviewing the signer's policies - to account for these differences.) -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050204/ea4e2bf1/attachment.pgp From dshaw at jabberwocky.com Sat Feb 5 02:46:05 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 5 02:43:08 2005 Subject: Signing a Key In-Reply-To: <20050204235131.GD3466@wilma.widomaker.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> <20050204204831.GD22572@jabberwocky.com> <20050204235131.GD3466@wilma.widomaker.com> Message-ID: <20050205014605.GA23212@jabberwocky.com> On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote: > On Fri, Feb 04, 2005 at 03:48:31PM -0500, David Shaw wrote: > > On Fri, Feb 04, 2005 at 02:57:08PM -0500, Jason Harris wrote: > > > On Fri, Feb 04, 2005 at 01:39:05PM -0500, David Shaw wrote: > > > > > Some people decided that since a level 1 "I didn't check at all" > > > > signature type was available, that it was a Real Good Idea to sign > > > > every single key they saw. > > > > > > In the 2005-01-23 keyanalyze keydump, there are 2896 0x11 (userid cert.) > > > sigs. from 589 issuers (unique long keyids). 296 issuers (50%) only > > > issued one 0x11 sig. and 560 (95%) issued less than ten 0x11 sigs. > > > 0x10581685C521097E (Kyle's RobotCA instance) is responsible for 592 > > > such sigs, or 20%, 0x6EA7FB4DE0BB4BCD (telering.at's RobotCA instance) > > > issued 217, or 7.5%, and 0x25360A719C851DF1 (ImperialViolet) issued 127. > > > Only two individuals issued more 0x11 sigs than my 40. > > > > I'm afraid I don't see the point you're trying to make. > > Looking at the stats, the number of people issuing 0x11 signatures > doesn't seem worrisome, and having issued 40 such sigs myself, there > are only two individuals I'd question about issuing even more > (specifically, 69 and 52) 0x11 signatures. > > Furthermore, since the RFC allows one to explicitly assert (quoting > draft-ietf-openpgp-rfc2440bis-12.txt): [ snip RFC quoting ] > I feel everyone should be given the opportunity to do so. Per the RFC, > 0x11 sigs don't even require email verification, so I see no harm in > allowing one to state "I checked nothing" v. "I won't tell you what I > did and/or didn't check." Even requiring a policy URL or other > explanation/justification for each signature won't allow us to determine > the _highly subjective_ nature of one's signature levels in any automated > way, by definition in the RFC: [ snip more RFC quoting ] > so we may as well resign ourselves to this fact. Facts are interesting things. The RFC doesn't specify a trust model anywhere. Thus, all programs accept a 0x11 (or 0x10, 0x12 or 0x13) signature... but treat them all the same. Perfectly compliant to the RFC. 0x11 signatures are also interesting things. When made by people (as opposed to robots) they are in effect someone making a public statement to say "Hey, look, I made a lousy signature". I can't imagine why someone would choose to advertise far and wide how terrible their signing policy is, but GnuPG allows people to do stupid things if they really want to. GnuPG will quite happily make 0x11 signatures. It just doesn't do so by default. Those people who want to make typed signatures can set --ask-cert-level and then everyone is happy. Similarly, by default GnuPG ignores 0x11 signatures. Like issuing them, this doesn't stop anyone from accepting 0x11 signatures. Any user who cares to can opt-in via "--min-cert-level 1" and accept any signatures they like. Given that the whole point of an 0x11 signature is to say "I didn't check AT ALL", ignoring them by default is safer than accepting them. To put this another way, the RFC allows a sender to send foolish things. It does not require the recipient to accept them. > (Thus, GPG's --min-cert-level probably needs to be settable per signer - > after reviewing the signer's policies - to account for these differences.) Your own statistics argue against this. 589 people in the entire OpenPGP world actually issued 0x11 signatures. Just 293 people issued more than one. Given the number of people using OpenPGP, 293 people is a rounding error. That's not worth having a whole new trust model for, especially given the serious security ramifications of 0x11 signatures, be vastly more confusing to new users, and be incompatible with PGP to boot. David From devegades at gmail.com Sat Feb 5 09:26:41 2005 From: devegades at gmail.com (Toni) Date: Sat Feb 5 10:22:57 2005 Subject: Howto multiple mail accts. Message-ID: <9d7e2bf905020500264adbfe92@mail.gmail.com> Hi, I'm new to gpg and have some doubts I could not google. Please direct me to a FAQ / HOWTO / etc if such document exists: I have several mail accounts, some personal, some for work, etc. I have seen three possibilities to deal with this: - Add multiple UIDs to my main key - Have multiple signing subkeys - Have secondary "complete" keys signed by my main key. I've been reading the pros/cons of each aproach and can't make up my mind to what is the best approach. Right now I thinnk the best would be to have a main key, with no e-mail at all and use this to sign other keys, one for each mail account. What do you think? Thanks for answers, Toni From sk at intertivity.com Sat Feb 5 12:10:37 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Sat Feb 5 12:07:07 2005 Subject: it's not a PATH problem (was: Re: release candidate for 1.4.1available) In-Reply-To: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> Message-ID: <000401c50b73$524f4b00$f300a8c0@HOME> Hi. Installing http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1- a5d6-dbfa18d37e0f&DisplayLang=en may be helps. esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler > Sent: Freitag, 4. Februar 2005 17:48 > To: gnupg-users > Subject: it's not a PATH problem (was: Re: release candidate > for 1.4.1available) > > > Hi Sascha, > * Sascha Kiefer [04. Feb. 2005]: > > :) > > > > %SystemRoot% = c:\Windows > > => > > > PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\SYSTEM;C:\WINDOWS\SYSTEM > > 32 > > > > and the restart will always help! > > ah, I see my typo. Did as you wrote (cut 'n paste in > autoexec.lbat, reebot, tested %PATH%, cd to > C:\Programme\GNU\GnuPG, "gpg --help" > --> said error message) but didn't help. > > Gregor > > > > > > > > Gregor Zattler schrieb: > > > > >Hi Sascha, > > >* Sascha Kiefer [03. Feb. 2005]: > > > > > > > > >>Have you added %SystemRoot%\System and > %SystemRoot%\System32 to your > > >>environment path variable? > > >> > > >> > > > > > >No, PATH was: PATH=C:\WINDOWS;C:\WINDOWS\COMMAND > > >I set it to > PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\SYSTEM;C:\SYSTEM32 > > > > > >the Problem remained. > > > > > >Gregor > > > > > > > > > > > > > > >>HTH > > >> > > >>Gregor Zattler schrieb: > > >> > > >> > > >> > > >>>I installed it on Win98se and got an alarm box saying: > gpg.exe is > > >>>linked to the not available Export-SHELL32.DLL:SHGetFolderPathA. > > >>>(Message was shown in german, I translated it. For original see > > >>>attached image). > > >>> > > >>> > > >>> > > >>> > > >> > > >> > > > > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From thfrdue at gmx.de Sat Feb 5 16:31:20 2005 From: thfrdue at gmx.de (=?ISO-8859-15?Q?=22Thomas_F=2E_D=FCllmann=22?=) Date: Sat Feb 5 16:27:19 2005 Subject: "Malformed user id" Message-ID: <4204E6C8.7090907@gmx.de> Hi, |You wrote: | |>>everytime I want to encrypt any file/text following error message is |>>displayed: |>> |>>"malformed user id" | | |and Werner replied: | |>You used an empty string for a user ID (recipient or signer), |>it does not match the syntax for a keyid or similar. | | |Amen to you not providing the actual (even if you obfuscate |the User ID stuff). For example, if I do a "gpg --list-keys" |I get the following two entries: | |pub 1024D/83E13389 1999-09-18 CeTro |sub 2048g/B0759308 1999-09-18 | |I can encrypt a file named "Crypt.txt" with the following |command for "CeTro" with any of the following commands (one |good example is priceless): | |gpg -a --encrypt -r CeTro < Crypt.txt > Crypt.txt.asc |# or |gpg -a --encrypt -r 83E13389 < Crypt.txt > Crypt.txt.asc |# or |gpg -a --encrypt -r troutman@mesh.net < Crypt.txt > Crypt.txt.asc | I tried to encrypt it, but it just created a file named Crypt.txt.asc , but then the same error message occured ("Malformed user id"). |The -a option (armour) is necessary to send the email to somebody |else, since it makes the output in printable ASCII characters. |Don't worry about all of the above three files being different. |Each time you call GPG, you end up with different encryption |because the random_seed keeps changing. | |If this doesn't clear it up for you, let me know, but I suspect |it will make EVERYTHING clear. It's clear to me how it works, but it doesn't as i want. I always get this errormessage. Please help, don't know what to do now Greetz duelle Email: thfrdue@gmx.de -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005 From david69 at charter.net Sat Feb 5 19:05:10 2005 From: david69 at charter.net (David) Date: Sat Feb 5 19:02:29 2005 Subject: RSA subkeys Message-ID: <20050205180510.GA3229@charter.net> Thank you atom, Werner and Johan. I will create a RSA 2048 (sign only) key with RSA 4096 (encrypt) subkey. I understand that most recent PGP and all recent GPG can handle it. David From jharris at widomaker.com Sat Feb 5 18:28:34 2005 From: jharris at widomaker.com (Jason Harris) Date: Sat Feb 5 19:15:08 2005 Subject: Signing a Key In-Reply-To: <20050205014605.GA23212@jabberwocky.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> <20050204204831.GD22572@jabberwocky.com> <20050204235131.GD3466@wilma.widomaker.com> <20050205014605.GA23212@jabberwocky.com> Message-ID: <20050205172833.GE3466@wilma.widomaker.com> On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote: > On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote: > 0x11 signatures are also interesting things. When made by people (as > opposed to robots) they are in effect someone making a public > statement to say "Hey, look, I made a lousy signature". I can't > imagine why someone would choose to advertise far and wide how > terrible their signing policy is, but GnuPG allows people to do stupid > things if they really want to. You (continue to) assume _all_ humans who issue 0x11 signatures do so without employing encrypted challenges? > > (Thus, GPG's --min-cert-level probably needs to be settable per signer - > > after reviewing the signer's policies - to account for these differences.) > > Your own statistics argue against this. 589 people in the entire > OpenPGP world actually issued 0x11 signatures. Just 293 people issued > more than one. Given the number of people using OpenPGP, 293 people > is a rounding error. That's not worth having a whole new trust model > for, especially given the serious security ramifications of 0x11 > signatures, be vastly more confusing to new users, and be incompatible > with PGP to boot. Even ignoring 0x11 signatures, a 0x12 signature from a given issuer implies less trust (due to less checking) than a 0x13 signature from the same issuer. What is the point in (any OpenPGP program) throwing this extra data away (by ignoring it in trust calculations)? -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050205/446236a6/attachment.pgp From npcole at yahoo.co.uk Sat Feb 5 18:39:41 2005 From: npcole at yahoo.co.uk (Nicholas Cole) Date: Sat Feb 5 19:36:21 2005 Subject: Signing a Key In-Reply-To: <20050205014605.GA23212@jabberwocky.com> Message-ID: <20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com> --- David Shaw wrote: [snip] > Similarly, by default GnuPG ignores 0x11 signatures. > Like issuing them, this doesn't stopanyone from > accepting 0x11 signatures. Any user who cares to can > opt-in via "--min-cert-level 1" and accept any > signatures they like. Given that the whole point of > an 0x11 signature is to say "I didn't check AT ALL", > ignoring them by default is safer than accepting them. [snip] Dear David, Without wishing to question any of the defaults, which I think make perfect sense, could I just point out that the man page does not make it clear that level 0 signatures are ALWAYS accepted, regardless of the min-cert-level? As I read it at the moment, it seems to suggest that by default level 0 and level 1 signatures are both ignored, which I'm sure is not the case. Best, N. ___________________________________________________________ ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com From dshaw at jabberwocky.com Sat Feb 5 20:23:53 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 5 20:20:48 2005 Subject: Signing a Key In-Reply-To: <20050205172833.GE3466@wilma.widomaker.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> <20050204204831.GD22572@jabberwocky.com> <20050204235131.GD3466@wilma.widomaker.com> <20050205014605.GA23212@jabberwocky.com> <20050205172833.GE3466@wilma.widomaker.com> Message-ID: <20050205192353.GA4263@jabberwocky.com> On Sat, Feb 05, 2005 at 12:28:34PM -0500, Jason Harris wrote: > On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote: > > On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote: > > > 0x11 signatures are also interesting things. When made by people (as > > opposed to robots) they are in effect someone making a public > > statement to say "Hey, look, I made a lousy signature". I can't > > imagine why someone would choose to advertise far and wide how > > terrible their signing policy is, but GnuPG allows people to do stupid > > things if they really want to. > > You (continue to) assume _all_ humans who issue 0x11 signatures do so > without employing encrypted challenges? Sigh. As I keep saying: if you want to issue 0x11 signatures, go ahead. Nobody is stopping you. If you want to accept 0x11 signatures, go ahead. Nobody is stopping you. Where's the problem? You don't like the defaults? Change them. > Even ignoring 0x11 signatures, a 0x12 signature from a given issuer > implies less trust (due to less checking) than a 0x13 signature from > the same issuer. What is the point in (any OpenPGP program) throwing > this extra data away (by ignoring it in trust calculations)? If a user only wants to accept 0x13 signatures, that is their decision to make, via --min-cert-level 3. The default behavior in GnuPG is to accept both 0x12 and 0x13 (and 0x10, of course). David From atom at smasher.org Sat Feb 5 20:31:23 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Feb 5 20:27:24 2005 Subject: Signing a Key In-Reply-To: <20050205172833.GE3466@wilma.widomaker.com> References: <42039DA9.8020306@intertivity.com> <20050204181714.71249.qmail@smasher.org> <20050204183143.GB3110@dantooine> <20050204183905.GC22572@jabberwocky.com> <20050204195707.GC3466@wilma.widomaker.com> <20050204204831.GD22572@jabberwocky.com> <20050204235131.GD3466@wilma.widomaker.com> <20050205014605.GA23212@jabberwocky.com> <20050205172833.GE3466@wilma.widomaker.com> Message-ID: <20050205193112.3303.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 5 Feb 2005, Jason Harris wrote: > Even ignoring 0x11 signatures, a 0x12 signature from a given issuer > implies less trust (due to less checking) than a 0x13 signature from the > same issuer. What is the point in (any OpenPGP program) throwing this > extra data away (by ignoring it in trust calculations)? ===================== i don't know about anyone else, but i reserve 0x13 sigs for people i *know*, usually for some length of time. if i meet someone at a keysigning party and they show me some identification with a picture that looks like them, that earns a 0x12 from me. i have no idea who they *really* are, but they have gone through the trouble of showing me some identification that looks like them. OTOH if my brother, or someone who i've known personally for a several years wants me to sign their key, they're more likely to _earn_ a 0x13 sig from me. to me, that fits the definition of "casual" and "extensive" verification. if i board a plane and they look at my identification, i wouldn't call that an "extensive" check. of course, the system does encourage people to do what makes sense for them. there isn't necessarily a wrong way to issue sigs... as long as there's a defensible reasoning for it, everyone can choose for them self how to define "casual" and "extensive". - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "A good many observers have remarked that if equality could come at once the Negro would not be ready for it. I submit that the white American is even more unprepared." -- Martin Luther King, Jr. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCBR8WAAoJEAx/d+cTpVciK2YH/2cByYzBVMZTK42Jl6vtk8gf wl4PqGSsKOCkoce83YKz+kVZrJjR9gbAZwZ9QYAi4SIKSNcewswhk11FIw2ag5d5 itkOYDVNM2ec4L+VhyL/FPsn93kqbrhY0smKM9R2AnBaiNcvnGp44Mkyg+gZs+bd QOr7Xzsf2w4s+aj239qtuVIbQ86QIhSXpq8fFp7m3TnOSFUzhdtXqsJhDk0efCJ7 K8IrOl4RclPj47BrcalotKgsZbgt2lhjXQQstSD+5i6d1fSGBZ/NoLCqgWo8IhiQ iACNoPBE7UmAWurdMEp+7J1kT2cj1lowNu06WFrWTBw3MG/PxPNdOOf/cm6OJEU= =RDYU -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Feb 5 20:38:18 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 5 20:35:01 2005 Subject: Signing a Key In-Reply-To: <20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com> References: <20050205014605.GA23212@jabberwocky.com> <20050205173941.57245.qmail@web25408.mail.ukl.yahoo.com> Message-ID: <20050205193818.GB4263@jabberwocky.com> On Sat, Feb 05, 2005 at 05:39:41PM +0000, Nicholas Cole wrote: > --- David Shaw wrote: > > [snip] > > > Similarly, by default GnuPG ignores 0x11 signatures. > > Like issuing them, this doesn't stopanyone from > > accepting 0x11 signatures. Any user who cares to > can > > opt-in via "--min-cert-level 1" and accept any > > signatures they like. Given that the whole point of > > an 0x11 signature is to say "I didn't check AT ALL", > > ignoring them by default is safer than accepting > them. > > [snip] > > Dear David, > > Without wishing to question any of the defaults, which > I think make perfect sense, could I just point out > that the man page does not make it clear that level 0 > signatures are ALWAYS accepted, regardless of the > min-cert-level? As I read it at the moment, it seems > to suggest that by default level 0 and level 1 > signatures are both ignored, which I'm sure is not the > case. You're right. The manual is misleading on this point. I'll fix it. David From atom at smasher.org Sat Feb 5 21:35:41 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Feb 5 21:31:50 2005 Subject: Howto multiple mail accts. In-Reply-To: <9d7e2bf905020500264adbfe92@mail.gmail.com> References: <9d7e2bf905020500264adbfe92@mail.gmail.com> Message-ID: <20050205203528.74659.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 5 Feb 2005, Toni wrote: > I'm new to gpg and have some doubts I could not google. Please direct me > to a FAQ / HOWTO / etc if such document exists: > > I have several mail accounts, some personal, some for work, etc. I have > seen three possibilities to deal with this: > > - Add multiple UIDs to my main key > - Have multiple signing subkeys > - Have secondary "complete" keys signed by my main key. > > I've been reading the pros/cons of each aproach and can't make up my > mind to what is the best approach. > > Right now I thinnk the best would be to have a main key, with no e-mail > at all and use this to sign other keys, one for each mail account. > > What do you think? =========================== if it's no secret that all of the accounts belong to you, then a single key with multiple UIDs is probably the best thing. it's certainly the easiest. if you don't want people to immediately know that all of the accounts belong to you, then use multiple keys. i have 3 keys that are publicly distributed. one for business and professional correspondence, one for casual correspondence and one for an address (read: identity) that i don't share with too many people. on my casual correspondence key i have 2 UIDs. it's no secret that i control both of those mailboxes. if your multiple accounts require your key(s) to be stored on machines that you don't own/admin (such as a company computer) then you should consider multiple keys/subkeys. if you decide to use multiple subkeys this might help - http://fortytwo.ch/gpg/subkeys - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We don't know if lobsters feel pain... [but] since pain is a perception, we often don't know whether people feel it either" -- Prof. Edward Kravitz, Harvard Medical School -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCBS4nAAoJEAx/d+cTpVcipBYH/3C2SCZ1nWhDjEYRsNhwhCg8 YH4+R4J1F8wv30/Lo+09JOMngnSsith/YpmI4ywz8QhQedUCqKlT7jczsm+natRD Zem93ystFdgJp1SIPgT+HP0b1N9auwAlNxg9D+1YSKAGi7xB2F1siJrs/ohVmHZe /vfi5UqN246y5m3KSTo9pGZG3e2RkWSuOJdXe94h1Hzg+F3b5bl/WEaAI27GnsNy wxJgiP1xP2BLT+69lT23pA/QCbaYQ2hQaDRhY1OttWfuow1Iy8fjNlbHF2cme/ls 9SRedOeoGuMK9Mvjw85FxsTCG8HhfOThdvtQi7+O0b0yWpmWsiVXnlF2OoAlShY= =D/2R -----END PGP SIGNATURE----- From wesley.tabadore at gmail.com Sun Feb 6 00:29:27 2005 From: wesley.tabadore at gmail.com (Wesley Tabadore) Date: Sun Feb 6 01:25:35 2005 Subject: Strongest Key, Hash, and Cypher Algorithms Message-ID: Hi, I'm new to GPG and encryption in general and trying to figure out the strongest way to encrypt files (less than 100 megs in size). Speed is not at all a concern, strength of the encryption is the most critical thing. I would like to encrypt some files symmetrically and other files asymmetrically, so I am trying to understand the strength of both methods. Based on the research I have done thus far, I undertand that in both cases, I need to ensure the passphrases are strong. Having long passphrases is not an issue. I am inclined to use the DiceWare method to generate the passphrases. Any comments on this method? Symmetric encryption: Which current GPG Hash and Cypher Algorithm are the strongest and how many bits of entropy (or DiceWare words) would my passphrase have to contain in order to gain the most benefit from this Hash/Cypher Algorithm combination? Asymmetric encryption: What type of key should I generate and how do I choose the strongest Hash and Cypher Algorithm when encrypting files? Also how long should my passphrase be (bits of entropy or DiceWare words) in order to gain the most benefit in security from this scheme? Thanks in advance, Wes From dany_list at natzo.com Sun Feb 6 15:01:14 2005 From: dany_list at natzo.com (Dany Nativel) Date: Sun Feb 6 14:57:34 2005 Subject: GnuPG 1.4.1rc1 + Smart Card reader package for Knoppix/Kanotix In-Reply-To: <42028CB1.4050509@natzo.com> References: <41F7D813.6030804@natzo.com> <42028CB1.4050509@natzo.com> Message-ID: <4206232A.90005@natzo.com> Hello, In a previous post (Any LiveCD with GnuPG 1.4?) I was asking about a potential LiveCD that supports Gnupg 1.4 (at least). Thanks everyone for the valuable comments you've provided. I received a private email from David Lorch suggesting recompiling gpg and associated libraries under Knoppix by mounting some ramdisk. I kind of tried but it didn't go very far. Finally I found a way to get gpg 1.4.1rc1 to run under Knoppix without much hassle (using a SCM SCR331 reader which has a driver built-in gnupg). In fact it was as easy as ./configure and make ! I then added additional drivers for various readers using the Klik technology. In the end I had a handy package that contained gpg1.4.1rc1 as well as drivers that I could carry around and use with almost any Knoppix/Kanotix LiveCD. This is very convenient when it comes to key generation (on-card for example with off-card backup for example). 1) Boot from Knoppix CD (3.7 12/08) or even better from Kanotix BH X IMPORTANT : for Knoppix I only used boot: knoppix26 .... I couldn't get most of my USB peripherals to work with regule knoppix (2.4). Kanotix is 2.6 by default so no problems. 2) Download and extract gnupg-1.4.1-rc from ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1.tar.bz2 for example in your home directory (/home/knoppix) 3) Compile GnuPG cd ~/gnupg-1.4.1rc1 ./configure make the executable is available in ~/gnupg-1.4.1rc1/g10 4) Smart Card Reader a) CCID reader directly supported by gnupg (e.g. USB SCM SCR331) Nothing to do ... just use it : ~/gnupg-1.4.1rc1/g10/gpg --card-status b) CCID reader supported by libccid (see http://pcsclite.alioth.debian.org/ccid.html for a list of supported readers) I've used it with the Gemplus GemTwin USB. In order to use libccid you need the pcscd which can be downloaded as a "klik" application for Knoppix. Knoppix users you need an extra step to get the klik client up and running (Kanotix users... go to the next step): # Press Alt-F2 and paste: # wget klik.atekon.de/client/install -O -|sh Go to the following address http://klik.atekon.de/details.php?section=misc&package=pcscd and "klik" to install or even faster open a web browser and enter : klik://pcscd Now killall pcscd session that may have been opened during the installation process. I noticed that the pcscd would only work if launched with debug options. This pcscd packages includes the libccid drivers by default so it's ready to go. Unfortunately gnupg is looking for libpcslite.so so a link has to be created : ln /tmp/klik/pcscd/usr/lib/libpcsclite.so.1 /tmp/klik/pcscd/usr/lib/libpcsclite.so Now it's time to start the pcscd from the command line (not the icon on your desktop) /tmp/klik/pcscd/wrapper pcscd -af NB: this worked fine under Knoppix but not under Kanotix, sudo /tmp/klik/pcscd/wrapper pcscd -af solved the problem Before starting gpg you need to set the path to libpcsclite.so : export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH You can now start gnupg but remember that if you're using a CCID reader not supported by GnuPG itself you must disable ccid when calling GnuPG so it won't try to talk to the reader directly. For example the GemTwin will fail if not started with the extra option. ~/gnupg-1.4.1rc1/g10/gpg --card-status --disable-ccid NB: SCR331 can also be used with libccid (it's supported by both gnupg and libccid) c) Other Smart Card readers If none of your reader is supported by the above solutions you need to install an additional driver. Klik provides a convenient way to download precompiled drivers. Below is a list of available drivers: - libasedrive-serial | PC/SC driver for the Athena ASEDrive IIIe serial smart card reader - libasedrive-usb | PC/SC driver for the Athena ASEDrive IIIe USB smart card reader - libcteco50000 | Orga Eco 5000 smartcard reader PCSC and CT-API driver - libetoken | PC/SC Driver for Aladdin's eToken usb plug - libgcr410 | PC/SC driver for GemPlus GCR410 serial SmartCard interface - libgempc410 | PC/SC driver for the GemPC 410, 412, 413 and 415 smart card readers - libgempc430 | PC/SC driver for the GemPC 430, 432, 435 smart card readers - libslbreflex2 | Reflex 62/64 smartcard reader PCSC and CT-API driver - libtowitoko2 | Towitoko smartcard reader PCSC and CT-API driver Example : USB Towitoko Chipdrive Micro 130 After "kliking" on libtowitoko2 (http://klik.atekon.de/details.php?section=libs&package=libtowitoko2) you'll find a new directory under /temp/klik called towitoko2 The drivers files need to be placed under the pcscd directory and according to a specific directory organization mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents mkdir /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux cp /tmp/klik/libtowitoko2/usr/lib/libtowitoko.so.2.0.0 /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents/Linux cp /tmp/klik/libtowitoko2/usr/share/towitoko/Info.plist /tmp/klik/pcscd/usr/lib/pcsc/drivers/ifd-towitoko2.bundle/Contents and then start pcscd the same way : /tmp/klik/pcscd/wrapper pcscd -af (with sudo if using Kanotix) Don't forget to set the path to libpcsclite.so before running gnupg : export LD_LIBRARY_PATH=/tmp/klik/pcscd/usr/lib/:$LD_LIBRARY_PATH ~/gnupg-1.4.1rc1/g10/gpg --card-status NB: Serial reader may also be used but they'll need a little bit more tweaking for properly configuring the serial port and so on. I tried to play a little bit with the GCR415 without success. 5) Conclusion Now that you've got your reader up and running you probably don't want to go to this process next time you're booting from Knoppix/Kanotix. The only thing you need to save (on a USB drive for example) is the /tmp/klik directory and gpg executable files You can also use the convenient persistent home directory and just move the klik to it so it will be available all the time. Don't forget to adjust the export LD_LIBRARY_PATH accordingly ! I've packaged a pre-compiled gpg-1.4.1rc1, pcsd (including libccid) and towitoko driver so you can just extract it under /home/knoppix and follow the instructions found in the short readme file. The file can be downloaded from http://natzo.com/klik-gpg1.4.1rc1.tar.gz This should help users seeking to generate their keys on-card and save a backup copy off-card. For more security you should probably recompile gpg yourself (it doesn't take that long). One could also disable network connections (Knoppix sets them up automatically) and use encrypted swap file (especially if swap is mounted on a hdd). Dany From henkdebruijn at wanadoo.nl Sun Feb 6 17:41:36 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Sun Feb 6 17:37:45 2005 Subject: [Announce] release candidate for 1.4.1 available In-Reply-To: <87fz0dhnjp.fsf@wheatstone.g10code.de> References: <87fz0dhnjp.fsf@wheatstone.g10code.de> Message-ID: <1147928909.20050206174136@wanadoo.nl> > We are pleased to announce the availability of a release candidate for > the forthcoming 1.4.1 version of gnupg: > A binary for Windows is also available: > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc1.exe > (1377k) > Please try these versions out and report any problems. The installer > used for the Windows binary package is pretty basic right now but > nevertheless a first step. In particular, selecting the language to > use still needs manual interaction. We hope to improve it over time. Up and running like a charm! -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust From wk at gnupg.org Sun Feb 6 19:47:02 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Feb 6 19:46:25 2005 Subject: "Malformed user id" In-Reply-To: <4204E6C8.7090907@gmx.de> ( =?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Sat, 05 Feb 2005 16:31:20 +0100") References: <4204E6C8.7090907@gmx.de> Message-ID: <87mzuh8r15.fsf@wheatstone.g10code.de> On Sat, 05 Feb 2005 16:31:20 +0100, Thomas F D?llmann said: > I tried to encrypt it, but it just created a file named Crypt.txt.asc > , but then the same error message occured ("Malformed user id"). What is the content of your gpg.conf? Shalom-Salam, Werner From thfrdue at gmx.de Sun Feb 6 20:06:45 2005 From: thfrdue at gmx.de (=?UTF-8?B?IlRob21hcyBGLiBEw7xsbG1hbm4i?=) Date: Sun Feb 6 20:02:40 2005 Subject: "Malformed user id" In-Reply-To: <87mzuh8r15.fsf@wheatstone.g10code.de> References: <4204E6C8.7090907@gmx.de> <87mzuh8r15.fsf@wheatstone.g10code.de> Message-ID: <42066AC5.9030702@gmx.de> Werner Koch schrieb: >On Sat, 05 Feb 2005 16:31:20 +0100, Thomas F D?llmann said: > > > >>I tried to encrypt it, but it just created a file named Crypt.txt.asc >>, but then the same error message occured ("Malformed user id"). >> >> > >What is the content of your gpg.conf? > > > > Here the content of the gpg.conf: default-key # ********* // both keys are the same encrypt-to # ******** keyserver-options auto-key-retrieve photo-viewer C:\Programme\GPGshell\gpgview.exe %i /title 0x%k #load-extension Lib\idea # keyserver ldap://pgp.surfnet.nl:11370 # keyserver ldap://keyserver.pgp.com:11370 # keyserver ldap://certserver.pgp.com keyserver x-hkp://keyserver.kjsl.com keyserver x-hkp://pgp.dtype.org keyserver x-hkp://pgp.mit.edu keyserver x-hkp://pks.gpg.cz keyserver x-hkp://random.sks.keyserver.penguin.de keyserver x-hkp://pgpkeys.pca.dfn.de Thank You Thomas Email: thfrdue@gmx.de -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 03.02.2005 From jharris at widomaker.com Mon Feb 7 02:50:48 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Feb 7 02:47:56 2005 Subject: new (2005-02-06) keyanalyze results (+sigcheck) Message-ID: <20050207015048.GF3466@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-02-06/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 4f90c2b998d6a2946b400223ef4f136f5145d103 11308176 preprocess.keys 018fa151a214140f7ce50ec594e57fb763309532 7147601 othersets.txt b08526172e2d1791045cb93afded087be803719d 2864126 msd-sorted.txt ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html 5ab2a52c9bec6696be6a4c990c2f3354a6e98cce 2290 keyring_stats 3fc4462b3381802c07c897db2072b6b357a4f236 1126947 msd-sorted.txt.bz2 8c088e5ea0bf51e74d980c8836839f3b71b38ac1 26 other.txt 9afec2c9f388a23ed3135f44ad8bbb8af0bbac28 1536770 othersets.txt.bz2 0ed0596f5a988a58c49043859bd7a819440b27fb 4568885 preprocess.keys.bz2 0f30f51d498009716976eaee8dd7fbf4f7566a4f 11268 status.txt 442b8444c261e6a8813834c98b61332c5dc91e4e 211730 top1000table.html d3a67e0ad9404f19ef60c34290459a5a02903940 30452 top1000table.html.gz 216624310787e93b5f7b6eeb0ebfc363e32b431b 10997 top50table.html 6b55bc800c591e0057e14163bc5d7770ce2e8d3e 2369 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050206/bd0393f0/attachment.pgp From atom at smasher.org Mon Feb 7 07:00:06 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Feb 7 06:56:05 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: References: Message-ID: <20050207055949.17827.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 5 Feb 2005, Wesley Tabadore wrote: > I'm new to GPG and encryption in general and trying to figure out the > strongest way to encrypt files (less than 100 megs in size). Speed is > not at all a concern, strength of the encryption is the most critical > thing. ================== there are no weak algorithms in pgp/gpg. even the "weakest" algorithms should be fine against any attack that can currently be mounted against them. > I would like to encrypt some files symmetrically and other files > asymmetrically, so I am trying to understand the strength of both > methods. ==================== the strength of symmetric encryption is that you don't need to keep a key in a file. all you need to do is remember the passphrase and you will always be able to decrypt your data. the strengths of asymmetric encryption are unattended encryption (you don't have to type a passphrase to encrypt) and secure communication across an insecure channel (such as the internet) between 2 or more parties. > Based on the research I have done thus far, I undertand that in both > cases, I need to ensure the passphrases are strong. Having long > passphrases is not an issue. I am inclined to use the DiceWare method > to generate the passphrases. Any comments on this method? ======================== diceware is good. more info on other techniques - http://atom.smasher.org/links/#passwords > Symmetric encryption: Which current GPG Hash and Cypher Algorithm are > the strongest and how many bits of entropy (or DiceWare words) would my > passphrase have to contain in order to gain the most benefit from this > Hash/Cypher Algorithm combination? ======================= hashing is rarely done with symmetric encryption (except as part of the s2k process). in a way, knowing the passphrase *is* authentication (and in another way, it isn't). (all other factors being equal) the bigger the passphrase, the more protection. the question you should ask is "what size passphrase is sufficient for the secrets i want to keep?" check out these sections of the diceware FAQ - How long should my passphrase be? http://world.std.com/~reinhold/dicewarefaq.html#howlong What if I want a passphrase with full 128-bit security? http://world.std.com/~reinhold/dicewarefaq.html#128-bit > Asymmetric encryption: What type of key should I generate and how do I > choose the strongest Hash and Cypher Algorithm when encrypting files? > Also how long should my passphrase be (bits of entropy or DiceWare > words) in order to gain the most benefit in security from this scheme? =========================== the key types and algorithm preferences, if you don't use the defaults, should be based on your latest research and suspicions of what information you have. some people don't like 3DES... other people don't like BLOWFISH/TWOFISH... i don't like AES... at the end of the day, none of the algorithms are broken, or even close to being broken, but many of us have our favorites. only your research and/or crystal ball will dictate which algorithms you decide to trust most, or not at all. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I have presented factual data, statistical data, and projected data. Form your own conclusions. Perhaps the NSA has found a polynomial-time (read: fast) factoring algorithm. But we cannot dismiss an otherwise secure cryptosystem due to paranoia. Of course, on the same token, we cannot trust cryptosystems on hearsay or assumptions of security. Bottom line is this: in the field of computer security, it pays to be cautious. But it doesn't pay to be un-informed or needlessly paranoid. Know the facts." -- infiNity, The PGP Attack FAQ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCBwP0AAoJEAx/d+cTpVci9TUH+wfLOJoyiK4TLrqYCDf6fFre 6iut7IoVGIzAocwR9WRDxH8+6oZX2u+8QNQA1Y+X8O6b1WUH0T0DRX0EOAuI9y97 QiO0pv0/IcMS52RzOYDnc4OzDEmmnu+qYBHE4ePqBgK8tzsqPEWswrfkmZjDQq5A 3ljXF4jOYFlj3bl203aiqV5rovTgQd3VfDVY95V5eaTSPI/QWWMFIYT704iRceMb WMVltunszkbV8xMZJUFTsgcyS0YQ5OablVZmkWwxaRkQ778+EtM+C9Vo41xD9xTx ivJetPxeCjeSWf446LTPgpM3i8/H3p20RmGapJjwcS0wVVl7o4/4ga1Zz0vZOzE= =W93E -----END PGP SIGNATURE----- From ms419 at freezone.co.uk Mon Feb 7 05:52:00 2005 From: ms419 at freezone.co.uk (ms419@freezone.co.uk) Date: Mon Feb 7 07:35:56 2005 Subject: "http" & "finger" keyserver schemes Message-ID: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> I don't get how to receive keys using using the "http" & "finger" keyserver schemes. I tried some variations on - gpg --keyserver finger:wk@g10code.com --recv-keys gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc" --recv-keys - but nothing I tried worked. Receiving keys from "ldap" or "hkp" keyservers is no problem - gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell Frustratingly, I couldn't find examples on the web or in the documentation of using "http" or "finger" keyserver schemes. Can anyone help? Thanks! Jack From list at rachinsky.de Mon Feb 7 08:39:27 2005 From: list at rachinsky.de (Nicolas Rachinsky) Date: Mon Feb 7 08:35:35 2005 Subject: "http" & "finger" keyserver schemes In-Reply-To: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> Message-ID: <20050207073927.GA27995@pc5.i.0x5.de> * ms419@freezone.co.uk [2005-02-06 20:52 -0800]: > I don't get how to receive keys using using the "http" & "finger" > keyserver schemes. > > I tried some variations on - > > > gpg --keyserver finger:wk@g10code.com --recv-keys > > gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc" > --recv-keys You have to add an keyid. gpg --keyserver http://www.rachinsky.de/nicolas/pgp/nicolas_rachinsky.asc --recv 12345678 Works fine here. Nicolas From devegades at gmail.com Mon Feb 7 11:37:01 2005 From: devegades at gmail.com (Toni) Date: Mon Feb 7 11:33:30 2005 Subject: Howto multiple mail accts. In-Reply-To: <20050205203528.74659.qmail@smasher.org> References: <9d7e2bf905020500264adbfe92@mail.gmail.com> <20050205203528.74659.qmail@smasher.org> Message-ID: <9d7e2bf9050207023749c96b94@mail.gmail.com> On Sat, 5 Feb 2005 15:35:41 -0500 (EST), Atom Smasher wrote: > On Sat, 5 Feb 2005, Toni wrote: > > > I have several mail accounts, some personal, some for work, etc. > > if it's no secret that all of the accounts belong to you, then a single > key with multiple UIDs is probably the best thing. it's certainly the > easiest. Yes, I was considering this approach for my work accounts. With those it can even be good to publicize the other accounts. The question is what happens when you change project / client / etc and are given a new mail address? Do you need everybody to resign your key or does it suffice to add / delete UIDs? > if you don't want people to immediately know that all of the accounts > belong to you, then use multiple keys. Yes, that's why I wanted to have a master and several other keys. Even if it would be easy for the knowledgeable to find out all addresses I have, it would not be evident for the casual spammer. > i have 3 keys that are publicly distributed. one for business and > professional correspondence, one for casual correspondence and one for an > address (read: identity) that i don't share with too many people. > > on my casual correspondence key i have 2 UIDs. it's no secret that i > control both of those mailboxes. Similar to my situation. > if you decide to use multiple subkeys this might help - > http://fortytwo.ch/gpg/subkeys Yes, I had already seen this. To my novice eyes it seems to much of twiddling. Maybe when I have some more experience I'll give it another look. Thanks for your comments. -- Toni From dshaw at jabberwocky.com Mon Feb 7 14:19:30 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 7 14:16:14 2005 Subject: "http" & "finger" keyserver schemes In-Reply-To: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> Message-ID: <20050207131930.GA29857@jabberwocky.com> On Sun, Feb 06, 2005 at 08:52:00PM -0800, ms419@freezone.co.uk wrote: > I don't get how to receive keys using using the "http" & "finger" > keyserver schemes. > > I tried some variations on - > > > gpg --keyserver finger:wk@g10code.com --recv-keys > > gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc" > --recv-keys > > > - but nothing I tried worked. Receiving keys from "ldap" or "hkp" > keyservers is no problem - > > > gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie > > gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell > > > Frustratingly, I couldn't find examples on the web or in the > documentation of using "http" or "finger" keyserver schemes. Can anyone > help? http and finger schemes are most useful for putting in preferred keyserver URLs so the key can be automatically refreshed. They're not really intended for use on the command line, but it's possible to fool the system into working on the command line by doing something like: gpg --keyserver finger:the_finger@example.com --recv-keys 99999999 i.e. "receive key 99999999 from finger:the_finger@example.com". The key that arrives probably won't be 99999999, but it'll arrive anyway. David From mconahan at iotest.org Mon Feb 7 19:31:45 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Mon Feb 7 19:28:04 2005 Subject: Creating a RFC3156 compliant encrypted message with Gnu PG In-Reply-To: <000e01c50b05$19144cf0$f300a8c0@HOME> References: <000e01c50b05$19144cf0$f300a8c0@HOME> Message-ID: <4207B411.8000400@iotest.org> Kiefer, Sascha wrote: Yes, I knew that, but thanks for your response. There was another responder who recommended that I should obtain the Enigmail (or Mutt) source, and view how those apps process rfc 3156 (PGP/MIME) messages. I'm taking that approach...I'm currently upgrading my environment with the requisites (Mozilla 1.7.x/Gnu PG 1.4), before compiling and installing Enigmail. >Well, you have to build the MIME structure yourself. >As far as i know GnuPG does not know about MIME in particular. >Have fun. > >esskar > > > >>-----Original Message----- >>From: gnupg-users-bounces@gnupg.org >>[mailto:gnupg-users-bounces@gnupg.org] On Behalf Of >>mconahan@iotest.org >>Sent: Freitag, 4. Februar 2005 22:38 >>To: gnupg-users@gnupg.org >>Subject: Creating a RFC3156 compliant encrypted message with Gnu PG >> >> >>Does anyone know how to create a RFC 3156 compliant PGP encrypted >>message with Gnu PG? I am building an app that is making use >>of the Gnu >>PG functionality, and I am having some trouble getting other PGP apps >>(said to be 3156 compliant) to accept it. I have read both >>RFC 3156 and >>2015, and I seem to be missing something, since it isn't working. >> >>Does anyone know of tutorial site, or has a script that creates a RFC >>3156 compliant message? Any help would be appreciated. >> >> >>_______________________________________________ >>Gnupg-users mailing list >>Gnupg-users@gnupg.org >>http://lists.gnupg.org/mailman/listinfo/gnupg-users >> >> >> > > > > From mconahan at iotest.org Mon Feb 7 22:01:55 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Mon Feb 7 21:58:25 2005 Subject: Creating a RFC3156 compliant encrypted message with Gnu PG In-Reply-To: <4203F2AA.2030909@comcast.net> References: <4203EB49.20604@iotest.org> <4203F2AA.2030909@comcast.net> Message-ID: <4207D743.9000907@iotest.org> John Clizbe wrote: > mconahan@iotest.org wrote: > > >Does anyone know how to create a RFC 3156 compliant PGP encrypted > >message with Gnu PG? I am building an app that is making use of the Gnu > >PG functionality, and I am having some trouble getting other PGP apps > >(said to be 3156 compliant) to accept it. I have read both RFC 3156 and > >2015, and I seem to be missing something, since it isn't working. > > >Does anyone know of tutorial site, or has a script that creates a RFC > >3156 compliant message? Any help would be appreciated. > > > Check the source code for Enigmail or Mutt. > > -- > John P. Clizbe Inet: John (a) Mozilla-Enigmail.org > GingerBear Consluting PGP/GPG KeyID: 0x608D2A10 > "what's the key to success?" / "two words: good decisions." > "what's the key to good decisions?" / "one word: experience." > "how do i get experience?" / "two words: bad decisions." > > "Just how do the residents of Haiku, Hawai'i hold conversations?" Thanks. I'll look into it. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From rmalayter at bai.org Mon Feb 7 22:01:45 2005 From: rmalayter at bai.org (Ryan Malayter) Date: Mon Feb 7 21:58:34 2005 Subject: Strongest Key, Hash, and Cypher Algorithms Message-ID: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> [From Atom Smasher] > i don't like AES... None of the papers I've read suggest anything close to an attack that is better than brute-force on full-round AES. Although, I have seen some in the crypto field complain Rijndael is just "too simple" to be secure. Of course, the same was said about RC4 many years ago, and AFAIK there are still no attacks better than brute force against the RC4 algorithm itself (protocol issues in WEP don't count). Just to edjumacate myself, as W. would say, what are your reasons for disliking AES? I've been using it more and more frequently for VPNs I set up when there is no hardware crypto assist available, since the CPU utilization is so much lower than with 3DES. I just want to make sure I'm not missing something. Did anything "scary" come out about AES recently? Regards, Ryan From atom at smasher.org Mon Feb 7 22:05:56 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Feb 7 22:01:28 2005 Subject: OT - pgp art Message-ID: <20050207210516.36506.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 some pgp artwork/wallpaper - http://www.deviantart.com/deviation/14884064/ - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "MEATLESS" - US government standards allow the use of the word "Meatless" to allow up to 2% animal product and/or meat content. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCB9g6AAoJEAx/d+cTpVciBPgH/3xanEYM0pjhox+TMH1fdY2s 8Nj+S39u1hFP1sQBy86jLpf1W8q0yZAL2okH6XyiChUmJ5rb649McDKSPnV9MycI Ayg8v4YM5ScPQfp6dEOqtfcQYm7d7OMGZ6ipI5iddeqZ5AE9QNu6tj0hgzC4cjKQ lboDuEk3qmianj6bcVMMRtoOoeB+xlYyMKJcCX6dNIAj1JkVkwcdT3gSJKxrNXYL tS2NV65WT34rdOPNo2hw1xYiUl2BN8Fri+iBRgyhN4QPidv9A10MkhPemwNe2aSQ 3Y/oMySjBsujLHCfepIu6TJqjuSLSmPVO49cWD3raFSzKtW62nBm84XGa27skNk= =h8Uo -----END PGP SIGNATURE----- From atom at smasher.org Mon Feb 7 22:37:09 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Feb 7 22:32:43 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> Message-ID: <20050207213634.55149.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 7 Feb 2005, Ryan Malayter wrote: > [From Atom Smasher] >> i don't like AES... > > None of the papers I've read suggest anything close to an attack that is > better than brute-force on full-round AES. Although, I have seen some in > the crypto field complain Rijndael is just "too simple" to be secure. Of > course, the same was said about RC4 many years ago, and AFAIK there are > still no attacks better than brute force against the RC4 algorithm > itself (protocol issues in WEP don't count). =================== there have been several succesful attacks against against RC4, but only when it's incorectly implemented. the lesson here is that some good algorithms are weakly implemented... some algorithms are difficult to implement correctly. i think elgamal for signatures falls into that category. > Just to edjumacate myself, as W. would say, what are your reasons for > disliking AES? I've been using it more and more frequently for VPNs I > set up when there is no hardware crypto assist available, since the CPU > utilization is so much lower than with 3DES. ================ http://en.wikipedia.org/wiki/AES#Security Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this meaning, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2120 operations would be considered a break even though it would be, now, quite infeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publically-known brute-force attack has been against a 64 bit RC5 key by distributed.net. Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description [2] (http://www.macfergus.com/pub/rdalgeq.html), [3] (http://www.isg.rhul.ac.uk/~sean/). This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. It seems that the attack, if the mathematics is correct, is not currently practical as it would have a prohibitively high "work factor". There have been claims of considerable work factor improvement, however, so the attack technique might become practical in the future. On the other hand, several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, as far as is publicly known, the XSL attack against AES is speculative; it is unlikely that anyone could carry out the current attack in practice. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "There is no such thing at this date of the world's history in America as an independent press. You know it, and I know it. There is not one of you who dares to write his honest opinion, and if you did, you know beforehand it would never appear in print. I am paid weekly for keeping my honest opinion out of the paper. Others of you are paid similar salaries for similar things. And any of you who would be so foolish as to write honest opinions would be out on the streets looking for another job. "If I allow my honest opinions to appear in one issue of my paper, before 24 hours, my occupation would be gone. The business of the journalist is to destroy the truth, to lie outright, to pervert, to vilify, to fawn at the feet of Mammon and to sell his country and his race for his daily bread. You know it, and I know it, and what folly is this toasting an independent press? We are the tools and the vassals of rich men behind the scenes. We are the jumping jacks. They pull the strings, and we dance. Our talents, our possibilities and our lives are all the property of other men. "We are intellectual prostitutes." -- John Swinden, 1953, then head of the New York Times, when asked to toast an independent press in a gathering at the National Press Club. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCB9+NAAoJEAx/d+cTpVcitjgH/3OVMpY8QXblFfvrmeaG86/A ZJ7H+eqbMKKtIWexYpcthlNdbm2le9TNdx0b5BhiWVJot0R+8XncMYvLtP5z/dMR WdowPoZ2f1EzpXDOwLS4rTEQG7GgcJnSYTBch9ow7A3D03z4XG8Q6wVla2Gn1Sum JpmnL2Wm/aC6y/iK+JCy1s9Psq3yka+yuo+8vPJd4t3vZnwKZFMLs2TuJUqpMHiT ocooXsjKPIPADxvg+0b5W+iDUs/dBvX3Y/Q+wG5HoD/x34pcyBTnaib/XEqF7N0I OH/Gw16DB7CA69dzOtikE0dyvBaFENkFNbHxytls043DI89cRSAiu+EYL+fZPq4= =CfPS -----END PGP SIGNATURE----- From wesley.tabadore at gmail.com Mon Feb 7 22:56:31 2005 From: wesley.tabadore at gmail.com (Wesley Tabadore) Date: Mon Feb 7 22:52:39 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: <20050207213634.55149.qmail@smasher.org> References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> <20050207213634.55149.qmail@smasher.org> Message-ID: Atom, This is great information! Can you provide such an analysis for TWOFISH? How about for the asymmetric algorithms supported by GPG? There is so much data to sort through out there, it is difficult to come up with the consise explanations and feedback you have given thus far. Would really apreciate more on the other options. :-) Thanks, Wes On Mon, 7 Feb 2005 16:37:09 -0500 (EST), Atom Smasher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On Mon, 7 Feb 2005, Ryan Malayter wrote: > > > [From Atom Smasher] > >> i don't like AES... > > > > None of the papers I've read suggest anything close to an attack that is > > better than brute-force on full-round AES. Although, I have seen some in > > the crypto field complain Rijndael is just "too simple" to be secure. Of > > course, the same was said about RC4 many years ago, and AFAIK there are > > still no attacks better than brute force against the RC4 algorithm > > itself (protocol issues in WEP don't count). > =================== > > there have been several succesful attacks against against RC4, but only > when it's incorectly implemented. the lesson here is that some good > algorithms are weakly implemented... some algorithms are difficult to > implement correctly. i think elgamal for signatures falls into that > category. > > > > Just to edjumacate myself, as W. would say, what are your reasons for > > disliking AES? I've been using it more and more frequently for VPNs I > > set up when there is no hardware crypto assist available, since the CPU > > utilization is so much lower than with 3DES. > ================ > > http://en.wikipedia.org/wiki/AES#Security > > Some cryptographers worry about the security of AES. They feel > that the margin between the number of rounds specified in the cipher and > the best known attacks is too small for comfort. The risk is that some way > to improve these attacks might be found and that, if so, the cipher could > be broken. In this meaning, a cryptographic "break" is anything faster > than an exhaustive search, so an attack against 128-bit key AES requiring > 'only' 2120 operations would be considered a break even though it would > be, now, quite infeasible. In practical application, any break of AES > which is only this 'good' would be irrelevant. For the moment, such > concerns can be ignored. The largest publically-known brute-force attack > has been against a 64 bit RC5 key by distributed.net. > > Another concern is the mathematical structure of AES. Unlike most > other block ciphers, AES has a very neat mathematical description [2] > (http://www.macfergus.com/pub/rdalgeq.html), [3] > (http://www.isg.rhul.ac.uk/~sean/). This has not yet led to any attacks, > but some researchers are worried that future attacks may find a way to > exploit this structure. > > In 2002, a theoretical attack, termed the "XSL attack", was > announced by Nicolas Courtois and Josef Pieprzyk, showing a potential > weakness in the AES algorithm. It seems that the attack, if the > mathematics is correct, is not currently practical as it would have a > prohibitively high "work factor". There have been claims of considerable > work factor improvement, however, so the attack technique might become > practical in the future. On the other hand, several cryptography experts > have found problems in the underlying mathematics of the proposed attack, > suggesting that the authors have made a mistake in their estimates. > Whether this line of attack can be made to work against AES remains an > open question. For the moment, as far as is publicly known, the XSL attack > against AES is speculative; it is unlikely that anyone could carry out the > current attack in practice. > > > - -- > ...atom > > _________________________________________ > PGP key - http://atom.smasher.org/pgp.txt > 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > ------------------------------------------------- > > "There is no such thing at this date of the world's history in > America as an independent press. You know it, and I know it. > There is not one of you who dares to write his honest > opinion, and if you did, you know beforehand it would never > appear in print. I am paid weekly for keeping my honest > opinion out of the paper. Others of you are paid similar > salaries for similar things. And any of you who would be so > foolish as to write honest opinions would be out on the > streets looking for another job. > > "If I allow my honest opinions to appear in one issue of my > paper, before 24 hours, my occupation would be gone. The > business of the journalist is to destroy the truth, to lie > outright, to pervert, to vilify, to fawn at the feet of > Mammon and to sell his country and his race for his daily > bread. You know it, and I know it, and what folly is this > toasting an independent press? We are the tools and the > vassals of rich men behind the scenes. We are the jumping > jacks. They pull the strings, and we dance. Our talents, our > possibilities and our lives are all the property of other men. > > "We are intellectual prostitutes." > -- John Swinden, 1953, then head of the New York > Times, when asked to toast an independent press > in a gathering at the National Press Club. > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (FreeBSD) > Comment: What is this gibberish? > Comment: http://atom.smasher.org/links/#digital_signatures > > iQEcBAEBCAAGBQJCB9+NAAoJEAx/d+cTpVcitjgH/3OVMpY8QXblFfvrmeaG86/A > ZJ7H+eqbMKKtIWexYpcthlNdbm2le9TNdx0b5BhiWVJot0R+8XncMYvLtP5z/dMR > WdowPoZ2f1EzpXDOwLS4rTEQG7GgcJnSYTBch9ow7A3D03z4XG8Q6wVla2Gn1Sum > JpmnL2Wm/aC6y/iK+JCy1s9Psq3yka+yuo+8vPJd4t3vZnwKZFMLs2TuJUqpMHiT > ocooXsjKPIPADxvg+0b5W+iDUs/dBvX3Y/Q+wG5HoD/x34pcyBTnaib/XEqF7N0I > OH/Gw16DB7CA69dzOtikE0dyvBaFENkFNbHxytls043DI89cRSAiu+EYL+fZPq4= > =CfPS > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From hmujtaba at forumsys.com Mon Feb 7 23:09:49 2005 From: hmujtaba at forumsys.com (Hasnain Mujtaba) Date: Mon Feb 7 23:41:13 2005 Subject: Partial body length encoding for Compressed packets Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com> Hi David, I generated a PGP 2 style packet using GPG's --pgp2 option and tore it apart to look inside its structure. I found that both the encrypted and literal data packets are broken into RFC 2440 style partial body length chunks. But, as you explained, the compressed packet was indeterminate length encoded. I find this behavior perplexing. They made PGP 2 RFC2440 compliant only for encrypted and literal packets. But why not for compressed packets as well? Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e RFC 2440 chunking for literal & encrypted packets, but indeterminate for compressed packets? Or will PGP 5.x and above, understand chunking for all three packets? Not meaning to beat on a dead horse, but this forum is my only hope of staying sane in a world of interoperability minefields. Regards, Hasnain. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw Sent: Monday, August 09, 2004 8:25 PM To: gnupg-users@gnupg.org Subject: Re: Partial body length encoding for Compressed packets On Sat, Aug 07, 2004 at 06:11:59PM -0400, Hasnain Mujtaba wrote: > Hi everyone, > > I am working with RFC2440 partial body length (PBL) encoding for my app. > I have noticed that even though GPG's Encrypted Data Packets are cut > into partial body length (PBL) chunks, the enclosed Compressed Data > Packets are encoded using indeterminate lengths, rather than PBLs. Is > this the default behavior for GPG and if so for what reasons? > > If possible, I would like GPG to create both compressed data packets and > enclosed literal data packets using PBL encoding. Is there some way to > force enable this feature? For PGP 2 compatibility reasons, GnuPG uses indeterminate lengths for compressed packets. There is no way to change this, but if you are willing to compile a special GnuPG to test with, you can do something like setting "new_ctb" to 1 in build_packet() when generating a compressed data packet. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From atom at smasher.org Mon Feb 7 23:53:44 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Feb 7 23:49:34 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> <20050207213634.55149.qmail@smasher.org> Message-ID: <20050207225304.18999.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 7 Feb 2005, Wesley Tabadore wrote: > This is great information! Can you provide such an analysis for > TWOFISH? > > How about for the asymmetric algorithms supported by GPG? > > There is so much data to sort through out there, it is difficult to come > up with the consise explanations and feedback you have given thus far. > Would really apreciate more on the other options. :-) ====================== i'm flattered that you like it so much, but i'm not a cryptographer. although i have a good understanding of the protocols i actually suck really bad at the math. most of the information is out there, although a lot of it is dated. i guess you could start here - The PGP Attack FAQ http://www.stack.nl/~galactus/remailers/attack-faq.html PGP DH vs. RSA FAQ http://www.scramdisk.clara.net/pgpfaq.html Practical Attacks on PGP http://www.privacy.com.au/pgpatk.html http://atom.smasher.org/links/#crypto - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "All censorships exist to prevent anyone from challenging current conceptions and existing institutions. All progress is initiated by challenging current conceptions, and executed by supplanting existing institutions. Consequently, the first condition of progress is the removal of censorships." -- George Bernard Shaw -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCB/F+AAoJEAx/d+cTpVciu4gH/jtkd4GI93i23YdSGHCboiQi D8vbaVAesqgrh/Oty7091d6b2bwP0rB7B9uWzqh7433RSG2Fe+U4LvtFfx/iVJNL grmB6So1/+szJM6/aw2VCcmkviFtS/Ws0EkZ/0/k58d+4oxArgVlwRwZdgBB4qoR skNBA2+P8rMEGjOM2bFvwWEjEkApi2UjxjHQCR1RTLQmFzZKqAdBnHBYYkRKQBuS vqByQ+U+Do5GLkT/KhLCBQRVulLXqWFm/QHQ2XqNjDDXjERtSyC3Vv28aZTQVfmV aYeXwuTlYK1YznVBFNd86piEBBZsoqP5/jq4lnpYr7e19x7eUC/8op/jc/2J/Js= =E3Hw -----END PGP SIGNATURE----- From chd at chud.net Mon Feb 7 22:44:09 2005 From: chd at chud.net (Chris De Young) Date: Tue Feb 8 00:01:50 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2A039DC8C0@cliff.bai.org> Message-ID: <4207E129.2080406@chud.net> Ryan Malayter wrote: > Of > course, the same was said about RC4 many years ago, and AFAIK there are > still no attacks better than brute force against the RC4 algorithm > itself (protocol issues in WEP don't count). RC4 has some classes of weak keys, as I recall. Implementations can work around these problems, but I would still tend to classify that as a weakness in the algorithm rather than in the implementation. Pedantic, perhaps, but anyway... :) -Chris -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050207/efe554fd/signature.pgp From swp5jhu02 at sneakemail.com Mon Feb 7 13:58:17 2005 From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=) Date: Tue Feb 8 09:32:27 2005 Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir... Message-ID: <420765E9.1020805@sneakemail.com> Hi there, My task: I have a public keyring and a signed file. I need to test whether they verify from a script. I don't want to use the current user's trust, keyrings or anything. In fact, the user's home directory may not even be writable by the user. In gnupg 1.2.5, this worked: # gpg --always-trust --secret-keyring /dev/null --no-default-keyring --keyring /my/key.ring --verify /some/file gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8 gpg: Good signature from "Somebody " gpg: WARNING: Using untrusted key! However, in 1.4.0, this gives the following error: gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied OK, so I can always do e.g.: # mkdir /tmp/bogus # gpg --homedir /tmp/bogus ... # rm -rf /tmp/bogus But then I'm spending time creating the bogus directory, initializing a trust database, only to just delete it afterward. And now I have to take care not to have two scripts running simultaneously or to use distinct temporary directory names with all the pitfalls *that* has. Isn't there a simpler way? (--homedir /dev/null doesn't work! :-D) Peter -- Peter Valdemar M?rch http://www.morch.com From wk at gnupg.org Tue Feb 8 09:48:48 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Feb 8 09:45:48 2005 Subject: "Malformed user id" In-Reply-To: <42066AC5.9030702@gmx.de> ( =?utf-8?q?Thomas_F=2E_D=C3=BCllmann's_message_of?= "Sun, 06 Feb 2005 20:06:45 +0100") References: <4204E6C8.7090907@gmx.de> <87mzuh8r15.fsf@wheatstone.g10code.de> <42066AC5.9030702@gmx.de> Message-ID: <87r7jr77yn.fsf@wheatstone.g10code.de> On Sun, 06 Feb 2005 20:06:45 +0100, Thomas F D?llmann said: > default-key # ********* // both keys are > the same > encrypt-to # ******** Remove them and try again. Then look closely on what you entered. It should similar to: default-key 5B0358A2 encrypt-to 5B0358A2 Werner From wk at gnupg.org Tue Feb 8 09:55:24 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Feb 8 09:55:50 2005 Subject: capacity of keyring In-Reply-To: <420359A9.7020908@intertivity.com> (Sascha Kiefer's message of "Fri, 04 Feb 2005 12:16:57 +0100") References: <4200C54D.4040305@intertivity.com> <420224E2.9070900@intertivity.com> <42033722.7030302@smgwtest.aachen.utimaco.de> <420359A9.7020908@intertivity.com> Message-ID: <87mzuf77nn.fsf@wheatstone.g10code.de> On Fri, 04 Feb 2005 12:16:57 +0100, Sascha Kiefer said: > When do you think that 1.9.x is going to be realeased? There are releases every few weeks, there should be another one this week. The support for larger keyrings has not yet been implemented, though. > Or how "stable" is 1.9 right now? The S/MIME part is pretty stable and in use for quite some time. The OpenPGP part is not verty matured yet but gpg 1.4 may be used along with 1.9. Shalom-Salam, Werner From swp5jhu02 at sneakemail.com Tue Feb 8 10:58:08 2005 From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=) Date: Tue Feb 8 10:54:29 2005 Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir... Message-ID: <42088D30.1060800@sneakemail.com> Hi there, My task: I have a public keyring and a signed file. I need to test whether they verify from a script. I don't want to use the current user's trust, keyrings or anything. In fact, the user's home directory may not even be writable by the user. In gnupg 1.2.5, this worked: # gpg --always-trust --secret-keyring /dev/null --no-default-keyring --keyring /my/key.ring --verify /some/file gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8 gpg: Good signature from "Somebody " gpg: WARNING: Using untrusted key! However, in 1.4.0, this gives the following error: gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied OK, so I can always do e.g.: # mkdir /tmp/bogus # gpg --homedir /tmp/bogus ... # rm -rf /tmp/bogus But then I'm spending time creating the bogus directory, initializing a trust database, only to just delete it afterward. And now I have to take care not to have two scripts running simultaneously or to use distinct temporary directory names with all the pitfalls *that* has. Isn't there a simpler way avoiding the homedir altogether? (--homedir /dev/null doesn't work! :-D) Peter -- Peter Valdemar M?rch http://www.morch.com From dshaw at jabberwocky.com Tue Feb 8 15:10:57 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 8 15:07:58 2005 Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir... In-Reply-To: <42088D30.1060800@sneakemail.com> References: <42088D30.1060800@sneakemail.com> Message-ID: <20050208141057.GA10444@jabberwocky.com> On Tue, Feb 08, 2005 at 10:58:08AM +0100, Peter Valdemar M?rch wrote: > Hi there, > > My task: I have a public keyring and a signed file. I need to test > whether they verify from a script. > > I don't want to use the current user's trust, keyrings or anything. In > fact, the user's home directory may not even be writable by the user. > > In gnupg 1.2.5, this worked: > > # gpg --always-trust --secret-keyring /dev/null --no-default-keyring > --keyring /my/key.ring --verify /some/file > gpg: Signature made Mon 19 Apr 2004 13:29:53 CEST using DSA key ID 53776FD8 > gpg: Good signature from "Somebody " > gpg: WARNING: Using untrusted key! > > > However, in 1.4.0, this gives the following error: > > gpg: fatal: can't create directory `/home/user/.gnupg': Permission denied > > OK, so I can always do e.g.: > # mkdir /tmp/bogus > # gpg --homedir /tmp/bogus ... > # rm -rf /tmp/bogus > > But then I'm spending time creating the bogus directory, initializing a > trust database, only to just delete it afterward. And now I have to take > care not to have two scripts running simultaneously or to use distinct > temporary directory names with all the pitfalls *that* has. > > Isn't there a simpler way avoiding the homedir altogether? (--homedir > /dev/null doesn't work! :-D) It sounds like you are looking for gpgv, which comes with GnuPG. It does just what you want - verifies files and nothing else. David From dshaw at jabberwocky.com Tue Feb 8 17:35:14 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 8 17:32:29 2005 Subject: Partial body length encoding for Compressed packets In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com> References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B3FE@bstn-exch1.forumsys.com> Message-ID: <20050208163514.GB10858@jabberwocky.com> On Mon, Feb 07, 2005 at 05:09:49PM -0500, Hasnain Mujtaba wrote: > Hi David, > > I generated a PGP 2 style packet using GPG's --pgp2 option and tore it > apart to look inside its structure. I found that both the encrypted and > literal data packets are broken into RFC 2440 style partial body length > chunks. But, as you explained, the compressed packet was indeterminate > length encoded. > > I find this behavior perplexing. They made PGP 2 RFC2440 compliant only > for encrypted and literal packets. But why not for compressed packets as > well? PGP 2 isn't RFC-2440 compliant. PGP 2 dates from quite a few years before 2440 was even written. > Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e RFC > 2440 chunking for literal & encrypted packets, but indeterminate for > compressed packets? Or will PGP 5.x and above, understand chunking for > all three packets? > > Not meaning to beat on a dead horse, but this forum is my only hope of > staying sane in a world of interoperability minefields. It won't work ;) Sane PGP interoperability requires knowing when to give up. For example, there are details between PGP 5 and 7 where you can support one or the other, but not both. To a certain extent, supporting bugs from old versions that have been replaced many times over is actually harmful. I know that some users have settled on one version of PGP and will continue to use that version until the sun goes nova, but given the choice between supporting that tiny minority of people, and the huge majority of people who are using something actually RFC compliant, I know where I'm going to spend my energy. David From johanw at vulcan.xs4all.nl Tue Feb 8 02:35:42 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Feb 8 17:44:07 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: from Wesley Tabadore at "Feb 7, 2005 01:56:31 pm" Message-ID: <200502080135.CAA00593@vulcan.xs4all.nl> Wesley Tabadore wrote: >How about for the asymmetric algorithms supported by GPG? The security of RSA and DH are linked: it has been proven that an attack faster than brute-forcing against one means the other can also be attacked faster than brute-forcing. Wether such an attack is possible at all seems to be an open question. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From texmex at uni.de Tue Feb 8 18:08:17 2005 From: texmex at uni.de (Gregor Zattler) Date: Tue Feb 8 18:05:01 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <000401c50b73$524f4b00$f300a8c0@HOME> References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> <000401c50b73$524f4b00$f300a8c0@HOME> Message-ID: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de> Hi Kiefer,, * Kiefer, Sascha [05. Feb. 2005]: > Hi. > Installing > http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1- > a5d6-dbfa18d37e0f&DisplayLang=en > may be helps. i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg --help" --> same problem. Ciao; gregor From hmujtaba at forumsys.com Tue Feb 8 19:53:15 2005 From: hmujtaba at forumsys.com (Hasnain Mujtaba) Date: Tue Feb 8 19:50:13 2005 Subject: Partial body length encoding for Compressed packets Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com> Hi David, There's food for thought in your comments. Sanity is very important to me. So, thanks. On a techincal level, I was only curious about this mixing and matching of partial body length headers and indeterminate encoding. I guess I will never know for sure why it is that way with 2.x, and perhaps 5.x. Cheers, Hasnain. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw Sent: Tuesday, February 08, 2005 11:35 AM To: gnupg-users@gnupg.org Subject: Re: Partial body length encoding for Compressed packets On Mon, Feb 07, 2005 at 05:09:49PM -0500, Hasnain Mujtaba wrote: > Hi David, > > I generated a PGP 2 style packet using GPG's --pgp2 option and tore it > apart to look inside its structure. I found that both the encrypted and > literal data packets are broken into RFC 2440 style partial body length > chunks. But, as you explained, the compressed packet was indeterminate > length encoded. > > I find this behavior perplexing. They made PGP 2 RFC2440 compliant only > for encrypted and literal packets. But why not for compressed packets as > well? PGP 2 isn't RFC-2440 compliant. PGP 2 dates from quite a few years before 2440 was even written. > Is this behavior found in PGP 5.x. PGP 6.x, and PGP 7.x as well, i.e RFC > 2440 chunking for literal & encrypted packets, but indeterminate for > compressed packets? Or will PGP 5.x and above, understand chunking for > all three packets? > > Not meaning to beat on a dead horse, but this forum is my only hope of > staying sane in a world of interoperability minefields. It won't work ;) Sane PGP interoperability requires knowing when to give up. For example, there are details between PGP 5 and 7 where you can support one or the other, but not both. To a certain extent, supporting bugs from old versions that have been replaced many times over is actually harmful. I know that some users have settled on one version of PGP and will continue to use that version until the sun goes nova, but given the choice between supporting that tiny minority of people, and the huge majority of people who are using something actually RFC compliant, I know where I'm going to spend my energy. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From dshaw at jabberwocky.com Tue Feb 8 19:59:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 8 19:56:37 2005 Subject: Partial body length encoding for Compressed packets In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com> References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B400@bstn-exch1.forumsys.com> Message-ID: <20050208185948.GE10858@jabberwocky.com> On Tue, Feb 08, 2005 at 01:53:15PM -0500, Hasnain Mujtaba wrote: > Hi David, > > There's food for thought in your comments. Sanity is very important to > me. So, thanks. > > On a techincal level, I was only curious about this mixing and matching > of partial body length headers and indeterminate encoding. I guess I > will never know for sure why it is that way with 2.x, and perhaps 5.x. It's historical. PGP 2.x came before the partial body length encoding existed, so that's why it doesn't support it at all. David From hmujtaba at forumsys.com Tue Feb 8 20:06:53 2005 From: hmujtaba at forumsys.com (Hasnain Mujtaba) Date: Tue Feb 8 20:03:32 2005 Subject: Partial body length encoding for Compressed packets Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com> But PGP2 does support partial body length encoding! Using the --pgp2 option when encrypting, I can see that GPG uses PBL encoding for both encrypted and literal data packets, but not for compressesd. I must be totally wacko, but I don't get it. Why would GPG generate PBL encoded packets for PGP2? -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw Sent: Tuesday, February 08, 2005 2:00 PM To: gnupg-users@gnupg.org Subject: Re: Partial body length encoding for Compressed packets On Tue, Feb 08, 2005 at 01:53:15PM -0500, Hasnain Mujtaba wrote: > Hi David, > > There's food for thought in your comments. Sanity is very important to > me. So, thanks. > > On a techincal level, I was only curious about this mixing and matching > of partial body length headers and indeterminate encoding. I guess I > will never know for sure why it is that way with 2.x, and perhaps 5.x. It's historical. PGP 2.x came before the partial body length encoding existed, so that's why it doesn't support it at all. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From dshaw at jabberwocky.com Tue Feb 8 20:12:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 8 20:09:41 2005 Subject: Partial body length encoding for Compressed packets In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com> References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B401@bstn-exch1.forumsys.com> Message-ID: <20050208191248.GF10858@jabberwocky.com> On Tue, Feb 08, 2005 at 02:06:53PM -0500, Hasnain Mujtaba wrote: > But PGP2 does support partial body length encoding! Using the --pgp2 > option when encrypting, I can see that GPG uses PBL encoding for both > encrypted and literal data packets, but not for compressesd. I must be > totally wacko, but I don't get it. Why would GPG generate PBL encoded > packets for PGP2? PGP2 does not support partial body length packets. GnuPG is forced to use PBL encoding if it does not know the length of a message (say, if you're encrypting stdin or something with no clear size). In that case, regardless of the --pgp2 flag, PGP2 will not be able to decrypt it. David From mconahan at iotest.org Tue Feb 8 20:16:34 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Tue Feb 8 20:12:42 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <41F67AD8.2000503@iotest.org> References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> Message-ID: <42091012.7080206@iotest.org> On second thought, is it possible to specify an unique "gpg.conf" file for each gpg session? If this could work, this would be a workaround...I wouldn't have to modify the GPGME source. If anybody has any ideas on how to specify a keyring/session using GPGME, please let me know. mconahan@iotest.org wrote: > I could see that your solution would work for an app with a single process, but I need to avoid process collision in my application. In short, I am using GPGME, and each process must have its own "--keyring" and "--secret-keyring". > I'm playing with the idea of modifying the GPGME source, or have my application use GPGME where supported (and use GnuPG directly otherwise...ugh). ...I'm hoping that GPGME will support me on what I need to do. > > > Michael > > > > John Clizbe wrote: > > mconahan@iotest.org wrote: > > > >>> Hi everyone, > >>> > >>> I was wondering if anyone had a clue on how to access the > --keyring GnuPG option via GnuPG ME? > >>> > > > Include it in gpg.conf? From my Win2k development box: > > no-default-keyring > keyring pubring.gpg > secret-keyring O:\GnuPG\secring.gpg > > > -- > John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet > Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 > "Be who you are and say what you feel because those who mind don't matter > and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From hmujtaba at forumsys.com Tue Feb 8 20:28:53 2005 From: hmujtaba at forumsys.com (Hasnain Mujtaba) Date: Tue Feb 8 20:25:57 2005 Subject: Partial body length encoding for Compressed packets Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64DC945D2@bstn-exch1.forumsys.com> That explains it! Thanks much. -----Original Message----- From: gnupg-users-bounces@gnupg.org [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Shaw Sent: Tuesday, February 08, 2005 2:13 PM To: gnupg-users@gnupg.org Subject: Re: Partial body length encoding for Compressed packets On Tue, Feb 08, 2005 at 02:06:53PM -0500, Hasnain Mujtaba wrote: > But PGP2 does support partial body length encoding! Using the --pgp2 > option when encrypting, I can see that GPG uses PBL encoding for both > encrypted and literal data packets, but not for compressesd. I must be > totally wacko, but I don't get it. Why would GPG generate PBL encoded > packets for PGP2? PGP2 does not support partial body length packets. GnuPG is forced to use PBL encoding if it does not know the length of a message (say, if you're encrypting stdin or something with no clear size). In that case, regardless of the --pgp2 flag, PGP2 will not be able to decrypt it. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From atom at smasher.org Tue Feb 8 20:51:21 2005 From: atom at smasher.org (Atom Smasher) Date: Tue Feb 8 20:46:54 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: <200502080135.CAA00593@vulcan.xs4all.nl> References: <200502080135.CAA00593@vulcan.xs4all.nl> Message-ID: <20050208195036.79982.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 8 Feb 2005, Johan Wevers wrote: > Wesley Tabadore wrote: > >> How about for the asymmetric algorithms supported by GPG? > > The security of RSA and DH are linked: it has been proven that an attack > faster than brute-forcing against one means the other can also be > attacked faster than brute-forcing. > > Wether such an attack is possible at all seems to be an open question. ====================== as i understand it a fast (polynomial time) attack against DH would necessarily apply to RSA, but a fast attack against RSA would not necessarily apply to DH. to clarify for anyone who doesn't know, elgamal is a variation of DH. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "To consider yourself an environmentalist and still eat meat is like saying you're a philanthropist who doesn't give to charity" -- Howard Lyman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCCRg/AAoJEAx/d+cTpVci8fAH/A9PJ7tGiGOgK1G0CSUIip4M vTKimkZjWh2QOoSfa2DPXihyhGJOL9rbS4UG7oA51VNZ3uFtm0divutahk+ZRS5C ShtugsBXB/JvJCV1xnHIapTcuORIoZfuXF9hgY8WBwHedfuQnFmk98UONIWn9AqQ 8jY28x4vd6Q/5ZEMew1Nnnl9PFH1sYnqt13ASKLHcddKQVLK9ZyrndIDvnMPnAEo AVeRPTBm9NiZwaQUoAtNfYf9QwPElmGpeiQCsUPwT2cLC4IpxShMeo41GvuT0dDd ZkhzL+Vzx1r1qHX77V1FHZDLj2p2sb+CaBKQuAhNh83fMk4GJosFuLbMG++rZbQ= =Dm9e -----END PGP SIGNATURE----- From atom at smasher.org Tue Feb 8 21:30:39 2005 From: atom at smasher.org (Atom Smasher) Date: Tue Feb 8 21:26:06 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <42091012.7080206@iotest.org> References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org> Message-ID: <20050208202953.8886.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 8 Feb 2005, mconahan@iotest.org wrote: > On second thought, is it possible to specify an unique "gpg.conf" file > for each gpg session? If this could work, this would be a > workaround...I wouldn't have to modify the GPGME source. If anybody has > any ideas on how to specify a keyring/session using GPGME, please let me > know. ========================= --options file Read options from file and do not try to read them from the default options file in the homedir (see --homedir). This option is ignored if used in an options file. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The capitalists owned everything in the world, and everyone else was their slave. They owned all the land, all the houses, all the factories, and all the money. If anyone disobeyed them they could throw him into prison, or they could take his job away and starve him to death. When any ordinary person spoke to a capitalist he had to cringe and bow to him, and take off his cap and address him as 'Sir'" -- George Orwell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCCSF0AAoJEAx/d+cTpVcimnMH/RcptKwDU7NIpt+SxBeGsU4V ZKk8xRUqFE0WX7LR7Yacbl8OgGX7W0PeTsjNgc2XRw/KtEQts3+GB+qW10WpVSEb WnRDlaZOhczgnFuCpMj5VWjodKxHK0nXU2FgGO4CISK5p/No679Vy8ycZsC4prxl sjCOYUZoVDVMPY55IycVc+Cx8KnosqGSINvGkfz+eF3jDdMYxFzr5EcrF3H4wupm vq1wJEo5+TnmCGkzduxABZdcQ4Ak1sXWVCB5mxw6k4rtExFUZy5Az2sXBFJ0JqaO n1EhhldeQXNZt2cSXjc23uVVc3DjlocVmIMv0bJ21p7YG/g3sXyHtKDxP6RdfnI= =bqVs -----END PGP SIGNATURE----- From JPClizbe at comcast.net Wed Feb 9 00:49:43 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Feb 9 00:49:09 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de> References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> <000401c50b73$524f4b00$f300a8c0@HOME> <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de> Message-ID: <42095017.5030203@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gregor Zattler wrote: > Hi Kiefer,, > * Kiefer, Sascha [05. Feb. 2005]: >> Hi. >> Installing >> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1- >> a5d6-dbfa18d37e0f&DisplayLang=en >> may be helps. > > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg > --help" --> same problem. Try '.\gpg --help' 'gpg --help' will search the PATH '.\gpg --help' looks in the current directory BTW, --version serves the same purpose without generating as much output and also has some helpful info - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org GingerBear Consluting PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCCVAVHQSsSmCNKhARAtKTAJ97SNcPkvKoULUdNMctHT/GDYsh1wCg81ci +4HFaKkyv53WzLvgeTt7OGk= =cdz6 -----END PGP SIGNATURE----- From wk at gnupg.org Wed Feb 9 08:49:03 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 9 08:45:47 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <42091012.7080206@iotest.org> (mconahan@iotest.org's message of "Tue, 08 Feb 2005 14:16:34 -0500") References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org> Message-ID: <87sm46yxzk.fsf@wheatstone.g10code.de> On Tue, 08 Feb 2005 14:16:34 -0500, mconahan@iotest org said: > On second thought, is it possible to specify an unique "gpg.conf" file > for each gpg session? If this could work, this would be a You won't be able to do that. With a future version you will be able to specify a home directory and thus also another gpg.conf: Noteworthy changes in version 1.1.0 (unreleased) ------------------------------------------------ * You can now configure the backend engine file name and home directory to be used, as default and per context. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gpgme_set_engine_info NEW gpgme_ctx_get_engine_info NEW gpgme_ctx_set_engine_info NEW ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Salam-Shalom, Werner From johanw at vulcan.xs4all.nl Wed Feb 9 11:38:50 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Feb 9 12:08:04 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <42095017.5030203@comcast.net> from John Clizbe at "Feb 8, 2005 05:49:43 pm" Message-ID: <200502091038.LAA02492@vulcan.xs4all.nl> John Clizbe wrote: >'.\gpg --help' looks in the current directory On windows, the current directory is always first in the path. You don't have to specify that explicitly as in Unix. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From mconahan at iotest.org Wed Feb 9 15:58:35 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Wed Feb 9 15:54:46 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <87sm46yxzk.fsf@wheatstone.g10code.de> References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org> <87sm46yxzk.fsf@wheatstone.g10code.de> Message-ID: <420A251B.6050406@iotest.org> Werner Koch wrote: >On Tue, 08 Feb 2005 14:16:34 -0500, mconahan@iotest org said: > > > >>On second thought, is it possible to specify an unique "gpg.conf" file >>for each gpg session? If this could work, this would be a >> >> > >You won't be able to do that. With a future version you will be able >to specify a home directory and thus also another gpg.conf: > >Noteworthy changes in version 1.1.0 (unreleased) >------------------------------------------------ > > * You can now configure the backend engine file name and home > directory to be used, as default and per context. > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >gpgme_set_engine_info NEW >gpgme_ctx_get_engine_info NEW >gpgme_ctx_set_engine_info NEW >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > > >Salam-Shalom, > > Werner > > > > Doh! Hmmm... For GPGME 'out of the box', is there a way to utilize the GnuPG options "--homedir", "--keyring", "--no-default-keyring", and "--secret-keyring" for a context (at a minmum I need the use of the latter three)? If there is not a way 'out of the box', where in the GPGME source would I have to add the above GnuPG arguments, in order to have them sent to GnuPG along with the rest of the arguments already specified in the context? Would it be the function "build_argv" in rungpg.c? From mike at mcarlson.net Wed Feb 9 16:21:34 2005 From: mike at mcarlson.net (Mike Carlson) Date: Wed Feb 9 17:04:22 2005 Subject: Importing Keys in Outlook/GPA Message-ID: <420A2A7E.1080808@mcarlson.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I use Thunderbird for my daily email needs but I do ocassionally use Outlook because of client requirements and I want to use the key that I generated under Enigmail/GnuPG/Thunderbird in Outlook with GPA (GnuPG-Plugin). I tried using the Import feature of GPA but it doesnt seem to recognize the file I am trying to import. I tried the pub/sec key I exported out of EnigMail and I tried the secring.gpg and pubring.gpg files, none of which worked. Can I import the key I generated earlier into Outlook or do I have to create a new one? Thanks, - --Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFCCip++MpGcpt053MRAtWMAKCrp/k9u3Si1qHsuZaXHl4Ivuzf+QCePeSa ZHpM01NvRsF7bmsdlhEySrA= =p/gW -----END PGP SIGNATURE----- From texmex at uni.de Wed Feb 9 17:49:50 2005 From: texmex at uni.de (Gregor Zattler) Date: Wed Feb 9 17:46:42 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <42095017.5030203@comcast.net> References: <20050204164756.GA16960@pit.ID-43118.user.dfncis.de> <000401c50b73$524f4b00$f300a8c0@HOME> <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de> <42095017.5030203@comcast.net> Message-ID: <20050209164950.GG17209@pit.ID-43118.user.dfncis.de> Hi John, * John Clizbe [08. Feb. 2005]: > Gregor Zattler wrote: > > * Kiefer, Sascha [05. Feb. 2005]: > >> Hi. > >> Installing > >> http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9-48f1- > >> a5d6-dbfa18d37e0f&DisplayLang=en > >> may be helps. > > > > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg > > --help" --> same problem. > > Try '.\gpg --help' > > 'gpg --help' will search the PATH > > '.\gpg --help' looks in the current directory > > BTW, --version serves the same purpose without generating as much output > and also has some helpful info Did it: same problem. Gregor From abien at nbmc.de Wed Feb 9 17:37:35 2005 From: abien at nbmc.de (Alexander Bien) Date: Wed Feb 9 18:34:52 2005 Subject: gnupg windows, per user homedir on a terminal server Message-ID: <420A3C4F.4000604@nbmc.de> hello folks, i am trying to install gnupg for windows in a terminal server (2003) env with multiple users. My idea is to have one installation of the binarys, but allow each user to have his/her own keyring in theyr userdir. I understand gnupg support the homedir variable for this purpose: [HKEY_LOCAL_MACHINE\Software\GNU\GNUPG] "HomeDir"="C:\\GnuPG" "gpgProgram"="C:\\GnuPG\\gpg.exe" I tried to set homedir to the folowing value "C:\Documents and Settings\%user%\gnupg\" tests showd me that a fresh set of keyrings is no longer installed to c:\gnupg\, but neither is it installed to the userdir.. it seems its not picking up that setting correctly. or i am simply not providing it in the correct manner. :( What is the suggested procedure to use gnupg in a multi-user env based on Windows? best regards Alex From sk at intertivity.com Wed Feb 9 19:25:03 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 9 19:21:07 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <20050209164950.GG17209@pit.ID-43118.user.dfncis.de> Message-ID: <000001c50ed4$acb90770$f300a8c0@HOME> Do me a favour and send me your shell32.dll > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler > Sent: Mittwoch, 9. Februar 2005 17:50 > To: gnupg-users > Subject: Re: didn't help either (was: Re: it's not a PATH problem ) > > > Hi John, > * John Clizbe [08. Feb. 2005]: > > Gregor Zattler wrote: > > > * Kiefer, Sascha [05. Feb. 2005]: > > >> Hi. > > >> Installing > > >> > http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-0 > > >> 7e9-48f1- > > >> a5d6-dbfa18d37e0f&DisplayLang=en > > >> may be helps. > > > > > > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did "gpg > > > --help" --> same problem. > > > > Try '.\gpg --help' > > > > 'gpg --help' will search the PATH > > > > '.\gpg --help' looks in the current directory > > > > BTW, --version serves the same purpose without generating as much > > output and also has some helpful info > > Did it: same problem. > > Gregor > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jharris at widomaker.com Wed Feb 9 20:33:19 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 9 20:29:40 2005 Subject: GD doesn't always accept revocations Message-ID: <20050209193319.GK3466@wilma.widomaker.com> It seems the GD doesn't always accept revocations for keys it stores: %gpg --keyserver keyserver.kjsl.com --recv 3EA5F9EF [snip] %gpg --check-sigs 3EA5F9EF pub 1024D/3EA5F9EF 2004-12-13 [revoked: 2005-02-06] rev! 3EA5F9EF 2005-02-06 Tobias Braunschober <[elided]> uid Tobias Braunschober <> sig!3 3EA5F9EF 2005-02-06 Tobias Braunschober <> sig!3 3EA5F9EF 2004-12-13 Tobias Braunschober <> sig! CA57AD7C 2005-02-05 PGP Global Directory Verification Key 1 signature not checked due to a missing key %gpg --keyserver ldap://keyserver-beta.pgp.com --send-key 3EA5F9EF gpg: sending key 3EA5F9EF to ldap server keyserver-beta.pgp.com Host: keyserver-beta.pgp.com Command: SEND Server: PGP Universal Server Version: 2.0.0 (Build 1014) %gpg --delete-key 3EA5F9EF [snip] %gpg --keyserver ldap://keyserver-beta.pgp.com --recv 3EA5F9EF gpg: requesting key 3EA5F9EF from ldap server keyserver-beta.pgp.com Host: keyserver-beta.pgp.com Command: GET Server: PGP Universal Server Version: 2.0.0 (Build 1014) gpgkeys: LDAP fetch for: (pgpkeyid=3EA5F9EF) gpg: key 3EA5F9EF: public key "Tobias Braunschober <>" imported gpg: Total number processed: 1 gpg: imported: 1 Note that the key is returned from keyserver-beta.pgp.com _without its revocation_: %gpg --check-sigs 3EA5F9EF pub 1024D/3EA5F9EF 2004-12-13 uid Tobias Braunschober <> sig!3 3EA5F9EF 2004-12-13 Tobias Braunschober <> sig! CA57AD7C 2005-02-05 PGP Global Directory Verification Key sub 2048g/2AB8AB81 2004-12-13 sig! 3EA5F9EF 2004-12-13 Tobias Braunschober <> 1 signature not checked due to a missing key -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/a12516e6/attachment.pgp From dshaw at jabberwocky.com Wed Feb 9 20:53:58 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 20:50:51 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209193319.GK3466@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> Message-ID: <20050209195358.GE13201@jabberwocky.com> On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote: > > It seems the GD doesn't always accept revocations for keys it stores: > %gpg --keyserver keyserver.kjsl.com --recv 3EA5F9EF > %gpg --keyserver ldap://keyserver-beta.pgp.com --send-key 3EA5F9EF > %gpg --delete-key 3EA5F9EF > %gpg --keyserver ldap://keyserver-beta.pgp.com --recv 3EA5F9EF > Note that the key is returned from keyserver-beta.pgp.com > _without its revocation_: https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html : Can I post a revoked key to the PGP Global Directory? No. The PGP Global Directory includes many features to prevent it from being filled with unusable keys. One of these features is that the directory does not support revoked keys. Instead of revoking your key, simply remove it from the directory. In short, it's a feature. I'm not sure I completely like that feature, but nevertheless, the GD is operating as intended. David From jharris at widomaker.com Wed Feb 9 21:01:11 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 9 20:57:22 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209195358.GE13201@jabberwocky.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> Message-ID: <20050209200111.GA42975@wilma.widomaker.com> On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote: > On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote: > > It seems the GD doesn't always accept revocations for keys it stores: > > Note that the key is returned from keyserver-beta.pgp.com > > _without its revocation_: > > https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html : > > Can I post a revoked key to the PGP Global Directory? > > No. The PGP Global Directory includes many features to prevent it > from being filled with unusable keys. One of these features is that > the directory does not support revoked keys. Instead of revoking > your key, simply remove it from the directory. > > In short, it's a feature. I'm not sure I completely like that > feature, but nevertheless, the GD is operating as intended. Revoked keys are supposed to be _removed_ from the GD, period. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/5bf2fd7a/attachment-0001.pgp From dshaw at jabberwocky.com Wed Feb 9 21:07:58 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 21:04:49 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209200111.GA42975@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> Message-ID: <20050209200758.GA13550@jabberwocky.com> On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote: > On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote: > > On Wed, Feb 09, 2005 at 02:33:19PM -0500, Jason Harris wrote: > > > > It seems the GD doesn't always accept revocations for keys it stores: > > > > Note that the key is returned from keyserver-beta.pgp.com > > > _without its revocation_: > > > > https://keyserver-beta.pgp.com/vkd/VKDHelpPGPCom.html : > > > > Can I post a revoked key to the PGP Global Directory? > > > > No. The PGP Global Directory includes many features to prevent it > > from being filled with unusable keys. One of these features is that > > the directory does not support revoked keys. Instead of revoking > > your key, simply remove it from the directory. > > > > In short, it's a feature. I'm not sure I completely like that > > feature, but nevertheless, the GD is operating as intended. > > Revoked keys are supposed to be _removed_ from the GD, period. Supposed to by whose say-so? Period or what? I'll repeat the quote from the GD: Can I post a revoked key to the PGP Global Directory? No. The PGP Global Directory includes many features to prevent it from being filled with unusable keys. One of these features is that the directory does not support revoked keys. Instead of revoking your key, simply remove it from the directory. They don't do it. They even document their not doing it. You might suggest it to them as a feature, but they don't do it now. I'm not saying I think this is optimal behavior, but the documentation is pretty clear on this point. David From sk at intertivity.com Wed Feb 9 21:22:15 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 9 21:18:20 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <20050208170817.GJ21898@pit.ID-43118.user.dfncis.de> Message-ID: <001a01c50ee5$0bc92b40$f300a8c0@HOME> Well, i just checked his shell32.dll and it seems that that function SHGetFolderPathA is really not in there. Why is this function needed anyway? > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Gregor Zattler > Sent: Dienstag, 8. Februar 2005 18:08 > To: gnupg-users > Subject: didn't help either (was: Re: it's not a PATH problem ) > > > Hi Kiefer,, > * Kiefer, Sascha [05. Feb. 2005]: > > Hi. > > Installing > > > http://www.microsoft.com/downloads/details.aspx?FamilyID=6ae02498-07e9 > > -48f1- > > a5d6-dbfa18d37e0f&DisplayLang=en > > may be helps. > > i installed it, rebooted, cd'ed to \Programme\GNU\GnuPG, did > "gpg --help" --> same problem. > > Ciao; gregor > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jharris at widomaker.com Wed Feb 9 21:26:19 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 9 21:22:29 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209200111.GA42975@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> Message-ID: <20050209202618.GL3466@wilma.widomaker.com> On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote: > On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote: > > In short, it's a feature. I'm not sure I completely like that > > feature, but nevertheless, the GD is operating as intended. > > Revoked keys are supposed to be _removed_ from the GD, period. [self-reply] Correction: Revoked keys _should be_ _removed_ from the GD, period, in keeping with its stated goals. Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com will incorrectly serve the unrevoked version of the key for the next 6 months. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/191980d0/attachment.pgp From dshaw at jabberwocky.com Wed Feb 9 21:32:57 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 21:29:35 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209202618.GL3466@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> Message-ID: <20050209203257.GB13550@jabberwocky.com> On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote: > On Wed, Feb 09, 2005 at 03:01:11PM -0500, Jason Harris wrote: > > On Wed, Feb 09, 2005 at 02:53:58PM -0500, David Shaw wrote: > > > > In short, it's a feature. I'm not sure I completely like that > > > feature, but nevertheless, the GD is operating as intended. > > > > Revoked keys are supposed to be _removed_ from the GD, period. > > [self-reply] > > Correction: Revoked keys _should be_ _removed_ from the GD, period, > in keeping with its stated goals. > > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF > on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com > will incorrectly serve the unrevoked version of the key for the next > 6 months. Yes. I don't think this is the best design. I understand the desire to keep revoked keys off of the GD, but it's not clear what to do in this case (an unrevoked key on the GD is suddenly revoked). Drop the key immediately? Accept the revocation and then drop the key after some time has gone by? I rather like the idea of accepting the revocation, and then immediately causing the key to need to be reverified by the user (as if their 6 month time on the GD was up). This way the user knows what happened, and doing nothing causes the key to fall out of the GD. David From adam00f at ducksburg.com Wed Feb 9 21:45:54 2005 From: adam00f at ducksburg.com (Adam Funk) Date: Wed Feb 9 21:42:04 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied Message-ID: <200502092045.54635.adam00f@ducksburg.com> I compiled and installed GnuPG 1.4.0. Everything works except interaction with keyservers. When I use --send-key, --recv-key or --refresh, it always fails thus: $ gpg -v --recv-key F09BDAD5 gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu gpg: unable to execute program `gpgkeys_hkp': Permission denied gpg: keyserver internal error gpg: keyserver receive failed: keyserver error How do I fix this? Thanks, Adam From adam00f at ducksburg.com Wed Feb 9 21:58:03 2005 From: adam00f at ducksburg.com (Adam Funk) Date: Wed Feb 9 21:54:13 2005 Subject: Are all the UIDs on a key supposed to be equal? Message-ID: <200502092058.04060.adam00f@ducksburg.com> Erwan David: > You can also revoke uids on your key; which indicates juste a > change of address, but you keep being the same person. If you look > at my key (0xF7001FC7 on public servers), you see it bears > following Ids: I added a UID, revoked another UID, and changed the primary UID, then the key to the MIT keyserver. The keyserver's verbose listing includes the new UID but doesn't indicate the revocation. Is that normal? From swright at physics.adelaide.edu.au Wed Feb 9 22:01:31 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Wed Feb 9 21:58:11 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <200502092045.54635.adam00f@ducksburg.com> References: <200502092045.54635.adam00f@ducksburg.com> Message-ID: <20050209210131.GE13440@anl.gov> G'day Adam, * Adam Funk [050209 14:52]: > I compiled and installed GnuPG 1.4.0. Everything works except interaction > with keyservers. When I use --send-key, --recv-key or --refresh, it > always fails thus: > > $ gpg -v --recv-key F09BDAD5 > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu > gpg: unable to execute program `gpgkeys_hkp': Permission denied > gpg: keyserver internal error > gpg: keyserver receive failed: keyserver error > > How do I fix this? I had the same problem. For some reason GnuPG wants these gpgkey_* files in /usr/libexec/gnupg/, but they are installed in /usr/libexec Just symlink them (*) and then submit a bug report - I was and still am too lazy to do it myself. Cheers, S. (*) For completeness something like this should work... cd /usr/libexec/gnupg/ ln -s ../gpgkey_* -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050209/696b2ebf/attachment.pgp From jharris at widomaker.com Wed Feb 9 22:14:51 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 9 22:11:03 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209203257.GB13550@jabberwocky.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> <20050209203257.GB13550@jabberwocky.com> Message-ID: <20050209211450.GM3466@wilma.widomaker.com> On Wed, Feb 09, 2005 at 03:32:57PM -0500, David Shaw wrote: > On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote: > > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF > > on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com > > will incorrectly serve the unrevoked version of the key for the next > > 6 months. > > Yes. I don't think this is the best design. I understand the desire > to keep revoked keys off of the GD, but it's not clear what to do in > this case (an unrevoked key on the GD is suddenly revoked). It needs only to verify the revocation and remove the key immediately. > Drop the key immediately? Accept the revocation and then drop the key > after some time has gone by? I rather like the idea of accepting the > revocation, and then immediately causing the key to need to be > reverified by the user (as if their 6 month time on the GD was up). > This way the user knows what happened, and doing nothing causes the > key to fall out of the GD. The key was revoked by the keyholder, so it cannot be re-added to the GD unless its revocation certificate is removed. This is very simple to do with a tool like gpgsplit, and is therefore an easy attack to perpetrate against the GD and keyholders of revoked keys. (I classify it as an attack because it gets the GD to send confirmation emails for "useless" keys, anyone answering the unencrypted challenges causes the GD to store "useless" keys, etc.) This also applies to expired (v4) keys, as long as at least one (earlier) selfsig didn't expire the key. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/fcd1584e/attachment.pgp From dshaw at jabberwocky.com Wed Feb 9 22:18:32 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 22:15:14 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <20050209210131.GE13440@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> Message-ID: <20050209211832.GD13550@jabberwocky.com> On Wed, Feb 09, 2005 at 03:01:31PM -0600, Stewart V. Wright wrote: > G'day Adam, > > * Adam Funk [050209 14:52]: > > I compiled and installed GnuPG 1.4.0. Everything works except interaction > > with keyservers. When I use --send-key, --recv-key or --refresh, it > > always fails thus: > > > > $ gpg -v --recv-key F09BDAD5 > > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu > > gpg: unable to execute program `gpgkeys_hkp': Permission denied > > gpg: keyserver internal error > > gpg: keyserver receive failed: keyserver error > > > > How do I fix this? > > I had the same problem. For some reason GnuPG wants these gpgkey_* > files in /usr/libexec/gnupg/, but they are installed in /usr/libexec > > Just symlink them (*) and then submit a bug report - I was and still > am too lazy to do it myself. If you don't mention bugs, they can never be fixed. What configure command line did you use originally? Did you use --prefix or something similar? David From torduninja at mail.pf Wed Feb 9 22:20:23 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Wed Feb 9 22:21:52 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) Message-ID: <420A7E97.2070907@mail.pf> Gregor Zattler wrote: >> Try '.\gpg --help' >> >> 'gpg --help' will search the PATH >> >> '.\gpg --help' looks in the current directory >> >> BTW, --version serves the same purpose without generating as much output >> and also has some helpful info > Did it: same problem. The reason for your problem is that under w'98 the SHGetFolderPath is found in shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this particularity. The issue has been reported on the gnupg-devel list: http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2 Salut Maxine -- OpenPGP keys: http://www.torduninja.tk From dshaw at jabberwocky.com Wed Feb 9 22:25:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 22:22:30 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209211450.GM3466@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> <20050209203257.GB13550@jabberwocky.com> <20050209211450.GM3466@wilma.widomaker.com> Message-ID: <20050209212548.GE13550@jabberwocky.com> On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote: > On Wed, Feb 09, 2005 at 03:32:57PM -0500, David Shaw wrote: > > On Wed, Feb 09, 2005 at 03:26:19PM -0500, Jason Harris wrote: > > > > Obviously, the keyholder didn't heed the FAQ and has left 0x3EA5F9EF > > > on the GD. Unless this is corrected, ldap://keyserver-beta.pgp.com > > > will incorrectly serve the unrevoked version of the key for the next > > > 6 months. > > > > Yes. I don't think this is the best design. I understand the desire > > to keep revoked keys off of the GD, but it's not clear what to do in > > this case (an unrevoked key on the GD is suddenly revoked). > > It needs only to verify the revocation and remove the key immediately. Well, that's one possible answer. Why don't you suggest it to the GD people? > The key was revoked by the keyholder, so it cannot be re-added to the > GD unless its revocation certificate is removed. This is very simple > to do with a tool like gpgsplit, and is therefore an easy attack to > perpetrate against the GD and keyholders of revoked keys. (I classify > it as an attack because it gets the GD to send confirmation emails for > "useless" keys, anyone answering the unencrypted challenges causes the > GD to store "useless" keys, etc.) > > This also applies to expired (v4) keys, as long as at least one (earlier) > selfsig didn't expire the key. Why go through a lot of bother to find an expired or revoked key which you then manipulate into being acceptable? Just make a brand new key with your victim's email address and submit that. It's the same result. David From dshaw at jabberwocky.com Wed Feb 9 22:42:58 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 22:39:38 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: <200502092058.04060.adam00f@ducksburg.com> References: <200502092058.04060.adam00f@ducksburg.com> Message-ID: <20050209214258.GF13550@jabberwocky.com> On Wed, Feb 09, 2005 at 08:58:03PM +0000, Adam Funk wrote: > Erwan David: > > > You can also revoke uids on your key; which indicates juste a > > change of address, but you keep being the same person. If you look > > at my key (0xF7001FC7 on public servers), you see it bears > > following Ids: > > I added a UID, revoked another UID, and changed the primary UID, then the > key to the MIT keyserver. The keyserver's verbose listing includes the > new UID but doesn't indicate the revocation. Is that normal? I don't think the MIT keyserver shows revoked UIDs as being revoked. David From swright at physics.adelaide.edu.au Wed Feb 9 22:48:34 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Wed Feb 9 22:45:15 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <20050209211832.GD13550@jabberwocky.com> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> Message-ID: <20050209214834.GF13440@anl.gov> G'day David, * David Shaw [050209 15:27]: > If you don't mention bugs, they can never be fixed. Mea culpa. > What configure command line did you use originally? Did you use > --prefix or something similar? I'm not sure what Adam did, but I just used the included .spec file to create an rpm and installed that. Oh, the .spec file is faulty too with regards installing the info pages - and I know I reported that for 1.2.6: http://marc.theaimsgroup.com/?l=gnupg-devel&m=109354656722315&w=2 Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050209/66b65138/attachment.pgp From jharris at widomaker.com Wed Feb 9 23:38:46 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 9 23:35:19 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209212548.GE13550@jabberwocky.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> <20050209203257.GB13550@jabberwocky.com> <20050209211450.GM3466@wilma.widomaker.com> <20050209212548.GE13550@jabberwocky.com> Message-ID: <20050209223846.GN3466@wilma.widomaker.com> On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote: > On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote: > > It needs only to verify the revocation and remove the key immediately. > > Well, that's one possible answer. Why don't you suggest it to the GD > people? If this isn't already self-evident to them... > Why go through a lot of bother to find an expired or revoked key which > you then manipulate into being acceptable? Just make a brand new key > with your victim's email address and submit that. It's the same > result. For one thing, anyone who followed the GD FAQ and simply removed a key from the GD without revoking it in their own keyring may be duped into confirming the fingerprint of a key they once used and probably still have. The key may or may not be expired, but their encryption client definitely can't heed a revocation that was never generated. For another, why waste good bytes out of /dev/random? Besides, the game is mostly over if the victim must first import a totally unknown key. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/a1dd93d7/attachment.pgp From gpg at jason.markley.name Wed Feb 9 23:45:24 2005 From: gpg at jason.markley.name (Jason Markley) Date: Wed Feb 9 23:42:20 2005 Subject: revoking a UID Message-ID: <420A9284.9070104@jason.markley.name> When one revokes a UID to effectivly change addresses, how does that affect the signatures that were on the key? In other words... 1. Generate a key with uid1. 2. Get this key signed by your friends, etc. 3. Generate a new uid, uid2. 4. revoke the old uid, uid1. Will your friends that signed your key origionally still see your key as valid? Will they have to sign the new uid in order to have your key be valid again? What are the security implications of having your friends still see your key as valid when you've revoked the uid that they signed? Thoughts are much appreciated. -Jason From JPClizbe at comcast.net Wed Feb 9 23:47:00 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Feb 9 23:43:46 2005 Subject: gnupg windows, per user homedir on a terminal server In-Reply-To: <420A3C4F.4000604@nbmc.de> References: <420A3C4F.4000604@nbmc.de> Message-ID: <420A92E4.2010603@comcast.net> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 434 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050209/3720988f/signature-0001.pgp From dshaw at jabberwocky.com Wed Feb 9 23:53:47 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 9 23:50:30 2005 Subject: revoking a UID In-Reply-To: <420A9284.9070104@jason.markley.name> References: <420A9284.9070104@jason.markley.name> Message-ID: <20050209225347.GH13550@jabberwocky.com> On Wed, Feb 09, 2005 at 05:45:24PM -0500, Jason Markley wrote: > When one revokes a UID to effectivly change addresses, how does that > affect the signatures that were on the key? > > > In other words... > > 1. Generate a key with uid1. > 2. Get this key signed by your friends, etc. > 3. Generate a new uid, uid2. > 4. revoke the old uid, uid1. > > Will your friends that signed your key origionally still see your key as > valid? No. > Will they have to sign the new uid in order to have your key be > valid again? Yes. > What are the security implications of having your friends still see > your key as valid when you've revoked the uid that they signed? None, since it doesn't happen ;) What people generally call "signing a key" is really "signing a key+uid". If you revoke a uid, then those signatures are no longer meaningful. David From JPClizbe at comcast.net Thu Feb 10 00:25:53 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Feb 10 00:22:45 2005 Subject: gnupg windows, per user homedir on a terminal server In-Reply-To: <420A92E4.2010603@comcast.net> References: <420A3C4F.4000604@nbmc.de> <420A92E4.2010603@comcast.net> Message-ID: <420A9C01.1080906@comcast.net> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 434 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050209/4ec221b8/signature.pgp From dshaw at jabberwocky.com Thu Feb 10 00:29:28 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 10 00:26:19 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209223846.GN3466@wilma.widomaker.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> <20050209203257.GB13550@jabberwocky.com> <20050209211450.GM3466@wilma.widomaker.com> <20050209212548.GE13550@jabberwocky.com> <20050209223846.GN3466@wilma.widomaker.com> Message-ID: <20050209232928.GI13550@jabberwocky.com> On Wed, Feb 09, 2005 at 05:38:46PM -0500, Jason Harris wrote: > On Wed, Feb 09, 2005 at 04:25:48PM -0500, David Shaw wrote: > > On Wed, Feb 09, 2005 at 04:14:51PM -0500, Jason Harris wrote: > > > > It needs only to verify the revocation and remove the key immediately. > > > > Well, that's one possible answer. Why don't you suggest it to the GD > > people? > > If this isn't already self-evident to them... Maybe it is, and maybe it isn't. If you just want to complain, then I guess you're all set. If you want something actually fixed you should tell them. > > Why go through a lot of bother to find an expired or revoked key which > > you then manipulate into being acceptable? Just make a brand new key > > with your victim's email address and submit that. It's the same > > result. > > For one thing, anyone who followed the GD FAQ and simply removed a key > from the GD without revoking it in their own keyring may be duped into > confirming the fingerprint of a key they once used and probably still > have. The key may or may not be expired, but their encryption client > definitely can't heed a revocation that was never generated. That sounds like a lot of 'ifs' to me. Sure, if you can dupe them into doing something stupid, and if that key had been revoked before, and if they then removed it from the GD, and if they had forgotten they had done so, then maybe you have an attack? It's always possible to come up with an attack if you get to use enough 'ifs'. David From JPClizbe at comcast.net Thu Feb 10 00:32:04 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Thu Feb 10 00:29:00 2005 Subject: gnupg windows, per user homedir on a terminal server In-Reply-To: <420A9C01.1080906@comcast.net> References: <420A3C4F.4000604@nbmc.de> <420A92E4.2010603@comcast.net> <420A9C01.1080906@comcast.net> Message-ID: <420A9D74.1090601@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Clizbe wrote: > John Clizbe wrote: >> Alexander Bien wrote: >>> hello folks, > > Let's try that attachment one more time. Sorry, PGP/MIME is base-64 encoding the text file. Should've just pasted it in to begin with. Time to go for a walk +++++ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\GNU\GNUPG] "gpgProgram"="C:\\Program Files\\Gnu\\GnuPG\\gpg.exe" "HomeDir"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,5c,00,\ 47,00,6e,00,75,00,50,00,47,00,00,00 "Install Directory"="C:\\Program Files\\GNU\\GnuPG" +++++ - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCCp1zHQSsSmCNKhARAqrXAKC4ZPBODYtWTheSqUYE66278E1rDgCeID4u WxG3og4zhbRCkQ6v/9A11as= =aNkF -----END PGP SIGNATURE----- From jharris at widomaker.com Thu Feb 10 02:25:42 2005 From: jharris at widomaker.com (Jason Harris) Date: Thu Feb 10 02:21:59 2005 Subject: GD doesn't always accept revocations In-Reply-To: <20050209232928.GI13550@jabberwocky.com> References: <20050209193319.GK3466@wilma.widomaker.com> <20050209195358.GE13201@jabberwocky.com> <20050209200111.GA42975@wilma.widomaker.com> <20050209202618.GL3466@wilma.widomaker.com> <20050209203257.GB13550@jabberwocky.com> <20050209211450.GM3466@wilma.widomaker.com> <20050209212548.GE13550@jabberwocky.com> <20050209223846.GN3466@wilma.widomaker.com> <20050209232928.GI13550@jabberwocky.com> Message-ID: <20050210012542.GP3466@wilma.widomaker.com> On Wed, Feb 09, 2005 at 06:29:28PM -0500, David Shaw wrote: > On Wed, Feb 09, 2005 at 05:38:46PM -0500, Jason Harris wrote: > > If this isn't already self-evident to them... > > Maybe it is, and maybe it isn't. If you just want to complain, then I > guess you're all set. If you want something actually fixed you should > tell them. I wasn't complaining. I had a valid question about why the GD wasn't accepting a 0x20 signature and we had a productive conversation about it. I think this particular keyholder DTRT by sending their revoked key to a keyserver that would accept it, and I hope more people read this thread and come to the same conclusion. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050209/dd7e66ac/attachment.pgp From dshaw at jabberwocky.com Thu Feb 10 04:36:06 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 10 04:32:56 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <20050209214834.GF13440@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> Message-ID: <20050210033606.GC13965@jabberwocky.com> On Wed, Feb 09, 2005 at 03:48:34PM -0600, Stewart V. Wright wrote: > G'day David, > > * David Shaw [050209 15:27]: > > If you don't mention bugs, they can never be fixed. > > Mea culpa. > > > > What configure command line did you use originally? Did you use > > --prefix or something similar? > > I'm not sure what Adam did, but I just used the included .spec file to > create an rpm and installed that. > > Oh, the .spec file is faulty too with regards installing the info > pages - and I know I reported that for 1.2.6: > > http://marc.theaimsgroup.com/?l=gnupg-devel&m=109354656722315&w=2 Try this spec file. If it works for you, I'll put it in 1.4.1. It works ok on a FC3 box here. David -------------- next part -------------- # # gnupg -- gnu privacy guard # This is a template. The dist target uses it to create the real file. # %define version 1.4.1rc1 %define name gnupg Summary: GNU Utility for data encryption and digital signatures Summary(it): Utility GNU per la sicurezza nelle comunicazioni e nell'archiviazione dei dati. Summary(cs): GNU n?stroj pro ?ifrovanou komunikaci a bezpe?n? ukl?d?n? dat Summary(fr): Utilitaire GNU de chiffrement et d'authentification des communications et des donn?es Summary(pl): Narzedzie GNU do szyfrowania i podpisywania danych Vendor: GNU Privacy Guard Project Name: %{name} Version: %{version} Release: 1 Copyright: GPL Group: Applications/Cryptography Group(cs): Aplikace/?ifrov?n? Group(fr): Applications/Cryptographie Group(it): Applicazioni/Crittografia Source: ftp://ftp.gnupg.org/gcrypt/gnupg/%{name}-%{version}.tar.gz URL: http://www.gnupg.org/ Provides: gpg openpgp Requires(post,preun): /sbin/install-info BuildRoot: %{_tmppath}/rpmbuild_%{name}-%{version} %changelog * Wed Jul 30 2003 David Shaw - Rework much of the spec to use %-macros throughout. - Fix to work properly with RPM 4.1 (all files in buildroot must be packaged) - Package and install info files. - Tweak the English description. - There is no need to install gpgv and gpgsplit setuid root. * Sat Nov 30 2002 David Shaw - Add convert-from-106 script * Sat Oct 26 2002 David Shaw - Use new path for keyserver helpers. - /usr/lib is no longer used for cipher/hash plugins. - Include gpgv, gpgsplit, and the new gnupg.7 man page. * Fri Apr 19 2002 David Shaw - Removed OPTIONS and pubring.asc - no longer used - Added doc/samplekeys.asc * Sun Mar 31 2002 David Shaw - Added the gpgkeys_xxx keyserver helpers. - Added a * to catch variations on the basic gpg man page (gpg, gpgv). - Mark options.skel as a config file. - Do not include the FAQ/faq.html twice (in /doc/ and /share/). * Wed Sep 06 2000 Fabio Coatti - Added Polish description and summary (Kindly provided by Lukasz Stelmach ) * Thu Jul 13 2000 Fabio Coatti - Added a * to catch all formats for man pages (plain, gz, bz2...) * Mon May 01 2000 Fabio Coatti - Some corrections in French description, thanks to Ga?l Qu?ri ; Some corrections to Italian descriptions. * Tue Apr 25 2000 Fabio Coatti - Removed the no longer needed patch for man page by Keith Owens * Wed Mar 1 2000 Petr Kri?tof - Czech descriptions added; some fixes and updates. * Sat Jan 15 2000 Keith Owens - Add missing man page as separate patch instead of updating the tar file. * Mon Dec 27 1999 Fabio Coatti - Upgraded for 1.0.1 (added missing gpg.1 man page) * Sat May 29 1999 Fabio Coatti - Some corrections in French description, thanks to Ga?l Qu?ri * Mon May 17 1999 Fabio Coatti - Added French description, provided by Christophe Labouisse * Thu May 06 1999 Fabio Coatti - Upgraded for 0.9.6 (removed gpgm) * Tue Jan 12 1999 Fabio Coatti - LINGUAS variable is now unset in configure to ensure that all languages will be built. (Thanks to Luca Olivetti ) * Sat Jan 02 1999 Fabio Coatti - Added pl language file. - Included g10/pubring.asc in documentation files. * Sat Dec 19 1998 Fabio Coatti - Modified the spec file provided by Caskey L. Dickson - Now it can be built also by non-root. Installation has to be done as root, gpg is suid. - Added some changes by Ross Golder - Updates for version 0.4.5 of GnuPG (.mo files) %description GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC-2440. Since GnuPG doesn't use any patented algorithms, it is not compatible with some versions of PGP 2 which use only the patented IDEA algorithm. See http://www.gnupg.org/why-not-idea.html for information on using IDEA if the patent does not apply to you and you need to be compatible with these versions of PGP 2. %description -l it GnuPG (GNU Privacy Guard) ? una utility GNU per la cifratura di dati e la creazione di firme digitali. Possiede una gestione avanzata delle chiavi ed ? conforme allo standard Internet OpenPGP, descritto nella RFC 2440. Non utilizzando algoritmi brevettati, non ? compatibile con PGP2 (PGP2.x usa solo IDEA, coperto da brevetto mondiale, ed RSA, brevettato negli USA con scadenza 20/09/2000). Questi algoritmi sono utilizzabili da GnuPG tramite moduli esterni. %description -l fr GnuPG est un utilitaire GNU destin? ? chiffrer des donn?es et ? cr?er des signatures ?lectroniques. Il a des capacit?s avanc?es de gestion de cl?s et il est conforme ? la norme propos?e OpenPGP d?crite dans la RFC2440. Comme GnuPG n'utilise pas d'algorithme brevet?, il n'est compatible avec aucune version de PGP2 (PGP2.x ne sait utiliser que l'IDEA brevet? dans le monde entier et RSA, brevet? aux ?tats-Unis jusqu'au 20 septembre 2000). %description -l cs GnuPG je GNU n?stroj pro bezpe?nou komunikaci a ukl?d?n? dat. M??e b?t pou?it na ?ifrov?n? dat a vytv??en? digit?ln?ch podpis?. Obsahuje funkce pro pokro?ilou spr?vu kl??? a vyhovuje navrhovan?mu OpenPGP Internet standardu podle RFC2440. Byl vytvo?en jako kompletn? n?hrada za PGP. Proto?e neobsahuje ?ifrovac? algoritmy IDEA nebo RSA, m??e b?t pou??v?n bez omezen?. Proto?e GnuPG nepou??v? ??dn? patentovan? algoritmus, nem??e b?t ?pln? kompatibiln? s PGP verze 2. PGP 2.x pou??v? algoritmy IDEA (patentov?no celosv?tov?) a RSA (patentov?no ve Spojen?ch st?tech do 20. z??? 2000). Tyto algoritmy lze zav?st do GnuPG pomoc? extern?ch modul?. %description -l pl GnuPG (GNU Privacy Guard) jest nazedziem do szfrowania danych i tworzenia cyfrowych podpis?w. GnuPG posiada zaawansowane mozliwosci obslugi kluczy i jest zgodne z OpenPGP, proponowanym standardem internetowym opisanym w RFC2440. Poniewaz GnuPG nie uzywa zadnych opatentowanych algorytm?w nie jest wiec zgodne z jaka kolwiek wersja PGP2 (PGP2.x kozysta jedynie z algorytm?w: IDEA, opatentowanego na calym swiecie, oraz RSA, kt?rego patent na terenie Stan?w Zjednoczonych wygasa 20 wrzesnia 2000). %prep rm -rf $RPM_BUILD_ROOT %setup %build if test -n "$LINGUAS"; then unset LINGUAS fi %configure --program-prefix=%{?_program_prefix:%{_program_prefix}} \ --libexecdir=%{_libexecdir}/gnupg make %install %makeinstall libexecdir=$RPM_BUILD_ROOT/%{_libexecdir}/gnupg %find_lang %{name} rm %{buildroot}%{_datadir}/%{name}/FAQ rm %{buildroot}%{_datadir}/%{name}/faq.html rm %{buildroot}%{_infodir}/dir %files -f %{name}.lang %defattr (-,root,root) %doc INSTALL AUTHORS COPYING NEWS README THANKS TODO PROJECTS doc/DETAILS %doc doc/FAQ doc/faq.html doc/HACKING doc/OpenPGP doc/samplekeys.asc %doc %attr (0755,root,root) tools/convert-from-106 %config %{_datadir}/%{name}/options.skel %{_mandir}/man1/* %{_mandir}/man7/* %{_infodir}/gpg.info* %{_infodir}/gpgv.info* %attr (4755,root,root) %{_bindir}/gpg %attr (0755,root,root) %{_bindir}/gpgv %attr (0755,root,root) %{_bindir}/gpgsplit %attr (0755,root,root) %{_libexecdir}/gnupg/* %post /sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || : /sbin/install-info %{_infodir}/gpgv.info %{_infodir}/dir 2>/dev/null || : %preun if [ $1 = 0 ]; then /sbin/install-info --delete %{_infodir}/gpg.info \ %{_infodir}/dir 2>/dev/null || : /sbin/install-info --delete %{_infodir}/gpgv.info \ %{_infodir}/dir 2>/dev/null || : fi %clean rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_DIR/%{name}-%{version} From swp5jhu02 at sneakemail.com Wed Feb 9 15:45:00 2005 From: swp5jhu02 at sneakemail.com (=?ISO-8859-1?Q?Peter_Valdemar_M=F8rch?=) Date: Thu Feb 10 10:40:49 2005 Subject: 1.4.0: Howto verify a signed file quickly - without any --homedir... In-Reply-To: <20050208141057.GA10444@jabberwocky.com> References: <42088D30.1060800@sneakemail.com> <20050208141057.GA10444@jabberwocky.com> Message-ID: <420A21EC.9040800@sneakemail.com> David Shaw dshaw-at-jabberwocky.com |Lists| wrote: > It sounds like you are looking for gpgv, which comes with GnuPG. It > does just what you want - verifies files and nothing else. YES! # gpgv --keyring /my/key.ring /some/file Does the trick! Thanks! Peter -- Peter Valdemar M?rch http://www.morch.com From texmex at uni.de Thu Feb 10 14:29:56 2005 From: texmex at uni.de (Gregor Zattler) Date: Thu Feb 10 14:26:42 2005 Subject: didn't help either (was: Re: it's not a PATH problem ) In-Reply-To: <420A7E97.2070907@mail.pf> References: <420A7E97.2070907@mail.pf> Message-ID: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> Hi Maxine, * Maxine Brandt [09. Feb. 2005]: > Gregor Zattler wrote: > >> Try '.\gpg --help' > >> > >> 'gpg --help' will search the PATH > >> > >> '.\gpg --help' looks in the current directory > >> > >> BTW, --version serves the same purpose without generating as much output > >> and also has some helpful info > > > > Did it: same problem. > > The reason for your problem is that under w'98 the SHGetFolderPath is found in > shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this > particularity. The issue has been reported on the gnupg-devel list: > > http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2 "my" shfolder.dll is version 5.00.2919.200 and $ grep -i SHGetFolderPath SHFOLDER.DLL Binary file SHFOLDER.DLL matches Gregor From rhea102075 at yahoo.com Thu Feb 10 15:37:09 2005 From: rhea102075 at yahoo.com (Rhea Felipe) Date: Thu Feb 10 16:27:10 2005 Subject: Help with Encryption. Message-ID: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com> Hi, Im new to GnuPG and email encryption. A friend of mind sent me a public key (0x123ABCD5) and he wants me to encrypt my emails for him. How do I do this? I am using Enigmail with Mozilla Thunderbird Ver. 0.8 thanks. __________________________________ Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. http://info.mail.yahoo.com/mail_250 From wk at gnupg.org Thu Feb 10 17:15:12 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 10 17:15:56 2005 Subject: didn't help either In-Reply-To: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> (Gregor Zattler's message of "Thu, 10 Feb 2005 14:29:56 +0100") References: <420A7E97.2070907@mail.pf> <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> Message-ID: <87y8dwpf1r.fsf@wheatstone.g10code.de> On Thu, 10 Feb 2005 14:29:56 +0100, Gregor Zattler said: > "my" shfolder.dll is version 5.00.2919.200 and meanwhile this has changed in the CVS. We first try to find the fucntion in shell32 and if this fails in shfolder. If this all does not work, no application specific data is used and we fall back to HKCU, HKLM and finally to c:\gnupg. I posted a patch to gnupg-devel@ recently. Salam-Shalom, Werner From wk at gnupg.org Thu Feb 10 17:19:29 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 10 17:16:10 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <420A251B.6050406@iotest.org> (mconahan@iotest.org's message of "Wed, 09 Feb 2005 09:58:35 -0500") References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org> <87sm46yxzk.fsf@wheatstone.g10code.de> <420A251B.6050406@iotest.org> Message-ID: <87u0okpeum.fsf@wheatstone.g10code.de> On Wed, 09 Feb 2005 09:58:35 -0500, mconahan@iotest org said: > GnuPG options "--homedir", "--keyring", "--no-default-keyring", and > "--secret-keyring" for a context (at a minmum I need the use of the > latter three)? No. We won't even support --keyring in the future because the concept of a keyring may change over time. The only configuration which makes sense is a different homedir. > If there is not a way 'out of the box', where in the GPGME source > would I have to add the above GnuPG arguments, in order to have them > sent to GnuPG along with the rest of the arguments already specified > in the context? Would it be the function "build_argv" in rungpg.c? This should work for you, however there is no guantee that this will work in the future. Better plan ahead and make use of different Homedirs than to switch keyrings. One goal of gpgme is to hide the actual implementation of the engine and the keyring is such a thing. Even the notation of a homedir might eventually be different between gpgme and a backend engine (i.e. gpg). Shalom-Salam, Werner From sk at intertivity.com Thu Feb 10 17:33:06 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 10 17:29:11 2005 Subject: didn't help either In-Reply-To: <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> References: <420A7E97.2070907@mail.pf> <20050210132956.GF15215@pit.ID-43118.user.dfncis.de> Message-ID: <420B8CC2.4020102@intertivity.com> Yes, but your version of gpg doesn't know that the function is not located in shell32.dll but in shfolder.dll Gregor Zattler schrieb: >Hi Maxine, >* Maxine Brandt [09. Feb. 2005]: > > >>Gregor Zattler wrote: >> >> >>>>Try '.\gpg --help' >>>> >>>>'gpg --help' will search the PATH >>>> >>>>'.\gpg --help' looks in the current directory >>>> >>>>BTW, --version serves the same purpose without generating as much output >>>>and also has some helpful info >>>> >>>> >> >> >>>Did it: same problem. >>> >>> >>The reason for your problem is that under w'98 the SHGetFolderPath is found in >>shfolder.dll and not in shell32.dll, but the rc1 code has overlooked this >>particularity. The issue has been reported on the gnupg-devel list: >> >>http://marc.theaimsgroup.com/?l=gnupg-devel&m=110751660616663&w=2 >> >> > >"my" shfolder.dll is version 5.00.2919.200 and >$ grep -i SHGetFolderPath SHFOLDER.DLL >Binary file SHFOLDER.DLL matches > >Gregor > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > From sk at intertivity.com Thu Feb 10 17:51:50 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 10 17:48:01 2005 Subject: Changing the password of a secret key Message-ID: <420B9126.9030606@intertivity.com> hi. tried to change a password of a secret key by calling gpg from a program. Here the way i tried it. Created a file named "uhu". It looks like this: passwd uhu test save where uhu is the old-password and test the newpassword. Then i called gpg: gpg.exe --status-fd 1 --command-fd 0 --edit-key mustermann < uhu The output is the following: [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT Key is protected. [GNUPG:] USERID_HINT DB6D141403B8E2E8 Max Musterman [GNUPG:] NEED_PASSPHRASE DB6D141403B8E2E8 DB6D141403B8E2E8 1 0 You need a passphrase to unlock the secret key for user: "Max Musterman " 1024-bit RSA key, ID 03B8E2E8, created 2005-02-04 [GNUPG:] GET_HIDDEN passphrase.enter [GNUPG:] GOT_IT [GNUPG:] GOOD_PASSPHRASE Enter the new passphrase for this secret key. [GNUPG:] NEED_PASSPHRASE_SYM 3 3 2 [GNUPG:] GET_HIDDEN passphrase.enter [GNUPG:] GOT_IT [GNUPG:] GET_LINE keyedit.prompt [GNUPG:] GOT_IT [GNUPG:] GET_BOOL keyedit.save.okay [GNUPG:] GOT_IT Too me it looks pretty good but that password remained unchanged! Any hints on that? Thank you! From wk at gnupg.org Thu Feb 10 18:55:32 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 10 18:55:55 2005 Subject: Changing the password of a secret key In-Reply-To: <420B9126.9030606@intertivity.com> (Sascha Kiefer's message of "Thu, 10 Feb 2005 17:51:50 +0100") References: <420B9126.9030606@intertivity.com> Message-ID: <878y5wpaej.fsf@wheatstone.g10code.de> On Thu, 10 Feb 2005 17:51:50 +0100, Sascha Kiefer said: > [GNUPG:] GET_LINE keyedit.prompt > [GNUPG:] GOT_IT You send "save" here. > [GNUPG:] GET_BOOL keyedit.save.okay > [GNUPG:] GOT_IT But you missed to send "y" here. It takes the EOF as the default "N" and then exists due to the EOF. Werner From jediknight2 at ec.rr.com Thu Feb 10 18:35:36 2005 From: jediknight2 at ec.rr.com (jediknight2) Date: Thu Feb 10 19:10:36 2005 Subject: Specify output directory during encrypt Message-ID: <8975622.1108056936015.JavaMail.Administrator@ATP2> Is there a way to specify where to output files during the encryption process...for instance if I have files in C:\Testing that I want to encrypt using --multifile and want the encrypted files in C:\Output..can gpg do that directly or am I going to have to use a DOS move command?? From ms419 at freezone.co.uk Thu Feb 10 18:41:55 2005 From: ms419 at freezone.co.uk (ms419@freezone.co.uk) Date: Thu Feb 10 19:19:08 2005 Subject: "http" & "finger" keyserver schemes In-Reply-To: <20050207131930.GA29857@jabberwocky.com> References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> <20050207131930.GA29857@jabberwocky.com> Message-ID: <20050210174155.GA21347@fis.lat> On Mon, Feb 07, 2005 at 08:19:30AM -0500, David Shaw wrote: > On Sun, Feb 06, 2005 at 08:52:00PM -0800, ms419@freezone.co.uk wrote: > > I don't get how to receive keys using using the "http" & "finger" > > keyserver schemes. > > > > I tried some variations on - > > > > > > gpg --keyserver finger:wk@g10code.com --recv-keys > > > > gpg --keyserver "http://eatflamingdeath.com/~dleslie/pubkey.asc" > > --recv-keys > > > > > > - but nothing I tried worked. Receiving keys from "ldap" or "hkp" > > keyservers is no problem - > > > > > > gpg --keyserver ldap://keyserver.pgp.com --search-keys Lypkie > > > > gpg --keyserver hkp://pgp.mit.edu --search-keys Demwell > > > > > > Frustratingly, I couldn't find examples on the web or in the > > documentation of using "http" or "finger" keyserver schemes. Can anyone > > help? > > http and finger schemes are most useful for putting in preferred > keyserver URLs so the key can be automatically refreshed. They're not > really intended for use on the command line, but it's possible to fool > the system into working on the command line by doing something like: > > gpg --keyserver finger:the_finger@example.com --recv-keys 99999999 > > i.e. "receive key 99999999 from finger:the_finger@example.com". The > key that arrives probably won't be 99999999, but it'll arrive anyway. IC - thanks for the excellent information, David & Nicolas! I added a "sig-keyserver-url" & "keyserver-options auto-key-retrieve" to my gpg.conf, & sure enough! verifying data signatures retrieves my key from my preferred keyserver, if it's absent - I also tried signing a friend's key, but either key signing doesn't include my "sig-keyserver-url", or I'm not correctly verifying the signature - "gpg --keyserver-options auto-key-retrieve --list-options show-keyserver-urls --check-sigs" doesn't retrieve the key with which I signed my friend's key, if it's absent. More insight? Thanks! Jack -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature Url : /pipermail/attachments/20050210/b5589b0d/attachment.pgp From mconahan at iotest.org Thu Feb 10 20:29:39 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Thu Feb 10 20:25:57 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <87u0okpeum.fsf@wheatstone.g10code.de> References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> <41F67AD8.2000503@iotest.org> <42091012.7080206@iotest.org> <87sm46yxzk.fsf@wheatstone.g10code.de> <420A251B.6050406@iotest.org> <87u0okpeum.fsf@wheatstone.g10code.de> Message-ID: <420BB623.4080509@iotest.org> Werner Koch wrote: >On Wed, 09 Feb 2005 09:58:35 -0500, mconahan@iotest org said: > > > >>GnuPG options "--homedir", "--keyring", "--no-default-keyring", and >>"--secret-keyring" for a context (at a minmum I need the use of the >>latter three)? >> >> > >No. We won't even support --keyring in the future because the concept >of a keyring may change over time. The only configuration which makes >sense is a different homedir. > > > >>If there is not a way 'out of the box', where in the GPGME source >>would I have to add the above GnuPG arguments, in order to have them >>sent to GnuPG along with the rest of the arguments already specified >>in the context? Would it be the function "build_argv" in rungpg.c? >> >> > >This should work for you, however there is no guantee that this will >work in the future. Better plan ahead and make use of different >Homedirs than to switch keyrings. One goal of gpgme is to hide the >actual implementation of the engine and the keyring is such a thing. >Even the notation of a homedir might eventually be different between >gpgme and a backend engine (i.e. gpg). > > >Shalom-Salam, > > Werner > > > > Thanks for the feedback - understood. From adam00f at ducksburg.com Thu Feb 10 20:39:15 2005 From: adam00f at ducksburg.com (Adam Funk) Date: Thu Feb 10 20:35:23 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: References: Message-ID: <200502101939.16126.adam00f@ducksburg.com> > > I compiled and installed GnuPG 1.4.0. Everything works except > > interaction with keyservers. When I use --send-key, --recv-key or > > --refresh, it always fails thus: > > > > $ gpg -v --recv-key F09BDAD5 > > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu > > gpg: unable to execute program `gpgkeys_hkp': Permission denied > > gpg: keyserver internal error > > gpg: keyserver receive failed: keyserver error > > > > How do I fix this? > > I had the same problem. For some reason GnuPG wants these gpgkey_* > files in /usr/libexec/gnupg/, but they are installed in /usr/libexec > > Just symlink them (*) and then submit a bug report - I was and still > am too lazy to do it myself. Hmm. I found all those files in /usr/local/libexec/gnupg/ on my system, but identified a related problem: the /usr/local/libexec and /usr/local/libexec/gnupg directories were not world-executable. "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. Thanks for pointing me in the right direction. Is this a bug in the install? From dshaw at jabberwocky.com Thu Feb 10 21:18:39 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 10 21:15:32 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <200502101939.16126.adam00f@ducksburg.com> References: <200502101939.16126.adam00f@ducksburg.com> Message-ID: <20050210201839.GB781@jabberwocky.com> On Thu, Feb 10, 2005 at 07:39:15PM +0000, Adam Funk wrote: > > > I compiled and installed GnuPG 1.4.0. Everything works except > > > interaction with keyservers. When I use --send-key, --recv-key or > > > --refresh, it always fails thus: > > > > > > $ gpg -v --recv-key F09BDAD5 > > > gpg: requesting key F09BDAD5 from hkp server pgp.mit.edu > > > gpg: unable to execute program `gpgkeys_hkp': Permission denied > > > gpg: keyserver internal error > > > gpg: keyserver receive failed: keyserver error > > > > > > How do I fix this? > > > > I had the same problem. For some reason GnuPG wants these gpgkey_* > > files in /usr/libexec/gnupg/, but they are installed in /usr/libexec > > > > Just symlink them (*) and then submit a bug report - I was and still > > am too lazy to do it myself. > > Hmm. I found all those files in /usr/local/libexec/gnupg/ on my system, > but identified a related problem: the /usr/local/libexec > and /usr/local/libexec/gnupg directories were not world-executable. > "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. Thanks > for pointing me in the right direction. > > Is this a bug in the install? GnuPG doesn't actually do the install. Rather, automake does. It seems to take your umask into account when doing it through. What is your umask? David From tv at beamnet.de Thu Feb 10 20:13:16 2005 From: tv at beamnet.de (Thomas Viehmann) Date: Thu Feb 10 21:15:48 2005 Subject: GnuPG 1.2 encryption key selection with authentication keys Message-ID: <420BB24C.6010807@beamnet.de> Hi, I've added a triple of subkeys on the OpenPGP card to my key, including an authentication subkey. It seems that GnuPG 1.2 prefers this key for encryption (and with gpg 1.2 I see encryption and signing as capabilities), because I generated it last. Is there a way to make GnuPG 1.2 prefer the actual encryption key by default? Kind regards and thanks in advance T. -- Thomas Viehmann, http://thomas.viehmann.net/ From swright at physics.adelaide.edu.au Thu Feb 10 21:23:41 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Thu Feb 10 21:20:25 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <20050210033606.GC13965@jabberwocky.com> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> Message-ID: <20050210202341.GD29994@anl.gov> G'day David, Sorry about the delay in replying, work got in the way of fun! * David Shaw [050209 21:43]: > Try this spec file. If it works for you, I'll put it in 1.4.1. It > works ok on a FC3 box here. Sorry to say, but this still doesn't work on my FC2 box. :-( Two problems: 1) The location of the gpgkeys_* files is still wrong. 2) The info "dir" file still doesn't get created. CAVEAT: I modified the .spec file so that it tries to install the 1.4.0 release - I didn't try 1.4.1rc1 so the first problem might have gone away... I will have a go with 1.4.1rc1 when I get some more time. Explanations ------------ 1) File location problems. This new spec file installs the gpgkeys_* in /usr/libexec/gnupg/ as one would hope, but gpg looks for them in /usr/libexec/gnupg/gnupg/! It looks like there is some doubling up of libexecdir in the spec file and keyserver/Makefile.am... libexecdir in keyserver/Makefile.am is defined as @libexecdir@/@PACKAGE@ which would give the extra layer of gnupg causing the problem. I'll leave the fix as an exercise for the reader! ;-) 2) info "dir" file. I'm not entirely sure that it isn't user error, but I can build RPMs from pretty much everything else without problems. :-( The error I still get from (rpmbuild -bb gnucash.spec) is the following: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [SNIP] make[2]: Nothing to be done for `install-data-am'. make[2]: Leaving directory `/tmp/fedora/tmp/gnupg-1.4.0' make[1]: Leaving directory `/tmp/fedora/tmp/gnupg-1.4.0' + /usr/lib/rpm/redhat/find-lang.sh /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0 gnupg + rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/gnupg/FAQ + rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/gnupg/faq.html + rm /tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/info/dir rm: cannot remove `/tmp/fedora/tmp/rpmbuild_gnupg-1.4.0/usr/share/info/dir': No such file or directory error: Bad exit status from /tmp/fedora/tmp/rpm-tmp.2023 (%install) RPM build errors: Bad exit status from /tmp/fedora/tmp/rpm-tmp.2023 (%install) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When I comment out the "rm ..../info/dir" line from the spec file the creation of the .rpm goes ahead successfully. As I said, I'm not sure if this is the fault of something I'm doing, or FC2, but GnuPG is the only code that seems to have this problem for me. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050210/1a317229/attachment.pgp From dshaw at jabberwocky.com Thu Feb 10 21:46:12 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 10 21:43:01 2005 Subject: GnuPG 1.2 encryption key selection with authentication keys In-Reply-To: <420BB24C.6010807@beamnet.de> References: <420BB24C.6010807@beamnet.de> Message-ID: <20050210204612.GC781@jabberwocky.com> On Thu, Feb 10, 2005 at 08:13:16PM +0100, Thomas Viehmann wrote: > Hi, > > I've added a triple of subkeys on the OpenPGP card to my key, including > an authentication subkey. It seems that GnuPG 1.2 prefers this key for > encryption (and with gpg 1.2 I see encryption and signing as > capabilities), because I generated it last. > Is there a way to make GnuPG 1.2 prefer the actual encryption key by > default? Upgrade. This was a bug fixed in GnuPG 1.2.7. David From swright at physics.adelaide.edu.au Thu Feb 10 23:58:05 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Thu Feb 10 23:54:54 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <20050210202341.GD29994@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> Message-ID: <20050210225805.GF29994@anl.gov> G'day David, Second thoughts on the RPM problem... > 1) File location problems. > > This new spec file installs the gpgkeys_* in /usr/libexec/gnupg/ as > one would hope, but gpg looks for them in /usr/libexec/gnupg/gnupg/! I've just remembered that I can get 1.4.0 to install in a non-standard directory and it works fine (just compiling by hand), so this definitely looks like a problem with the arguments to configure and make in the .spec file. *NOT* a problem with keyserver/Makefile.am like I suggested before. I'll claim that it was a lack of coffee that caused my mistake! I'll have a play around with the spec file and make some more suggestions over the next few days. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050210/ab931395/attachment.pgp From JPClizbe at comcast.net Fri Feb 11 00:08:15 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Feb 11 00:05:00 2005 Subject: Help with Encryption. In-Reply-To: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com> References: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com> Message-ID: <420BE95F.3080609@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rhea Felipe wrote: > Hi, Im new to GnuPG and email encryption. A friend of > mind sent me a public key (0x123ABCD5) and he wants me > to encrypt my emails for him. > > How do I do this? > > I am using Enigmail with Mozilla Thunderbird Ver. 0.8 If his email address is on one of the User IDs on the key, you simply compose an email message to him and select to Encryptthe message, either by toggling the key in the lower right of the message composition pane, or by selecting Encrypt from the Enigmail pull-down menu in the same panel. If his email address is does not match any UID, a key selection window should popup so long as 'Display selection when necessary' is selected in Enigmail's preferences. If this is the case, you may wish to define a key selection rule for this recipient. More Enigmail specific help is available at the Enigmail site, http://enigmail.mozdev.org, and the enigmail mailing list, enigmail@mozdev.org. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org GingerBear Consluting PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCC+leHQSsSmCNKhARAoKQAJwPRX7iZUDKtiTXLrOKzG2sqjUBEACgx3dJ AT/C/mFELDtJoUEkqf4f/mQ= =gFHp -----END PGP SIGNATURE----- From finalcut at videotron.ca Thu Feb 10 23:21:17 2005 From: finalcut at videotron.ca (finalcut@videotron.ca) Date: Fri Feb 11 00:22:36 2005 Subject: Trying gnupg with thebat! Message-ID: <1456428286.20050210172117@videotron.ca> Hello all, I've just finished configuring thebat to work with GnuPG but when I enter my password it tells me that converting to utf-8 to CP0 is unavailable. what is the problem? Regards, -- The FinalCut finalcut@videotron.ca Thebat: 3.0.2.10 From bill at cse.ucdavis.edu Thu Feb 10 23:22:42 2005 From: bill at cse.ucdavis.edu (Bill Broadley) Date: Fri Feb 11 00:23:52 2005 Subject: GPG corruption Message-ID: <20050210222242.GE17353@cse.ucdavis.edu> This is with [root@csebeo v]# gpg --version gpg (GnuPG) 1.2.1 I put 12 files into a .tar: tar cvzf b.tar bp* I encrypted them with a symmetric key: gpg -c b.tar The result was fairly large (this is running on an opteron running redhat RHEL): ls -alh b.tar.gpg -rw-r--r-- 1 root root 4.1G Feb 1 23:25 b.tar.gpg Now to decode it: gpg --output b.tar --decrypt b.tar.gpg gpg: CAST5 encrypted data gpg: [don't know]: invalid packet (ctb=75) gpg: uncompressing failed: unknown compress algorithm The resulting file is partially there: $ ls -alh b.tar -rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar Tar seems to think it's valid: tar tvf bg-s01-s12.tar drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/ -rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001 Any ideas? -- Bill Broadley Computational Science and Engineering UC Davis From dshaw at jabberwocky.com Fri Feb 11 01:20:02 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 11 01:16:50 2005 Subject: GPG corruption In-Reply-To: <20050210222242.GE17353@cse.ucdavis.edu> References: <20050210222242.GE17353@cse.ucdavis.edu> Message-ID: <20050211002002.GA1476@jabberwocky.com> On Thu, Feb 10, 2005 at 02:22:42PM -0800, Bill Broadley wrote: > > This is with [root@csebeo v]# gpg --version > gpg (GnuPG) 1.2.1 > > I put 12 files into a .tar: > tar cvzf b.tar bp* > > I encrypted them with a symmetric key: > gpg -c b.tar > > The result was fairly large (this is running on an opteron running > redhat RHEL): > ls -alh b.tar.gpg > -rw-r--r-- 1 root root 4.1G Feb 1 23:25 b.tar.gpg Judging by the file size, I think you've been bitten by a 2gig file size limit. GnuPG 1.2.1 is very old. You should upgrade, as that limit was removed (ironically, only 4 days after 1.2.1 was released). David From linux at codehelp.co.uk Fri Feb 11 01:28:54 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Feb 11 01:25:02 2005 Subject: GPG corruption In-Reply-To: <20050210222242.GE17353@cse.ucdavis.edu> References: <20050210222242.GE17353@cse.ucdavis.edu> Message-ID: <200502110028.57734.linux@codehelp.co.uk> On Thursday 10 February 2005 10:22 pm, Bill Broadley wrote: > This is with [root@csebeo v]# gpg --version Why as root???? > gpg (GnuPG) 1.2.1 > > I put 12 files into a .tar: > tar cvzf b.tar bp* If you use -z, you will get a compressed archive - it could be confusing to give this the name .tar which usually refers to an uncompressed archive: .tar.gz for -z > > The resulting file is partially there: > $ ls -alh b.tar > -rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar > > Tar seems to think it's valid: > tar tvf bg-s01-s12.tar Now you've stopped using -z - what's going on? > drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/ > -rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001 > > Any ideas? Make absolutely sure what you are doing and use names that help others see what you are doing, also avoid using root whenever possible. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050211/ed1ba78e/attachment.pgp From wesley.tabadore at gmail.com Fri Feb 11 00:49:43 2005 From: wesley.tabadore at gmail.com (Wesley Tabadore) Date: Fri Feb 11 01:54:16 2005 Subject: GPG and GroupWise Message-ID: Anyone using GPG and GroupWise? I know that there are GroupWise plug-ins for PGP, but have not been able to locate any info on GroupWise. Thanks, Wes From sebastian-schubert at gmx.de Fri Feb 11 01:02:08 2005 From: sebastian-schubert at gmx.de (Sebastian Schubert) Date: Fri Feb 11 01:57:04 2005 Subject: newbie questions Message-ID: <200502110102.08337.sebastian-schubert@gmx.de> Hi, I'm new to gpg and I'm sure you can help me. I created two main keys (twice --gen-key) and I added a second user ID to the first one. I can choose which one I take with the -u option. But how can I choose which user ID of the first main key to take? Do I always have to change it with "primary"? I signed a document with the first key and then I decrypted it and gpg gave me both email addresses (I guess you know the English version): gpg: Unterschrift vom Fr 11 Feb 2005 00:22:37 CET, DSA Schl?ssel ID 130EAA7E gpg: Korrekte Unterschrift von "Sebastian Schubert " gpg: alias "Sebastian Schubert " So does it make sense to use several user IDs when everybody can see everything immediately? When I add or delete a user ID, do I have to get the signs for my key again? Thanks for helping me Sebastian From bill at cse.ucdavis.edu Fri Feb 11 02:23:10 2005 From: bill at cse.ucdavis.edu (Bill Broadley) Date: Fri Feb 11 02:19:23 2005 Subject: GPG corruption In-Reply-To: <200502110028.57734.linux@codehelp.co.uk> References: <20050210222242.GE17353@cse.ucdavis.edu> <200502110028.57734.linux@codehelp.co.uk> Message-ID: <20050211012310.GA23953@cse.ucdavis.edu> On Fri, Feb 11, 2005 at 12:28:54AM +0000, Neil Williams wrote: > On Thursday 10 February 2005 10:22 pm, Bill Broadley wrote: > > This is with [root@csebeo v]# gpg --version > > Why as root???? Because as a user I didn't have enough space to keep multiple copies of a 4GB file around for debugging. Fixed. > > gpg (GnuPG) 1.2.1 > > > > I put 12 files into a .tar: > > tar cvzf b.tar bp* > > If you use -z, you will get a compressed archive - it could be confusing to > give this the name .tar which usually refers to an uncompressed archive: > .tar.gz for -z Agreed, I'm reconstructing this from my command history, the original files are gone, er well encrypted. I had tried z, but after realizing I was getting a significant slow down and zero compression I reran the command without the z and ended up with just a .tar file. > > The resulting file is partially there: > > $ ls -alh b.tar > > -rw-r--r-- 1 root root 103M Feb 10 14:16 b.tar > > > > Tar seems to think it's valid: > > tar tvf bg-s01-s12.tar > > Now you've stopped using -z - what's going on? Sorry, I pasted the wrong command from my history, the .tar is not compressed. > > drwxrwxr-x root/root 0 2005-01-28 17:51:28 bpdata/ > > -rw-r--r-- root/root 36955832 2005-01-16 17:47:40 bpdata/bd.001 > > > > Any ideas? > > Make absolutely sure what you are doing and use names that help others see > what you are doing, also avoid using root whenever possible. I encrypted a tar file using gpg -c, and now when I try to decrypt I get: [bill@csebeo v]$ /opt/pkg/gnupg-1.4.0/bin/gpg --output b.tar b.tar.gpg gpg: WARNING: using insecure memory! gpg: please see http://www.gnupg.org/faq.html for more information gpg: CAST5 encrypted data gpg: encrypted with 1 passphrase gpg: [don't know]: invalid packet (ctb=75) gpg: uncompressing failed: unknown compress algorithm gpg: WARNING: message was not integrity protected [bill@csebeo v]$ ls -alh total 4.2G drwxr-xr-x 2 bill root 4.0K Feb 10 16:44 . drwxr-xr-x 5 bill root 4.0K Feb 8 01:38 .. -rw-rw-r-- 1 bill bill 103M Feb 10 16:44 b.tar -rw-r--r-- 1 bill root 4.1G Feb 1 23:25 b.tar.gpg b.tar seems intact for the first 103MB, and b.tar.gpg seems populated with random looking binary stuff all the way out to 4.1GB. I.e. it's not zero filled over the (possible) 2GB limit. -- Bill Broadley Computational Science and Engineering UC Davis From dshaw at jabberwocky.com Fri Feb 11 02:28:20 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 11 02:24:59 2005 Subject: GPG corruption In-Reply-To: <20050211012310.GA23953@cse.ucdavis.edu> References: <20050210222242.GE17353@cse.ucdavis.edu> <200502110028.57734.linux@codehelp.co.uk> <20050211012310.GA23953@cse.ucdavis.edu> Message-ID: <20050211012820.GA1802@jabberwocky.com> On Thu, Feb 10, 2005 at 05:23:10PM -0800, Bill Broadley wrote: > b.tar seems intact for the first 103MB, and b.tar.gpg seems populated > with random looking binary stuff all the way out to 4.1GB. I.e. it's not > zero filled over the (possible) 2GB limit. It wouldn't be. It's an encoding bug that was fixed in 1.2.2. The data is there, it's just not encoded properly so GnuPG won't read it. David From dshaw at jabberwocky.com Fri Feb 11 02:11:15 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 11 04:46:45 2005 Subject: [Announce] Attack against OpenPGP encryption Message-ID: <20050211011115.GD1476@jabberwocky.com> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From dshaw at jabberwocky.com Fri Feb 11 02:00:17 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 11 04:48:51 2005 Subject: [Announce] Attack against OpenPGP encryption Message-ID: <20050211010017.GC1476@jabberwocky.com> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From kabads at gmail.com Fri Feb 11 08:11:24 2005 From: kabads at gmail.com (Adam Cripps) Date: Fri Feb 11 08:08:07 2005 Subject: Help with Encryption. In-Reply-To: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com> References: <20050210143709.61319.qmail@web90007.mail.scd.yahoo.com> Message-ID: On Thu, 10 Feb 2005 06:37:09 -0800 (PST), Rhea Felipe wrote: > Hi, Im new to GnuPG and email encryption. A friend of > mind sent me a public key (0x123ABCD5) and he wants me > to encrypt my emails for him. > > How do I do this? > > I am using Enigmail with Mozilla Thunderbird Ver. 0.8 > > thanks. Have you imported your friend's public key into your keyring? Enigmail should allow you to do this. Adam -- http://www.monkeez.org PGP key: 0x7111B833 From adam00f at ducksburg.com Fri Feb 11 08:52:20 2005 From: adam00f at ducksburg.com (Adam Funk) Date: Fri Feb 11 08:48:26 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: References: Message-ID: <200502110752.20696.adam00f@ducksburg.com> On Friday 11 February 2005 00:21, gnupg-users-request@gnupg.org wrote: > > Hmm. ?I found all those files in /usr/local/libexec/gnupg/ on my > > system, but identified a related problem: the /usr/local/libexec > > and /usr/local/libexec/gnupg directories were not world-executable. > > "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. > > ?Thanks for pointing me in the right direction. > > > > Is this a bug in the install? > > GnuPG doesn't actually do the install. ?Rather, automake does. ?It > seems to take your umask into account when doing it through. ?What is > your umask? I did the "./configure" and "make" with 0077, then "su", then "make install" with 0022. From list at rachinsky.de Fri Feb 11 10:54:56 2005 From: list at rachinsky.de (Nicolas Rachinsky) Date: Fri Feb 11 10:51:18 2005 Subject: "http" & "finger" keyserver schemes In-Reply-To: <20050210174155.GA21347@fis.lat> References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> <20050207131930.GA29857@jabberwocky.com> <20050210174155.GA21347@fis.lat> Message-ID: <20050211095456.GA99540@pc5.i.0x5.de> * ms419@freezone.co.uk [2005-02-10 09:41 -0800]: > I also tried signing a friend's key, but either key signing doesn't > include my "sig-keyserver-url", or I'm not correctly verifying the > signature - "gpg --keyserver-options auto-key-retrieve --list-options > show-keyserver-urls --check-sigs" doesn't retrieve the key with which I > signed my friend's key, if it's absent. > > More insight? The option you would need for this would be named cert-keyserver-url. But according to the manpage it does not exist. Nicolas From tv at beamnet.de Fri Feb 11 11:45:02 2005 From: tv at beamnet.de (Thomas Viehmann) Date: Fri Feb 11 11:41:06 2005 Subject: GnuPG 1.2 encryption key selection with authentication keys Message-ID: <20050211.Q1P.33669800@phpgroupware.vomhagen.com> Thanks, David, for the quick answer. David Shaw (dshaw@jabberwocky.com) wrote: > > Is there a way to make GnuPG 1.2 prefer the actual encryption key by > > default? > Upgrade. This was a bug fixed in GnuPG 1.2.7. Unfortunately, my own upgrading won't fix the bug on the side of the encryptor whose preference to use old versions of GnuPG I'm not having much hope of influincing. Is there anything (short of revoking it) I can do to make the authentication less attractive to (the broken versions) of GnuPG? I considered manipulating the encryption key's binding signature to have a newer date, but my guess is that while this would work locally, I'd probably run into trouble with the keyservers. Kind regards Thomas From johanw at vulcan.xs4all.nl Fri Feb 11 14:45:07 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Feb 11 14:41:17 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <20050211010017.GC1476@jabberwocky.com> from David Shaw at "Feb 10, 2005 08:00:17 pm" Message-ID: <200502111345.OAA00653@vulcan.xs4all.nl> David Shaw wrote: >3) It might be effective against an automated process that > incorporates OpenPGP decryption, if that process returns errors > back to the sender. [...] > attached two patches to this mail. These patches disable a > portion of the OpenPGP protocol that the attack is exploiting. So the solution is changing the way that errors are reported back to the sender in this case? > These patches will be part of the 1.2.8 and 1.4.1 releases of GnuPG. Any idea when these versions are about to be released? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From wk at gnupg.org Fri Feb 11 16:21:07 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 11 16:20:52 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <200502111345.OAA00653@vulcan.xs4all.nl> (Johan Wevers's message of "Fri, 11 Feb 2005 14:45:07 +0100 (MET)") References: <200502111345.OAA00653@vulcan.xs4all.nl> Message-ID: <87ekfnktr0.fsf@wheatstone.g10code.de> On Fri, 11 Feb 2005 14:45:07 +0100 (MET), Johan Wevers said: > So the solution is changing the way that errors are reported back to the > sender in this case? If you at all need to return an error, make sure that this is just a boolean without additional error diagnostics. In security this is considered state of the art. To hinder oracle attacks, it is general a good design point to delay the responses or batch them up and send them back at fixed intervals. > Any idea when these versions are about to be released? 1.4.1rc2 is planned for this weekend but unexpected things kept me away from working on it. So early next week is more likely. Given that we think that this is not a serious attack in any current real world cases, a 1.2.8 won't be released right away. If there would really be such vulnerable systems, the admins should for sure be on the watch and must have heard about the attack and patch gnupg right away. They are for sure aware about such a system because they need to have a passphrase distribution mechanism installed and running. The odds of a vulnerable passphrase distribution process are higher than those of a successful attack. Recall that this attack won't work with public key encryption. Shalom-Salam, Werner From dshaw at jabberwocky.com Fri Feb 11 17:04:18 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 11 17:01:00 2005 Subject: GnuPG 1.2 encryption key selection with authentication keys In-Reply-To: <20050211.Q1P.33669800@phpgroupware.vomhagen.com> References: <20050211.Q1P.33669800@phpgroupware.vomhagen.com> Message-ID: <20050211160418.GG13140@jabberwocky.com> On Fri, Feb 11, 2005 at 10:45:02AM +0000, Thomas Viehmann wrote: > Thanks, David, for the quick answer. > > David Shaw (dshaw@jabberwocky.com) wrote: > > > Is there a way to make GnuPG 1.2 prefer the actual encryption key by > > > default? > > Upgrade. This was a bug fixed in GnuPG 1.2.7. > Unfortunately, my own upgrading won't fix the bug on the side of the encryptor > whose preference to use old versions of GnuPG I'm not having much hope of > influincing. Is there anything (short of revoking it) I can do to make the > authentication less attractive to (the broken versions) of GnuPG? > I considered manipulating the encryption key's binding signature to have a > newer date, but my guess is that while this would work locally, I'd probably > run into trouble with the keyservers. Unfortunately, manipulating the binding signature by itself won't work. You'd have to manipulate the date field in the key itself, since that is what is used to determine which subkey to use. It's probably easier to revoke that subkey and make a new one which will also make the encryption key the most recent. You could also revoke the authentication subkey, but then you couldn't use it, of course. Note that PGP (even the latest 8.1) has the same bug. The PGP folks have been informed and are working on it. David From cedar at 3web.net Fri Feb 11 18:18:14 2005 From: cedar at 3web.net (C. D. Rok) Date: Fri Feb 11 18:15:16 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <200502111345.OAA00653@vulcan.xs4all.nl> References: <200502111345.OAA00653@vulcan.xs4all.nl> Message-ID: <420CE8D6.1080106@3web.net> Johan Wevers wrote: > So the solution is changing the way that errors are reported back to the > sender in this case? It appears to me that the solution is re-exaimnation of the protocol on a more fundamenatl level. In symetric systems, the correspondent is never an adversary, while in public key systems the assumption must be made that the correspondent is *always* also an adversary. CD Rok From malte.gell at gmx.de Fri Feb 11 17:23:48 2005 From: malte.gell at gmx.de (Malte Gell) Date: Fri Feb 11 18:33:39 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <20050211010017.GC1476@jabberwocky.com> References: <20050211010017.GC1476@jabberwocky.com> Message-ID: <200502111723.48257.malte.gell@gmx.de> On Friday 11 February 2005 02:00, David Shaw wrote: > Last night, Serge Mister and Robert Zuccherato published a paper > reporting on an attack against OpenPGP symmetric encryption. > [...] > There is a very good writeup on the attack that goes into more depth > at http://www.pgp.com/library/ctocorner/openpgp.html This is really amazing stuff. I just read their PDF and they make a suggestion how a new kind of "quick check" could like like: adding the hash of the symmetric key... I'm not a cryptologist, but this sounds absolutely crazy, this would mean in the future the security of symmetric encryption relies not only on the cipher, but on a hash algorithm... regarding the recent discussions and rumours about hash algorithms in general, is this really safer!? Are there several different ideas what the new "quick check" could look like or is there even already a consesus what it could look like? Regards Malte From wk at gnupg.org Fri Feb 11 19:39:03 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 11 19:35:55 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <420CE8D6.1080106@3web.net> (C. D. Rok's message of "Fri, 11 Feb 2005 17:18:14 +0000") References: <200502111345.OAA00653@vulcan.xs4all.nl> <420CE8D6.1080106@3web.net> Message-ID: <874qgjj60o.fsf@wheatstone.g10code.de> On Fri, 11 Feb 2005 17:18:14 +0000, C D Rok said: > on a more fundamenatl level. In symetric systems, the correspondent > is never an adversary, while in public key systems the assumption must You forgot about the man in the middle or here even someone who sniffend the message and replays it. They both would take the same message and modify it which is what the attack is about. Werner From swright at physics.adelaide.edu.au Fri Feb 11 21:20:00 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Fri Feb 11 21:17:04 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050210225805.GF29994@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> Message-ID: <20050211202000.GD7710@anl.gov> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050211/15fadb17/attachment-0001.pgp From atom at smasher.org Fri Feb 11 22:05:17 2005 From: atom at smasher.org (Atom Smasher) Date: Fri Feb 11 22:00:24 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <87ekfnktr0.fsf@wheatstone.g10code.de> References: <200502111345.OAA00653@vulcan.xs4all.nl> <87ekfnktr0.fsf@wheatstone.g10code.de> Message-ID: <20050211210412.77468.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 as is obvious by my questions, i don't understand the math. http://www.pgp.com/library/ctocorner/openpgp.html Consequently, PGP Corporation, GnuPG, and Hush Communications are all disabling the quick check for all public key-encrypted messages and files. However, we are all presently leaving it in for symmetric (passphrase) encrypted messages and files because we believe the benefit of the quick check is greater than the security risk from it. You will see this change in the next software release from each group. what about data that is encrypted with both a symmetric and asymmetric key? In our discussions with Mister and Zuccherato about their attack, we asked if they thought we should revise the protocol to address the problem. They told us they didn't think it was necessary-that an explanation of the issue and how to avoid it was good enough. As implementers of OpenPGP systems, however, we think we should update the protocol. People trust OpenPGP because we handle issues before they become real-world problems... how could this "become" a real world problem? is it conceivable that it might be leveraged into a stronger attack? We are suggesting in the working group that we amend OpenPGP so there is a new symmetric encryption system that has a secure quick check. like using a strong hash for the quick check? wouldn't that also benefit symmetric encryption with no significant increase in computational resources? - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Democracy and capitalism have very different beliefs about the proper distribution of power. One believes in a completely equal distribution of political power, 'one man, one vote', while the other believes that it is the duty of the economically fit to drive the unfit out of business and into economic extinction, and inequalities in purchasing power is what capitalist efficiency is all about. Individuals and firms become efficient to be rich. To put it in its starkest form, capitalism is perfectly compatible with slavery. The American South had such a system for more than two centuries. Democracy is not compatible with slavery." -- Lester Thurow, The Future of Capitalism -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCDR4TAAoJEAx/d+cTpVciwaQH/AuJ09RtdT3Ta249w7ap8Btc SlfsBaDTSGAQ65lZ9T0cD1T72m7uLB7cmqA3RuDPHYA0OtRDiwnZPqbvY2ApUVeg qzi1FK7d6n2GpTVeqXAmpPqv0w6Ley+dkJTINVnSXEQJd1CluJ1G4ljWCOs4nYbP HmB/wy0Eyq4M2wGncXnBxAiQ1Ck1iwVZpw4tvb40maI5wrQAK72YRcPjHDx8StM0 KiQp11JlkqXvlhOaayuJap7EHm1yzXQFMaekol9bf+gh1Le9NX0PfxvC2ShxR/R7 qyaaOyi8nmiiWq/FNuWmCkXMl+tXATfQKJns2YZzMFg2OIv8rP/o5TcKzCzrQhY= =RN9Y -----END PGP SIGNATURE----- From atom at smasher.org Fri Feb 11 22:25:43 2005 From: atom at smasher.org (Atom Smasher) Date: Fri Feb 11 22:20:50 2005 Subject: set-filename / use-embedded-filename Message-ID: <20050211212440.97270.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 does the embedded file name info only apply to encrypted (and stored) data, but not signed data? in the rfc (2440:5.9) i don't see where it shouldn't apply to signed files. verifying a signed file with "-v" i always see this line: gpg: original file name='' even if i use "--set-filename" when creating a signature. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Any society which does not insist upon respect for all life must necessarily decay." -- Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCDSLcAAoJEAx/d+cTpVciLcMH/3/Gna0AqXQ92QWJQLeItuA+ C+eyhtV9LOH5XUoSjEw/zy426ID3RPiX3pKdT4glGtTetQ5+kCbLE7KWAwRueIDM GciW9FNodfFbKYGM5K6wQU4pXNAzsOzEX1iAy0+imWg1kLQkRLMar771NQbrWdmX aftYi4kLuOTElcZNbA2yMt5+cZGGi5Zic8Pz+nEBgUhJLdFx6Hu5VL7+vIlqH6Os 3DDNBTfZ7kfRGZYGSz0bMECq2LnFdXGNNY+rQb3tc+jTxk3LX+GgCWx6gNrQhfg+ 5un/aeBBd5TAtM9J1fIRkd9DoS86a4IOA9DhcI+QGv1NnJUq4G/d3ugMX03Jxaw= =2tzV -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Feb 12 02:18:15 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 02:14:56 2005 Subject: [Announce] Attack against OpenPGP encryption In-Reply-To: <20050211210412.77468.qmail@smasher.org> References: <200502111345.OAA00653@vulcan.xs4all.nl> <87ekfnktr0.fsf@wheatstone.g10code.de> <20050211210412.77468.qmail@smasher.org> Message-ID: <20050212011815.GB22367@jabberwocky.com> On Fri, Feb 11, 2005 at 04:05:17PM -0500, Atom Smasher wrote: > as is obvious by my questions, i don't understand the math. > > http://www.pgp.com/library/ctocorner/openpgp.html > > Consequently, PGP Corporation, GnuPG, and Hush Communications are > all disabling the quick check for all public key-encrypted > messages and files. However, we are all presently leaving it in > for symmetric (passphrase) encrypted messages and files because we > believe the benefit of the quick check is greater than the > security risk from it. You will see this change in the next > software release from each group. > > what about data that is encrypted with both a symmetric and asymmetric > key? Even in those cases, the same methodology applies. If the candidate session key came from an assymmetric decryption, then the check is not done. If the candidate came from a passphrase mangling or passphrase-encrypted session key, then the check is done. > In our discussions with Mister and Zuccherato about their attack, > we asked if they thought we should revise the protocol to address > the problem. They told us they didn't think it was necessary-that > an explanation of the issue and how to avoid it was good enough. > > As implementers of OpenPGP systems, however, we think we should > update the protocol. People trust OpenPGP because we handle issues > before they become real-world problems... > > how could this "become" a real world problem? is it conceivable that it > might be leveraged into a stronger attack? Probably not, but once weakness is visible, it's generally good practice to start moving to something better. Look at MD5 - the first weakness was shown in 1996, if I recall. It took 8 years to get to the serious break in 2004, but OpenPGP started migrating away from it back in 1996, so the break wasn't as big a deal. > We are suggesting in the working group that we amend OpenPGP so > there is a new symmetric encryption system that has a secure quick > check. > > like using a strong hash for the quick check? wouldn't that also benefit > symmetric encryption with no significant increase in computational > resources? It wouldn't help or hurt the symmetric encryption. It would just help in being a quick check. David From dshaw at jabberwocky.com Sat Feb 12 02:18:46 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 02:15:39 2005 Subject: set-filename / use-embedded-filename In-Reply-To: <20050211212440.97270.qmail@smasher.org> References: <20050211212440.97270.qmail@smasher.org> Message-ID: <20050212011846.GC22367@jabberwocky.com> On Fri, Feb 11, 2005 at 04:25:43PM -0500, Atom Smasher wrote: > does the embedded file name info only apply to encrypted (and stored) > data, but not signed data? in the rfc (2440:5.9) i don't see where it > shouldn't apply to signed files. > > verifying a signed file with "-v" i always see this line: > gpg: original file name='' > even if i use "--set-filename" when creating a signature. I assume you are talking about --clearsign here. --sign does include the embedded file name. --clearsign has no filename, so that field is blank. David From atom at smasher.org Sat Feb 12 03:57:10 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Feb 12 03:52:13 2005 Subject: set-filename / use-embedded-filename In-Reply-To: <20050212011846.GC22367@jabberwocky.com> References: <20050211212440.97270.qmail@smasher.org> <20050212011846.GC22367@jabberwocky.com> Message-ID: <20050212025603.31896.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 11 Feb 2005, David Shaw wrote: > I assume you are talking about --clearsign here. --sign does include > the embedded file name. --clearsign has no filename, so that field is > blank. ============== ok... so if the signature is both clear and attached, i guess there's no need to include the original file name, huh? - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Politics is the art of preventing people from taking part in affairs which properly concern them." -- Paul Valery -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCDXCMAAoJEAx/d+cTpVciDMgH/RChkWTl3E8MwtOq86rojhZW VULuP1JdV1U4uIIlJlNhCWmKvVQAhtBXaRf3/IL0HdtZqK9U5FyhxcR0w0WFV3ty 2bbE3W/Z2RfkOFMkFQP0VzevEbhEJ/cSwqDtgzXob8y351yi+cGr1GiEA+mwD3gq Wl1vVvqCncmI5Ea108e17b6Ab2E3c5O2zer/Qav1nHKi7VtV67pr5x5xJxYa4FQY WsVGNAD/wZppZd/NX2U60Lg8SGH//GKoZ8da9oI089hi48gherZafWs3bJRsB/h/ /32K53VsQ8fH2jlBqsFWJKrYGExUUZXI2r2vS0GhTpSydSFiG/9Jr/obExAKKac= =vDfD -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Feb 12 05:25:34 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 05:33:43 2005 Subject: set-filename / use-embedded-filename In-Reply-To: <20050212025603.31896.qmail@smasher.org> References: <20050211212440.97270.qmail@smasher.org> <20050212011846.GC22367@jabberwocky.com> <20050212025603.31896.qmail@smasher.org> Message-ID: <20050212042534.GB22456@jabberwocky.com> On Fri, Feb 11, 2005 at 09:57:10PM -0500, Atom Smasher wrote: > On Fri, 11 Feb 2005, David Shaw wrote: > > > I assume you are talking about --clearsign here. --sign does include > > the embedded file name. --clearsign has no filename, so that field is > > blank. > ============== > > ok... so if the signature is both clear and attached, i guess there's no > need to include the original file name, huh? It's not meaningful to have a file name there. The idea behind keeping the original filename around is so you can reconstruct the original file to its pre-encryption state. In the case of clearsigning, the clearsigned document *is* the document, so there is nothing to reconstruct. David From dshaw at jabberwocky.com Sat Feb 12 05:52:40 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 05:49:25 2005 Subject: "http" & "finger" keyserver schemes In-Reply-To: <20050210174155.GA21347@fis.lat> References: <00ABEF23-78C4-11D9-BD46-0003931DA24A@freezone.co.uk> <20050207131930.GA29857@jabberwocky.com> <20050210174155.GA21347@fis.lat> Message-ID: <20050212045240.GD22456@jabberwocky.com> On Thu, Feb 10, 2005 at 09:41:55AM -0800, ms419@freezone.co.uk wrote: > I added a "sig-keyserver-url" & "keyserver-options auto-key-retrieve" to > my gpg.conf, & sure enough! verifying data signatures retrieves my > key from my preferred keyserver, if it's absent - > > I also tried signing a friend's key, but either key signing doesn't > include my "sig-keyserver-url", or I'm not correctly verifying the > signature - "gpg --keyserver-options auto-key-retrieve --list-options > show-keyserver-urls --check-sigs" doesn't retrieve the key with which I > signed my friend's key, if it's absent. There is no feature to include a keyserver URL inside a key signature. It's not an impossible thing to do, but there is no support for it currently. David From dshaw at jabberwocky.com Sat Feb 12 06:05:06 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 06:01:50 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050211202000.GD7710@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> Message-ID: <20050212050506.GE22456@jabberwocky.com> On Fri, Feb 11, 2005 at 02:20:00PM -0600, Stewart V. Wright wrote: > 1) Removed --libexecdir=%{_libexecdir}/gnupg from the configure > option. I'm not entirely sure why it still needs to be there for > the make install, but this is an rpm issue, not an auto{make,conf} > one. It looks like it's needed for the make because the RPM macro for %makeinstall is Being Helpful and overriding the libexecdir variable back to what it was before we overrode it in the first place. > 2) Removed the 'rm %{buildroot}%{_infodir}/dir' line. This file is > not created in the rpm building process, only in the install. I don't think this is correct. Removing that line causes the rpmbuild to fail on my system. Do you have the info package installed? That may be the difference between your box and mine. Try the attached spec. I think it should work now. David -------------- next part -------------- # # gnupg -- gnu privacy guard # This is a template. The dist target uses it to create the real file. # %define version 1.4.1rc1 %define name gnupg Summary: GNU Utility for data encryption and digital signatures Summary(it): Utility GNU per la sicurezza nelle comunicazioni e nell'archiviazione dei dati. Summary(cs): GNU n?stroj pro ?ifrovanou komunikaci a bezpe?n? ukl?d?n? dat Summary(fr): Utilitaire GNU de chiffrement et d'authentification des communications et des donn?es Summary(pl): Narzedzie GNU do szyfrowania i podpisywania danych Vendor: GNU Privacy Guard Project Name: %{name} Version: %{version} Release: 1 Copyright: GPL Group: Applications/Cryptography Group(cs): Aplikace/?ifrov?n? Group(fr): Applications/Cryptographie Group(it): Applicazioni/Crittografia Source: ftp://ftp.gnupg.org/gcrypt/gnupg/%{name}-%{version}.tar.gz URL: http://www.gnupg.org/ Provides: gpg openpgp Requires(post,preun): /sbin/install-info BuildRoot: %{_tmppath}/rpmbuild_%{name}-%{version} %changelog * Wed Feb 09 2005 David Shaw - Fix problem with storing the gpgkeys helpers in libexec, but calling them in libexec/gnupg. * Wed Jul 30 2003 David Shaw - Rework much of the spec to use %-macros throughout. - Fix to work properly with RPM 4.1 (all files in buildroot must be packaged) - Package and install info files. - Tweak the English description. - There is no need to install gpgv and gpgsplit setuid root. * Sat Nov 30 2002 David Shaw - Add convert-from-106 script * Sat Oct 26 2002 David Shaw - Use new path for keyserver helpers. - /usr/lib is no longer used for cipher/hash plugins. - Include gpgv, gpgsplit, and the new gnupg.7 man page. * Fri Apr 19 2002 David Shaw - Removed OPTIONS and pubring.asc - no longer used - Added doc/samplekeys.asc * Sun Mar 31 2002 David Shaw - Added the gpgkeys_xxx keyserver helpers. - Added a * to catch variations on the basic gpg man page (gpg, gpgv). - Mark options.skel as a config file. - Do not include the FAQ/faq.html twice (in /doc/ and /share/). * Wed Sep 06 2000 Fabio Coatti - Added Polish description and summary (Kindly provided by Lukasz Stelmach ) * Thu Jul 13 2000 Fabio Coatti - Added a * to catch all formats for man pages (plain, gz, bz2...) * Mon May 01 2000 Fabio Coatti - Some corrections in French description, thanks to Ga?l Qu?ri ; Some corrections to Italian descriptions. * Tue Apr 25 2000 Fabio Coatti - Removed the no longer needed patch for man page by Keith Owens * Wed Mar 1 2000 Petr Kri?tof - Czech descriptions added; some fixes and updates. * Sat Jan 15 2000 Keith Owens - Add missing man page as separate patch instead of updating the tar file. * Mon Dec 27 1999 Fabio Coatti - Upgraded for 1.0.1 (added missing gpg.1 man page) * Sat May 29 1999 Fabio Coatti - Some corrections in French description, thanks to Ga?l Qu?ri * Mon May 17 1999 Fabio Coatti - Added French description, provided by Christophe Labouisse * Thu May 06 1999 Fabio Coatti - Upgraded for 0.9.6 (removed gpgm) * Tue Jan 12 1999 Fabio Coatti - LINGUAS variable is now unset in configure to ensure that all languages will be built. (Thanks to Luca Olivetti ) * Sat Jan 02 1999 Fabio Coatti - Added pl language file. - Included g10/pubring.asc in documentation files. * Sat Dec 19 1998 Fabio Coatti - Modified the spec file provided by Caskey L. Dickson - Now it can be built also by non-root. Installation has to be done as root, gpg is suid. - Added some changes by Ross Golder - Updates for version 0.4.5 of GnuPG (.mo files) %description GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating digital signatures. GnuPG has advanced key management capabilities and is compliant with the proposed OpenPGP Internet standard described in RFC-2440. Since GnuPG doesn't use any patented algorithms, it is not compatible with some versions of PGP 2 which use only the patented IDEA algorithm. See http://www.gnupg.org/why-not-idea.html for information on using IDEA if the patent does not apply to you and you need to be compatible with these versions of PGP 2. %description -l it GnuPG (GNU Privacy Guard) ? una utility GNU per la cifratura di dati e la creazione di firme digitali. Possiede una gestione avanzata delle chiavi ed ? conforme allo standard Internet OpenPGP, descritto nella RFC 2440. Non utilizzando algoritmi brevettati, non ? compatibile con PGP2 (PGP2.x usa solo IDEA, coperto da brevetto mondiale, ed RSA, brevettato negli USA con scadenza 20/09/2000). Questi algoritmi sono utilizzabili da GnuPG tramite moduli esterni. %description -l fr GnuPG est un utilitaire GNU destin? ? chiffrer des donn?es et ? cr?er des signatures ?lectroniques. Il a des capacit?s avanc?es de gestion de cl?s et il est conforme ? la norme propos?e OpenPGP d?crite dans la RFC2440. Comme GnuPG n'utilise pas d'algorithme brevet?, il n'est compatible avec aucune version de PGP2 (PGP2.x ne sait utiliser que l'IDEA brevet? dans le monde entier et RSA, brevet? aux ?tats-Unis jusqu'au 20 septembre 2000). %description -l cs GnuPG je GNU n?stroj pro bezpe?nou komunikaci a ukl?d?n? dat. M??e b?t pou?it na ?ifrov?n? dat a vytv??en? digit?ln?ch podpis?. Obsahuje funkce pro pokro?ilou spr?vu kl??? a vyhovuje navrhovan?mu OpenPGP Internet standardu podle RFC2440. Byl vytvo?en jako kompletn? n?hrada za PGP. Proto?e neobsahuje ?ifrovac? algoritmy IDEA nebo RSA, m??e b?t pou??v?n bez omezen?. Proto?e GnuPG nepou??v? ??dn? patentovan? algoritmus, nem??e b?t ?pln? kompatibiln? s PGP verze 2. PGP 2.x pou??v? algoritmy IDEA (patentov?no celosv?tov?) a RSA (patentov?no ve Spojen?ch st?tech do 20. z??? 2000). Tyto algoritmy lze zav?st do GnuPG pomoc? extern?ch modul?. %description -l pl GnuPG (GNU Privacy Guard) jest nazedziem do szfrowania danych i tworzenia cyfrowych podpis?w. GnuPG posiada zaawansowane mozliwosci obslugi kluczy i jest zgodne z OpenPGP, proponowanym standardem internetowym opisanym w RFC2440. Poniewaz GnuPG nie uzywa zadnych opatentowanych algorytm?w nie jest wiec zgodne z jaka kolwiek wersja PGP2 (PGP2.x kozysta jedynie z algorytm?w: IDEA, opatentowanego na calym swiecie, oraz RSA, kt?rego patent na terenie Stan?w Zjednoczonych wygasa 20 wrzesnia 2000). %prep rm -rf $RPM_BUILD_ROOT %setup %build if test -n "$LINGUAS"; then unset LINGUAS fi %configure --program-prefix=%{?_program_prefix:%{_program_prefix}} make %install %makeinstall libexecdir=$RPM_BUILD_ROOT/%{_libexecdir}/gnupg %find_lang %{name} rm %{buildroot}%{_datadir}/%{name}/FAQ rm %{buildroot}%{_datadir}/%{name}/faq.html rm -f %{buildroot}%{_infodir}/dir %files -f %{name}.lang %defattr (-,root,root) %doc INSTALL AUTHORS COPYING NEWS README THANKS TODO PROJECTS doc/DETAILS %doc doc/FAQ doc/faq.html doc/HACKING doc/OpenPGP doc/samplekeys.asc %doc %attr (0755,root,root) tools/convert-from-106 %config %{_datadir}/%{name}/options.skel %{_mandir}/man1/* %{_mandir}/man7/* %{_infodir}/gpg.info* %{_infodir}/gpgv.info* %attr (4755,root,root) %{_bindir}/gpg %attr (0755,root,root) %{_bindir}/gpgv %attr (0755,root,root) %{_bindir}/gpgsplit %attr (0755,root,root) %{_libexecdir}/gnupg/* %post /sbin/install-info %{_infodir}/gpg.info %{_infodir}/dir 2>/dev/null || : /sbin/install-info %{_infodir}/gpgv.info %{_infodir}/dir 2>/dev/null || : %preun if [ $1 = 0 ]; then /sbin/install-info --delete %{_infodir}/gpg.info \ %{_infodir}/dir 2>/dev/null || : /sbin/install-info --delete %{_infodir}/gpgv.info \ %{_infodir}/dir 2>/dev/null || : fi %clean rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_DIR/%{name}-%{version} From dshaw at jabberwocky.com Sat Feb 12 06:07:48 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Feb 12 06:04:39 2005 Subject: unable to execute program `gpgkeys_hkp': Permission denied In-Reply-To: <200502110752.20696.adam00f@ducksburg.com> References: <200502110752.20696.adam00f@ducksburg.com> Message-ID: <20050212050748.GF22456@jabberwocky.com> On Fri, Feb 11, 2005 at 07:52:20AM +0000, Adam Funk wrote: > On Friday 11 February 2005 00:21, gnupg-users-request@gnupg.org wrote: > > > Hmm. ?I found all those files in /usr/local/libexec/gnupg/ on my > > > system, but identified a related problem: the /usr/local/libexec > > > and /usr/local/libexec/gnupg directories were not world-executable. > > > "chmod a+x /usr/local/libexec /usr/local/libexec/gnupg" fixed it. > > > ?Thanks for pointing me in the right direction. > > > > > > Is this a bug in the install? > > > > GnuPG doesn't actually do the install. ?Rather, automake does. ?It > > seems to take your umask into account when doing it through. ?What is > > your umask? > > I did the "./configure" and "make" with 0077, then "su", then "make > install" with 0022. That looks sane to me. I don't know. I've never seen this particular problem before. If you do the install over again, does the same thing happen? David From wesley.tabadore at gmail.com Sat Feb 12 23:26:57 2005 From: wesley.tabadore at gmail.com (Wesley Tabadore) Date: Sat Feb 12 23:23:16 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: <20050210062842.87663.qmail@smasher.org> References: <200502080135.CAA00593@vulcan.xs4all.nl> <20050208195036.79982.qmail@smasher.org> <20050210062842.87663.qmail@smasher.org> Message-ID: > right. when you select (1) and generate a DSA/elgamal key, you're creating > a DSA primary (signing) key with an elgamal (encryption) subkey. > > if you generate an RSA key you have to add subkeys after the primary is > generated. If when I create the RSA key I set the capabilities to both Sign and Encrypt, do I still need to add subkeys after creating the RSA key? What are the benefits if any? I tried using the key to both sign and encrypt and it seems to work. Thanks, Wes On Thu, 10 Feb 2005 01:29:37 -0500 (EST), Atom Smasher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On Wed, 9 Feb 2005, Wesley Tabadore wrote: > > > When generating keys, these are the only options: > > > > (1) DSA and Elgamal (default) > > (2) DSA (sign only) > > (5) RSA (sign only) > > > > However, using the --expert switch, additional options are available as well: > > > > (3) DSA (set your own capabilities) > > (7) RSA (set your own capabilities) > > > > If I chose #7 (RSA), I can choose whether to set the "capabilities of > > the key as any or all of: Sign Encrypt Authenticate. > > > > First, why is this considered an "expert" option? Second, > > Authenticate is off by default when I chose #7, what is the > > Authenticate flag used for and is there a specific reason it is off by > > default? Is an RSA key considered to be any more secure than a DSA > > key? > =============== > > these are mostly questions for dave & werner. i think the expert options > are hidden because most people never use/need them, and hiding them makes > it easier for noobs who will use the defaults anyway. > > the authenticate capability is new, and isn't really used anywhere that i > know of. one of the things that it may be used for in the future is SSH > authentication. > > it is generally considered that DSA (and elgamal) has "more security per > bit" than RSA, but not by a considerable margin. between a 1024 bit RSA > key and a 1024 bit DSA key, they're both just as hard to break (for all > practical purposes). so, since DSA is limited to 1024 bits and RSA > isn't... well, do the math... > > > > Lastly, when I issue a --list-keys command, after generating an RSA > > key (using --expert), I see the following: > > > > pub 4096R/D0915403 2005-02-09 > > uid Wesley Tabadore > > > > However, after generating a DSA and Elgamal key, and then issuing the > > --list-keys command, I get: > > > > pub 1024D/A4FD0FD9 2005-02-03 > > uid Wesley Tabadore > > sub 2048g/715F1580 2005-02-03 > > > > There appears to be an extra key (sub). Am I right in thiking that > > the 1024-bit key above is for signing and the 2048-bit key is for > > encryption? If not, what are they for? > ================ > > right. when you select (1) and generate a DSA/elgamal key, you're creating > a DSA primary (signing) key with an elgamal (encryption) subkey. > > if you generate an RSA key you have to add subkeys after the primary is > generated. > > you can use "pgpdump" to look inside a key and see what it's made of. that > helped me greatly in understanding how this all works. > > - -- > ...atom > > _________________________________________ > PGP key - http://atom.smasher.org/pgp.txt > 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 > ------------------------------------------------- > > "Men occasionally stumble over the truth, > but most of them pick themselves up and > hurry off as if nothing had happened." > -- Winston Churchill > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.0 (FreeBSD) > Comment: What is this gibberish? > Comment: http://atom.smasher.org/links/#digital_signatures > > iQEcBAEBCAAGBQJCCv9WAAoJEAx/d+cTpVcic1kH/2NF9Vdemrc8WIJ9FXLkniGP > EQbtS8qPAdjiHaxY5MxfhG1VptMtgwC8KsapvLfp9ezbaYOLBIHcUrmhmpNm0ExZ > floseIiSPZ1UEJE2dbC3IpsvMQzVKs5kzw5fPi3Vm3oPxKnIQlO0K1E6lhERn/nC > iUNTmojLH/KY/GZlhnZiBWrgggvqebTcizn1OBaiSrimwSzyAlYpWOKUCQGWh/6n > Q1WGrGSWbPcayit5ZPli+doNHi5VWuGT3yJ3Y1Xtgpd+OE28xhAMyj9H1a7S2HxY > kFZ8tbDJuV0tLmtx3euPg02Qu6KtNiA0rEbrm4zG4SNo/U16rSwOv1xqcHo65C0= > =GSSv > -----END PGP SIGNATURE----- > From atom at smasher.org Sat Feb 12 23:49:18 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Feb 12 23:44:15 2005 Subject: Strongest Key, Hash, and Cypher Algorithms In-Reply-To: References: <200502080135.CAA00593@vulcan.xs4all.nl> <20050208195036.79982.qmail@smasher.org> <20050210062842.87663.qmail@smasher.org> Message-ID: <20050212224807.16310.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, 12 Feb 2005, Wesley Tabadore wrote: > If when I create the RSA key I set the capabilities to both Sign and > Encrypt, do I still need to add subkeys after creating the RSA key? What > are the benefits if any? > > I tried using the key to both sign and encrypt and it seems to work. ====================== there's nothing wrong with having all capabilities set in the primary key, but it's generally advisable to have an encryption subkey and possibly a signing subkey (and authentication subkey?). - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "That's hard to tell. I think that, you know, I would hope to be able to convince people I could handle the Iraqi situation better." Bush-Gore debate, 11 Oct 2000 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCDof1AAoJEAx/d+cTpVciHV8H/RDygtQ4U7wg1aL8J/0n6RjP yEf5vi7gk2mmZ8oCdpJUe6bQ0zKO8SFg2XY9elHA7ztC5Jlq2vObk83/316hSWhE G6oLIC3HXbUTZaNFzBH7/A6uH/DVOExyxhOB6JcgQbkthLyiNAxCzo9V4smZRfMT r/TV+V7YfYol4cLVJiEh3vK79uYpbXHyUjhdkieHRJymMHKaI4MUV5iy6QniJ3lK yZl00GFISbU2WLoc/HWsuik62sIytZU8U8iEBP0F/RMvlCAsSm2ZcgXbD1H847eF Jb2Hkq8zC4ngdUxUbI7pIQx1F6hp+JYoszc9DIcx6/bDcD0e/6wQRqi0OLSFlXY= =r+lv -----END PGP SIGNATURE----- From federicotg at gmail.com Sun Feb 13 01:04:24 2005 From: federicotg at gmail.com (Federico Tello Gentile) Date: Sun Feb 13 01:59:32 2005 Subject: Question regarding user identification withing the keyrring Message-ID: <420E9988.4060909@gmail.com> Hi. I am writting a tool to help distribute files securely using cryptography and I am basing my ideas on PGP (in fact its web of trust model). I have a doubt regarding how does such a tool (GPG, PGP) identify users when it has to pick up a public key from the keyrring to verify a signature. Does the signed message provide the signer's public key along with its name and email? Does the system look for the email and name in the reciever's keyring and try to verify the signature with one that matches? I have to decide what information would I use for matching a signed document with a user's certificate, should I use the public key or the email? I know X.509 certificates have a unique Id per certificate issued, but that is because there is a central CA issueing all certs., which is not the case when using GPG. I know this is not related to GPG particularly, but I thought maybe some of you may help me. I hope you understand my question. Thanks you and sorry for bothering you. From federicotg at gmail.com Sun Feb 13 16:39:16 2005 From: federicotg at gmail.com (Federico Tello Gentile) Date: Sun Feb 13 16:34:44 2005 Subject: Question regarding user identification withing the keyrring In-Reply-To: <200502131052.15836.linux@codehelp.co.uk> References: <420E9988.4060909@gmail.com> <200502131052.15836.linux@codehelp.co.uk> Message-ID: <420F74A4.1090107@gmail.com> Neil Williams wrote: >The fingerprint of any OpenPGP key is unique. > > > Thanks, you have clarified this to me. However isn't there a very small chance (of course negligible) that 2 users will generate the same keypair? After all a key is just a computer generated number and each key is independently generated by each user. Anyway, now know I have to use the public key as the keyID or a hash of it, thanks. From erwan at rail.eu.org Sun Feb 13 16:51:55 2005 From: erwan at rail.eu.org (Erwan David) Date: Sun Feb 13 16:48:15 2005 Subject: Question regarding user identification withing the keyrring In-Reply-To: <420F74A4.1090107@gmail.com> References: <420E9988.4060909@gmail.com> <200502131052.15836.linux@codehelp.co.uk> <420F74A4.1090107@gmail.com> Message-ID: <20050213155155.GA28296@nez-casse.depot.rail.eu.org> Le Sun 13/02/2005, Federico Tello Gentile disait > Neil Williams wrote: > > >The fingerprint of any OpenPGP key is unique. > > > > > > > Thanks, you have clarified this to me. However isn't there a very small > chance (of course negligible) that 2 users will generate the same > keypair? After all a key is just a computer generated number and each > key is independently generated by each user. There is also a small chance a cosmic ray will change one bit inside the processor during the calculation. If I remember the probability is higher for the cosmic ray. -- Erwan From wk at gnupg.org Sun Feb 13 17:24:59 2005 From: wk at gnupg.org (Werner Koch) Date: Sun Feb 13 17:21:04 2005 Subject: Question regarding user identification withing the keyrring In-Reply-To: <420E9988.4060909@gmail.com> (Federico Tello Gentile's message of "Sat, 12 Feb 2005 21:04:24 -0300") References: <420E9988.4060909@gmail.com> Message-ID: <877jlcig10.fsf@wheatstone.g10code.de> On Sat, 12 Feb 2005 21:04:24 -0300, Federico Tello Gentile said: > Does the signed message provide the signer's public key along with its > name and email? Does the system look for the email and name in the No, you need to get the public key from elsewhere (usually a keyserver). The key for signature verification is looked up by the keyid. > I have to decide what information would I use for matching a signed > document with a user's certificate, should I use the public key or the > email? Use the fingerprint > I know X.509 certificates have a unique Id per certificate issued, > but Which is not always unique as some CA issues new certificates using the same serial number. Shalom-Salam, Werner From swright at physics.adelaide.edu.au Sun Feb 13 17:25:58 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Sun Feb 13 17:22:42 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050212050506.GE22456@jabberwocky.com> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> Message-ID: <20050213162558.GA5569@anl.gov> G'day David, * David Shaw [050211 23:10]: > On Fri, Feb 11, 2005 at 02:20:00PM -0600, Stewart V. Wright wrote: > > > 1) Removed --libexecdir=%{_libexecdir}/gnupg from the configure > > option. I'm not entirely sure why it still needs to be there for > > the make install, but this is an rpm issue, not an auto{make,conf} > > one. > > It looks like it's needed for the make because the RPM macro for > %makeinstall is Being Helpful and overriding the libexecdir variable > back to what it was before we overrode it in the first place. That's the impression I got. > > 2) Removed the 'rm %{buildroot}%{_infodir}/dir' line. This file is > > not created in the rpm building process, only in the install. > > I don't think this is correct. Removing that line causes the rpmbuild > to fail on my system. Do you have the info package installed? That > may be the difference between your box and mine. I do have info installed. I checked that info was working with the previous attempt at an spec file. > Try the attached spec. I think it should work now. Yup. I guess I should have RTFM for rm and just gone with the -f flag... Good catch! Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050213/e37c3b27/attachment.pgp From cripto at ecn.org Fri Feb 11 14:42:05 2005 From: cripto at ecn.org (Anonymous) Date: Mon Feb 14 11:04:26 2005 Subject: anything like a --target-directory option? Message-ID: <2f44eb39c78c6e5ce9574a39d83734d5@ecn.org> `gpg path/to/foo.gpg` decrypts to path/to/foo `gpg -d path/to/foo.gpg >target/path/foo` decrypts to the specified destination `gpg --multifile path/to/foo1.gpg path/to/foo2.gpg ...` puts all the decrypted files in path/to/ Is there any way to "bulk-decrypt" a bunch of files to one specified target directory? Thanks. From mconahan at iotest.org Mon Feb 14 18:09:57 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Mon Feb 14 18:06:08 2005 Subject: How to encrypt attachments in MIME using inline-PGP Message-ID: <4210DB65.1070001@iotest.org> Hi everyone, If a PGP recipient is using an application that only accepts inline-PGP, how do I contruct the MIME so that I can send attachments. I realize that Enigmail (as do some other apps) does it for you, but I was wondering if anyone knows what the general process is for handling attachments in inline-PGP? Michael From atom at smasher.org Mon Feb 14 18:19:23 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Feb 14 18:14:22 2005 Subject: How to encrypt attachments in MIME using inline-PGP In-Reply-To: <4210DB65.1070001@iotest.org> References: <4210DB65.1070001@iotest.org> Message-ID: <20050214171800.55417.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, 14 Feb 2005, mconahan@iotest.org wrote: > If a PGP recipient is using an application that only accepts > inline-PGP, how do I contruct the MIME so that I can send attachments. > I realize that Enigmail (as do some other apps) does it for you, but I > was wondering if anyone knows what the general process is for handling > attachments in inline-PGP? ===================== encrypt the file(s) you want to attach attach. then attach the encrypted file(s). - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Don't fight it son. Confess quickly! If you hold out too long you could jeopardize your credit rating." -- Brazil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCEN2hAAoJEAx/d+cTpVcislEH/3NopAsLFHGRbxtc2uWQ6fZh SrNAQAFag9l2MHGOrjbSbGHVZjsQwTSAyidPQvcvks2NY+wGz6h0xNqg4/UMDcsL ulldVNif2T73lCWVW6qQdrkBj5Z9YbOkWSMRdVrmFk1JPZ2BlwxMvXIerR/lChKz DnSW6sVpQyUZ3gW2Yb5QoKayF/u9bj3kaPIY6Vj5aeMFr5fC6maE8u+dZwF8ByR7 M53350NA+DP3fupoKYYjgDDKY7l6zWnSUX99N5jdQ8GngHW7qru/YjJAcKsqbJqn GDTcNKDCwrPTc7TZSlj+hnnCapnLGkzZhGU+N+wSicTwnvtoC2x6ICUf/CaF/ms= =xk+p -----END PGP SIGNATURE----- From Freedom_Lover at pobox.com Mon Feb 14 22:08:00 2005 From: Freedom_Lover at pobox.com (Todd) Date: Mon Feb 14 22:04:49 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050212050506.GE22456@jabberwocky.com> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> Message-ID: <20050214210800.GR4175@psilocybe.teonanacatl.org> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 318 bytes Desc: not available Url : /pipermail/attachments/20050214/b1a2fa86/attachment.pgp From bastien.laporte-riou at medincell.com Tue Feb 15 17:10:17 2005 From: bastien.laporte-riou at medincell.com (Bastien Laporte-Riou) Date: Tue Feb 15 17:05:29 2005 Subject: Backup with encryption Message-ID: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> Hello, I work actually on a system of backup on my server and to secure my data i encrypt it with gnupg. But i have a problem, actually i have export my public key and i don't know how to export my secret-key because if i have a crash on my server all my data could not be decryt because i haven't the secret key i have made a test. Then my question how can i made a backup ok my secret-key to decrypt my data before a crash? Thanks for your answer. Excuse my english i am french. Best Regards. -- ___________________________ Medincell Bastien Laporte-Riou Email : bastien.laporte-riou@medincell.com Web : http://www.medincell.com Sent date : 02.15.2005 ___________________________ Disclaimer - This email and any files transmitted with it are confidential and contain privileged or copyright information. You must not present this message to another party without gaining permission from the sender. If you are not the intended recipient you must not copy, distribute or use this email or the information contained in it for any purpose other than to notify us. If you have received this message in error, please notify the sender immediately, and delete this email from your system. We do not guarantee that this material is free from viruses or any other defects although due care has been taken to minimise the risk. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Medincell. From mail at renelemme.de Tue Feb 15 18:40:59 2005 From: mail at renelemme.de (=?iso-8859-1?q?Ren=E9_Lemme?=) Date: Tue Feb 15 19:28:51 2005 Subject: Changing passphrase Message-ID: <200502151841.06753.mail@renelemme.de> Hello group, what would happen if I would change the passphrase of my sec-key but keep a copy of the sec-key with the old passphrase? Could both sec-key files on different pc's be used? Regards, _rene -- GnupPG Key-ID: 0xBFCC946E download @ www.renelemme.de -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050215/e7f86752/attachment.pgp From mconahan at zixtestott.com Tue Feb 15 19:41:51 2005 From: mconahan at zixtestott.com (mconahan@zixtestott.com) Date: Tue Feb 15 20:35:21 2005 Subject: Backup with encryption In-Reply-To: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> Message-ID: <4212426F.4040906@zixtestott.com> Bastien Laporte-Riou wrote: >Hello, > > I work actually on a system of backup on my server and to secure my data i >encrypt it with gnupg. But i have a problem, actually i have export my >public key and i don't know how to export my secret-key because if i have a >crash on my server all my data could not be decryt because i haven't the >secret key i have made a test. Then my question how can i made a backup ok >my secret-key to decrypt my data before a crash? > >Thanks for your answer. > >Excuse my english i am french. > >Best Regards. >-- > > I recommend backing up your public and private keyring files "pubring.gpg" and "secring.gpg" located in your gpg home directory. If your server crashes, simply obain gpg, install, and place your keyring backup files in the gpg home directory, and everything should be cool. From linux at codehelp.co.uk Tue Feb 15 21:00:13 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Feb 15 20:56:14 2005 Subject: Changing passphrase In-Reply-To: <200502151841.06753.mail@renelemme.de> References: <200502151841.06753.mail@renelemme.de> Message-ID: <200502152000.15805.linux@codehelp.co.uk> On Tuesday 15 February 2005 5:40 pm, Ren? Lemme wrote: > Hello group, > > what would happen if I would change the passphrase of my sec-key but keep a > copy of the sec-key with the old passphrase? Could both sec-key files on > different pc's be used? Provided you remember which passphrase is which, yes. Either key can be used to decrypt messages sent to the public key or to make signatures with the one key. But, why not just have two keys? Having two passphrases is no more secure because you can do everything with either passphrase, all you need is the right passphrase - so no change there. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050215/38e7ec28/attachment.pgp From mail at renelemme.de Tue Feb 15 21:18:48 2005 From: mail at renelemme.de (=?utf-8?q?Ren=C3=A9_Lemme?=) Date: Tue Feb 15 21:14:46 2005 Subject: Changing passphrase In-Reply-To: <200502152000.15805.linux@codehelp.co.uk> References: <200502151841.06753.mail@renelemme.de> <200502152000.15805.linux@codehelp.co.uk> Message-ID: <200502152118.57669.mail@renelemme.de> Am Dienstag, 15. Februar 2005 21:00 schrieb Neil Williams: > On Tuesday 15 February 2005 5:40 pm, Ren? Lemme wrote: > > Hello group, > > > > what would happen if I would change the passphrase of my sec-key but keep > > a copy of the sec-key with the old passphrase? Could both sec-key files > > on different pc's be used? > > Provided you remember which passphrase is which, yes. Either key can be > used to decrypt messages sent to the public key or to make signatures with > the one key. > > But, why not just have two keys? > > Having two passphrases is no more secure because you can do everything with > either passphrase, all you need is the right passphrase - so no change > there. Thanks for the answer. Was just wondering if I had to change the passphrase on different pc's at the same time or if I could still use the key with different passphrases before synching them. _rene -- GnupPG Key-ID: 0xBFCC946E download @ www.renelemme.de -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050215/814875f8/attachment.pgp From linux at codehelp.co.uk Tue Feb 15 22:10:31 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Feb 15 22:06:28 2005 Subject: Changing passphrase In-Reply-To: <200502152118.57669.mail@renelemme.de> References: <200502151841.06753.mail@renelemme.de> <200502152000.15805.linux@codehelp.co.uk> <200502152118.57669.mail@renelemme.de> Message-ID: <200502152110.31903.linux@codehelp.co.uk> On Tuesday 15 February 2005 8:18 pm, Ren? Lemme wrote: > Thanks for the answer. Was just wondering if I had to change the passphrase > on different pc's at the same time or if I could still use the key with > different passphrases before synching them. There is actually no need to synchronise secret keys, once exported, the copy remains valid and doesn't ever need to know about the 'original'. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050215/3734311b/attachment-0001.pgp From greg at turnstep.com Wed Feb 16 05:14:09 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Wed Feb 16 06:10:58 2005 Subject: Backup with encryption In-Reply-To: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> Message-ID: <21f9090dfefa95355b0be4e8a3dcc357@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I work actually on a system of backup on my server and to secure my data i > encrypt it with gnupg. But i have a problem, actually i have export my > public key and i don't know how to export my secret-key because if i have a > crash on my server all my data could not be decryt because i haven't the > secret key i have made a test. Then my question how can i made a backup ok > my secret-key to decrypt my data before a crash? You could also use plain-old symmetric encryption: gpg -ca yourfile (the "a" is optional but makes the files easy to recognize and send through email) The only thing you have to worry about then is forgetting the password. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200502152313 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFCEsjsvJuQZxSWSsgRAqIaAJ9Z1CnI+OtxxyKEtc/cjgj1Lj+pSgCgiz3a RlpFvtf4gpkirWUAHgE5zFw= =bvka -----END PGP SIGNATURE----- From erpo41 at hotpop.com Wed Feb 16 09:48:29 2005 From: erpo41 at hotpop.com (Eric Anopolsky) Date: Wed Feb 16 09:44:00 2005 Subject: SHA1 broken? Message-ID: <1108543709.5827.1.camel@localhost.localdomain> http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218 Does anyone know anything about this? From pt at radvis.nu Wed Feb 16 09:42:56 2005 From: pt at radvis.nu (pt@radvis.nu) Date: Wed Feb 16 09:51:10 2005 Subject: How to display fingerprint for secret key Message-ID: <1108543376.26203@ns1.softit.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I did some testing and ended up with two secret keys with the same (short) keyid. Is there any way to display a long keyid or the whole fingerprint? Yours, Per Tunedal -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) - WinPT 0.7.96 Comment: Vad är en pgp-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCEwtApPsTvNtsBX8RAouOAKCAT8dSqKUt1msx+IVZ+5s1+Eae4gCbBPjd 35iCFJ2jgSOK6+dZBLUi0sU= =XRS3 -----END PGP SIGNATURE----- _________________________________________________ Detta meddelande skickades från SoftIT - Webmail http://www.softit.se From mads at warhead.org.uk Wed Feb 16 14:13:43 2005 From: mads at warhead.org.uk (Mads Munch Hansen) Date: Wed Feb 16 14:19:45 2005 Subject: Backup with encryption In-Reply-To: <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> Message-ID: Greg Sabino Mullane wrote: > > >>>I work actually on a system of backup on my server and to secure my data i >>>encrypt it with gnupg. But i have a problem, actually i have export my >>>public key and i don't know how to export my secret-key because if i have a >>>crash on my server all my data could not be decryt because i haven't the >>>secret key i have made a test. Then my question how can i made a backup ok >>>my secret-key to decrypt my data before a crash? > > > You could also use plain-old symmetric encryption: > > gpg -ca yourfile > > (the "a" is optional but makes the files easy to recognize and send through > email) > > The only thing you have to worry about then is forgetting the password. > > -- > Greg Sabino Mullane greg@turnstep.com > PGP Key: 0x14964AC8 200502152313 > http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 That would mean he would have to input a passphrase everytime he does a backups, or make a script that does it for him, which could be a potential security risk. By using a public key, the backups can be done unatended with no risk of passphrase being compromised if the script(s) are. (it would be a good idea nontheless to keep the secret key on another system though) Regards Mads -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050216/73e2f263/signature.pgp From dshaw at jabberwocky.com Wed Feb 16 15:44:19 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 15:40:59 2005 Subject: SHA1 broken? In-Reply-To: <1108543709.5827.1.camel@localhost.localdomain> References: <1108543709.5827.1.camel@localhost.localdomain> Message-ID: <20050216144419.GC21336@jabberwocky.com> On Wed, Feb 16, 2005 at 12:48:29AM -0800, Eric Anopolsky wrote: > http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218 > > Does anyone know anything about this? The paper has not been published yet, but the information released thus far indicates the team was able to find a collision in SHA-1 in 2^69 operations. Since SHA-1 should have been resistant to collision to 2^80 operations, this is a very impressive attack. Incidentally, this is same team that was behind the successful attack on MD5. However, in the real world this doesn't seem like a very useful attack. It's rather like someone pointing out that the 100 foot high wall around your house is only 50 feet high. True, the wall is not as tell as claimed, but it's still probably taller than it needs to be. To put this in perspective, the "broken" SHA-1 is stronger than MD5 was thought to be before the MD5 breaks were discovered (MD5 was 2^64). Still, I'm speculating based on the little information that has been released. Nobody really knows all the details yet since the paper hasn't been published. It is not yet known if the attack can be extended to the SHA-2 hashes (SHA-256, SHA-384, and SHA-512). Even if it can be extended, the sheer length of the SHA-2 hashes may render the attack moot in practical terms... or it might not. We just don't know yet. In terms of GnuPG: it's up to you whether you want to switch hashes or not. GnuPG supports all of the SHA-2 hashes, so they are at least available. Be careful you don't run up against compatibility problems: PGP doesn't support 384 or 512, and only recently started supporting 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new hashes. Finally, if you have a DSA signing key (most people do) you are required to use either SHA-1 or RIPEMD/160. RSA signing keys can use any hash. David From dshaw at jabberwocky.com Wed Feb 16 15:45:35 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 15:42:24 2005 Subject: How to display fingerprint for secret key In-Reply-To: <1108543376.26203@ns1.softit.net> References: <1108543376.26203@ns1.softit.net> Message-ID: <20050216144535.GD21336@jabberwocky.com> On Wed, Feb 16, 2005 at 09:42:56AM +0100, pt@radvis.nu wrote: > Hi, > I did some testing and ended up with two secret keys with the same (short) > keyid. Is there any way to display a long keyid or the whole fingerprint? gpg --keyid-format long --list-secret-keys gpg --fingerprint --list-secret-keys David From dlc at sevenroot.org Wed Feb 16 15:13:44 2005 From: dlc at sevenroot.org (Darren Chamberlain) Date: Wed Feb 16 16:07:31 2005 Subject: SHA1 broken? In-Reply-To: <1108543709.5827.1.camel@localhost.localdomain> References: <1108543709.5827.1.camel@localhost.localdomain> Message-ID: <20050216141344.GA31989@boston.com> * Eric Anopolsky [2005/02/16 00:48]: > http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218 > > Does anyone know anything about this? Bruce Schneier thinks it's probably be true (): SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. ... The paper isn't generally available yet. At this point I can't tell if the attack is real, but the paper looks good and this is a reputable research team. So this would be when we start putting: digest-algo RIPEMD160 in our gpg.conf, right? (darren) -- The tools we use have a profound (and devious!) influence on our thinking habits, and, therefore, on our thinking abilities. -- Edsger W. Dijkstra -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20050216/61a2411d/attachment.pgp From vedaal at hush.com Wed Feb 16 16:22:25 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Wed Feb 16 16:18:34 2005 Subject: sha-1 Message-ID: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com> if sha-1 does turn out to be as weak/broken as md-5, then, would it be possible for the owner of a key to somehow amend an already existing keypair, to change or add to the self-signature with a different trusted hash algorithm ? vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From dshaw at jabberwocky.com Wed Feb 16 16:33:30 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 16:30:11 2005 Subject: sha-1 In-Reply-To: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com> References: <200502161522.j1GFMQNh087918@mailserver3.hushmail.com> Message-ID: <20050216153330.GG21336@jabberwocky.com> On Wed, Feb 16, 2005 at 07:22:25AM -0800, vedaal@hush.com wrote: > if sha-1 does turn out to be as weak/broken as md-5, > > then, > would it be possible for the owner of a key > to somehow amend an already existing keypair, > > to change or add to the self-signature > with a different trusted hash algorithm ? For user IDs, that's easy and you can do that now. Just delete your self-sig and re-sign the UID. For subkey self-signatures, you can theoretically do it, but it's probably not worth it. Just revoke the old subkey and make a new one with whatever hash algorithm you like. Be careful though - remember that not all OpenPGP implementations support all hashes. You can easily make your key unusable by some people. The nice thing about SHA-1 is that it is required by the protocol so it always works. David From johanw at vulcan.xs4all.nl Wed Feb 16 16:32:03 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Feb 16 16:51:40 2005 Subject: SHA1 broken? In-Reply-To: <20050216141344.GA31989@boston.com> from Darren Chamberlain at "Feb 16, 2005 09:13:44 am" Message-ID: <200502161532.QAA01474@vulcan.xs4all.nl> Darren Chamberlain wrote: >So this would be when we start putting: > digest-algo RIPEMD160 >in our gpg.conf, right? How about SHA-256 and 512? Are they based on SHA-1? And how about getting Tiger-192 back? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dlc at sevenroot.org Wed Feb 16 16:56:57 2005 From: dlc at sevenroot.org (Darren Chamberlain) Date: Wed Feb 16 16:57:44 2005 Subject: SHA1 broken? In-Reply-To: <200502161532.QAA01474@vulcan.xs4all.nl> References: <20050216141344.GA31989@boston.com> <200502161532.QAA01474@vulcan.xs4all.nl> Message-ID: <581a2c87-4737-47e0-8b48-eac5a09882de@gir.boston.com> * Johan Wevers [2005/02/16 16:32]: > Darren Chamberlain wrote: > > >So this would be when we start putting: > > digest-algo RIPEMD160 > >in our gpg.conf, right? > > How about SHA-256 and 512? Are they based on SHA-1? And how about > getting Tiger-192 back? David Shaw just said[0]: > Finally, if you have a DSA signing key (most people do) you are > required to use either SHA-1 or RIPEMD/160. RSA signing keys can > use any hash. I'm one of "most people", apparently, since gpg threw an error when I specified SHA-256. :) (darren) [0] -- Three things in human life are important: the first is to be kind; the second is to be kind; and the third is to be kind. -- Henry James -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : /pipermail/attachments/20050216/3c828328/attachment.pgp From atom at smasher.org Wed Feb 16 17:13:23 2005 From: atom at smasher.org (Atom Smasher) Date: Wed Feb 16 17:08:00 2005 Subject: SHA1 broken? In-Reply-To: <20050216144419.GC21336@jabberwocky.com> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> Message-ID: <20050216161147.43569.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 16 Feb 2005, David Shaw wrote: > In terms of GnuPG: it's up to you whether you want to switch hashes or > not. GnuPG supports all of the SHA-2 hashes, so they are at least > available. Be careful you don't run up against compatibility problems: > PGP doesn't support 384 or 512, and only recently started supporting > 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new > hashes. Finally, if you have a DSA signing key (most people do) you are > required to use either SHA-1 or RIPEMD/160. RSA signing keys can use > any hash. ==================== there's more to it than that. openPGP specifies SHA-1 (and nothing else) as the hash used to generate key fingerprints, and is what key IDs are derived from. a real threat if this can be extended into a practical attack is substituting a key with a *different* key having the same ID and fingerprint. it would be difficult for average users (and impossible for the current openPGP infrastructure) to tell bob's key from mallory's key that claims to be bob's. it can also be used (if the attack becomes practical) to forge key signatures. mallory can create a bogus key and "sign" it with anyone's real key. this would turn the web of trust into dust. the openPGP spec seemed to have assumed that SHA-1 just wouldn't fail. ever. this was the same mistake made in the original version of pgp that relied on md5. the spec needs to allow a choice of hash algorithms for fingerprints and key IDs, or else we'll play this game every time someone breaks a strong hash algorithm. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCE3EoAAoJEAx/d+cTpVcinwsIAKnjw1AqwY0guPtdxMagoZC2 Rv7mCZt3QnpH4uEaWNLh5R3VImVwOBevW9VdYm+UdMwdmodD79Bc0MyPOaHDuUiP okmo0PigWIht2vGWK7F6xLtUwLUlGyuAWO5w8g/hNCt0ftdb1jUam0wQtqnTTarM B1kyTWU0sHsjyloSh0umQ8kC0nt9nNhLIasp84oIo+D3b0r6yKIWjMS7dHr1hIbx 2gXBdVw01HJng/BtF/THfZwAD2IE+OLNPg4Q6v6QnVf3BGBBPSiiD2mXrizuknA8 RevXGYgBc4plOWOlDmx2ydbRqFHe5obGMGFCk4muFh8veFhPbFxCKvfBwsawi+U= =f0+g -----END PGP SIGNATURE----- From sk at intertivity.com Wed Feb 16 17:12:07 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 16 17:08:14 2005 Subject: SHA1 broken? In-Reply-To: <20050216144419.GC21336@jabberwocky.com> Message-ID: <000901c51442$44274af0$f300a8c0@HOME> Not really true. If your wall is 100 meters (i dont how to calculate in foot) high, and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters high. Which is actually a big difference. But it's that it is still higher than the MD5 wall. :) On 16. Februar 2005 15:44, David Shaw wrote: > However, in the real world this doesn't seem like a very > useful attack. It's rather like someone pointing out that > the 100 foot high wall around your house is only 50 feet > high. True, the wall is not as tell as claimed, but it's > still probably taller than it needs to be. To put this in > perspective, the "broken" SHA-1 is stronger than MD5 was > thought to be before the MD5 breaks were discovered (MD5 was 2^64). From dshaw at jabberwocky.com Wed Feb 16 17:19:43 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 17:19:51 2005 Subject: SHA1 broken? In-Reply-To: <000901c51442$44274af0$f300a8c0@HOME> References: <20050216144419.GC21336@jabberwocky.com> <000901c51442$44274af0$f300a8c0@HOME> Message-ID: <20050216161943.GA23828@jabberwocky.com> On Wed, Feb 16, 2005 at 05:12:07PM +0100, Kiefer, Sascha wrote: > Not really true. > If your wall is 100 meters (i dont how to calculate in foot) high, > and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters > high. Which is actually a big difference. But it's that it is still higher > than the MD5 wall. :) Sure, assuming the SHA-1 "wall" was only 100 meters high in the first place... David From sk at intertivity.com Wed Feb 16 17:28:40 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Feb 16 17:24:54 2005 Subject: SHA1 broken? In-Reply-To: <20050216161943.GA23828@jabberwocky.com> Message-ID: <000501c51444$93922f90$f300a8c0@HOME> Yes... But you started it ... :) Just wanted to say that the difference is enormous. As cpu speed grows (and so on) it's just a matter of time! > On Wed, Feb 16, 2005 at 05:12:07PM +0100, Kiefer, Sascha wrote: > > Not really true. > > If your wall is 100 meters (i dont how to calculate in > foot) high, and > > the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters > > high. Which is actually a big difference. But it's that it is still > > higher than the MD5 wall. :) > > Sure, assuming the SHA-1 "wall" was only 100 meters high in > the first place... > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From dshaw at jabberwocky.com Wed Feb 16 17:56:09 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 17:52:56 2005 Subject: SHA1 broken? In-Reply-To: <20050216161147.43569.qmail@smasher.org> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> Message-ID: <20050216165609.GB23828@jabberwocky.com> On Wed, Feb 16, 2005 at 11:13:23AM -0500, Atom Smasher wrote: > On Wed, 16 Feb 2005, David Shaw wrote: > > > In terms of GnuPG: it's up to you whether you want to switch hashes or > > not. GnuPG supports all of the SHA-2 hashes, so they are at least > > available. Be careful you don't run up against compatibility problems: > > PGP doesn't support 384 or 512, and only recently started supporting > > 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of the new > > hashes. Finally, if you have a DSA signing key (most people do) you are > > required to use either SHA-1 or RIPEMD/160. RSA signing keys can use > > any hash. > ==================== > > there's more to it than that. openPGP specifies SHA-1 (and nothing else) > as the hash used to generate key fingerprints, and is what key IDs are > derived from. > > a real threat if this can be extended into a practical attack is > substituting a key with a *different* key having the same ID and > fingerprint. it would be difficult for average users (and impossible for > the current openPGP infrastructure) to tell bob's key from mallory's key > that claims to be bob's. > > it can also be used (if the attack becomes practical) to forge key > signatures. mallory can create a bogus key and "sign" it with anyone's > real key. this would turn the web of trust into dust. If you presuppose a workable attack you can conjecture any result you like. Let's not go off the deep end here. Skipping completely over the point that the paper has not been published yet so it can be checked over by the cryptographic community, let's assume that they have indeed done what they claim to have done: demonstrated they can find a collision in 2^69 instead of 2^80 operations. A collision attack. Not a preimage attack. And it's not workable in practice. How many entities have the ability to do 2^69 operations in a sane amount of time? Without more information, it looks to me like we are now in the position we were in with MD5 several years ago. It's not broken in practical terms yet. Attacks don't get worse over time, of course, so we need to start moving to something better. SHA-1 was already being phased out: http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp To be sure, this is bad, but the sky isn't falling yet. David From dshaw at jabberwocky.com Wed Feb 16 17:57:36 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 17:54:21 2005 Subject: SHA1 broken? In-Reply-To: <000501c51444$93922f90$f300a8c0@HOME> References: <20050216161943.GA23828@jabberwocky.com> <000501c51444$93922f90$f300a8c0@HOME> Message-ID: <20050216165736.GA23931@jabberwocky.com> On Wed, Feb 16, 2005 at 05:28:40PM +0100, Kiefer, Sascha wrote: > Yes... But you started it ... :) > Just wanted to say that the difference is enormous. > As cpu speed grows (and so on) it's just a matter of time! Yes it is. Assuming this is true, we must start migrating away from SHA-1. Actually, we should start this anyway - even the NIST recommends moving away from SHA-1 for long-term security. David From atom at smasher.org Wed Feb 16 18:20:52 2005 From: atom at smasher.org (Atom Smasher) Date: Wed Feb 16 18:15:37 2005 Subject: SHA1 broken? In-Reply-To: <20050216165609.GB23828@jabberwocky.com> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> Message-ID: <20050216171915.81275.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 16 Feb 2005, David Shaw wrote: > Without more information, it looks to me like we are now in the position > we were in with MD5 several years ago. It's not broken in practical > terms yet. Attacks don't get worse over time, of course, so we need to > start moving to something better. SHA-1 was already being phased out: > http://www.fcw.com/fcw/articles/2005/0207/web-hash-02-07-05.asp > > To be sure, this is bad, but the sky isn't falling yet. =============== agreed. my point is really that the fingerprint/ID hash algo shouldn't be carved in stone. like most other parts of the openPGP spec, it should be flexible and user defined (within certain constraints). as time goes by, strong algorithms are proven to be not as strong as originally thought. this has happened to MD5, is now happening to SHA-1, and will just as likely happen to the next generation of hash algorithms. the spec needs to adapt to this landscape, not be re-written every time a hash is broken. the spec has it right where the digest and cipher algorithms are concerned, and that needs to be adapted to fingerprints and key IDs. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I've always thought that underpopulated countries in Africa are vastly under-polluted." -- Lawrence Summers, chief economist of the World Bank, explaining why we should export toxic wastes to Third World countries -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCE4D6AAoJEAx/d+cTpVci2BwIAJaMmw4NGLCEzaTOC6fTqRit 7ymuHFsmGkXScFFnB6V3ELV4PFQEvY0tyw+3ZgFXEYX4/67q/UPQxHpNHzHjjMn8 w/tp7qgKEE6/PKRWsUBJBaXIyZ/6TYmdZIX0XlkJcW2/b2lWWVvo8FcxJ+FjsU+W zBY6YrlFMbn+3f08A8lWp3JUVK1L8iZLaC8fiZ46UpJWnE4Idwt+V5RAGTrocaQR CYCcT8TSl27xMAWHJWcLM5dXnrxOP6fpLCUOhSvR1+YrfnhoWZJRP5rEzA6WPRZi IWTQpy0UmkTqECEtgOcXJOYSYmLEcOScFrw7Hn9j5xeO5U6hioEo/AvF70L1/lc= =v9e1 -----END PGP SIGNATURE----- From dany_list at natzo.com Wed Feb 16 18:45:50 2005 From: dany_list at natzo.com (Dany Nativel) Date: Wed Feb 16 18:42:06 2005 Subject: Backup with encryption In-Reply-To: References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> Message-ID: <421386CE.2030103@natzo.com> What about Duplicity ? http://www.nongnu.org/duplicity/ Dany Mads Munch Hansen wrote: > Greg Sabino Mullane wrote: > >> >> >>>> I work actually on a system of backup on my server and to secure my >>>> data i >>>> encrypt it with gnupg. But i have a problem, actually i have export my >>>> public key and i don't know how to export my secret-key because if >>>> i have a >>>> crash on my server all my data could not be decryt because i >>>> haven't the >>>> secret key i have made a test. Then my question how can i made a >>>> backup ok >>>> my secret-key to decrypt my data before a crash? >>> >> >> >> You could also use plain-old symmetric encryption: >> >> gpg -ca yourfile >> >> (the "a" is optional but makes the files easy to recognize and send >> through >> email) >> >> The only thing you have to worry about then is forgetting the password. >> >> -- >> Greg Sabino Mullane greg@turnstep.com >> PGP Key: 0x14964AC8 200502152313 >> http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 > > > That would mean he would have to input a passphrase everytime he does a > backups, or make a script that does it for him, which could be a > potential security risk. By using a public key, the backups can be done > unatended with no risk of passphrase being compromised if the script(s) > are. (it would be a good idea nontheless to keep the secret key on > another system though) > > Regards > Mads > >------------------------------------------------------------------------ > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From wk at gnupg.org Wed Feb 16 19:54:35 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 16 19:51:07 2005 Subject: SHA1 broken? In-Reply-To: <20050216165736.GA23931@jabberwocky.com> (David Shaw's message of "Wed, 16 Feb 2005 11:57:36 -0500") References: <20050216161943.GA23828@jabberwocky.com> <000501c51444$93922f90$f300a8c0@HOME> <20050216165736.GA23931@jabberwocky.com> Message-ID: <87u0ocz66s.fsf@wheatstone.g10code.de> On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said: > Yes it is. Assuming this is true, we must start migrating away from > SHA-1. Actually, we should start this anyway - even the NIST > recommends moving away from SHA-1 for long-term security. The real problem with the breakthrough is, that it seems that they have developed a new cryptoanalytical method and that might pave the way for further improvements. Over the last 2 decades the art of cryptoanalysis has changed dramatically in the area of symmetric ciphers. This will probably also happen to hash algorithms now. There is however a huge problem replace SHA-1 by something else from now to tomorrow: Other algorithms are not as well anaylyzed and compared against SHA-1 as for example AES to DES are; so there is no immediate successor of SHA-1 of whom we can be sure to withstand the possible new techniques. Second, SHA-1 is tightly integrated in many protocols without a fallback algorithms (OpenPGP: fingerprints, MDC, default signature algorithm and more). Salam-Shalom, Werner From wk at gnupg.org Wed Feb 16 19:59:24 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 16 19:56:02 2005 Subject: SHA1 broken? In-Reply-To: <20050216171915.81275.qmail@smasher.org> (Atom Smasher's message of "Wed, 16 Feb 2005 12:20:52 -0500 (EST)") References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> <20050216171915.81275.qmail@smasher.org> Message-ID: <87psz0z5yr.fsf@wheatstone.g10code.de> On Wed, 16 Feb 2005 12:20:52 -0500 (EST), Atom Smasher said: > agreed. my point is really that the fingerprint/ID hash algo shouldn't > be carved in stone. like most other parts of the openPGP spec, it > should be flexible and user defined (within certain constraints). as Flexibility opens the road for rollback attacks. Thus it is sound to rely on one specific algorithm for certain problem domains. Assuming that the SHA-1 collision calculation is simialar to the MD5 one, tehre is even no immediate danger due to the way the fingerprints are calculated: The first block used in the fingerprint calculation is more or less a constant and can't be change to create a working faked key. Shalom-Salam, Werner From wk at gnupg.org Wed Feb 16 20:02:20 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Feb 16 20:01:00 2005 Subject: SHA1 broken? In-Reply-To: <20050216141344.GA31989@boston.com> (Darren Chamberlain's message of "Wed, 16 Feb 2005 09:13:44 -0500") References: <1108543709.5827.1.camel@localhost.localdomain> <20050216141344.GA31989@boston.com> Message-ID: <87ll9oz5tv.fsf@wheatstone.g10code.de> On Wed, 16 Feb 2005 09:13:44 -0500, Darren Chamberlain said: > digest-algo RIPEMD160 > in our gpg.conf, right? Assume that you have the power to create a calculation. What would be your target: A single message or a CA key? I'd go for a CA or other important key. Here we rely on SHA-1 for fingerprint calculation and the fingerprint is that piece of information we almost always use to compare keys. You can't change that. Salam-Shalom, Werner From dshaw at jabberwocky.com Wed Feb 16 20:08:11 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Feb 16 20:05:03 2005 Subject: SHA1 broken? In-Reply-To: <87u0ocz66s.fsf@wheatstone.g10code.de> References: <20050216161943.GA23828@jabberwocky.com> <000501c51444$93922f90$f300a8c0@HOME> <20050216165736.GA23931@jabberwocky.com> <87u0ocz66s.fsf@wheatstone.g10code.de> Message-ID: <20050216190811.GA24054@jabberwocky.com> On Wed, Feb 16, 2005 at 07:54:35PM +0100, Werner Koch wrote: > On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said: > > > Yes it is. Assuming this is true, we must start migrating away from > > SHA-1. Actually, we should start this anyway - even the NIST > > recommends moving away from SHA-1 for long-term security. > > The real problem with the breakthrough is, that it seems that they > have developed a new cryptoanalytical method and that might pave the > way for further improvements. Over the last 2 decades the art of > cryptoanalysis has changed dramatically in the area of symmetric > ciphers. This will probably also happen to hash algorithms now. > > There is however a huge problem replace SHA-1 by something else from > now to tomorrow: Other algorithms are not as well anaylyzed and > compared against SHA-1 as for example AES to DES are; so there is no > immediate successor of SHA-1 of whom we can be sure to withstand the > possible new techniques. Second, SHA-1 is tightly integrated in many > protocols without a fallback algorithms (OpenPGP: fingerprints, MDC, > default signature algorithm and more). Yes. The update cannot happen overnight. I see this like MD5 a few years back. It is time to start the migration now because it will certainly take several years to complete. As you point out, the first step in the migration is knowing what to migrate to, and that is not at all clear yet. Until we know what we're doing, I think we can do more harm by running around crazy and changing things without careful study. David From jason.barnett at telesuite.com Wed Feb 16 20:22:01 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Wed Feb 16 20:21:43 2005 Subject: Newsgroup signing error In-Reply-To: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> Message-ID: vedaal@hush.com wrote: > if sha-1 does turn out to be as weak/broken as md-5, > ... My apologies for responding to this thread instead of starting a new one, but I need to do this as a reply for a test. I am a member of another newsgroup (php.general) where I regularly post messages and sign them. However, I have noticed that some of my messages will sign correctly while others do not. I use Thunderbird 1.0 with Enigmail 0.90.1.1 to post / read messages from that server. So my question is: is this really a news server error or a bug in my news reader? From bogus@does.not.exist.com Thu Feb 3 21:55:48 2005 From: bogus@does.not.exist.com () Date: Wed Feb 16 20:21:43 2005 Subject: No subject Message-ID: when I respond to a message and / or cut out part of the message using ellipses (...). I would assume that a gpg.user newsgroup would be able to handle gpg signed messages correctly so hopefully this message will sign correctly. Then again I've been wrong about other things in the past. ;) > > Promote security and make money with the Hushmail Affiliate Program: > http://www.hushmail.com/about-affiliate?l=427 From jason.barnett at telesuite.com Wed Feb 16 20:35:17 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Wed Feb 16 20:33:56 2005 Subject: Newsgroup signing error In-Reply-To: References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> Message-ID: Jason Barnett wrote: > I would assume that a gpg.user newsgroup would be able to handle gpg > signed messages correctly so hopefully this message will sign correctly. > Then again I've been wrong about other things in the past. ;) ... I suppose it would be a better test if I had actually signed my message > >>Promote security and make money with the Hushmail Affiliate Program: >>http://www.hushmail.com/about-affiliate?l=427 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 186 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050216/e30bdf6f/signature.pgp From swright at physics.adelaide.edu.au Wed Feb 16 20:54:17 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Wed Feb 16 20:51:02 2005 Subject: Newsgroup signing error In-Reply-To: References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> Message-ID: <20050216195417.GD25431@anl.gov> G'day possible Person Impersonating Jason, ;-) * Jason Barnett [050216 13:41]: > I suppose it would be a better test if I had actually signed my > message Your signature failed. Have you tried emailing yourself and then replying with your '...' and checking that? Have you tried using one of the testing newsgroups for testing? Have you tried getting your news from some other online source (like Google)? Have you tried anything except mailing us? It might be useful so we can exclude possible problems...... Oh, just so you know it will work: ... ... ... Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050216/228c2cb3/attachment.pgp From jharris at widomaker.com Wed Feb 16 21:05:07 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Feb 16 21:01:24 2005 Subject: SHA1 broken? In-Reply-To: <87psz0z5yr.fsf@wheatstone.g10code.de> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> <20050216171915.81275.qmail@smasher.org> <87psz0z5yr.fsf@wheatstone.g10code.de> Message-ID: <20050216200506.GE1184@wilma.widomaker.com> On Wed, Feb 16, 2005 at 07:59:24PM +0100, Werner Koch wrote: > Assuming that the SHA-1 collision calculation is simialar to the MD5 > one, tehre is even no immediate danger due to the way the fingerprints > are calculated: The first block used in the fingerprint calculation is > more or less a constant and can't be change to create a working faked > key. The key creation time can be varied at will, and, I presume, v4 RSA key material can be too, a la v3 "vanity" keyids. But, is duplicating v4 key fingerprints a useful attack? While two v4 keys with the same fingerprint could "steal" userid certifications made by others, any signatures produced by the colliding keys, including selfsigs on their userids, can _not_ be "stolen," TTBOMK. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050216/86a7f44b/attachment.pgp From malte.gell at gmx.de Wed Feb 16 21:38:33 2005 From: malte.gell at gmx.de (Malte Gell) Date: Wed Feb 16 21:35:37 2005 Subject: Newsgroup signing error In-Reply-To: References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> Message-ID: <200502162138.55749.malte.gell@gmx.de> On Wednesday 16 February 2005 20:35, Jason Barnett wrote: > I suppose it would be a better test if I had actually signed my > message Your signature failed. Recently David reported an issue with PGP/MIME signatures and GnuPG 1.4, but this is more a MUA issue than a GnuPG issue, see his announcement from Jan-05: http://marc.theaimsgroup.com/?l=gnupg-users&m=110608002711441&w=2 It seems you use Enigmail, could post a new message to the list, but with an inline signature and not PGP/MIME signed? If this signature works then you know it's an Enigmail issue. HTH Malte -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 400 bytes Desc: not available Url : /pipermail/attachments/20050216/aa46ae24/attachment-0001.pgp From johanw at vulcan.xs4all.nl Wed Feb 16 20:59:04 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Feb 16 22:10:35 2005 Subject: SHA1 broken? In-Reply-To: <20050216161147.43569.qmail@smasher.org> from Atom Smasher at "Feb 16, 2005 11:13:23 am" Message-ID: <200502161959.UAA00501@vulcan.xs4all.nl> Atom Smasher wrote: >the openPGP spec seemed to have assumed that SHA-1 just wouldn't fail. >ever. this was the same mistake made in the original version of pgp that >relied on md5. Well, the original pgp 1.0 used MD4. When that was broken, it got replaced by MD5. This does require the OpenPGP spec to be adapted of course. And in the pgp 1 and 2 age, the web of trust was of course much smaller than it is now, so it required less work. >the spec needs to allow a choice of hash algorithms for fingerprints and >key IDs, or else we'll play this game every time someone breaks a strong >hash algorithm. That would be a more flexible approach than hardwiring a new hashalgo each time the previous one was broken. Perhaps a reason to re-add the 1.0 way of adding encryption and hash functions as dynamic loadable modules to the main program? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From swright at physics.adelaide.edu.au Wed Feb 16 22:18:24 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Wed Feb 16 22:15:00 2005 Subject: Newsgroup signing error In-Reply-To: <20050216195417.GD25431@anl.gov> References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> <20050216195417.GD25431@anl.gov> Message-ID: <20050216211824.GA29469@anl.gov> G'day Paul, (Sending this back to the GnuPG-users list) * Paul Squires [050216 15:08]: > Stewart V. Wright wrote: > > G'day possible Person Impersonating Jason, ;-) > > > > * Jason Barnett [050216 13:41]: > > > >>I suppose it would be a better test if I had actually signed my > >>message > > > > > > Your signature failed. > > Which is odd since as far as /my/ mailer is concerned, it didn't (also > using TB/enigmail). Ah, well, there's your problem then. See the other post about broken mailers... > Guess an MTA must be amending the message somewhere along the line... Nope, just a flakey implementation of RFC-3156. This would make sense as your clear-signed message worked for me. (I gather RFC-3156 is PGP/MIME related from reading David's previous email.) Cheers, S. P.S. It's sooooo easy to be patronising when one uses mutt! ;-) P.P.S I'm intrigued. Does your mailer verify my signature as the previous line ended with a couple of spaces. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050216/c007c77a/attachment.pgp From andy at strugglers.net Wed Feb 16 23:23:38 2005 From: andy at strugglers.net (Andy Smith) Date: Thu Feb 17 00:23:27 2005 Subject: subkeys problem Message-ID: <20050216222338.GR82728@caffreys.strugglers.net> Hi folks, I have a gpg key, which can be found at http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B. A while ago I decided to revoke the encryption key and generate a new encryption key with 2048 bits instead of 1024. I thought it had worked so went ahead and revoked the encryption subkey, 0x9EE99022. The new encryption subkey is 0x604DE5DB. The problem is that, I still receive things encrypted to 0x9EE99022. I tell people to make sure they have imported my key and when they try they tell me that they get "subkey errors". I also note that some keyservers contain a version of my key with no reference to the subkey 0x604DE5DB. I try to upload a new version but nothing seems to happen. Someone said this was something to do with subkeys and that I should use the keyserver subkeys.pgp.net. Using that keyserver I can upload something that does seem to represent my key properly, but others (who also use gpg) cannot get my key from there. So my questions are.. - Did I do something stupid? - Is it recoverable without having revoke my keys entirely and start again with new ones? Thanks, Andy -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050216/c1766e60/attachment.pgp From dshaw at jabberwocky.com Thu Feb 17 00:38:57 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 00:35:45 2005 Subject: subkeys problem In-Reply-To: <20050216222338.GR82728@caffreys.strugglers.net> References: <20050216222338.GR82728@caffreys.strugglers.net> Message-ID: <20050216233857.GB24054@jabberwocky.com> On Wed, Feb 16, 2005 at 10:23:38PM +0000, Andy Smith wrote: > Hi folks, > > I have a gpg key, which can be found at > http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B. > > A while ago I decided to revoke the encryption key and generate a > new encryption key with 2048 bits instead of 1024. I thought it had > worked so went ahead and revoked the encryption subkey, 0x9EE99022. > The new encryption subkey is 0x604DE5DB. > > The problem is that, I still receive things encrypted to 0x9EE99022. > I tell people to make sure they have imported my key and when they > try they tell me that they get "subkey errors". I also note that > some keyservers contain a version of my key with no reference to the > subkey 0x604DE5DB. I try to upload a new version but nothing seems > to happen. > > Someone said this was something to do with subkeys and that I should > use the keyserver subkeys.pgp.net. Using that keyserver I can > upload something that does seem to represent my key properly, but > others (who also use gpg) cannot get my key from there. I'd need to get a better error report than "subkey errors" to help you, I'm afraid. For what it's worth, I pulled your key from all of the servers that make up subkeys.pgp.net and it was fine on each of them. David From jason.barnett at telesuite.com Thu Feb 17 00:37:57 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Feb 17 00:36:27 2005 Subject: Newsgroup signing error In-Reply-To: <20050216195417.GD25431__38779.8776537695$1108583674$gmane$org@anl.gov> References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> <20050216195417.GD25431__38779.8776537695$1108583674$gmane$org@anl.gov> Message-ID: Stewart V. Wright wrote: > G'day possible Person Impersonating Jason, ;-) I know, I know. I've just started using GPG and don't have anyone in my web of trust yet... still working on that part :) > > * Jason Barnett [050216 13:41]: > >>I suppose it would be a better test if I had actually signed my >>message > > > Your signature failed. > > > Have you tried emailing yourself and then replying with your '...' > and checking that? Yep... my message gets signed correctly. > > Have you tried using one of the testing newsgroups for testing? I didn't know those existed. I have posted messages to several newgroups, but if you tell me which group(s) are out there for this purpose I will gladly try that. > > Have you tried getting your news from some other online source (like > Google)? I *was* doing everything through my newsreader; I will try that as well. > > Have you tried anything except mailing us? Absolutely! When I first set everything up my first tests were emails to myself to see if I created good signatures. I even tested encryption to make sure that encrypted messages went through ok, and finally I sent messages that were both encrypted *and* signed to myself to see if those checked out ok... which they did. > > It might be useful so we can exclude possible problems...... > > > Oh, just so you know it will work: > > ... ... > Yes, strange I know. I had someone on the Enigmail mailing list suggest that the news server and/or my reader might be adding an extra period after the ellipses. Now mind you I don't know who the culprit is, but I did notice this behavior on several of the failed-signature messages. So, I wrote here in the hopes of testing whether it's a reader issue or a server issue. > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From jason.barnett at telesuite.com Thu Feb 17 00:44:10 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Feb 17 00:42:29 2005 Subject: Newsgroup signing error In-Reply-To: <20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov> References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> <20050216195417.GD25431@anl.gov> <20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov> Message-ID: Stewart V. Wright wrote: > G'day Paul, (Sending this back to the GnuPG-users list) > > ... >>> >>>Your signature failed. >> >>Which is odd since as far as /my/ mailer is concerned, it didn't (also >>using TB/enigmail). > > > Ah, well, there's your problem then. See the other post about broken > mailers... > > >>Guess an MTA must be amending the message somewhere along the line... > > > Nope, just a flakey implementation of RFC-3156. This would make sense > as your clear-signed message worked for me. (I gather RFC-3156 is > PGP/MIME related from reading David's previous email.) This makes sense (wish I had read this before my last message to this group!). I have been using PGP/MIME rather than clear-signed messages all along. > > > Cheers, > > S. > > > P.S. It's sooooo easy to be patronising when one uses mutt! ;-) Yeah, yeah. > > P.P.S I'm intrigued. Does your mailer verify my signature > as the previous line ended with a couple of spaces. FYI Thunderbird / Enigmail 0.90.1.1 verified your signature as "UNTRUSTED Good signature from Stewart V. Wright " > > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From andy at strugglers.net Thu Feb 17 01:05:47 2005 From: andy at strugglers.net (Andy Smith) Date: Thu Feb 17 01:01:57 2005 Subject: subkeys problem In-Reply-To: <20050216233857.GB24054@jabberwocky.com> References: <20050216222338.GR82728@caffreys.strugglers.net> <20050216233857.GB24054@jabberwocky.com> Message-ID: <20050217000547.GU82728@caffreys.strugglers.net> On Wed, Feb 16, 2005 at 06:38:57PM -0500, David Shaw wrote: > I'd need to get a better error report than "subkey errors" to help > you, I'm afraid. > > For what it's worth, I pulled your key from all of the servers that > make up subkeys.pgp.net and it was fine on each of them. Hi David, Thanks for that. If you now attempt to encrypt something to "andy@strugglers.net", do you end up encrypting to the correct key? I will try to get the exact error messages that others report. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050217/f7b7cb84/attachment.pgp From swright at physics.adelaide.edu.au Thu Feb 17 01:32:35 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Thu Feb 17 01:29:18 2005 Subject: Newsgroup signing error In-Reply-To: References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> <20050216195417.GD25431@anl.gov> <20050216211824.GA29469__37162.4522879303$1108588691$gmane$org@anl.gov> Message-ID: <20050217003235.GC29469@anl.gov> G'day Jason, * Jason Barnett [050216 17:55]: > > This makes sense (wish I had read this before my last message to this > group!). I have been using PGP/MIME rather than clear-signed messages > all along. Without wanting to start too much of a argument, it seems from my reading that the preferred way of sending messages should be PGP/MIME. The benefits over inline signatures, including being able to include attachments in the signed message and non-ASCII characters are significant. However, many people will disagree... > > P.P.S I'm intrigued. Does your mailer verify my signature > > as the previous line ended with a couple of spaces. > > FYI Thunderbird / Enigmail 0.90.1.1 verified your signature as > "UNTRUSTED Good signature from Stewart V. Wright > " Well, as they say "every cloud has a silver lining" and at least Thunderbird / Enigmail does the right thing for properly formatted messages. You can now trust what we tell you, even if we can't trust your replies! ;-) Good luck with finding a solution. Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050216/2b0827fc/attachment-0001.pgp From jharris at widomaker.com Thu Feb 17 01:34:28 2005 From: jharris at widomaker.com (Jason Harris) Date: Thu Feb 17 01:30:41 2005 Subject: subkeys problem In-Reply-To: <20050216222338.GR82728@caffreys.strugglers.net> References: <20050216222338.GR82728@caffreys.strugglers.net> Message-ID: <20050217003428.GF1184@wilma.widomaker.com> On Wed, Feb 16, 2005 at 10:23:38PM +0000, Andy Smith wrote: > I have a gpg key, which can be found at > http://strugglers.net/pubkey.asc or on keyservers; 0xBF15490B. > A while ago I decided to revoke the encryption key and generate a > new encryption key with 2048 bits instead of 1024. I thought it had > worked so went ahead and revoked the encryption subkey, 0x9EE99022. > The new encryption subkey is 0x604DE5DB. > The problem is that, I still receive things encrypted to 0x9EE99022. > Someone said this was something to do with subkeys and that I should > use the keyserver subkeys.pgp.net. Using that keyserver I can > upload something that does seem to represent my key properly, but > others (who also use gpg) cannot get my key from there. Your key on the SKS servers has a lot of subkey signatures misplaced on userids: %gpg -v --keyserver keyserver.noreply.org --recv 0x604DE5DB gpg: requesting key 604DE5DB from hkp server keyserver.noreply.org Host: keyserver.noreply.org Command: GET gpgkeys: HTTP URL is `hkp://keyserver.noreply.org/pks/lookup?op=get&options=mr&search=0x604DE5DB' gpg: armor header: Version: SKS 1.0.9 gpg: pub 1024D/BF15490B 1998-08-12 Andy J. Smith <[elided]> gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: no subkey for subkey revocation signature gpg: key BF15490B: no subkey for key revocation gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: removed multiple subkey binding gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey binding gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: invalid subkey revocation gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: subkey signature in wrong place - skipped gpg: key BF15490B: skipped subkey gpg: key BF15490B: public key "Andy Smith " imported gpg: Total number processed: 1 gpg: imported: 1 but it looks like most of its subkeys are in order: %gpg -v ... [snip] sub 2048g/9EE99022 1998-08-12 [revoked: 2002-03-30] sig! BF15490B 1998-08-12 Andy Smith <> rev! BF15490B 2002-03-30 Andy Smith <> sub 2048g/604DE5DB 2004-05-28 sig! BF15490B 2004-05-28 Andy Smith <> sub 4096g/AD7623D2 2002-03-30 [revoked: 2002-03-30] sig! BF15490B 2002-03-30 Andy Smith <> rev! BF15490B 2002-03-30 Andy Smith <> sub 4096G/237C258F 2002-03-30 [revoked: 2004-05-28] sig! BF15490B 2002-03-30 Andy Smith <> rev! BF15490B 2004-05-28 Andy Smith <> sub 4096g/2F6F4447 2002-07-25 [revoked: 2004-05-28] sig! BF15490B 2002-07-25 Andy Smith <> rev! BF15490B 2004-05-28 Andy Smith <> except for that nagging "gpg: key BF15490B: skipped subkey," which would seem to refer to: (NB: output from keyserver.kjsl.com:11371) sub 4096g/788FA859 2002-07-25 [subkey, revoked?] Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859 sig 0x18 BF15490B 2002-07-25 [keybind, hash: type 2, 7f 15] rev 0x28 BF15490B 2002-07-25 [keybind, hash: type 2, 21 78] rev 0x28 BF15490B 2002-03-30 [keybind, hash: type 2, a9 dd] which only has bad signatures from other subkeys and isn't even importable from http://strugglers.net/pubkey.asc : %gpg --import pubkey.asc gpg: key BF15490B: "Andy Smith " not changed gpg: Total number processed: 1 gpg: unchanged: 1 %gpg -k 788FA859 gpg: error reading key: public key not found -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050216/24fc3020/attachment.pgp From dshaw at jabberwocky.com Thu Feb 17 02:03:12 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 02:00:02 2005 Subject: subkeys problem In-Reply-To: <20050217000547.GU82728@caffreys.strugglers.net> References: <20050216222338.GR82728@caffreys.strugglers.net> <20050216233857.GB24054@jabberwocky.com> <20050217000547.GU82728@caffreys.strugglers.net> Message-ID: <20050217010312.GA24504@jabberwocky.com> On Thu, Feb 17, 2005 at 12:05:47AM +0000, Andy Smith wrote: > On Wed, Feb 16, 2005 at 06:38:57PM -0500, David Shaw wrote: > > I'd need to get a better error report than "subkey errors" to help > > you, I'm afraid. > > > > For what it's worth, I pulled your key from all of the servers that > > make up subkeys.pgp.net and it was fine on each of them. > > Hi David, > > Thanks for that. If you now attempt to encrypt something to > "andy@strugglers.net", do you end up encrypting to the correct key? > > I will try to get the exact error messages that others report. Sure, it works fine. To be sure, they key that is stored on the keyserver is full of all sorts of bad data (data in the wrong place, etc), but GnuPG doesn't really care about that, as it skips the bad stuff. The keyserver operators may care to figure out how your key was so mangled, but regular users should just see a good key for you. GnuPG doesn't even print out the warnings about skipping bad data unless you ask for it. David From andy at strugglers.net Thu Feb 17 02:13:58 2005 From: andy at strugglers.net (Andy Smith) Date: Thu Feb 17 02:10:09 2005 Subject: subkeys problem In-Reply-To: <20050217003428.GF1184@wilma.widomaker.com> References: <20050216222338.GR82728@caffreys.strugglers.net> <20050217003428.GF1184@wilma.widomaker.com> Message-ID: <20050217011358.GW82728@caffreys.strugglers.net> Hi Jason, On Wed, Feb 16, 2005 at 07:34:28PM -0500, Jason Harris wrote: > Your key on the SKS servers has a lot of subkey signatures > misplaced on userids: [...] How should I go about cleaning that up? > but it looks like most of its subkeys are in order: [...] > except for that nagging "gpg: key BF15490B: skipped subkey," > which would seem to refer to: > > (NB: output from keyserver.kjsl.com:11371) > sub 4096g/788FA859 2002-07-25 [subkey, revoked?] > Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859 > sig 0x18 BF15490B 2002-07-25 [keybind, hash: type 2, 7f 15] > rev 0x28 BF15490B 2002-07-25 [keybind, hash: type 2, 21 78] > rev 0x28 BF15490B 2002-03-30 [keybind, hash: type 2, a9 dd] > > which only has bad signatures from other subkeys and isn't even > importable from http://strugglers.net/pubkey.asc : Thanks for that - what would you suggest I do to clean it up a bit though? 0x788FA859 isn't even in my current key and I have no way to remove information from key servers, right? $ gpg --edit-key andy@strugglers.net Secret key is available. pub 1024D/BF15490B created: 1998-08-12 expires: never usage: CS trust: ultimate validity: ultimate sub 2048g/604DE5DB created: 2004-05-28 expires: never usage: E sub 2048g/9EE99022 created: 1998-08-12 revoked: 2002-03-30 usage: E sub 4096g/AD7623D2 created: 2002-03-30 revoked: 2002-03-30 usage: E sub 4096G/237C258F created: 2002-03-30 revoked: 2004-05-28 usage: sub 4096g/2F6F4447 created: 2002-07-25 revoked: 2004-05-28 usage: E -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050217/67862120/attachment.pgp From andy at strugglers.net Thu Feb 17 02:17:34 2005 From: andy at strugglers.net (Andy Smith) Date: Thu Feb 17 02:13:42 2005 Subject: subkeys problem In-Reply-To: <20050217010312.GA24504@jabberwocky.com> References: <20050216222338.GR82728@caffreys.strugglers.net> <20050216233857.GB24054@jabberwocky.com> <20050217000547.GU82728@caffreys.strugglers.net> <20050217010312.GA24504@jabberwocky.com> Message-ID: <20050217011734.GX82728@caffreys.strugglers.net> On Wed, Feb 16, 2005 at 08:03:12PM -0500, David Shaw wrote: > To be sure, they key that is stored on the keyserver is full of all > sorts of bad data (data in the wrong place, etc), but GnuPG doesn't > really care about that, as it skips the bad stuff. The keyserver > operators may care to figure out how your key was so mangled, but > regular users should just see a good key for you. GnuPG doesn't even > print out the warnings about skipping bad data unless you ask for it. Unfortunately, I now have multiple correspondents who I would like to receive encrypted mail from who cannot import my key at all using gpg so that they can encrypt things to 0x604DE5DB. I will get the exact error messages from them. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050217/39ababfa/attachment.pgp From dshaw at jabberwocky.com Thu Feb 17 04:18:24 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 04:15:06 2005 Subject: [Announce] Second release candidate for 1.4.1 available Message-ID: <20050217031824.GA24720@jabberwocky.com> Hi! We are pleased to announce the availability of a the second release candidate for the forthcoming 1.4.1 version of GnuPG: ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2 (2.7M) ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1-1.4.1rc2.diff.bz2 (338K) An installer for Windows is also available: ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe (1.4M) ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig SHA-1 checksums for the above files are: cfa9d6f4c7a0aa5b58df75e3b5480a8ccf223dea gnupg-1.4.1rc2.tar.bz2 21d4c2ef378e89b87123dc97c90989e8f1e09783 gnupg-1.4.1rc1-1.4.1rc2.diff.bz2 99f3bd0165cbfcbc2b562b42a3e0be64cec09b85 gnupg-w32cli-1.4.1rc2.exe Please try these versions out and report any problems. Noteworthy changes since 1.4.0: * New --rfc2440-text option which controls how text is handled in signatures. This is in response to some problems seen with certain PGP/MIME mail clients and GnuPG version 1.4.0. More details about this are available at . * New "import-unusable-sigs" and "export-unusable-sigs" tags for --import-options and --export-options. These are off by default, which causes GnuPG to not import or export key signatures that are not usable (e.g. expired signatures). * New experimental HTTP, HTTPS, FTP, and FTPS keyserver helper that uses the cURL library to retrieve keys. This is disabled by default, but may be enabled with the configure option --with-libcurl. Without this option, the existing HTTP code is used for HTTP, and HTTPS, FTP, and FTPS are not supported. * When running a --card-status or --card-edit and a public key is available, missing secret key stubs will be created on the fly. Details of the key are listed too. * The implicit packet dumping in double verbose mode is now sent to stderr and not to stdout. * Added countermeasures against the Mister/Zuccherato CFB attack . * [W32] The algorithm for the default home directory changed: First we look at the environment variable GNUPGHOME, if this one is not set, we check whether the registry entry {HKCU,HKLM}\Software\GNU\GnuPG:HomeDir has been set. If this fails we use a GnuPG directory below the standard application data directory (APPDATA) of the current user. Only in the case that this directory cannot be determined, the old default of c:\gnupg will be used. The option --homedir still overrides all of them. * [W32] The locale selection under Windows changed. You need to enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang. For German you would use "de". If it is not set, GnuPG falls back to HKLM. The languages files "*.mo" are expected in a directory named "gnupg.nls" below the installation directory; that directory must be stored in the registry at the same key as above with the name "Install Directory". * Add new --edit-key command "bkuptocard" to allow restoring a card key from a backup. * The "fetch" command of --card-edit now retrieves the key using the default keyserver if no URL has been stored on the card. Happy Hacking, David, Timo, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 249 bytes Desc: not available Url : /pipermail/attachments/20050216/75b7c48e/attachment.pgp From dshaw at jabberwocky.com Thu Feb 17 04:43:10 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 04:39:54 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050213162558.GA5569@anl.gov> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> <20050213162558.GA5569@anl.gov> Message-ID: <20050217034310.GF24504@jabberwocky.com> On Sun, Feb 13, 2005 at 10:25:58AM -0600, Stewart V. Wright wrote: > > Try the attached spec. I think it should work now. > > Yup. I guess I should have RTFM for rm and just gone with the -f > flag... Good catch! Ok, good. I've made this change for 1.4.1. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 249 bytes Desc: not available Url : /pipermail/attachments/20050216/046ab1b4/attachment.pgp From dshaw at jabberwocky.com Thu Feb 17 04:44:10 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 04:40:54 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050214210800.GR4175@psilocybe.teonanacatl.org> References: <200502092045.54635.adam00f@ducksburg.com> <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> <20050214210800.GR4175@psilocybe.teonanacatl.org> Message-ID: <20050217034410.GG24504@jabberwocky.com> On Mon, Feb 14, 2005 at 04:08:00PM -0500, Todd wrote: > In doing so, it seems like a nicer way to solve this would be to > simply modify two automake files in gnupg to use pkglibexecdir instead > of libexecdir. The attached patch against CVS does this and worked > for me in my simple testing. It allows libexecdir to be set as one > would normally set it and not have to worry about the gnupg subdr > portion. Of course, if one wants to change that seperately from > libexecdir, it can be done by passing pkglibexecdir to make: > > make pkglibexecdir=/usr/anydir/gpg I think this is a good idea. I don't want to mess about with the build this close to the 1.4.1 release, but I will revisit this for 1.4.2. David -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 249 bytes Desc: not available Url : /pipermail/attachments/20050216/a2c9f4e5/attachment-0001.pgp From jharris at widomaker.com Thu Feb 17 05:55:35 2005 From: jharris at widomaker.com (Jason Harris) Date: Thu Feb 17 05:51:48 2005 Subject: subkeys problem In-Reply-To: <20050217011358.GW82728@caffreys.strugglers.net> References: <20050216222338.GR82728@caffreys.strugglers.net> <20050217003428.GF1184@wilma.widomaker.com> <20050217011358.GW82728@caffreys.strugglers.net> Message-ID: <20050217045535.GG1184@wilma.widomaker.com> On Thu, Feb 17, 2005 at 01:13:58AM +0000, Andy Smith wrote: > On Wed, Feb 16, 2005 at 07:34:28PM -0500, Jason Harris wrote: > > Your key on the SKS servers has a lot of subkey signatures > > misplaced on userids: > How should I go about cleaning that up? One would have to modify SKS. But the LDAP keyservers (at least the older ones) have the same problem. > > sub 4096g/788FA859 2002-07-25 [subkey, revoked?] > > Key fingerprint = 43A9 5BF3 7FF4 76EE 4694 DBCB E47E 70A6 788F A859 > Thanks for that - what would you suggest I do to clean it up a bit > though? 0x788FA859 isn't even in my current key and I have no way > to remove information from key servers, right? Right. GPG doesn't import it, so it shouldn't be a problem. However, if you did create that subkey and can find it in a backup somewhere, you should be able to revoke it or begin using it, and/or decrypt any data previously encrypted to it. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050216/76e19c51/attachment.pgp From shavital at mac.com Thu Feb 17 07:36:06 2005 From: shavital at mac.com (Charly Avital) Date: Thu Feb 17 07:32:35 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217031824.GA24720@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> Message-ID: <89b8ae1cbf0fc4a9ee9dd426892aa737@mac.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Feb 16, 2005, at 10:18 PM, David Shaw wrote: > Hi! > > We are pleased to announce the availability of a the second release > candidate for the forthcoming 1.4.1 version of GnuPG: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2 > (2.7M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig > [...] Compiled with idea.c for Mac OS X 10.3.8. Running fine. Thanks. Charly -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (Darwin) Comment: GnuPG for Privacy iD8DBQFCFDti8SG5rMkbCF4RAhYAAKDKxB8Ik6oScyd7Bpkg+CnHR77jZACfWgpk MhMNNv07hMW6GMIZGIOZifo= =gfwk -----END PGP SIGNATURE----- From atom at smasher.org Wed Feb 16 21:56:25 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Feb 17 07:51:23 2005 Subject: SHA-1 break - in perspective Message-ID: <20050216205449.90659.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 this should help put the (alleged until proven otherwise) SHA-1 break into perspective. thanks to Sascha Kiefer for giving me the idea. let's say that unbroken SHA-1 represents a 100 meter (328 ft) wall. if a break allows a collision to be found in merely 2^69 operations (on average), that would mean the wall has crumbled to 4.9 cm (1.9 in) tall. that's broken!! OTOH, let's say that unbroken MD5 represents a 100 meter (328 ft) wall. comparing unbroken MD5 to broken SHA-1 means the wall would actually grow from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. SHA-1, even if it's broken enough to find a collision in 2^69 operations (on average), is still stronger than MD5 was ever meant to be. again, using unbroken MD5 as our reference of a 100 meter (328 ft) wall, unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was intended to be incredibly stronger than MD5. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "IDEA's key length is 128 bits - over twice as long as DES. Assuming that a brute force attack is the most efficient, it would require 2^128 (10^38) encryptions to recover the key. Design a chip that can test a billion keys per second an throw a billion of the them at the problem, and it will still take 10^13 years - that's longer than the age of the universe. An array of 10^24 such chips can find the key in a day, but there aren't enough silicon atoms in the universe to build such a machine. Now we're getting somewhere - although I'd keep my eye on the dark matter debate." -- Bruce Schneier, Applied Cryptography -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJCE7N+AAoJEAx/d+cTpVciBIMH/2XFTi0DMGuhXrwCEvmXvxIN of+aZbdO/vJgDWVR5u7amHOEKf0EBtzhgUxgpFbrGybx26JCx1zL40BfxXxZb6LH AxJhHvCqtZ/XSqQIXBU0fMT9/sicWV/f8sHvlOWCWGCKRdmus0tMSODW9T8vdWaT jrTXvOqnFx2fUKsZiyjwPQQYw9kln7m/MRpon6SiPxmjZFoUWlap/c1OnqjVwpUR xKwczYBZmQdozR24G/pWfVCkbleYcvkPHu/EcV22x9UEiUyHseBxRVgoV0NAV9Ln tzdbBeMPBTUyuCVFlZGXqdMA1+cevpxSt4WsJt8yX+h2VtSzwq2YMqFsA9xeVpg= =I/9u -----END PGP SIGNATURE----- From wk at gnupg.org Thu Feb 17 08:16:56 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 17 08:16:05 2005 Subject: SHA1 broken? In-Reply-To: <20050216200506.GE1184@wilma.widomaker.com> (Jason Harris's message of "Wed, 16 Feb 2005 15:05:07 -0500") References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> <20050216171915.81275.qmail@smasher.org> <87psz0z5yr.fsf@wheatstone.g10code.de> <20050216200506.GE1184@wilma.widomaker.com> Message-ID: <87y8dnwt93.fsf@wheatstone.g10code.de> On Wed, 16 Feb 2005 15:05:07 -0500, Jason Harris said: > The key creation time can be varied at will, and, I presume, v4 RSA That's true. However as long as we don't know how to calculate such a block (and I just guessed that it is similar to the MD5 attack - which is not necessary true) we don't know whether 4 bytes at a fixed offset are sufficient. > key material can be too, a la v3 "vanity" keyids. But, is duplicating No, they are not vulnerable like v3 keyids. > While two v4 keys with the same fingerprint could "steal" userid > certifications made by others, any signatures produced by the > colliding keys, including selfsigs on their userids, can _not_ They world harm the WoT or any other method of checking the identity of a key because you usually compare the fingerprints out of band. Salam-Shalom, Werner From wk at gnupg.org Thu Feb 17 08:20:25 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 17 08:21:05 2005 Subject: SHA1 broken? In-Reply-To: <200502161959.UAA00501@vulcan.xs4all.nl> (Johan Wevers's message of "Wed, 16 Feb 2005 20:59:04 +0100 (MET)") References: <200502161959.UAA00501@vulcan.xs4all.nl> Message-ID: <87u0obwt3a.fsf@wheatstone.g10code.de> On Wed, 16 Feb 2005 20:59:04 +0100 (MET), Johan Wevers said: > That would be a more flexible approach than hardwiring a new hashalgo each > time the previous one was broken. Perhaps a reason to re-add the 1.0 way > of adding encryption and hash functions as dynamic loadable modules to the > main program? The problem is not the software but the protocol. You can't have dynamically loadable sections for an RFC. That would contradict the very reason of having a standard. Shalom-Salam, Werner From sk at intertivity.com Thu Feb 17 09:26:32 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Feb 17 09:22:35 2005 Subject: SHA-1 break - in perspective In-Reply-To: <20050216205449.90659.qmail@smasher.org> Message-ID: <002501c514ca$6370bfd0$f300a8c0@HOME> Funny it's the same calculation i had last night before i went to bed! So long. Sascha 16. Februar 2005 21:56, Atom Smasher wrote: > To: recipient list not shown: > Subject: SHA-1 break - in perspective > > this should help put the (alleged until proven otherwise) > SHA-1 break into > perspective. thanks to Sascha Kiefer for giving me the idea. > > let's say that unbroken SHA-1 represents a 100 meter (328 ft) > wall. if a > break allows a collision to be found in merely 2^69 operations (on > average), that would mean the wall has crumbled to 4.9 cm > (1.9 in) tall. > that's broken!! > > OTOH, let's say that unbroken MD5 represents a 100 meter (328 > ft) wall. > comparing unbroken MD5 to broken SHA-1 means the wall would > actually grow > from 100 meters (328 ft) tall to 3.2 km (1.99 miles) tall. > SHA-1, even if > it's broken enough to find a collision in 2^69 operations (on > average), is > still stronger than MD5 was ever meant to be. > > again, using unbroken MD5 as our reference of a 100 meter > (328 ft) wall, > unbroken SHA-1 would be a wall 6553.6 km (4072 miles) tall. SHA-1 was > intended to be incredibly stronger than MD5. From og at pre-secure.de Thu Feb 17 11:39:55 2005 From: og at pre-secure.de (Olaf Gellert) Date: Thu Feb 17 11:39:34 2005 Subject: Newsgroup signing error In-Reply-To: References: <200502161522.j1GFMQNh087918__19448.459291789$1108567756$gmane$org@mailserver3.hushmail.com> Message-ID: <4214747B.1010400@pre-secure.de> I do not know what all the others observe with your signature. This is what my enigmail says: UNTRUSTED Good signature from Jason Barnett , Key Id 0x74D2856A So obviously enigmail is able to verify your signature (only that your key is not trusted by GPG, but the signatrue is alright). I use Mozilla 1.7.3 and Enigmail 0.85.0.0 I attached a screenshot so you can see how the email should look like. Maybe some others do have difficulties verifying signatures? Or some crappy mail transfer agent doing some changes to the mail (like converting encodings, newlines, ...)? Olaf Jason Barnett wrote: > Jason Barnett wrote: > >>I would assume that a gpg.user newsgroup would be able to handle gpg >>signed messages correctly so hopefully this message will sign correctly. >> Then again I've been wrong about other things in the past. ;) > > ... > > I suppose it would be a better test if I had actually signed my > message > >>>Promote security and make money with the Hushmail Affiliate Program: >>>http://www.hushmail.com/about-affiliate?l=427 >>> >>> >>>------------------------------------------------------------------------ >>> >>>_______________________________________________ >>>Gnupg-users mailing list >>>Gnupg-users@gnupg.org >>>http://lists.gnupg.org/mailman/listinfo/gnupg-users -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet -------------- next part -------------- A non-text attachment was scrubbed... Name: signed.png Type: image/png Size: 15101 bytes Desc: not available Url : /pipermail/attachments/20050217/a0f0e8a1/signed-0001.png From sk at intertivity.com Thu Feb 17 15:18:00 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 17 16:00:00 2005 Subject: Extracting UserAttribute (photo) Message-ID: <4214A798.6080607@intertivity.com> David Shaw wrote > > photo-viewer "cat > ~/photoid-for-key-%k.%t" What is the syntax of the photo-viewer parameter? i tried the following: gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit mustermann showphoto quit and gpg says: gpg: this platform requires temporary files when calling external programs gpg: unable to display photo ID! As you can see i'm running it on a windows system! Thanks! From sk at intertivity.com Thu Feb 17 16:19:48 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 17 16:16:07 2005 Subject: Extracting UserAttribute (photo) In-Reply-To: <4214A798.6080607@intertivity.com> References: <4214A798.6080607@intertivity.com> Message-ID: <4214B614.5010403@intertivity.com> i found it myself: photo-viewer "C:\Path\Of\Viewer\viewer.exe %I" :) Sascha Kiefer schrieb: > David Shaw wrote > > > > photo-viewer "cat > ~/photoid-for-key-%k.%t" > > What is the syntax of the photo-viewer parameter? > i tried the following: > > gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit > mustermann showphoto quit > > and gpg says: > gpg: this platform requires temporary files when calling external > programs > gpg: unable to display photo ID! > > As you can see i'm running it on a windows system! > > Thanks! > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From dshaw at jabberwocky.com Thu Feb 17 16:18:59 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 16:53:24 2005 Subject: Extracting UserAttribute (photo) In-Reply-To: <4214A798.6080607@intertivity.com> References: <4214A798.6080607@intertivity.com> Message-ID: <20050217151859.GA10243@jabberwocky.com> On Thu, Feb 17, 2005 at 03:18:00PM +0100, Sascha Kiefer wrote: > David Shaw wrote > > > > photo-viewer "cat > ~/photoid-for-key-%k.%t" > > What is the syntax of the photo-viewer parameter? > i tried the following: > > gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe" --edit mustermann > showphoto quit > > and gpg says: > gpg: this platform requires temporary files when calling external programs > gpg: unable to display photo ID! > > As you can see i'm running it on a windows system! Try something like gpg.exe --photo-viewer "C:\Path\Of\Viewer\viewer.exe %i" --edit mustermann The %-escapes are: %i is expanded to a temporary file that contains the photo. %I is the same as %i, but the file isn't deleted afterwards by GnuPG. %k is expanded to the key ID of the key. %K is expanded to the long OpenPGP key ID of the key. %t is expanded to the extension of the image (e.g. "jpg"). %T is expanded to the MIME type of the image (e.g. "image/jpeg"). %f is expanded to the fingerprint of the key. %% is %, of course. David From swright at physics.adelaide.edu.au Thu Feb 17 17:11:48 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Thu Feb 17 17:08:33 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217031824.GA24720@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> Message-ID: <20050217161148.GA13878@anl.gov> G'day David, * David Shaw [050216 21:24]: > We are pleased to announce the availability of a the second release > candidate for the forthcoming 1.4.1 version of GnuPG: Um... it appears that there was no update of the gnupg.spec file to the one that we iterated to over the last week. The FC2 build of the RPM fails and more importantly it looks like the gpgkeys_* programs will still be installed incorrectly. rc3 here we come! ;-) Cheers, S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050217/01b7bff7/attachment.pgp From sk at intertivity.com Thu Feb 17 17:26:03 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 17 17:22:12 2005 Subject: Multiple signing Message-ID: <4214C59B.5040406@intertivity.com> Is it feasible to sign something with more than one key? And if yes, how is it done? By calling "gpg --sign" n-times using the option default-key? Or is there multiple sign option? Thanks. --sk From dshaw at jabberwocky.com Thu Feb 17 17:19:22 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 17:50:51 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217161148.GA13878@anl.gov> References: <20050217031824.GA24720@jabberwocky.com> <20050217161148.GA13878@anl.gov> Message-ID: <20050217161922.GB10243@jabberwocky.com> On Thu, Feb 17, 2005 at 10:11:48AM -0600, Stewart V. Wright wrote: > G'day David, > > * David Shaw [050216 21:24]: > > We are pleased to announce the availability of a the second release > > candidate for the forthcoming 1.4.1 version of GnuPG: > > Um... it appears that there was no update of the gnupg.spec file to > the one that we iterated to over the last week. No, the new spec is in CVS, but I checked it in just after Werner built 1.4.1rc2. No worries, it will be in 1.4.1. David From linux at codehelp.co.uk Thu Feb 17 18:07:05 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Thu Feb 17 18:03:12 2005 Subject: Multiple signing In-Reply-To: <4214C59B.5040406@intertivity.com> References: <4214C59B.5040406@intertivity.com> Message-ID: <200502171707.06149.linux@codehelp.co.uk> On Thursday 17 February 2005 4:26 pm, Sascha Kiefer wrote: > Is it feasible to sign something with more than one key? $ gpg -u other_key > And if yes, how is it done? By calling "gpg --sign" n-times using the > option default-key? Or is there multiple sign option? Not multiple sign, you simply change the user to the other key one at a time - after all, different keys, different passphrases. Naturally, you need the secret key for the other_key. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050217/bd2befee/attachment.pgp From henkdebruijn at wanadoo.nl Thu Feb 17 18:18:37 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Feb 17 18:15:25 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217031824.GA24720@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> Message-ID: <1822865182.20050217181837@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I live), David Shaw wrote: > We are pleased to announce the availability of a the second release > candidate for the forthcoming 1.4.1 version of GnuPG: > An installer for Windows is also available: > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe > (1.4M) > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig > Please try these versions out and report any problems. Up and running but after gpg --version, it shows rc1??? - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 iD8DBQFCFNH6Egabk9vm5ngRAlNtAJ9DZqaMHDm8wjS/LlQGkze6eyLxSgCgkyfQ SpkWatAn01yoNd5gQo6ovzU= =BKMv -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Feb 17 17:52:35 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 18:25:42 2005 Subject: Multiple signing In-Reply-To: <4214C59B.5040406@intertivity.com> References: <4214C59B.5040406@intertivity.com> Message-ID: <20050217165235.GA10406@jabberwocky.com> On Thu, Feb 17, 2005 at 05:26:03PM +0100, Sascha Kiefer wrote: > Is it feasible to sign something with more than one key? > And if yes, how is it done? By calling "gpg --sign" n-times using the > option default-key? Or is there multiple sign option? gpg -u key1 -u key2 -u key3 --sign foo.txt David From Freedom_Lover at pobox.com Thu Feb 17 18:36:34 2005 From: Freedom_Lover at pobox.com (Todd) Date: Thu Feb 17 18:33:21 2005 Subject: [PATCH] gnupg.spec [WAS: unable to execute program `gpgkeys_hkp': Permission denied] In-Reply-To: <20050217034410.GG24504@jabberwocky.com> References: <20050209210131.GE13440@anl.gov> <20050209211832.GD13550@jabberwocky.com> <20050209214834.GF13440@anl.gov> <20050210033606.GC13965@jabberwocky.com> <20050210202341.GD29994@anl.gov> <20050210225805.GF29994@anl.gov> <20050211202000.GD7710@anl.gov> <20050212050506.GE22456@jabberwocky.com> <20050214210800.GR4175@psilocybe.teonanacatl.org> <20050217034410.GG24504@jabberwocky.com> Message-ID: <20050217173634.GC26827@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: > On Mon, Feb 14, 2005 at 04:08:00PM -0500, Todd wrote: > >> In doing so, it seems like a nicer way to solve this would be to >> simply modify two automake files in gnupg to use pkglibexecdir instead >> of libexecdir. The attached patch against CVS does this and worked >> for me in my simple testing. It allows libexecdir to be set as one >> would normally set it and not have to worry about the gnupg subdr >> portion. Of course, if one wants to change that seperately from >> libexecdir, it can be done by passing pkglibexecdir to make: >> >> make pkglibexecdir=/usr/anydir/gpg > > I think this is a good idea. I don't want to mess about with the > build this close to the 1.4.1 release, but I will revisit this for > 1.4.2. Awwww, what's wrong with mucking around with .am files when a release is imminent? What could possibly go awry? Hehehe. Cool though. Hope it'll work out for 1.4.2 and make it a little simpler to package GnuPG with various distro packaging tools. Thanks again for all the work you guys do on GnuPG (yourself, Timo, Werner, and any unnamed contributors of code)! - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== Ah! Useless! Every one of you! Fine. I will defend myself and to hell with all of you! -- Stewie Griffin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkIU1iImGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1rr/QCgkWqcErFUgY7O3kjiQ6uTlP5tLUwAnje8K4sF 3FgcK0iE9B5HeLSc34KH =Xx4R -----END PGP SIGNATURE----- From sk at intertivity.com Thu Feb 17 19:22:44 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Feb 17 19:18:48 2005 Subject: Multiple signing In-Reply-To: <20050217165235.GA10406@jabberwocky.com> Message-ID: <002201c5151d$acd767c0$f300a8c0@HOME> Thanks! > gpg -u key1 -u key2 -u key3 --sign foo.txt From dshaw at jabberwocky.com Thu Feb 17 19:44:05 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 17 19:40:51 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <1822865182.20050217181837@wanadoo.nl> References: <20050217031824.GA24720@jabberwocky.com> <1822865182.20050217181837@wanadoo.nl> Message-ID: <20050217184405.GA18817@jabberwocky.com> On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote: > On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I > live), David Shaw wrote: > > > We are pleased to announce the availability of a the second release > > candidate for the forthcoming 1.4.1 version of GnuPG: > > > An installer for Windows is also available: > > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe > > (1.4M) > > > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig > > > Please try these versions out and report any problems. > > Up and running but after gpg --version, it shows rc1??? On Win32 or Unix? It certainly says rc2 on Unix. David From henkdebruijn at wanadoo.nl Thu Feb 17 21:04:05 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Feb 17 21:00:10 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217184405.GA18817@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> <1822865182.20050217181837@wanadoo.nl> <20050217184405.GA18817@jabberwocky.com> Message-ID: <2367620.20050217210405@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote: >> Up and running but after gpg --version, it shows rc1??? > On Win32 or Unix? It certainly says rc2 on Unix. On Win32 - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 iD8DBQFCFPi2Egabk9vm5ngRAqrNAJ9PNwcOfISU2nIfwZvSSxJzt+mligCeMt4d aV6VZ70Zt839Fgo++vQ5FNY= =7baU -----END PGP SIGNATURE----- From henkdebruijn at wanadoo.nl Thu Feb 17 21:20:44 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Feb 17 21:16:53 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217184405.GA18817@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> <1822865182.20050217181837@wanadoo.nl> <20050217184405.GA18817@jabberwocky.com> Message-ID: <1905164793.20050217212044@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 17 Feb 2005 13:44:05 -0500GMT (17-2-2005, 19:44 +0100, where I live), David Shaw wrote: > On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote: >> On Wed, 16 Feb 2005 22:18:24 -0500GMT (17-2-2005, 4:18 +0100, where I >> live), David Shaw wrote: >> >> > We are pleased to announce the availability of a the second release >> > candidate for the forthcoming 1.4.1 version of GnuPG: >> >> > An installer for Windows is also available: >> >> > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe >> > (1.4M) >> > >> > >> ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig >> >> > Please try these versions out and report any problems. >> >> Up and running but after gpg --version, it shows rc1??? > On Win32 or Unix? It certainly says rc2 on Unix. I noticed at the end of my message: - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 But still as I wrote after: gpg -- version it says rc1 - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 iD4DBQFCFPydEgabk9vm5ngRApkcAKDwL+D8fYMQSm7S4+h4UtM/0B5q2wCXSv4T BIUGoW5L92Ycm4qXLmYRRA== =zRw0 -----END PGP SIGNATURE----- From mads at warhead.org.uk Thu Feb 17 21:46:05 2005 From: mads at warhead.org.uk (Mads Munch Hansen) Date: Thu Feb 17 21:42:47 2005 Subject: Backup with encryption In-Reply-To: <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com> References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com> Message-ID: Dany Nativel wrote: > What about Duplicity ? > > http://www.nongnu.org/duplicity/ > > Dany > > > Mads Munch Hansen wrote: > >> That would mean he would have to input a passphrase everytime he does a >> backups, or make a script that does it for him, which could be a >> potential security risk. By using a public key, the backups can be done >> unatended with no risk of passphrase being compromised if the script(s) >> are. (it would be a good idea nontheless to keep the secret key on >> another system though) >> >> Regards >> Mads From what I (causually) read on the site I coulden't determine weather it used symetric encrytpion or not.. Are you familiar with it? - Mads -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050217/fd8ce70b/signature.pgp From jharris at widomaker.com Thu Feb 17 22:05:56 2005 From: jharris at widomaker.com (Jason Harris) Date: Thu Feb 17 22:02:08 2005 Subject: SHA1 broken? In-Reply-To: <87y8dnwt93.fsf@wheatstone.g10code.de> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> <20050216171915.81275.qmail@smasher.org> <87psz0z5yr.fsf@wheatstone.g10code.de> <20050216200506.GE1184@wilma.widomaker.com> <87y8dnwt93.fsf@wheatstone.g10code.de> Message-ID: <20050217210556.GJ1184@wilma.widomaker.com> On Thu, Feb 17, 2005 at 08:16:56AM +0100, Werner Koch wrote: > On Wed, 16 Feb 2005 15:05:07 -0500, Jason Harris said: > > The key creation time can be varied at will, and, I presume, v4 RSA > > That's true. However as long as we don't know how to calculate such a > block (and I just guessed that it is similar to the MD5 attack - which > is not necessary true) we don't know whether 4 bytes at a fixed offset > are sufficient. > > > key material can be too, a la v3 "vanity" keyids. But, is duplicating > > No, they are not vulnerable like v3 keyids. If RSA key material can be successfully manipulated to produce a desired result in a v3 key, why can't it also be manipulated in a v4 key? Granted, the desired result is a SHA-1 collision, but being able to modify key material opens up most of a v4 pubkey packet to manipulation. > > While two v4 keys with the same fingerprint could "steal" userid > > certifications made by others, any signatures produced by the > > colliding keys, including selfsigs on their userids, can _not_ > > They world harm the WoT or any other method of checking the identity > of a key because you usually compare the fingerprints out of band. Of course. However, if the key creation time, type, and number of bits are checked, they may be found to be different among keys with identical fingerprints. If not, we will have to "pgpdump -i" them to detect changes in the key material. Either way, each key with a colliding fingerprint can be placed in a keyring individually and used to check signatures purportedly from the key. If any of the key material - not just timestamps - varies among the keys, one should be able to isolate the key that actually made the valid signature (or, if you prefer, makes the signature valid). -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050217/ea26ed00/attachment.pgp From dany_list at natzo.com Thu Feb 17 22:26:09 2005 From: dany_list at natzo.com (Dany Nativel) Date: Thu Feb 17 22:22:17 2005 Subject: Backup with encryption In-Reply-To: References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com> Message-ID: <42150BF1.503@natzo.com> According to the man page, you can choose the one you like : * --encrypt-key */key/ When backing up, encrypt to the given public key, instead of using symmetric (traditional) encryption. Can be specified multiple times. BTW, I use rdiff-backup (http://www.nongnu.org/rdiff-backup/) which doesn't offer any encrytpion but provides a very efficient way to perform incremental backups. Cheers Dany Mads Munch Hansen wrote: > Dany Nativel wrote: > >> What about Duplicity ? >> >> http://www.nongnu.org/duplicity/ >> >> Dany >> >> >> Mads Munch Hansen wrote: >> >>> That would mean he would have to input a passphrase everytime he does a >>> backups, or make a script that does it for him, which could be a >>> potential security risk. By using a public key, the backups can be done >>> unatended with no risk of passphrase being compromised if the script(s) >>> are. (it would be a good idea nontheless to keep the secret key on >>> another system though) >>> >>> Regards >>> Mads >> > > > From what I (causually) read on the site I coulden't determine weather > it used symetric encrytpion or not.. Are you familiar with it? > > - Mads > >------------------------------------------------------------------------ > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From erwan at rail.eu.org Thu Feb 17 22:38:52 2005 From: erwan at rail.eu.org (Erwan David) Date: Thu Feb 17 22:34:57 2005 Subject: Backup with encryption In-Reply-To: <42150BF1.503@natzo.com> References: <49527f165cb51a4a4dacc1a94acaa97f@www.medincell.com> <21f9090dfefa95355b0be4e8a3dcc357__13267.9878188812$1108530984$gmane$org@biglumber.com> <421386CE.2030103__49615.0734521963$1108578977$gmane$org@natzo.com> <42150BF1.503@natzo.com> Message-ID: <20050217213852.GC11656@ratagaz.depot.rail.eu.org> Le Thu 17/02/2005, Dany Nativel disait > > According to the man page, you can choose the one you like : > * > --encrypt-key */key/ > When backing up, encrypt to the given public key, instead of using > symmetric (traditional) encryption. Can be specified multiple times. > > BTW, I use rdiff-backup (http://www.nongnu.org/rdiff-backup/) which > doesn't offer any encrytpion but provides a very efficient way to > perform incremental backups. I use tar f -|gpg for my backups. And I encrypt with my public key. My private key is stored on a USB key for security. -- Erwan From greg at turnstep.com Fri Feb 18 00:50:50 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Fri Feb 18 00:47:32 2005 Subject: Backup with encryption In-Reply-To: Message-ID: <837f63a836715c1f158db58dfdc294b4@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mads wrote: > Greg Sabino Mullane wrote: > .. >> gpg -ca yourfile > .. >> The only thing you have to worry about then is forgetting the password. > > That would mean he would have to input a passphrase everytime he does a > backups, or make a script that does it for him, which could be a > potential security risk. Sure, but if you have access to the script and the password, you also more than likely have access to the unencrypted files you are backing up, so the additional risk is not really there. A possibly better "best of both worlds" way is to simply create a private/public keypair just for the backups, handled with different security requirements than your personal key. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200502171850 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFCFS5bvJuQZxSWSsgRAkxuAJ98qK/cZ+Yx/F6Si+L0Vr41HUZcZQCcCBpx 0MK+cPZxZYxiVDwa1rltpZM= =T0/H -----END PGP SIGNATURE----- From erwan at rail.eu.org Fri Feb 18 01:27:57 2005 From: erwan at rail.eu.org (Erwan David) Date: Fri Feb 18 01:24:07 2005 Subject: Backup with encryption In-Reply-To: <837f63a836715c1f158db58dfdc294b4@biglumber.com> References: <837f63a836715c1f158db58dfdc294b4@biglumber.com> Message-ID: <20050218002757.GC12235@ratagaz.depot.rail.eu.org> Le Thu 17/02/2005, Greg Sabino Mullane disait > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Mads wrote: > > Greg Sabino Mullane wrote: > > .. > >> gpg -ca yourfile > > .. > >> The only thing you have to worry about then is forgetting the password. > > > > That would mean he would have to input a passphrase everytime he does a > > backups, or make a script that does it for him, which could be a > > potential security risk. > > Sure, but if you have access to the script and the password, you also > more than likely have access to the unencrypted files you are backing up, > so the additional risk is not really there. A possibly better "best of both > worlds" way is to simply create a private/public keypair just for the > backups, handled with different security requirements than your personal > key. for backup you only need the public key, so no problem to let a script use it. I doubt you do unattented recovery, so you can handle your private key as usual in this case. -- Erwan From henkdebruijn at wanadoo.nl Fri Feb 18 04:20:04 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Fri Feb 18 04:16:21 2005 Subject: [Announce] Second release candidate for 1.4.1 available In-Reply-To: <20050217184405.GA18817@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> <1822865182.20050217181837@wanadoo.nl> <20050217184405.GA18817@jabberwocky.com> Message-ID: <1208545917.20050218042004@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 17 Feb 2005 13:44:05 -0500GMT (17-2-2005, 19:44 +0100, where I live), David Shaw wrote: > On Thu, Feb 17, 2005 at 06:18:37PM +0100, Henk de Bruijn wrote: >> Up and running but after gpg --version, it shows rc1??? > On Win32 or Unix? It certainly says rc2 on Unix. Checked again and found two versions of gpg.exe, solved that and I think it is now ok. - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 iD8DBQFCFV7tEgabk9vm5ngRAnygAKCOkootlzFRIE0sw4Q5dIngZLncvwCg6b5H u3va+dhuczWV1cGZ7QNvjls= =82y9 -----END PGP SIGNATURE----- From texmex at uni.de Fri Feb 18 14:29:41 2005 From: texmex at uni.de (Gregor Zattler) Date: Fri Feb 18 14:26:23 2005 Subject: Second release candidate for 1.4.1 available In-Reply-To: <20050217031824.GA24720@jabberwocky.com> References: <20050217031824.GA24720@jabberwocky.com> Message-ID: <20050218132941.GH31904@pit.ID-43118.user.dfncis.de> Hi David, * David Shaw [16. Feb. 2005]: > Hi! > > We are pleased to announce the availability of a the second release > candidate for the forthcoming 1.4.1 version of GnuPG: > > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2 (2.7M) > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc2.tar.bz2.sig > ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.4.1rc1-1.4.1rc2.diff.bz2 (338K) > > An installer for Windows is also available: > > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe (1.4M) > ftp://ftp.gnupg.org/gcrypt/alpha/binary/gnupg-w32cli-1.4.1rc2.exe.sig The problem I reported in <20050203143651.GD19332@pit.ID-43118.user.dfncis.de> does not occour in rc2. The dialog for language selection opens with an empty selection but it's possible to select a language from the list. Thanks. From texmex at uni.de Fri Feb 18 15:06:22 2005 From: texmex at uni.de (Gregor Zattler) Date: Fri Feb 18 15:03:05 2005 Subject: RSA signing keys (was: Re: SHA1 broken?) In-Reply-To: <20050216144419.GC21336@jabberwocky.com> References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> Message-ID: <20050218140622.GL31904@pit.ID-43118.user.dfncis.de> Hi David, * David Shaw [16. Feb. 2005]: > In terms of GnuPG: it's up to you whether you want to switch hashes or > not. GnuPG supports all of the SHA-2 hashes, so they are at least > available. Be careful you don't run up against compatibility > problems: PGP doesn't support 384 or 512, and only recently started > supporting 256. GnuPG before 1.2.2 (2003-05-01), doesn't have any of > the new hashes. Finally, if you have a DSA signing key (most people > do) you are required to use either SHA-1 or RIPEMD/160. RSA signing > keys can use any hash. Do you advise to use RSA signing keys with gnupg 1.4.1? Will the default key type change? Gregor From wk at gnupg.org Fri Feb 18 16:01:46 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 18 16:01:07 2005 Subject: SHA1 broken? In-Reply-To: <20050217210556.GJ1184@wilma.widomaker.com> (Jason Harris's message of "Thu, 17 Feb 2005 16:05:56 -0500") References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050216161147.43569.qmail@smasher.org> <20050216165609.GB23828@jabberwocky.com> <20050216171915.81275.qmail@smasher.org> <87psz0z5yr.fsf@wheatstone.g10code.de> <20050216200506.GE1184@wilma.widomaker.com> <87y8dnwt93.fsf@wheatstone.g10code.de> <20050217210556.GJ1184@wilma.widomaker.com> Message-ID: <87sm3tdi91.fsf@wheatstone.g10code.de> On Thu, 17 Feb 2005 16:05:56 -0500, Jason Harris said: > If RSA key material can be successfully manipulated to produce a > desired result in a v3 key, why can't it also be manipulated in > a v4 key? Granted, the desired result is a SHA-1 collision, but Because the v4 format fixes the flaw with the length of the parameters and the way the fingerprint and keyid is calculated. > Of course. However, if the key creation time, type, and number of > bits are checked, they may be found to be different among keys with Well that means to reintroduce the requirement for that checking for v4 keys again. For a different reason of course. And well, with the SHA-1 weakness you still won't be able to find a second preimage for a given key. Salam-Shalom, Werner From wk at gnupg.org Fri Feb 18 16:18:44 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 18 16:15:59 2005 Subject: RSA signing keys In-Reply-To: <20050218140622.GL31904@pit.ID-43118.user.dfncis.de> (Gregor Zattler's message of "Fri, 18 Feb 2005 15:06:22 +0100") References: <1108543709.5827.1.camel@localhost.localdomain> <20050216144419.GC21336@jabberwocky.com> <20050218140622.GL31904@pit.ID-43118.user.dfncis.de> Message-ID: <87k6p5dhgr.fsf@wheatstone.g10code.de> On Fri, 18 Feb 2005 15:06:22 +0100, Gregor Zattler said: > Do you advise to use RSA signing keys with gnupg 1.4.1? Will the > default key type change? No. DSS is the default signing algorithm and a MUST for all OpenPGP applications; thus it is suggested to do that. Not all OpenPGP applications are able to handle RSA signed messages. And now please repeat all: The security of a system is limited by its weakest link! Does anyone really believe that a collission attack (i.e. a method to produce 2 different text with the same hash value) is a danger? I am 100% sure that there are more severe bugs in GnuPG or other software used during the build and its use that are far easier to exploit than a 2^69 workload with incredibale amounts of required storage. Let alone rubber hose attacks and blackmailing. Shalom-Salam, Werner From quillo1978 at gmail.com Fri Feb 18 17:55:34 2005 From: quillo1978 at gmail.com (Quillo) Date: Fri Feb 18 18:43:07 2005 Subject: general question about gnupg Message-ID: <1108745734.3777.157.camel@localhost.localdomain> Hi all, I'm a beginner in these encryption and security issues and, while with all the available documentation most of my user questions are solved, but I'm looking for something (I don't know if) not very common and I don't really know what should I look for. I have a server which, due to database events, sends automatically emails with some info. I would like that these emails are sent GPG/PGP signed (not encrypted), what kind of software should I look for? The servers (both database and smtp) are running windows and the emails are generated with ASPmail. Any clues would be very appreciated. Thanks a lot Angel From sk at intertivity.com Fri Feb 18 19:25:33 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Fri Feb 18 19:21:51 2005 Subject: general question about gnupg In-Reply-To: <1108745734.3777.157.camel@localhost.localdomain> Message-ID: <000801c515e7$3c41c8a0$f300a8c0@HOME> Hi, The company i work for is providing such software. Please go to https://www.ams.lu and look for eCrypt! esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of Quillo > Sent: Freitag, 18. Februar 2005 17:56 > To: gnupg-users@gnupg.org > Subject: general question about gnupg > > > > Hi all, > > I'm a beginner in these encryption and security issues and, > while with all the available documentation most of my user > questions are solved, but I'm looking for something (I don't > know if) not very common and I don't really know what should > I look for. > > I have a server which, due to database events, sends > automatically emails with some info. I would like that these > emails are sent GPG/PGP signed (not encrypted), what kind of > software should I look for? The servers (both database and > smtp) are running windows and the emails are generated with > ASPmail. Any clues would be very appreciated. > > Thanks a lot > > Angel > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From amilivojevic at pbl.ca Fri Feb 18 19:17:18 2005 From: amilivojevic at pbl.ca (Aleksandar Milivojevic) Date: Fri Feb 18 19:50:16 2005 Subject: SHA1 broken? In-Reply-To: <000901c51442$44274af0$f300a8c0@HOME> References: <000901c51442$44274af0$f300a8c0@HOME> Message-ID: <4216312E.5070608@pbl.ca> Kiefer, Sascha wrote: > Not really true. > If your wall is 100 meters (i dont how to calculate in foot) high, > and the ratio is 2^69 / 2^80 then your wall will be about 5 centimeters > high. Which is actually a big difference. But it's that it is still higher > than the MD5 wall. :) Sascha, North Americans don't dig really well into prefixes of metric system. An example is that I always ask for 200 grams of mortadela in local stores. Asking for 20 dekagrams (as I would do back home in Europe) is beyond conversion abilities of average North American. And this is in Canada where metric system is officialy in use. I can only imagine how bad the things are south of the border. So, to put things in perspective, 100 meter (328 feet) wall becomes 0.05 meter (aprox. 1 31/32 inch) wall. -- Aleksandar Milivojevic Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7 From johanw at vulcan.xs4all.nl Fri Feb 18 22:30:57 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Feb 18 22:27:04 2005 Subject: SHA1 broken? In-Reply-To: <4216312E.5070608@pbl.ca> from Aleksandar Milivojevic at "Feb 18, 2005 12:17:18 pm" Message-ID: <200502182130.WAA00455@vulcan.xs4all.nl> Aleksandar Milivojevic wrote: >local stores. Asking for 20 dekagrams (as I would do back home in >Europe) I never realised that the prefix "deca" was used in practise at all. I've always learned it to be a prefix that exists only formally. What country are you from? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From ajgpgml at tesla.inka.de Sat Feb 19 19:34:47 2005 From: ajgpgml at tesla.inka.de (Andreas John) Date: Sat Feb 19 20:12:24 2005 Subject: Problem: Charsets in 1.4.1rc2 References: <20050217031824.GA24720@jabberwocky.com> Message-ID: <002801c516b1$bddfa420$bad855d9@tesla> Hi! The charsets are handled very good (thanks to iconv.dll), but unfortunately it seems like copepage-issues with system-strings aren't taken into account: In the win98-console (CP850) I'll type "gpg test.txt.asc" to verify a test-signature: gpg: NOTE: THIS IS A DEVELOPMENT VERSION! gpg: It is only intended for test purposes and should NOT be gpg: used in a production environment or with production keys! Datei 'x.txt' existiert bereits. Overwrite? (y/N) y gpg: Signature made 02/19/05 19:25:15 (MEZ) Mitteleurop?ische Zeit using RSA key ID A5FF6560 gpg: Good signature from "test ?????? " Note the time-string: It should read "Mitteleurop?ische Zeit" (the UserID displays the right umlauts as expected). Bye! From dany_list at natzo.com Sun Feb 20 01:19:49 2005 From: dany_list at natzo.com (Dany Nativel) Date: Sun Feb 20 01:16:01 2005 Subject: Advice for Web of Trust policy Message-ID: <4217D7A5.4050106@natzo.com> Hello, I've been playing around with the OpenPGP card and I'm now ready to go live. I'd like to get into the web of trust but I don't know which way to go : 1) Like most GnuPG users, dedicated off-line signing key for signing other people's keys and my subkeys pros : - not connected... that says all! cons: - doesn't prevent from keyboard logger (passphrase) - signing key can be physically duplicated (brute force attack possible) 2) OpenPGP card for both signing and encrypting pros : - One card for both web of trust and everyday's encryption/signing - Not easy to duplicate key's secret material (but not impossible though ;)) - No complex passphrase to rememeber + automatic lock-down after 3 attempts - Easier to use with services like biglumber.com because the signing key is linked to an email address and also has an encryption subkey. Some people will only give you a cert level 2 if the key is only a signing key. cons: - Card is going to be used on a machine connected to the Internet. How is my policy (single OpenPGP card for everything) going to be accepted by the community ? Is this going to be seen as a threat to the web of trust ? Maybe I can get the advantage of 1) by only signing other people's keys with OpenPGP SmartCard, a LiveCD and no network) Thanks for your feedback Best regards Dany From jharris at widomaker.com Mon Feb 21 05:11:19 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Feb 21 05:07:44 2005 Subject: new (2005-02-20) keyanalyze results (+sigcheck) Message-ID: <20050221041118.GK1184@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-02-20/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: f1225de00d781e8085ece0582d1831c851fac5c3 11374632 preprocess.keys f51610b0ce7c4a366815da4f7f3b2ca69d7fa0d8 7180829 othersets.txt cd476b90cb529aa2ed8af209d17d150d50a59861 2881738 msd-sorted.txt ee7513d6673185c48dd654a1e8e683b1f7c8788f 1450 index.html 35d7a133eb27256452a8518f37531890ee861b79 2290 keyring_stats bdbc375a04b7459e2ec00a604fdaa93e9c339e7c 1134193 msd-sorted.txt.bz2 7527d827043a2bca798ef07ae1b0b1e117e310d2 26 other.txt b8f332cb8de8fb0df5e48d5071eb17128e4bc944 1544651 othersets.txt.bz2 04987163435d134ebba953a2749a857128e7e652 4598371 preprocess.keys.bz2 2f42b4d597ada29bdc9e92679978f18f6acc6a55 11488 status.txt 84502f71c3cf4c20418be9700a514bcefcbecc37 211626 top1000table.html 6bafd68aac66b0d195ffc7f1b45145740bfb28a9 30367 top1000table.html.gz c7d0cb9f2b17c9bc94ace7d49a89d92454735ca7 10991 top50table.html c491dc78d8d9a4192c33dc0097385ef842b6d57b 2369 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050220/e615cb0e/attachment.pgp From spifftraq at gmail.com Mon Feb 21 08:04:19 2005 From: spifftraq at gmail.com (Spiff Traq) Date: Mon Feb 21 09:00:55 2005 Subject: SHA1 broken? In-Reply-To: <200502182130.WAA00455@vulcan.xs4all.nl> References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl> Message-ID: <11e5220b05022023045379c373@mail.gmail.com> > Aleksandar Milivojevic wrote: > >local stores. Asking for 20 dekagrams (as I would do back home in > >Europe) > I never realised that the prefix "deca" was used in practise at all. > I've always learned it to be a prefix that exists only formally. > What country are you from? Here in sweden we use it, we natives spell it 'hekto' regards J?rgen From asmart at kingsdown.swindon.sch.uk Mon Feb 21 09:06:30 2005 From: asmart at kingsdown.swindon.sch.uk (Andy Smart) Date: Mon Feb 21 09:44:26 2005 Subject: SHA1 broken? In-Reply-To: <4216312E.5070608@pbl.ca> References: <000901c51442$44274af0$f300a8c0@HOME> <4216312E.5070608@pbl.ca> Message-ID: <42199686.6060604@kingsdown.swindon.sch.uk> I once asked an American friend when the US was going to metricate - his reply was "When Hell freezes over buddy"; as a result of 4 years in the UK he was convinced metric was easier but said that he couldn't see any reason for the US to change :-) Aleksandar Milivojevic wrote: > Kiefer, Sascha wrote: > >> Not really true. >> If your wall is 100 meters (i dont how to calculate in foot) high, >> and the ratio is 2^69 / 2^80 then your wall will be about 5 >> centimeters high. Which is actually a big difference. But it's that it >> is still higher >> than the MD5 wall. :) > > > Sascha, North Americans don't dig really well into prefixes of metric > system. An example is that I always ask for 200 grams of mortadela in > local stores. Asking for 20 dekagrams (as I would do back home in > Europe) is beyond conversion abilities of average North American. And > this is in Canada where metric system is officialy in use. I can only > imagine how bad the things are south of the border. So, to put things > in perspective, 100 meter (328 feet) wall becomes 0.05 meter (aprox. 1 > 31/32 inch) wall. > -------------- next part -------------- A non-text attachment was scrubbed... Name: asmart.vcf Type: text/x-vcard Size: 313 bytes Desc: not available Url : /pipermail/attachments/20050221/746f1c18/asmart.vcf From technojoecoolusa at charter.net Mon Feb 21 10:36:58 2005 From: technojoecoolusa at charter.net (Joseph D. Wagner) Date: Mon Feb 21 11:11:59 2005 Subject: Unable to Sign Packages Message-ID: <3rr3e8$i91lk3@mxip10a.cluster1.charter.net> While attempting to sign an RPM package I created using the command: rpm --addsign _packagename_ I got an error message saying the pass phrase is invalid. I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command: gpg --gen-key and entered "123" as the passphrase. No effect. I still get an error message that tells me the pass phrase is wrong. I know I'm typing "123" correctly, so what else could be set incorrectly that would give me this error message? ~/.rpmmacros is as follows: %_signature gpg %_gpg_path /home/joseph/.gnupg %_gpg_name Joseph D. Wagner (For Use with Fedora Core 3) TIA. Joseph D. Wagner From sk at intertivity.com Mon Feb 21 11:18:43 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Mon Feb 21 11:14:40 2005 Subject: SHA1 broken? In-Reply-To: <87sm3tdi91.fsf@wheatstone.g10code.de> Message-ID: <002701c517fe$b933f810$f300a8c0@HOME> I just read that the PGP Corporation will advance to SHA-256 and SHA-512 (http://www.pgp.com/news/sha1.html). From martin.pfister at gmx.net Sat Feb 19 15:53:35 2005 From: martin.pfister at gmx.net (Martin Pfister) Date: Mon Feb 21 11:21:25 2005 Subject: Outlook 2003 problem Message-ID: http://www.equipmente.de/viewtopic.php?t=642 Regards, Martin From kha at treskal.com Mon Feb 21 09:24:25 2005 From: kha at treskal.com (Karl =?iso-8859-1?Q?Hasselstr=F6m?=) Date: Mon Feb 21 11:21:32 2005 Subject: SHA1 broken? In-Reply-To: <11e5220b05022023045379c373@mail.gmail.com> References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl> <11e5220b05022023045379c373@mail.gmail.com> Message-ID: <20050221082425.GB10276@malin> On 2005-02-21 08:04:19 +0100, Spiff Traq wrote: > > Aleksandar Milivojevic wrote: > > > > > local stores. Asking for 20 dekagrams (as I would do back home > > > in Europe) > > > > I never realised that the prefix "deca" was used in practise at > > all. I've always learned it to be a prefix that exists only > > formally. What country are you from? > > Here in sweden we use it, we natives spell it 'hekto' Not quite. One hectogram is 100 grams (this is one "hekto" in Swedish). One decagram is 10 grams. I think the only place I've ever seen the prefix "deca" used is in the Dune books by Frank Herbert, where they measure water in decaliters. -- Karl Hasselstr?m, kha@treskal.com www.treskal.com/kalle From samuel at Update.UU.SE Mon Feb 21 11:28:37 2005 From: samuel at Update.UU.SE (Samuel ]slund) Date: Mon Feb 21 11:25:04 2005 Subject: [OT] Re: SHA1 broken? In-Reply-To: <11e5220b05022023045379c373@mail.gmail.com> References: <4216312E.5070608@pbl.ca> <200502182130.WAA00455@vulcan.xs4all.nl> <11e5220b05022023045379c373@mail.gmail.com> Message-ID: <20050221102837.GA27114@Update.UU.SE> On Mon, Feb 21, 2005 at 08:04:19AM +0100, Spiff Traq wrote: > > Aleksandar Milivojevic wrote: > > >local stores. Asking for 20 dekagrams (as I would do back home in > > >Europe) > > I never realised that the prefix "deca" was used in practise at all. > > I've always learned it to be a prefix that exists only formally. > > What country are you from? > > Here in sweden we use it, we natives spell it 'hekto' A 'hekto' is very closely associated with 100g of weight, if I heard it used for measuring any thing else (except a square a with 100 meters side 'hektar') it would be a little bit surprising. //Samuel From amilivojevic at pbl.ca Mon Feb 21 20:10:52 2005 From: amilivojevic at pbl.ca (Aleksandar Milivojevic) Date: Mon Feb 21 20:07:34 2005 Subject: SHA1 broken? In-Reply-To: <200502182130.WAA00455@vulcan.xs4all.nl> References: <200502182130.WAA00455@vulcan.xs4all.nl> Message-ID: <1109013052.421a323cd5e27@webmail2> Quoting Johan Wevers Date: Fri, 18 Feb 2005 22:30:57 > Aleksandar Milivojevic wrote: > > >local stores. Asking for 20 dekagrams (as I would do back home in > >Europe) > > I never realised that the prefix "deca" was used in practise at all. > I've always learned it to be a prefix that exists only formally. > What country are you from? From bogus@does.not.exist.com Sat Feb 19 18:06:40 2005 From: bogus@does.not.exist.com () Date: Mon Feb 21 20:07:35 2005 Subject: No subject Message-ID: quantities of cheese and salami when you go to buy them in stores. Most of other prefixes are used too. Deci for lenght and volume (usual glass sizes are 1, 2 or 3 decliters), I heard hekto (hecto in english?) used for larger volumes of liquids (for example, by smaller wine makers). Basically, I preatty much heard of almost all the prefixes in normal range (from nano to tera) used for various porupuses. -- Aleksandar Milivojevic Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7 From FHubeny at wittbiomedical.com Mon Feb 21 13:52:07 2005 From: FHubeny at wittbiomedical.com (Frank Hubeny) Date: Tue Feb 22 12:33:25 2005 Subject: gpg141rc1, and rc2 home directory problems Message-ID: Hello Group; I have found a possible problem with the two release candidates for GPG141. It has to do with the home directory. If I uninstall 141, and then remove the home directory. When I reinstall the program and try to make a key I get a error about no directory available. I found that the uninstaller does not remove the registry entries for 141. If I uninstall gpg141, remove the home directory, then remove the registry enties for gpg141. Then I can reinstall gpg141 and the home directory is installed at installation. Small problem I know. But many Window users will not clean up their registry, it is sort of a no no for most users who are told not to do so unless they know what to remove, and how to do so. The work around I found is to just add manually the directory and then all is well. Frank Hubeny RMA Technician Manufacturing Dept. Witt Biomedical Corp. 800.669.1328 ext. 179 fhubeny@wittbiomedical.com From james at jolt.co.uk Tue Feb 22 12:18:17 2005 From: james at jolt.co.uk (James Davis) Date: Tue Feb 22 13:10:26 2005 Subject: gpg: Oops; keylost! Message-ID: <421B14F9.3090704@jolt.co.uk> I get the following error from GPG which is preventing Enigmail from displaying my public keyring. E:/gnupg\pubring.gpg -------------------- gpg: Oops; key lost! followed by a list of mine and my colleague's key. What's causing this error and how can I fix it? I've searched the web but with little luck. Thanks, James From dshaw at jabberwocky.com Tue Feb 22 14:46:52 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Feb 22 14:43:41 2005 Subject: gpg: Oops; keylost! In-Reply-To: <421B14F9.3090704@jolt.co.uk> References: <421B14F9.3090704@jolt.co.uk> Message-ID: <20050222134652.GB31030@jabberwocky.com> On Tue, Feb 22, 2005 at 11:18:17AM +0000, James Davis wrote: > I get the following error from GPG which is preventing Enigmail from > displaying my public keyring. > > E:/gnupg\pubring.gpg > -------------------- > gpg: Oops; key lost! > > followed by a list of mine and my colleague's key. Can you send what GnuPG prints after that error? It indicates what happened. In general, though, your pubring.gpg is probably corrupt. David From DBSMITH at OhioHealth.com Tue Feb 22 16:19:20 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Tue Feb 22 16:15:33 2005 Subject: question on multiple public keys In-Reply-To: <20031015115220.GB1859@jabberwocky.com> Message-ID: All Is there a way that we can add a second key to my file for gpg encryption? Our DBA in the Import Team needs to have this done so that he can open our file as well. When this person is out of the office, no one else is able to access your file unless they can access his computer. We would like to add another user to the keyring so that he can access your data as well. please advise! THANK YOU, I looked through some emails I saved and found this: Yes, this is possible. In each user's gpg.conf file, add a line reading: keyring /path/to/the/shared/keyring.gpg Note that when importing a key, each user will import to their own local keyring unless they specifically state they want to import to the shared keyring. Likely you don't want the shared keyring to be imported to by random users, so making it read-only is appropriate. Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams 614-566-4145 From technojoecoolusa at charter.net Tue Feb 22 17:08:37 2005 From: technojoecoolusa at charter.net (Joseph D. Wagner) Date: Tue Feb 22 17:04:19 2005 Subject: Unable to Sign RPM Packages Message-ID: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net> I posted this a few days ago, but I didn't get any response. --------------------------------------------------------------------------- While attempting to sign an RPM package I created using the command: rpm --addsign _packagename_ I got an error message saying the pass phrase is invalid. I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command: gpg --gen-key and entered "123" as the passphrase. No effect. I still get an error message that tells me the pass phrase is wrong. I know I'm typing "123" correctly, so what else could be set incorrectly that would give me this error message? ~/.rpmmacros is as follows: %_signature gpg %_gpg_path /home/joseph/.gnupg %_gpg_name Joseph D. Wagner (For Use with Fedora Core 3) TIA. Joseph D. Wagner From brunij at earthlink.net Wed Feb 23 02:41:48 2005 From: brunij at earthlink.net (Joseph Bruni) Date: Wed Feb 23 03:11:57 2005 Subject: question on multiple public keys In-Reply-To: References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Another solution would be to make sure that you encrypt the file to all the users who should be able to decrypt that file. You can have multiple "--recipient" entries on the command line. Check out the "group" functions as well to simplify this process. - -Joe On Feb 22, 2005, at 8:19 AM, DBSMITH@OhioHealth.com wrote: > All > > Is there a way that we can add a second key to my file for gpg > encryption? > Our DBA in the Import Team needs to have this done so that he can open > our > file as well. When this person is out of the office, no one else is > able > to access your file unless they can access his computer. We would > like to > add another user to the keyring so that he can access your data as > well. > > please advise! > > THANK YOU, > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) iQEVAwUBQhvfYlGV1jrNVRjHAQg2Qwf/WrjFsFIHIcRqA7pUKfz7V1SHumURD9kj IJShLCzbPSukB7K5tGQcKoM2o4UzqznFiArmev7Nj+0j2GJepPufpMVKsqzes4VI uH6fjKlcJNktObx0/CsQI59QPWZ91NQplgzGTx+YJsnlVO/cvl4j1SnXvthgPug6 GRtdSWk0AFp4lHtTDPm9qHT9cHuuSanrQqc5McrZLAXWARtqChOy8hj69n6hEREd e2MXGHwxH6NgfIfjleECQXV7OPALyEZXhB1Q366O0Cq7YkFOUUTUuIwXI/tpO1/o o6KVOLDGXt1Y9u92lneaQpmtxvKITf7QxRKrHsZDkdLbp+KXh6pEsQ== =Nl6j -----END PGP SIGNATURE----- From dhcalva at comcast.net Wed Feb 23 15:57:38 2005 From: dhcalva at comcast.net (David Calvarese) Date: Wed Feb 23 16:29:31 2005 Subject: gpg.conf Message-ID: <421C99E2.8060509@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hey all, I was wondering if there's any place on the web (or anywhere) that I can find out all the parameters that can be used in the gpg.conf file and their syntax. Especially parameters dealing with cipher/hash/compression preferences. Daev -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCHJniSlxKVhydU2ARA9ZDAJwLLynAeWuU2hu17ICiGDhHw6CxPACghbGq 4ut3/8ZMgBnBgCnmeVNob3o= =Bf/9 -----END PGP SIGNATURE----- From atom at smasher.org Wed Feb 23 16:43:27 2005 From: atom at smasher.org (Atom Smasher) Date: Wed Feb 23 16:39:29 2005 Subject: gpg.conf In-Reply-To: <421C99E2.8060509@comcast.net> References: <421C99E2.8060509@comcast.net> Message-ID: <20050223154307.14952.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On Wed, 23 Feb 2005, David Calvarese wrote: > I was wondering if there's any place on the web (or anywhere) that I can > find out all the parameters that can be used in the gpg.conf file and > their syntax. Especially parameters dealing with > cipher/hash/compression preferences. ================ it's all in the man page. just about all of the long options can be used in the config file, just leave off the two leading dashes. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "If you take out the killings, Washington actually has a very very low crime rate." -- M. Barry, Mayor of Washington, DC -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBAwAGBQJCHKSlAAoJEAx/d+cTpVci28EIAJ1e1hSNxsabDyy2jDCi481F VXwVrDZDqCVsJqLuypJi4lVWceqTc+FNDd8EhPb1vPIXtmKxxa2n4CbDf3DGQnKy bCltisstlkGzr17D2MO3Rs0ufmzhcLUgchPd57PeVwUFAANmIX9ZQU2wQtvAEQo7 UF/UaUUKLZhRT/iBX0eiLja+P410uYZcaSfgbsgiotCk3P/NMQUG8Axf2lzYtcLr bb51RZ79GuZCMZNgC2ifZqRbWjkBZUVhmZVpB2Q3hecLxRfIU7NQAvmREJKgZ6UH BbLQ+nakdwHEFA1cPGMjqun2A6PHqOJEWCbyq4fGVB66XQmlPkKEmctGy3gpFUI= =KIzE -----END PGP SIGNATURE----- From sckbr at alltel.net Wed Feb 23 18:56:31 2005 From: sckbr at alltel.net (Bob) Date: Wed Feb 23 20:07:52 2005 Subject: Revocation certificate created? Message-ID: <421CC3CF.90501@alltel.net> Where have I created this revocation certificate, that I might copy and remove it from my H/D? -- Bob From pt at radvis.nu Wed Feb 23 20:24:38 2005 From: pt at radvis.nu (Per Tunedal Casual) Date: Wed Feb 23 20:18:17 2005 Subject: SHA1 broken? Message-ID: <6.1.2.0.2.20050223202432.03bf8640@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi I read their pressrelease as a statement that they will implement the same features as in the latest release of GnuPG (1.4.0). There is nothing about the hottest topic: signing of keys (self signatures and signatures from others) Per Tunedal Keyid: 0xAE053BE0 Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0 At 11:18 2005-02-21, you wrote: >I just read that the PGP Corporation will advance to >SHA-256 and SHA-512 (http://www.pgp.com/news/sha1.html). > > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFCHNiUpPsTvNtsBX8RAj/YAKCU22cKZnjl1WJMol4kvOBewljSKwCfT7ZE zaTqzM6v7jvh9eiXBXgjglI= =twXu -----END PGP SIGNATURE----- From zuxy.meng at gmail.com Wed Feb 23 20:34:50 2005 From: zuxy.meng at gmail.com (Zuxy) Date: Wed Feb 23 20:31:26 2005 Subject: gpg.conf In-Reply-To: <421C99E2.8060509@comcast.net> References: <421C99E2.8060509@comcast.net> Message-ID: On Wed, 23 Feb 2005 09:57:38 -0500, David Calvarese wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: RIPEMD160 > > Hey all, > > I was wondering if there's any place on the web (or anywhere) that I can > find out all the parameters that can be used in the gpg.conf file and > their syntax. Especially parameters dealing with > cipher/hash/compression preferences. > My FC3 distro includes a vim syntax file for gpg.conf which might help. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From cs at rubeo.nl Wed Feb 23 19:47:50 2005 From: cs at rubeo.nl (Cees) Date: Wed Feb 23 20:44:14 2005 Subject: HI all! Message-ID: <1741006316.20050223194750@rubeo.nl> Het is woensdag 23 februari 2005 en 19:46:16 uur : Hi gnupg-users, just a little testing message to see if I'm there... and also a check to see if my signature still remains BAD for no reason at all. Am having a little trouble with gnupg to get this to work properly. -- regards, Cees Never run after buses or women: you'll always get left behind. __________________________________________________________________________________________ The Bat! 3.0.9.1 Deep Alpha [A12F0392] running on Windows XP 5.1 build 2600 Service Pack 2 Deze mail is afkomstig uit het Rubeodomein en dus gegarandeerd virusvrij! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 186 bytes Desc: not available Url : /pipermail/attachments/20050223/3c0342a0/attachment-0001.pgp From j.breier at gmx.de Wed Feb 23 23:26:16 2005 From: j.breier at gmx.de (Jakob) Date: Thu Feb 24 00:14:24 2005 Subject: Which key type for offline signing key + how to get a trusted copy of gpg signing key Message-ID: <421D0308.9050701@gmx.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I want to create a key only used for key signing (on an offline system with Knoppix). As I recently read that 1024bit DSA-keys are quite small for long time security (let's say 10 years) I wondered whether I should use a 4048bit RSA-key instead. Is there any reason not to do so? The Knoppix version I use only comes with GPG 1.2.4 or similar. I would like to upgrade to GPG 1.4, but have no idea how to get a verified copy of the GPG signing key (57548DCD). How did you verify your first copy of this key? Sorry for my english, and thanks for any replies. Jakob Breier. __________ 2005-02-23 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) iD8DBQFCHQK5kQFTRHuGzGgRAuVzAJ98w//E9x2zXUIQwNvX0oLUQJAmMQCfcNdj lX7R4Iz5+fhzsDLgeCI/ceg= =iFXx -----END PGP SIGNATURE----- From timemaster at sillydog.org Thu Feb 24 06:31:56 2005 From: timemaster at sillydog.org (David Vallier) Date: Thu Feb 24 06:28:15 2005 Subject: HI all! In-Reply-To: <1741006316.20050223194750@rubeo.nl> References: <1741006316.20050223194750@rubeo.nl> Message-ID: <421D66CC.8020006@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cees wrote: >Het is woensdag 23 februari 2005 en 19:46:16 uur : > >Hi gnupg-users, > > just a little testing message to see if I'm there... > and also a check to see if my signature still remains BAD for no reason > at all. Am having a little trouble with gnupg to get this to work > properly. > > >---------------------------------------------------------------------- > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users It showed bad over here, this is the error dialog from Enigmail; gpg: unexpected armor: -----BEGIN PGP MESSAGE-----\r\n gpg: Signature made 02/23/05 11:47:50 Mountain Standard Time gpg: using DSA key 1E0D0B2F31F37526 gpg: requesting key 1E0D0B2F31F37526 from hkp server sks.keyserver.penguin.de gpg: key 1E0D0B2F31F37526: public key "Cees Schouten (Rubeo) " imported [GNUPG:] IMPORTED 1E0D0B2F31F37526 Cees Schouten (Rubeo) [GNUPG:] IMPORT_OK 1 994E630646B53E8430E8C2131E0D0B2F31F37526 gpg: Total number processed: 1 gpg: imported: 1 [GNUPG:] IMPORT_RES 1 0 1 0 0 0 0 0 0 0 0 0 0 0 [GNUPG:] BADSIG 1E0D0B2F31F37526 Cees Schouten (Rubeo) gpg: BAD signature from "Cees Schouten (Rubeo) " Maybe the above will help -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iEYEARECAAYFAkIdZswACgkQCT6ogSjnGK/2pwCeIa+CTKtUWoE1QgGL+4eG8NBe iNMAoLqNIeRz8IhoT8IphCej/nIkeHjx =nGO/ -----END PGP SIGNATURE----- From wk at gnupg.org Thu Feb 24 09:46:37 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Feb 24 09:46:16 2005 Subject: Which key type for offline signing key + how to get a trusted copy of gpg signing key In-Reply-To: <421D0308.9050701@gmx.de> (j.breier@gmx.de's message of "Wed, 23 Feb 2005 23:26:16 +0100") References: <421D0308.9050701@gmx.de> Message-ID: <873bvm73bm.fsf@wheatstone.g10code.de> On Wed, 23 Feb 2005 23:26:16 +0100, Jakob said: > with Knoppix). As I recently read that 1024bit DSA-keys are quite > small for long time security (let's say 10 years) I wondered whether I > should use a 4048bit RSA-key instead. Is there any reason not to do so? Nowadays it seems that the hash algorithms are the major weakness digital signatures; so a longer KEy does gain you anything excpept for preety long and slow signatures. You might want to use a 2k RSA key so that you can use SHA-256. However, the only MUST algorithm for signing in OpenPGP is DSA and SHA-1 so by using RSA not everyone will be able to make use of your key sigtnatures. > verified copy of the GPG signing key (57548DCD). How did you verify Signed by me and my key is pretty well connected in the web of trust - go and check the signatures on my key. See Mail header for the canonical source of my key in case your keyserver is old and dusted. Shalom-Salam, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 196 bytes Desc: not available Url : /pipermail/attachments/20050224/a3329c12/attachment.pgp From a_entin at hotmail.com Tue Feb 22 17:14:55 2005 From: a_entin at hotmail.com (Ari Entin) Date: Thu Feb 24 11:05:03 2005 Subject: Problem With Decrypting Messages In Outlook 2003 w/ Gdata plugin Message-ID: Hi, * Forgive me if this is a repost. I do not believe the original went through. * I am having problems with decrypting a plain text messages in Outlook 2003: When opening the message, the plugin prompts or my passphrase. I type it and then message then appears unencrypted. When I choose to decrypt the message, I get an error stating "The message is neither encrypted nor signed." If I include attachments, they decrypt just fine! Its seems to be limited to text messages. Note that the message types were all in plain next (not HTML or RTF) and Word editing is turned OFF. I have tried on a few different PC's, OS's, etc. Same problem! Anyone aware of this issue or knows of a cure? Thanks! Environment: * OS - Windows XP * GNUPG version - Tried both 1.2.5 & 1.4.0a * Outlook Plugin - Gdata G10 v. 0.94 * Outlook version: Tried both Outlook 2000 & 2003. * Shell - GPG Shell v. 3.32 Ari Entin From ml at bitfalle.org Thu Feb 24 13:52:10 2005 From: ml at bitfalle.org (markus reichelt) Date: Thu Feb 24 13:48:55 2005 Subject: Chemnitzer Linuxtage 2005 Message-ID: <20050224125210.GA12113@dantooine> Hi list, this might be of interest to German subscribers. In 9 days there's the "Chemnitzer Linux-Tage 2005". http://chemnitzer.linux-tage.de/2005/info/ Of course there will be a Key Signing Party again, but you have to send in your public key(s) by tomorrow at he latest if you want to participate. I'll attend so maybe see you there. -- Bastard Administrator in $hell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050224/38af853d/attachment.pgp From sk at intertivity.com Thu Feb 24 14:17:41 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Thu Feb 24 14:13:55 2005 Subject: Chemnitzer Linuxtage 2005 In-Reply-To: <20050224125210.GA12113@dantooine> References: <20050224125210.GA12113@dantooine> Message-ID: <421DD3F5.8060509@intertivity.com> Well, i will not be at the "Chemnitzer Linux-Tage 2005" but i will be at the "12. Workshop 'Sicherheit in vernetzten Systemen'" of DFN-CERT ( http://www.dfn-cert.de/events/ws/2005/ ).** Is anybody else going to be there? Have esskar markus reichelt schrieb: >Hi list, > >this might be of interest to German subscribers. > >In 9 days there's the "Chemnitzer Linux-Tage 2005". >http://chemnitzer.linux-tage.de/2005/info/ > >Of course there will be a Key Signing Party again, but you have to >send in your public key(s) by tomorrow at he latest if you want to >participate. > >I'll attend so maybe see you there. > > > > >------------------------------------------------------------------------ > >_______________________________________________ >Gnupg-users mailing list >Gnupg-users@gnupg.org >http://lists.gnupg.org/mailman/listinfo/gnupg-users > > From og at pre-secure.de Thu Feb 24 18:34:16 2005 From: og at pre-secure.de (Olaf Gellert) Date: Thu Feb 24 18:34:45 2005 Subject: Chemnitzer Linuxtage 2005 In-Reply-To: <421DD3F5.8060509@intertivity.com> References: <20050224125210.GA12113@dantooine> <421DD3F5.8060509@intertivity.com> Message-ID: <421E1018.1010709@pre-secure.de> Sascha Kiefer wrote: > Well, i will not be at the "Chemnitzer Linux-Tage 2005" but > i will be at the "12. Workshop 'Sicherheit in vernetzten Systemen'" of > DFN-CERT ( http://www.dfn-cert.de/events/ws/2005/ ).** > Is anybody else going to be there? Yes, me and the other guys from DFN-CERT and PRESECURE, a good opportunity to push your key far up in the web of trust... :-) I think there will be no explicit keysigning party as in the last two years, so bring your keyinfos (keyID, userID and fingerprint, and better a few copies of this) and your passport with you... my keyIDs: 4403EB31, 799241C1, 48285EB9 & AFD42D45 Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From sk at intertivity.com Thu Feb 24 20:32:03 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Feb 24 20:28:03 2005 Subject: Check if file is a key file Message-ID: <001901c51aa7$84e2e4d0$f300a8c0@HOME> Hi you, As i'm writing a program that automates the gnupg stuff and i want to achive the following: I have a file. Maybe it is a valid key file or it is not. But i want that gnupg finds it out for me. My idea was to use dry-run and import: if gnupg is possible to import something then I'm sure the file is a key file (or at least, it has an key in it). This works fine if the file contains just one key but if the file contains about 1000-5000 Key,s things are getting slow. So is there a command that tests a file? Thanks. Sascha From og at pre-secure.de Thu Feb 24 21:34:14 2005 From: og at pre-secure.de (Olaf Gellert) Date: Thu Feb 24 21:34:19 2005 Subject: Check if file is a key file In-Reply-To: <001901c51aa7$84e2e4d0$f300a8c0@HOME> References: <001901c51aa7$84e2e4d0$f300a8c0@HOME> Message-ID: <421E3A46.2040101@pre-secure.de> Kiefer, Sascha wrote: > As i'm writing a program that automates the gnupg stuff and i want to achive > the following: > I have a file. Maybe it is a valid key file or it is not. But i want that > gnupg finds > it out for me. My idea was to use dry-run and import: if gnupg is possible > to import > something then I'm sure the file is a key file (or at least, it has an key > in it). > This works fine if the file contains just one key but if the file contains > about 1000-5000 > Key,s things are getting slow. So is there a command that tests a file? What else could the file be? If I just use the unix command "file" on some files, I already get the following: > file .gnupg/pubring.gpg .gnupg/pubring.gpg: data > file .gnupg/secring.gpg .gnupg/secring.gpg: PGP key security ring > file gellert.asc gellert.asc: PGP armored data public key block So it does not recognize a GPG public keyring, but it does recognize secret keyrings and ASCII-armored keys. Or do you need something that really checks if the file contains a VALID key? Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From sk at intertivity.com Thu Feb 24 21:45:02 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Feb 24 21:41:17 2005 Subject: Check if file is a key file In-Reply-To: <421E3A46.2040101@pre-secure.de> Message-ID: <000701c51ab1$b6fb8e40$f300a8c0@HOME> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yep. It can be X.509 certificate, or a PKCS#12 file; they will be handled differently. Or maybe somebody selects a totally different file, and so on! Bye the way, i'm looking for a windows solution. > -----Original Message----- > From: Olaf Gellert [mailto:og@pre-secure.de] > Sent: Donnerstag, 24. Februar 2005 21:34 > To: sk@intertivity.com > Cc: gnupg-users@gnupg.org > Subject: Re: Check if file is a key file > > > Kiefer, Sascha wrote: > > > As i'm writing a program that automates the gnupg stuff and > i want to > > achive the following: I have a file. Maybe it is a valid > key file or > > it is not. But i want that gnupg finds > > it out for me. My idea was to use dry-run and import: if > gnupg is possible > > to import > > something then I'm sure the file is a key file (or at > least, it has an key > > in it). > > This works fine if the file contains just one key but if > the file contains > > about 1000-5000 > > Key,s things are getting slow. So is there a command that > tests a file? > > What else could the file be? If I just use the unix command > "file" on some files, I already get the following: > > > file .gnupg/pubring.gpg > .gnupg/pubring.gpg: data > > file .gnupg/secring.gpg > .gnupg/secring.gpg: PGP key security ring > > file gellert.asc > gellert.asc: PGP armored data public key block > > So it does not recognize a GPG public keyring, but it > does recognize secret keyrings and ASCII-armored keys. > > Or do you need something that really checks if the > file contains a VALID key? > > Cheers, Olaf > > -- > Dipl.Inform. Olaf Gellert PRESECURE (R) > Senior Researcher, Consulting GmbH > Phone: (+49) 0700 / PRESECURE og@pre-secure.de > > A daily view on Internet Attacks > https://www.ecsirt.net/sensornet > -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQh48zQInDejiptdCEQJ8hgCgzkdMW04wIarv15d+S8hMXQbo8VMAoL7F DFTS+BDD3SAaa/F46Te+kcyO =9x/V -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Thu Feb 24 23:15:26 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 24 23:12:21 2005 Subject: gpg.conf In-Reply-To: <421C99E2.8060509@comcast.net> References: <421C99E2.8060509@comcast.net> Message-ID: <20050224221526.GB29245@jabberwocky.com> On Wed, Feb 23, 2005 at 09:57:38AM -0500, David Calvarese wrote: > Hey all, > > I was wondering if there's any place on the web (or anywhere) that I can > find out all the parameters that can be used in the gpg.conf file and > their syntax. Especially parameters dealing with > cipher/hash/compression preferences. The man page gives all the options, but if someone is looking for a nice project to do, a web page with each option and commentary would be a great thing to point people to when they have questions. David From dshaw at jabberwocky.com Thu Feb 24 23:16:56 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Feb 24 23:13:31 2005 Subject: Unable to Sign RPM Packages In-Reply-To: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net> References: <3rr0ks$j2ah1t@mxip05a.cluster1.charter.net> Message-ID: <20050224221656.GC29245@jabberwocky.com> On Tue, Feb 22, 2005 at 10:08:37AM -0600, Joseph D. Wagner wrote: > I posted this a few days ago, but I didn't get any response. > > --------------------------------------------------------------------------- > > While attempting to sign an RPM package I created using the command: > > rpm --addsign _packagename_ > > I got an error message saying the pass phrase is invalid. > > I deleted the contents of the ~/.gnupg directory, which should have completely deleted the key. I generated a new key using the command: > > gpg --gen-key > > and entered "123" as the passphrase. > > No effect. I still get an error message that tells me the pass > phrase is wrong. I know I'm typing "123" correctly, so what else > could be set incorrectly that would give me this error message? > > ~/.rpmmacros is as follows: > > %_signature gpg > %_gpg_path /home/joseph/.gnupg > %_gpg_name Joseph D. Wagner (For Use with Fedora Core 3) Do things work properly without rpm calling gpg for you? That is, can you sign any old file 'gpg --sign foo' ? If so, then you need to ask the rpm folks for help, since gpg is working properly. David From dhcalva at comcast.net Fri Feb 25 02:04:39 2005 From: dhcalva at comcast.net (David Calvarese) Date: Fri Feb 25 02:36:00 2005 Subject: gpg.conf In-Reply-To: <20050224221526.GB29245@jabberwocky.com> References: <421C99E2.8060509@comcast.net> <20050224221526.GB29245@jabberwocky.com> Message-ID: <421E79A7.4000004@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 David Shaw wrote: > On Wed, Feb 23, 2005 at 09:57:38AM -0500, David Calvarese wrote: >> Hey all, >> >> I was wondering if there's any place on the web (or anywhere) that I can >> find out all the parameters that can be used in the gpg.conf file and >> their syntax. Especially parameters dealing with >> cipher/hash/compression preferences. > > The man page gives all the options, but if someone is looking for a > nice project to do, a web page with each option and commentary would > be a great thing to point people to when they have questions. That would be great to have. In fact, that's about what I was looking for. The man page is also a lot to slog through to find something. I'm surprised there isn't a 'man gpg.conf' file like there is for a lot of other programs. - -- Dave Calvarese PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-dh.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCHnmkSlxKVhydU2ARAxUtAJ9cMn3vWgng1iQp/JiezvFPtsI1MwCeL/rN 4ppDSzixVndbxuPpnyA/BWM= =ZzHc -----END PGP SIGNATURE----- From wk at gnupg.org Fri Feb 25 10:18:52 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Feb 25 10:16:12 2005 Subject: gpg.conf In-Reply-To: <20050224221526.GB29245@jabberwocky.com> (David Shaw's message of "Thu, 24 Feb 2005 17:15:26 -0500") References: <421C99E2.8060509@comcast.net> <20050224221526.GB29245@jabberwocky.com> Message-ID: <87fyzl2e0z.fsf@wheatstone.g10code.de> On Thu, 24 Feb 2005 17:15:26 -0500, David Shaw said: > The man page gives all the options, but if someone is looking for a > nice project to do, a web page with each option and commentary would > be a great thing to point people to when they have questions. Indeed. I'll ask the web people who we can do that the best way. It would also be a nice project to enhance the outdated Gnu Privacy Handbook. Salam-Shalom, Werner From sk at intertivity.com Fri Feb 25 10:51:36 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 25 10:47:41 2005 Subject: WARNING: key contains preferences for unavailable Message-ID: <421EF528.9020102@intertivity.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, some keys - spezially the ones created with PGP - throw the above warning when they are imported. I know that i shutdown the message using --batch and --quiet but lets say i want to use this key for encrypting or signing will it work or will i be asked again? Thanks. Sascha -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQh71EAInDejiptdCEQKBjQCfZ7d3UTD8oHqK2wihl6UlHU+pYyIAmwVP WhxhG58lyA+xiS1tgHNJDA+4 =pqTm -----END PGP SIGNATURE----- From quillo1978 at gmail.com Fri Feb 25 11:06:08 2005 From: quillo1978 at gmail.com (Quillo) Date: Fri Feb 25 11:01:31 2005 Subject: GPG for windows Message-ID: <1109325968.4002.24.camel@localhost.localdomain> Hi, Can anybody recommend me what software should I install for a windows outlook machine? It's for people completely new to gpg and I need it to be simple and robust, not neccesarily flexible and powerful. I have downloaded the windows client from gnupg.org and the Gdata plugin for outlook, but I don't know if it's the best option for my needs. Thanks a lot Angel From patrick at mozilla-enigmail.org Fri Feb 25 11:50:14 2005 From: patrick at mozilla-enigmail.org (Patrick Brunschwig) Date: Fri Feb 25 12:31:19 2005 Subject: Revocation certificate created? In-Reply-To: <421CC3CF.90501__44754.7800526538$1109191889$gmane$org@alltel.net> References: <421CC3CF.90501__44754.7800526538$1109191889$gmane$org@alltel.net> Message-ID: <421F02E6.8030000@mozilla-enigmail.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bob wrote: > Where have I created this revocation certificate, that I might copy and > remove it from my H/D? Wherever you saved it :-) Enigmail does not have a default location. You can search on your harddisk for all *.asc files to find it. - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCHwLm2KgHx8zsInsRAhsKAKCJfmRkT4GMFgyMZ9GqN3ABsSGmCACgwaVV lMefCUlEEzmfks2bJ+Qln6U= =CLdw -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Fri Feb 25 13:36:22 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Feb 25 13:41:45 2005 Subject: WARNING: key contains preferences for unavailable In-Reply-To: <421EF528.9020102@intertivity.com> from Sascha Kiefer at "Feb 25, 2005 10:51:36 am" Message-ID: <200502251236.NAA04231@vulcan.xs4all.nl> Sascha Kiefer wrote: >I know that i shutdown the message using --batch and --quiet but lets say i >want to use this key for encrypting or signing will it work or will i be >asked again? I don't know. I guess the key has preferences for IDEA, that GnuPG doesn't support ot of the box. Install the IDEA plugin or place idea.c in the cipher dir before compiling and you support it. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Fri Feb 25 14:48:47 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 25 14:45:34 2005 Subject: WARNING: key contains preferences for unavailable In-Reply-To: <421EF528.9020102@intertivity.com> References: <421EF528.9020102@intertivity.com> Message-ID: <20050225134847.GA29689@jabberwocky.com> On Fri, Feb 25, 2005 at 10:51:36AM +0100, Sascha Kiefer wrote: > Hi, > > some keys - spezially the ones created with PGP - throw the above > warning when they are imported. I know that i shutdown the message > using --batch and --quiet but lets say i want to use this key for > encrypting or signing will it work or will i be asked again? That warning message means pretty much what it says. PGP creates keys with preferences that advertise the use of algorithms that GnuPG doesn't support. GnuPG is warning you that if you use that public key without fixing the preferences, someone may try and follow those incorrect preferences and send you something you can't decrypt. Since you mention PGP, it's probably a case of missing IDEA. Note this only happens when importing a secret key along with a public key (or importing a secret key for which you already have a public key or vice versa). You should answer 'yes' to the question and allow GnuPG to fix your preferences. David From sk at intertivity.com Fri Feb 25 15:02:07 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Feb 25 14:58:20 2005 Subject: WARNING: key contains preferences for unavailable In-Reply-To: <20050225134847.GA29689@jabberwocky.com> References: <421EF528.9020102@intertivity.com> <20050225134847.GA29689@jabberwocky.com> Message-ID: <421F2FDF.9050100@intertivity.com> But then I have to (re-)submit the key, right? David Shaw schrieb: >You should answer 'yes' to the question and allow GnuPG to fix your >preferences. > > From dshaw at jabberwocky.com Fri Feb 25 15:11:06 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 25 15:07:48 2005 Subject: WARNING: key contains preferences for unavailable In-Reply-To: <421F2FDF.9050100@intertivity.com> References: <421EF528.9020102@intertivity.com> <20050225134847.GA29689@jabberwocky.com> <421F2FDF.9050100@intertivity.com> Message-ID: <20050225141105.GB29689@jabberwocky.com> On Fri, Feb 25, 2005 at 03:02:07PM +0100, Sascha Kiefer wrote: > David Shaw schrieb: > > >You should answer 'yes' to the question and allow GnuPG to fix your > >preferences. > But then I have to (re-)submit the key, right? To a keyserver or to who you are communicating with? Yes. The point is that your correspondent will use those preferences to decide what algorithms to use when communicating with you. He or she needs this updated key to get the correct algorithm list. David From DougChamberlin at Earthlink.net Fri Feb 25 14:47:56 2005 From: DougChamberlin at Earthlink.net (Doug Chamberlin) Date: Fri Feb 25 15:18:18 2005 Subject: Moving key rings? Message-ID: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org> I have installed GPG on a development machine and used this configuration to generate a key pair. I have also imported public keys from others. I now need to copy the key rings being used to a production machine. Do I have to export my secret key and import it on the production machine (along with the other public keys)? Can't I just copy the entire GnuPG directory to the new machine and expect everything to work fine? Using Windows XP 2000 and GPG 1.4.0 From dshaw at jabberwocky.com Fri Feb 25 15:30:40 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Feb 25 15:27:15 2005 Subject: Moving key rings? In-Reply-To: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org> References: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org> Message-ID: <20050225143040.GC29689@jabberwocky.com> On Fri, Feb 25, 2005 at 08:47:56AM -0500, Doug Chamberlin wrote: > I have installed GPG on a development machine and used this configuration > to generate a key pair. I have also imported public keys from others. > > I now need to copy the key rings being used to a production machine. > > Do I have to export my secret key and import it on the production machine > (along with the other public keys)? Can't I just copy the entire GnuPG > directory to the new machine and expect everything to work fine? Yes. (exporting and reimporting works also) David From JPClizbe at comcast.net Fri Feb 25 18:34:33 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Feb 25 18:31:12 2005 Subject: GPG for windows In-Reply-To: <1109325968.4002.24.camel@localhost.localdomain> References: <1109325968.4002.24.camel@localhost.localdomain> Message-ID: <421F61A9.5030104@comcast.net> Quillo wrote: > Hi, > > Can anybody recommend me what software should I install for a windows outlook machine? It's for people completely new to gpg and I need it to be simple and robust, not neccesarily flexible and powerful. > > I have downloaded the windows client from gnupg.org and the Gdata > plugin for outlook, but I don't know if it's the best option for my > needs. The only other option for Outlook is PGP. If other clients are an option, take a look at Thunderbird + Enigmail. Information on Enigmail is at http://enigmail.mozdev.org. Another client that I've heard supports GnuPG is The Bat. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 434 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050225/aeccc6d7/signature.pgp From JPClizbe at comcast.net Fri Feb 25 18:35:24 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Feb 25 18:32:02 2005 Subject: Moving key rings? In-Reply-To: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org> References: <5.2.0.9.2.20050225084003.03aeae90@mail.andoversoftware.org> Message-ID: <421F61DC.2090408@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Doug Chamberlin wrote: > I have installed GPG on a development machine and used this configuration > to generate a key pair. I have also imported public keys from others. > > I now need to copy the key rings being used to a production machine. > > Do I have to export my secret key and import it on the production machine > (along with the other public keys)? Can't I just copy the entire GnuPG > directory to the new machine and expect everything to work fine? Yes copying will work. You need the three *.gpg files as well as gpg.conf. You can also copy the secret and public keyrings to a temp directory on the new machine and import them directly. The caveat on importing or export/importing is that secret keys are not merged and ultimate trust will need to set set for each keypair. > Using Windows XP 2000 and GPG 1.4.0 - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10 "what's the key to success?" / "two words: good decisions." "what's the key to good decisions?" / "one word: experience." "how do i get experience?" / "two words: bad decisions." "Just how do the residents of Haiku, Hawai'i hold conversations?" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFCH2HaHQSsSmCNKhARAnOaAJ9RZGzYQGQOL9sBZ5AhOT0pqbOxTgCfXMgz 6d/5gXOTu5VKT8VFmZ/kY5U= =vJPO -----END PGP SIGNATURE----- From finalcut at videotron.ca Fri Feb 25 18:40:01 2005 From: finalcut at videotron.ca (The Final Cut) Date: Fri Feb 25 18:37:33 2005 Subject: Checking signature on thebat email client Message-ID: <1459044394.20050225124001@videotron.ca> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, how can I make gnupg look on internet for signature if I want to verify signature from users? When I clic the check icon, a popup accur saying can't verify. Is it possible to make it look on key websites? thanks - -- The FinalCut finalcut@videotron.ca TheBat 3.0.2.10 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) iD8DBQFCH2L1mZdOAsVmU04RAsVaAJ474RlanZZesOL7ZB+LAtNNoBwJfgCgldmg e9ZkfjKDx75ehymzr0X0B9c= =FlMs -----END PGP SIGNATURE----- From linux at codehelp.co.uk Fri Feb 25 19:16:39 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Feb 25 19:13:02 2005 Subject: Checking signature on thebat email client In-Reply-To: <1459044394.20050225124001@videotron.ca> References: <1459044394.20050225124001@videotron.ca> Message-ID: <200502251816.40360.linux@codehelp.co.uk> On Friday 25 February 2005 5:40 pm, The Final Cut wrote: > gpgkeys: key 99974E02C566534E not found on keyserver > Hello, how can I make gnupg look on internet for signature if I want to > verify signature from users? Put this in your .gnupg/gpg.conf keyserver hkp://subkeys.pgp.net keyserver-options auto-key-retrieve > When I clic the check icon, a popup accur saying can't verify. Is it > possible to make it look on key websites? You meant keyservers. You also need to send your public key to a keyserver: > gpgkeys: key 99974E02C566534E not found on keyserver $ gpg --keyserver subkeys.pgp.net --send-key 0xC566534E -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050225/fc5fa534/attachment.pgp From mreese at calarts.edu Fri Feb 25 20:01:39 2005 From: mreese at calarts.edu (Melissa Reese) Date: Fri Feb 25 20:52:28 2005 Subject: GPG for windows In-Reply-To: <421F61A9.5030104@comcast.net> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> Message-ID: <562501.20050225110139@calarts.edu> Hi John, On Friday, February 25, 2005, at 9:34:33 AM PST, you wrote: > Another client that I've heard supports GnuPG is The Bat. Indeed it does. Full integration with either GnuPG or PGP, including PGP/MIME with both. The integrated support for both is built in, so there's no need for third party plug-ins. Though Windows users can use GnuPG as a purely command line program as well, there are a couple of GUI front ends that can make it just as easy, and in some ways better than using PGP in Windows (in my opinion). Though it's not open source, "GPGshell" is a great GUI front end for GnuPG in Windows, and just like PGPtray, PGPkeys, etc., can be used with any email client or text editor, and also includes shell support. Over the years, I've kept an eye on WinPT as well, and while this one is open source, I've just never been as satisfied with it as I've been with GPGshell, which I feel has always been both more polished and more stable than WinPT. Windows users of GnuPG interested in a GUI front end for GnuPG can find GPGshell or WinPT here: GPGshell: http://www.jumaros.de/rsoft/index.html WinPT: http://winpt.sourceforge.net/en/ -- Melissa PGP public keys: mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available Url : /pipermail/attachments/20050225/3431a3f8/attachment.pgp From dhcalva at comcast.net Fri Feb 25 21:10:02 2005 From: dhcalva at comcast.net (David Calvarese) Date: Fri Feb 25 21:06:55 2005 Subject: GPG for windows In-Reply-To: <562501.20050225110139@calarts.edu> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> Message-ID: <421F861A.7070405@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Melissa Reese wrote: > Hi John, > > On Friday, February 25, 2005, at 9:34:33 AM PST, you wrote: > >> Another client that I've heard supports GnuPG is The Bat. > > Indeed it does. Full integration with either GnuPG or PGP, including > PGP/MIME with both. The integrated support for both is built in, so > there's no need for third party plug-ins. One Caveat, The Bat! has a few quirks and things that need fixed with it's GnuPG support that work right when using PGP. They're bad enough that I'm now using Thunderbird with Enigmail for email. - -- Dave Calvarese PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCH4YYSlxKVhydU2ARA0M6AJ9CrOj7VPXEYLhYPQA8N1rjDAuejwCggU4b wVSPEcrqBEIqj2LDmCuwlHA= =NCbt -----END PGP SIGNATURE----- From ml at bitfalle.org Fri Feb 25 21:57:26 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 25 21:54:27 2005 Subject: GPG for windows In-Reply-To: <421F861A.7070405@comcast.net> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> Message-ID: <20050225205726.GA6482@dantooine> David Calvarese wrote: > > Indeed it does. Full integration with either GnuPG or PGP, including > > PGP/MIME with both. The integrated support for both is built in, so > > there's no need for third party plug-ins. > > One Caveat, The Bat! has a few quirks and things that need fixed with > it's GnuPG support that work right when using PGP. They're bad enough > that I'm now using Thunderbird with Enigmail for email. well, tried out the bat! first, then enigmail... now I'm using mutt... guess why :-) now if only Opera would support GnuPG... *sigh* -- Bastard Administrator in $hell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050225/96f38ac0/attachment-0001.pgp From mreese at calarts.edu Fri Feb 25 22:13:11 2005 From: mreese at calarts.edu (Melissa Reese) Date: Fri Feb 25 22:09:44 2005 Subject: GPG for windows In-Reply-To: <20050225205726.GA6482@dantooine> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine> Message-ID: <1184388110.20050225131311@calarts.edu> Hi Markus, On Friday, February 25, 2005, at 12:57:26 PM PST, you wrote: > well, tried out the bat! first, then enigmail... now I'm using > mutt... guess why :-) Well, I've tried Mutt (in Linux), along with all sorts of other email clients in both Windows and Linux, and I've come to the conclusion that I'll use a particular email client first and foremost *because of how it can handle email*, then I'll decide the best way to use GnuPG and/or PGP with it. Since GnuPG can be dealt with via command line and/or third party GUI front ends in Windows, and like PGP, can be used with any email client/text editor regardless of integration/plug-in status, I'd much rather stick with an email client I feel is the best for my *email management*, and use GnuPG or PGP with it in whichever way works best after that. Seamless email client integration with GnuPG or PGP, or the lack thereof, is not enough of a reason for me to switch to a different email client. :-) -- Melissa PGP public keys: mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available Url : /pipermail/attachments/20050225/c9f65921/attachment.pgp From dhcalva at comcast.net Fri Feb 25 22:08:15 2005 From: dhcalva at comcast.net (David Calvarese) Date: Fri Feb 25 22:41:50 2005 Subject: GPG for windows In-Reply-To: <20050225205726.GA6482@dantooine> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine> Message-ID: <421F93BF.4050508@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 markus reichelt wrote: > David Calvarese wrote: > well, tried out the bat! first, then enigmail... now I'm using > mutt... guess why :-) Ahhh! I remember Mutt fondly from when I used Linux all the time. As I have an IMAP server, Mutt doesn't really do it for me. What didn't you like about TBird with Enigmail? > now if only Opera would support GnuPG... *sigh* That'd be a nice thing. :) I accidently sent this to Markus on his email account... Anyone know how to get TBird to send mail to the group when I click reply? This seems to be the only mailing list I have a problem with. - -- Dave Calvarese PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCH5O6SlxKVhydU2ARA4T8AJ41vZPf1elvspBypKozt82WpCPlyQCff0um vsCPCtIRhb+d1IDyDEwwWZc= =SoLX -----END PGP SIGNATURE----- From ml at bitfalle.org Fri Feb 25 22:46:28 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 25 22:43:10 2005 Subject: GPG for windows In-Reply-To: <1184388110.20050225131311@calarts.edu> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine> <1184388110.20050225131311@calarts.edu> Message-ID: <20050225214627.GA7557@dantooine> Melissa Reese wrote: > Well, I've tried Mutt (in Linux), along with all sorts of other email > clients in both Windows and Linux, and I've come to the conclusion > that I'll use a particular email client first and foremost *because of > how it can handle email*, then I'll decide the best way to use GnuPG > and/or PGP with it. same here, only that I include GnuPG handling as obligatory and not negotiable. Additionally I'm really fond of plain ascii-configs, it's a kind of fetish - I'm sure of that after years of testing ;-) So, while we are discussing email clients (not) able of handling GnuPG correctly/at all, the most complete listing I've found is at http://www.bretschneidernet.de/tips/secmua.html.en -- Bastard Administrator in $hell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050225/fd96f274/attachment.pgp From ml at bitfalle.org Fri Feb 25 23:07:35 2005 From: ml at bitfalle.org (markus reichelt) Date: Fri Feb 25 23:04:22 2005 Subject: GPG for windows In-Reply-To: <421F93BF.4050508@comcast.net> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine> <421F93BF.4050508@comcast.net> Message-ID: <20050225220735.GA7828@dantooine> David Calvarese wrote: > Ahhh! I remember Mutt fondly from when I used Linux all the time. > As I have an IMAP server, Mutt doesn't really do it for me. What > didn't you like about TBird with Enigmail? I prefer an email client on the console, in a screen session to be precise. On my servers I have seldom a GUI available. > > now if only Opera would support GnuPG... *sigh* > > That'd be a nice thing. :) Yeah, I could exchange encrypted emails with the rest of the family :) Somehow they stick to Opera and can't be bothered with TB > I accidently sent this to Markus on his email account... Anyone know > how to get TBird to send mail to the group when I click reply? This > seems to be the only mailing list I have a problem with. recently, Jason Barnett posted on this list: "T-bird does indeed allow you to reply to newsgroups. Just change the To: header from the dropdown box." Does it work for you? -- Bastard Administrator in $hell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050225/cf8f14e5/attachment.pgp From j.breier at gmx.de Sat Feb 26 00:26:06 2005 From: j.breier at gmx.de (Jakob) Date: Sat Feb 26 00:14:09 2005 Subject: Which key type for offline signing key + how to get a trusted copy of gpg signing key In-Reply-To: <873bvm73bm.fsf@wheatstone.g10code.de> References: <421D0308.9050701@gmx.de> <873bvm73bm.fsf@wheatstone.g10code.de> Message-ID: <421FB40E.8090005@gmx.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Wed, 23 Feb 2005 23:26:16 +0100, Jakob said: > >>[I want to create a key only used for key signing (on an offline >> system] >> with Knoppix). As I recently read that 1024bit DSA-keys are quite >> small for long time security (let's say 10 years) I wondered whether I >> should use a 4048bit RSA-key instead. Is there any reason not to do so? > > > Nowadays it seems that the hash algorithms are the major weakness > digital signatures; so a longer KEy does gain you anything excpept for > preety long and slow signatures. You might want to use a 2k RSA key > so that you can use SHA-256. However, the only MUST algorithm for > signing in > OpenPGP is DSA and SHA-1 so by using RSA not everyone will be able to > make use of your key sigtnatures. > Just to be sure: PGP-*keys* are hashed before they are signed? I thought they are signed in the same way as checksums are so that this key does not sign any checksums at all. >> verified copy of the GPG signing key (57548DCD). How did you verify > > > Signed by me and my key is pretty well connected in the web of trust - > go and check the signatures on my key. See Mail header for the > canonical source of my key in case your keyserver is old and dusted. > > > Shalom-Salam, > > Werner Sorry for the latency. An hour ago I realised that the reply function didn't work properly. Jakob. __________ 2005-02-26 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) iD8DBQFCH7PLkQFTRHuGzGgRAluxAJ4nmBhEafQH7g2vnVNb/zAqf1yyOQCgywOC wK5Ecepq0RYty2v1XgKWj64= =k9Lx -----END PGP SIGNATURE----- From dhcalva at comcast.net Sat Feb 26 00:26:36 2005 From: dhcalva at comcast.net (David Calvarese) Date: Sat Feb 26 00:23:04 2005 Subject: GPG for windows In-Reply-To: <20050225220735.GA7828@dantooine> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <421F861A.7070405@comcast.net> <20050225205726.GA6482@dantooine> <421F93BF.4050508@comcast.net> <20050225220735.GA7828@dantooine> Message-ID: <421FB42C.7070205@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 markus reichelt wrote: >> I accidently sent this to Markus on his email account... Anyone know >> how to get TBird to send mail to the group when I click reply? This >> seems to be the only mailing list I have a problem with. > > recently, Jason Barnett posted on this list: > > "T-bird does indeed allow you to reply to newsgroups. Just change > the To: header from the dropdown box." > > Does it work for you? Wrong kind of group. Don't have any problems with newsgroups, it's replying to this list that's a problem. When I click reply, it addresses it to you and not to the mailing list. All the other mailing lists I'm on don't have this problem. It looks as if Tbird isn't honoring the Mail-Followup-To header. - -- Dave Calvarese PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCH7QpSlxKVhydU2ARA4WzAJ9xKe9TtLjg9n1nv1jTwezBlYtOjwCfdM8x vClqaeK1XGfD/guQKBLkGXw= =X3QW -----END PGP SIGNATURE----- From finalcut at videotron.ca Sat Feb 26 01:51:09 2005 From: finalcut at videotron.ca (The Final Cut) Date: Sat Feb 26 01:47:32 2005 Subject: Checking signature on thebat email client In-Reply-To: <200502251816.40360.linux@codehelp.co.uk> References: <1459044394.20050225124001@videotron.ca> <200502251816.40360.linux@codehelp.co.uk> Message-ID: <516485231.20050225195109@videotron.ca> Hello gnupg-users@gnupg.org On Friday, February 25, 2005, at 1:16:39 PM You wrote: NW> Put this in your .gnupg/gpg.conf NW> keyserver hkp://subkeys.pgp.net NW> keyserver-options auto-key-retrieve where is located this file withing xp? I have looked in applications data\gnupg where is all the gpg files and its not there >> When I clic the check icon, a popup accur saying can't verify. Is it >> possible to make it look on key websites? NW> You meant keyservers. NW> You also need to send your public key to a keyserver: >> gpgkeys: key 99974E02C566534E not found on keyserver NW> $ gpg --keyserver subkeys.pgp.net --send-key 0xC566534E thanks -- The Final Cut finalcut@videotron.ca Thebat: 3.0.2.10 From mwlucas at blackhelicopters.org Sun Feb 27 00:27:42 2005 From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Sun Feb 27 00:23:54 2005 Subject: GnuPG book prepub reviewers wanted Message-ID: <20050226232742.GB75147@bewilderbeast.blackhelicopters.org> Hello, I'm in the midst of writing a very small book about GnuPG, called "GPG for the Desperate." It's modeled after my earlier "Cisco Routers for the Desperate." This book will cover the lowest common denominator of GnuPG usage for the computer-literate user. I've hit that point where it would be helpful to have outsiders take a look at what's been finished of the book, and at later chapters as I finish them. If you're interested, please take a look at http://www.blackhelicopters.org/~mwlucas/reviewers.html for a brief description of what's involved. If you're still interested, please reply directly to me -- no need to clutter the list with this stuff. Thanks, ==ml -- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ Latest book: Cisco Routers for the Desperate http://www.CiscoRoutersForTheDesperate.com From vedaal at hush.com Sun Feb 27 05:10:09 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Sun Feb 27 05:06:21 2005 Subject: GPG for windows Message-ID: <200502270410.j1R4ACGW065399@mailserver2.hushmail.com> >Message: 7 >Date: Fri, 25 Feb 2005 11:01:39 -0800 >From: Melissa Reese >Subject: Re: GPG for windows >To: gnupg-users@gnupg.org >Message-ID: <562501.20050225110139@calarts.edu> >Content-Type: text/plain; charset="us-ascii" [...] >Over the years, I've kept an eye on WinPT as well, and while this >one >is open source, I've just never been as satisfied with it as I've >been >with GPGshell, [...] >WinPT: http://winpt.sourceforge.net/en/ the most recent winpt's have not been there for some time now, they are on Timo's site here: http://www.stud.uni-hannover.de/~twoaday/winpt.html while i agree with you that gpgshell has a 'smooth' PGP feel to it, if the last time you checked winpt was from the sourceforge site, you might consider looking at it again from the other link new advantages: (1) complete installer package, so that gnupg new users don't need to play with registry settings [caveat: this makes it harder to install gpgshell afterwards, as there are some windows path details that gpgshell is fussy about, if you already have gpgshell installed, just install winpt without the gnupg installer] (2) ability to see all keys and keyid's that the message is encrypted to, directly from the decryption window [gpgshell either just gives a passphrase entry window if you want to see the passphrase as you are typing it, but doesn't tell you which 'keyid' or even which key it is for, or it gives you the gnupg command line interface to enter the passphrase], also, winpt does not require the passphrase to be cached, in order to let you see the passphrase as you are typing it in, and allows this for 'all' gnupg functions; key generation passwords, key editing password changing, signing a key, etc. (3) ability to choose between the primary signing key, and the signing subkey [gpgshell uses the gnupg default of using the latest signing subkey for signing, regardless of clicking on the 'primary' signing key] (4) the key editing functions are all selectable in the key editing window, [gpgshell key editing just transfers you to the gnupg command line key editing interface] (5) winpt provides 'wiping' to the same standards as eraser (DoD or Gutmann settings) smart card and encrypted disc containers (similar to pgpdisk and scramdisc) will be added in future versions i would suggest trying 'both' gpgshell and winpt and let users decide which they are happier with, they can always keep 'both' and switch back and forth for whatever they find more convenient vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From lporter at hdsmith.com Sun Feb 27 05:03:55 2005 From: lporter at hdsmith.com (lporter@hdsmith.com) Date: Sun Feb 27 05:08:44 2005 Subject: Auto Reply to your message ... Message-ID: <420AC99A00011215@HDSPRIME.hdsmith.com> ----- The following text is an automated response to your message ----- I am on vacation from February 28 through March 4, returing Monday March 7th. If it is an EDI emergency or HD Smith techinal support emergency, please email helpdesk@hdsmith.com. I will try to check my email periodically. From og at pre-secure.de Sun Feb 27 10:21:17 2005 From: og at pre-secure.de (Olaf Gellert) Date: Sun Feb 27 10:22:00 2005 Subject: GPG scdaemon help Message-ID: <4221910D.7030201@pre-secure.de> Hi all, just a request for a few short hints: I have some USB-tokens (eg. Aladdin eToken Pro, Safenet iKey3000) which seem to work with OpenSC. Is there any FAQ or tutorial or helpful information on how to make this work with the smartcard daemon of GPG? Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From jharris at widomaker.com Mon Feb 28 00:06:23 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Feb 28 00:02:36 2005 Subject: useless test keys and keyservers Message-ID: <20050227230623.GA5390@wilma.widomaker.com> People, please don't upload useless test keys like the one shown below to keyservers. Clearly, this tester didn't even bother to search for information on this subject before sending this key to keyserver.linux.it (an SKS server). Also, please refrain from creating test keys to check their propagation through the synchronizing keyservers. If a key is missing from any particular keyserver which is otherwise well-synchronized, one cannot determine the cause without reviewing one more more log files on one or more keyservers. Thank you. pub 1024D/A7B58AD1 2005-02-27 TestKey3576 (multisubkey test) Key fingerprint = 5187 8E72 3EF1 D072 E4B7 06D3 FF23 DE7D A7B5 8AD1 New! attempt to lookup keyholder on biglumber.com. sig 0x13 A7B58AD1 2005-02-27 [pkey expires 2005-03-02] [selfsig] sub 1024g/18935DD5 2005-02-27 [subkey] Key fingerprint = 6A33 C42A 4D99 ECE1 5E94 44E8 588D CFA0 1893 5DD5 sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 19 66] sub 1024D/D0B614E8 2005-02-27 [subkey] Key fingerprint = 89F1 2C9D DA78 5B50 1B47 2B92 2793 F402 D0B6 14E8 sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 64 27] sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: type 2, 19 66] -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050227/bfbe7f71/attachment.pgp From minnesotan at runbox.com Mon Feb 28 05:18:02 2005 From: minnesotan at runbox.com (Randy Burns) Date: Mon Feb 28 06:14:41 2005 Subject: useless test keys and keyservers Message-ID: <20050228041802.80056.qmail@web50909.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hello Jason, I wish all pgp keys could automatically be purged from keyservers on the anniversary of their creation. Then, key owners would know that obsolete keys will eventually disappear, and know when their actively searched-for keys (fresh keys as well as freshly-revoked keys) need to be uploaded again--always just after the anniversary of their creation. That way, key uploads get spread throughout the whole year. Wouldn't that be a good thing? Randy Sunday, February 27, 2005, 5:06:23 PM, you wrote: > People, please don't upload useless test keys like the one > shown below to keyservers. Clearly, this tester didn't even > bother to search for information on this subject before sending > this key to keyserver.linux.it (an SKS server). > Also, please refrain from creating test keys to check their > propagation through the synchronizing keyservers. If a key is > missing from any particular keyserver which is otherwise > well-synchronized, one cannot determine the cause without > reviewing one more more log files on one or more keyservers. > Thank you. > pub 1024D/A7B58AD1 2005-02-27 TestKey3576 (multisubkey test) > Key fingerprint = 5187 8E72 > 3EF1 D072 E4B7 06D3 FF23 DE7D A7B5 8AD1 New! attempt to > lookup keyholder on biglumber.com. sig 0x13 A7B58AD1 > 2005-02-27 [pkey expires 2005-03-02] [selfsig] sub > 1024g/18935DD5 2005-02-27 [subkey] Key fingerprint = 6A33 > C42A 4D99 ECE1 5E94 44E8 588D CFA0 1893 5DD5 sig 0x18 > A7B58AD1 2005-02-27 [skey expires 2005-03-02] [keybind, hash: > type 2, 19 66] sub 1024D/D0B614E8 2005-02-27 [subkey] Key > fingerprint = 89F1 2C9D DA78 5B50 1B47 2B92 2793 F402 D0B6 > 14E8 sig 0x18 A7B58AD1 2005-02-27 [skey expires 2005-03-02] > [keybind, hash: type 2, 64 27] sig 0x18 A7B58AD1 2005-02-27 > [skey expires 2005-03-02] [keybind, hash: type 2, 19 66] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGshell v3.32 Comment: Public Keys: www.geocities.com/burns98/pgp iD8DBQFCIpqlO1wFkBRYxW8RA2KPAJ9tf1XasFGV7cqCImYwvVkkWbZrJgCgz86O /wW90N5NDRSozt0sveJ7O1U= =DwWg -----END PGP SIGNATURE----- From twoaday at gmx.net Mon Feb 28 10:37:09 2005 From: twoaday at gmx.net (Timo Schulz) Date: Mon Feb 28 11:44:40 2005 Subject: GPG for windows In-Reply-To: <562501.20050225110139@calarts.edu> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> Message-ID: <4222E645.3030306@gmx.net> Melissa Reese wrote: > WinPT: http://winpt.sourceforge.net/en/ The _new_ primary WinPT site is now http://www.winpt.org. (It is not redirected any longer to the SF.net website!) Timo From shatadal at vfemail.net Mon Feb 28 11:37:45 2005 From: shatadal at vfemail.net (Shatadal) Date: Mon Feb 28 12:34:52 2005 Subject: GnuPG and registry keys Message-ID: <4222F479.8080103@vfemail.net> I got interested in this issue when I was trying out the PortableThunderbird-Enigmail project (http://dev.weavervsworld.com/projects/ptbirdeniggpg/). When I started it up I got the following message "PortableThunderbird has detected the GNUPG key in HKEY_LOCAL_MACHINE PortableThunderbird writes values to the GNUPG key in HKEY_CURRENT_USER, this allows non-admin users to use Portable Thunderbird with Enigmail/GPG. Having the GNUPG key in both HKLM and HKCU may cause undesired behaviour. Delete HKLM\Software\GNU\GNUPG and continue?" When I checked my registry I saw that I do have both the keys. Could this cause any problems in using GnuPG? I use GnuPG from a non-administrator account. Thanks, Shatadal. From mwood at IUPUI.Edu Mon Feb 28 15:09:00 2005 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Mon Feb 28 15:51:11 2005 Subject: GnuPG and registry keys In-Reply-To: <4222F479.8080103@vfemail.net> References: <4222F479.8080103@vfemail.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 28 Feb 2005, Shatadal wrote: [snip] > "PortableThunderbird has detected the GNUPG key in HKEY_LOCAL_MACHINE > PortableThunderbird writes values to the GNUPG key in HKEY_CURRENT_USER, > this allows non-admin users to use Portable Thunderbird with Enigmail/GPG. > Having the GNUPG key in both HKLM and HKCU may cause undesired behaviour. If PortableThunderbird behaves undesirably in such circumstances, it is improperly designed. Tell them to read the Logo Requirements again. User settings go in HKCU, and systemwide settings go in HKLM, and if some software is confused by the presence of both then it must be rewritten to correctly implement this distinction, at which time the confusion will vanish. > Delete HKLM\Software\GNU\GNUPG and continue?" This is definitely bad behavior. Every "designed for Windows xxx" product creates such a key for itself. Only that product's uninstaller should remove such keys. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFCIyYAs/NR4JuTKG8RAnnbAJ96jpE1vw2icRN9zb6Tx5fi7OEs8gCeLuq3 Pzdw81PJMywO/PoW9GdZ2RA= =2vm1 -----END PGP SIGNATURE----- From dhcalva at fastmail.us Mon Feb 28 15:33:06 2005 From: dhcalva at fastmail.us (David Calvarese) Date: Mon Feb 28 16:27:52 2005 Subject: useless test keys and keyservers In-Reply-To: <20050228041802.80056.qmail@web50909.mail.yahoo.com> References: <20050228041802.80056.qmail@web50909.mail.yahoo.com> Message-ID: <42232BA2.9030902@fastmail.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Randy Burns wrote: > Hello Jason, > > I wish all pgp keys could automatically be purged from keyservers > on the anniversary of their creation. Then, key owners would know > that obsolete keys will eventually disappear, and know when their > actively searched-for keys (fresh keys as well as freshly-revoked > keys) need to be uploaded again--always just after the > anniversary of their creation. That way, key uploads get spread > throughout the whole year. Wouldn't that be a good thing? How about just purging a Key that's had no activity in X amount of time, say Six months? On a side note, does anyone know of any way to get Thunderbird (And presumably other email clients as well) to reply to the list address instead of the person writing the email for this list? This seems to be the only one I'm having a problem with. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- Dave Calvarese Member of E-mailaholics International PGP Key Available at http://home.comcast.net/~dhcalva/DavidCalvarese-DH.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCIyuhSlxKVhydU2ARA4TUAJ4ocLTjNLYdbAwB8n0XXX3OHViMjgCffmSx 6WDenhCAQef7Pf2g/uls5eM= =iPfE -----END PGP SIGNATURE----- From minnesotan at runbox.com Mon Feb 28 17:53:01 2005 From: minnesotan at runbox.com (Randy Burns) Date: Mon Feb 28 17:49:43 2005 Subject: useless test keys and keyservers In-Reply-To: <200502280747.27681.linux@codehelp.co.uk> Message-ID: <20050228165302.11208.qmail@web50903.mail.yahoo.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 via private email: On Monday 28 February 2005 4:18 am, Randy Burns wrote: >> I wish all pgp keys could automatically be purged from keyservers >> on the anniversary of their creation. > But then many, many keys would be unavailable at any one time. > With only 365 days a year and so many tens of thousands of > keys, that's a lot of keys every single day. Could some keys be flagged, to not to be deleted ever? Keep a list of such keys for your keyserver (that would propagate with synchronization)? Why not? Examples: 0x614239DC 9/7/2000 [expired: 1/1/2001)] PGP Security Software Release Key 2000 0xB0C6598E 1/2/2001 [expired: 1/1/2002)] PGP Security Software Release Key 2001 I think so. Or, maybe, have two kinds of keyservers--expiring database keyservers and non-expiring database keyservers? PGP Global Directory could be that, except that they limit keys to one key per email address. > The point with a keyserver is that the key is always available > and always up to date. It's especially important that revoked > and expired keys are continuously available - when someone > queries for a key that has been revoked, it is imperative that > the keyserver always gives a definitive answer. "Sorry, I'm > waiting for that one to be sent back but last time I saw it, it > was revoked" is not good enough. > An attacker would know the anniversary date and could put up an > attacked key in it's place - in the lagtime before the real > owner connects to the internet, the wrong key is in use. After > all, the attacker has the key before it is revoked and is > unlikely to knowingly refresh the key to import the revocation > certificate so his copy will be unrevoked - he can just as > easily put that onto the keyserver as the real owner. Isn't that something to be aware of in any case? > Your purge could result in many attacked (and currently > revoked) keys suddenly becoming usable again - the real owner > may not keep a copy of their revoked key if they don't have > much data that was encrypted to that key before the attack. The > attacker certainly does have an unrevoked copy, public and > secret. I think it's the responsibility of the person who revoked it to to keep the revocations out there. Once nobody has searched for a key in five years, however, why have it in the database, revoked or not? > Then you've got the whole keyserver synchronisation to consider > - by your reasoning, the key would disappear completely from > every keyserver at the same time! If you change the date of > removal so that each keyserver purges at a different time, the > key will be refreshed from another keyserver at next sync, > rather than from the user so you lose the entire point of your > proposal. >> Then, key owners would know that obsolete keys will >> eventually disappear, and know when their actively >> searched-for keys (fresh keys as well as freshly-revoked keys) >> need to be uploaded again--always just after the anniversary >> of their creation. That way, key uploads get spread throughout >> the whole year. > But many keys don't change year to year - there's nothing wrong > with that. Just because a key doesn't change, there's no reason > to think it's out of use. >> Wouldn't that be a good thing? > No, it would be a very BAD thing - it's part of the controversy > over PGP GD. > If you want to use a keyserver that implements that kind of > policy, fine, just be very careful to use a full-size keyserver > to refresh your keys in case someone revoked their key > coincidentally just before the arbitrary creation anniversary > date. Fine. I'm not opposed to having both types of keyserver. Also, since anybody can upload the keys. If your key is signed by twenty keys, then you could keep those keys in circulation along with your own if you notice that too many of the signatures on your key are listed as "unknown." Just an idea. But, if PGP ever gains wide use--to the point where 200 million internet users know what it is and how to use it--then something will need to be done to prune back all the dead keys, I would think. Best, Randy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGshell v3.32 Comment: Public Keys: www.geocities.com/burns98/pgp iD8DBQFCI0szO1wFkBRYxW8RA60IAJ0XQ+sMSUpRtO3uj/g+PuBoe5ziLgCfVoJJ 1sd13DArml29lMXtZj23eqo= =qZ6M -----END PGP SIGNATURE----- From lporter at hdsmith.com Mon Feb 28 17:47:40 2005 From: lporter at hdsmith.com (lporter@hdsmith.com) Date: Mon Feb 28 17:52:29 2005 Subject: Auto Reply to your message ... Message-ID: <420AC99A00011D0C@HDSPRIME.hdsmith.com> ----- The following text is an automated response to your message ----- I am on vacation from February 28 through March 4, returing Monday March 7th. If it is an EDI emergency or HD Smith techinal support emergency, please email helpdesk@hdsmith.com. I will try to check my email periodically. From linux at codehelp.co.uk Mon Feb 28 18:16:31 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Feb 28 18:13:05 2005 Subject: useless test keys and keyservers In-Reply-To: <20050228041802.80056.qmail@web50909.mail.yahoo.com> References: <20050228041802.80056.qmail@web50909.mail.yahoo.com> Message-ID: <200502281716.36315.linux@codehelp.co.uk> On Monday 28 February 2005 4:18 am, Randy Burns wrote: > I wish all pgp keys could automatically be purged from keyservers > on the anniversary of their creation. Sorry, I didn't check the reply address - this was meant for the list. But then many, many keys would be unavailable at any one time. With only 365 days a year and so many tens of thousands of keys, that's a lot of keys every single day. The point with a keyserver is that the key is always available and always up to date. It's especially important that revoked and expired keys are continuously available - when someone queries for a key that has been revoked, it is imperative that the keyserver always gives a definitive answer. "Sorry, I'm waiting for that one to be sent back but last time I saw it, it was revoked" is not good enough. An attacker would know the anniversary date and could put up an attacked key in it's place - in the lagtime before the real owner connects to the internet, the wrong key is in use. After all, the attacker has the key before it is revoked and is unlikely to knowingly refresh the key to import the revocation certificate so his copy will be unrevoked - he can just as easily put that onto the keyserver as the real owner. Your purge could result in many attacked (and currently revoked) keys suddenly becoming usable again - the real owner may not keep a copy of their revoked key if they don't have much data that was encrypted to that key before the attack. The attacker certainly does have an unrevoked copy, public and secret. Then you've got the whole keyserver synchronisation to consider - by your reasoning, the key would disappear completely from every keyserver at the same time! If you change the date of removal so that each keyserver purges at a different time, the key will be refreshed from another keyserver at next sync, rather than from the user so you lose the entire point of your proposal. > Then, key owners would know > that obsolete keys will eventually disappear, and know when their > actively searched-for keys (fresh keys as well as freshly-revoked > keys) need to be uploaded again--always just after the > anniversary of their creation. That way, key uploads get spread > throughout the whole year. But many keys don't change year to year - there's nothing wrong with that. Just because a key doesn't change, there's no reason to think it's out of use. > Wouldn't that be a good thing? > No, it would be a very BAD thing - it's part of the controversy over PGP GD. If you want to use a keyserver that implements that kind of policy, fine, just be very careful to use a full-size keyserver to refresh your keys in case someone revoked their key coincidentally just before the arbitrary creation anniversary date. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050228/50717c07/attachment.pgp From linux at codehelp.co.uk Mon Feb 28 18:30:17 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Feb 28 18:26:50 2005 Subject: useless test keys and keyservers In-Reply-To: <20050228165302.11208.qmail@web50903.mail.yahoo.com> References: <20050228165302.11208.qmail@web50903.mail.yahoo.com> Message-ID: <200502281730.21417.linux@codehelp.co.uk> On Monday 28 February 2005 4:53 pm, Randy Burns wrote: > Could some keys be flagged, to not to be deleted ever? Keep a > list of such keys for your keyserver (that would propagate with > synchronization)? Why not? Which? Who decides? > Examples: > > 0x614239DC 9/7/2000 [expired: 1/1/2001)] PGP Security Software > Release Key 2000 > > 0xB0C6598E 1/2/2001 [expired: 1/1/2002)] PGP Security Software > Release Key 2001 > > I think so. But signatures made by those keys will still be around in 5 years time and people will want to know who the signatory was. All keys need to be kept - you can't tell if a key is out of use simply by waiting for the owner to respond. If the key owner has lost the passphrase or simply moved email account, the key is orphaned but there is no easy way of detecting these. > Or, maybe, have two kinds of keyservers--expiring database > keyservers and non-expiring database keyservers? As I said, if you do this, the expiring keyserver is prevented from every synchronising with the non-expiring and that means everyone using the expiring keyserver has to check the non-expiring one anyway. > > An attacker would know the anniversary date and could put up an > > attacked key in it's place - in the lagtime before the real > > owner connects to the internet, the wrong key is in use. After > > all, the attacker has the key before it is revoked and is > > unlikely to knowingly refresh the key to import the revocation > > certificate so his copy will be unrevoked - he can just as > > easily put that onto the keyserver as the real owner. > > Isn't that something to be aware of in any case? No, because if the key is never deleted from the keyserver, uploading an unrevoked version doesn't UNDO the revocation. A revoked key stays revoked. > > Your purge could result in many attacked (and currently > > revoked) keys suddenly becoming usable again - the real owner > > may not keep a copy of their revoked key if they don't have > > much data that was encrypted to that key before the attack. The > > attacker certainly does have an unrevoked copy, public and > > secret. > > I think it's the responsibility of the person who revoked it to > to keep the revocations out there. And how are they meant to do that if the keyserver deletes it? > Once nobody has searched for a > key in five years, however, why have it in the database, revoked > or not? That requires massive logs of which keys have been searched and then you include all those that search for "Joe Bloggs" or "0xDEADBEEF" - they get lots of hits, but do all of those count? > Fine. I'm not opposed to having both types of keyserver. I don't want any keyserver to delete anything - even if the owner doesn't want it around there are others who might, particularly if the key has made any kind of public signature. Useless test keys are a problem, agreed, but creating an automated filter that can tell the difference is v.hard. If keys start disappearing from keyservers when they are still in use, we'll all end up having to use keys on personal websites and the whole thing becomes even more burdensome. > Also, > since anybody can upload the keys. If your key is signed by > twenty keys, then you could keep those keys in circulation along > with your own if you notice that too many of the signatures on > your key are listed as "unknown." ?? What is the point of that?? People sign my key without any prompting and without any verification already. (Note to anyone reading this: Please do NOT sign my key until we meet face to face.) > Just an idea. But, if PGP ever gains wide use--to the point where > 200 million internet users know what it is and how to use > it--then something will need to be done to prune back all the > dead keys, I would think. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050228/f2763c45/attachment.pgp From henkdebruijn at wanadoo.nl Mon Feb 28 18:58:25 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Mon Feb 28 18:54:49 2005 Subject: GPG for windows In-Reply-To: <4222E645.3030306@gmx.net> References: <1109325968.4002.24.camel@localhost.localdomain> <421F61A9.5030104@comcast.net> <562501.20050225110139@calarts.edu> <4222E645.3030306@gmx.net> Message-ID: <1946253126.20050228185825@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 28 Feb 2005 10:37:09 +0100GMT (28-2-2005, 10:37 +0100, where I live), Timo Schulz wrote: > Melissa Reese wrote: >> WinPT: http://winpt.sourceforge.net/en/ > The _new_ primary WinPT site is now http://www.winpt.org. > (It is not redirected any longer to the SF.net website!) I am using GnuPG 1.4.1rc2 with GPGshell 3.32 Is it possible to use/try WinPT next to them? What/which version should I download? - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://www.gswot.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1rc2 (MingW32) - GPGrelay v0.956 iD8DBQFCI1vVEgabk9vm5ngRAuu7AJ0aODBNeShA/bvfrGpUmAW5L1s+fQCg5uza CxrkJuuhwVuDbUPy6ObI0ls= =4vWb -----END PGP SIGNATURE----- From mreese at calarts.edu Mon Feb 28 19:19:00 2005 From: mreese at calarts.edu (Melissa Reese) Date: Mon Feb 28 19:15:51 2005 Subject: useless test keys and keyservers In-Reply-To: <42232BA2.9030902@fastmail.us> References: <20050228041802.80056.qmail@web50909.mail.yahoo.com> <42232BA2.9030902@fastmail.us> Message-ID: <1729174158.20050228101900@calarts.edu> Hi David, On Monday, February 28, 2005, at 6:33:06 AM PST, you wrote: > How about just purging a Key that's had no activity in X amount of > time, say Six months? I think Neil made some interesting points about the automatic purging option, but I am very interested in a couple things the new PGP Global Directory beta makes possible, which allows a key owner to not only remove their own keys from the keyserver, but also to decide whether or not their keys are uploaded to the keyserver in the first place. These are two things I've been wanting to see for a long time, and wouldn't mind if all the keyservers adopted these options. > On a side note, does anyone know of any way to get Thunderbird (And > presumably other email clients as well) to reply to the list address > instead of the person writing the email for this list? This seems to > be the only one I'm having a problem with. I'll have to look into the possibilities of Thunderbird some more, but in my default email client, "The Bat!", I can accomplish this in a few different ways; by using macros in a reply template based on the folder (any reply message generated when replying to a message from my "gnupg users Inbox" folder), address book entry template, or "quick template" (which can be invoked manually). I've also created a "quick template" that I can invoke manually if I want to reply off-list to the original sender of a message instead of to the list. Many lists will generate their own "reply to" header, in which case I wouldn't need to do what I've described above, but for this list and a couple others, I need to use template macros to get reply messages like this to automatically put the list address in the "To" field of reply messages. -- Melissa PGP public keys: mailto:pgp_keys@gmx.co.uk?subject=0xFB04F2E9&Body=Please%20send%20keys -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available Url : /pipermail/attachments/20050228/ea13b913/attachment.pgp From linux at codehelp.co.uk Mon Feb 28 19:49:07 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Mon Feb 28 19:45:39 2005 Subject: useless test keys and keyservers In-Reply-To: <1729174158.20050228101900@calarts.edu> References: <20050228041802.80056.qmail@web50909.mail.yahoo.com> <42232BA2.9030902@fastmail.us> <1729174158.20050228101900@calarts.edu> Message-ID: <200502281849.12565.linux@codehelp.co.uk> On Monday 28 February 2005 6:19 pm, Melissa Reese wrote: > I think Neil made some interesting points about the automatic purging > option, Melissa, could you put your key on a keyserver somewhere? :-) > but I am very interested in a couple things the new PGP Global > Directory beta makes possible, which allows a key owner to not only > remove their own keys from the keyserver, I don't like that option - I can't see any benefit to the ordinary user who simply wants to check the signatures on my key. Plus the GD puts masses of useless signatures on your key too - my key is one of those that will never go on GD. It's fortunate that GD have implemented the non-owner-refuse-submission as this is the only way of protecting your keys from their signature attacks. > but also to decide whether > or not their keys are uploaded to the keyserver in the first place. IMHO, anyone who signs emails to a public mailing list should make their public key available with the minimum of fuss. This, to me, means putting it on one of the recommended keyservers, e.g. subkeys.pgp.net :-)) > These are two things I've been wanting to see for a long time, and > wouldn't mind if all the keyservers adopted these options. All keyservers support the option to not upload your key - it's just that once a key is public, there's no real way of stopping it being submitted by someone else. Thereagain, if the key IS public, it should be on a public keyserver - that's my case. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050228/2c046c01/attachment.pgp From brunij at earthlink.net Mon Feb 28 20:29:10 2005 From: brunij at earthlink.net (Joseph Bruni) Date: Mon Feb 28 21:04:05 2005 Subject: building gnupg 1.4.0 Message-ID: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net> When attempting to build gnupg 1.4.0 on os x 10.4 I receive the following compile error: ttyio.c: In function 'init_ttyfp': ttyio.c:166: error: 'rl_catch_signals' undeclared (first use in this function) Is rl_catch_signals part of gnupg or part of the OS? -Joe From andriash at telus.net Mon Feb 28 18:45:18 2005 From: andriash at telus.net (Nick Andriash) Date: Mon Feb 28 21:10:44 2005 Subject: useless test keys and keyservers In-Reply-To: <42232BA2.9030902@fastmail.us> References: <20050228041802.80056.qmail@web50909.mail.yahoo.com> <42232BA2.9030902@fastmail.us> Message-ID: <20050228104240.425F.ANDRIASH@telus.net> Hello David Calvarese, On Monday, February 28 2005 at 07:33 AM PDT, you wrote: > On a side note, does anyone know of any way to get Thunderbird (And > presumably other email clients as well) to reply to the list address > instead of the person writing the email for this list? This seems to be > the only one I'm having a problem with. This List is the only one I had a problem with as well, but it was simple to resolve using Becky because all one has to do is supply the List Address in the "Reply To" line under Folder Properties. Other Mailers such as The Bat use Templates, and it too has an easy resolve by creating an address template. -- ~~Nick Andriash~~ Creston, B.C. Canada From lporter at hdsmith.com Mon Feb 28 21:07:06 2005 From: lporter at hdsmith.com (lporter@hdsmith.com) Date: Mon Feb 28 21:11:57 2005 Subject: Auto Reply to your message ... Message-ID: <420AC99A00012278@HDSPRIME.hdsmith.com> ----- The following text is an automated response to your message ----- I am on vacation from February 28 through March 4, returing Monday March 7th. If it is an EDI emergency or HD Smith techinal support emergency, please email helpdesk@hdsmith.com. I will try to check my email periodically. From swright at physics.adelaide.edu.au Mon Feb 28 21:29:36 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Mon Feb 28 21:26:18 2005 Subject: building gnupg 1.4.0 In-Reply-To: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net> References: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net> Message-ID: <20050228202936.GA3136@anl.gov> G'day Joseph, * Joseph Bruni [050228 14:24]: > Is rl_catch_signals part of gnupg or part of the OS? Have you heard of a website called Google? www.google.com Try searching for 'rl_catch_signals'. The 4th link suggested is a GnuPG related one.......... http://lists.gnupg.org/pipermail/gnupg-users/2004-December/024056.html Does this fix your problem? S. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 274 bytes Desc: Digital signature Url : /pipermail/attachments/20050228/523b1cd6/attachment.pgp From dshaw at jabberwocky.com Mon Feb 28 21:30:39 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Feb 28 21:27:16 2005 Subject: building gnupg 1.4.0 In-Reply-To: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net> References: <18942834.1109618951414.JavaMail.root@grover.psp.pas.earthlink.net> Message-ID: <20050228203039.GB14484@jabberwocky.com> On Mon, Feb 28, 2005 at 12:29:10PM -0700, Joseph Bruni wrote: > When attempting to build gnupg 1.4.0 on os x 10.4 I receive the following compile error: > > ttyio.c: In function 'init_ttyfp': > ttyio.c:166: error: 'rl_catch_signals' undeclared (first use in this function) > > Is rl_catch_signals part of gnupg or part of the OS? It's part of readline. This is fixed in 1.4.1, but in the meantime, try building with ./configure --without-readline David From cyrus at 80d.org Mon Feb 28 22:40:10 2005 From: cyrus at 80d.org (Cyrus Yunker) Date: Mon Feb 28 23:29:42 2005 Subject: Stopping Useless Keys Message-ID: <20050228214010.GF93960@80d.org> One thing that could be done to minimize the number of useless keys propagating out onto the keyservers is to track down the authors of the multitude of "GPG HOWTO" articles out there. They should be asked to change their articles that instruct new users to immediately upload their keys as soon as they are created. Key management cannot usually be handled properly in a simple 2 part article from a technology web magazine. Most users should first be informed on how to make choices on how they are going to use their keys (personal / work or just for encrypting backups), what lifetime they expect for any given key, how distribution is handled, what signatures are, etc. Subkeys should be explained properly. THEN, and only then, should an article go into key generation procedures. Users should be encouraged to use manual distribution, by email or otherwise, at the outset as they get comfortable with gpg and the like. It is at this time when keyprefs can be properly setup, signatures from friends can be obtained, testing can be done with other types of OpenPGP implementations, and their uid list can stabilize somewhat. Authors should encourage key expiry dates of one or two years (if they are to be uploaded) for the user to become comfortable with gpg and ensure that any mistakes will eventually fall by the wayside (and out of precious keyserver storage). Ironing out keyprefs, etc. before the key is uploaded will reduce future storage requirements for the keyservers. (Only the last sig-packet is displayed but in most cases all previous remain if my thinking is correct. This includes keeping around old uids, expiry dates, etc.) Users should also receive an intro on the keyserver system and be encouraged NOT to upload test keys but to play with them manually on their own machines or with friends only. When users determine within one or two years they'd like to continue to use gpg/pgp, they can upload any new signatures or uid list changes, keypref URLs, etc. and update their key expiry date to a time farther in the future. This would encourage people to backup their keys and generate revocation certificates and file them away rather than letting them vaporize with the latest disk crash. This may be difficult to do but I believe a campaign could be started if anybody would be interested in taking on such a project. Users of this mailing list and other places could be asked to search the web for any articles (and author links) that instruct users to immediately upload their keys after creation. These could be collected, duplicates removed, and verified. Another distributed or collective effort could send the authors notice on what "the community" would like their readers to do along with some prepared text on how the keyserver operate. Please excuse my old keys. Too much experimentation on my part has clogged up the keyservers as well. I've learned a great deal since then. Cyrus -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : /pipermail/attachments/20050228/0efb0aa4/attachment.pgp