From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 13:03:59 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sat Jan 1 12:58:29 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041231031712.GJ12645@jabberwocky.com> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041231031712.GJ12645@jabberwocky.com> Message-ID: <20050101120359.GA21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Dec 30, 2004 at 10:17:12PM -0500, David Shaw wrote: > On Thu, Dec 30, 2004 at 10:36:57PM +0100, Jeff Fisher wrote: > > On Thu, Dec 30, 2004 at 04:00:32PM -0500, David Shaw wrote: > > > > > > Still, how would you go about checking the identity of a key that > > > identifies itself only as "PGP Global Directory Verification Key" ? I > > > can certainly understand that you signed the Robot CA key, but signing > > > the GD key seems to be a leap of faith rather than actual hard > > > knowledge. > > > > It's signing keys left and right, which started this whole > > discussion. Is there any doubt that this particular key is anything > > but what it purportes to be? If so, where are the real signatures > > from the real key that is supposed to be fullfilling this role? > > There is a difference between believing something personally, and > making a public statement about that same something. The first is > opinion. The second needs proof. > > Key 57548DCD is the key that signs new GnuPG releases. I believe that > this key belongs to Werner. It would be absurdly difficult for it to > be some imposter since there have been however many GnuPG releases > over the past few years, all signed by this key. Realistically, it is > utterly obvious that Werner is the key owner. Would I sign this key > without meeting Werner? No. The difference between the two here is that the key 57548DCD purportes to be Werner Koch (gnupg sig) , not "GnuPG release signing key." It is intended for a role, but also has a link to a real person and an e-mail address. For this key, you would need to verify all three bits of information for signing. However, for key CA57AD7C, the only bit of information on the key is: "PGP Global Directory Verification Key." To verify this, you only need to confirm that it is fulfilling this role. Indeed, there is no way that meeting someone in meatspace can confirm this, without that person abusing the intended role for this key, thus eroding trust in it. In the above case, if they key had said only "GnuPG release signing key", and had a history of signing the gnupg releases, that would be the only verification needed to identify the key as what it purportes to be. Verifying that person X has control of this key is superfluous to verfifying it's role. - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdaRrxwPMBUZyYf1AQhbYhAApR+5NpcnkzXK1MegLe7OcrR8FREUtBlf AaTQtoPYB+UrZ10elTUKUDJJTlN0XE+AZKvVhvN4rN/OyARweYM0sMIOmhl2+EMb h1tT1axGXAHapGWsvQ+bkk8lfq77h1hkE/jEB91Rlg1D+lSdELS3k5IF5Q8IcnSl wTsgQ3o1eRGldd30CT+GONuggbgOTpjwZXarRspODlsLZvQM9z+/AvjX9sea8KI4 o1PWMLB+WhuF7ghvn0/O2DZvRkP9FZvRha4kLQrydVv9iG5L5djMZmwD6fj22I4q 9nrM4F27olVjuIc8KPnYqOpbTB7J59ppFWy4rj73dDNggYZp6BgHjRRfAMIDYAPG THOzQj6wRjFaTkDj10uprDNmIXU0sOOQVDo/3sbQ619tnkmjRfjq9S2lqhZ90jbp FU3Nlv1NjkHh4HsSYZVmJD0bQNWg7Jesak449XvCjcavaP1ix62gApsdXpi2cj82 OZfXQL72BmQvBjn65Tb+aBcH+2+OG4+Tkx3p9vR9ehVgVr1Wje5P12zqtS1RmzUs RDXiN6cFJO99iN2IIsr9wedoXhoVXiPDOfyqGIuHfXL56zeUrf363L8MqdSC6Q8e i8sj8puGgcGP9EPs/bAUNnbLRKCGamT9GyG5C3LbP81ZCRKWUOmb/v4odsl8zkpO gnc29n0Ozk0= =4crS -----END PGP SIGNATURE----- From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 13:05:01 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sat Jan 1 12:59:31 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20041230215507.74028.qmail@suspicious.org> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041230215507.74028.qmail@suspicious.org> Message-ID: <20050101120501.GB21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Dec 30, 2004 at 04:57:36PM -0500, Atom 'Smasher' wrote: > On Thu, 30 Dec 2004, Jeff Fisher wrote: > > > It's signing keys left and right, which started this whole discussion. > > Is there any doubt that this particular key is anything but what it > > purportes to be? If so, where are the real signatures from the real key > > that is supposed to be fullfilling this role? > > > > For most of us, we're assuming that there is not an adversary with > > infinite resources out to get us. If there were, I would not trust any > > signatures except my own, or those of personally trusted associates. > > (And probably not gnupg itself or this computer, but there it is...) > =============================== > > i (or anyone) can generate a key that's identified as "PGP Global > Directory Verification Key" and sign any number of keys with it. one can > even get a list of keys that have exchanged signatures with the real key > and sign all of them. that doesn't make it the real thing, but it sure > would cause a lot of confusion. However, you couldn't replace the real signatures from this key without breaking into keyserver.pgp.com. You couldn't replace the role that this key is serving without comprimising the very servers where the secret key has to be stored.[1] Also, anybody with a spare 5 minutes can verify that this key does indeed sign their key when it is submitted to keyserver.pgp.com. I just did, and I see only a single signature from "PGP Global Directory Verification Key", which matches the key I just downloaded from their website. > > if i sign your key, and you sign bob's key, that doesn't mean that i > should go and sign bob's key (unless i first verify it with bob). sure, i > can trace a path from me to bob, but that's very different than signing > bob's key because of that path. The difference is that people can directly verify the PGP directory key, which is not the case in your example. > > signing a key is a statement that one has checked and verified that the > key really belongs to the person or group identified by the key. unless > that verification is actually done, the only statement being made is that > someone is issuing bad signatures. So, you don't believe keys can exist for roles. I do. Anybody who uses https in a browser without first clearing the CA list does. Tens of governments do. Hundreds (or possibly thousands) of companies do. Numbers don't make it right, but they do define what actually works in the real world. [1] Ok, there are dns attacks, but we won't go into all the possibilities here... - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdaR7BwPMBUZyYf1AQiBuw//WL5wsDc3D/J1rCotOV0ie2L+RV4wPc+t tDSFJQnhA4dyDC9bWFJSJhWB957Wje7OIKaehXdTKtY+5IOcb9U73+Qhtl2Oij+t Nr+S4RFrTBpro72Pvmw5+rDLGRoT3qjqiMbr3eRDhtqwB3DpVPJm68ExcS9ClcaL UsmyPnFoDTQlqn4BVVOlygjBxAtxeHeMI9AnmAKhsvduRPWxSHn91wB4uddJbgVT 7EiHxaJWNv+RMpnhUt1Q8vk9nVPpMjrjPAH3jEnpooBTp9nVTOVNJ2YZj9TRMFk/ aZyOTqXuuRU+98mmsu6+x2rXWuNNlKYLU50QQmoRcF1V+Jyhm9Z6Pia0u/MchMBq pBUNrqjA4Vm0XBsUaJVpVHYQMdwfBSrDNiHhRed5BJmh5qN12ZCWkghNqaUMD3hD hN1CauCMX7gvULgaL19x62/kSF4ib8PP4s9CS2Av6ODqSFO0IGt923yB4neVATAk D5g0zBHZ/XTbMKVlHBymOypU3PIU3nNz8bOFm+MsNbdt4Q+o+we+MGUp4MFNLiUj mJQGmm0eS1fH1msYR29k7bUi7ooyqa2LR+PKA9ijAG+O2+5SS5KO65I8IntcezR2 xjdQbyM6XBOj8OjsTY4ZDnlSk/OMEOuP3qNtoxGGwv0MFz5m/73gm5o+lkW9PXX4 gA5e0tQQx7I= =UrBm -----END PGP SIGNATURE----- From ndof at gmx.li Sat Jan 1 13:45:13 2005 From: ndof at gmx.li (=?ISO-8859-1?Q?Hans_M=FCller?=) Date: Sat Jan 1 13:42:13 2005 Subject: gpg and the new PGP keyserver Message-ID: <41D69B59.7020609@gmx.li> Hello, I can not send or receive any keys from keyserver.pgp.com or keyserver-beta.pgp.com when I try gpg --send-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com I only get this: gpg: WARNING: nothing exported gpg: WARNING: nothing exported gpgkeys: error retrieving LDAP server info: No such object gpg: keyserver internal error gpg: keyserver send failed: keyserver error when i try gpg --refresh-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com I get this: gpg: refreshing 1 key from ldap://keyserver-beta.pgp.com gpgkeys: error retrieving LDAP server info: No such object gpg: no valid OpenPGP data found. gpg: Total number processed: 0 gpg: keyserver internal error gpg: keyserver refresh failed: keyserver error any ideas?? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050101/9ae29b1e/signature.bin From linux at codehelp.co.uk Sat Jan 1 14:31:35 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 14:27:57 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101120359.GA21733@frogger.jeffnet> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> Message-ID: <200501011331.38747.linux@codehelp.co.uk> On Saturday 01 January 2005 12:03 pm, Jeff Fisher wrote: > The difference between the two here is that the key 57548DCD purportes to > be Werner Koch (gnupg sig) , not "GnuPG release signing > key." It is intended for a role, but also has a link to a real person and > an e-mail address. For this key, you would need to verify all three bits > of information for signing. > > However, for key CA57AD7C, the only bit of information on the key is: "PGP > Global Directory Verification Key." To verify this, you only need to > confirm that it is fulfilling this role. But you cannot do that, you cannot prove to me that it is that key. There is no way that I can verify the key because I cannot verify the UID. As David said, it is trivial to create yet another PGP Global Directory Verification Key - how can you prove which one is 'real'? As it would be my own key, created under false pretences, I could introduce it to PGP GD and sign whatever I wanted with it. Without verifying the UID you cannot verify the key. Without verifying the key, you cannot prove that the key is genuine. Without proof that the key is genuine, you must NOT sign the key!!! > Indeed, there is no way that > meeting someone in meatspace can confirm this, without that person abusing > the intended role for this key, thus eroding trust in it. Exactly, so the key is impossible for those outside PGP to verify. Unless you have inside knowledge of who really created that key and who has access to the secret key, you CANNOT verify that key. > In the above > case, if they key had said only "GnuPG release signing key", and had a > history of signing the gnupg releases, that would be the only verification > needed to identify the key as what it purportes to be. Rubbish - it's not verifying the key at all, it's merely recognising what it purports to be. No verification has been achieved, no proof has been shown because none exists. You must have inside knowledge before you can sign this key - the UID alone is insufficient and cannot be positively identified. > Verifying that > person X has control of this key is superfluous to verfifying it's role. True, but that also means that this key CANNOT be verified. I despair at those who are willing to sign unverifiable keys, I will NOT sign any key that cannot be properly verified to me. I can prove that every signature I have made was verified - positively identified as that physical person, that precise key, that email address. I fail to see that anyone can ever deem it reasonable to sign keys when verification hasn't even taken place. A signature is NOT for your benefit - it is a testament to others that YOU have positively identified that person, that key and that UID and that you can PROVE your verification. People need to be able to use signatures, signing a key that is not identifiable to a physical person is pointless. Only a fool signs without verifying the physical person. If no physical person can be identified, it should never be signed! Simple! Don't sign it unless you can prove it! -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/620a4cf4/attachment.bin From linux at codehelp.co.uk Sat Jan 1 14:42:57 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 14:39:18 2005 Subject: RFE: Unsignable keys Message-ID: <200501011342.59945.linux@codehelp.co.uk> Request for Enhancement / Comments: GnuPG. Would it be possible to create an --expert option to generate a key that CANNOT be signed (under any circumstances) unless BOTH secret keys are available? (signer has to have secret key anyway, these special keys would also need the signee secret key in the same keyring). $ gpg --expert-unsignable --gen-key or $ gpg --expert-verification --gen-key This could be useful for corporate and verification keys that would then be used to sign other keys but could only be signed by keys owned by the original key owner. These signatures could be used to bring the key into the WoT without allowing any of the noise that pollutes current robot / impersonal keys. If the PGP Global Directory Verification Key was unsignable, only those with access to the secret key within PGP GD would be able to sign it. Anyone else would get a telling off from GnuPG: "This is a verification key - it cannot be verified or signed without access to it's secret key. Your request to sign this key has been ignored." (I haven't looked at the OpenPGP spec, it probably breaks it but as an --expert option, GnuPG already supports other options that allow operation outside the strict spec.) Comments? -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/b3205548/attachment.bin From dshaw at jabberwocky.com Sat Jan 1 15:13:43 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 1 15:10:49 2005 Subject: gpg and the new PGP keyserver In-Reply-To: <41D69B59.7020609@gmx.li> References: <41D69B59.7020609@gmx.li> Message-ID: <20050101141343.GA27719@jabberwocky.com> On Sat, Jan 01, 2005 at 01:45:13PM +0100, Hans M?ller wrote: > Hello, I can not send or receive any keys from keyserver.pgp.com or > keyserver-beta.pgp.com > when I try > gpg --send-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com > I only get this: > gpg: WARNING: nothing exported > gpg: WARNING: nothing exported > gpgkeys: error retrieving LDAP server info: No such object > gpg: keyserver internal error > gpg: keyserver send failed: keyserver error > > when i try > gpg --refresh-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com > I get this: > gpg: refreshing 1 key from ldap://keyserver-beta.pgp.com > gpgkeys: error retrieving LDAP server info: No such object > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > gpg: keyserver internal error > gpg: keyserver refresh failed: keyserver error > > any ideas?? Upgrade. PGP used to have two LDAP keyserver. The old one at ldap://keyserver.pgp.com was compatible with any version of GnuPG. The new one ldap://keyserver-beta.pgp.com is only compatible with 1.4 or later. Recently, the keyserver.pgp.com hardware melted down, so they pointed the keyserver.pgp.com name at the keyserver-beta.pgp.com server. This breaks things for GnuPG users unless they are using 1.4. David From dshaw at jabberwocky.com Sat Jan 1 15:52:03 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 1 15:48:55 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101120359.GA21733@frogger.jeffnet> References: <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> Message-ID: <20050101145203.GD22611@jabberwocky.com> On Sat, Jan 01, 2005 at 01:03:59PM +0100, Jeff Fisher wrote: > However, for key CA57AD7C, the only bit of information on the key > is: "PGP Global Directory Verification Key." To verify this, you > only need to confirm that it is fulfilling this role. Indeed, there > is no way that meeting someone in meatspace can confirm this, > without that person abusing the intended role for this key, thus > eroding trust in it. In the above case, if they key had said only > "GnuPG release signing key", and had a history of signing the gnupg > releases, that would be the only verification needed to identify the > key as what it purportes to be. Verifying that person X has control > of this key is superfluous to verfifying it's role. This is a general problem with signing any key that does not have a direct mapping to a human being. I did not give a good example of the problem by citing keys that do have direct mappings to human beings. So let me use your example of the GD key: For me, refusing to believe it is the "real" GD key is fairly silly, of course, not least because its action is very obvious. We can all see the signatures it issues. It's available on a few web sites. Heck, it even *comes with GnuPG* as one of the sample keys. However, personally believing this key is the right one, and being willing to testify to others that this key is the right one is not the same thing. It's a fine point. I do not wish to give the impression that I am right and others wrong in drawing this point here. The existence of the "ownertrust" concept in the web of trust speaks to the varying opinions about when to sign. For me, signing the GD key without some higher level of proof (and it is not clear what that could be for a key that does not identify a human being), would be akin to signing a key because someone else I knew signed it. David From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 16:34:51 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sat Jan 1 16:36:18 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011331.38747.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> <200501011331.38747.linux@codehelp.co.uk> Message-ID: <20050101153451.GC21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Jan 01, 2005 at 01:31:35PM +0000, Neil Williams wrote: > > But you cannot do that, you cannot prove to me that it is that key. There is > no way that I can verify the key because I cannot verify the UID. As David > said, it is trivial to create yet another PGP Global Directory Verification > Key - how can you prove which one is 'real'? What you're really saying is that it can't be proven to a level you are willing to accept. Fortunately, PGP/GnuPG doesn't dictate this, so people can follow whatever trust model they are willing to accept. I (and others I've worked with) willing to accept that roles exist, and that roles cannot neccessarily be associated to a single person. You (and others on this list) are not. That's this discussion in a nutshell. To use the X.509/SSL model, have you ever done a transaction involving money in a web browser? If you have, you've implicitly told the other end of the transaction that you trust the key (and backed it up with a monetary value). Did you personally verify the root CA that signed the web server's certificate. Or, did you even verify the web server's certificate? Did you correlate either to a real-world person? Of course you didn't; you couldn't because they are a role associated with more than one person, and those people may or may not change more often than the key itself. No, it's not the same system, but it has the same concept of trusting keys that are signed by others, and keys being associated with people or entities. > As it would be my own key, > created under false pretences, I could introduce it to PGP GD and sign > whatever I wanted with it. But you couldn't put it on the PGP web site, or sign every key that is submitted to the PGP global directory, and modify the keys in the directory to remove the valid signature, making yours look correct. Yes, you can create a key that looks correct, but you can't use that key in the intended role. Anybody can create a president@whitehouse.gov key. However, nobody will trust it because that key does not sign messages coming from president@whitehouse.gov or respond to messages encrypted to president@whitehouse.gov. The real PGP directory key acts in a way consistent with it's name, which (to the people using the directory) proves it's identity. > ... > > In the above > > case, if they key had said only "GnuPG release signing key", and had a > > history of signing the gnupg releases, that would be the only verification > > needed to identify the key as what it purportes to be. > > Rubbish - it's not verifying the key at all, it's merely recognising what it > purports to be. Ok, if the definition of verify is not 'prove that something is what it claims to be', please fill me in. Oxford lists, "establish the truth or correctness of by examination." How would you verify a toll booth is what it says it is? It's identity is it's function. It's identity is not who is in the booth. > No verification has been achieved, no proof has been shown > because none exists. You must have inside knowledge before you can sign this > key - the UID alone is insufficient and cannot be positively identified. > > > Verifying that > > person X has control of this key is superfluous to verfifying it's role. > > True, but that also means that this key CANNOT be verified. For the toll booth example, do you need to know who built the toll booth to verify that it is indeed a toll booth? Even when travelling in a foreign country? Would you refuse to pay if you could not verify this? On to another example, SSH. Arguably much more popular than PGP/GnuPG, with the same concept of a key identifying an entity. How do you verify a host's key? Do you have to insist that a host corresponds to a person or group of people? Do you go to your local system administrator to verify the fingerprint of the key? How do you verify that he administrates that system, as most organizations have multiple system administration groups? In the ~7 years that I've been using ssh in system administration, I have yet to have a single person come to me for this verification, or even hear of it happening. > > I despair at those who are willing to sign unverifiable keys, I will NOT sign > any key that cannot be properly verified to me. I can prove that every > signature I have made was verified - positively identified as that physical > person, that precise key, that email address. > > I fail to see that anyone can ever deem it reasonable to sign keys when > verification hasn't even taken place. > > A signature is NOT for your benefit - it is a testament to others that YOU > have positively identified that person, that key and that UID and that you > can PROVE your verification. > > People need to be able to use signatures, signing a key that is not > identifiable to a physical person is pointless. Only a fool signs without > verifying the physical person. If no physical person can be identified, it > should never be signed! Simple! You're forgetting that not everybody wants the same level of verification, or has the same ideas about what verification means. In the two instances where I've helped set up PGP to be used in a corporate environment (for payroll and customer billing info), the verfication process was: 1) Received key on disk via fedex. 2) Made a test transaction. 3) Called the contact at the remote company to verify that the transaction did indeed arrive and they were able to process it. In either of these cases, the management would never have accepted, 'person x signed the key, so we can trust it', regardless of the identity of person x. In neither case was there a person's name on the key. Yet the financial departement at both companies was willing to accept this idea of verification, and back that up with large sums of money -- after if was verified to their level of satisfaction. Are you willing to do the same with the WoT? > > Don't sign it unless you can prove it! > ... to a satisfactory level. That you have your idea of verfication and what you are willing to accept is fine. I have a different idea. You can use yours, and I can use mine. All this means is that I don't trust your signatures and you don't trust my signatures, and life goes on. - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdbDGxwPMBUZyYf1AQhwcRAAhB2XaWScarQ6KuSgRb9fZXuxBPXryClL x0tdG0hJGtuPq+7DusXtQf/Rx8Pupp/fexUXOG6ZuW15zV0QM9q5h4dwoTudmoSg Xhnyg9VG7dIgfvVdSdOQcSLgQ0/kllj0DrZq5yna0P+IzkTIPFB6ZqVZm5v+stJ8 GylSEPWlR2jKnEvxleU/gggA+gc6/gunU057VuQLoLErreMPfKbsW0SJ5TKwLu1i YUzF1d6F6z2TgXxb7lD+qjjSAH00ojL5KTXeBsWGrNYqnSAx53/vk1o+eDnVGnYP D7rQDZM5iuMeETuChZ2eFSome/cdBEDfKTOZEE858PBlbaznns4TFZANzwg5lUCK oLleTSgdpxCt6TH0lumla/McjLg/5jZV7ik7d/8JU2w7AXHBIS3kaOPCCZABtM2S ZfkVWoXtwk9xWmLgIjx/SMQwn6ennH60Gn2jF8CNleHG0W4Uol6JBsMWKhQUUnn4 HLj+ZfXpYGNmdfZDVh0ueSkv1CHsq18UNaXf0JYxyfAyuvepMPylJdvEb0v8hdaJ fWPZbaerohdA1kiDRTWSe8Q0m6xo7qqnL6w23AB2iMQA1ht9Kw0YyVpvkFp89xoy qmKvscgl4Bk6PcHa1Fj9VU9AP9Y+LB3AnF4WZXSK2xHT1+hfHgDLa/6UxmVD1ZEq 14xYl5QasyU= =u/AJ -----END PGP SIGNATURE----- From jharris at widomaker.com Sat Jan 1 16:45:33 2005 From: jharris at widomaker.com (Jason Harris) Date: Sat Jan 1 16:42:09 2005 Subject: gpg and the new PGP keyserver In-Reply-To: <41D69B59.7020609@gmx.li> References: <41D69B59.7020609@gmx.li> Message-ID: <20050101154533.GH684@wilma.widomaker.com> On Sat, Jan 01, 2005 at 01:45:13PM +0100, Hans M?ller wrote: > Hello, I can not send or receive any keys from keyserver.pgp.com or > keyserver-beta.pgp.com > when I try > gpg --send-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com > I only get this: > gpg: WARNING: nothing exported > gpg: WARNING: nothing exported > gpgkeys: error retrieving LDAP server info: No such object > gpg: keyserver internal error > gpg: keyserver send failed: keyserver error Your argument order is wrong. Everything after --send-keys is treated as a keyid/userid. With a default keyserver set, I get: %gpg --send-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com gpg: "ldap://keyserver-beta.pgp.com" not a key ID: skipping gpg: "--keyserver" not a key ID: skipping gpg: sending key BD7C8AA1 to hkp server keyserver.kjsl.com Host: keyserver.kjsl.com Command: SEND gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com/pks/add' > when i try > gpg --refresh-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com > I get this: > gpg: refreshing 1 key from ldap://keyserver-beta.pgp.com > gpgkeys: error retrieving LDAP server info: No such object > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > gpg: keyserver internal error > gpg: keyserver refresh failed: keyserver error Again, bad argument order, but if you were to set a default keyserver, you'd probably fetch the key anyway: %gpg --refresh-keys BD7C8AA1 --keyserver ldap://keyserver-beta.pgp.com %gpg: refreshing 1 key from hkp://keyserver.kjsl.com %gpg: requesting key BD7C8AA1 from hkp server keyserver.kjsl.com %Host: keyserver.kjsl.com %Command: GET %gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com/pks/lookup?op=get&options=mr&search=0xBD7C8AA1' %gpg: key BD7C8AA1: "Hans M?ller " not changed %gpg: Total number processed: 1 %gpg: unchanged: 1 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050101/b1241784/attachment.bin From dshaw at jabberwocky.com Sat Jan 1 17:23:57 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 1 17:21:01 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101120501.GB21733@frogger.jeffnet> References: <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041230215507.74028.qmail@suspicious.org> <20050101120501.GB21733@frogger.jeffnet> Message-ID: <20050101162357.GE22611@jabberwocky.com> On Sat, Jan 01, 2005 at 01:05:01PM +0100, Jeff Fisher wrote: > On Thu, Dec 30, 2004 at 04:57:36PM -0500, Atom 'Smasher' wrote: > > signing a key is a statement that one has checked and verified > > that the key really belongs to the person or group identified by > > the key. unless that verification is actually done, the only > > statement being made is that someone is issuing bad signatures. > > So, you don't believe keys can exist for roles. I do. Anybody who > uses https in a browser without first clearing the CA list does. > Tens of governments do. Hundreds (or possibly thousands) of > companies do. Numbers don't make it right, but they do define what > actually works in the real world. I think that's a bit of a straw man there. Nobody that I see in this discussion is plugging their ears and chanting "la la la la la" about the concept of role or robot keys. Keys clearly exist for roles and robots, and they are clearly widely used. The original question I asked was not "how can you ever trust a role key?", but "how can you sign a role key?" There is a difference between trusting and using a role or robot key for oneself, and publicly standing up and asserting that belief for the world. Please understand: I'm not criticizing your stance here, and I don't particularly care if I persuade you or anybody to my way of thinking. I'm genuinely interested in the opinions and rationales of people who have given this problem thought and then arrived at a different conclusion than I did. That conclusion, if anyone cares, is that I will happily sign a role or robot key if I have actual proof (rather than just firm belief) that the role or robot key is the right one. I would, and have, signed a no-human-name hostmaster or postmaster key if I worked at the company they were for. In that case, I was in a position to say publicly that I knew the key was correct. I won't sign the GD key without being in that position, though I quite happily use and believe the GD key is the right one. Let me ask you this: did you sign the GD key? If not, why not? Clearly you believe, as I do, that it is the right key. David From mwood at IUPUI.Edu Sat Jan 1 17:40:29 2005 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Sat Jan 1 17:36:57 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011331.38747.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> <200501011331.38747.linux@codehelp.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 1 Jan 2005, Neil Williams wrote: > But you cannot do that, you cannot prove to me that it is that key. There is > no way that I can verify the key because I cannot verify the UID. As David > said, it is trivial to create yet another PGP Global Directory Verification > Key - how can you prove which one is 'real'? As it would be my own key, > created under false pretences, I could introduce it to PGP GD and sign > whatever I wanted with it. So, looking up PGP Corporation in the phone book, calling their corporate headquarters, and verifying the fingerprint with a person wouldn't help? - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFB1tKDs/NR4JuTKG8RAoqOAJ4puwcVldS5k2CMETCEht10TWeQagCfbEfK IteOwkjbRZKqeFNoV72J5lQ= =phYY -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sat Jan 1 17:47:21 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 17:45:45 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101153451.GC21733@frogger.jeffnet> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <20050101153451.GC21733@frogger.jeffnet> Message-ID: <200501011647.24539.linux@codehelp.co.uk> On Saturday 01 January 2005 3:34 pm, Jeff Fisher wrote: > On Sat, Jan 01, 2005 at 01:31:35PM +0000, Neil Williams wrote: > > But you cannot do that, you cannot prove to me that it is that key. There > > is no way that I can verify the key because I cannot verify the UID. As > > David said, it is trivial to create yet another PGP Global Directory > > Verification Key - how can you prove which one is 'real'? > > What you're really saying is that it can't be proven to a level you are > willing to accept. Fortunately, PGP/GnuPG doesn't dictate this, so people > can follow whatever trust model they are willing to accept. That's true, but there's no harm in putting up reasons for users to *think* about the trust model. > I (and others > I've worked with) willing to accept that roles exist, and that roles cannot > neccessarily be associated to a single person. You (and others on this > list) are not. That's this discussion in a nutshell. IMHO, you'd be better off with an x.509 Thawte key - their trust model is closer to yours. You are willing to trust a key only on the say so of a corporate entity - that's a Thawte and x.509 model, not GnuPG. > > To use the X.509/SSL model, GnuPG doesn't use the x.509 model - that's the entire point. The two models cannot be reconciled, the fundamentals are different and comparisons are void. This is the flaw in the PGP GD - they are trying to square a circle. > No, it's not the same system, but it has the same concept of trusting keys Completely the opposite concept of trusting keys. x.509 you/I trust Thawte etc. to verify the person. GnuPG I do that myself. The two have different models, different uses. Nothing wrong with either, it just pays to understand which model you will follow. > > As it would be my own key, > > created under false pretences, I could introduce it to PGP GD and sign > > whatever I wanted with it. > > But you couldn't put it on the PGP web site, or sign every key that is > submitted to the PGP global directory, Why not? It's a simple matter of programming. (bash/cron in this case) and a decent connection. There'd be no need to set a passphrase on the false key so my system could sign maybe 1,000 a minute? i.e. I'd be creating a second robot - a false one. Just as capable as the one on the site already. Any software method of signing can be copied and reimplemented elsewhere. > and modify the keys in the directory > to remove the valid signature, making yours look correct. No need - with all keys signed twice, who can tell which is genuine? You're now reduced to checking only a fingerprint - the keyid can easily be duplicated. Just run a script on --gen-key until /dev/random provides the right input to output the required 8 characters. Duplicate keyid's already exist - 0xDEADBEEF is almost common. > Yes, you can > create a key that looks correct, but you can't use that key in the intended > role. If I had time, I probably would. > Anybody can create a president@whitehouse.gov key. However, nobody > will trust it because that key does not sign messages coming from > president@whitehouse.gov or respond to messages encrypted to > president@whitehouse.gov. So you are trusting your entire verification to whether someone can hack an email account or forge the From: address???? I can send from any address I like, it's only a case of changing the email client config! Hacking an email account is not exactly hard - depending on the user. A dictionary attack will deal with most ordinary users. How many people use 'password' for their email? How many people are actually going to wait for email verification of the PGP GD key before signing it anyway? The documentation makes no mention of it and encourages users to sign without it. > The real PGP directory key acts in a way > consistent with it's name, which (to the people using the directory) proves > it's identity. Only if your trust model is x.509. > Ok, if the definition of verify is not 'prove that something is what it > claims to be', please fill me in. Oxford lists, "establish the truth or > correctness of by examination." How would you verify a toll booth is what > it says it is? It's identity is it's function. It's identity is not who is > in the booth. Wrong model. A signature verifies a PERSON. Before I sign a key, I establish the correctness of the identification of that person by examining photo ID, verification of the email address (using CA bot) and verify the fingerprint using a print out handed to me by that person face-to-face at the time of photo ID verification. If any stage fails, I don't sign. > For the toll booth example, do you need to know who built the toll booth to > verify that it is indeed a toll booth? Even when travelling in a foreign > country? Would you refuse to pay if you could not verify this? For the last time, I'm verifying a PERSON, not just the key. x.509 requires you only to verify the key as issued by Thawte etc. OpenPGP requires you to verify the UID - the PERSON. > > On to another example, SSH. Still the same model as x.509. Please get your head around the OpenPGP trust model - it's not about corporate bodies or material objects, it's about one individual trusting another individual. > You're forgetting that not everybody wants the same level of verification, > or has the same ideas about what verification means. Doesn't mean I can't help inform those people of an alternative viewpoint. > In the two instances where I've helped set up PGP to be used in a corporate > environment (for payroll and customer billing info), the verfication > process was: > > 1) Received key on disk via fedex. > 2) Made a test transaction. > 3) Called the contact at the remote company to verify that the transaction > did indeed arrive and they were able to process it. > > In either of these cases, the management would never have accepted, 'person > x signed the key, so we can trust it', regardless of the identity of person You should consider using x.509 for those situations - GnuPG is built on a PERSONAL WoT. > > Don't sign it unless you can prove it! > > ... to a satisfactory level. No, unless you can prove it 'beyond a reasonable doubt'. Again, people want to be able to RELY on your signatures. This is why GnuPG has a trust level that the user has to set themselves - when I meet someone for a keysigning, I make an assessment of how well they verify my key, how they take care of their own key and set my trust accordingly. Yes, passports can be forged - there are limits. > That you have your idea of verfication and what you are willing to accept > is fine. I have a different idea. You can use yours, and I can use mine. As long as you don't make pointless signatures that dilute the trust. Your signatures can affect my trust model - that is why I'm taking time out to reply to the thread. > All this means is that I don't trust your signatures and you don't trust my > signatures, and life goes on. I really think you should look at Thawte - you've entirely missed the personal aspect of the GnuPG trust model. It's about Bob trusting Neil who trusts Anne. It's about Bob assessing how carefully Neil verifies keys so that he can decide whether he should set Neil's key to fully trusted and therefore trust Anne's key. (I am not a number) :-) -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/584d87fc/attachment-0001.bin From linux at codehelp.co.uk Sat Jan 1 18:22:33 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 18:18:57 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> Message-ID: <200501011722.36419.linux@codehelp.co.uk> On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote: > On Sat, 1 Jan 2005, Neil Williams wrote: > > But you cannot do that, you cannot prove to me that it is that key. There > > is no way that I can verify the key because I cannot verify the UID. As > > David said, it is trivial to create yet another PGP Global Directory > > Verification Key - how can you prove which one is 'real'? As it would be > > my own key, created under false pretences, I could introduce it to PGP GD > > and sign whatever I wanted with it. > > So, looking up PGP Corporation in the phone book, calling their corporate > headquarters, and verifying the fingerprint with a person wouldn't help? 1. You are still trusting an unknown person you've never met to give you the right information, just on the basis of their employer. 2. How many people will even do that? (And can you imagine the response from reception if we all did?) It's still about trusting an individual - if you don't meet, you will never know if it's actually the right person. David's explained why he'd sign a robot key if he was in a privileged position with the owner of the key - so would I in the same situation because there would be >=1 person who I could verify as individual(s). Like David, I'd never sign a non-individual key otherwise. > In that case, I was in a position to say > publicly that I knew the key was correct. That's my main point - I only sign if I can honestly and publicly declare that I KNOW and have proven that it is the correct key for the UID. That is what I believe a signature to be. I would hope that everyone would be willing to trust my key and keys that I have signed on this basis: Verify me and have confidence that the keys that I have signed are known to have been good at the time of signing. Until you've verified my key and me (or someone who has signed my key) as an individual, you cannot hope to prove that this signature is made by the person claimed in the key UIDs. You could ring me on the 'phone and ask, but you still haven't verified me - just my phone number. It could be anyone at the end of the phone, there's not even much certainty that you'd get the right number without knowing me. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/bbdcd5c2/attachment.bin From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 19:00:12 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sat Jan 1 18:54:43 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101162357.GE22611@jabberwocky.com> References: <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041230215507.74028.qmail@suspicious.org> <20050101120501.GB21733@frogger.jeffnet> <20050101162357.GE22611@jabberwocky.com> Message-ID: <20050101180012.GD21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Jan 01, 2005 at 11:23:57AM -0500, David Shaw wrote: > On Sat, Jan 01, 2005 at 01:05:01PM +0100, Jeff Fisher wrote: > > > > So, you don't believe keys can exist for roles. I do. Anybody who > > uses https in a browser without first clearing the CA list does. > > Tens of governments do. Hundreds (or possibly thousands) of > > companies do. Numbers don't make it right, but they do define what > > actually works in the real world. > > I think that's a bit of a straw man there. Nobody that I see in this > discussion is plugging their ears and chanting "la la la la la" about > the concept of role or robot keys. Keys clearly exist for roles and > robots, and they are clearly widely used. > > The original question I asked was not "how can you ever trust a role > key?", but "how can you sign a role key?" There is a difference > between trusting and using a role or robot key for oneself, and > publicly standing up and asserting that belief for the world. > > ... > > That conclusion, if anyone cares, is that I will happily sign a role > or robot key if I have actual proof (rather than just firm belief) > that the role or robot key is the right one. I would, and have, > signed a no-human-name hostmaster or postmaster key if I worked at the > company they were for. In that case, I was in a position to say > publicly that I knew the key was correct. > > I won't sign the GD key without being in that position, though I quite > happily use and believe the GD key is the right one. Let me ask you > this: did you sign the GD key? If not, why not? Clearly you believe, > as I do, that it is the right key. Ok, so I might have gone to far with the role argument there... For me, in this case, the key and the role are the same thing. The key only exists for the role, and the role can only be effectively done by using a key. If you trust the key to do the role, then I see a very small difference between trusting it personally and telling your neigbor that you do so. My opinions on key trust: If it is just used for e-mail, then I only care that the key matches the e-mail address. The only keys trusted as introducers on my keyring are the ones that verify this. Had I met the person at a conference or at a training course, I would demand no more than that -- they are in the same class or conference because they are physically present. Beyond that, they can call themselves almost any name they want, as I am not trusting them with anything that depends on their name. However, if it is used for business / transactions, then I will not trust anything but personally verifying the identity of the key, or a trusted third party doing the same (but not through key signing). For the ssl example in another e-mail, this is getting the URL for the bank from their literature, or a similar method. If they used pgp, I would get the fingerprint from their brochure. While gpg is a great tool for encrypting and verifying e-mail, I don't put any more trust in the WoT than I would had I met the same people on the street. If I don't know someone personally, I wouldn't trust them to vouch for another person. For the record, the only keys I have non-locally signed keys of close friends. For the rest, I have only signed them locally to get rid of the 'untrusted signature' message (they've sent 20 messages that verified good, they must be doing something right), or in the case of Robot CA's, to mark them as trusted introducers. My setup probably needs some tuning to verify this is working correctly, but as stated above, I won't trust anything sensitive to pgp unless I really trust the person, and have personally verified the key. I would have no problem publicly signing a Robot CA key, but because I wouldn't trust an unknown third party (and thus assume others are similar), I haven't seen much utility in doing so. If I believed anybody out there had any trust in my key, then I would publicly sign them; of course after I had verified they were working as advertised by having a key signed by them. For those who've gotten this far, how many would or would not trust the WoT (meaning beyond a friend/aquaintance, or beyond someone vouched for by a friend/aquaintance) for transactions involving money or sensitive information? I'm curious if I'm just to cynical or paranoid. - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdblLBwPMBUZyYf1AQgiBg//TcDlQKfAhSLuHVMFBhJLz8qrJg3gkSYG vOER930sSyq8ZZ+zLLuA/Ih34jr/7Ktt0nfXK5YCTmdmwsPguoezl5F+VPSTwzBE OwXyY59dtH7xkYLYXfYGrYg7TX2+PGK8gklyQgeYSxKuqk7fKwM5XoJvcjx22tY9 eA/TH/CYLC9LifOeDtFRvaSm6N4UACXHmH2aHDGbmubAxTSqcBxPrtgJX6ObN22q /TlIZ0HayU+KoUzSyNUxWuPBjwPpMD3MfSI9gMAyoEWj/xN6WH3/AMDj5Bhxq/1q PANdC/hUKYbtD1MlL+EQFaPa5jBYQlL/4IJSiWsTSy21kXEQX6m1+rDBDmjgtkKD orWdxIEWl/+RRv+PZ1Hsr/21UQM/Gx/A2FEE5meZBlZEeuQUlC89YAwhcS17Kaiy a3oouduhars+0E2mi5GzeV0gTSHyoNO+Tw15NLnp0ae5LdK7nqephGHEWZmPhE+i joocxKSbKolEZ62O31eu6fKIcvam+P2cizXKedHbgddpx319/Co6N8tApMCGv2lt i4pQQgVXC9ayT+xmJNXt+BiJajJyinUu8Xkpc/ZqDzhKjS8YN+/EEMEmCjp9MdfY YSDx1XN3Rfnlgwl4N07OCGp9vXEGvf/v4WBrLbdntQ2dg6NBLegWGT8xo5huTMQZ CNoFcOUzOlk= =l0v2 -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sat Jan 1 18:58:36 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 1 18:55:42 2005 Subject: RFE: Unsignable keys In-Reply-To: <200501011342.59945.linux@codehelp.co.uk> References: <200501011342.59945.linux@codehelp.co.uk> Message-ID: <20050101175836.GF22611@jabberwocky.com> On Sat, Jan 01, 2005 at 01:42:57PM +0000, Neil Williams wrote: > Request for Enhancement / Comments: GnuPG. > > Would it be possible to create an --expert option to generate a key that > CANNOT be signed (under any circumstances) unless BOTH secret keys are > available? (signer has to have secret key anyway, these special keys would > also need the signee secret key in the same keyring). [..] > This could be useful for corporate and verification keys that would then be > used to sign other keys but could only be signed by keys owned by the > original key owner. These signatures could be used to bring the key into the > WoT without allowing any of the noise that pollutes current robot / > impersonal keys. > > If the PGP Global Directory Verification Key was unsignable, only those with > access to the secret key within PGP GD would be able to sign it. > > Anyone else would get a telling off from GnuPG: > "This is a verification key - it cannot be verified or signed without access > to it's secret key. Your request to sign this key has been ignored." What you suggest is not impossible, but has a number of caveats when done as part of OpenPGP. The signature math of OpenPGP does not cover this sort of case, so such a flag would need to be somewhat advisory. This isn't to say that advisory flags are useless: most things like this in OpenPGP are advisory, and they work fairly well. There are quite a few ways to do this, each with their plusses and minuses, but it comes down to the interoperability question. It would have to be part of OpenPGP (and not GnuPG-specific) if it was to really work, and some consideration would have to be given to what the semantics were when an old implementation ignored the flag and signed anyway. David From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 19:01:47 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sat Jan 1 18:56:20 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011722.36419.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <200501011722.36419.linux@codehelp.co.uk> Message-ID: <20050101180147.GE21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Jan 01, 2005 at 05:22:33PM +0000, Neil Williams wrote: > On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote: > > On Sat, 1 Jan 2005, Neil Williams wrote: > > > But you cannot do that, you cannot prove to me that it is that key. There > > > is no way that I can verify the key because I cannot verify the UID. As > > > David said, it is trivial to create yet another PGP Global Directory > > > Verification Key - how can you prove which one is 'real'? As it would be > > > my own key, created under false pretences, I could introduce it to PGP GD > > > and sign whatever I wanted with it. > > > > So, looking up PGP Corporation in the phone book, calling their corporate > > headquarters, and verifying the fingerprint with a person wouldn't help? > > 1. You are still trusting an unknown person you've never met to give you the > right information, just on the basis of their employer. > ... > It's still about trusting an individual - if you don't meet, you will never > know if it's actually the right person. But how do you verify that person created the key, or wrote the application? You would have to either trust them to tell you the truth, or interview tens of people that work at their company, assuming you trusted their HR department to tell you that they do work there, and that they are in the correct department. - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdblixwPMBUZyYf1AQgv4w/8DFHM/U2EiSuhvxw5F3vCtZvfXHTjmjJp ypoEJMGHnfaf277rujoWtcMWYo04OKriGIWfHTpBwHnSVe3un3u5iZOLE/JU4t1D byUkMrifC6AZ3ASOh4hhZzD65Ohn8+hB2Bl7ofFdKaoJL9wS7kpupC5sriWSkdcC N/r7FrFDW0fEPPjgUuKuBUu9O0OHfd6L7Z3REjLvPY6bWsL+24ZjZipqd6OEccZ+ 2X0ceUTvhBO1qldt/XTRfRZ4Wihzl2+gxmO30EpVWtVykmJ1laj5kesz51lF/8No uhJM59gbyDm53/vbwUmozs30GmTvZ1fpaoJ5VjQPKLQoCLBv4Aabm96Pit20yCkS 8oMJTXNztuAanpsBh03tSZFCTzea0iIiq+q5ezGm3NAwdNMaRw1CjIi1oVzVj3Qo /V/CQ3fnxFctV11Jwr+3/DN5+Ph7Vr0gCb+ZFIHyZrMrmGBzGUxA1QBbM0wrRGlz BYjo1kA/sRxqx3q8MW2TPyhbd9Ef2dEXo2zRSGo3eKbEHgWs5DMWbMRnjhGslLwO CkvQwVozAJlSjdtpyW4Zqj5CKecg8fNup4MxSrUpfLSMumeGk1u1c+DGFGo3zu6E IH6ub237ZosDOglOOjmrbEbq37HsVLijlRjUB3yIzVJMGIAjEjHeJx8FdWRmn2Xk h8BAPIhgF/M= =6CxW -----END PGP SIGNATURE----- From ndof at gmx.li Sat Jan 1 21:07:56 2005 From: ndof at gmx.li (=?ISO-8859-1?Q?Hans_M=FCller?=) Date: Sat Jan 1 21:05:17 2005 Subject: gpg and the new PGP keyserver In-Reply-To: <20050101141343.GA27719@jabberwocky.com> References: <41D69B59.7020609@gmx.li> <20050101141343.GA27719@jabberwocky.com> Message-ID: <41D7031C.9060201@gmx.li> Yes upgrade was it. Thanks. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050101/9595849e/signature.bin From linux at codehelp.co.uk Sat Jan 1 21:33:56 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 21:30:23 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101180012.GD21733@frogger.jeffnet> References: <20041230043512.GE684@wilma.widomaker.com> <20050101162357.GE22611@jabberwocky.com> <20050101180012.GD21733@frogger.jeffnet> Message-ID: <200501012033.59170.linux@codehelp.co.uk> On Saturday 01 January 2005 6:00 pm, Jeff Fisher wrote: > For me, in this case, the key and the role are the same thing. That's the problem, right there. A signature is not for YOUR benefit! You need to take on board how signatures are used by others. To others, the key and the role, the key and the person, are completely separate. > The key > only exists for the role, and the role can only be effectively done by > using a key. If you trust the key to do the role, then I see a very small > difference between trusting it personally and telling your neigbor that you > do so. There's a massive difference between trusting someone individually and declaring to the world that you have proof of that trust. Besides, it's not just your neighbour, it's me. :-) > > My opinions on key trust: > > If it is just used for e-mail, then I only care that the key matches the > e-mail address. You've lost the plot again!! :-) A signature is not for your benefit - it's done for the benefit of others so you have to disregard any notion of how YOU expect the signature to be used! The capacity is NOT in the system to say that your signatures should always be untrusted - basically because the system is of the opinion that untrustworthy signatures shouldn't be made in the first place! :-)) > The only keys trusted as introducers on my keyring are the > ones that verify this. Had I met the person at a conference or at a > training course, I would demand no more than that -- they are in the same > class or conference because they are physically present. Beyond that, they > can call themselves almost any name they want, as I am not trusting them > with anything that depends on their name. ?? OK, if you haven't verified photo ID and their fingerprint, I think I understand that, and agree. > > However, if it is used for business / transactions, then I will not trust > anything but personally verifying the identity of the key, or a trusted > third party doing the same (but not through key signing). For the ssl Leave x.509 out of this - it doesn't apply to the issues. The confusion is about keysigning of individual keys that are used by machines. Never sign them! > example in another e-mail, this is getting the URL for the bank from their > literature, or a similar method. If they used pgp, I would get the > fingerprint from their brochure. ??? I hope you are not saying you'd make an exportable signature on their key on just that basis??? If you have to trust that key and REALLY feel you *can*, make a LOCAL signature and it won't be exported. Local signatures can be for your benefit. Normal (exportable) signatures are for the benefit of the rest of us. > > While gpg is a great tool for encrypting and verifying e-mail, I don't put > any more trust in the WoT than I would had I met the same people on the > street. Fine - that's how we all deal with it. I trust only those I've signed and some of the ones that those people have signed, depending on an assessment of how careful the person is at verifying keys and people. > If I don't know someone personally, I wouldn't trust them to vouch > for another person. Absolutely correct. I trust Philip Hands because I've met him, verified his photo ID and his email and his fingerprint. He's done the same with me and my keys. Philip has signed other people (lots and lots) but a lot of those I never need to contact. If I do, then Philip's signature on their key does mean that I can trust their key for email encryption. (I don't send really sensitive stuff). I would never trust someone else who was signed by someone signed by Philip. i.e. this is a one-level thing: I trust Philip, I trust those he's signed but I can't trust *those* people to verify keys when they sign. The WoT is not about trusting the entire strong set. Out of 24,000 keys in the strong set, I trust maybe <100. I've met 22. > For the record, the only keys I have non-locally signed keys of close > friends. I only have keys at full trust if I've met them and signed their key, plus one or two who have been signed by those that I already trust. All the keys from this list that get pulled in on --auto-retrieve get cleared out each month with a nice little cron task. > For the rest, I have only signed them locally to get rid of the > 'untrusted signature' message (they've sent 20 messages that verified good, > they must be doing something right) Hmm, that's not my take on it, but hey, those are local signatures so I really don't care what you do with those. > , or in the case of Robot CA's, to mark > them as trusted introducers. My setup probably needs some tuning to verify > this is working correctly, but as stated above, I won't trust anything > sensitive to pgp unless I really trust the person, and have personally > verified the key. Fine - so why are we discussing this at all?? You use local signatures for times when you want to trust someone that gpg cannot trust directly, you only trust other keys when you know the person, where is the problem? Just keep to local signatures and don't send unverified signatures to keyservers. Easy. > I would have no problem publicly signing a Robot CA key, Ah, now that's where we differ. Please, consider only using a local signature if you really must sign any robot key or the PGP GD key. You cannot prove to me that you verified the PGP GD key so your signature on that key would automatically be untrustworthy. Only those who work with the people who have access to the secret key for that key should sign it. Anyone else is free to sign it locally. That's my view. > but because I > wouldn't trust an unknown third party (and thus assume others are similar), > I haven't seen much utility in doing so. If I believed anybody out there > had any trust in my key, then I would publicly sign them; of course after I > had verified they were working as advertised by having a key signed by > them. I hope you'd do the full keysigning protocol of verifying the identity of the person too! If it's someone you don't already know, you really need to see photo ID, get a printed copy of their fingerprint face to face and verify their email address. > > For those who've gotten this far, how many would or would not trust the WoT > (meaning beyond a friend/aquaintance, or beyond someone vouched for by a > friend/aquaintance) for transactions involving money or sensitive > information? I'm curious if I'm just to cynical or paranoid. Your paranoia is unlikely to be darker than mine. :-) The WoT is not a take-it-or-leave-it all or nothing construct. You retrieve those keys that you know belong to people you already trust. You set your personal trust level to tell GnuPG how much you trust that person to verify someone else's key and ALL other keys, if you don't know the person, tell GnuPG "don't know". There's an option in the trust that explicitly uses "don't know". It's not a cop-out, it is a vitally important setting. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/9d173465/attachment-0001.bin From linux at codehelp.co.uk Sat Jan 1 21:40:56 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 1 21:37:15 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101180147.GE21733@frogger.jeffnet> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011722.36419.linux@codehelp.co.uk> <20050101180147.GE21733@frogger.jeffnet> Message-ID: <200501012040.56447.linux@codehelp.co.uk> On Saturday 01 January 2005 6:01 pm, Jeff Fisher wrote: > > > So, looking up PGP Corporation in the phone book, calling their > > > corporate headquarters, and verifying the fingerprint with a person > > > wouldn't help? > > > > 1. You are still trusting an unknown person you've never met to give you > > the right information, just on the basis of their employer. > > ... > > It's still about trusting an individual - if you don't meet, you will > > never know if it's actually the right person. > > But how do you verify that person created the key, or wrote the > application? What, at PGP? I'd never sign their key anyway. :-) I have to meet someone face to face, verify their photo ID, receive a printed copy of their key fingerprint and then verify their email address (using CA bot unless I already have email correspondence) and then I'll sign a key. Seriously, I would never sign any key that cannot be verified as above. I have not and will not sign any automated or corporate keys that cannot be tied to one specific individual who can be independently verified. I cannot prove the verification of any such keys so I will not put myself in a position where someone might be excused for using such a proof. It doesn't stop me using encryption to those people that I need to use encryption, it doesn't stop others trusting my key on my software. I continue to seek out keysignings to increase the number of people who can trust my key and I jealously guard both the key and the system that allows people to trust my key. > You would have to either trust them to tell you the truth, or > interview tens of people that work at their company, assuming you trusted > their HR department to tell you that they do work there, and that they are > in the correct department. No, you simply don't, ever, sign their key. If you must, use a local. -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050101/792a7187/attachment.bin From jdbeyer at exit109.com Sat Jan 1 22:08:27 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Sat Jan 1 22:04:41 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011722.36419.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <200501011722.36419.linux@codehelp.co.uk> Message-ID: <41D7114B.5030103@exit109.com> Neil Williams wrote (in part): > Until you've verified my key and me (or someone who has signed my key) as an > individual, you cannot hope to prove that this signature is made by the > person claimed in the key UIDs. > > You could ring me on the 'phone and ask, but you still haven't verified me - > just my phone number. It could be anyone at the end of the phone, there's not > even much certainty that you'd get the right number without knowing me. > This is something I still do not understant about the WOT and signing other people's keys. I even signed a person's key once. I did not know him, but we met face-to-face and he brought his US Government Passport that had his picture in it and it matched him quite well. Simililarly, I brought my US Government Passport that had my picture in it and I even wore the same sweater that I wore when the picture was taken. He brought his fingerprint, as I did mine. We then exchanged signed encrypted e-mails where I sent him a message with an encrypted string in it that looks like something the password in the /etc/shadow file which he encrypted and sent back. It matched. But really, I do not know who he is. I am not claiming I signed his key with insufficient care. But I may have. I know he has access to the private key corresponding to the fingerprint he showed me. Is that enough? For all I know, the poor owner of the machine(s) where that secret key resides is tied up in a warehouse somewhere, and this guy is a fraud. (I really doubt it of course, but if forced to testify in court, I could not really swear to it.) So I have signed only one person's key, and only he has signed mine. I get no use from gnupg because no one I know has the slightest interest in secure communications. I would like to believe this is more than a hobby for some propeller heads (even though I am considered to be one of them), and _it should be_. Why is it that so many people make paranoid sounds about security but will not take even the first steps to get some? -- .~. Jean-David Beyer Registered Linux User 85642. /V\ Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 15:55:00 up 1 day, 5:13, 4 users, load average: 3.18, 3.20, 2.88 From jdbeyer at exit109.com Sun Jan 2 03:54:53 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Sun Jan 2 04:11:41 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501012335.45054.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011722.36419.linux@codehelp.co.uk> <41D7112D.3060008@exit109.com> <200501012335.45054.linux@codehelp.co.uk> Message-ID: <41D7627D.4030007@exit109.com> Neil Williams wrote (in part): > On Saturday 01 January 2005 9:07 pm, you wrote: > >>This is something I still do not understant about the WOT and signing >>other people's keys. I even signed a person's key once. I did not know >>him, but we met face-to-face and he brought his US Government Passport >>that had his picture in it and it matched him quite well. Simililarly, I >>brought my US Government Passport that had my picture in it and I even >>wore the same sweater that I wore when the picture was taken. He brought >>his fingerprint, as I did mine. We then exchanged signed encrypted e-mails >>where I sent him a message with an encrypted string in it that looks like >>something the password in the /etc/shadow file which he encrypted and sent >>back. It matched. > >>But really, I do not know who he is. I am not claiming I signed his key >>with insufficient care. But I may have. I know he has access to the >>private key corresponding to the fingerprint he showed me. Is that enough? > > Yes. It's not a statement of his character, just a statement that he is > correctly identified by the key UID and that he can prove his identity. He is pretty clearly the guy on his passport. He gave me the fingerprint and pgp-key id that he wanted signed. I get e-mail clearly signed and encrypted with that key. That e-mail can be decrypted with the public key corresponding to that key id on keyservers. > > You presumably had a chance to chat to him, you corresponded at least briefly > by email . . . It takes a little effort to keep things going - whatever > brought you together is presumably a common interest, it doesn't hurt to > remain in communication. As far as I know, our only common interest was to get signatures other than our own on our keys. >>For all I know, the poor owner of the machine(s) where that secret key >>resides is tied up in a warehouse somewhere, and this guy is a fraud. > > He would still need the passphrase, not just access to the secret key. Thank you: I forgot about that. I hope his passphrase is at least as difficult as mine. > > He would also need to have changed the key UID to match the identity on the > photo ID that he provided for you to see. The keyserver will show this - it > doesn't delete old UID's, most just add the new one. > > The easiest way to allay your fears is to continue communication with him - > signed and occasionally encrypted. Also, don't worry about this being the > only one - as you get more signatures, the reliance on any one dud becomes > less important. > > Once you get signed by a key in the strong set, it reduces further. This whole > WoT is about weight of numbers. > >>So I have signed only one person's key, and only he has signed mine. I get >>no use from gnupg because no one I know has the slightest interest in >>secure communications. > > > You're on the list, it would be useful to sign your messages to the list. I guess so, but I use the mailer in Mozilla, and I can never find a version of enigmail that works with the Mozilla I have. > > (BTW, did you mean for this to come only to me? No: I bungled it, but realized it (too late) and sent a copy to the list. > Can we keep replies on the > list so that everyone benefits, please?) Yes: I still cannot get used to the fact that on this mailing list if I click "Reply" it replies to the person, even though I got the e-mail from the list. I wish it would not do that. The other mailing lists to which I subscribe reply to the list. I see there is a *Mail-Followup-To: gnupg-users@gnupg.org* header, but not the usual *Reply-To:* My guess is that Mozilla honors Reply-To but not the other. > > The best way of getting your key in use is to use it! > :-) Yes, but other lists complain bitterly if messages are signed. > > Get across to biglumber (URL in my sig) and enter your key. That will at least > make it clear to others in your area and allow you to see who else is > interested in your locality. See if your local LUG has keysignings, get along > to a nearby Expo or conference. These things take time and you can't expect > signatures to drop out of the air. I have entered my key on biglumber in the past. Also, you and I have exchanged keys, even though you are unable to say if I am who I say I am. > > You need to let people see that you have a key and like to use it. > > Stick your key ID in your sig. Sign all your email. No good. If I sign e-mail to AOL users, and include any attachment of any kind, they cannot handle it because AOL's brain-damaged e-mail software assumes all attachments are of the same type. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 20:55:00 up 1 day, 10:13, 3 users, load average: 4.19, 4.22, 4.10 From texmex at uni.de Sun Jan 2 10:57:40 2005 From: texmex at uni.de (Gregor Zattler) Date: Sun Jan 2 14:38:33 2005 Subject: RFE: Unsignable keys In-Reply-To: <20050101175836.GF22611@jabberwocky.com> References: <200501011342.59945.linux@codehelp.co.uk> <20050101175836.GF22611@jabberwocky.com> Message-ID: <20050102095740.GB3739@pit.ID-43118.user.dfncis.de> Hi David, * David Shaw [01. Jan. 2005]: > On Sat, Jan 01, 2005 at 01:42:57PM +0000, Neil Williams wrote: > > Request for Enhancement / Comments: GnuPG. > > > > Would it be possible to create an --expert option to generate a key that > > CANNOT be signed (under any circumstances) unless BOTH secret keys are > > available? (signer has to have secret key anyway, these special keys would > > also need the signee secret key in the same keyring). [...] > What you suggest is not impossible, but has a number of caveats when > done as part of OpenPGP. The signature math of OpenPGP does not cover > this sort of case, so such a flag would need to be somewhat advisory. But then it is possible to add such signature with some knowledge and a hex editor or an older implementation? > This isn't to say that advisory flags are useless: most things like > this in OpenPGP are advisory, and they work fairly well. > > There are quite a few ways to do this, each with their plusses and > minuses, but it comes down to the interoperability question. It would > have to be part of OpenPGP (and not GnuPG-specific) if it was to > really work, and some consideration would have to be given to what the > semantics were when an old implementation ignored the flag and signed > anyway. This special signature needs a special marker an older implementation does not provide. Newer implementation ignores such signatures without correct marker. But isn't this an example where shared secrets are useful? Is there any hope of shared secrets being part of OpenPGP in the future? Gregor From linux at codehelp.co.uk Sun Jan 2 11:15:16 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Jan 2 14:38:38 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <41D7627D.4030007@exit109.com> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501012335.45054.linux@codehelp.co.uk> <41D7627D.4030007@exit109.com> Message-ID: <200501021015.22539.linux@codehelp.co.uk> On Sunday 02 January 2005 2:54 am, Jean-David Beyer wrote: > > You're on the list, it would be useful to sign your messages to the list. > > I guess so, but I use the mailer in Mozilla, and I can never find a > version of enigmail that works with the Mozilla I have. I've got Enigmail working with Mozilla and Thunderbird. Check that out, it should work and it can work. > Yes: I still cannot get used to the fact that on this mailing list if I > click "Reply" it replies to the person, even though I got the e-mail from > the list. I wish it would not do that. The other mailing lists to which I > subscribe reply to the list. This list is using the usual behaviour of GNU/Linux mailing lists, it's not unusual at all. The other lists you describe are probably hacking their config to satisfy requests like that - the discussion is as old as the list and I don't see either position changing. Mozilla doesn't handle it as well as some others, KMail handles it perfectly. Reply on this list, and KMail replies to the list because the folder is configured that way. > I see there is a *Mail-Followup-To: gnupg-users@gnupg.org* header, but not > the usual *Reply-To:* My guess is that Mozilla honors Reply-To but not the > other. Try reply all. > > > The best way of getting your key in use is to use it! > > > > :-) > > Yes, but other lists complain bitterly if messages are signed. Tough! I sign everything - especially on lists where it annoys OE users. I use it to make a point. Use a different email address for lists with lots of OE users and then you can configure that account to either not sign or to sign in the deprecated inline format that will break occasionally. I have linux@ for GNU/Linux lists that have a propensity for GNU/Linux email clients, I have a different account at the same domain for lists with a propensity of broken MS email clients. :-) > > > Get across to biglumber (URL in my sig) and enter your key. That will at > > least make it clear to others in your area and allow you to see who else > > is interested in your locality. See if your local LUG has keysignings, > > get along to a nearby Expo or conference. These things take time and you > > can't expect signatures to drop out of the air. > > I have entered my key on biglumber in the past. Also, you and I have > exchanged keys, even though you are unable to say if I am who I say I am. ?? I've had your key in the past, yes, we haven't exchanged keys in the sense of fingerprints for a keysigning. > No good. If I sign e-mail to AOL users, and include any attachment of any > kind, they cannot handle it because AOL's brain-damaged e-mail software > assumes all attachments are of the same type. Sign inline. How often do you send attachments anyway? -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050102/75809112/attachment.bin From mwood at IUPUI.Edu Sun Jan 2 18:09:22 2005 From: mwood at IUPUI.Edu (Mark H. Wood) Date: Sun Jan 2 19:02:10 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011722.36419.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <200501011722.36419.linux@codehelp.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 1 Jan 2005, Neil Williams wrote: > On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote: > > So, looking up PGP Corporation in the phone book, calling their corporate > > headquarters, and verifying the fingerprint with a person wouldn't help? > > 1. You are still trusting an unknown person you've never met to give you the > right information, just on the basis of their employer. How is this different from trusting an unknown person I've never met (before) on the basis of his being able to produce a couple of cards which have his likeness (more or less) and the name he gave me? One reason I haven't been to any keysigning parties is that I wouldn't trust my ability to verify someone's identity. *All personal identification is role-based.* It just depends on which role is important to you. Do you care that I'm the child of my parents? employed by a certain employer? the author of a body of emails? the person living at suchandso address? the person who bought the property at suchandso address? the person who put money into your bank, or borrowed money from your bank? Those are all me. It's reasonable for various entities to care about some of those roles and not others, and to be satisfied with any sufficiently trustworthy binding to the significant role regardless of any bindings to any other roles. My bank doesn't care whose high-school grades those are. "Who are you" is a devilish difficult question to answer, or even to understand. And no matter how you verify someone's identity, you're still playing probabilities. Someone could knife me in an alley, destroy the body, submit to plastic surgery until he looks and sounds just like me, learn my handwriting and my style and habits, and essentially become me in any way you might test. He's got my primary identity documents, after all. How likely is that, though? Now how likely is it that someone marched into PGP's HQ, shot the receptionist, and is calmly sitting by the phone while guards are running to find out what the noise was, just when my call comes in? (How likely is it that the receptionist is allowed to verify the company's key fingerprints anyway?) Bad guys *could* do all kinds of sneaky things, but how likely is it, what would it cost them, and would they be able to recover the cost (including the cost of being found out)? Is it worth the expectation of trading a nice job for a cell to trick me (that is, nobody) into signing a bogus key purporting to be from a low-security thing like this? An artificial person is a lot easier to check out than a natural person. Have *you* been eyeballed by SEC, D&B, the states of California and (probably) Delaware, and a host of commercial banks? I haven't. Having established that PGP is likely on the up and up, how likely is it that they wouldn't take reasonable care with the security of one of their services' keys, given that their entire income stream is based on a reputation for reasonable security? I'd be more likely to trust an unknown person bound to a large business by a trusted introducer (the telco) than an unknown person with only his own name for identification, when the former's job and freedom are on the line and the latter's likely not. - -- Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu Open-source executable: $0.00. Source: $0.00 Control: priceless! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFB2CrKs/NR4JuTKG8RAnb9AJ4nZlajoOciTDoypuBiK8VkeE9dtgCgkTEy I250cSL5Fk3iao8rCZavBtQ= =oZU2 -----END PGP SIGNATURE----- From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 22:40:27 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sun Jan 2 19:02:20 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501012033.59170.linux@codehelp.co.uk> References: <20041230043512.GE684@wilma.widomaker.com> <20050101162357.GE22611@jabberwocky.com> <20050101180012.GD21733@frogger.jeffnet> <200501012033.59170.linux@codehelp.co.uk> Message-ID: <20050101214027.GG21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Jan 01, 2005 at 08:33:56PM +0000, Neil Williams wrote: > On Saturday 01 January 2005 6:00 pm, Jeff Fisher wrote: > > For me, in this case, the key and the role are the same thing. > > That's the problem, right there. A signature is not for YOUR benefit! You need > to take on board how signatures are used by others. To others, the key and > the role, the key and the person, are completely separate. In this case, there is no person. There is a corporate entity, a keyserver, and a web server. No person. The key exists for the role. The trust in the role would be very limited without the key. _In this case_, the key and the role, even though they are not the same thing, are inseperable. Take away one, and the other has little reason to exist. I'm not saying that is the general case, I'm just stating my opinion of this particular case. For the general role based case, my opinion is that some these keys can be verified to a level that I would be confident enough to publicly sign them. > The capacity is NOT in the system to say that your signatures should always be > untrusted - basically because the system is of the opinion that untrustworthy > signatures shouldn't be made in the first place! > :-)) Ah, but the capacity is in the system to do just that. Edit the trust of a key, and there is an option 'I do NOT trust'. I would think there is something similar in the PGP code. I haven't looked at the code, but I would hope this setting overrides any trust earned from signatures on a key. Indeed, the default is to not trust signatures unless you have a close link in the WoT. Trust is earned, based on the rules and signatures that _you_ make _yourself_. > > However, if it is used for business / transactions, then I will not trust > > anything but personally verifying the identity of the key, or a trusted > > third party doing the same (but not through key signing). For the ssl > > Leave x.509 out of this - it doesn't apply to the issues. I'm saying that I don't trust signatures at all in this case. From anybody. In this case. X.509 or PGP is irrelevant to the issue. > The confusion is about keysigning of individual keys that are used by > machines. Never sign them! The set 'keys used by machines', and 'role-based keys' are not neccesarily equal. My opinion is that people should be able to make the choice of what keys to sign (publicly or privately) individually. Fortunately, barring massive changes to the OpenPGP spec and current implementations, this is the case. > > example in another e-mail, this is getting the URL for the bank from their > > literature, or a similar method. If they used pgp, I would get the > > fingerprint from their brochure. > > ??? I hope you are not saying you'd make an exportable signature on their key > on just that basis??? Ok, if you walk into your local branch of the bank, and they have a poster with their PGP fingerprint, how much more authoritative do you need? If you're trusting the signature with your money, aren't you already saying to the world that you have confidence that this key is the bank's key? And no, I would not make an exportable signature based on that, as I would expect people to verify the key themselves when it's that important. > > , or in the case of Robot CA's, to mark > > them as trusted introducers. My setup probably needs some tuning to verify > > this is working correctly, but as stated above, I won't trust anything > > sensitive to pgp unless I really trust the person, and have personally > > verified the key. > > Fine - so why are we discussing this at all?? Because I believe that someone could trust a role-based key enough to broadcast that fact to the world. That does not seem to be the commonly held opinion on this list. > > The WoT is not a take-it-or-leave-it all or nothing construct. You retrieve > those keys that you know belong to people you already trust. You set your > personal trust level to tell GnuPG how much you trust that person to verify > someone else's key and ALL other keys, if you don't know the person, tell > GnuPG "don't know". There's an option in the trust that explicitly uses > "don't know". It's not a cop-out, it is a vitally important setting. If my signing policy can break your WoT, then there is something wrong with it at the conceptual level. I don't think this is the case. Based on the difference in opinions, I don't think I would ever have enough signatures close enough to your own to make my key in any way trusted on your keyring. In this way, the WoT is working perfectly. Without any work on your end, you won't trust any of my signatures, and they won't enter into the trust calculations on your keyring. Great, ain't it? - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdcYyxwPMBUZyYf1AQiKuBAAhGSrDcuZf/gfUT0IMP3iMjy+EIQrl6x0 zC/4Yyz5VRZPCJlP2otfXWlNALiI/rf+6swlriz+9q8jiPQ/mYgKk0WaHbQq2/MD 3zeDtmD2nFDyy4CZ0GgeBqFXpLD/v5i/SKyQIpzhHyoGhMd4+EkyMOdmGXvaHd6C LOCJDb4nKJqS0ZxeCqTd7/MIV3e6LdGDPADHkERrmwOJnHf3tjk7nNje5cvkfpVt nTz16fg9pBB/1/IbzZL2kQbSuUkrxwPYkkngSY+KvS0erQcBsAtdfQAbFwIL3Vm9 Eyzp13fKplg8VxhVNCWpRz2MVrxnf4hKOuddg3K+D8mAPPj11bErJCbcQB8DmbzL YPezghRFRWA7uDjMpp9oVrggYH9RIMsx2src6t4HYvUYlKz8zLdFWmXx/MJHPIax r+vqH6vh/mm/Z1sACRsgartM/Ovlzlkf5y6F/3wbqmTlWoKqHS02EbkSbAMy97wv my7xuJHLZbRGUyMMKB3FWX3xQujDxPk3wYC3zG3hJKX9FoTJLyZJ/XYiCCv0KtsV F3CE7U+Nylps+AYemIN12Cw7VWotWQTQ7BqZSjV0ZKT1SmWyF4z5S+M46omLE5sU +azmd3eFiYut5je3Q7iC5IRA1WCHUMp/nnAvmmgnsbVQNXUYX05tBycgOGswK6kg 7VIOG1OGKIM= =lKhc -----END PGP SIGNATURE----- From jharris at widomaker.com Sun Jan 2 21:54:19 2005 From: jharris at widomaker.com (Jason Harris) Date: Sun Jan 2 21:50:53 2005 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> References: <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> Message-ID: <20050102205419.GI684@wilma.widomaker.com> On Thu, Dec 30, 2004 at 09:48:22PM -0500, David Shaw wrote: > Which shows that people aren't actively bridging keys, or you'd have > vastly more than 120 signatures issused by the GD key on the keyserver Regardless of your particular semantics of "actively bridging keys," signatures from 0xCA57AD7C are showing up on the regular keyservers. Having read the FAQ for GD, I believe pgp.com sees the 14 day expirations as a real feature and won't be changing that value anytime soon. If so, it may be reasonable for regular keyservers to remove all signatures by the GD key that have expired, or perhaps not to store any at all. Clearly, such expired signatures only serve to bloat keys on users' keyrings and regular keyservers. A much better design would be to issue yearly signatures and revoke them when a key is removed from the GD. This way, multiple GD signatures are caused (mostly) by the users' actions and/or inactions. Also, the GD should store expired and revoked keys. Users who rely solely on the GD keyserver now must search for each key by email address before encrypting to it or trusting a signature from it. If a key is expired by a signature not yet downloaded from GD, but the key is already gone from the GD, how else is a user to know the key has expired? Worse, if a key has been compromised, how is the keyholder supposed to record that fact with the GD? Refreshing one's keyring only from the GD only using keyids cannot reveal unusable keys. > net. Far more than 120 people use the GD. Indeed, given the "hardware meltdown" of the non-GD pgp.com keyserver, they are now quite the captive audience. I particularly hope there is more hardware available for the GD so that a loss of data doesn't cause a sudden spike in signatures [re]issued by the GD. On Thu, Dec 30, 2004 at 12:51:08PM -0500, Jason Harris wrote: > NB: Pulling 0xF7447263 from keyserver.pgp.com just now didn't add a > new sig. by 0xCA57AD7C, so it looks like the 8 day bug/feature is gone. Gah! 0x839B8AD7 is a recent example to the contrary: sig! CA57AD7C 2004-12-31 PGP Global Directory Verification Key sig! CA57AD7C 2005-01-02 PGP Global Directory Verification Key -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050102/4ec1fb71/attachment.bin From DenisMcCauley at ifrance.com Sun Jan 2 22:05:07 2005 From: DenisMcCauley at ifrance.com (Denis McCauley) Date: Sun Jan 2 22:04:42 2005 Subject: GPG 1.40a renameing errors Message-ID: <41D86203.7040609@ifrance.com> Greetings, The following message is forwarded on behalf of a person who is not a member of this group. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Hello Group; I have found a problem with the new version of GPG. I can duplicate it every time I change the trustDB. I have reverted back to " GPG 1.25 ", and do not have this renameing error. I also notice that in the latest version I will loose the file " pubring.bak ", even if I copy the file " pubring.gpg to pubring.bak ". the new version does however have a file called " pubring.tmp ". I will try to be real specific in what I did to get this error so you may check it out for yourself. In GPGshell: First: Launch keys, highlight a key that you want to change the trust value on. Then go into edit, and change, or add a value. When you exit GPG will automatically adjust the trustDB. You should get a error. Second: Export a keypair that do this to make sure you have a backup. Then delete the pair from you keyring. Go into the trust menue, and chose update. This will remove the entry from your trust database. Then import the keypair back into you keyring. Go into edit and asign a trust value. GPG will automatically adjust the database when you exit. You should see a error. Third: Back up your TrustDB. Go into Windows and delete the file " trustdb.gpg". Then go into GPGshell and import ythe back up copy. You should get a error. I hope this will help you out. I am going back to "GPG 1.25" untill their is a fix for the new version. Eithe from " nullify, or GnuPG " , or until someone shows me what I am doing wrong. - - -- <>< <>< <>< Greetings From: Frank D. Hubeny GSWoT Assurer Palm Bay, Florida USA My Public Key: http://www.biglumber.com/x/web?pk=C0F3E7E59ED67E0CE9500A087577FCCD63E3F723 _____________________________________________________________________ Envie de discuter gratuitement avec vos amis ? Téléchargez Yahoo! Messenger http://yahoo.ifrance.com From jeff+gnupg at jeffenstein.dyndns.org Sat Jan 1 22:40:35 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Sun Jan 2 22:27:38 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011647.24539.linux@codehelp.co.uk> References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <20050101153451.GC21733@frogger.jeffnet> <200501011647.24539.linux@codehelp.co.uk> Message-ID: <20050101214035.GH21733@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sat, Jan 01, 2005 at 04:47:21PM +0000, Neil Williams wrote: > > IMHO, you'd be better off with an x.509 Thawte key - their trust model is > closer to yours. I also don't put too much stock in them verifying the identity for me either. There have been too many cases of certificates issued based on false credentials. > > You are willing to trust a key only on the say so of a corporate entity - > that's a Thawte and x.509 model, not GnuPG. Fortunately GnuPG can work with my trust model, which is that I trust myself, friends, and (for work stuff) others at my company. Works like a champ for that. > > > > To use the X.509/SSL model, > > GnuPG doesn't use the x.509 model - that's the entire point. The two models > cannot be reconciled, the fundamentals are different and comparisons are > void. This is the flaw in the PGP GD - they are trying to square a circle. GnuPG (and PGP in general) can work with either model. In effect, the X.509 model is only a more limited version of the PGP model, where only a certain type of key can be trusted. The difference is that the pgp way lets the user choose the model, and X.509 does not (easily). > > > As it would be my own key, > > > created under false pretences, I could introduce it to PGP GD and sign > > > whatever I wanted with it. > > > > But you couldn't put it on the PGP web site, or sign every key that is > > submitted to the PGP global directory, > > Why not? It's a simple matter of programming. (bash/cron in this case) and a > decent connection. There'd be no need to set a passphrase on the false key so > my system could sign maybe 1,000 a minute? i.e. I'd be creating a second > robot - a false one. Just as capable as the one on the site already. But that still won't erase the original signatures on the key. It will now have two signatures from different key ID's, which would most likely quickly be noticed by the maintainers. You also didn't answer how you would get it behind all of those links on the PGP website. > > Any software method of signing can be copied and reimplemented elsewhere. > > > and modify the keys in the directory > > to remove the valid signature, making yours look correct. > > No need - with all keys signed twice, who can tell which is genuine? You're > now reduced to checking only a fingerprint - the keyid can easily be > duplicated. Just run a script on --gen-key until /dev/random provides the > right input to output the required 8 characters. Duplicate keyid's already > exist - 0xDEADBEEF is almost common. Only 5 keys on the key servers. Apparently not too common. Could be done, but it wouldn't go unnoticed for long, and once the key was removed from the keyserver, you have to start from zero. I haven't tried it, but I'm guessing it takes a while to generate the neccessary ~2 billion key pairs on average to have a collision. It's certainly not the low hanging fruit in this model. > > > Anybody can create a president@whitehouse.gov key. However, nobody > > will trust it because that key does not sign messages coming from > > president@whitehouse.gov or respond to messages encrypted to > > president@whitehouse.gov. > > So you are trusting your entire verification to whether someone can hack an > email account or forge the From: address???? For anything I would trust in normal e-mail, yes. > > > Ok, if the definition of verify is not 'prove that something is what it > > claims to be', please fill me in. Oxford lists, "establish the truth or > > correctness of by examination." How would you verify a toll booth is what > > it says it is? It's identity is it's function. It's identity is not who is > > in the booth. > > Wrong model. A signature verifies a PERSON. A singature verifies a user-id, which may or may not correspond to a single person. Do a keysearch on 'corporate', or go to most computer security sites (including microsft, hp, etc), and you will find PGP keys that to not have a person's name on them, and do not correspond to a person, yet they are in daily use, and trusted with the security of (possibly) hundreds of thousands of computer system's security. Whether or not you personally trust it enough to sign it, you have to agreee that a user-id can correspond to a role, and that hundreds, or possibly thousands of people have enough trust in this to publicly sign user-ids that correspond to a role. > > > > On to another example, SSH. > > Still the same model as x.509. Please get your head around the OpenPGP trust > model - it's not about corporate bodies or material objects, it's about one > individual trusting another individual. SSH does not have the same model as X.509. Not even close. There is no concept of certification in SSH, there is only host and unix user key pairs. It can rely on keys put in place by the administrator, but this is rarely used because it is difficult to maintain, can be overriden by the user, and is almost impossible to cross administrative domains. It does use the OpenSSL libraries, but only for the cryptographic primitives, not for the protocol level. OpenPGP verification of keys has recently been added, so it could be said (very loosely) that it corresponds more to the pgp model than to the X.509 model. > > You're forgetting that not everybody wants the same level of verification, > > or has the same ideas about what verification means. > > Doesn't mean I can't help inform those people of an alternative viewpoint. That I don't have a problem with, but you're putting forth your system as the only valid alternative. This just isn't the case. > > > In the two instances where I've helped set up PGP to be used in a corporate > > environment (for payroll and customer billing info), the verfication > > process was: > > > > 1) Received key on disk via fedex. > > 2) Made a test transaction. > > 3) Called the contact at the remote company to verify that the transaction > > did indeed arrive and they were able to process it. > > > > In either of these cases, the management would never have accepted, 'person > > x signed the key, so we can trust it', regardless of the identity of person > > You should consider using x.509 for those situations - GnuPG is built on a > PERSONAL WoT. X.509 is very painful to use for files transferred by anything but SSL. Non-interactive secure SSL more difficult to setup than PGP for the same purpose. PGP lets the file reside on unsecure medium in the middle without being comprimised (for example, mail servers or ftp servers). PGP can be more easily adapted to secure non-interactive use, though the gap is closing on that one. > > > > Don't sign it unless you can prove it! > > > > ... to a satisfactory level. > > No, unless you can prove it 'beyond a reasonable doubt'. Again, subjective. If it wasn't, most trials would be a lot shorter. > > Again, people want to be able to RELY on your signatures. This is why GnuPG > has a trust level that the user has to set themselves - when I meet someone > for a keysigning, I make an assessment of how well they verify my key, how > they take care of their own key and set my trust accordingly. > ... > Your signatures can affect my trust model - that is why I'm taking time out to > reply to the thread. In this respect, the WoT is working. With my attitude towards keysinging, I would never have enough signatures on my key from keys you trust to make it to trusted status on your keyring. If I could, then there is something wrong with the concept. You can use the keyparty model; I don't have any problem with that. However, I won't participate in it. PGP works with a web of trust, but it does not define the size of the web, or how to build it; that is up to the user. My web looks very different than yours, but I'm willing to live with that. > > > All this means is that I don't trust your signatures and you don't trust my > > signatures, and life goes on. > > I really think you should look at Thawte - you've entirely missed the personal > aspect of the GnuPG trust model. > > It's about Bob trusting Neil who trusts Anne. It's about Bob assessing how > carefully Neil verifies keys so that he can decide whether he should set > Neil's key to fully trusted and therefore trust Anne's key. Yes, this works for as much as you would trust Bob's trust. Me, I would only trust Bob to introduce me to Neil. I'm more paranoid and don't trust Neil unless I know him, and GnuPG works just fine for me that way also, with only a single option changed from the default. I've _personalized_ it to my trust preferences, which are not far from the default. The X.509 examples were just to point out that most people on the list have probably used a system where they have implicitly stated their trust (backing it up with money; more trusting than just signing a key) in a not-personally-known third party, but refuse to do so in this case. Regardless of the system in use, it is effectively the same leap of faith; trusting 'Bob' - the browser authors, who trust 'Neil' - the CA, to introduce you to someone else who will take your money. Only in this case, 'Bob' is the role of browser author, and 'Neil' is the role-based key of Thawte, or Verisign, or ABA.ECOM. In any case, I'm not trying to tell people they should trust role based keys, I'm just trying to point out that some people do, and are willing to tell the world that this is the case. Whether you are willing to do so is up to you, and whether I am willing to do so is entirely up to me. - -- Me - jeff@jeffenstein.dyndns.org -----BEGIN PGP SIGNATURE----- iQIVAwUBQdcY0xwPMBUZyYf1AQirfg/+PV5N9/g4GlWGW8POIUNjl5d/zIqlvoBz fpRBPVCpl+OmxvtB0E7r3PhC4FlTdziGY5Cg1OYyRJaXUiBeD4qj6avlY5tbQBAB mqQ8hPzSE7sp96AfZdSXtCZxIzfxcs+j/S6nEBHU1tDjuYDKVBQsWxkgQDFaD+Fe r+R2v1mzZwq8ux7Ooj61MbVZFiJ18GwNpe42OoIEq2HNZnEk0B9EP8VcT24UZtHL OA5PkECZgpnGg26Bp4V09+I24Lqal3uoqqQEx5HmKIOueQJjGsLPr7GW0W+egH7E QPqxY6X+7YqdsfaMuMoWub2ajEJSAhom08kTrK+ZpJS+ofeiQbMEPgtlW9KXArpV PQ1PokUXS0Jn/sxlN1FxAf1wlXL5hRG4vALLq/d/0M9LTiLjoivZu/tflpKb+vno bcyow7aSG4TZBc6jr8lI6mdewqEi4ZgSMrvt0L0Fa6S4+2kxXZK1TwhyYnqmJf0x 5Xzx5LNDNwJXKvu3Z49OtaQ/4BnehPoon/sSe0X2Mm1t9Woptmxv7z24mBrxuKST qZADc9mDRMJ3JwHMQiGoeOz68wkYgHCz7c5C2/Xi0Sr/wZ6UqWw0JieRnA9RV7BE 7jaGP+Df0Lba2etTzrOWwAt9NHDPxoiLStnBgmVRGgCmiG2hFSQjLR1rBrCsFXoD bREB29NBb4I= =9Ovt -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Jan 3 00:44:51 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 00:41:57 2005 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20050102205419.GI684@wilma.widomaker.com> References: <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> Message-ID: <20050102234450.GC28182@jabberwocky.com> On Sun, Jan 02, 2005 at 03:54:19PM -0500, Jason Harris wrote: > On Thu, Dec 30, 2004 at 09:48:22PM -0500, David Shaw wrote: > > > Which shows that people aren't actively bridging keys, or you'd have > > vastly more than 120 signatures issused by the GD key on the keyserver > > Regardless of your particular semantics of "actively bridging keys," > signatures from 0xCA57AD7C are showing up on the regular keyservers. I'm fairly sure you understand the difference between "active" and "passive", and if not, it should be quite clear from the context. I'm not going to explain it again. I'm happy to continue having this discussion, but if you would rather play "neener neener neener" games, I'd just as soon pass. I'd rather do something productive. > Having read the FAQ for GD, I believe pgp.com sees the 14 day > expirations as a real feature and won't be changing that value > anytime soon. If so, it may be reasonable for regular keyservers to > remove all signatures by the GD key that have expired, or perhaps > not to store any at all. Clearly, such expired signatures only > serve to bloat keys on users' keyrings and regular keyservers. > > A much better design would be to issue yearly signatures and revoke > them when a key is removed from the GD. This way, multiple GD > signatures are caused (mostly) by the users' actions and/or > inactions. I'm not as sure as you that the 14 day expiration is intended to be permanent. It may be, as it does very well serve to cap the time after a key has been retrieved from the server but before the client must go back for a refresh. The GD works on 6 month increments, so a 6 month signature would seem to be the obvious duration to use, but that of course does not handle as well the case where the key is removed from the GD (or replaced within the GD) before 6 months is up. > Also, the GD should store expired and revoked keys. Users who rely > solely on the GD keyserver now must search for each key by email > address before encrypting to it or trusting a signature from it. If > a key is expired by a signature not yet downloaded from GD, but the > key is already gone from the GD, how else is a user to know the key > has expired? The user would be forced back to the GD for a new 14-day signature at which point they would discover that the key is missing so no new signature would be available. This makes the key invalid in their trust calculations. > Worse, if a key has been compromised, how is the keyholder supposed > to record that fact with the GD? I don't think that is the intent of the GD. Rather, the idea is that if you find a key on the GD, it is a usable key. Period. If a key isn't usable (revoked, expired, etc), it should not be on the GD at all. A compromised key would presumably be removed from the GD by the owner so it could not be served at all. > Refreshing one's keyring only from the GD only using keyids cannot > reveal unusable keys. As before, if the key itself no longer exists on the GD, you will not get another 14-day signature, and the key will become invalid to you. Sure, you could dream up a scenario where a key was revoked and then removed from the GD so the actual revocation was only posted to the keyserver net, but note that the GD did the right thing for its design here - it stopped serving the revoked key. It is not responsible for serving the revocation, since it only serves keys that are usable. Shortly after all this happens, the 14-day signature expires and the GD is completely uninvolved. Remember that the GD is intended to be the "keyserver of last resort" for new users. If it isn't on the GD (or the 3-4 places PGP looks before it falls over to the GD), the key doesn't exist. David From dshaw at jabberwocky.com Mon Jan 3 00:51:04 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 00:47:58 2005 Subject: RFE: Unsignable keys In-Reply-To: <20050102095740.GB3739@pit.ID-43118.user.dfncis.de> References: <200501011342.59945.linux@codehelp.co.uk> <20050101175836.GF22611@jabberwocky.com> <20050102095740.GB3739@pit.ID-43118.user.dfncis.de> Message-ID: <20050102235104.GD28182@jabberwocky.com> On Sun, Jan 02, 2005 at 10:57:40AM +0100, Gregor Zattler wrote: > Hi David, > * David Shaw [01. Jan. 2005]: > > On Sat, Jan 01, 2005 at 01:42:57PM +0000, Neil Williams wrote: > > > Request for Enhancement / Comments: GnuPG. > > > > > > Would it be possible to create an --expert option to generate a key that > > > CANNOT be signed (under any circumstances) unless BOTH secret keys are > > > available? (signer has to have secret key anyway, these special keys would > > > also need the signee secret key in the same keyring). > [...] > > What you suggest is not impossible, but has a number of caveats when > > done as part of OpenPGP. The signature math of OpenPGP does not cover > > this sort of case, so such a flag would need to be somewhat advisory. > > But then it is possible to add such signature with some knowledge > and a hex editor or an older implementation? No, the flags are protected by a signature. Think of something like the "designated revoker" data. It is part of a self-signature on the key itself. It is advisory in the sense that no part of the math requires an implementation to honor it. Honoring it is part of the protocol instead. > But isn't this an example where shared secrets are useful? Is there > any hope of shared secrets being part of OpenPGP in the future? Maybe. The new RFC is very unlikely to specify different signature math, but who knows what the future will bring? David From johanw at vulcan.xs4all.nl Sun Jan 2 20:09:13 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jan 3 00:56:35 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <200501011722.36419.linux@codehelp.co.uk> from Neil Williams at "Jan 1, 2005 05:22:33 pm" Message-ID: <200501021909.UAA00517@vulcan.xs4all.nl> Neil Williams wrote: >It's still about trusting an individual - if you don't meet, you will never >know if it's actually the right person. Well, if you do meet, how do you know? Asking for a passport and driving license? They can be more easily falsified than pgp signatures. In fact, in Romania an entire industry is aimed at that. The point is, if you don't know someone personally for a long time, identity information can be falsified. If you want to sign someones key based on paper ID's, I don't see why that would be more secure than looking up a company name in the phonebook and call them. >I would hope that everyone would be willing to trust my key and keys that I >have signed on this basis: Verify me and have confidence that the keys that I >have signed are known to have been good at the time of signing. If it comes at really important situations where my life might be at stake, I don't see why I would trust anyone I have not met personally. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From greg at turnstep.com Mon Jan 3 01:36:02 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Mon Jan 3 05:13:37 2005 Subject: Global Directory signatures In-Reply-To: <20041231154422.GA22611@jabberwocky.com> Message-ID: <0ffe33619cd71a389401d42fbb4c1637@biglumber.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I'm curious about the details. What keyserver protocol are you > planning to use to communicate with the outside world? (http like the > current biglumber? hkp? ldap?) Probably all three, in limited capacities. > A simple solution to all of this is to allow some modifications to > take place on keys without key owner approval: signature revocations > (only if the original signature exists on the key), key revocations > (anytime), and designated revocations (only from a designated > revoker). Note that 'sensitive' designated revocations come with > their own designated revoker status. Yes, that's the route I am going to take: revocations will trump everything else. However, the revoked sig will be more difficult to implement as we'll have to somehow store the revoked sig separate and then add it in if someone does a "remove-and-replace" update to their key without it. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200501021936 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFB2JPTvJuQZxSWSsgRAkJwAJ9nmRYJ8Z4HyQFaKpQuQJZuQLLo6wCfT4P1 Kct2KrEhI1jSuunhT0EuYJY= =azQB -----END PGP SIGNATURE----- From xwck at oreka.com Mon Jan 3 01:26:57 2005 From: xwck at oreka.com (Alain Bench) Date: Mon Jan 3 05:13:46 2005 Subject: current charset guessing Message-ID: <20050103002657.GA32265@oreka.com> Hello, I try to use GnuPG 1.4 on an old Linux libc5 without CODESET in nl_langinfo(). GnuPG defaults to iso-8859-1 whatever locale. As I use various locales, I'd need a way to guess current charset. Libiconv 1.9.2 can guess using libcharset:locale_charset(), when empty {from,to}code. But setting ??charset ""?? in gpg.conf still gives iso-8859-1. Is there a way to guess current charset when CODESET lacks? BTW looking at util/strgutil.c:set_native_charset(), there is a pair of wrong charset aliasing, at least when iconv is available: - On Win32 the name for Latin-1 is not CP1252, but CP28591. - Latin-9 is not Latin-1. Bye! Alain. -- When you want to reply to a mailing list, please avoid doing so from a digest. This often builds incorrect references and breaks threads. From greg at turnstep.com Mon Jan 3 03:20:28 2005 From: greg at turnstep.com (Greg Sabino Mullane) Date: Mon Jan 3 05:13:55 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: <20050101180012.GD21733@frogger.jeffnet> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > For those who've gotten this far, how many would or would not trust the WoT > (meaning beyond a friend/aquaintance, or beyond someone vouched for by a > friend/aquaintance) for transactions involving money or sensitive > information? I'm curious if I'm just to cynical or paranoid. I'd trust it to a point. It all depends on the context, and there are certainly usually other easier means of verification, but I'd be pretty sure that someone well integrated into the WoT is who they say they are. People certainly do transactions all the time with even less assurance that that. I do use the WoT regularly as far as verifying open-source software (and closed-source too in theory, although I have not come across any myself). Having someone with a key in the strong set and a Googleable history of key usage is a nice verification that the software you downloaded is what you think it is. Preventing a malware/trojan/virus/backdoor this way probably falls into the "sensitive information" category. - -- Greg Sabino Mullane greg@turnstep.com PGP Key: 0x14964AC8 200501022115 http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8 -----BEGIN PGP SIGNATURE----- iD8DBQFB2KwuvJuQZxSWSsgRAqISAJwM7+VeF4qbxEw6CgAuRNPe47WE/gCeOVkb yBrKsymAd7/Pl4dv4WWtmrI= =2sW2 -----END PGP SIGNATURE----- From jharris at widomaker.com Mon Jan 3 05:33:47 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Jan 3 05:30:16 2005 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20050102234450.GC28182@jabberwocky.com> References: <20041230175107.GF684@wilma.widomaker.com> <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> Message-ID: <20050103043347.GJ684@wilma.widomaker.com> On Sun, Jan 02, 2005 at 06:44:51PM -0500, David Shaw wrote: > On Sun, Jan 02, 2005 at 03:54:19PM -0500, Jason Harris wrote: > > Regardless of your particular semantics of "actively bridging keys," > > signatures from 0xCA57AD7C are showing up on the regular keyservers. > > I'm fairly sure you understand the difference between "active" and > "passive", and if not, it should be quite clear from the context. I'm > not going to explain it again. > > I'm happy to continue having this discussion, but if you would rather > play "neener neener neener" games, I'd just as soon pass. I'd rather > do something productive. No. Determining who (keyholders v. key users) copies keys from keyserver.pgp.com to the regular keyservers is not important to me. It was not clear to me that that's what you've meant, hopefully, all along. Likewise, if I haven't been sufficiently clear, I only care _that_ the GD signatures clutter my pks and SKS databases. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050102/7f253a15/attachment.bin From kordosky at hep.ucl.ac.uk Mon Jan 3 09:05:29 2005 From: kordosky at hep.ucl.ac.uk (Mike Kordosky) Date: Mon Jan 3 09:05:05 2005 Subject: problem using keys created with 1.2.1 with 1.0.6 Message-ID: Hi, I'm attempting to use a key generated with gpg 1.2.1 with the older 1.0.6. Upgrading the older version is not an option now, but it will be done at some point in the nearish future. More specifically, I'm trying to use the key with the PINE mail client via pinegpg. I create the keys on the 1.2.1 system using all the default options. I export my keys from the 1.2.1 system with: gpg --armor --export --output pub.asc gpg --armor --export-secret-key --output priv.asc I import the keys on the 1.0.6 system with: gpg --import pub.asc gpg --import --allow-secret-key-import priv.asc When trying to sign a message I see the output: gpg: Warning: using insecure memory! gpg: protection algorithm 254 is not supported gpg: no default secret key: unknown cipher algorithm gpg: [stdin]: clearsign failed: unknown cipher algorithm comparing the packets I find: 1.2.1: . . . skey[3]: [1024 bits] iter+salt S2K, algo: 3, SHA1 protection, hash: 2, salt: . . . 1.0.6: . . . skey[3]: [1024 bits] simple S2K, algo: 254, hash: 1 . . . Perhaps it's pertinent? I also get an error if I encrypt a file (with my public key) on the 1.0.6 system and then try to decrypt it: kordosky> gpg --decrypt junk.txt.gpg gpg: Warning: using insecure memory! gpg: protection algorithm 254 is not supported gpg: encrypted with 1024-bit ELG-E key, ID 1481FD78, created 2005-01-03 "Michael Kordosky " gpg: public key decryption failed: unknown cipher algorithm gpg: decryption failed: secret key not available gpg: [don't know]: invalid packet (ctb=29) I surmize that the error isn't associated with pinegpg or pine. Is this the sign of an unreconcilable incompatibility or is there something I can do? I could generate the keys on the 1.0.6 system, though I've been advised that this is somewhat of a no-no. Regards, Mike Kordosky -- kordosky@fnal.gov // High Energy Physics Lab ...................// University College London From teenieberry at worldnet.att.net Sun Jan 2 15:52:02 2005 From: teenieberry at worldnet.att.net (FRANK HUBENY) Date: Mon Jan 3 09:07:54 2005 Subject: gpg 1.40a renameing and loose of pubring.bak Message-ID: <005701c4f0da$ac62f640$d32d4e0c@administ0b8aee> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello; I am not a member of this group. I was advised to post my problem here. With "gpg 1.40a", I would get a renameing error. I also would loose my "pubring.bak". This happens anytime I remove a complete keypair, or assign a trust value to a public key in my keyring. It was verified for me by another user who gets the same error. I reverted back to "gpg 1.25", and these errors disapear. I am useing GPG on a Windows 2000 Pro service pack 4 installed PC. Useing both the command line, and GPGshell version "3.31". - - -- <>< <>< <>< Greetings From: Frank D. Hubeny GSWoT Assurer Palm Bay, Florida USA My Public Key: http://www.biglumber.com/x/web?pk=C0F3E7E59ED67E0CE9500A087577FCCD63E3F723 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) - GPGrelay v0.955 iD8DBQFB2AqwdXf8zWPj9yMRAihNAJ4k69/PYWDXd9ehjReF8jAqsVp3pACgmB/S lhk/pETVG7v0QFHqNmgz9F4= =TiNR -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Mon Jan 3 14:28:16 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 16:02:26 2005 Subject: problem using keys created with 1.2.1 with 1.0.6 In-Reply-To: References: Message-ID: <20050103132815.GE28182@jabberwocky.com> On Mon, Jan 03, 2005 at 08:05:29AM +0000, Mike Kordosky wrote: > Hi, > > I'm attempting to use a key generated with gpg 1.2.1 with the older 1.0.6. > Upgrading the older version is not an option now, but it will be done at > some point in the nearish future. [..] > Is this the sign of an unreconcilable incompatibility or is there > something I can do? I could generate the keys on the 1.0.6 system, though > I've been advised that this is somewhat of a no-no. The OpenPGP protection algorithm for secret keys changed after the 1.0.6 release. To import a later key into 1.0.6, edit the later key using the later gpg via 'gpg --simple-sk-checksum --edit (thekey)', change the passphrase via 'passwd' (you may even use the same passphrase if you like), then 'save'. The password change is simply to cause gpg to decrypt and reencrypt the key. The --simple-sk-checksum tells it to use the old format when it reencrypts. Now export the key and you can import it into 1.0.6. David From dshaw at jabberwocky.com Mon Jan 3 16:26:56 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 16:24:52 2005 Subject: Encrypting a file to multiple recipients In-Reply-To: <77B168ACB35B1C4CA3A4CF5A4C67D3C70A1CDD85@zbr05exm02.jag.br.mot.com> References: <77B168ACB35B1C4CA3A4CF5A4C67D3C70A1CDD85@zbr05exm02.jag.br.mot.com> Message-ID: <20050103152656.GH28182@jabberwocky.com> On Thu, Dec 30, 2004 at 02:26:38PM -0200, Mazzer Cassio-ACM125 wrote: > Hi, > > I'm trying to encrypt a file using a list of recipients. > > For instance, I have a file called test.txt and I want to encrypt this file to send to multiple recipients (recipient_01 and recipient_02). > > I'm using the following command line (I have tested and it works): > > gpg --yes -r "recipient_01" -r "recipient_02" -e test.txt -o test_encrypted.txt.gpg. > > This command works fine. > > However, I'd like to know if I really have to repeat the "-r" before each recipient or if there is a way of executing this command typing something like > gpg --yes -r--list-recipients "recipient_01" "recipient_02" -e test.txt You need to put a '-r' before every recipient. However, if you frequently use the same list of recipients, you can stick something like this into your gpg.conf file: group my_list_of_people = recipient_01 recipient_02 Then you can use '-r my_list_of_people' and get both recipients in one shot. David From dshaw at jabberwocky.com Mon Jan 3 16:42:17 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 16:39:14 2005 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20050103043347.GJ684@wilma.widomaker.com> References: <20041229153400.GJ30683@jabberwocky.com> <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> Message-ID: <20050103154217.GI28182@jabberwocky.com> On Sun, Jan 02, 2005 at 11:33:47PM -0500, Jason Harris wrote: > On Sun, Jan 02, 2005 at 06:44:51PM -0500, David Shaw wrote: > > On Sun, Jan 02, 2005 at 03:54:19PM -0500, Jason Harris wrote: > > > > Regardless of your particular semantics of "actively bridging keys," > > > signatures from 0xCA57AD7C are showing up on the regular keyservers. > > > > I'm fairly sure you understand the difference between "active" and > > "passive", and if not, it should be quite clear from the context. I'm > > not going to explain it again. > > > > I'm happy to continue having this discussion, but if you would rather > > play "neener neener neener" games, I'd just as soon pass. I'd rather > > do something productive. > > No. Determining who (keyholders v. key users) copies keys from > keyserver.pgp.com to the regular keyservers is not important to me. > It was not clear to me that that's what you've meant, hopefully, > all along. Likewise, if I haven't been sufficiently clear, I only > care _that_ the GD signatures clutter my pks and SKS databases. Lovely. Moving on then, do you see this as something you can resolve in your keyserver? I've made the change in GnuPG to not import or export expired signatures by default. This is a limited fix, of course, due to the overlap between an old GD sig expiring and a new GD sig being issued. It strikes me that if the goal is to keep the keyservers clean, then the keyservers need to take action. There is only so much that clients can do here. Incidentally, my concern is slightly larger than what you state above. It is interesting to me *who* copies keys, but also to *what extent* the keys are copied. If the key owner copied the key, we can perhaps assume they meant to do it; it's their key. If a key recipient did it, we cannot make this assumption. Given current keyservers, we can't tell the difference so the point is academic, but no matter who does the copying, a few signatures aren't going to wreak havoc (you mentioned you had seen extra signatures showing up on only 120 keys thus far), but a large number of copied keys start looking messy. David From cedar at 3web.net Mon Jan 3 02:57:45 2005 From: cedar at 3web.net (C. D. Rok) Date: Mon Jan 3 19:00:58 2005 Subject: signing a robot's key In-Reply-To: <20050101145203.GD22611@jabberwocky.com> References: <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> <20050101145203.GD22611@jabberwocky.com> Message-ID: <41D8A699.9060502@3web.net> David Shaw wrote: > This is a general problem with signing any key that does not have a > direct mapping to a human being. Isn't it absurd - under any cicumstances - to invite non-humans into the WOT? cdRok From dshaw at jabberwocky.com Mon Jan 3 19:14:47 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Mon Jan 3 19:13:41 2005 Subject: signing a robot's key In-Reply-To: <41D8A699.9060502@3web.net> References: <20041230000801.N31825@willy.wonka> <41D45C00.6030204@toehold.com> <20041230202915.34191.qmail@suspicious.org> <41D46857.7050905@toehold.com> <20041230210032.GG12645@jabberwocky.com> <20041230213657.GB14687@frogger.jeffnet> <20041231031712.GJ12645@jabberwocky.com> <20050101120359.GA21733@frogger.jeffnet> <20050101145203.GD22611@jabberwocky.com> <41D8A699.9060502@3web.net> Message-ID: <20050103181447.GK28182@jabberwocky.com> On Mon, Jan 03, 2005 at 01:57:45AM +0000, C. D. Rok wrote: > David Shaw wrote: > > >This is a general problem with signing any key that does not have a > >direct mapping to a human being. > > Isn't it absurd - under any cicumstances - to invite non-humans into > the WOT? A key that does not have a direct mapping to a human being could be something like 'postmaster'. There are humans somewhere there, just not a direct mapping to one of them. Even so, there are non-humans in the WoT right now, and have been for quite a while. Even back as far as 1994, there was the SLED signing service. David From johanw at vulcan.xs4all.nl Mon Jan 3 19:56:49 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jan 3 20:37:33 2005 Subject: signing a robot's key In-Reply-To: <41D8A699.9060502@3web.net> from "C. D. Rok" at "Jan 3, 2005 01:57:45 am" Message-ID: <200501031856.TAA15038@vulcan.xs4all.nl> C. D. Rok wrote: >> This is a general problem with signing any key that does not have a >> direct mapping to a human being. >Isn't it absurd - under any cicumstances - to invite non-humans into >the WOT? I have no problems with intelligent aliens in the WOT if we meet them. Unless, of course, they have methods of breaking RSA and DH. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From jdbeyer at exit109.com Mon Jan 3 15:11:15 2005 From: jdbeyer at exit109.com (Jean-David Beyer) Date: Mon Jan 3 21:45:31 2005 Subject: signing a robot's key - was: Re: Global Directory signatures In-Reply-To: References: <200412291854.TAA00416@vulcan.xs4all.nl> <200501011331.38747.linux@codehelp.co.uk> <200501011722.36419.linux@codehelp.co.uk> Message-ID: <41D95283.3050908@exit109.com> Mark H. Wood wrote (in part): > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Sat, 1 Jan 2005, Neil Williams wrote: > >>On Saturday 01 January 2005 4:40 pm, Mark H. Wood wrote: >> >>>So, looking up PGP Corporation in the phone book, calling their corporate >>>headquarters, and verifying the fingerprint with a person wouldn't help? >> >>1. You are still trusting an unknown person you've never met to give you the >>right information, just on the basis of their employer. > > > How is this different from trusting an unknown person I've never met > (before) on the basis of his being able to produce a couple of cards which > have his likeness (more or less) and the name he gave me? One reason I > haven't been to any keysigning parties is that I wouldn't trust my ability > to verify someone's identity. > > An artificial person is a lot easier to check out than a natural person. > Have *you* been eyeballed by SEC, D&B, the states of California and > (probably) Delaware, and a host of commercial banks? I haven't. Having > established that PGP is likely on the up and up, how likely is it that > they wouldn't take reasonable care with the security of one of their > services' keys, given that their entire income stream is based on a > reputation for reasonable security? > I was eyeballed by the FBI when I became a U.S.Citizen, and again when I needed a SECRET security clearance with the U.S.Navy's Bureau of Weapons (I think it was called). But you know, that may not prove anything either. Because what is my primary document that proves I am me? And who is ME anyway? To establish my identity to the INS, I provided a notarized slip of paper from my grade school giving my name and date of birth. And my grade school and high school diploma. I do not remember if I had my college degree in hand yet (though I had earned it). But the board of education got that date from my father who told them. He had no documents to prove it (my birth certificate was destroyed in WW-II by the Nazis). So, if I were a hyperskeptic, I could not be sure the guy I grew up with is really my father, nor could I really know my exact age. But the Bureau of Weapons was satisfied that I (or whoever they thought they investigated) would not betray their secrets. And how did I get access to their secrets? I went to where the secrets were kept, told my name to the person at the desk at the front door, where guards with submachine guns were standing around, and they asked where my clearance was. I told them Johnsville, MD., they telephoned someone, and I walked in. They did not even check my driver's license (no photo id in those days) to see if I were who I said I was. -- .~. Jean-David Beyer Registered Linux User 85642. /V\ PGP-Key: 9A2FC99A Registered Machine 241939. /( )\ Shrewsbury, New Jersey http://counter.li.org ^^-^^ 08:55:00 up 2 days, 22:14, 3 users, load average: 4.26, 4.24, 4.19 From chd at chud.net Tue Jan 4 00:58:07 2005 From: chd at chud.net (Chris De Young) Date: Tue Jan 4 00:54:30 2005 Subject: Compression when encrypting the output of tar? Message-ID: <41D9DC0F.7000208@chud.net> Am I correct in thinking that tar already compresses data and that I am better off using "--compress 0" when using GPG to encrypt the output of tar on the fly? (I'm using: $ tar -cvf - /dir | gpg --symmetric --cipher-algo AES256 --output encrypted-tarfile.gpg ) Thanks! -C -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050103/43e89899/signature.bin From rlaager at wiktel.com Tue Jan 4 01:12:43 2005 From: rlaager at wiktel.com (Richard Laager) Date: Tue Jan 4 01:09:14 2005 Subject: Compression when encrypting the output of tar? In-Reply-To: <41D9DC0F.7000208@chud.net> References: <41D9DC0F.7000208@chud.net> Message-ID: <1104797564.3869.20.camel@localhost> On Mon, 2005-01-03 at 16:58 -0700, Chris De Young wrote: > Am I correct in thinking that tar already compresses data and that I am > better off using "--compress 0" when using GPG to encrypt the output of tar > on the fly? No. Tar does not compress data by default. You have to either pipe the output through a compression program or use the -z or -j flag which asks tar to pipe the output through gzip or bzip2, respectively. Richard -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20050103/ed5634a3/attachment-0001.bin From patrick.brunschwig at gmx.net Sun Jan 2 15:40:03 2005 From: patrick.brunschwig at gmx.net (Patrick) Date: Tue Jan 4 04:02:47 2005 Subject: Issues with adding UID's Message-ID: <41D807C3.5000109@gmx.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have found two issues related to adding UID's: 1. If I have a key with no UID explicitly set as primary UID, then adding a UID will set the new one as 1st UID. I would have expected the original 1st UID to stay at position 1. 2. Following scenario: I have 2 computers, both using the same secret key. Now, I add a UID on the 1st computer. I export the new key (both secret and public key) and import both at the second computer. The new UID appears correctly on the 2nd PC, but when I use "gpg --edit-key ... toggle", the new UID is not visible. Furthermore, I cannot use "gpg -u ". I have done some testing, and found that the new UID is only "fully" available if I first delete the secret and public key from my keyring and then import the updated key. I think both issues are bugs, or do I miss something? - -Patrick -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB2Ae+2KgHx8zsInsRAn7/AJ9L/P95ELDJ8Ti1N5m83qcHrhPhqwCgpyzC 6cjB0stCiDvNUkuHKO8UqwA= =2kSU -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Tue Jan 4 04:36:24 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 4 04:33:34 2005 Subject: Issues with adding UID's In-Reply-To: <41D807C3.5000109@gmx.net> References: <41D807C3.5000109@gmx.net> Message-ID: <20050104033624.GN28182@jabberwocky.com> On Sun, Jan 02, 2005 at 03:40:03PM +0100, Patrick wrote: > I have found two issues related to adding UID's: > > 1. If I have a key with no UID explicitly set as primary UID, then > adding a UID will set the new one as 1st UID. I would have expected the > original 1st UID to stay at position 1. This is intentional. If no UID is explicitly set as primary, then GnuPG uses the most recent UID as the primary. The reason is that if someone (for example) gets a new email address, the new UID *should* be the primary one. It's certainly possible to come up with an argument why the old UID should be primary, just as there is an argument why the new UID should be primary. The solution is to remove the ambiguity, and set the primary UID flag when you want a particular UID to be primary. > 2. Following scenario: I have 2 computers, both using the same > secret key. Now, I add a UID on the 1st computer. I export the new > key (both secret and public key) and import both at the second > computer. The new UID appears correctly on the 2nd PC, but when I > use "gpg --edit-key ... toggle", the new UID is not > visible. Furthermore, I cannot use "gpg -u ". I have done > some testing, and found that the new UID is only "fully" available > if I first delete the secret and public key from my keyring and then > import the updated key. Just the secret key. GnuPG doesn't do merging of secret keys, so you can't export it one place and merge it into another without deleting the target first. David From esr at snark.thyrsus.com Mon Jan 3 17:50:00 2005 From: esr at snark.thyrsus.com (Eric S. Raymond) Date: Tue Jan 4 09:00:11 2005 Subject: Problems attemoting to use GPG with a USB watch Message-ID: <200501031650.j03Go0PF028817@snark.thyrsus.com> I got a DiskGO USB watch for Christmas. I put it on my wishlist with the goal of moving my GPG keyring onto it, using GNUPGHOME to direct gpg to look there. The idea, of course, is to avoid having clear copies of my secret key live on computers that might be breached while I'm not around. I'm using Fedora Core 3, which automounts the watch as a USB storage device accessible through the SCSI layer. It gets mouunted as /media/usbdisk. I My keyring lives in a directory on the watch named gpg (without leading period). Thuism, when the watch is mounted, the keyring is accessible as /media/usbdisk/gpg. The last line of this listing shows that the watch is mounted as a SCSI filesystem: esr@snark:~/svn/gpsd/trunk$ df Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda2 15583200 8321808 6469792 57% / /dev/sda1 101086 16596 79271 18% /boot none 517036 0 517036 0% /dev/shm /dev/sdb5 17639188 14717996 2025172 88% /home minx:/home 25964096 15494624 9150560 63% /nfs/minx/home minx:/usr/local 25964096 15494624 9150560 63% /nfs/minx/local grelber:/home 115377664 85171136 24345632 78% /nfs/grelber/home grelber:/usr/local 37848096 7250720 28674784 21% /nfs/grelber/local /dev/sdc1 127456 318 127138 1% /media/usbdisk This listing shows that the files are accessible and permissions are correct: /media/usbdisk: total 2 drwx------ 2 esr esr 2048 Jan 3 11:28 gpg /media/usbdisk/gpg: total 316 -rwxr-xr-x 1 esr esr 18 Mar 12 1999 pgp.cfg -rwxr-xr-x 1 esr esr 157532 Mar 1 2000 pubring.bak -rwxr-xr-x 1 esr esr 157532 Mar 7 2000 pubring.pkr -rwxr-xr-x 1 esr esr 512 Mar 7 2000 randseed.bin -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.bak -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.skr I then put GNUPGHOME=/media/usbdisk/gpg; export GNUPGHOME in my .bash_profile. Unfortunately, this seems not to work. Here are the messages I get when trying to use the keyring on the watch: gpg: lock not made: link() failed: Operation not permitted gpg: can't lock `/media/usbdisk/gpg/secring.gpg' gpg: DBG: oops, `/media/usbdisk/gpg/secring.gpg.lock' is not locked gpg: keyblock resource `/media/usbdisk/gpg/secring.gpg': general error gpg: lock not made: link() failed: Operation not permitted gpg: can't lock `/media/usbdisk/gpg/pubring.gpg' gpg: DBG: oops, `/media/usbdisk/gpg/pubring.gpg.lock' is not locked gpg: keyblock resource `/media/usbdisk/gpg/pubring.gpg': general error gpg: encrypted with ELG-E key, ID 5E995ED4 gpg: decryption failed: secret key not available Any suggestions? -- Eric S. Raymond Let us hope our weapons are never needed --but do not forget what the common people knew when they demanded the Bill of Rights: An armed citizenry is the first defense, the best defense, and the final defense against tyranny. If guns are outlawed, only the government will have guns. Only the police, the secret police, the military, the hired servants of our rulers. Only the government -- and a few outlaws. I intend to be among the outlaws. -- Edward Abbey, "Abbey's Road", 1979 From kabads at gmail.com Tue Jan 4 09:20:13 2005 From: kabads at gmail.com (Adam Cripps) Date: Tue Jan 4 09:17:38 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <200501031650.j03Go0PF028817@snark.thyrsus.com> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> Message-ID: On Mon, 3 Jan 2005 11:50:00 -0500, Eric S. Raymond wrote: > I got a DiskGO USB watch for Christmas. I put it on my wishlist > with the goal of moving my GPG keyring onto it, using GNUPGHOME > to direct gpg to look there. The idea, of course, is to avoid having > clear copies of my secret key live on computers that might be breached > while I'm not around. > > I'm using Fedora Core 3, which automounts the watch as a USB storage > device accessible through the SCSI layer. It gets mouunted as > /media/usbdisk. I My keyring lives in a directory on the watch > named gpg (without leading period). Thuism, when the watch is > mounted, the keyring is accessible as /media/usbdisk/gpg. > > The last line of this listing shows that the watch is mounted as a > SCSI filesystem: > > esr@snark:~/svn/gpsd/trunk$ df > Filesystem 1K-blocks Used Available Use% Mounted on > /dev/sda2 15583200 8321808 6469792 57% / > /dev/sda1 101086 16596 79271 18% /boot > none 517036 0 517036 0% /dev/shm > /dev/sdb5 17639188 14717996 2025172 88% /home > minx:/home 25964096 15494624 9150560 63% /nfs/minx/home > minx:/usr/local 25964096 15494624 9150560 63% /nfs/minx/local > grelber:/home 115377664 85171136 24345632 78% /nfs/grelber/home > grelber:/usr/local 37848096 7250720 28674784 21% /nfs/grelber/local > /dev/sdc1 127456 318 127138 1% /media/usbdisk > > This listing shows that the files are accessible and permissions > are correct: > > /media/usbdisk: > total 2 > drwx------ 2 esr esr 2048 Jan 3 11:28 gpg > > /media/usbdisk/gpg: > total 316 > -rwxr-xr-x 1 esr esr 18 Mar 12 1999 pgp.cfg > -rwxr-xr-x 1 esr esr 157532 Mar 1 2000 pubring.bak > -rwxr-xr-x 1 esr esr 157532 Mar 7 2000 pubring.pkr > -rwxr-xr-x 1 esr esr 512 Mar 7 2000 randseed.bin > -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.bak > -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.skr > > I then put GNUPGHOME=/media/usbdisk/gpg; export GNUPGHOME in > my .bash_profile. > > Unfortunately, this seems not to work. Here are the messages I > get when trying to use the keyring on the watch: > > gpg: lock not made: link() failed: Operation not permitted > gpg: can't lock `/media/usbdisk/gpg/secring.gpg' > gpg: DBG: oops, `/media/usbdisk/gpg/secring.gpg.lock' is not locked > gpg: keyblock resource `/media/usbdisk/gpg/secring.gpg': general error > gpg: lock not made: link() failed: Operation not permitted > gpg: can't lock `/media/usbdisk/gpg/pubring.gpg' > gpg: DBG: oops, `/media/usbdisk/gpg/pubring.gpg.lock' is not locked > gpg: keyblock resource `/media/usbdisk/gpg/pubring.gpg': general error > gpg: encrypted with ELG-E key, ID 5E995ED4 > gpg: decryption failed: secret key not available > > Any suggestions? > -- > Eric S. Raymond > > Let us hope our weapons are never needed --but do not forget what > the common people knew when they demanded the Bill of Rights: An > armed citizenry is the first defense, the best defense, and the > final defense against tyranny. > If guns are outlawed, only the government will have guns. Only > the police, the secret police, the military, the hired servants of > our rulers. Only the government -- and a few outlaws. I intend to > be among the outlaws. > -- Edward Abbey, "Abbey's Road", 1979 > Eric, instead of setting $GNUPGHOME, have you tried just setting 'secret keyring /path/to/secring.gpg' in your gpg.conf file? I did this the other day (with a similar present) and it works fine for me. Adam -- http://www.monkeez.org GPG key: 7111B833 From kabads at gmail.com Tue Jan 4 09:24:27 2005 From: kabads at gmail.com (Adam Cripps) Date: Tue Jan 4 09:21:26 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: References: <200501031650.j03Go0PF028817@snark.thyrsus.com> Message-ID: On Tue, 4 Jan 2005 08:20:13 +0000, Adam Cripps wrote: > On Mon, 3 Jan 2005 11:50:00 -0500, Eric S. Raymond > wrote: > > I got a DiskGO USB watch for Christmas. I put it on my wishlist > > with the goal of moving my GPG keyring onto it, using GNUPGHOME > > to direct gpg to look there. The idea, of course, is to avoid having > > clear copies of my secret key live on computers that might be breached > > while I'm not around. > > > > I'm using Fedora Core 3, which automounts the watch as a USB storage > > device accessible through the SCSI layer. It gets mouunted as > > /media/usbdisk. I My keyring lives in a directory on the watch > > named gpg (without leading period). Thuism, when the watch is > > mounted, the keyring is accessible as /media/usbdisk/gpg. > > > > The last line of this listing shows that the watch is mounted as a > > SCSI filesystem: > > > > esr@snark:~/svn/gpsd/trunk$ df > > Filesystem 1K-blocks Used Available Use% Mounted on > > /dev/sda2 15583200 8321808 6469792 57% / > > /dev/sda1 101086 16596 79271 18% /boot > > none 517036 0 517036 0% /dev/shm > > /dev/sdb5 17639188 14717996 2025172 88% /home > > minx:/home 25964096 15494624 9150560 63% /nfs/minx/home > > minx:/usr/local 25964096 15494624 9150560 63% /nfs/minx/local > > grelber:/home 115377664 85171136 24345632 78% /nfs/grelber/home > > grelber:/usr/local 37848096 7250720 28674784 21% /nfs/grelber/local > > /dev/sdc1 127456 318 127138 1% /media/usbdisk > > > > This listing shows that the files are accessible and permissions > > are correct: > > > > /media/usbdisk: > > total 2 > > drwx------ 2 esr esr 2048 Jan 3 11:28 gpg > > > > /media/usbdisk/gpg: > > total 316 > > -rwxr-xr-x 1 esr esr 18 Mar 12 1999 pgp.cfg > > -rwxr-xr-x 1 esr esr 157532 Mar 1 2000 pubring.bak > > -rwxr-xr-x 1 esr esr 157532 Mar 7 2000 pubring.pkr > > -rwxr-xr-x 1 esr esr 512 Mar 7 2000 randseed.bin > > -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.bak > > -rwxr-xr-x 1 esr esr 1769 Jan 14 2000 secring.skr > > > > I then put GNUPGHOME=/media/usbdisk/gpg; export GNUPGHOME in > > my .bash_profile. > > > > Unfortunately, this seems not to work. Here are the messages I > > get when trying to use the keyring on the watch: > > > > gpg: lock not made: link() failed: Operation not permitted > > gpg: can't lock `/media/usbdisk/gpg/secring.gpg' > > gpg: DBG: oops, `/media/usbdisk/gpg/secring.gpg.lock' is not locked > > gpg: keyblock resource `/media/usbdisk/gpg/secring.gpg': general error > > gpg: lock not made: link() failed: Operation not permitted > > gpg: can't lock `/media/usbdisk/gpg/pubring.gpg' > > gpg: DBG: oops, `/media/usbdisk/gpg/pubring.gpg.lock' is not locked > > gpg: keyblock resource `/media/usbdisk/gpg/pubring.gpg': general error > > gpg: encrypted with ELG-E key, ID 5E995ED4 > > gpg: decryption failed: secret key not available > > > > Any suggestions? > > -- > > Eric S. Raymond > > > > Let us hope our weapons are never needed --but do not forget what > > the common people knew when they demanded the Bill of Rights: An > > armed citizenry is the first defense, the best defense, and the > > final defense against tyranny. > > If guns are outlawed, only the government will have guns. Only > > the police, the secret police, the military, the hired servants of > > our rulers. Only the government -- and a few outlaws. I intend to > > be among the outlaws. > > -- Edward Abbey, "Abbey's Road", 1979 > > > > Eric, > > instead of setting $GNUPGHOME, have you tried just setting > > 'secret keyring /path/to/secring.gpg' > > in your gpg.conf file? I did this the other day (with a similar > present) and it works fine for me. > Hehe -- it's too early here - that should read 'secret-keyring /path/to/secring.gpg' (added missing hyphen). Adam -- http://www.monkeez.org GPG key: 7111B833 From dgc at uchicago.edu Tue Jan 4 09:48:45 2005 From: dgc at uchicago.edu (David Champion) Date: Tue Jan 4 09:45:21 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <200501031650.j03Go0PF028817@snark.thyrsus.com> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> Message-ID: <20050104084845.GQ9233@monkey.uchicago.edu> * On 2005.01.03, in <200501031650.j03Go0PF028817@snark.thyrsus.com>, * "Eric S. Raymond" wrote: > Unfortunately, this seems not to work. Here are the messages I > get when trying to use the keyring on the watch: > > gpg: lock not made: link() failed: Operation not permitted > gpg: can't lock `/media/usbdisk/gpg/secring.gpg' > gpg: DBG: oops, `/media/usbdisk/gpg/secring.gpg.lock' is not locked > gpg: keyblock resource `/media/usbdisk/gpg/secring.gpg': general error > gpg: lock not made: link() failed: Operation not permitted > gpg: can't lock `/media/usbdisk/gpg/pubring.gpg' > gpg: DBG: oops, `/media/usbdisk/gpg/pubring.gpg.lock' is not locked > gpg: keyblock resource `/media/usbdisk/gpg/pubring.gpg': general error > gpg: encrypted with ELG-E key, ID 5E995ED4 > gpg: decryption failed: secret key not available Is the USB device formatted with a FAT/VFAT filesystem? (It looks like it is, and that's the default with all NVRAM USB storage devices I've seen.) You might try adding --lock-never --no-permission-warning to the command line (or lock-never and no-permission-warning to $GNUPGHOME/options). I have a somewhat more complicated variation of this on my USB keychain, and it works; but without this I see errors similar to yours. -- -D. dgc@uchicago.edu NSIT::ENSS "There are things in this country that the market will not provide .... things that are not profitable, but that still serve a value. The most important thing that we can do is to treat Americans as citizens, not just consumers." -- Bill Moyers From dgc at uchicago.edu Tue Jan 4 10:47:07 2005 From: dgc at uchicago.edu (David Champion) Date: Tue Jan 4 10:43:35 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <20050104084747.GA11474@thyrsus.com> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> <20050104084845.GQ9233@monkey.uchicago.edu> <20050104084747.GA11474@thyrsus.com> Message-ID: <20050104094707.GR9233@monkey.uchicago.edu> * On 2005.01.04, in <20050104084747.GA11474@thyrsus.com>, * "Eric S. Raymond" wrote: > > The hack Adam Cripps mentioned to locate the secret key only on the > device using the conf file seems simpler. Agreed, if it's a real solution. I'm not sure I've ever tried that, particularly, so I can't say. I just went directly for the "stop the trigger" approach. > Just out of curiosity...could the device be reformatted with mkfs? If > so, is there any good reason not to make it into a normal ext3 volume? You can. Whether there's a good reason [not] to do so is relative, of course. When I first got a USB keychain I tried reformatting to ext2, but now I keep it as FAT32 so that I can use the same keyring on any of my operating systems[1] and with very minimal runtimes[2]. If you're happily using only systems that speak ext3, then there's probably no particular reason not to use ext3 on the USB drive -- but for the little value that it gains you to do so, I'm not sure it makes sense to emplace that restriction if it's not already there. I haven't found that using a filesystem more "natural" to the host OS makes usage any more or less convenient. My USB drive has statically-linked gpg executables for several platforms on it, and multiple keyrings. (That's where "somewhat more complicated" comes in; there's a shell script driver that accumulates options and backends and such.) One goal of this arrangement is that I can perform certain tasks on marginally-trusted systems outside my governance. Using a broadly-available filesystem helps assure that remains an option, so that I can consider whether it's wise independently of whether it's possible. :) This is perhaps somewhat off-topic, but it explains where my value system comes from. [1] Mainly MacOS and a couple of BSDs; but also sundry experimental platforms, and Windows and Linux when I must. [2] For example, booted from floppy or mini-CD. -- -D. dgc@uchicago.edu NSIT::ENSS "There are things in this country that the market will not provide .... things that are not profitable, but that still serve a value. The most important thing that we can do is to treat Americans as citizens, not just consumers." -- Bill Moyers From esr at thyrsus.com Tue Jan 4 09:35:07 2005 From: esr at thyrsus.com (Eric S. Raymond) Date: Tue Jan 4 12:53:32 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: References: <200501031650.j03Go0PF028817@snark.thyrsus.com> Message-ID: <20050104083507.GC11374@thyrsus.com> Adam Cripps : > > instead of setting $GNUPGHOME, have you tried just setting > > > > 'secret keyring /path/to/secring.gpg' > > > > in your gpg.conf file? I did this the other day (with a similar > > present) and it works fine for me. > > > > Hehe -- it's too early here - that should read > > 'secret-keyring /path/to/secring.gpg' Thanks, I'll try that. It would still be nice to know why the locking thing didn't work, though. -- Eric S. Raymond From esr at thyrsus.com Tue Jan 4 09:47:47 2005 From: esr at thyrsus.com (Eric S. Raymond) Date: Tue Jan 4 12:53:35 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <20050104084845.GQ9233@monkey.uchicago.edu> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> <20050104084845.GQ9233@monkey.uchicago.edu> Message-ID: <20050104084747.GA11474@thyrsus.com> David Champion : > Is the USB device formatted with a FAT/VFAT filesystem? (It looks like > it is, and that's the default with all NVRAM USB storage devices I've > seen.) I don't know for sure, but it seems not unlikely. > You might try adding --lock-never --no-permission-warning to the command > line (or lock-never and no-permission-warning to $GNUPGHOME/options). I > have a somewhat more complicated variation of this on my USB keychain, > and it works; but without this I see errors similar to yours. The hack Adam Cripps mentioned to locate the secret key only on the device using the conf file seems simpler. Just out of curiosity...could the device be reformatted with mkfs? If so, is there any good reason not to make it into a normal ext3 volume? -- Eric S. Raymond From chsv at mncp.net Tue Jan 4 16:18:48 2005 From: chsv at mncp.net (Stanislav Chernyshev) Date: Tue Jan 4 16:16:47 2005 Subject: GnuPG and LDAP keyserver Message-ID: <41DAB3D8.9090709@mncp.net> Hi all users of GnuPG. This is my second question about gnupg and enigmail and LDAP keyserver. When I wish search public key on my corporate PGP keyserver ( Version 7.0 for Windows NT/2000 and UNIX Copyright (c) 1998-2000 by Networks Associates technology, Inc., and its Affiliated Companies) I see: --------------------begin cut--------------------------------------- C:\gnupg>gpg --keyserver ldap://ws2195.mncp.net --search-key chsv gpg: searching for "chsv" from ldap server ws2195.mncp.net (1) Stanislav Chernyshev 2048 bit DSA key D2031C82, created: 2005-01-04 Keys 1-1 of 1 for "chsv". Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key D2031C82 from ldap server ws2195.mncp.net gpg: no valid OpenPGP data found. gpg: Total number processed: 0 ------------- end cut ------------------------------------------------ The key created with GNUPG v. 1.4.0 but PGP keyserver change header on my public key from -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.0 (MingW32) to -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPsdk 2.0.1 Copyright (C) 2000 Networks Associates Technology, Inc. All rights reserved. When, I wrote this letter on mailing-list "enigmail@mozdev.org", to me have answered ------------ begin cut------------------------ I can only imagine that the keyserver you're using is not fully OpenPGP compliant. For more details, you better ask the GnuPG users list ; there are several experts on key servers subscribed to that list. ------------ end cut ------------------------- What can I do or where is find fully OpenPGP complaint keyserver? What is this " no valid OpenPGP data found"? Best regards Stanislav Chernyshev. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.6.8 - Release Date: 03.01.2005 From dshaw at jabberwocky.com Tue Jan 4 17:05:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 4 17:02:46 2005 Subject: GnuPG and LDAP keyserver In-Reply-To: <41DAB3D8.9090709@mncp.net> References: <41DAB3D8.9090709@mncp.net> Message-ID: <20050104160525.GA20047@jabberwocky.com> On Tue, Jan 04, 2005 at 05:18:48PM +0200, Stanislav Chernyshev wrote: > Hi all users of GnuPG. > This is my second question about gnupg and enigmail and LDAP keyserver. > When I wish search public key on my corporate PGP keyserver ( Version > 7.0 for Windows NT/2000 and UNIX Copyright (c) 1998-2000 by Networks > Associates technology, Inc., and its Affiliated Companies) > > I see: > --------------------begin cut--------------------------------------- > C:\gnupg>gpg --keyserver ldap://ws2195.mncp.net --search-key chsv > gpg: searching for "chsv" from ldap server ws2195.mncp.net > (1) Stanislav Chernyshev > 2048 bit DSA key D2031C82, created: 2005-01-04 > Keys 1-1 of 1 for "chsv". Enter number(s), N)ext, or Q)uit > 1 > gpg: requesting key D2031C82 from ldap server ws2195.mncp.net > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > ------------- end cut ------------------------------------------------ This is a strange response. Can you add: --debug 1024 --keyserver-options keep-temp-files to your command line and then send me the "tempin.txt" and "tempout.txt" files? They will end up in wherever your temp directory is. Look for the log line beginning "args expanded to" for the whole path. David From dshaw at jabberwocky.com Tue Jan 4 17:40:21 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 4 17:37:28 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <20050104083507.GC11374@thyrsus.com> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> <20050104083507.GC11374@thyrsus.com> Message-ID: <20050104164021.GB20047@jabberwocky.com> On Tue, Jan 04, 2005 at 03:35:07AM -0500, Eric S. Raymond wrote: > Adam Cripps : > > > instead of setting $GNUPGHOME, have you tried just setting > > > > > > 'secret keyring /path/to/secring.gpg' > > > > > > in your gpg.conf file? I did this the other day (with a similar > > > present) and it works fine for me. > > > > > > > Hehe -- it's too early here - that should read > > > > 'secret-keyring /path/to/secring.gpg' > > Thanks, I'll try that. It would still be nice to know why the locking > thing didn't work, though. I don't think this will work without further effort (or at least, I'd be rather surprised if it did). Perhaps Adam's secring.gpg is read-only. The reason why the locking didn't work is that your watch is formatted as a VFAT filesystem, as David Champion guessed. GnuPG uses link() as part of its file locking scheme, and VFAT doesn't support links. You have a number of options, one is to use --lock-never as David Champion suggested; you will of course have to take care not to run two instances of gpg at the same time. The other option is to make the secret keyring read-only. Read-only files have no need for locks, and thus are ignored by the locking code. Of course, read-only files are read-only, so that may not be useful to you if you want to actually manipulate your keyring on the watch frequently. Or you could reformat your watch as ext2 or 3 (or really, anything that supports hard links). David From dgc at uchicago.edu Tue Jan 4 19:52:41 2005 From: dgc at uchicago.edu (David Champion) Date: Tue Jan 4 19:53:40 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <20050104161648.GA7114@thyrsus.com> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> <20050104084845.GQ9233@monkey.uchicago.edu> <20050104084747.GA11474@thyrsus.com> <20050104094707.GR9233@monkey.uchicago.edu> <20050104161648.GA7114@thyrsus.com> Message-ID: <20050104185241.GS9233@monkey.uchicago.edu> * On 2005.01.04, in <20050104161648.GA7114@thyrsus.com>, * "Eric S. Raymond" wrote: > Is it possible to use USB mass storage as a boot device? If so, it seems > to me that putting some kind of BusyBox-based microdistribution on it > could serve the same purpose. I believe it's possible on PCs, depending on the BIOS on the platform in question. Not all machines support it, including all machines that aren't PCs. :) -- -D. dgc@uchicago.edu NSIT::ENSS "There are things in this country that the market will not provide .... things that are not profitable, but that still serve a value. The most important thing that we can do is to treat Americans as citizens, not just consumers." -- Bill Moyers From acormany at yahoo.com Tue Jan 4 15:55:50 2005 From: acormany at yahoo.com (Adam Cormany) Date: Tue Jan 4 21:27:44 2005 Subject: New to GPG Message-ID: <20050104145550.64423.qmail@web12822.mail.yahoo.com> I've installed GPG 1.2.1 onto AIX 4.3.3. I also have GPG 1.4.0 installed on a Windows NT 4.0 workstation. My goal is to encrypt a file on the AIX box and decrypt the file on the Windows box. I would prefer to not have to enter the passphrase on the Windows box if possible to try to automate the process of decryption. I have done the following: On AIX: 1) Installed GPG 2) gpg --gen-key, created my key-pair with 1024 bit DSA and ElGamal, with a passphrase. 3) gpg --output key.out --export 4) Created an ASCII test file named "testfile" 5) gpg --recipient "Adam Cormany" --output test.out --sign --armor --yes --no-version --comment "Created by Adam on `date`" --encrypt testfile 6) FTP'd key.out (in binary) and test.out (in ASCII) to Windows box. On Windows: 1) Installed GPG 2) gpg --import key.out (imported successfully) 3) gpg --edit-key "Adam Cormany", trust, 5, y, quit 4) gpg --output testd.out --decrypt test.out I receive the following error when doing step 4: gpg: decryption failed: secret key not available Could someone please tell me what step I'm missing or if I'm incorrectly trying to encrypt from AIX and decrypting to Windows? Thanks in advance, Adam __________________________________ Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. http://info.mail.yahoo.com/mail_250 From zwon at severodvinsk.ru Tue Jan 4 23:03:21 2005 From: zwon at severodvinsk.ru (Pawel Shajdo) Date: Tue Jan 4 23:11:01 2005 Subject: New to GPG In-Reply-To: <20050104145550.64423.qmail@web12822.mail.yahoo.com> References: <20050104145550.64423.qmail@web12822.mail.yahoo.com> Message-ID: <20050104220321.GA1315@sky.schizandra.ru> On Tue, Jan 04, 2005 at 06:55:50AM -0800, Adam Cormany wrote: > I've installed GPG 1.2.1 onto AIX 4.3.3. I also have > GPG 1.4.0 installed on a Windows NT 4.0 workstation. > My goal is to encrypt a file on the AIX box and > decrypt the file on the Windows box. I would prefer to > not have to enter the passphrase on the Windows box if this is not good idea > possible to try to automate the process of decryption. > > I have done the following: > On AIX: > 1) Installed GPG > 2) gpg --gen-key, created my key-pair with 1024 bit > DSA and ElGamal, with a passphrase. > 3) gpg --output key.out --export --export is export only public key. for decryption you need secret. use --export-secret-keys > 4) Created an ASCII test file named "testfile" > 5) gpg --recipient "Adam Cormany" --output test.out > --sign --armor --yes --no-version --comment "Created > by Adam on `date`" --encrypt testfile > 6) FTP'd key.out (in binary) and test.out (in ASCII) > to Windows box. better use floppy Vale! -- Pawel I. Shajdo -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 432 bytes Desc: not available Url : /pipermail/attachments/20050105/66f37d62/attachment.bin From thomas-gmaneSpam at kuehne.cn Tue Jan 4 23:17:26 2005 From: thomas-gmaneSpam at kuehne.cn (Thomas Kuehne) Date: Tue Jan 4 23:18:08 2005 Subject: New to GPG In-Reply-To: <20050104145550.64423.qmail@web12822.mail.yahoo.com> References: <20050104145550.64423.qmail@web12822.mail.yahoo.com> Message-ID: Adam Cormany wrote: > I've installed GPG 1.2.1 onto AIX 4.3.3. I also have > GPG 1.4.0 installed on a Windows NT 4.0 workstation. > My goal is to encrypt a file on the AIX box and > decrypt the file on the Windows box. I would prefer to > not have to enter the passphrase on the Windows box if > possible to try to automate the process of decryption. > > I have done the following: > On AIX: > 1) Installed GPG > 2) gpg --gen-key, created my key-pair with 1024 bit > DSA and ElGamal, with a passphrase. > 3) gpg --output key.out --export > 4) Created an ASCII test file named "testfile" > 5) gpg --recipient "Adam Cormany" --output test.out > --sign --armor --yes --no-version --comment "Created > by Adam on `date`" --encrypt testfile > 6) FTP'd key.out (in binary) and test.out (in ASCII) > to Windows box. > > On Windows: > 1) Installed GPG > 2) gpg --import key.out (imported successfully) > 3) gpg --edit-key "Adam Cormany", trust, 5, y, quit > 4) gpg --output testd.out --decrypt test.out > I receive the following error when doing step 4: > gpg: decryption failed: secret key not available For decryption you need the private key. Use --export-secret-key on the AIX box and import the result on the Windows box. Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050104/44d0cfd1/signature-0001.bin From JPClizbe at comcast.net Tue Jan 4 23:23:09 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 4 23:20:23 2005 Subject: New to GPG In-Reply-To: <20050104145550.64423.qmail@web12822.mail.yahoo.com> References: <20050104145550.64423.qmail@web12822.mail.yahoo.com> Message-ID: <41DB174D.6040002@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Adam Cormany wrote: > I've installed GPG 1.2.1 onto AIX 4.3.3. I also have > GPG 1.4.0 installed on a Windows NT 4.0 workstation. > My goal is to encrypt a file on the AIX box and > decrypt the file on the Windows box. I would prefer to > not have to enter the passphrase on the Windows box if > possible to try to automate the process of decryption. > > > > Could someone please tell me what step I'm missing or > if I'm incorrectly trying to encrypt from AIX and > decrypting to Windows? Your export didn't export your secret key. Exporting secret keys has certain security risks. See --export-secret-key in the 1.4.0 man page. BTW, you want to make positive you have 1.4.0a on the Windows box. On your windows box, open a CMD window and run gpg --list-secret-keys and gpg --list-keys I bet only the public key is there. I don't know your network setup, but you could more easily transfer the public and secret keyring files (in binary) over a secure network connection (scp or sftp) or on a FAT formatted floppy. If the transfer is always going to be from the AIX box to the NT box, you don't need nor do you *REALLY* want your secret key on the AIX box. Generate a keypair sans passphrase on the NT box and export the PUBLIC key to the AIX box. Use that to encrypt TO the NT box. Each secret key should have only one home - especially one with no passphrase. If you are encrypting data both ways consider a pair of keypairs (easily extended to more machines), with each machine having it's own public+secret keypair along with the public key(s) of the machine(s) it's sending encypted files. You can even sign and encrypt using the two keypair scheme: AIX uses its secret key to sign the file, then encrypts it to NT's public key. The encrypted data is transferred. NT then uses its secret key to decrypt the file and AIX's public key to verify the signature. This is a good approach if you're emailing the files. But if you're transferring directly from one machine to the other with no relays, you may want to look at OpenSSH and scp or sftp as a better mousetrap to more easily solve this problem. Regards. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Gir-r-r-r-rl" is like this Universal Gay term, like 'Aloha' or 'Shalom'. - Margaret Cho "Only the truly intelligent know when they are being stupid." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-03 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB2xdLHQSsSmCNKhARAguRAKCUMsedvWgd9vxvo55s6ffvXZi6cgCeNT+1 wf/tY/44KWpIlp9lB0gRjG4= =/org -----END PGP SIGNATURE----- From chsv at mncp.net Tue Jan 4 14:53:42 2005 From: chsv at mncp.net (Stanislav Chernyshev) Date: Wed Jan 5 08:48:57 2005 Subject: GnuPG and LDAP keyserver Message-ID: <41DA9FE6.8060705@mncp.net> Hi all users of GnuPG. This is my second question about gnupg and enigmail and LDAP keyserver. When I wish search public key on my corporate PGP keyserver ( Version 7.0 for Windows NT/2000 and UNIX Copyright (c) 1998-2000 by Networks Associates technology, Inc., and its Affiliated Companies) I see: --------------------begin cut--------------------------------------- C:\gnupg>gpg --keyserver ldap://ws2195.mncp.net --search-key chsv gpg: searching for "chsv" from ldap server ws2195.mncp.net (1) Stanislav Chernyshev 2048 bit DSA key D2031C82, created: 2005-01-04 Keys 1-1 of 1 for "chsv". Enter number(s), N)ext, or Q)uit > 1 gpg: requesting key D2031C82 from ldap server ws2195.mncp.net gpg: no valid OpenPGP data found. gpg: Total number processed: 0 ------------- end cut ------------------------------------------------ The key created with GNUPG v. 1.4.0 but PGP keyserver change header on my public key from -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.0 (MingW32) to -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPsdk 2.0.1 Copyright (C) 2000 Networks Associates Technology, Inc. All rights reserved. When, I wrote this letter on mailing-list "enigmail@mozdev.org", to me have answered ------------ begin cut------------------------ I can only imagine that the keyserver you're using is not fully OpenPGP compliant. For more details, you better ask the GnuPG users list ; there are several experts on key servers subscribed to that list. ------------ end cut ------------------------- What can I do or where is find fully OpenPGP complaint keyserver. What is this " no valid OpenPGP data found" ? Best regards Stanislav Chernyshev. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.6.8 - Release Date: 03.01.2005 From esr at thyrsus.com Tue Jan 4 17:16:48 2005 From: esr at thyrsus.com (Eric S. Raymond) Date: Wed Jan 5 08:49:01 2005 Subject: Problems attemoting to use GPG with a USB watch In-Reply-To: <20050104094707.GR9233@monkey.uchicago.edu> References: <200501031650.j03Go0PF028817@snark.thyrsus.com> <20050104084845.GQ9233@monkey.uchicago.edu> <20050104084747.GA11474@thyrsus.com> <20050104094707.GR9233@monkey.uchicago.edu> Message-ID: <20050104161648.GA7114@thyrsus.com> David Champion : > My USB drive has statically-linked gpg executables for several platforms > on it, and multiple keyrings. (That's where "somewhat more complicated" > comes in; there's a shell script driver that accumulates options and > backends and such.) One goal of this arrangement is that I can perform > certain tasks on marginally-trusted systems outside my governance. Using > a broadly-available filesystem helps assure that remains an option, so > that I can consider whether it's wise independently of whether it's > possible. :) Is it possible to use USB mass storage as a boot device? If so, it seems to me that putting some kind of BusyBox-based microdistribution on it could serve the same purpose. -- Eric S. Raymond From chsv at mncp.net Wed Jan 5 10:51:40 2005 From: chsv at mncp.net (Stanislav Chernyshev) Date: Wed Jan 5 10:50:02 2005 Subject: GnuPG and LDAP keyserver Message-ID: <41DBB8AC.3020004@mncp.net> Hi all users of GnuPG. When I run GPG with options --keep-temp-file, I has noticed, that by transfer of a key on a server the service information and symbol CR is added To the end of each line. In initial armor it is not present. At import of this file, when I clean all CR and service information, all is good. ARMOR EXPORT FILES -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.0 (MingW32) mQGiBEHbs5URBAC6BJZaEJYZHWC42cCtkxfwhqlqtcnwN+DPo5hiTeyzj+jen6aL OwY9BanvkSyKykHmvqLuR37pTt/R98PJXuUR5/+bxbMW38tUtYG2eFMuNaVGa3/Q m/pQ+yAN5cV9LsStdjiBLwxqtNKu+VRLvke0V3Z5pMT5qY2StiYWV1ZYdwCgt+UL RYsNJBVcPxGpzbW6+m2oUosEAI42xdCoiZmBamytnDhesdlsMgPLvLzdnTAOjL+Z vnlnByLZ8Eu186RHuJjf0Oo+1+zVxDLb8pAkH5+f20JjTq8NPkIScZkssryBW30s ouJYIaF7ZeVWAYQbtxnsX7eMv+tAAgmEmJ0jGExLDSP7bPkgqE8m+Sk0qFku1oYT jhEqBACRAj8qW48dflWoHQ7vqx9PZGN7OaLjxhx/wBxScUyFwijcDl5T7sp+ORb0 setvsDVZOaD+x32Ma4EjNuMgjwhhd9nxJhnAlrrTH6WJ7sxCHJdCcX+x4KEMjpzr d9/b2E7wmwZe4uONiqmd5ACGOsdw289iFbCNKdN8J8fW8pI6P7QZdGVzdCBmaWxl IDx0ZXN0QHRlc3QuY29tPohdBBMRAgAeBQJB27OVAhsDBgsJCAcDAgMVAgMDFgIB Ah4BAheAAAoJEHNZY1k8Lh1nYCAAmgNO7bFQjJbOdetg/iO9DFKdo+uUAJdXGl3k tM//ew8llxykvOA4DvsouQINBEHbs78QCADH0IDthlpn16Z+C3sLuycnHr+o3/Y/ jInYPzrd5aMIJZ9BU7BnQ+7PCsYyIWl1TMhbGDJB4d1CznVNdZJbx6CZP0Sj+2GB AQ8QFrqSP/EUkfrSC+zdDe5P6Jp7WNp+egnqBwHENJ3PhGjEA7iYvMoIfQG1Brdk XK4vRTSQY9DCprfjSF3QfMvb68hS5yuKwdJr4iMIfa0uD89guWdRZu3C/FOsOkSo KpI45We3G/7RRJxpktMvXG00PHgklYkYS7K94F/yUaQG643VF3bHNFvRhr7z0B4p rd+G9k6ddti5GK+x2+WN/lY0FTIQVOrnpWo3DxtGEeyT+i+2JhBNJ6+LAAMFCAC0 lq1PUbdP6THD46XRyuE8xV+AMAUhjBLi/v/CXpMb/qdIb6HbK7aNS2pTwn9XW7Uk 60/4yXaKJ5XOdniz0b9AHhKuB2KFfVynwE/WpABQgKS5zmulQ33WvkjRp0T0du60 ADuXTC4KNTxCj3JwglSR7cGgyfUGHORMCIC8+wZD/Cs6fuhPPQqaC9kNmjSNV2F/ E63Djo+xBRpgAzSDfbUcZJ8yIysyb9qjVtk64tI4y8soubM8yZVeyNwzxISTdLRB Y4IbuTLhsLIDmEY5jXcYx/GrYKPtWC+7ltU4jVxkc6gMKmWVM/3ByYQXpLlX16He dvoSir8Tm3y66LwgFTlYiEkEGBECAAkFAkHbs78CGwwACgkQc1ljWTwuHWfHtgCe LnrBgAqd44qusS+V/LkynOyl8pgAoJSuXo/VOM3htfcdqn0fhSB8yT+T =3is6 -----END PGP PUBLIC KEY BLOCK----- File tempin.txt (sending to keyserver) # This is a GnuPG 1.4.0 keyserver communications file VERSION 1 PROGRAM 1.4.0 SCHEME ldap HOST ws2195.mncp.net PATH / OPTION include-revoked OPTION include-subkeys OPTION try-dns-srv COMMAND SEND INFO 735963593C2E1D67 BEGIN pub:735963593C2E1D67:17:1024:1104917397:0: uid:test file :1104917397:0: sig:735963593C2E1D67:13:1104917397:0 sub:4DF6D529928280A1:16:2048:1104917439:0: INFO 735963593C2E1D67 END KEY 3C2E1D67 BEGIN -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.0 (MingW32) mQGiBEHbs5URBAC6BJZaEJYZHWC42cCtkxfwhqlqtcnwN+DPo5hiTeyzj+jen6aL OwY9BanvkSyKykHmvqLuR37pTt/R98PJXuUR5/+bxbMW38tUtYG2eFMuNaVGa3/Q m/pQ+yAN5cV9LsStdjiBLwxqtNKu+VRLvke0V3Z5pMT5qY2StiYWV1ZYdwCgt+UL RYsNJBVcPxGpzbW6+m2oUosEAI42xdCoiZmBamytnDhesdlsMgPLvLzdnTAOjL+Z vnlnByLZ8Eu186RHuJjf0Oo+1+zVxDLb8pAkH5+f20JjTq8NPkIScZkssryBW30s ouJYIaF7ZeVWAYQbtxnsX7eMv+tAAgmEmJ0jGExLDSP7bPkgqE8m+Sk0qFku1oYT jhEqBACRAj8qW48dflWoHQ7vqx9PZGN7OaLjxhx/wBxScUyFwijcDl5T7sp+ORb0 setvsDVZOaD+x32Ma4EjNuMgjwhhd9nxJhnAlrrTH6WJ7sxCHJdCcX+x4KEMjpzr d9/b2E7wmwZe4uONiqmd5ACGOsdw289iFbCNKdN8J8fW8pI6P7QZdGVzdCBmaWxl IDx0ZXN0QHRlc3QuY29tPohdBBMRAgAeBQJB27OVAhsDBgsJCAcDAgMVAgMDFgIB Ah4BAheAAAoJEHNZY1k8Lh1nYCAAmgNO7bFQjJbOdetg/iO9DFKdo+uUAJdXGl3k tM//ew8llxykvOA4DvsouQINBEHbs78QCADH0IDthlpn16Z+C3sLuycnHr+o3/Y/ jInYPzrd5aMIJZ9BU7BnQ+7PCsYyIWl1TMhbGDJB4d1CznVNdZJbx6CZP0Sj+2GB AQ8QFrqSP/EUkfrSC+zdDe5P6Jp7WNp+egnqBwHENJ3PhGjEA7iYvMoIfQG1Brdk XK4vRTSQY9DCprfjSF3QfMvb68hS5yuKwdJr4iMIfa0uD89guWdRZu3C/FOsOkSo KpI45We3G/7RRJxpktMvXG00PHgklYkYS7K94F/yUaQG643VF3bHNFvRhr7z0B4p rd+G9k6ddti5GK+x2+WN/lY0FTIQVOrnpWo3DxtGEeyT+i+2JhBNJ6+LAAMFCAC0 lq1PUbdP6THD46XRyuE8xV+AMAUhjBLi/v/CXpMb/qdIb6HbK7aNS2pTwn9XW7Uk 60/4yXaKJ5XOdniz0b9AHhKuB2KFfVynwE/WpABQgKS5zmulQ33WvkjRp0T0du60 ADuXTC4KNTxCj3JwglSR7cGgyfUGHORMCIC8+wZD/Cs6fuhPPQqaC9kNmjSNV2F/ E63Djo+xBRpgAzSDfbUcZJ8yIysyb9qjVtk64tI4y8soubM8yZVeyNwzxISTdLRB Y4IbuTLhsLIDmEY5jXcYx/GrYKPtWC+7ltU4jVxkc6gMKmWVM/3ByYQXpLlX16He dvoSir8Tm3y66LwgFTlYiEkEGBECAAkFAkHbs78CGwwACgkQc1ljWTwuHWfHtgCe LnrBgAqd44qusS+V/LkynOyl8pgAoJSuXo/VOM3htfcdqn0fhSB8yT+T =3is6 -----END PGP PUBLIC KEY BLOCK----- KEY 3C2E1D67 END File tempout.txt (recieved from keyserver) VERSION 1 PROGRAM 1.4.0 INFO 735963593C2E1D67 BEGIN pub:735963593C2E1D67::::: INFO 735963593C2E1D67 END KEY 0x735963593C2E1D67 BEGIN -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGPsdk 2.0.1 Copyright (C) 2000 Networks Associates Technology, Inc. All rights reserved. mQGiBEHbs5URBAC6BJZaEJYZHWC42cCtkxfwhqlqtcnwN+DPo5hiTeyzj+jen6aL OwY9BanvkSyKykHmvqLuR37pTt/R98PJXuUR5/+bxbMW38tUtYG2eFMuNaVGa3/Q m/pQ+yAN5cV9LsStdjiBLwxqtNKu+VRLvke0V3Z5pMT5qY2StiYWV1ZYdwCgt+UL RYsNJBVcPxGpzbW6+m2oUosEAI42xdCoiZmBamytnDhesdlsMgPLvLzdnTAOjL+Z vnlnByLZ8Eu186RHuJjf0Oo+1+zVxDLb8pAkH5+f20JjTq8NPkIScZkssryBW30s ouJYIaF7ZeVWAYQbtxnsX7eMv+tAAgmEmJ0jGExLDSP7bPkgqE8m+Sk0qFku1oYT jhEqBACRAj8qW48dflWoHQ7vqx9PZGN7OaLjxhx/wBxScUyFwijcDl5T7sp+ORb0 setvsDVZOaD+x32Ma4EjNuMgjwhhd9nxJhnAlrrTH6WJ7sxCHJdCcX+x4KEMjpzr d9/b2E7wmwZe4uONiqmd5ACGOsdw289iFbCNKdN8J8fW8pI6P7QZdGVzdCBmaWxl IDx0ZXN0QHRlc3QuY29tPohdBBMRAgAeBQJB27OVAhsDBgsJCAcDAgMVAgMDFgIB Ah4BAheAAAoJEHNZY1k8Lh1nYCAAmgNO7bFQjJbOdetg/iO9DFKdo+uUAJdXGl3k tM//ew8llxykvOA4DvsouQINBEHbs78QCADH0IDthlpn16Z+C3sLuycnHr+o3/Y/ jInYPzrd5aMIJZ9BU7BnQ+7PCsYyIWl1TMhbGDJB4d1CznVNdZJbx6CZP0Sj+2GB AQ8QFrqSP/EUkfrSC+zdDe5P6Jp7WNp+egnqBwHENJ3PhGjEA7iYvMoIfQG1Brdk XK4vRTSQY9DCprfjSF3QfMvb68hS5yuKwdJr4iMIfa0uD89guWdRZu3C/FOsOkSo KpI45We3G/7RRJxpktMvXG00PHgklYkYS7K94F/yUaQG643VF3bHNFvRhr7z0B4p rd+G9k6ddti5GK+x2+WN/lY0FTIQVOrnpWo3DxtGEeyT+i+2JhBNJ6+LAAMFCAC0 lq1PUbdP6THD46XRyuE8xV+AMAUhjBLi/v/CXpMb/qdIb6HbK7aNS2pTwn9XW7Uk 60/4yXaKJ5XOdniz0b9AHhKuB2KFfVynwE/WpABQgKS5zmulQ33WvkjRp0T0du60 ADuXTC4KNTxCj3JwglSR7cGgyfUGHORMCIC8+wZD/Cs6fuhPPQqaC9kNmjSNV2F/ E63Djo+xBRpgAzSDfbUcZJ8yIysyb9qjVtk64tI4y8soubM8yZVeyNwzxISTdLRB Y4IbuTLhsLIDmEY5jXcYx/GrYKPtWC+7ltU4jVxkc6gMKmWVM/3ByYQXpLlX16He dvoSir8Tm3y66LwgFTlYiEkEGBECAAkFAkHbs78CGwwACgkQc1ljWTwuHWfHtgCe LnrBgAqd44qusS+V/LkynOyl8pgAoJSuXo/VOM3htfcdqn0fhSB8yT+T =3is6 -----END PGP PUBLIC KEY BLOCK----- KEY 0x735963593C2E1D67 END How to clean a symbol CR ? Best regards Stanislav Chernyshev. -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 265.6.8 - Release Date: 03.01.2005 From dshaw at jabberwocky.com Wed Jan 5 17:08:56 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 5 23:00:44 2005 Subject: GnuPG and LDAP keyserver In-Reply-To: <41DBB8AC.3020004@mncp.net> References: <41DBB8AC.3020004@mncp.net> Message-ID: <20050105160855.GB31435@jabberwocky.com> On Wed, Jan 05, 2005 at 11:51:40AM +0200, Stanislav Chernyshev wrote: > Hi all users of GnuPG. > When I run GPG with options --keep-temp-file, > I has noticed, that by transfer of a key on a server > the service information and symbol CR is added > To the end of each line. > In initial armor it is not present. > At import of this file, when I clean all CR and service information, all > is good. Looks like two problems here. First, the LDAP handler is manipulating line endings. Second, GPG itself isn't relaxed enough to accept the key anyway. Did you compile your own GPG? If I send you a patch, can you compile and test it? David From timemaster at sillydog.org Thu Jan 6 03:46:42 2005 From: timemaster at sillydog.org (David Vallier) Date: Thu Jan 6 03:29:38 2005 Subject: GPG 140a Message-ID: <41DCA692.6060206@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Why is it that when I try create a "sig" file gpg tells me that there is no default secret key secret key not available? The very first line of the conf file reads: default-key 0x7AE47C2F279E785B Every related to gpg is either in the register or in the path.. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iQEcBAEBAgAGBQJB3KaSAAoJEIHgYkVq3DYFG7AH/0TAbiiPZ1tWc83zbbjqJrmz J/pQebflPhJXs6TnZkHq2I+uJ7E3lJ3yHW9NXobykkPDQ2XaitlcvU0KtY1Qx5V7 ID8/ee94GIBOtlJSk8bwGlXNA+2UIbrrcGoz+tjGx/9gyXuUm4t5UWNcGkNuf8y5 ePt7StEN4qY+1VJ/AbsDk7V89MJMGHaiScCY4Z9YaLJ18NgwrMC2IVgcWknTcbcR H4JWml5KckeVUc9LICgi2DCjt4eeffh7UbhEo/2bPJRURqqFLGyrcrf/41VRHq1P 5f4w4Sfquq8z1j7NSjkVsPiqnspg6QR4LeN1qzElY938rB1WKpkkpz/cMC9dekE= =YdGd -----END PGP SIGNATURE----- From ndof at gmx.li Thu Jan 6 09:35:05 2005 From: ndof at gmx.li (=?ISO-8859-1?Q?Hans_M=FCller?=) Date: Thu Jan 6 09:32:27 2005 Subject: GPG 140a In-Reply-To: <41DCA692.6060206@sillydog.org> References: <41DCA692.6060206@sillydog.org> Message-ID: <41DCF839.60403@gmx.li> try a gpg --list-secret-keys to show yous sk's. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/5f2e8991/signature.bin From wk at gnupg.org Thu Jan 6 12:22:43 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 6 12:20:38 2005 Subject: current charset guessing In-Reply-To: <20050103002657.GA32265@oreka.com> (Alain Bench's message of "Mon, 3 Jan 2005 01:26:57 +0100 (CET)") References: <20050103002657.GA32265@oreka.com> Message-ID: <874qhudcos.fsf@wheatstone.g10code.de> On Mon, 3 Jan 2005 01:26:57 +0100 (CET), Alain Bench said: > Is there a way to guess current charset when CODESET lacks? Please try the attached patch. > BTW looking at util/strgutil.c:set_native_charset(), there is a pair > of wrong charset aliasing, at least when iconv is available: > - On Win32 the name for Latin-1 is not CP1252, but CP28591. My reference says 1252 thus mapping 1252 to Latin-1 is correct. If CP28591 is also a Latin-1 encoding, libiconv should handle this. > - Latin-9 is not Latin-1. You mean Latin-15 is not Latin-1? Right: I have remove that. Shalom-Salam, Werner -------------- next part -------------- 2005-01-06 Werner Koch * strgutil.c (set_native_charset): Assume that ASCII, ANSI_X3.4-1968 and 646 are actually meant as Latin-1. If nl_langinfo is not available get the charset from environment variables. For W32 use GetACP as error fallback. Removed Latin-15 to Latin-1 aliasing. Index: util/strgutil.c =================================================================== RCS file: /cvs/gnupg/gnupg/util/strgutil.c,v retrieving revision 1.46 diff -u -r1.46 strgutil.c --- util/strgutil.c 20 Dec 2004 08:55:03 -0000 1.46 +++ util/strgutil.c 6 Jan 2005 11:21:41 -0000 @@ -144,6 +144,8 @@ { log_info (_("error loading `%s': %s\n"), "iconv.dll", dlerror ()); + log_info(_("please see http://www.gnupg.org/download/iconv.html " + "for more information\n")); iconv_open = NULL; iconv = NULL; iconv_close = NULL; @@ -479,14 +481,19 @@ if (!newset) { #ifdef _WIN32 static char codepage[30]; + unsigned int cpno; /* We are a console program thus we need to use the - GetConsoleOutputCP fucntion and not the the GetACP which + GetConsoleOutputCP function and not the the GetACP which would give the codepage for a GUI program. Note this is not a bulletproof detection because GetConsoleCP might - retrun a different one for console input. Not sure how to - cope with that. */ - sprintf (codepage, "CP%u", (unsigned int)GetConsoleOutputCP ()); + return a different one for console input. Not sure how to + cope with that. If the console Code page is not known we + fall back to the system code page. */ + cpno = GetConsoleOutputCP (); + if (!cpno) + cpno = GetACP (); + sprintf (codepage, "CP%u", cpno ); /* If it is the Windows name for Latin-1 we use the standard name instead to avoid loading of iconv.dll. Unfortunately it is often CP850 and we don't have a custom translation @@ -498,9 +505,32 @@ #else #ifdef HAVE_LANGINFO_CODESET newset = nl_langinfo (CODESET); -#else - newset = "iso-8859-1"; -#endif +#else /* !HAVE_LANGINFO_CODESET */ + /* Try to get the used charset from environment variables. */ + static char codepage[30]; + const char *lc, *dot, *mod; + + strcpy (codepage, "iso-8859-1"); + lc = getenv ("LC_ALL"); + if (!lc || !*lc) { + lc = getenv ("LC_CTYPE"); + if (!lc || !*lc) + lc = getenv ("LANG"); + } + if (lc && *lc) { + dot = strchr (lc, '.'); + if (dot) { + mod = strchr (++dot, '@'); + if (!mod) + mod = dot + strlen (dot); + if (mod - dot < sizeof codepage && dot != mod) { + memcpy (codepage, dot, mod - dot); + codepage [mod - dot] = 0; + } + } + } + newset = codepage; +#endif /* !HAVE_LANGINFO_CODESET */ #endif } @@ -511,9 +541,18 @@ newset++; } + /* Note that we silently assume that plain ASCII is actually meant + as Latin-1. This makes sense because many Unix system don't + have their locale set up properly and thus would get annoying + error messages and we have to handle all the "bug" + reports. Latin-1 has always been the character set used for 8 + bit characters on Unix systems. */ if( !*newset || !ascii_strcasecmp (newset, "8859-1" ) - || !ascii_strcasecmp (newset, "8859-15" ) ) { + || !ascii_strcasecmp (newset, "646" ) + || !ascii_strcasecmp (newset, "ASCII" ) + || !ascii_strcasecmp (newset, "ANSI_X3.4-1968" ) + ) { active_charset_name = "iso-8859-1"; no_translation = 0; active_charset = NULL; From ndof at gmx.li Thu Jan 6 13:01:29 2005 From: ndof at gmx.li (=?ISO-8859-1?Q?Hans_M=FCller?=) Date: Thu Jan 6 12:58:19 2005 Subject: GPG 140a In-Reply-To: <41DD1211.4020606@sillydog.org> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> Message-ID: <41DD2899.4040701@gmx.li> please post only to the list!! can you send us the output of gpg --list-secret-keys to see if the key is valid. ----------------------------------------------------------------------- >> > It listed the key all right, I just can't get it to create a "sig" file > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/26896d6a/signature.bin From ml at bitfalle.org Thu Jan 6 15:53:58 2005 From: ml at bitfalle.org (markus reichelt) Date: Thu Jan 6 15:51:16 2005 Subject: GPG 140a In-Reply-To: <41DD2899.4040701@gmx.li> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> Message-ID: <20050106145358.GA5259@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hans M?ller wrote: > please post only to the list!! agreed :-) but mails from you both lack a correct "Mail-Followup-To: gnupg-users@gnupg.org" header if Mail-Followup-To: is missing, most people reply to either From: or Reply-To: please activate that setting in your MUA, or if this is not possible use software that is able to handle mailing lists - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFB3VEGLMyTO8Kj/uQRAgGMAJ9IivzehndceH+nYtgO64L2ghfEyQCeLs9N aYiUe2xFfFAv/YovCNMF5SI= =U21V -----END PGP SIGNATURE----- From thomas-gmane at kuehne.cn Thu Jan 6 17:31:32 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Thu Jan 6 17:49:25 2005 Subject: GPG <> PGP6 subkey selection Message-ID: Situation: Existing DSA(1024)/Elgamal(2048) key. Target: Adding a RSA(4096) signature and a RSA(4096) encryption subkey. Problem: PGP6 does only support 2048 RSA keys. Is ther any way to tell GnuPG to use the RSA keys while PGP6 uses the DSA/Elgamal keys? If I import only the DSA/Elgamal public part into PGP6 it does work, but fails if the whole public key is imported. Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/04e1d9e5/signature.bin From patrick.marquetecken at pandora.be Thu Jan 6 18:58:19 2005 From: patrick.marquetecken at pandora.be (Patrick Marquetecken) Date: Thu Jan 6 18:54:49 2005 Subject: Subkey - second email address Message-ID: <20050106185819.5bf4bef0@Inteprid> Hi, I have a primary key, with my personal email address, i would like to have a subkey with my email address at work is this possible? I have tried addkey but this is without a email address. TIA Patrick -- "Is the crew always this difficult?" -- Doctor "I don't know, Doc, it's my first mission" -- Kim (Caretaker) Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B ICQ# 316932703 Registered Linux User #44550 http://counter.li.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050106/33c7f106/attachment.bin From patrick.marquetecken at pandora.be Thu Jan 6 19:25:09 2005 From: patrick.marquetecken at pandora.be (Patrick Marquetecken) Date: Thu Jan 6 19:21:32 2005 Subject: Subkey - second email address -solved In-Reply-To: <20050106185819.5bf4bef0@Inteprid> References: <20050106185819.5bf4bef0@Inteprid> Message-ID: <20050106192509.21767ac7@Inteprid> Howcould i mis it gpg --edit-key xxxxxx adduid Patrick On Thu, 6 Jan 2005 18:58:19 +0100 Patrick Marquetecken wrote: > Hi, > > I have a primary key, with my personal email address, i would like to have a subkey with my email address at work is this possible? > I have tried addkey but this is without a email address. > > TIA > Patrick > -- > "Is the crew always this difficult?" > -- Doctor > "I don't know, Doc, it's my first mission" > -- Kim (Caretaker) > > Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B > ICQ# 316932703 > Registered Linux User #44550 > http://counter.li.org > -- "Live long and prosper, Spock." -- T'Pau "I shall do neither. I have killed my captain, and my friend." -- Spock Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B ICQ# 316932703 Registered Linux User #44550 http://counter.li.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050106/79f4d627/attachment.bin From Pie_Oh_Pah at gmx.net Thu Jan 6 19:29:19 2005 From: Pie_Oh_Pah at gmx.net (Victor Banatean) Date: Thu Jan 6 19:25:35 2005 Subject: Subkey - second email address In-Reply-To: <20050106185819.5bf4bef0@Inteprid> References: <20050106185819.5bf4bef0@Inteprid> Message-ID: <41DD837F.7010404@gmx.net> Hi Patrick, Patrick Marquetecken wrote: >Hi, > >I have a primary key, with my personal email address, i would like to have a subkey with my email address at work is this possible? > > has it to be another key? If not you could add a new user id to your current primary key, as a result you have added a new email adr. to this key. Hope this helps. Victor From eocsor at gmail.com Thu Jan 6 19:31:18 2005 From: eocsor at gmail.com (Roscoe) Date: Thu Jan 6 19:27:58 2005 Subject: Subkey - second email address In-Reply-To: <20050106185819.5bf4bef0@Inteprid> References: <20050106185819.5bf4bef0@Inteprid> Message-ID: adduid I suspect is what you want. On Thu, 6 Jan 2005 18:58:19 +0100, Patrick Marquetecken wrote: > Hi, > > I have a primary key, with my personal email address, i would like to have a subkey with my email address at work is this possible? > I have tried addkey but this is without a email address. > > TIA > Patrick > -- > "Is the crew always this difficult?" > -- Doctor > "I don't know, Doc, it's my first mission" > -- Kim (Caretaker) > > Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B > ICQ# 316932703 > Registered Linux User #44550 > http://counter.li.org > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > > > > From linux at codehelp.co.uk Thu Jan 6 20:04:00 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Thu Jan 6 20:00:27 2005 Subject: Subkey - second email address In-Reply-To: <20050106185819.5bf4bef0@Inteprid> References: <20050106185819.5bf4bef0@Inteprid> Message-ID: <200501061904.03852.linux@codehelp.co.uk> On Thursday 06 January 2005 5:58 pm, Patrick Marquetecken wrote: > Hi, > > I have a primary key, with my personal email address, i would like to have > a subkey with my email address at work is this possible? Usuallly, you'd just add a UID. If you want a second subkey so that people encrypting to your work email address would use a different key to those encrypting to your home email address, that's probably a job for a second key. It means always having both secret keys available as well. > I have tried > addkey but this is without a email address. adduid from the --edit-key menu. --addkey adds a subkey that can be used if you have a short expiry on your encryption key compared to the main key, or to use different algorithm preferences. Only adduid or a second key will list both work and home email addresses. > > TIA > Patrick -- Neil Williams ============= http://www.dclug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050106/cea8c3c7/attachment.bin From timemaster at sillydog.org Thu Jan 6 20:57:36 2005 From: timemaster at sillydog.org (David Vallier) Date: Thu Jan 6 20:40:52 2005 Subject: GPG 140a In-Reply-To: <20050106145358.GA5259@dantooine> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <20050106145358.GA5259@dantooine> Message-ID: <41DD9830.8060105@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 markus reichelt wrote: | Hans M?ller wrote: | |> please post only to the list!! | | | agreed :-) but mails from you both lack a correct | "Mail-Followup-To: gnupg-users@gnupg.org" header | | if Mail-Followup-To: is missing, most people reply to either From: | or Reply-To: | | please activate that setting in your MUA, or if this is not | possible use software that is able to handle mailing lists | Sorry folks I just realized that this list doesn't have a proper reply to header, so when I click on reply it's sent to the _originator_ of the message. If theres a way to change that in Thunderbird 1.0 please let me know. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iQEcBAEBAgAGBQJB3ZgwAAoJEIHgYkVq3DYFIKIIAKD3+0FLUFsVRgaGdn/0zSz9 wZWnveFLhk4Jnk4SWBf8W9xU/5B+m4GD0PTGZWXESfLQF3P+8VCmmmn5yV9kdXOK dCx2PuJs19M0TLygi+4I2tdFIqX+wY2AufKSDGQ8GvVYgy4LHiEkvmsvxh58Y9b3 1EQgNJuDMUxsvfwyGZM5HqVB74b/2SjqPqRR0xkW/a7ZzBkC2ry/bH10uurZ+xgk YSw02dvSDszcTVi2+poxIjWdxUfzAoDEy3IxkPcyEY7tVTLGN0P8VT4VwmWD+6zi 1wqHLV8LENveBWoi4mOTt9N71oWSJpzYQ2A12SvWZnYNiaB7GqnZdhm5/bsCOxc= =dmry -----END PGP SIGNATURE----- From kabads at gmail.com Thu Jan 6 20:47:34 2005 From: kabads at gmail.com (Adam Cripps) Date: Thu Jan 6 20:44:48 2005 Subject: GPG 140a In-Reply-To: <41DD9830.8060105@sillydog.org> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <20050106145358.GA5259@dantooine> <41DD9830.8060105@sillydog.org> Message-ID: On Thu, 06 Jan 2005 12:57:36 -0700, David Vallier wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > markus reichelt wrote: > > | Hans M?ller wrote: > | > |> please post only to the list!! > | > | > | agreed :-) but mails from you both lack a correct > | "Mail-Followup-To: gnupg-users@gnupg.org" header > | > | if Mail-Followup-To: is missing, most people reply to either From: > | or Reply-To: > | > | please activate that setting in your MUA, or if this is not > | possible use software that is able to handle mailing lists > | > Sorry folks I just realized that this list doesn't have a proper reply > to header, so when I click on reply it's sent to the _originator_ of > the message. > > If theres a way to change that in Thunderbird 1.0 please let me know. > It's possibly a setting in the mailman server which gives the main reply-to: header as the originator and not the list. Adam -- http://www.monkeez.org GPG key: 7111B833 From ml at bitfalle.org Thu Jan 6 21:36:37 2005 From: ml at bitfalle.org (markus reichelt) Date: Thu Jan 6 21:35:36 2005 Subject: GPG 140a In-Reply-To: <41DD9830.8060105@sillydog.org> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <20050106145358.GA5259@dantooine> <41DD9830.8060105@sillydog.org> Message-ID: <20050106203636.GA7024@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Vallier wrote: > Sorry folks I just realized that this list doesn't have a proper > reply to header, so when I click on reply it's sent to the > _originator_ of the message. I guess that would be a good feature for those who use Mozilla and thelike. The status quo isn't a problem for mutt though. A quick workaround would be to set the Reply-To: header manually to the list address in one's own setup. > If theres a way to change that in Thunderbird 1.0 please let me > know. sorry, I'm a die-hard mutt fan ;-) - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFB3aFULMyTO8Kj/uQRAhKUAJ4+4fP5Y9NelE1GTzAqkMlRbmx74ACeOANH R9rCSfOSJchNvtRFtRhcrTw= =DxBV -----END PGP SIGNATURE----- From ml at bitfalle.org Thu Jan 6 21:39:58 2005 From: ml at bitfalle.org (markus reichelt) Date: Thu Jan 6 21:36:55 2005 Subject: gpg-plugin for Opera? Message-ID: <20050106203958.GB7024@dantooine> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm just wondering if there's plugin for Opera? Some friends would like to use gpg, but only if it could be integrated into Opera. A search came up negative. Is Opera support planned in the near future? - -- Bastard Administrator in $hell -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFB3aIeLMyTO8Kj/uQRAqSBAJoDL7imQmS09aUjCbccUyMdyRxzEQCdFlvh Afw3mbOIqf4jlBERDE4ATOU= =/V0R -----END PGP SIGNATURE----- From ndof at gmx.li Thu Jan 6 22:14:52 2005 From: ndof at gmx.li (=?ISO-8859-1?Q?Hans_M=FCller?=) Date: Thu Jan 6 22:11:51 2005 Subject: GPG 140a In-Reply-To: <41DD94CB.3030804@sillydog.org> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <41DD94CB.3030804@sillydog.org> Message-ID: <41DDAA4C.5000206@gmx.li> and 5E11D9137F4D989D is your default key? David Vallier schrieb: > Hans M?ller wrote: > > | please post only to the list!! > | can you send us the output of > | gpg --list-secret-keys > | to see if the key is valid. > | > | ----------------------------------------------------------------------- > > Here you go.. > > > sec 1024D/5E11D9137F4D989D 2005-01-03 [expires: 2007-01-03] > uid David Vallier (TANSTAAFL) > > uid David Vallier (TANSTAAFL) > > uid David Vallier (TANSTAAFL) > > uid David Vallier (TANSTAAFL) > > ssb 2048g/97C9F87AF00414D4 2005-01-03 > ssb 2048R/81E062456ADC3605 2005-01-03 > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050106/2e819747/signature.bin From timemaster at sillydog.org Thu Jan 6 23:48:25 2005 From: timemaster at sillydog.org (David Vallier) Date: Thu Jan 6 23:31:53 2005 Subject: GPG 140a In-Reply-To: <41DDAA4C.5000206@gmx.li> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <41DD94CB.3030804@sillydog.org> <41DDAA4C.5000206@gmx.li> Message-ID: <41DDC039.2030809@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hans M?ller wrote: | and 5E11D9137F4D989D is your default key? | David Vallier schrieb: | |> Hans M?ller wrote: |> |> | please post only to the list!! |> | can you send us the output of |> | gpg --list-secret-keys |> | to see if the key is valid. |> | |> | |> ----------------------------------------------------------------------- |> |> |> Here you go.. |> |> |> sec 1024D/5E11D9137F4D989D 2005-01-03 [expires: 2007-01-03] |> uid David Vallier (TANSTAAFL) Actually from everything I can see using key managers 7AE47C2F279E785B is supposed to be the default, thats the way everything else is set, where and what the 5E11D9137F4D989D is I have no idea, everything else is correct. Or is GPG showing a different format of the same key then GPGshell and Enigmail? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iQEcBAEBAgAGBQJB3cA5AAoJEIHgYkVq3DYFINQH/3N4/UUTIze7DQXALC0N1NOj Gjg7eHZo7mST6MI3hYJHU3Ib59eSifZ2ws3p1O//5epIdhviWYHRkhX+fVB5XY2c lS+yVlpC+03jhpQlBHsOJQtN31GWqwuB2Tpd/DkjdSJ495UWogEM0l3PZTdZt++M +O29YRLiXAsDV82ZnG5XaygFHS5lo48jVnNTbXIhq5WY7+rShYxcKEM+vx3CNM64 APQGH4bl23LZkYsDNXkofR8VhelTiWn5l/DqBlu18gyGUm7YNeC7ejhAwFCJ6YmU 6RrIyrX39HY5qdsqcjrZIoyphNaZehgxJdNTQgsGISe+DBPdwwg+zZ3895Nge6E= =BZEv -----END PGP SIGNATURE----- From jharris at widomaker.com Fri Jan 7 01:27:11 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Jan 7 01:23:38 2005 Subject: Global Directory signatures (was Re: GPG wants to check trustdb every day) In-Reply-To: <20050103154217.GI28182@jabberwocky.com> References: <200412291854.TAA00416@vulcan.xs4all.nl> <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> Message-ID: <20050107002710.GO684@wilma.widomaker.com> On Mon, Jan 03, 2005 at 10:42:17AM -0500, David Shaw wrote: > On Sun, Jan 02, 2005 at 11:33:47PM -0500, Jason Harris wrote: > > No. Determining who (keyholders v. key users) copies keys from > > keyserver.pgp.com to the regular keyservers is not important to me. > Lovely. Moving on then, do you see this as something you can resolve > in your keyserver? I've made the change in GnuPG to not import or > export expired signatures by default. This is a limited fix, of > course, due to the overlap between an old GD sig expiring and a new GD > sig being issued. It strikes me that if the goal is to keep the > keyservers clean, then the keyservers need to take action. There is > only so much that clients can do here. It should be a very easy fix in pks, yes, but until all servers in subkeys.pgp.net, for example, strip signatures by 0xCA57AD7C in the exact same way, I think the main effect will be to confuse people. Ideally, keyserver.pgp.com will stop issuing daily signatures, like 0xEF27ED5F shows it is still doing: sig! CA57AD7C 2005-01-05 PGP Global Directory Verification Key sig! CA57AD7C 2005-01-05 PGP Global Directory Verification Key sig! CA57AD7C 2005-01-04 PGP Global Directory Verification Key and then address its biweekly signatures. As you said, if a key isn't on keyserver.pgp.com, then it is not considered usable by that keyserver, so what is the point in issuing such short-lived, yet exportable, signatures in the first place? Even using yearly signatures, the keyserver needn't export them to know that it has signed each key. IINM, the signatures could be marked non- exportable but still be sent to and used by PGP and GPG users that want 0xCA57AD7C in their personal WoT. Then, those signatures wouldn't be exported by encryption clients to the regular keyservers and it wouldn't matter how often they are [re]issued. As well, all regular keyservers could discard any non-exportable signatures they are sent, which would be a lot better than hard-coding keyids and retention policies for specific, nuisance, automated keysigners. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050106/704f5cba/attachment.bin From dshaw at jabberwocky.com Fri Jan 7 04:22:02 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 7 04:19:07 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107002710.GO684@wilma.widomaker.com> References: <20041230014443.GU30683@jabberwocky.com> <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> Message-ID: <20050107032202.GB14846@jabberwocky.com> On Thu, Jan 06, 2005 at 07:27:11PM -0500, Jason Harris wrote: > As you said, if a key isn't on keyserver.pgp.com, then it is not > considered usable by that keyserver, so what is the point in issuing > such short-lived, yet exportable, signatures in the first place? > Even using yearly signatures, the keyserver needn't export them to > know that it has signed each key. IINM, the signatures could be > marked non- exportable but still be sent to and used by PGP and GPG > users that want 0xCA57AD7C in their personal WoT. Then, those > signatures wouldn't be exported by encryption clients to the regular > keyservers and it wouldn't matter how often they are [re]issued. As > well, all regular keyservers could discard any non-exportable > signatures they are sent, which would be a lot better than > hard-coding keyids and retention policies for specific, nuisance, > automated keysigners. The whole meaning of non-exportable is that the signatures are, well, non-exportable. Having the GD issue non-exportable signatures rather defeats the point of the thing. Forgetting for a minute the protocol issues with this, a simple practical reason why this won't work is that GnuPG won't import a non-exportable signature without modifying the config, and PGP won't do it at all. Mandating code changes in the clients isn't going to happen since it would require all GD users to upgrade, which is unrealistic. You call the GD a "nuisance". I don't agree. We can have that discussion if you like, but perhaps more interesting is that the GD, nuisance or not, is illuminating weaknesses in the keyserver network. The keyserver network is dependent on clients being well-behaved. That's a recipe for abuse if I ever saw one. To make an extreme example, say there was a rogue signer, pumping out thousands of signatures a day onto the keyserver network, all set to expire in a week. Due to the design of the web of trust, there is no real impact on it. However, there is an ugliness to all those signatures. UI displays (e.g. vindex) are rendered almost useless. Over time, this approaches a denial of service when the signed keys get so big they can't easily be downloaded. The keyserver database gets huge. Lots of bandwidth is used to sync all of those signatures between the various nodes in the keyserver net. It gets messy fast. Now, to be sure, this isn't a brand new keyserver attack that nobody ever thought of, plus the GD is nowhere near as bad as my example above. The GD behavior (being a very prolific signer, with no particular effort taken to prevent signatures leaking from the GD onto the keyserver net) is just a reminder that the keyserver net is vulnerable to this sort of flooding. If you need a reason other than someone just being mean, spammers could fairly easily get keyservers to display their ads with this sort of flooding. There's incentive right there. You'll forgive me for not going into excessive detail how exactly to do it, I hope :) David From jharris at widomaker.com Fri Jan 7 05:16:40 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Jan 7 05:13:04 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107032202.GB14846@jabberwocky.com> References: <20041230043512.GE684@wilma.widomaker.com> <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> <20050107032202.GB14846@jabberwocky.com> Message-ID: <20050107041640.GP684@wilma.widomaker.com> On Thu, Jan 06, 2005 at 10:22:02PM -0500, David Shaw wrote: > On Thu, Jan 06, 2005 at 07:27:11PM -0500, Jason Harris wrote: > The whole meaning of non-exportable is that the signatures are, well, > non-exportable. Having the GD issue non-exportable signatures rather > defeats the point of the thing. Forgetting for a minute the protocol > issues with this, a simple practical reason why this won't work is > that GnuPG won't import a non-exportable signature without modifying > the config, and PGP won't do it at all. Mandating code changes in the > clients isn't going to happen since it would require all GD users to > upgrade, which is unrealistic. OK, so GPG users are ahead of the curve because we had to upgrade to 1.4.0 to talk to this new keyserver anyway. > You call the GD a "nuisance". I don't agree. We can have that > discussion if you like, but perhaps more interesting is that the GD, Oh no, our positions are very clear on this point. (Besides, didn't you say they consulted with you about the GD? :) > nuisance or not, is illuminating weaknesses in the keyserver network. > The keyserver network is dependent on clients being well-behaved. > That's a recipe for abuse if I ever saw one. So, you can DoS a webserver without even modifying content on it. How is this news? > To make an extreme example, say there was a rogue signer, pumping out > thousands of signatures a day onto the keyserver network, all set to > expire in a week. Due to the design of the web of trust, there is no > real impact on it. However, there is an ugliness to all those > signatures. UI displays (e.g. vindex) are rendered almost useless. > Over time, this approaches a denial of service when the signed keys > get so big they can't easily be downloaded. The keyserver database > gets huge. Lots of bandwidth is used to sync all of those signatures > between the various nodes in the keyserver net. It gets messy fast. Right, but let someone open some free webmail accounts, create some [Open]PGP keys, start placing keys on the GD, and start signing every key they find there. Even better, use a dyndns service and create unlimited email accounts all from the comfort of your own DSL line. > Now, to be sure, this isn't a brand new keyserver attack that nobody > ever thought of, plus the GD is nowhere near as bad as my example Or is it? Uploading garbage keys is still a DoS attack. > above. The GD behavior (being a very prolific signer, with no > particular effort taken to prevent signatures leaking from the GD onto > the keyserver net) is just a reminder that the keyserver net is > vulnerable to this sort of flooding. Right, but adding cryptographic checks and enforcing no-modify flags will just shift the DoS attack to uploading garbage keys instead of bloating existing keys. Of course, if we come to that, real no- modify checks will trump the GD by keeping signatures from bogus keys from littering actual keys. > If you need a reason other than someone just being mean, spammers > could fairly easily get keyservers to display their ads with this sort > of flooding. There's incentive right there. You'll forgive me for > not going into excessive detail how exactly to do it, I hope :) I'm betting they'll do that with photo IDs first. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050106/e76e93e1/attachment-0001.bin From dshaw at jabberwocky.com Fri Jan 7 06:01:33 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 7 05:58:29 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107041640.GP684@wilma.widomaker.com> References: <20041230051945.GY30683@jabberwocky.com> <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> <20050107032202.GB14846@jabberwocky.com> <20050107041640.GP684@wilma.widomaker.com> Message-ID: <20050107050133.GE14846@jabberwocky.com> On Thu, Jan 06, 2005 at 11:16:40PM -0500, Jason Harris wrote: > On Thu, Jan 06, 2005 at 10:22:02PM -0500, David Shaw wrote: > > On Thu, Jan 06, 2005 at 07:27:11PM -0500, Jason Harris wrote: > > > The whole meaning of non-exportable is that the signatures are, well, > > non-exportable. Having the GD issue non-exportable signatures rather > > defeats the point of the thing. Forgetting for a minute the protocol > > issues with this, a simple practical reason why this won't work is > > that GnuPG won't import a non-exportable signature without modifying > > the config, and PGP won't do it at all. Mandating code changes in the > > clients isn't going to happen since it would require all GD users to > > upgrade, which is unrealistic. > > OK, so GPG users are ahead of the curve because we had to upgrade > to 1.4.0 to talk to this new keyserver anyway. No, you can use any version of GPG through the web interface. The new LDAP stuff in 1.4 just lets you search the keyserver directly. Incidentally, the new LDAP code wasn't added to talk to the GD. It was added to allow users to store their keys in their own LDAP servers. Corporate environments are big on this. It just so happens that the GD uses the same LDAP schema, so it all worked painlessly. > > You call the GD a "nuisance". I don't agree. We can have that > > discussion if you like, but perhaps more interesting is that the GD, > > Oh no, our positions are very clear on this point. (Besides, didn't > you say they consulted with you about the GD? :) Lightly consulted. I suggested some ways to handle signature and designated revocations. No idea if they were already doing it in a safe way, but we discussed it. > > nuisance or not, is illuminating weaknesses in the keyserver network. > > The keyserver network is dependent on clients being well-behaved. > > That's a recipe for abuse if I ever saw one. > > So, you can DoS a webserver without even modifying content on it. > How is this news? It's not. Nor is that the point. The point is that the keyserver net was vulnerable, but nobody really cared. Now there is something that will eventually cause a problem due to this vulnerability. Plus, the comparison is apples and oranges. Hammering a web server with requests versus uploading terabytes of garbage data that will be replicated faithfully among many servers. Pretty nice amplification there for an attack. > > To make an extreme example, say there was a rogue signer, pumping out > > thousands of signatures a day onto the keyserver network, all set to > > expire in a week. Due to the design of the web of trust, there is no > > real impact on it. However, there is an ugliness to all those > > signatures. UI displays (e.g. vindex) are rendered almost useless. > > Over time, this approaches a denial of service when the signed keys > > get so big they can't easily be downloaded. The keyserver database > > gets huge. Lots of bandwidth is used to sync all of those signatures > > between the various nodes in the keyserver net. It gets messy fast. > > Right, but let someone open some free webmail accounts, create some > [Open]PGP keys, start placing keys on the GD, and start signing every > key they find there. > > Even better, use a dyndns service and create unlimited email accounts > all from the comfort of your own DSL line. Quite so, but this is a massively more difficult attack against the GD than it is against the keyserver net. The GD requires mailback authentication, so the pace of adding keys cannot be nearly what it is on the keyserver net where you can just add keys directly 24/7. Plus, remember that unlike the keyserver net, the GD is under the control of a single entity. Abuse it too much, and they can simply lock you out and refuse to accept more keys and/or key approval web hits from your IPs. That simple response doesn't work on the keyserver net, where you'd need to get all operators to agree to block an abuser, plus the abuser can resort to other means of getting the keys in (email would be a good way in). It's not impossible to block an attacker from sending to the keyserver net, but it is certainly vastly more difficult. > > Now, to be sure, this isn't a brand new keyserver attack that nobody > > ever thought of, plus the GD is nowhere near as bad as my example > > Or is it? Uploading garbage keys is still a DoS attack. *You* have decided that the GD output is garbage. Many other people clearly don't think so. Can we please get past the "it's bad" "no, it isn't" ? I'm not going to convince you, and you're not going to convince me, so why bother? We both agree that there is an unfortunate impact on the keyserver net, so let's at least try and accomplish something useful here. > > above. The GD behavior (being a very prolific signer, with no > > particular effort taken to prevent signatures leaking from the GD onto > > the keyserver net) is just a reminder that the keyserver net is > > vulnerable to this sort of flooding. > > Right, but adding cryptographic checks and enforcing no-modify flags > will just shift the DoS attack to uploading garbage keys instead of > bloating existing keys. Of course, if we come to that, real no- > modify checks will trump the GD by keeping signatures from bogus > keys from littering actual keys. Who said anything about cryptographic checks? That's just one way to handle the problem, and it opens you up to a DoS like you say. Why not start with something like not accepting or sending out expired sigs? Periodically, vacuum expired sigs from the database. You don't need crypto for that. There is lots more that can be done, including just ditching any GD signatures before they even get to the database. That doesn't require crypto either. Doing sig trickery like this will help with the GD problem, but it's not much of a defense against a general flooding attack, unfortunately. > > If you need a reason other than someone just being mean, spammers > > could fairly easily get keyservers to display their ads with this sort > > of flooding. There's incentive right there. You'll forgive me for > > not going into excessive detail how exactly to do it, I hope :) > > I'm betting they'll do that with photo IDs first. Which is why it's not a good idea for keyservers to display photo IDs from unauthenticated keys in searches. The biglumber keyserver does this right. David From dshaw at jabberwocky.com Fri Jan 7 06:02:59 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 7 05:59:51 2005 Subject: GPG <> PGP6 subkey selection In-Reply-To: References: Message-ID: <20050107050259.GF14846@jabberwocky.com> On Thu, Jan 06, 2005 at 05:31:32PM +0100, Thomas Kuehne wrote: > Situation: > Existing DSA(1024)/Elgamal(2048) key. > > Target: > Adding a RSA(4096) signature and a RSA(4096) encryption subkey. > > Problem: > PGP6 does only support 2048 RSA keys. > > Is ther any way to tell GnuPG to use the RSA keys while PGP6 uses the > DSA/Elgamal keys? If I import only the DSA/Elgamal public part into PGP6 > it does work, but fails if the whole public key is imported. Unless told otherwise, GnuPG will use the most recent subkeys, so if I understand what you are asking, you don't need to do anything for GnuPG to use the new subkeys. David From thomas-gmane at kuehne.cn Fri Jan 7 07:50:19 2005 From: thomas-gmane at kuehne.cn (Thomas Kuehne) Date: Fri Jan 7 07:44:48 2005 Subject: GPG <> PGP6 subkey selection In-Reply-To: <20050107050259.GF14846@jabberwocky.com> References: <20050107050259.GF14846@jabberwocky.com> Message-ID: David Shaw wrote: > On Thu, Jan 06, 2005 at 05:31:32PM +0100, Thomas Kuehne wrote: > >>Situation: >>Existing DSA(1024)/Elgamal(2048) key. >> >>Target: >>Adding a RSA(4096) signature and a RSA(4096) encryption subkey. >> >>Problem: >>PGP6 does only support 2048 RSA keys. >> >>Is ther any way to tell GnuPG to use the RSA keys while PGP6 uses the >>DSA/Elgamal keys? If I import only the DSA/Elgamal public part into PGP6 >>it does work, but fails if the whole public key is imported. > > > Unless told otherwise, GnuPG will use the most recent subkeys, so if I > understand what you are asking, you don't need to do anything for > GnuPG to use the new subkeys. Yes. It seems like PGP6 does the same, but after rejecting the the newer(to big) fails to use the older key... Thomas -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 155 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050107/a8ef5644/signature.bin From johanw at vulcan.xs4all.nl Fri Jan 7 14:13:39 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Jan 7 14:09:23 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107032202.GB14846@jabberwocky.com> from David Shaw at "Jan 6, 2005 10:22:02 pm" Message-ID: <200501071313.OAA02352@vulcan.xs4all.nl> David Shaw wrote: >To make an extreme example, say there was a rogue signer, pumping out >thousands of signatures a day onto the keyserver network, all set to >expire in a week. Or worse, signatures that don't expire at all. If they're from 10000 different keys, it's much more difficult to get rid of them. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From dshaw at jabberwocky.com Fri Jan 7 14:37:43 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 7 14:48:08 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <200501071313.OAA02352@vulcan.xs4all.nl> References: <20050107032202.GB14846@jabberwocky.com> <200501071313.OAA02352@vulcan.xs4all.nl> Message-ID: <20050107133743.GG14846@jabberwocky.com> On Fri, Jan 07, 2005 at 02:13:39PM +0100, Johan Wevers wrote: > David Shaw wrote: > > >To make an extreme example, say there was a rogue signer, pumping out > >thousands of signatures a day onto the keyserver network, all set to > >expire in a week. > > Or worse, signatures that don't expire at all. If they're from 10000 > different keys, it's much more difficult to get rid of them. Indeed. Honestly, I'm not sure of what the answer is here, or even if there is one without a redesign of the keyserver net. A CA that leaks onto the keyserver net can be handled fine by a "no sigs from key xxxxx" rule, but an attacker would use using different keys to make the sigs to get around the rule (or just upload different keys directly). David From xwck at oreka.com Fri Jan 7 18:23:34 2005 From: xwck at oreka.com (Alain Bench) Date: Fri Jan 7 18:31:09 2005 Subject: current charset guessing In-Reply-To: <874qhudcos.fsf@wheatstone.g10code.de> References: <20050103002657.GA32265@oreka.com> <874qhudcos.fsf@wheatstone.g10code.de> Message-ID: <20050107172334.GA14032@oreka.com> On Thursday, January 6, 2005 at 12:22:43 PM +0100, Werner Koch wrote: > On Mon, 3 Jan 2005 01:26:57 +0100 (CET), Alain Bench said: >> to guess current charset when CODESET lacks? > Please try the attached patch. Thanks: It works in many cases, but fails on implicit charsets, ambiguous names, or platform specific spellings. Examples: | $ LC_CTYPE=pl_PL gpg -vvv --some-function | gpg: using character set `iso-8859-1' | [...] Works in Latin-1 while real pl_PL implicit charset is Latin-2. | $ LC_CTYPE=ja_JP.EUC gpg -vvv | gpg: conversion from `utf-8' to `EUC' not available We know from context it's EUC-JP, but iconv can't decide if it's EUC-JP, EUC-KR, EUC-CN, EUC-TW, or EUC-JISX0213. | $ LC_CTYPE=fr_FR.iso885915@euro gpg -vvv | gpg: conversion from `utf-8' to `iso885915' not available This "alias" of Latin-9 is not known to libiconv 1.9.2, which knows only six of them: | $ iconv -l | grep ISO-8859-15 | ISO-8859-15 ISO-IR-203 ISO8859-15 ISO_8859-15 ISO_8859-15:1998 LATIN-9 Note in such locales, "make check" also fails: | $ make check | [...] | Making all in checks | make[2]: Entering directory `/tmp/gnupg-1.4.0/checks' | echo '#!/bin/sh' >./gpg_dearmor | echo "../g10/gpg --no-options --no-greeting \ | --no-secmem-warning --batch --dearmor" >>./gpg_dearmor | chmod 755 ./gpg_dearmor | ./gpg_dearmor > ./pubring.gpg < ./pubring.asc | gpg: conversion from `utf-8' to `cp-1252' not available | make[2]: *** [pubring.gpg] Error 2 | make[2]: Leaving directory `/tmp/gnupg-1.4.0/checks' | make[1]: *** [all-recursive] Error 1 | make[1]: Leaving directory `/tmp/gnupg-1.4.0' | make: *** [all] Error 2 Those platform specific charset spellings are quite common. That's why libcharset does some sanitizing. And why Mutt has big internal table of aliases, and provides "iconv-hook" command so users can add to this table. BTW the output of nl_langinfo(CODESET) also needs sanitizing on some platforms. Libcharset's locale_charset() does itself the appropriate nl_langinfo(CODESET), GetACP(), DosQueryCp() on OS/2, setlocale(LC_ALL, ""), getenv() parsing, and canonicalization thru internal alias table, or external $LIBDIR/charset.alias file. >> On Win32 the name for Latin-1 is not CP1252, but CP28591. > My reference says 1252 thus mapping 1252 to Latin-1 is correct. CP-1252 is a superset of Latin-1 with 27 more chars. Example one can write "Lec?ur" (oe ligature) in CP-1252, not in Latin-1: | $ grep U0153 glibc-2.3.3/localedata/charmaps/CP1252 | /x9c LATIN SMALL LIGATURE OE | $ echo -e "\234" | iconv -f cp1252 -t iso-8859-1 | iconv: (stdin): cannot convert I'd say treating CP-1252 as Latin-1 is good enough and better than nothing when iconv is unavailable. But it's suboptimal when iconv is there. And could even lead to wrongly and unnoticably insert UTF-8 control chars inside a key UID. Think Mr Lec?ur enters his name: | $ echo -ne "\234" | iconv -f iso-8859-1 -t utf-8 | hex | C2 9C | $ grep U009C glibc-2.3.3/localedata/charmaps/UTF-8 | /xc2/x9c STRING TERMINATOR (ST) That's obviously wrong, but when Mr Lec?ur enters or displays his UID (in same conditions), everything seems correct to him. Other people see garbage, though. > If CP28591 is also a Latin-1 encoding, libiconv should handle this. I agree libiconv probably should handle CP28591 as an alias of Latin-1. But it does not (straight binaries gnupg-w32cli-1.4.0a.zip and libiconv-1.9.1.dll.zip from gnupg.org, on Win2000sp4 cmd.exe): | C:\>chcp | Page de codes active?: 28591 | | C:\>gpg -vvv | gpg: conversion from `utf-8' to `CP28591' not available Looking in libiconv 1.9.2 source: No such alias. But in libiconv-1.9.2/libcharset/lib/localcharset.c there is a whole set of aliases: | /* Determine a canonical name for the current locale's character encoding. | # if defined WIN32 | cp = "CP936" "\0" "GBK" "\0" | "CP1361" "\0" "JOHAB" "\0" | "CP20127" "\0" "ASCII" "\0" | "CP20866" "\0" "KOI8-R" "\0" | "CP21866" "\0" "KOI8-RU" "\0" | "CP28591" "\0" "ISO-8859-1" "\0" | "CP28592" "\0" "ISO-8859-2" "\0" | "CP28593" "\0" "ISO-8859-3" "\0" | "CP28594" "\0" "ISO-8859-4" "\0" | "CP28595" "\0" "ISO-8859-5" "\0" | "CP28596" "\0" "ISO-8859-6" "\0" | "CP28597" "\0" "ISO-8859-7" "\0" | "CP28598" "\0" "ISO-8859-8" "\0" | "CP28599" "\0" "ISO-8859-9" "\0" | "CP28605" "\0" "ISO-8859-15" "\0"; | # endif >> Latin-9 is not Latin-1. > Right: I have remove that. Good: Thanks. ISO-8859-15 is Latin-9, just to confuse us: | ISO-8859-1 Latin-1 | ISO-8859-2 Latin-2 | ISO-8859-3 Latin-3 | ISO-8859-4 Latin-4 | ISO-8859-5 Cyrillic | ISO-8859-6 Arabic | ISO-8859-7 Greek | ISO-8859-8 Hebrew | ISO-8859-9 Latin-5 | ISO-8859-10 Latin-6 | ISO-8859-11 Thai | ISO-8859-13 Latin-7 | ISO-8859-14 Latin-8 | ISO-8859-15 Latin-9 | ISO-8859-16 Latin-10 > For W32 use GetACP as error fallback. Hum... Libcharset seems to call GetACP() only, never GetConsoleOutputCP(). IIUC that would be false for console apps? I'm unable to check due to no MinGW32 compiler. Probably 850 and 1252 mismatch by default :-(. > we silently assume that plain ASCII is actually meant as Latin-1. This > makes sense because many Unix system don't have their locale set up > properly and thus would get annoying error messages and we have to > handle all the "bug" reports. Latin-1 has always been the character > set used for 8 bit characters on Unix systems. US-Ascii is not Latin-1. I frequently use a 7 bits terminal in a LANG=fr_FR.us-ascii locale, with or without //TRANSLITeration. That false aliasing would break it. It would also break any case where locales are unset and charset is different. Bad idea, I'd say. Bye! Alain. -- Everything about locales on Sven Mascheck's excellent site at new location . The little tester utility is at . From eocsor at gmail.com Fri Jan 7 19:38:49 2005 From: eocsor at gmail.com (Roscoe) Date: Fri Jan 7 19:35:14 2005 Subject: gpg-plugin for Opera? In-Reply-To: <20050106203958.GB7024@dantooine> References: <20050106203958.GB7024@dantooine> Message-ID: Should not the question be directed towards the Opera dev team? And go along the lines of: "Is gpg support planned in the near future?" On Thu, 6 Jan 2005 21:39:58 +0100, markus reichelt wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I'm just wondering if there's plugin for Opera? Some friends would > like to use gpg, but only if it could be integrated into Opera. A > search came up negative. Is Opera support planned in the near future? > > - -- > Bastard Administrator in $hell > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.6 (GNU/Linux) > > iD8DBQFB3aIeLMyTO8Kj/uQRAqSBAJoDL7imQmS09aUjCbccUyMdyRxzEQCdFlvh > Afw3mbOIqf4jlBERDE4ATOU= > =/V0R > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From jharris at widomaker.com Fri Jan 7 23:00:08 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Jan 7 22:56:35 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107050133.GE14846@jabberwocky.com> References: <20041230175107.GF684@wilma.widomaker.com> <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> <20050107032202.GB14846@jabberwocky.com> <20050107041640.GP684@wilma.widomaker.com> <20050107050133.GE14846@jabberwocky.com> Message-ID: <20050107220007.GR684@wilma.widomaker.com> On Fri, Jan 07, 2005 at 12:01:33AM -0500, David Shaw wrote: > On Thu, Jan 06, 2005 at 11:16:40PM -0500, Jason Harris wrote: > > So, you can DoS a webserver without even modifying content on it. > > How is this news? > > It's not. Nor is that the point. The point is that the keyserver net > was vulnerable, but nobody really cared. Now there is something that > will eventually cause a problem due to this vulnerability. Plus, the You should specifically point out that you're referring to the GD here. > > Right, but let someone open some free webmail accounts, create some > > [Open]PGP keys, start placing keys on the GD, and start signing every > > key they find there. > Quite so, but this is a massively more difficult attack against the GD > than it is against the keyserver net. The GD requires mailback > authentication, so the pace of adding keys cannot be nearly what it is > on the keyserver net where you can just add keys directly 24/7. So it will take a bit more programming to make the GD accept the bogus keys. Or, maybe throwing keys at the GD and having it spam the world will be a sufficiently entertaining attack. > Plus, remember that unlike the keyserver net, the GD is under the > control of a single entity. Abuse it too much, and they can simply > lock you out and refuse to accept more keys and/or key approval web > hits from your IPs. That simple response doesn't work on the > keyserver net, where you'd need to get all operators to agree to block > an abuser, plus the abuser can resort to other means of getting the > keys in (email would be a good way in). It's not impossible to block > an attacker from sending to the keyserver net, but it is certainly > vastly more difficult. [Don't forget, David, I administer one pks and one SKS keyserver.] If you want to run a pks server where you have to put all new keys in via pksclient, go for it. Automating emailed updates of existing keys is doable with programs running totally outside the keyserver, even to the point of implementing no-modify. Require signatures from your own RobotCA key if you want to. I don't consider any of this difficult, but I will not like having to implement it only to thwart attacks. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050107/db22effd/attachment.bin From dshaw at jabberwocky.com Fri Jan 7 23:41:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 7 23:38:22 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107220007.GR684@wilma.widomaker.com> References: <20041231024822.GA17056@jabberwocky.com> <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> <20050107032202.GB14846@jabberwocky.com> <20050107041640.GP684@wilma.widomaker.com> <20050107050133.GE14846@jabberwocky.com> <20050107220007.GR684@wilma.widomaker.com> Message-ID: <20050107224124.GA2088@jabberwocky.com> On Fri, Jan 07, 2005 at 05:00:08PM -0500, Jason Harris wrote: > On Fri, Jan 07, 2005 at 12:01:33AM -0500, David Shaw wrote: > > On Thu, Jan 06, 2005 at 11:16:40PM -0500, Jason Harris wrote: > > > > So, you can DoS a webserver without even modifying content on it. > > > How is this news? > > > > It's not. Nor is that the point. The point is that the keyserver net > > was vulnerable, but nobody really cared. Now there is something that > > will eventually cause a problem due to this vulnerability. Plus, the > > You should specifically point out that you're referring to the GD here. > > > > Right, but let someone open some free webmail accounts, create some > > > [Open]PGP keys, start placing keys on the GD, and start signing every > > > key they find there. > > > Quite so, but this is a massively more difficult attack against the GD > > than it is against the keyserver net. The GD requires mailback > > authentication, so the pace of adding keys cannot be nearly what it is > > on the keyserver net where you can just add keys directly 24/7. > > So it will take a bit more programming to make the GD accept the bogus > keys. Or, maybe throwing keys at the GD and having it spam the world > will be a sufficiently entertaining attack. I give up. When you actually want to discuss possible solutions for the problem at hand, let me know. I'm not all that interested in the "The GD is eeeeeevil, and if it just disappeared the world would be the Way I Want It To Be" stuff. Fact: The GD exists. Fact: It makes signatures. Fact: They leak. Now, you can deal with the facts, or you can complain. Thus far, all I'm seeing is complaining, and that bores me, so... bye. David From jharris at widomaker.com Sat Jan 8 05:49:05 2005 From: jharris at widomaker.com (Jason Harris) Date: Sat Jan 8 05:45:39 2005 Subject: Weakness in the keyserver network (Was Re: Global Directory signatures) In-Reply-To: <20050107224124.GA2088@jabberwocky.com> References: <20050102205419.GI684@wilma.widomaker.com> <20050102234450.GC28182@jabberwocky.com> <20050103043347.GJ684@wilma.widomaker.com> <20050103154217.GI28182@jabberwocky.com> <20050107002710.GO684@wilma.widomaker.com> <20050107032202.GB14846@jabberwocky.com> <20050107041640.GP684@wilma.widomaker.com> <20050107050133.GE14846@jabberwocky.com> <20050107220007.GR684@wilma.widomaker.com> <20050107224124.GA2088@jabberwocky.com> Message-ID: <20050108044905.GS684@wilma.widomaker.com> On Fri, Jan 07, 2005 at 05:41:25PM -0500, David Shaw wrote: > On Fri, Jan 07, 2005 at 05:00:08PM -0500, Jason Harris wrote: > > So it will take a bit more programming to make the GD accept the bogus > > keys. Or, maybe throwing keys at the GD and having it spam the world > > will be a sufficiently entertaining attack. > > I give up. When you actually want to discuss possible solutions for > the problem at hand, let me know. I'm not all that interested in the > "The GD is eeeeeevil, and if it just disappeared the world would be > the Way I Want It To Be" stuff. You misunderstand... > Fact: The GD exists. > Fact: It makes signatures. > Fact: They leak. I don't dispute those facts. However, we had stopped discussing them and moved on to DoS attacks on keyservers, lest you forget. I was merely saying that sending keys to the GD will make it generate unwanted bulk/commercial/confirmation/whatever emails, i.e., spam. Even if these confirmation mails go unanswered and don't DoS the GD by adding lots of bogus keys to its database, one may still consider making the GD send lots of email to unwitting victims to be a sufficiently entertaining (DoS, against the email recipients, and by chewing the GD's bandwidth) attack. Also, if some people take the bait and bump their actual keys off the GD by responding to the attacker-induced confirmations, I think the attackers would be even more entertained. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050107/1a897840/attachment.bin From scc4fun at spamcop.net Sat Jan 8 10:01:43 2005 From: scc4fun at spamcop.net (Sean C. C.) Date: Sat Jan 8 09:58:34 2005 Subject: GnuPG for Win (XP) Installation Message-ID: <41DFA177.8050403@spamcop.net> I downloaded the gnupg for windows freeware. But am a little confused about the installation process. I have PGP installed also, but plan on uninstalling it. I don't know if that affects GPG and its installation at all. Anyways, I downloaded the zip and sig. The sig I ended up doing nothing with. I extracted the zip and according to the readme.w32 file copied the exe's to directory c:\gnupg. I also double-clicked on the .reg file to add those keys to my registry. I'm not sure what else I need to do. When I try to use the enigmail plugin for Thunderbird 1.0 it tells me that gpg can't find 'iconv.dll'. It was not included in the .zip file and the readme.w32 does not mention it at all. In fact, the doesn't explicitly say to move any files to the C:\gnupg directory only to create it (or another directory of my choosing) and create the registry keys. Since I followed the instructions I'm *assuming* that the included registry keys should work. For what I'm not sure. Then to enter gpg and see what happens. Well, it would appear that when I did that from "my documents" it created public and secret keyrings in the c:\gnupg folder. Below is what happens when I try to create a key: C:\>cd gnupg C:\gnupg>gpg --gen-key gpg: error loading `iconv.dll': The specified module could not be found. gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? Any help would be appreciated. Thank you, Somewhat Clueless Consumer From psiphur-gmane at yahoo.co.uk Sat Jan 8 11:28:47 2005 From: psiphur-gmane at yahoo.co.uk (Peter Drysdale) Date: Sat Jan 8 11:27:52 2005 Subject: GnuPG for Win (XP) Installation In-Reply-To: <41DFA177.8050403__8573.93987612358$1105175781$gmane$org@spamcop.net> References: <41DFA177.8050403__8573.93987612358$1105175781$gmane$org@spamcop.net> Message-ID: I think setup instructions can be found elsewhere in this list, but if you want some comprehensive installation intructions you could use: http://enigmail.mozdev.org/gpgconf.html Those are the instructions from the enigmail site, and since you mention you are also using that I don't feel bad just redirecting you to them. ;) From zvrba at globalnet.hr Sat Jan 8 17:13:34 2005 From: zvrba at globalnet.hr (Zeljko Vrba) Date: Sat Jan 8 17:21:24 2005 Subject: OpenPGP javacard implementation Message-ID: <41E006AE.1030802@globalnet.hr> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi! I have written a prototype OpenPGP applet for the Javacard platform. The ~ homepage of the project is: http://www.core-dump.com.hr/index.pl?node_id=421 In the package are all relevant instructions on how to test it against the gpg and Sun's emulated reference Javacard implementation. I need help in porting and testing to real cards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB4AauUIHQih3H6ZQRAwm0AJ4n/Kl5QA6K5VaPwO9sbZrWB3Q56wCgiqxy 1aQiMd5NNRPGyAQj77UMcC8= =dBPu -----END PGP SIGNATURE----- From timemaster at sillydog.org Sun Jan 9 02:48:01 2005 From: timemaster at sillydog.org (David Vallier) Date: Sun Jan 9 02:30:15 2005 Subject: Gpg error Message-ID: <41E08D51.9000203@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Well since my other question didn't get answered maybe someone can answer why gpg is giving me this error? Assertion failed: Keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file keyring.c, line 1388 abnormal program termination Thats the exact msg I receve when I try to update the trust.db -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iQEcBAEBAgAGBQJB4I1QAAoJEIHgYkVq3DYFfTgH/Aqbgqx5bUgJ6A+0AU/RMSsN /aCXksOXpOXOrUsrWteijunzsUxJfONXgzig90uyto94pGP6PI+VC9GxWt6YFlm+ c2FP3p4h6zo9vFDXs7pyRUTK+/PaDa7XvrEApsk3u0bzVHWgW2slKOg9YxhpUKd0 1QrXQpXtvM6J4YPbcsGczgxR6LCdHlnsy0+nl55VFEEFPjQMxLucgfPdXkjPcyyN 3s0xJVwXDwg78Qfwc1J5tTS4l8dutbfTJg6YWhgBNaSPUrNR3h9mAB0PoC+x7yq5 dSFWvy8QFHSX2F9z+6Fu4QiwHtOFZ47SeHp7BDjbP3e3cU3EGlIPQRk9d8Tdask= =cQTs -----END PGP SIGNATURE----- From dshaw at jabberwocky.com Sun Jan 9 03:20:24 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 9 03:27:40 2005 Subject: Gpg error In-Reply-To: <41E08D51.9000203@sillydog.org> References: <41E08D51.9000203@sillydog.org> Message-ID: <20050109022024.GA12681@jabberwocky.com> On Sat, Jan 08, 2005 at 06:48:01PM -0700, David Vallier wrote: > Assertion failed: Keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file > keyring.c, line 1388 > > abnormal program termination > > Thats the exact msg I receve when I try to update the trust.db Hard to say, but as a guess you have your public and secret keyrings switched, or somehow ended up with a secret key in your public keyring. Do other things work properly? David From JPClizbe at comcast.net Sun Jan 9 12:24:18 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Sun Jan 9 12:24:32 2005 Subject: GnuPG for Win (XP) Installation In-Reply-To: <41DFA177.8050403@spamcop.net> References: <41DFA177.8050403@spamcop.net> Message-ID: <41E11462.2090005@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sean C. C. wrote: > I downloaded the gnupg for windows freeware. But am a little confused > about the installation process. I have PGP installed also, but plan on > uninstalling it. I don't know if that affects GPG and its installation > at all. Since you're using Thunderbird and inquirying about GnuPG, I'll make the short leap-of-faith that you're also wanting to use Enigmail. More about that a bit later... There is no need to uninstall PGP. GnuPG and PGP coexist rather well. You can also share the same keyring files. I use the PGPkeys GUI to manipulate my keys and then GnUPG+Enigmail to sign and/or encrypt. > Anyways, I downloaded the zip and sig. The sig I ended up doing nothing > with. I extracted the zip and according to the readme.w32 file copied > the exe's to directory c:\gnupg. I also double-clicked on the .reg file > to add those keys to my registry. I'm not sure what else I need to do. > When I try to use the enigmail plugin for Thunderbird 1.0 it tells me > that gpg can't find 'iconv.dll'. It was not included in the .zip file > and the readme.w32 does not mention it at all. The .sig is for verifying you have an uncorrupt/unaltered download. Bit of a catch-22 for a new install. You may wish to checkout the GnuPG install and config page for Enigmail at http://enigmail.mozdev.org/gpgconf.html. It was written by a couple of the Enigmail team experienced at answering the "HELP!!!!" questions from Windows users. It was written from the viewpoint of installing GnuPG in the most multi-user manner and follows most current Windows file location advice. (ObDisclaimer: I am biased - I co-wrote it with Barry Porter.) What you have already will most likely work, so don't start over unless you feel compelled. iconv.dll - covered on gpgconf page above. Download ftp://ftp.gnupg.org/gcrypt/binary/libiconv-1.9.1.dll.zip, extract iconv.dll to same directory with GnuPG executables. Warning will go away. > In fact, the doesn't explicitly say to move any files to the C:\gnupg > directory only to create it (or another directory of my choosing) and > create the registry keys. Since I followed the instructions I'm > *assuming* that the included registry keys should work. For what I'm not > sure. Then to enter gpg and see what happens. Well, it would appear that > when I did that from "my documents" it created public and secret > keyrings in the c:\gnupg folder. The registry keys control where GnuPG looks for some of its files. The HomeDir registry key controls where GnuPG looks for/writes keyring files (This is not 100% the case, but it'll do for 99.9% of the cases). In your case C:\GnuPG. The default location of the translation files (*.mo) would be C:\GnuPG\Locale in this case. > > Below is what happens when I try to create a key: No real need to create a new keypair, unless you want the practice. Your old PGP keypair will work. Once Gnupg is working well enough that 'gpg --version' works, 0) Open a DOS Window (run CMD.EXE) 1) cd to the directotory where your PGP keyrings (pubring.pkr & secring.skr) live. 2) Import your PGP keys to GnuPG: gpg --import secring.skr gpg --import pubring.pkr 3) You'll need to go in and assign "ultimate" trust to each public/Secret keypair - this is analogous to PGP's implied trust key setting. gpg --edit 0xDecafBad trust <-- replace DecafBad with the keyID of each keypair 5 <-- for Ultimate y <-- yes you REALLY want to do this save <-- to save and exit The Enigmail mailing list/newsgroup is a good resource for any additional questions that may arise. The Yahoo! PGP-Basics group can help you with getting GnuPG & PGP to coexist. - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Gir-r-r-r-rl" is like this Universal Gay term, like 'Aloha' or 'Shalom'. - Margaret Cho "Only the truly intelligent know when they are being stupid." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB4RRhHQSsSmCNKhARAt8rAJ9Quya2izqip9lg/IvtkSGOwerUQQCg8ffp 6VYfvgd6Jl9xGCJtkLCAJtk= =ue5l -----END PGP SIGNATURE----- From mr_mojo_rising at earthlink.net Sun Jan 9 13:17:23 2005 From: mr_mojo_rising at earthlink.net (Mojo Rising) Date: Sun Jan 9 13:13:42 2005 Subject: GNU Privacy Assistant and http proxy: possible? Message-ID: <41E120D3.7080302@earthlink.net> I'm running GPA 0.7.0 and it doesn't seem to respect my globally-defined http_proxy setting. gpg utilizes it fine and the proxy responds, so I know http_proxy is set and valid. Is there any way to get GPA to use an http proxy? From jharris at widomaker.com Sun Jan 9 20:47:14 2005 From: jharris at widomaker.com (Jason Harris) Date: Sun Jan 9 20:43:38 2005 Subject: GD returns expired key Message-ID: <20050109194714.GU684@wilma.widomaker.com> I recommended (earlier on this list) that it should, so I'm happy to report that the GD retains and returns an expired key: %gpg --keyserver ldap://keyserver-beta.pgp.com --recv ADCF7E94 gpg: requesting key ADCF7E94 from ldap server keyserver-beta.pgp.com Host: keyserver-beta.pgp.com Command: GET Server: PGP Universal Server Version: 2.0.0 (Build 1014) gpgkeys: LDAP fetch for: (pgpkeyid=ADCF7E94) gpg: key ADCF7E94: public key "Johannes M. Posel " imported gpg: Total number processed: 1 gpg: imported: 1 %gpg --check-sigs ADCF7E94 pub 1024D/ADCF7E94 2001-10-20 [expired: 2004-12-23)] uid Johannes M. Posel sig! ADCF7E94 2004-09-18 Johannes M. Posel sig! X CA57AD7C 2004-12-12 PGP Global Directory Verification Key uid Johannes Posel (GnuPG Key) sig!3 ADCF7E94 2002-12-25 Johannes M. Posel sig!3 ADCF7E94 2002-12-25 Johannes M. Posel sig! X CA57AD7C 2004-12-12 PGP Global Directory Verification Key uid Johannes M. Posel sig! ADCF7E94 2004-09-18 Johannes M. Posel sig! X CA57AD7C 2004-12-12 PGP Global Directory Verification Key 7 signatures not checked due to missing keys -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050109/22e1ffe2/attachment.bin From timemaster at sillydog.org Sun Jan 9 22:45:24 2005 From: timemaster at sillydog.org (David Vallier) Date: Sun Jan 9 22:27:35 2005 Subject: Gpg error In-Reply-To: <20050109022024.GA12681@jabberwocky.com> References: <41E08D51.9000203@sillydog.org> <20050109022024.GA12681@jabberwocky.com> Message-ID: <41E1A5F4.1080807@sillydog.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: | On Sat, Jan 08, 2005 at 06:48:01PM -0700, David Vallier wrote: | |> Assertion failed: Keyblock->pkt->pkttype == PKT_PUBLIC_KEY, file |> keyring.c, line 1388 |> |> abnormal program termination |> |> Thats the exact msg I receve when I try to update the trust.db | | | Hard to say, but as a guess you have your public and secret | keyrings switched, or somehow ended up with a secret key in your | public keyring. Do other things work properly? | Some things do other things don't, Depends on what I want to do, So if a secret key got switched to public is there anything I can do to fix it?? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iQEcBAEBAgAGBQJB4aX0AAoJEIHgYkVq3DYF9qIH/0A2yF15C11mTKRRIKPIKbQs alQYnldCwm+u5tKq5asyGhEZdU3/P0DrLblSX3cXsHJJfCsrtGhqIxYEuw29Or55 MdiBflnVudDXioYcm2AgFe11aju3KBSd+BKfrVjb+fOQFOEJxj45ik2GjpayqkNK e4hEd5Sf0uuTugSSTqvX0AZzB6RHCp0TEAvhAFu701tmG6OqADtpR9lU2qnCQYlZ HNVhMPQzGS9xzhs6xc0lgdXSnE7B+p0nZrnEhL2hfgAjmTWqM5GT+2pMqG4n3Of+ HTSG6nHlloCA80SD0rUxZVbSqQ9yaByQMCw4W50zbV4OJGutGRVjHmpKxEDuD2s= =mQhv -----END PGP SIGNATURE----- From jharris at widomaker.com Mon Jan 10 02:12:51 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Jan 10 02:09:43 2005 Subject: new (2005-01-09) keyanalyze results (+sigcheck) Message-ID: <20050110011250.GV684@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-01-09/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 658948785011c55f68bf4f67c39d1ed1c819aad3 11154420 preprocess.keys d6a011258aafe5f7355603c52f752957eaef429b 7072079 othersets.txt f62004b94d2ae95e8245e64e4c6adb468fdfd3fd 2804184 msd-sorted.txt b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html f1c596f958d43ae0e243c67e85929776b49b8da8 2290 keyring_stats add037d17f967fb334e4d7255332a390771f884e 1104523 msd-sorted.txt.bz2 5ef9a4e7903df352d3832f6b5e111c21aafbda08 26 other.txt fa33ddf774f5e4e39771ce0a92922c0e1463727e 1518797 othersets.txt.bz2 3642e5c6910ad0c5f67603d522362b8c81d71bbb 4502856 preprocess.keys.bz2 ccb7e6998d4d1756bb584e5990131e02d3fc610c 11175 status.txt b648be977e856096973861a69b56605e66275775 211761 top1000table.html 8dd7b21440f844261c2bedec8a6592fd7d86ae1e 30638 top1000table.html.gz 468b3dc7c8d8fce9f72e69b8ad09eb4949c186b3 10971 top50table.html 8f2af7da70c78b730924fb751298bb9dd7a3a6e7 2449 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050109/454454e7/attachment.bin From cedar at 3web.net Mon Jan 10 01:54:55 2005 From: cedar at 3web.net (C. D. Rok) Date: Mon Jan 10 02:11:38 2005 Subject: GPG on USB drive Message-ID: <41E1D25F.8010405@3web.net> From a blurb in their press release (at http://www.u3.com/): ... The goal of U3 LLC, based in Redwood City, California, is to transform the USB flash drive market from simple storage devices into exciting new consumer products that people can use to carry, store and launch their own applications and data on any PC wherever they go... Also of interest in this context: http://www.mozilla.org/press/mozilla-2005-01-07.html There have been many discussions on this forum - a lengthy one just a couple of weeks back - about the problems faced by many users who need to run GPG in 'media-centric' (as opposed to 'computer-centric') "modus operandi". It was my impression at the time that the developers of GPG were convinced such use should be discouraged. While I do not believe that whatever U3 consortium will hatch will necessarily be the best way to go about it - for instance, there is no multi-OS "statement of principle" in what was published so far - the project does demonstrate a computer usage trend that GPG development team should no longer ignore. CD Rok From jeff+gnupg at jeffenstein.dyndns.org Mon Jan 10 07:57:17 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Mon Jan 10 07:50:23 2005 Subject: GD returns expired key In-Reply-To: <20050109194714.GU684@wilma.widomaker.com> References: <20050109194714.GU684@wilma.widomaker.com> Message-ID: <20050110065717.GC13368@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Sun, Jan 09, 2005 at 02:47:14PM -0500, Jason Harris wrote: > > I recommended (earlier on this list) that it should, so I'm happy to > report that the GD retains and returns an expired key: It will also show revoked uid's as if they are usable, and try to verify them. I sent a bug report on their web form, but haven't gotten any feedback in over a week... - -- jeff@jeffenstein.dyndns.org "People ask me 'What does Unix have that Windows doesn't?' My response: 'Twenty years of public code review.'" --David Hankins -----BEGIN PGP SIGNATURE----- iQIVAwUBQeInTRwPMBUZyYf1AQhEHw//cR1oau/0s8YdPzpDywiv+6VBs9qveqI4 4sT1cOrgUdktN5ZgyqoEZJEghFkXMj3qztBwkyirpa7gOsMw7yG/VL14T9fJIQ1t 0DU0EJJM4p5/BgEVRmhjR3LIOVP/i18DpC60YMq9ZaLi7sXCIIPqME+H/LNZkAgM Bhk3Xxsz1ZKoWuYQB06NrYWpjZe+x7PxsoiGZOa+wwjkZzwkLFkQO7sJ6vkK/k8V L+eNYUVD6NFAkTd7PPzegns5req3xOhxJre1IqiTS3W/uNstrtQHsDm0v8li7Fu9 V6T0U2IBJUjAoP2+tBcdj4ZJovLbfymXMCQzf79rBvKwvnkhY0TFbbTQL7r5hO1H ciulslK/dm1WDqiJFEWYr9lL3EVVbQIbUYJwD/ps6R5O0/edg2HwjLjSiUgblaxY RFaFDamANSz0dIq6UNh4RN0rrGSYhq/CA5Kqy/f2Bej+pKh//Bd5TBEjyduw7bka 27uhhfDPwEvhQXLbHB5QIUgldTcRMB/mgbr1C0t/zDZrwDWsmvJnZ/gbMBblQ7W7 6NyMAZ2mjFyOSs6fQUZo+LiE5nqBm05NB+x0lAUb4cd7QAr/hQ8WWrql7/JVjYns KlvcOuoUmLiEMvyfRR5+v21Ir6QlHXlh8rr0lLSk/21mp0uXXaaUdRJStCIAzUUR wgCihdWj05g= =Iz6x -----END PGP SIGNATURE----- From mo at g10code.com Sun Jan 9 15:03:22 2005 From: mo at g10code.com (Moritz Schulte) Date: Mon Jan 10 12:55:56 2005 Subject: [Announce] Libgcrypt 1.2.1 released Message-ID: <20050109140322.GB16385@sarkutty> Skipped content of type multipart/signed-------------- next part -------------- _______________________________________________ Gnupg-announce mailing list Gnupg-announce@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-announce From gnupg-users-owner at gnupg.org Mon Jan 10 10:28:33 2005 From: gnupg-users-owner at gnupg.org (gnupg-users-owner@gnupg.org) Date: Mon Jan 10 12:56:04 2005 Subject: [Fwd: OpenPGP javacard implementation] Message-ID: <20050110092833.GC27919@cypress.com> ----- Forwarded message from Zeljko Vrba ----- Message-ID: <41E0066F.5090602@globalnet.hr> Date: Sat, 08 Jan 2005 17:12:31 +0100 From: Zeljko Vrba MIME-Version: 1.0 To: gnupg-users-owner@gnupg.org, gnupg-devel-owner@gnupg.org Subject: OpenPGP javacard implementation X-Enigmail-Version: 0.89.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Hi! I have written a prototype OpenPGP applet for the Javacard platform. The ~ homepage of the project is: http://www.core-dump.com.hr/index.pl?node_id=421 In the package are all relevant instructions on how to test it against the gpg and Sun's emulated reference Javacard implementation. I need help in porting and testing to real cards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB4AZvUIHQih3H6ZQRAyauAKCziv7Fk8SqL2R0DsjOACaJDTuSNgCfdh1g sKZ9XFcf0KoGmSSF/v2CKk8= =sFAt -----END PGP SIGNATURE----- ----- End forwarded message ----- From wk at gnupg.org Mon Jan 10 15:15:11 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 10 15:15:33 2005 Subject: Gpg error In-Reply-To: <41E1A5F4.1080807@sillydog.org> (David Vallier's message of "Sun, 09 Jan 2005 14:45:24 -0700") References: <41E08D51.9000203@sillydog.org> <20050109022024.GA12681@jabberwocky.com> <41E1A5F4.1080807@sillydog.org> Message-ID: <87wtule5g0.fsf@wheatstone.g10code.de> On Sun, 09 Jan 2005 14:45:24 -0700, David Vallier said: > Some things do other things don't, Depends on what I want to do, So if > a secret key got switched to public is there anything I can do to fix it?? You need quite some expierence to do that. gpgsplit is the tool to use: Decomposite the public keyring and replace the secret (sub)key packets with their public counterparts, the cat everything back together. Using a backup will be far easier. However you need to figure out what went wrong in the first place. gpg --list-packets keyring should also give some insight. Werner From wk at gnupg.org Mon Jan 10 15:15:54 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 10 15:15:58 2005 Subject: GNU Privacy Assistant and http proxy: possible? In-Reply-To: <41E120D3.7080302@earthlink.net> (Mojo Rising's message of "Sun, 09 Jan 2005 06:17:23 -0600") References: <41E120D3.7080302@earthlink.net> Message-ID: <87sm59e5et.fsf@wheatstone.g10code.de> On Sun, 09 Jan 2005 06:17:23 -0600, Mojo Rising said: > I'm running GPA 0.7.0 and it doesn't seem to respect my > globally-defined http_proxy setting. gpg utilizes it fine and the > proxy responds, so I know http_proxy is set and valid. gpg requires the option honor-http-ptroxy in the ~/.gnupg/gpg.conf Werner From mr_mojo_rising at earthlink.net Mon Jan 10 15:52:47 2005 From: mr_mojo_rising at earthlink.net (Mojo Rising) Date: Mon Jan 10 18:45:31 2005 Subject: GNU Privacy Assistant and http proxy: possible? In-Reply-To: <87sm59e5et.fsf@wheatstone.g10code.de> References: <41E120D3.7080302@earthlink.net> <87sm59e5et.fsf@wheatstone.g10code.de> Message-ID: <41E296BF.5080409@earthlink.net> Werner Koch wrote: > On Sun, 09 Jan 2005 06:17:23 -0600, Mojo Rising said: > > >>I'm running GPA 0.7.0 and it doesn't seem to respect my >>globally-defined http_proxy setting. gpg utilizes it fine and the >>proxy responds, so I know http_proxy is set and valid. > > > gpg requires the option > > honor-http-ptroxy > > in the ~/.gnupg/gpg.conf Thanks, but I already had that in gpg.conf and that's why gpg correctly uses http_proxy as I stated. The problem is that GPA doesn't seem to be using that setting. When I try to send a key to a keyserver with GPA it says it's unable to connect to the keyserver -- even though I've set it to use the same keyserver I successfully used with plain gpg. Here's the relevant line in my gpg.conf: keyserver-options honor-http-proxy broken-http-proxy Any more ideas? From torduninja at mail.pf Mon Jan 10 21:27:18 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Mon Jan 10 21:29:01 2005 Subject: GPG on USB drive Message-ID: <41E2E526.9010504@mail.pf> On Mon, 10 Jan 2005 00:54:55 +0000 "C. D. Rok" wrote: > From a blurb in their press release (at http://www.u3.com/): > ... > The goal of U3 LLC, based in Redwood City, California, is to transform > the USB flash drive market from simple storage devices into exciting new > consumer products that people can use to carry, store and launch their > own applications and data on any PC wherever they go... > > Also of interest in this context: > http://www.mozilla.org/press/mozilla-2005-01-07.html > > There have been many discussions on this forum - a lengthy one just a > couple of weeks back - about the problems faced by many users who need > to run GPG in 'media-centric' (as opposed to 'computer-centric') > "modus operandi". It was my impression at the time that the developers > of GPG were convinced such use should be discouraged. > If you're referring to the wide-ranging discussion in November last year, that's not my impression of the developers' attitude (take Werner Koch's quick reaction to the problem iconv.dll caused for our GPG on a floppy project, GPG TO GO, for example). A 'media-centric' version of GPG (or any other application) will always have limited functionality, and may never be possible, for two reasons. The first is that it must come with its own OS or else use the host machine's OS. If it uses it's own OS, the host machine must allow it to boot, and if you're not the controller of that machine you won't be able to enable this. The medium OS must also be able to write to the host system, which isn't possible Windows-to-*NIX or *NIX-to-NTFS (at least not without third-party helpers, which for the moment, aren't reliable. The second reason is network connections. If you're not the controller of the host machine, applications won't be allowed to pass a firewall. However, if you're thinking in terms of a Windows version of GPG that will run from a removable drive on any Windows system, there's an apparently very simple way to achieve this - just remove all mention of "c:" in the "HAVE_DRIVE_LETTERS" section of the "configure" file and do a Windows compilation. The GnuPG home directory becomes simply "gnupg" whatever drive letter your removable medium is assigned, and you can use the regular command-line procedure. I've been testing such a compilation of 1.4.0 for e-mail and file ecnryption for three weeks now without any problem, though it has a few particularities which leave me with a lingering doubt that there may be a nasty surprise waiting somewhere. (Maybe Werner or David could comment on that). Salut Maxine From cedar at 3web.net Mon Jan 10 23:06:53 2005 From: cedar at 3web.net (C. D. Rok) Date: Mon Jan 10 23:40:31 2005 Subject: GPG on USB drive In-Reply-To: <41E2E526.9010504@mail.pf> References: <41E2E526.9010504@mail.pf> Message-ID: <41E2FC7D.4090605@3web.net> Maxine Brandt wrote: > If you're referring to the wide-ranging discussion in November last year, > that's not my impression of the developers' attitude (take Werner Koch's > quick > reaction to the problem iconv.dll caused for our GPG on a floppy > project, GPG > TO GO, for example). I was off in my timing, and I am in no way inclined to criticize GPG developers. All I was trying to point out is that "media-centric" use is becoming so common that it should not be left to hacking by the "aftermarket" - it should be part of the design, sanctioned and put in place by those best in the position to do so: GPG developers. > A 'media-centric' version of GPG (or any other application) will always > have limited functionality, and may never be possible, for two reasons. > > The first is that it must come with its own OS or else use the host > machine's OS. If it uses it's own OS, the host machine must allow it to > boot, and if you're not the controller of that machine you won't be able > to enable this. The medium OS must also be able to write to the host > system, which isn't possible Windows-to-*NIX or *NIX-to-NTFS (at least > not without third-party helpers, which for the moment, aren't reliable. > > The second reason is network connections. If you're not the controller > of the host machine, applications won't be allowed to pass a firewall. I would assume operation without booting, under "host" OS, most often one of tthe Win32 variants, but see no reason not to include Linux and OSX. The filesystem would have to be VFAT; and it would contain all the software and data required to operate POP/SMTP mail and encrypt/decrypt text, thus no writing to the file system of the host should be necessary. In such operation GPG would be self-contained and strictly isolated from the NET, only the mail client would be net- aware (note that the announced Thunderbird variant, mentioned in the original post, already assumes this would be possible - if not always, then in a sufficient number of instances to make it practical). CDRok From gpg at jason.markley.name Tue Jan 11 00:22:51 2005 From: gpg at jason.markley.name (Jason Markley) Date: Tue Jan 11 01:26:22 2005 Subject: 1.4.0a won't retrieve key from keyserver? Message-ID: <41E30E4B.5070109@jason.markley.name> I've just noticed a problem that I'm having with the windows version (1.4.0a). I can't seem to import any keys from the keyserver. I can search the server, see the key, but when I select the key to import, i get this.... gpg: requesting key from hkp keyserver gpg: no valid OpenPGP data found. gpg: Total number processed: 0 but if i run the same command through a gpg-1.2.5 installation, the process completes and correctly imports the key i selected from the search. Did something change in 1.4.0a in the way gpg gets keys from a keyserver? Thanks in advance. -Jason gpg@jason.markley.name From dshaw at jabberwocky.com Tue Jan 11 04:06:13 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 11 04:11:26 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <41E30E4B.5070109@jason.markley.name> References: <41E30E4B.5070109@jason.markley.name> Message-ID: <20050111030612.GA28753@jabberwocky.com> On Mon, Jan 10, 2005 at 06:22:51PM -0500, Jason Markley wrote: > I've just noticed a problem that I'm having with the windows version > (1.4.0a). I can't seem to import any keys from the keyserver. I can > search the server, see the key, but when I select the key to import, i get > this.... > > gpg: requesting key from hkp keyserver > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 > > > but if i run the same command through a gpg-1.2.5 installation, the > process completes and correctly imports the key i selected from the search. > > > Did something change in 1.4.0a in the way gpg gets keys from a keyserver? Yes. The keyserver stuff is pretty significantly different, but many people are using 1.4.0a on win32 without a problem. Can you re-run the keyserver that failed command with '--keyserver-options keep-temp-files' set? Reply with the tempin.txt and tempout.txt files. The tempin.txt and tempout.txt files will end up in a directory named gpg-XXXXXX under your temp dir (usually c:\windows\temp). David From johanw at vulcan.xs4all.nl Tue Jan 11 11:34:06 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Jan 11 13:47:47 2005 Subject: GPG on USB drive In-Reply-To: <41E2FC7D.4090605@3web.net> from "C. D. Rok" at "Jan 10, 2005 10:06:53 pm" Message-ID: <200501111034.LAA02523@vulcan.xs4all.nl> C. D. Rok wrote: >The filesystem would have to be VFAT; I agree, they all support this well. With some options that prevent locking gpg can handle this well. >In such operation GPG would be self-contained and strictly isolated from >the NET, Not really, the host OS can acces gpg files. And it's not really necessary to try to isolate gpg from the internet if the host setup allows things like keyserver access. >only the mail client would be net- aware If possible on the host. This depends strongly on the host (typical a machine at work). Sometimes you'll have to use your own SMTP server if you would want to use email, sometimes you'll have to configure strange ports, sometimes only webmail is possible and often only a pre-installed application will work. And sometimes you'll have to store the message on the portable device and mail it from home, in cases the machine doesn't have internet access at all. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gpg at jason.markley.name Tue Jan 11 13:55:21 2005 From: gpg at jason.markley.name (Jason Markley) Date: Tue Jan 11 14:13:09 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <20050111030612.GA28753@jabberwocky.com> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> Message-ID: <41E3CCB9.2030803@jason.markley.name> Here ya go....hope this helps..... -Jason David Shaw wrote: > On Mon, Jan 10, 2005 at 06:22:51PM -0500, Jason Markley wrote: > >>I've just noticed a problem that I'm having with the windows version >>(1.4.0a). I can't seem to import any keys from the keyserver. I can >>search the server, see the key, but when I select the key to import, i get >>this.... >> >>gpg: requesting key from hkp keyserver >>gpg: no valid OpenPGP data found. >>gpg: Total number processed: 0 >> >> >>but if i run the same command through a gpg-1.2.5 installation, the >>process completes and correctly imports the key i selected from the search. >> >> >>Did something change in 1.4.0a in the way gpg gets keys from a keyserver? > > > Yes. The keyserver stuff is pretty significantly different, but many > people are using 1.4.0a on win32 without a problem. > > Can you re-run the keyserver that failed command with > '--keyserver-options keep-temp-files' set? Reply with the tempin.txt > and tempout.txt files. The tempin.txt and tempout.txt files will end > up in a directory named gpg-XXXXXX under your temp dir (usually > c:\windows\temp). > > David > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users -------------- next part -------------- # This is a GnuPG 1.4.0 keyserver communications file VERSION 1 PROGRAM 1.4.0 SCHEME hkp HOST PATH / OPTION include-revoked OPTION include-subkeys OPTION try-dns-srv COMMAND GET 0x -------------- next part -------------- VERSION 1 PROGRAM 1.4.0 KEY 0x BEGIN -----BEGIN PGP PUBLIC KEY BLOCK-----Version: PGPsdk 2.0.1 Copyright (C) 2000 Networks Associates Technology, Inc. All rights reserved. .... .... .... -----END PGP PUBLIC KEY BLOCK----- KEY 0x END From wk at gnupg.org Tue Jan 11 14:25:16 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 11 14:25:33 2005 Subject: GNU Privacy Assistant and http proxy: possible? In-Reply-To: <41E296BF.5080409@earthlink.net> (Mojo Rising's message of "Mon, 10 Jan 2005 08:52:47 -0600") References: <41E120D3.7080302@earthlink.net> <87sm59e5et.fsf@wheatstone.g10code.de> <41E296BF.5080409@earthlink.net> Message-ID: <878y70ayir.fsf@wheatstone.g10code.de> On Mon, 10 Jan 2005 08:52:47 -0600, Mojo Rising said: > keyserver-options honor-http-proxy broken-http-proxy > Any more ideas? IIRC, GPA uses the keyserver helpers directly and thus would need to pass it down to the helpers. I CCed Miguel, maybe he has time to look at it. Shalom-Salam, Werner From wk at gnupg.org Tue Jan 11 14:28:28 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 11 14:25:51 2005 Subject: GPG on USB drive In-Reply-To: <41E2E526.9010504@mail.pf> (Maxine Brandt's message of "Mon, 10 Jan 2005 10:27:18 -1000") References: <41E2E526.9010504@mail.pf> Message-ID: <874qhoaydf.fsf@wheatstone.g10code.de> On Mon, 10 Jan 2005 10:27:18 -1000, Maxine Brandt said: > I've been testing such a compilation of 1.4.0 for e-mail and file > ecnryption for three weeks now without any problem, though it has a > few particularities which leave me with a lingering doubt that there > may be a nasty surprise waiting somewhere. (Maybe Werner or David You will get all the usual problem with relative filenames. If you are only using one driver dropping the drive letter should not harm. Werner From wk at gnupg.org Tue Jan 11 14:35:15 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 11 17:04:23 2005 Subject: GPG on USB drive In-Reply-To: <41E2FC7D.4090605@3web.net> (C. D. Rok's message of "Mon, 10 Jan 2005 22:06:53 +0000") References: <41E2E526.9010504@mail.pf> <41E2FC7D.4090605@3web.net> Message-ID: <87zmzg9jho.fsf@wheatstone.g10code.de> On Mon, 10 Jan 2005 22:06:53 +0000, C D Rok said: > OSX. The filesystem would have to be VFAT; and it would contain all the > software and data required to operate POP/SMTP mail and encrypt/decrypt > text, thus no writing to the file system of the host should be necessary. > In such operation GPG would be self-contained and strictly isolated from > the NET, only the mail client would be net- aware (note that the announced I fail to see the advantge of it; it's easier to install it directly on the host system and just put the data (keyrings) on the USB drive. If you are not allowed to do that I wonder why you are allowed to use an USB drive or why you trust the machine at all. BTW, the next binary release of GnuPG for W32 will come with a graphical installer. Werner From dshaw at jabberwocky.com Tue Jan 11 17:07:58 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 11 17:09:34 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <41E3CCB9.2030803@jason.markley.name> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> Message-ID: <20050111160757.GC6496@jabberwocky.com> On Tue, Jan 11, 2005 at 07:55:21AM -0500, Jason Markley wrote: > Here ya go....hope this helps..... Ah, this is a win32-specific bug that was fixed already. The fix will be part of 1.4.1. David From wk at gnupg.org Tue Jan 11 15:54:43 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 11 18:11:34 2005 Subject: current charset guessing In-Reply-To: <20050107172334.GA14032@oreka.com> (Alain Bench's message of "Fri, 7 Jan 2005 18:23:34 +0100 (CET)") References: <20050103002657.GA32265@oreka.com> <874qhudcos.fsf@wheatstone.g10code.de> <20050107172334.GA14032@oreka.com> Message-ID: <87vfa49ft8.fsf@wheatstone.g10code.de> On Fri, 7 Jan 2005 18:23:34 +0100 (CET), Alain Bench said: > Thanks: It works in many cases, but fails on implicit charsets, > ambiguous names, or platform specific spellings. Examples: Okay. I looked at it but to fix this we would need to reimplement everything from libiconv or check whether a proper libiconv is available. This is something we should not not. > Note in such locales, "make check" also fails: > | ./gpg_dearmor > ./pubring.gpg < ./pubring.asc > | gpg: conversion from `utf-8' to `cp-1252' not available That should not anymore fail because it has been changed to a warning. > table. BTW the output of nl_langinfo(CODESET) also needs sanitizing on > some platforms. Well, this is something libiconv should care about and not GnuPG. > CP-1252 is a superset of Latin-1 with 27 more chars. Example one can > write "Lec?ur" (oe ligature) in CP-1252, not in Latin-1: I see. Removed that. > I'd say treating CP-1252 as Latin-1 is good enough and better than > nothing when iconv is unavailable. But it's suboptimal when iconv is We better make shure that iconv is available. > Looking in libiconv 1.9.2 source: No such alias. But in > libiconv-1.9.2/libcharset/lib/localcharset.c there is a whole set of > aliases: I adapted that list and use it for Windows. > Good: Thanks. ISO-8859-15 is Latin-9, just to confuse us: Thanks. > Hum... Libcharset seems to call GetACP() only, never > GetConsoleOutputCP(). IIUC that would be false for console apps? I'm GetConsoleOutputCP is the correct thing to do but it does not harm to fall back to getACP. > US-Ascii is not Latin-1. I frequently use a 7 bits terminal in a > LANG=fr_FR.us-ascii locale, with or without //TRANSLITeration. That > false aliasing would break it. It would also break any case where > locales are unset and charset is different. Bad idea, I'd say. That is right but we got a lot of complaints about these warnings from US people and it seesm reasonable that many more machines are not configured properly for Latin-1 than those who are explicitly using ascii. Given that keys may contain any characters and as a user you don't have any control over it becuase this is a public information, assuming Latin-1 still seems to be working solution for me. I considere to make a installer based version of iconv.dll to ease installation and give hints during GnupG installation on the need of that dll. The 1.4.1 binary distribution will use an NSIS based installer. Salam-Shalom, Werner From torduninja at mail.pf Tue Jan 11 17:43:08 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Tue Jan 11 20:54:33 2005 Subject: GPG on USB drive In-Reply-To: <874qhoaydf.fsf@wheatstone.g10code.de> References: <41E2E526.9010504@mail.pf> <874qhoaydf.fsf@wheatstone.g10code.de> Message-ID: <41E4021C.90204@mail.pf> Werner Koch wrote: > On Mon, 10 Jan 2005 10:27:18 -1000, Maxine Brandt said: > > >>I've been testing such a compilation of 1.4.0 for e-mail and file >>ecnryption for three weeks now without any problem, though it has a >>few particularities which leave me with a lingering doubt that there >>may be a nasty surprise waiting somewhere. (Maybe Werner or David > > > You will get all the usual problem with relative filenames. If you > are only using one driver dropping the drive letter should not harm. > > Werner Thanks Werner. The relative filenames issue is one of the "particularities" I referred to. Salut Maxine -- OpenPGP keys: http://www.torduninja.tk From torduninja at mail.pf Tue Jan 11 22:36:59 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Tue Jan 11 22:38:50 2005 Subject: GPG on USB drive In-Reply-To: References: Message-ID: <41E446FB.8040503@mail.pf> On Mon, 10 Jan 2005 22:06:53 +0000 "C. D. Rok" wrote: > In such operation GPG would be self-contained and strictly isolated from > the NET, only the mail client would be net- aware (note that the announced > Thunderbird variant, mentioned in the original post, already assumes > this would be possible - if not always, then in a sufficient number of > instances to make it practical). That's not my experience. In my area there are five places with public computer access and in none of them can the portable Thunderbird or the gpg keyserver helpers get past the firewall. I've also raised the question with the IT people at three companies and the answer in each case was basically: if it's possible our firewall's ****. But as far as work computers are concerned, J.C.A. Wevers in another post in this thread goes into some detail of posibilities, but they depend on what user permissions the host system has set. Salut Maxine From DBSMITH at OhioHealth.com Tue Jan 11 23:38:58 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Wed Jan 12 01:10:36 2005 Subject: gpg process In-Reply-To: <41E446FB.8040503@mail.pf> Message-ID: When encryption a file does it actually open the file? At a minimum I assume it needs read access? What is the process as gpg is starting the encryption and during encryption? thanks, Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams From johanw at vulcan.xs4all.nl Wed Jan 12 00:16:56 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Jan 12 05:47:15 2005 Subject: GPG on USB drive In-Reply-To: <87zmzg9jho.fsf@wheatstone.g10code.de> from Werner Koch at "Jan 11, 2005 02:35:15 pm" Message-ID: <200501112316.AAA00435@vulcan.xs4all.nl> Werner Koch wrote: >If you are not allowed to do that I wonder why you are allowed to use >an USB drive or why you trust the machine at all. Both questions can usually be answered with "poor administrators". Insufficient knowledge to disable USB ports, and not cunning enough to install snooping software. I've seen that situation in workplaces often enough. >BTW, the next binary release of GnuPG for W32 will come with a >graphical installer. I hope a manual install will still be possible, so a small installation package without all unnecessary stuff (gpgv.exe, language files, iconv.dll) and all executables compressed by upx can still be created (maybe compressing the executables isn't a bad idea for the basic install anyway?). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From zuxy.meng at gmail.com Wed Jan 12 07:12:48 2005 From: zuxy.meng at gmail.com (Zuxy) Date: Wed Jan 12 08:07:26 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20041230041200.GW30683@jabberwocky.com> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> Message-ID: Or we can use simple MAPI instead. #include #include int main() { MapiRecipDesc rcp[1]; rcp[0].ulReserved = 0; rcp[0].ulRecipClass = MAPI_TO; rcp[0].lpszName = "Nice Keyserver"; rcp[0].lpszAddress = "keyserver@keyserver.net"; rcp[0].ulEIDSize = 0; MapiMessage msg; msg.ulReserved = 0; msg.lpszSubject = "Addkey"; msg.lpszNoteText = "Blah blah blah patati patata"; msg.nRecipCount = 1; msg.lpRecips = rcp; msg.nFileCount = 0; MAPISendMail(0, 0, &msg, MAPI_LOGON_UI, 0); } Linked against libmapi32.a. lpszNoteText dosen't have the 2K limit, I suppose. On Wed, 29 Dec 2004 23:12:00 -0500, David Shaw wrote: > Looks like using mailto: is a non-starter whether from ShellExecute() > or WSH. The limit is 2k, and even smaller on some older versions of > win32. 2k isn't enough to do much more than submit the very smallest > of keys. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From dshaw at jabberwocky.com Wed Jan 12 03:48:30 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 12 09:43:19 2005 Subject: gpg process In-Reply-To: References: <41E446FB.8040503@mail.pf> Message-ID: <20050112024830.GA10773@jabberwocky.com> On Tue, Jan 11, 2005 at 05:38:58PM -0500, DBSMITH@OhioHealth.com wrote: > When encryption a file does it actually open the file? At a minimum I > assume it needs read access? > What is the process as gpg is starting the encryption and during > encryption? Yes, gpg needs to be able to read the file to encrypt it. It opens the file, filters it through the ciphers, and writes a new (now, encrypted) copy out. David From wk at gnupg.org Wed Jan 12 12:32:14 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 12 13:20:18 2005 Subject: GPG on USB drive In-Reply-To: <200501112316.AAA00435@vulcan.xs4all.nl> (Johan Wevers's message of "Wed, 12 Jan 2005 00:16:56 +0100 (MET)") References: <200501112316.AAA00435@vulcan.xs4all.nl> Message-ID: <873bx66fy9.fsf@wheatstone.g10code.de> On Wed, 12 Jan 2005 00:16:56 +0100 (MET), Johan Wevers said: > I hope a manual install will still be possible, so a small installation > package without all unnecessary stuff (gpgv.exe, language files, > iconv.dll) and all executables compressed by upx can still be created Frankly, I don't want to distribute a separate ZIP file once the installer is ready. > (maybe compressing the executables isn't a bad idea for the basic install > anyway?). The current installer is 879k whereas the ZIP file is ~1.6M. The LZMA compressor of NSIS is pretty neat. I tried adding the iconv.dll but this one doesn't compress that well, so we will just give a hint to install it or download it from the installer. Werner From dshaw at jabberwocky.com Wed Jan 12 22:58:37 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 12 23:33:45 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> Message-ID: <20050112215837.GA25136@jabberwocky.com> On Wed, Jan 12, 2005 at 02:12:48PM +0800, Zuxy wrote: > Or we can use simple MAPI instead. > Linked against libmapi32.a. lpszNoteText dosen't have the 2K limit, I suppose. Hmm. What win32 platforms have MAPISendMail() present? David From johanw at vulcan.xs4all.nl Thu Jan 13 00:03:12 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 13 00:58:34 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050112215837.GA25136@jabberwocky.com> from David Shaw at "Jan 12, 2005 04:58:37 pm" Message-ID: <200501122303.AAA00515@vulcan.xs4all.nl> David Shaw wrote: >Hmm. What win32 platforms have MAPISendMail() present? If it's not general (I'll have to look), can't you link it statically? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Jan 13 00:01:14 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 13 01:04:43 2005 Subject: GPG on USB drive In-Reply-To: <873bx66fy9.fsf@wheatstone.g10code.de> from Werner Koch at "Jan 12, 2005 12:32:14 pm" Message-ID: <200501122301.AAA00502@vulcan.xs4all.nl> Werner Koch wrote: >Frankly, I don't want to distribute a separate ZIP file once the >installer is ready. I didn't imply that. But I hope the separate files will be easily extractable from the installation package, so I can put the necessary files in a zipfile myself (and add idea.dll). >> (maybe compressing the executables isn't a bad idea for the basic install >> anyway?). >The current installer is 879k whereas the ZIP file is ~1.6M. I mean having the extracted gpg.exe compressed, outside the installation package, with an executable compressor like upx. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From FHubeny at wittbiomedical.com Wed Jan 12 21:29:24 2005 From: FHubeny at wittbiomedical.com (Frank Hubeny) Date: Thu Jan 13 02:22:01 2005 Subject: gpg version 1.40a on w2kp and winxp Message-ID: Hello All; I hope that I am not just missing something here. But I have been getting a renameing error with the latest version of gpg for windows. I have tried on three separate pc's running W2KP, and Win XP. I have also downloaded the version multiple times, and someone who compiles gpg sent me a copy. All do the same thing anytime I do anything that changes the trust DB. I have not seen anyone else post this problem. It must be hard to debug a OS that you all may not even use. Is there a debug feature that I might enable then send you the output. If I am doing something wrong, please let me know. I have since reverted back to version "1.25 for windows". Frank Hubeny RMA Technician Manufacturing Dept. Witt Biomedical Corp. 800.669.1328 ext. 179 fhubeny@wittbiomedical.com From zuxy.meng at gmail.com Thu Jan 13 04:14:59 2005 From: zuxy.meng at gmail.com (Zuxy) Date: Thu Jan 13 07:21:02 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050112215837.GA25136@jabberwocky.com> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> <20050112215837.GA25136@jabberwocky.com> Message-ID: On Wed, 12 Jan 2005 16:58:37 -0500, David Shaw wrote: > > Hmm. What win32 platforms have MAPISendMail() present? > Internet Explorer 5.x and above will install mapi32.dll under %SystemRoot%\system32, which acts as a central dispatcher for MAPI calls. So when you call it, MAPISendMail() is actually handled by an email client that supports MAPI (OE by default, might be Eudora or Netscape too). And if there's no MAPI handler, mapi32.dll will fail gracefully. Anyway you can check the existence of mapi32.dll in run time with a LoadLibrary() call. -- Zuxy Beauty is truth, While truth is beauty. PGP KeyID: E8555ED6 From wk at gnupg.org Thu Jan 13 08:22:44 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 13 09:39:31 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050112215837.GA25136@jabberwocky.com> (David Shaw's message of "Wed, 12 Jan 2005 16:58:37 -0500") References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> <20050112215837.GA25136@jabberwocky.com> Message-ID: <87brbt23p7.fsf@wheatstone.g10code.de> On Wed, 12 Jan 2005 16:58:37 -0500, David Shaw said: > Hmm. What win32 platforms have MAPISendMail() present? I don't think that this matters. We can build it as a helper and if mapi is not available it simply won't work. The forthcoming installer could even print a warning in that case or don't install this helper. Werner From FHubeny at wittbiomedical.com Thu Jan 13 13:08:49 2005 From: FHubeny at wittbiomedical.com (Frank Hubeny) Date: Thu Jan 13 14:21:06 2005 Subject: gpg version 1.40a on w2kp and winxp Message-ID: Werner Wrote: On Wed, 12 Jan 2005 15:29:24 -0500, Frank Hubeny said: > I hope that I am not just missing something here. But I have been > getting a renameing error with the latest version of gpg for windows. I > have tried on three separate pc's running W2KP, and Win XP. We have several such reports but not yet figured out the problem. Frankly I have not yet replicated it as there are other tasks as well. > I have not seen anyone else post this problem. It must be hard to debug > a OS that you all may not even use. Is there a debug feature that I I have a Laptop running W2000 close to my keyboard and use this one for testing. Debugging is not a problem as gdb runs fine on that box. My Response: Thank you I thought I was going nuts. If this helps out. I run Windows 2000 Pro with service pack 4, and Win XP has I believe service pack 1a. I was perhaps unclear about the debugging. Is there a debug feature that I may use on my PC to help ? If so I would be glad to do so. Thanks again for your response ! FRANK From npellegr at numericable.fr Thu Jan 13 15:03:48 2005 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Thu Jan 13 16:00:30 2005 Subject: (no subject) Message-ID: <1105625028.41e67fc44cfe6@webmail.numericable.fr> Hi, I'm using gnupg with a RSA key pair and SHA-1 as the hash algorithm. My pair needs my public key but doesn't want to install Gnupg because he's got his own cryptotool. I'd like to give him : 1) my public RSA key. 2) the key signature. I want to do it myself => RSA(Kpriv,SHA-1(Kpub)) My pair should be able to : 1) to use the public key I sent to decode the signature. 2) to compute the SHA-1 sum of the public key I sent. 3) to compare the 2 sums. I do know this is not enough to be sure this is my REAL public key (a known CA signed certificate would be useful) but that's better than nothing. So i need to cypher the hash sum of my public key by using my secret key. (c=m^d [n]) I took a look to the gnupg sources and especially /cypher/rsa.c and I can see a static function "secret" that does exactly what I need. => static void secret(MPI output, MPI input, RSA_secret_key *skey ) My question is : is it planned to enable users to use this function with GnuPG/RSA users via the command line or should I modify GnuPG myself (but I wouldn't have a standard GnuPG solution) ? Nicolas Pellegrin From wk at gnupg.org Thu Jan 13 15:20:50 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 13 16:08:34 2005 Subject: gpg version 1.40a on w2kp and winxp In-Reply-To: (Frank Hubeny's message of "Thu, 13 Jan 2005 07:08:49 -0500") References: Message-ID: <87k6qhxvel.fsf@wheatstone.g10code.de> On Thu, 13 Jan 2005 07:08:49 -0500, Frank Hubeny said: > I was perhaps unclear about the debugging. Is there a debug feature > that I may use on my PC to help ? If so I would be glad to do so. I am pretty sure that I will be able to replicate it. It is most likely an attempt to double open a file or to rename to an existing file. Werner From twoaday at freakmail.de Thu Jan 13 07:04:41 2005 From: twoaday at freakmail.de (Timo Schulz) Date: Thu Jan 13 16:28:07 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050112215837.GA25136@jabberwocky.com> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> <20050112215837.GA25136@jabberwocky.com> Message-ID: <20050113060441.GB375@daredevil.joesixpack.net> On Wed Jan 12 2005; 16:58, David Shaw wrote: > > Linked against libmapi32.a. lpszNoteText dosen't have the 2K limit, > > I suppose. > > Hmm. What win32 platforms have MAPISendMail() present? The MAPI API (which includes this function) should be available on every Windows machine >= Win95(b). Timo From dshaw at jabberwocky.com Thu Jan 13 15:58:34 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 13 16:43:58 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <87brbt23p7.fsf@wheatstone.g10code.de> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> <20050112215837.GA25136@jabberwocky.com> <87brbt23p7.fsf@wheatstone.g10code.de> Message-ID: <20050113145834.GC25632@jabberwocky.com> On Thu, Jan 13, 2005 at 08:22:44AM +0100, Werner Koch wrote: > On Wed, 12 Jan 2005 16:58:37 -0500, David Shaw said: > > > Hmm. What win32 platforms have MAPISendMail() present? > > I don't think that this matters. We can build it as a helper and if > mapi is not available it simply won't work. The forthcoming installer > could even print a warning in that case or don't install this helper. That's a good point. I'll take a look at moving gpgkeys_mailto to C, but I'll need a few volunteers to help test the win32 part. I don't have easy access to a win32 box any longer. David From wk at gnupg.org Thu Jan 13 16:55:03 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 13 16:50:28 2005 Subject: (no subject) In-Reply-To: <1105625028.41e67fc44cfe6@webmail.numericable.fr> (npellegr@numericable.fr's message of "Thu, 13 Jan 2005 15:03:48 +0100") References: <1105625028.41e67fc44cfe6@webmail.numericable.fr> Message-ID: <87u0plwch4.fsf@wheatstone.g10code.de> On Thu, 13 Jan 2005 15:03:48 +0100, npellegr said: > My question is : is it planned to enable users to use this function with > GnuPG/RSA users via the command line or should I modify GnuPG myself (but I > wouldn't have a standard GnuPG solution) ? It is not planned for two reason: GnuPG uses the OpenPGP protocol and not just plain RSA. Second, direct use of RSA is dangerous and might lead to data and key compromise. Don't do that! Salam-Shalom, Werner From npellegr at numericable.fr Thu Jan 13 18:03:31 2005 From: npellegr at numericable.fr (npellegr@numericable.fr) Date: Thu Jan 13 18:00:15 2005 Subject: Non gpgusers compatibility In-Reply-To: <87k6qhxvel.fsf@wheatstone.g10code.de> References: <87k6qhxvel.fsf@wheatstone.g10code.de> Message-ID: <1105635811.41e6a9e3468a5@webmail.numericable.fr> Sorry - I forgot to type the subject last time ! Thank's Werner I understand now . So I should demand to use OpenPGP protocol. Is there any X509 compatibility ? (even if the certificate'd be autosigned anyway ...) Nicolas Pellegrin Selon Werner Koch : > On Thu, 13 Jan 2005 07:08:49 -0500, Frank Hubeny said: > > > I was perhaps unclear about the debugging. Is there a debug feature > > that I may use on my PC to help ? If so I would be glad to do so. > > I am pretty sure that I will be able to replicate it. It is most > likely an attempt to double open a file or to rename to an existing > file. > > Werner > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From rmalayter at bai.org Thu Jan 13 18:38:34 2005 From: rmalayter at bai.org (Ryan Malayter) Date: Thu Jan 13 19:09:48 2005 Subject: Is there a gpgkeys_mailto for Win32? Message-ID: <792DE28E91F6EA42B4663AE761C41C2A0379A36C@cliff.bai.org> From bogus@does.not.exist.com Thu Jan 13 12:38:57 2005 From: bogus@does.not.exist.com () Date: Thu Jan 13 19:09:48 2005 Subject: No subject Message-ID: >The MAPI API (which includes this function) should be=20 >available on every >Windows machine >=3D Win95(b). I know Simple MAPI has been deprecated by MS, with only Extended MAPI and the CDO object library being supported in future Windows/Office/Exchange versions. I'm not sure if Extended MAPI is any different than Simple MAPI from the programmer's perspective; we've been using CDO on our projects here for more than 5 years.=20 See http://support.microsoft.com/kb/200018/EN-US/ for a bit more info. Maybe the native-SMTP-based CDONTS library would be a better choice? I think it is available on all Windows 2000 and later. Regards, Ryan=20 From xwck at oreka.com Fri Jan 14 10:19:46 2005 From: xwck at oreka.com (Alain Bench) Date: Fri Jan 14 11:21:13 2005 Subject: unconvertable chars display glitches Message-ID: <20050114091946.GA29125@oreka.com> Hello, Testing Debian Woody Glibc iconv 2.2.5 and GnuPG 1.4, /Ren? Lec?ur/ made a test key (comes here attached). His UID contains 2 well-formed UTF-8 special chars: An '?' (e acute) and a '?' (oe ligature). Perfect display in a locale having both chars, like with CP-1252 charset: | $ gpg -vvv --list-keys "Ren?" | gpg: using character set `CP1252' | gpg: using PGP trust model | pub 512D/882B59FD 2005-01-08 | uid Ren? Lec?ur But in a locale where only the e acute exists, like with charset CP-857 (Turkish): | $ gpg -vvv --list-keys "Ren?" | gpg: using character set `IBM857' | gpg: using PGP trust model | pub 512D/882B59FD 2005-01-08 | gpg: conversion from `utf-8' to `IBM857' failed: Invalid or incomplete multibyte or wide character | uid Ren? Lec\xc5\x93ur - The warning line about failed conversion may perhaps not be really necessary in such simple unconvertability case: The \hex display of raw UTF-8 may well be sufficient? - The '?' (U acute) in place of '?' in "Ren?" is wrong. Fallback to Latin-1 conversion of full string if one char only was unconvertable seems not optimal here. Probably a display like that might be clearer: | $ gpg -vvv --list-keys "Ren?" | gpg: using character set `IBM857' | gpg: using PGP trust model | pub 512D/882B59FD 2005-01-08 | uid Ren? Lec\xc5\x93ur Bye! Alain. -- When you post a new message, beginning a new topic, use the "mail" or "post" or "new message" functions. When you reply or followup, use the "reply" or "followup" functions. Do not do the one for the other, this breaks or hijacks threads. -------------- next part -------------- A non-text attachment was scrubbed... Name: ReneLecoeur.key Type: application/pgp-keys Size: 589 bytes Desc: not available Url : /pipermail/attachments/20050114/f23b4530/ReneLecoeur.key From pm at linuxindia.org Fri Jan 14 15:09:09 2005 From: pm at linuxindia.org (Parag Mehta) Date: Fri Jan 14 15:41:29 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050113145834.GC25632@jabberwocky.com> References: <20041229191739.GK30683@jabberwocky.com> <200412292036.VAA00953@vulcan.xs4all.nl> <20041230012239.GT30683@jabberwocky.com> <20041230041200.GW30683@jabberwocky.com> <20050112215837.GA25136@jabberwocky.com> <87brbt23p7.fsf@wheatstone.g10code.de> <20050113145834.GC25632@jabberwocky.com> Message-ID: <41E7D285.7070506@linuxindia.org> Hi David David Shaw said the following on 1/13/2005 6:58 AM: > On Thu, Jan 13, 2005 at 08:22:44AM +0100, Werner Koch wrote: > That's a good point. I'll take a look at moving gpgkeys_mailto to C, > but I'll need a few volunteers to help test the win32 part. I don't > have easy access to a win32 box any longer. I volunteer for testing the gpgkeys_mailto, since i have win box on my machine. let me know. ~Parag From markivs2003 at yahoo.com Fri Jan 14 15:14:05 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Fri Jan 14 16:10:51 2005 Subject: signing and encrypting newbie question Message-ID: <20050114141405.76351.qmail@web50705.mail.yahoo.com> Hello, I am a very new to PGP. So please bare with my question if it is really simple. I am working on a project where I need to put some signed encrypted files on an ftp site and our customer will ftp it from there. Here is what they want me to do. Please let me know if it is do-able. We have already exchanged our public keys. Their public key is added to our key ring. Before placing the files on our ftp site for their retrieval, customer wants me to SIGN the files with our public key and ENCRYPT it using their public key. Please let me know if this is doable and if it makes sense. If so can some one how it can be done? I know how to encrypt the files but I don't understand how to encrypt and sign the files. Thanks a lot in advance. For just encryption this is what I tried(it works): gpg --recipient "XXX" --output $rootpath\\$filepgp --encrypt $rootpath\\encrypted\\$file`; -Mark __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From patrick.marquetecken at pandora.be Fri Jan 14 15:29:19 2005 From: patrick.marquetecken at pandora.be (Patrick Marquetecken) Date: Fri Jan 14 16:31:54 2005 Subject: GNupg not working on tru64 Message-ID: <20050114152919.00006c1c@SXPBELUX.NET> Hi, We have installed gnupg-1.0.7.Tru64-v5.1A on a HP True 65 5.1 and it won't encrypt, it starts but never ends. We have tried precompiled sources, compiled the source itselve but the result is always the same. I don't seem to find a random_seed file coud this be the problem? I have the idee that gnupg is something missing. TIA Patrick From markh at compro.net Fri Jan 14 15:47:32 2005 From: markh at compro.net (Mark Hounschell) Date: Fri Jan 14 16:32:38 2005 Subject: gnupg interferance? Message-ID: <41E7DB84.4060100@compro.net> I have a very strange problem that appears to have something to do with gnupg. First I'll tell you I know nothing about gnupg. I am running SuSE 9.2 BTW. I don't clain to know much about how X and kde get started but if there is a .gnupg directory present in my home directory and I am logging it at the console via KDM, my kde session appears to start via the following command: gpg-agent --daemon --no-detach --keep-display ssh-agent /etc/X11/xinit/xinitrc If the .gnupg directory does not exsist my session starts with the following command: ssh-agent /etc/X11/xinit/xinitrc Whenn my session starts via the gpg-agent, no realtime signals can be received by any of my applications. If I move the .gnupg directory aside and re-login via KDM I can receive realtime signals from within my applications until such time as this .gnupg directory mysteriously reappears. Also if I login from run level 3 or just ssh into the box, my applications receive realtime signals OK. The contents of that .gnupg directory are: markh@harley:~> ls -Ral .gnupg/ .gnupg/: total 24 drwx------ 3 markh users 4096 2005-01-12 16:01 . drwxr-xr-x 47 markh users 4096 2005-01-12 16:04 .. -rw------- 1 markh users 8538 2005-01-12 10:11 gpg.conf drwx------ 2 markh users 4096 2005-01-12 15:59 private-keys-v1.d -rw------- 1 markh users 0 2005-01-12 10:11 pubring.gpg .gnupg/private-keys-v1.d: total 8 drwx------ 2 markh users 4096 2005-01-12 15:59 . drwx------ 3 markh users 4096 2005-01-12 16:01 .. I have not modified anything in this directory. I am very confused as to why anything concerning gnupg could affect the recept of realtime signals within an application. A simple sample application that fails to recieve a realtime signal is follows: #include #include #include long i; /* global variables */ void SIGhandler(int); /* RT-SIGNAL handler */ void SIGhandler(int sig) { i = 1; } int main(void) { printf("About to send signal\n"); signal(SIGRTMIN + 5, SIGhandler); /* setup handler */ raise(SIGRTMIN + 5); /* fire the signal */ if (i == 1) { printf("We received out signal\n"); } else { printf("We did not receive the signal Oops...\n"); } exit(0); } I have duplicated this on multiple SuSE-9.2 machines. What causes this directory to be re-created days after I move it aside? How could gnupg affect my environment such that applications I execute cannot receive realtime signals. The same program using SIGUSR1 or SIGUSR2 will function ok? It seems only realtime signals are affected? markh@harley:~> rpm -qa | grep gpg gpg2-1.9.10-3 gpg-1.2.5-3 gpgme-0.9.0-2 libgpg-error-0.7-6 libgpg-error-devel-0.7-6 gpg-pubkey-9c800aca-40d8063e gpg-pubkey-3d25d3d9-36e12d04 Thanks and regards confused Mark From shaun.lipscombe at gmsl.co.uk Fri Jan 14 16:38:22 2005 From: shaun.lipscombe at gmsl.co.uk (Shaun Lipscombe) Date: Fri Jan 14 17:15:38 2005 Subject: signing and encrypting newbie question In-Reply-To: <20050114141405.76351.qmail@web50705.mail.yahoo.com> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> Message-ID: <20050114153822.GA21644@mail.gasops.co.uk> * Mark Ivs wrote: > Hello, > I am a very new to PGP. So please bare with my > question if it is really simple. > > I am working on a project where I need to put some > signed encrypted files on an ftp site and our customer > will ftp it from there. > > Here is what they want me to do. Please let me know if > it is do-able. > > We have already exchanged our public keys. Their > public key is added to our key ring. Before placing > the files on our ftp site for their retrieval, > customer wants me to SIGN the files with our public > key and ENCRYPT it using their public key. Doesn't make sense signing the files with your public key since the only person able to verify them would be you.. you sign with your private key. gpg --sign will sign the file with your private key gpg --clearsign will sign the file and leave it in an ascii format (you didn't say wether the files are binary or ascii) so use whichever you need. to encrypt and sign its gpg --encrypt --sign --recipient 'blah' From shaun.lipscombe at gmsl.co.uk Fri Jan 14 16:55:05 2005 From: shaun.lipscombe at gmsl.co.uk (Shaun Lipscombe) Date: Fri Jan 14 17:15:43 2005 Subject: Encrypt & Sign Message-ID: <20050114155504.GC21644@mail.gasops.co.uk> Is there any particular reason why one must be done before the other? I.E. Sign & Encrypt over Encrypt & Sign. Does signing encrypted data help people determin the key for example (just guessing) From shaun.lipscombe at gmsl.co.uk Fri Jan 14 16:39:57 2005 From: shaun.lipscombe at gmsl.co.uk (Shaun Lipscombe) Date: Fri Jan 14 17:15:50 2005 Subject: signing and encrypting newbie question In-Reply-To: <20050114141405.76351.qmail@web50705.mail.yahoo.com> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> Message-ID: <20050114153957.GB21644@mail.gasops.co.uk> * Mark Ivs wrote: > Hello, > I am a very new to PGP. So please bare with my > question if it is really simple. Also... if you are just looking for a way to use FTP in a secure manner then perhaps what you are doing is overkill and you can look at sFTP , FTP over SSL, or using ssh to create a tunnel to secure the two FTP channels. Just an idea. From dshaw at jabberwocky.com Fri Jan 14 17:25:59 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 14 17:56:58 2005 Subject: Encrypt & Sign In-Reply-To: <20050114155504.GC21644@mail.gasops.co.uk> References: <20050114155504.GC21644@mail.gasops.co.uk> Message-ID: <20050114162559.GA1003@jabberwocky.com> On Fri, Jan 14, 2005 at 03:55:05PM +0000, Shaun Lipscombe wrote: > Is there any particular reason why one must be done before the other? > > I.E. Sign & Encrypt over Encrypt & Sign. > > Does signing encrypted data help people determin the key for example > (just guessing) The reason is that by doing sign & encrypt (that is, sign a document and then encrypt the signed document) you protect the identity of the signer. There is no particular reason why one is better than the other, but generally people like the identity protection aspect of S&E. David From linux at codehelp.co.uk Fri Jan 14 17:14:29 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Jan 14 18:07:08 2005 Subject: signing and encrypting newbie question In-Reply-To: <20050114141405.76351.qmail@web50705.mail.yahoo.com> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> Message-ID: <200501141614.29622.linux@codehelp.co.uk> On Friday 14 January 2005 2:14 pm, Mark Ivs wrote: > Hello, > I am a very new to PGP. So please bare with my > question if it is really simple. > For just encryption this is what I tried(it works): > gpg --recipient "XXX" --output $rootpath\\$filepgp > --encrypt $rootpath\\encrypted\\$file`; You can use one operation, just add -s : gpg -asr 8F455606 -e qof-test.c (I usually use -a as well - I encrypt mostly text files.) When decrypted, this will print the validity of the signature at the end of the output. You can separate the two when decrypting: gpg --decrypt qof-test.c.asc > qof-test.c The file will be created and the signature validity displayed. More commonly, use two operations. Encrypt the file, then sign the encrypted file using gpg -ab -a outputs the signature in ASCII text -b creates a detached signature. You'll then have two files to send up. $ gpg -r 8F455606 -e qof-test.c $ gpg -ab qof-test.c.gpg $ ls -l qof* -rw-r--r-- 1 neil neil 2699 2005-01-14 16:01 qof-test.c -rw-r--r-- 1 neil neil 1743 2005-01-14 16:02 qof-test.c.gpg -rw-r--r-- 1 neil neil 189 2005-01-14 16:02 qof-test.c.gpg.asc qof-test.c.gpg qof-test.c.gpg.asc The .asc file is the signature, typically it's 189 bytes. You don't need to sign keys to verify the signature. Just download both files into the same directory and use: $ gpg --verify qof-test.c.gpg.asc gpg: Signature made Fri 14 Jan 2005 16:02:57 GMT using DSA key ID 28BCB3E3 gpg: Good signature from "Neil Williams (CodeHelp) " ... GnuPG will assume that qof-test.c.gpg is the file that has been signed. Once the signature is verified, the file can be decrypted: $ gpg --decrypt qof-test.c.gpg -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050114/23fc18d2/attachment.pgp From eddie at roosenmaallen.com Fri Jan 14 16:47:16 2005 From: eddie at roosenmaallen.com (Eddie Roosenmaallen) Date: Fri Jan 14 18:18:01 2005 Subject: signing and encrypting newbie question In-Reply-To: <20050114141405.76351.qmail@web50705.mail.yahoo.com> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> Message-ID: <41E7E984.6050901@roosenmaallen.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Mark, To sign the file using your own key, you just need to add --sign to the command, eg. gpg --recipient "XXX" --output $rootpath\\$filepgp - --encrypt --sign $rootpath\\encrypted\\$file` Peace, Eddie Roosenmaallen Mark Ivs wrote: > Hello, > I am a very new to PGP. So please bare with my > question if it is really simple. > > I am working on a project where I need to put some > signed encrypted files on an ftp site and our customer > will ftp it from there. > > Here is what they want me to do. Please let me know if > it is do-able. > > We have already exchanged our public keys. Their > public key is added to our key ring. Before placing > the files on our ftp site for their retrieval, > customer wants me to SIGN the files with our public > key and ENCRYPT it using their public key. > > Please let me know if this is doable and if it makes > sense. If so can some one how it can be done? I know > how to encrypt the files but I don't understand how to > encrypt and sign the files. Thanks a lot in advance. > > For just encryption this is what I tried(it works): > gpg --recipient "XXX" --output $rootpath\\$filepgp > --encrypt $rootpath\\encrypted\\$file`; > > -Mark > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB5+mEtGGqbMwazQURArvrAKCe+IJ2yEKJ6+F15D2HrH/1LJW7lQCePkin yxMvBxNBMSleAoTtvvy6ZwA= =h6hf -----END PGP SIGNATURE----- From fox3ec208 at wideopenwest.com Fri Jan 14 17:54:38 2005 From: fox3ec208 at wideopenwest.com (fox3ec208@wideopenwest.com) Date: Fri Jan 14 18:25:58 2005 Subject: signing and encrypting newbie question In-Reply-To: <20050114153957.GB21644@mail.gasops.co.uk> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> <20050114153957.GB21644@mail.gasops.co.uk> Message-ID: <200501141154.42477.fox3ec208@wideopenwest.com> On Friday 14 January 2005 10:39, Shaun Lipscombe wrote: > * Mark Ivs wrote: > > Hello, > > I am a very new to PGP. So please bare with my > > question if it is really simple. > > Also... if you are just looking for a way to use FTP in a secure manner > then perhaps what you are doing is overkill and you can look at sFTP , > FTP over SSL, or using ssh to create a tunnel to secure the two FTP > channels. Also, if you are indeed going to use FTP ascii armor the encryption -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050114/e703bbb1/attachment.pgp From shaun.lipscombe at gmsl.co.uk Fri Jan 14 18:28:34 2005 From: shaun.lipscombe at gmsl.co.uk (Shaun Lipscombe) Date: Fri Jan 14 18:26:38 2005 Subject: signing and encrypting newbie question In-Reply-To: <200501141614.29622.linux@codehelp.co.uk> References: <20050114141405.76351.qmail@web50705.mail.yahoo.com> <200501141614.29622.linux@codehelp.co.uk> Message-ID: <20050114172834.GA24738@mail.gasops.co.uk> * Neil Williams wrote: > More commonly, use two operations. Encrypt the file, then sign the encrypted > file using > > gpg -ab > Why is it you cant use clearsign and encrypt at the same time if the file is text and you want it signed THEN encrypted? From wk at gnupg.org Fri Jan 14 18:39:22 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 18:35:27 2005 Subject: GNupg not working on tru64 In-Reply-To: <20050114152919.00006c1c@SXPBELUX.NET> (Patrick Marquetecken's message of "Fri, 14 Jan 2005 15:29:19 +0100") References: <20050114152919.00006c1c@SXPBELUX.NET> Message-ID: <87fz13vrjp.fsf@wheatstone.g10code.de> On Fri, 14 Jan 2005 15:29:19 +0100, Patrick Marquetecken said: > We have installed gnupg-1.0.7.Tru64-v5.1A on a HP True 65 5.1 and it won't encrypt, it starts but never ends. You need to ask the vendor ;-) > We have tried precompiled sources, compiled the source itselve but the result is always the same. > I don't seem to find a random_seed file coud this be the problem? > I have the idee that gnupg is something missing. I don't know how thisn version has been configured, but given that it is free software you have all sources and required tools to build it. So you can check. The random-seed is not required but a cache gpg creates if possible. You might want to fire up truss to see what files gpg opens. My guess is that it has been configured for use with EGD and you have not installed it or the socket has the wrong permissions. If it is not a workstation you should generate some disk activity (e.g. running: fdisk /usr -print) to hel the entropy gatherer. Shalom-Salam, Werner From wk at gnupg.org Fri Jan 14 19:07:29 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 19:05:24 2005 Subject: gnupg interferance? In-Reply-To: <41E7DB84.4060100@compro.net> (Mark Hounschell's message of "Fri, 14 Jan 2005 09:47:32 -0500") References: <41E7DB84.4060100@compro.net> Message-ID: <87brbrvq8u.fsf@wheatstone.g10code.de> On Fri, 14 Jan 2005 09:47:32 -0500, Mark Hounschell said: > I have duplicated this on multiple SuSE-9.2 machines. What causes this > directory to be re-created days after I move it aside? How could gnupg No idea. > affect my environment such that applications I execute cannot receive > realtime signals. The same program using SIGUSR1 or SIGUSR2 will You probably inherited a blocking mask with those signals blocked. Use sigprocmask to unblock the signal. Salam-Shalom, Werner From wk at gnupg.org Fri Jan 14 19:11:13 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 19:10:29 2005 Subject: Encrypt & Sign In-Reply-To: <20050114162559.GA1003@jabberwocky.com> (David Shaw's message of "Fri, 14 Jan 2005 11:25:59 -0500") References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114162559.GA1003@jabberwocky.com> Message-ID: <877jmfvq2m.fsf@wheatstone.g10code.de> On Fri, 14 Jan 2005 11:25:59 -0500, David Shaw said: > signer. There is no particular reason why one is better than the > other, but generally people like the identity protection aspect of There is one reason: If you store texts in the clear you still can keep the signature intact. If you encrypt and sign then this won't be possible. To implement that you should - for practical reasons - not use the combined method of gpg but the standard PGP/MIME method of encrypting an PGP/MIME signed message. Shalom-Salam, Werner From wk at gnupg.org Fri Jan 14 19:14:31 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 19:10:38 2005 Subject: unconvertable chars display glitches In-Reply-To: <20050114091946.GA29125@oreka.com> (Alain Bench's message of "Fri, 14 Jan 2005 10:19:46 +0100 (CET)") References: <20050114091946.GA29125@oreka.com> Message-ID: <873bx3vpx4.fsf@wheatstone.g10code.de> On Fri, 14 Jan 2005 10:19:46 +0100 (CET), Alain Bench said: > UTF-8 special chars: An '?' (e acute) and a '?' (oe ligature). Perfect > display in a locale having both chars, like with CP-1252 charset: That is due to wrong aliasing Latin-1 to CP-1252; it has already been removed in the CVS version. > - The warning line about failed conversion may perhaps not be really > necessary in such simple unconvertability case: The \hex display of raw > UTF-8 may well be sufficient? We can't do anything about it. The warning is issued from deep inside of gpg and not while printing the user ID. Thanks, Werner From wk at gnupg.org Fri Jan 14 19:16:33 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 14 19:15:27 2005 Subject: Non gpgusers compatibility In-Reply-To: <1105635811.41e6a9e3468a5@webmail.numericable.fr> (npellegr@numericable.fr's message of "Thu, 13 Jan 2005 18:03:31 +0100") References: <87k6qhxvel.fsf@wheatstone.g10code.de> <1105635811.41e6a9e3468a5@webmail.numericable.fr> Message-ID: <87y8evub9a.fsf@wheatstone.g10code.de> On Thu, 13 Jan 2005 18:03:31 +0100, npellegr said: > Is there any X509 compatibility ? (even if the certificate'd be autosigned > anyway ...) No. There is X.509 and there is OpenPGP. They are not compatible in any way. The only thing you could do is to use the same key material and create an X.509 certificate (or well 2, one for signing and one for encryption) and an OpenPGP certificate. However this does only make sense if you have limited storage space for the private key. Salam-Shalom, Werner From vishalrao at gmail.com Fri Jan 14 18:49:38 2005 From: vishalrao at gmail.com (Vishal Rao) Date: Fri Jan 14 19:46:20 2005 Subject: Encrypt & Sign In-Reply-To: <20050114162559.GA1003@jabberwocky.com> References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114162559.GA1003@jabberwocky.com> Message-ID: On Fri, 14 Jan 2005 11:25:59 -0500, David Shaw wrote: > The reason is that by doing sign & encrypt (that is, sign a document > and then encrypt the signed document) you protect the identity of the > signer. There is no particular reason why one is better than the > other, but generally people like the identity protection aspect of > S&E. Also, is there a legal significance of signing clear data rather than encrypted data? (Signer clearly knows what he signed) With OpenPGP or PKI? -- "Thou shalt not follow the null pointer for at it's end madness and chaos lie." From dshaw at jabberwocky.com Fri Jan 14 20:10:01 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Fri Jan 14 20:06:49 2005 Subject: Encrypt & Sign In-Reply-To: References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114162559.GA1003@jabberwocky.com> Message-ID: <20050114191001.GA1160@jabberwocky.com> On Fri, Jan 14, 2005 at 11:19:38PM +0530, Vishal Rao wrote: > On Fri, 14 Jan 2005 11:25:59 -0500, David Shaw wrote: > > The reason is that by doing sign & encrypt (that is, sign a document > > and then encrypt the signed document) you protect the identity of the > > signer. There is no particular reason why one is better than the > > other, but generally people like the identity protection aspect of > > S&E. > > Also, is there a legal significance of signing clear data rather than > encrypted data? (Signer clearly knows what he signed) With OpenPGP or > PKI? Maybe, maybe not. It depends on what you can persuade the legal system where it happened what the significance of it should be ;) David From markivs2003 at yahoo.com Fri Jan 14 22:24:06 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Fri Jan 14 22:20:45 2005 Subject: Signing files Message-ID: <20050114212406.13259.qmail@web50707.mail.yahoo.com> Hello, Can you llease clarify this... Lets say, I have GnuPG installed in machine A. I created a public key from machine A and I sent it to my customer. I received their Public key also. I need to encrypt and sign the files and put it in my ftp site and my customer will ftp it from there. I am going to encrypt the files using their public key and sign it using my private key. The problem is, this encryption program will run on Machine B. I have installed GnuPG in Machine B also. I am thinking I can add the public key created from Machine A to my key ring in Machine B. I know the passphrase for the key I generated from Machine A. For me to sign the files, do I need anything else from Machine A? private key or other files?? Please let me know. Thanks in advance. -Mark __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From atom at suspicious.org Fri Jan 14 21:32:05 2005 From: atom at suspicious.org (Atom 'Smasher') Date: Fri Jan 14 22:24:12 2005 Subject: Encrypt & Sign In-Reply-To: References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114162559.GA1003@jabberwocky.com> Message-ID: <20050114202800.8470.qmail@suspicious.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 14 Jan 2005, Vishal Rao wrote: > Also, is there a legal significance of signing clear data rather than > encrypted data? (Signer clearly knows what he signed) With OpenPGP or > PKI? =================== in a techno-philosophical sense, you never *really* know what you're signing unless you do the math by hand... Why Digital Signatures Are Not Signatures http://www.schneier.com/crypto-gram-0011.html#1 - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Simply stated, there is no doubt that Saddam Hussein now has weapons of mass destruction." -- Dick Cheney, 26 August 2002 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB6CxLAAoJEAx/d+cTpVciZgcIAJONVCQlta5IAVlaK8WXfy4R Pazcy/3NPMigo03fadLUqxJH/gaZ8kOd48F7YQPv4aQ1kU5ltiyJV8SrCMkg2wn1 wPR5rdPh0cgemrNQyOFwxVNdYqgkORnDxJ/H5hQ9jyFGHJCSmbTrbVwS0GN/SImm EsLuzYljZ7KayUblyn/3Hkb8glMPnYt4LGnSC3OXPzlz2yYDH3jtiNs3Mpn+xmkd 6Qen4FGZyOSZIVYS8DvHff8cAz5mre08oElltHOYAFYevA31VfhplUMKfHLGm9di t4PIfBzotaaGOX0niWvRwwZoQNaEbZiU2My5z0UHpgi8/M68xR7X2vtQ+IjlWMY= =ZrSt -----END PGP SIGNATURE----- From fox3ec208 at wideopenwest.com Fri Jan 14 22:36:08 2005 From: fox3ec208 at wideopenwest.com (fox3ec208@wideopenwest.com) Date: Fri Jan 14 22:32:59 2005 Subject: Signing files In-Reply-To: <20050114212406.13259.qmail@web50707.mail.yahoo.com> References: <20050114212406.13259.qmail@web50707.mail.yahoo.com> Message-ID: <200501141636.15124.fox3ec208@wideopenwest.com> On Friday 14 January 2005 16:24, Mark Ivs wrote: > Hello, > Can you llease clarify this... > > Lets say, I have GnuPG installed in machine A. I > created a public key from machine A and I sent it to > my customer. I received their Public key also. > > I need to encrypt and sign the files and put it in my > ftp site and my customer will ftp it from there. > I am going to encrypt the files using their public key > and sign it using my private key. > > The problem is, this encryption program will run on > Machine B. I have installed GnuPG in Machine B also. I > am thinking I can add the public key created from > Machine A to my key ring in Machine B. I know the > passphrase for the key I generated from Machine A. For > me to sign the files, do I need anything else from > Machine A? private key or other files?? > > Please let me know. Thanks in advance. > You should NEVER exchange any thing but PUBLIC keys! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050114/e71cc14d/attachment.pgp From linux at codehelp.co.uk Fri Jan 14 23:48:14 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Fri Jan 14 23:44:16 2005 Subject: Signing files In-Reply-To: <20050114212406.13259.qmail@web50707.mail.yahoo.com> References: <20050114212406.13259.qmail@web50707.mail.yahoo.com> Message-ID: <200501142248.17149.linux@codehelp.co.uk> On Friday 14 January 2005 9:24 pm, Mark Ivs wrote: > Hello, > Can you llease clarify this... > > Lets say, I have GnuPG installed in machine A. I > created a public key from machine A and I sent it to > my customer. I received their Public key also. Don't forget, when you create a key you create a secret key too - that's what signs the file and you never need to send that to anyone. The public key is sufficient to verify the signature without being able to create it. > I need to encrypt and sign the files and put it in my > ftp site and my customer will ftp it from there. Home machine: has your keypair, public and secret and the public key for the customer. Sign and encrypt the files here. FTP host: No need to install GnuPG, just copy the signed and encrypted files to that machine. Customer: Downloads the files using FTP to his local machine. His copy of your PUBLIC key verifies the signature, his SECRET key decrypts the contents. If I signed and encrypted an email to you, I'd sign and encrypt it here where both my public and secret keys exist. None of the servers in between need know anything about GnuPG to handle the email, it just gets copied around (intact) from one to another until it arrives in your inbox. You then verify the signature on the email using a copy of my public key and you decrypt the contents using your secret key. That's all there is to it. > I am going to encrypt the files using their public key > and sign it using my private key. You sign it on your local machine and send it to the FTP site already signed. The FTP server does NOT need to do anything to the file(s) except make it available. > > The problem is, this encryption program will run on > Machine B. ? So? That doesn't stop you signing the files on your local machine (whichever that is) and sending the files signed! Signed files only need GnuPG when they need to be verified - i.e. by the recipient. The server knows nothing about GnuPG and that's the way it should stay. > I have installed GnuPG in Machine B also. I > am thinking I can add the public key created from > Machine A to my key ring in Machine B. No need. The files are already signed and encrypted, the machines in between don't need to know anything about the contents of the file or the encryption. The customer already has your public key, that's all that is required. Keep your secret key where it is and sign the files on that machine. > I know the > passphrase for the key I generated from Machine A. For > me to sign the files, do I need anything else from > Machine A? Sign the files ON Machine A! There is no reason to sign anywhere else. Sign where the secret key was created, don't copy the secret key to any remote machines and copy the files to the FTP server, already signed. > private key or other files?? > > Please let me know. Thanks in advance. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050114/83375d92/attachment.pgp From linux at codehelp.co.uk Sat Jan 15 00:30:10 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 15 00:26:20 2005 Subject: Encrypt & Sign In-Reply-To: <20050114202800.8470.qmail@suspicious.org> References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114202800.8470.qmail@suspicious.org> Message-ID: <200501142330.12875.linux@codehelp.co.uk> On Friday 14 January 2005 8:32 pm, Atom 'Smasher' wrote: > On Fri, 14 Jan 2005, Vishal Rao wrote: > > Also, is there a legal significance of signing clear data rather than > > encrypted data? (Signer clearly knows what he signed) With OpenPGP or > > PKI? > > =================== > > in a techno-philosophical sense, you never *really* know what you're > signing unless you do the math by hand... That's disingenious Atom - the premise of the article is a rogue program. Isn't that why we use free software? That's why we verify GnuPG carefully before installing, why we have the source code to inspect to allay precisely these fears. Despite what the article says, it is NOT possible for someone else to sign this email with this key. Anyone who has had their key signed by my key(s) will be able to determine that I consented to the signature made on this email and it's content. The whole point of the WoT is to tie the person to the key. Tying the person to the key ties the person to the computer used to access the key and hence the circle is complete. I would challenge anyone to prove that I did not sign and consent to the precise and complete content of the signed component of this message. Just because someone else can create a *similar* key with no passphrase that can be used to sign anything, doesn't mean that MY signature is any less valid. It relies on my key being trusted. A false key can never duplicate the trust - that is why there was so much discussion about the GD keyserver, anything that affects key signatures is of concern. The WoT is fundamental to how GnuPG and PGP work. If the GD had threatened to weaken the WoT, the fuss was fully justified. As it happens, the discussion has still raised important issues. > Solving this problem requires a trusted signing computer Not true. It requires trust in the key and the person identified in the key. It also requires that you update that key to check for revocation. I can sign my email from any computer to which I copy my secret key. Part of trusting a key is trusting that the key holder won't do something stupid like copy their secret key to a public location. That's why face-to-face verification is so useful, it allows time to discuss issues and make that assessment. All that is needed to be trusted is the key holder - that s/he can be trusted to manage their key properly and carefully and to take reasonable precautions against leaving their secret key somewhere that anyone else has access. > Digital signatures prove, mathematically, that a secret value known as the > private key was present in a computer at the time Alice's signature was > calculated. It is a small step from that to assume that Alice entered that > key into the computer at the time of signing. But it is a much larger step > to assume that Alice intended a particular document to be signed. That step is covered by revocation. > Because the computer is not trusted, I cannot rely on it to show me what it > is doing or do what I tell it to. The computer does not need to be trusted, it's the keyholder and his/her behaviour that is trusted by those who have signed the key. Both parties can trust the code because the code can be inspected. > And > without a tamperproof computer trusted by Alice, Access to the secret key doesn't equate to compromise of the key - there's still the passphrase. Or is he asserting that a keyboard sniffer is also required now? How's that different to someone copying a written signature and taking measures, in advance, to get a usable copy? > you can expect "digital > signature experts" to show up in court contesting a lot of digital > signatures. All he's saying, in a lengthy and confused fashion, is that you can't trust a signature made by an untrusted key. Wow, big news. The key isn't trusted, so why should you trust the signatures???? You can't! All these emails that show up in yellow in KMail (signature mathematically valid but key untrusted) - the signatures are nice but cannot be trusted as the key is untrusted. I sign emails because there are people out there who HAVE signed my key and had their key signed with mine. They are the only ones who can truly say that my signatures are genuine and reliable. They know me, they have all met me (those who are cross-signed) and all talked about how keys are handled and used. Others on this list will be able to trust my key because of people they have met. For everyone else (including you, Atom), my signatures are useful but cannot be used to prove that I sent it - only that the signature is valid but you cannot trust the key. It isn't enough that I can encrypt to those people, they need to know that it is ME sending the information, not just that someone has got their public key and chosen to encrypt the content with it. That's why I sign and encrypt to those people - I know only they can read it, they know only I could have sent it. None of that is possible without keysignings and the WoT. > Why Digital Signatures Are Not Signatures > http://www.schneier.com/crypto-gram-0011.html#1 It IS better than a physical signature - he makes the point himself that a written signature still has to be verified by an external authority - be it the person under oath or a handwriting expert - to prove that it is a genuine signature. Handwritten signatures are easily copied. Digital signatures cannot be copied. Having a perfect digital reproduction of my written signature could get you into all kinds of situations in my place. Having a perfect digital reproduction of my digital signature gets you nowhere. (Some people put images of their written signature in their keys - seemed crazy to me, as if trying to certify the key with a weaker form of verification!) If you've been signed by my key, my digital signature is better than any written signature. No-one can hide the content of this email from me before signing (as you can with paper), no-one can tamper with this email and change the content without the signature being broken (as you can with paper). You have to know me pretty well to recognise my written signature - I sign so many things it often changes (as my bank can testify)! Nothing is completely secure, but the combination of the WoT and digital signatures CAN be used to prove that a document was knowingly signed by an identifiable, physical person who has been independently verified by multiple other people and who is named in the key that made the signature. What paper signature can do the same? Of course this is a signature, it is a verifiable and tamper-proof seal created uniquely by me and which can be uniquely tied to me as a physical person - no matter what computers were used in the generation process. The fact that you are not currently one of those people who CAN trust my key is not for want of trying, you don't seem to have many signatures on your key. I'm doing my bit, are you? -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050114/9cbda653/attachment.pgp From xwck at oreka.com Sat Jan 15 01:17:10 2005 From: xwck at oreka.com (Alain Bench) Date: Sat Jan 15 12:29:56 2005 Subject: current charset guessing In-Reply-To: <87vfa49ft8.fsf@wheatstone.g10code.de> References: <20050103002657.GA32265@oreka.com> <874qhudcos.fsf@wheatstone.g10code.de> <20050107172334.GA14032@oreka.com> <87vfa49ft8.fsf@wheatstone.g10code.de> Message-ID: <20050115001710.GA31744@oreka.com> On Tuesday, January 11, 2005 at 3:54:43 PM +0100, Werner Koch wrote: > On Fri, 7 Jan 2005 18:23:34 +0100 (CET), Alain Bench said: >> fails on implicit charsets, ambiguous names, or platform specific >> spellings. > we would need to reimplement everything from libiconv or check whether > a proper libiconv is available. I assume you meant libcharset. Yes: Reimplement, or reuse it, use it if available, or even provide it. After all it's already squatting in the tarball: gnupg-1.4.0/intl/localcharset.c :-) But beware of the Win32 OEM/ANSI mismatch problem. >> nl_langinfo(CODESET) also needs sanitizing > this is something libiconv should care about Libcharset, yes. Also libiconv accepts some limited common aliases as parameters, and that helps, but not in all cases. A platform specific iconv *should* accept the same names that were output by its nl_langinfo(CODESET), or so I hope. Hybrid cases are complicated. Example: Allegedly some versions of AIX may report "IBM-850" CODESET. That's unknown to libiconv 1.9.2 who knows 4 aliases: | $ iconv -l | grep 850 | 850 CP850 IBM850 CSPC850MULTILINGUAL But on AIX, libcharset canonicalises "IBM-850" to "CP850" and reports this known name. >> "make check" also fails > changed to a warning. >> in CP-1252, not in Latin-1 > Removed that. >> there is a whole set of aliases [28591 =3D=3D L1] > I adapted that list and use it for Windows. Great! Thank you. :-) >> Libcharset seems to call GetACP() only, never GetConsoleOutputCP(). >> IIUC that would be false for console apps? > GetConsoleOutputCP is the correct thing to do but it does not harm to > fall back to getACP. I wonder how The Bat!=99 can make GetConsoleOutputCP() return 0 when needed. FreeConsole() to detach, or something like that? I wonder how to decide which function applies, OCP or ACP. I mean: Typically one gives 850 the other 1252. When you run in text mode, that's typically in a console: OEM CP 850 is good. But try to run GnuPG w32cli-1.4.0a in the default rxvt of MSYS-1.0.10. That rxvt is a Latin-1 terminal, but GetConsoleOutputCP() and GnuPG still report CP850, and of course umlauts are garbled (real key on keyservers): | $ gpg -vvv --list-keys BD7C8AA1 | pub 4096R/BD7C8AA1 2005-01-01 [expires: 2005-12-31] | uid Hans M=81ller | sub 4096R/0958388C 2005-01-01 [expires: 2005-12-31] | | gpg: using character set `CP850' | gpg: using PGP trust model Normally should be "M=FCller" (u umlaut). BTW I wonder why stdout/stderr are reordered. >> US-Ascii is not Latin-1. > we got a lot of complaints about these warnings from US people and it > seesm reasonable that many more machines are not configured properly > for Latin-1 than those who are explicitly using ascii. Tolerance for misconfigured systems is good, but maybe not at the cost of breaking legitimate usage, even rare. May I make two proposals: -1) Get rid of the warning message on simple display of unconvertable chars. Unconfigured locale people would see (faked here): | $ gpg -vvv --list-keys 0x882B59FD | gpg: using character set `ASCII' | gpg: using PGP trust model | pub 512D/882B59FD 2005-01-08 | uid Ren\xc3\xa9 Lec\xc5\x93ur No more annoying warning, but a strange accents display that may lead them to read the doc and fix locale. Doc may point to Sven Mascheck's site, and provide quick "export LANG=3Den_US" hint. -2) Make and document a special "novars" case: Where locale variables are applicable (not Win32), if all 3 of LC_ALL, LC_CTYPE, and LANG are unset, and so far guessed charset is US-Ascii, then charset =3D Latin-1. In -vvv mode, unconf guys would be hinted (again faked output): | $ gpg -vvv --list-keys "Ren=E9" | gpg: using character set `ISO-8859-1' novars fallback: see http://expla= nations | gpg: using PGP trust model | pub 512D/882B59FD 2005-01-08 | uid Ren=E9 Lec\xc5\x93ur No more annoying warning, and accents hopefully displayed at best possible, even in these adverse conditions. Harmless for normal guys. Bye! Alain. --=20 When you want to reply to a mailing list, please avoid doing so with Lotus Notes 5. This lacks necessary references and breaks threads. From markivs2003 at yahoo.com Sat Jan 15 18:26:00 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Sat Jan 15 18:22:41 2005 Subject: 2 ways of signing files Message-ID: <20050115172600.32106.qmail@web50706.mail.yahoo.com> Hello, I would like to know if there are 2 ways of signing. Please take a look at the following scenarios. Scenario 1: I add Blake's public key to my key ring. I can do the following 2 steps to edit and sign Blake's public key. 1. gpg --edit-key blake@cyb.org 2. Command> sign This will sign the key. So, now I can encrypt the file by doing the following... 'gpg --recipient "blake@cyb.org" --output $rootpath\\$filepgp --encrypt $rootpath\\encrypted\\$datafile` When Blake gets the encrypted file, does it mean that the file is also signed? Scenario 2: I can encrypt and sign by doing the following. 'gpg --recipient "XXX" --output $rootpath\\$filepgp --sign --encrypt $rootpath\\encrypted\\$datafile` Can someone please tell me if scenario 1 and 2 are basically doing the same thing? Thanks in advance. -Mark __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From dshaw at jabberwocky.com Sat Jan 15 19:06:34 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 15 19:03:24 2005 Subject: 2 ways of signing files In-Reply-To: <20050115172600.32106.qmail@web50706.mail.yahoo.com> References: <20050115172600.32106.qmail@web50706.mail.yahoo.com> Message-ID: <20050115180634.GH20414@jabberwocky.com> On Sat, Jan 15, 2005 at 09:26:00AM -0800, Mark Ivs wrote: > Hello, > I would like to know if there are 2 ways of signing. > Please take a look at the following scenarios. > > Scenario 1: > I add Blake's public key to my key ring. I can do the > following 2 steps to edit and sign Blake's public key. > 1. gpg --edit-key blake@cyb.org > 2. Command> sign > This will sign the key. So, now I can encrypt the file > by doing the following... > 'gpg --recipient "blake@cyb.org" --output > $rootpath\\$filepgp --encrypt > $rootpath\\encrypted\\$datafile` > > When Blake gets the encrypted file, does it mean that > the file is also signed? > > Scenario 2: > I can encrypt and sign by doing the following. > 'gpg --recipient "XXX" --output $rootpath\\$filepgp > --sign --encrypt $rootpath\\encrypted\\$datafile` > > Can someone please tell me if scenario 1 and 2 are > basically doing the same thing? No. They are completely different and unrelated. Scenario 1 is you signing Blake's key. Scenario 2 is you signing a document. The first is you making a statement about Blake's key. The second is you making a statement about the document you are encrypting. David From linux at codehelp.co.uk Sat Jan 15 19:18:30 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sat Jan 15 19:14:38 2005 Subject: 2 ways of signing files In-Reply-To: <20050115172600.32106.qmail@web50706.mail.yahoo.com> References: <20050115172600.32106.qmail@web50706.mail.yahoo.com> Message-ID: <200501151818.30837.linux@codehelp.co.uk> On Saturday 15 January 2005 5:26 pm, Mark Ivs wrote: > Hello, > I would like to know if there are 2 ways of signing. > Please take a look at the following scenarios. > > Scenario 1: > I add Blake's public key to my key ring. I can do the > following 2 steps to edit and sign Blake's public key. > 1. gpg --edit-key blake@cyb.org > 2. Command> sign > This will sign the key. Yes, the key, not the file. > So, now I can encrypt the file > by doing the following... > 'gpg --recipient "blake@cyb.org" --output > $rootpath\\$filepgp --encrypt > $rootpath\\encrypted\\$datafile` There is no command there to sign the file, it'll just be encrypted. You need to specify the -s or -b options etc. 'gpg -s --recipient "blake@cyb.org" --output $rootpath\\$filepgp --encrypt $rootpath\\encrypted\\$datafile` > > When Blake gets the encrypted file, does it mean that > the file is also signed? No. > > Scenario 2: > I can encrypt and sign by doing the following. > 'gpg --recipient "XXX" --output $rootpath\\$filepgp > --sign --encrypt $rootpath\\encrypted\\$datafile` You've specified --sign so it will be signed. > > Can someone please tell me if scenario 1 and 2 are > basically doing the same thing? No. Signing a key is nothing to do with signing a file. Before you sign a key you should verify the key under keysigning protocols. If you just want to sign it to encrypt to it (despite not being able to trust it), you can use a local signature. (non-exportable). -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050115/b3282579/attachment.pgp From xwck at oreka.com Sat Jan 15 14:36:15 2005 From: xwck at oreka.com (Alain Bench) Date: Sat Jan 15 19:36:27 2005 Subject: unconvertable chars display glitches In-Reply-To: <873bx3vpx4.fsf@wheatstone.g10code.de> References: <20050114091946.GA29125@oreka.com> <873bx3vpx4.fsf@wheatstone.g10code.de> Message-ID: <20050115133614.GA1192@oreka.com> On Friday, January 14, 2005 at 7:14:31 PM +0100, Werner Koch wrote: > On Fri, 14 Jan 2005 10:19:46 +0100 (CET), Alain Bench said: >> An '?' (e acute) and a '?' (oe ligature). Perfect display in a locale >> having both chars, like with CP-1252 charset > That is due to wrong aliasing Latin-1 to CP-1252 No: The said alias in GnuPG 1.4 was Win32-specific, while my example is on Woody. The -vvv line "gpg: using character set `CP1252'" confirms alias was not involved. Besides, this first part was an example of *good* display, only to later highlight the incorrect display on CP-857. >> The warning line about failed conversion may perhaps not be really >> necessary > We can't do anything about it. Ah zut. It is not helpfull, and sometimes fills the screen when printed repeatedly for each UID reprint (like in --list-sigs). BTW another minor glitch, on Woody, GnuPG 1.4, CP-1252 locale: | $ gpg -vvv --with-colons --list-keys "Ren?" | gpg: using character set `CP1252' | [...] | pub:-:512:17:FC713EC9882B59FD:2005-01-08:::-:Ren?? Lec?\x93ur ::scaSCA: --with-colons outputs UTF-8 bytes: Feature. But why is one byte \x93 escaped? 93 is printable in this locale. Bye! Alain. -- Mutt muttrc tip for mailing lists: set followup_to=yes and declare the list as - subscribe list@ddress if you are subscribed and don't want courtesy copy. - lists list@ddress if you are not subscribed or want a courtesy copy. From stefan at fuhrmann.homedns.org Sat Jan 15 19:24:04 2005 From: stefan at fuhrmann.homedns.org (stefan) Date: Sat Jan 15 21:44:50 2005 Subject: import keys from PGP 8.03 Message-ID: <1105813444.3668.5.camel@localhost.localdomain> Hello List, I'am trying to get the gnupg running on ubuntu Linux. I want to use Evolution as mail client. I have a PGP key that I had imported from PGP 8.03 to gnupg. And I can't encrypt or sign I got the message that the secure key is missing but when I have a look with "gpg --list-keys" all seems to be okay. What is wrong?? I tried gpa , but the gui comes up with the question if I want to create a key or not and then the gui stand complitily still. It seems that my imported key is not the default key. But I set it over the bash "gpg --default-key name" but here I get the possibility to write text. I can't see that my selected key is default. I want to use ubuntu as my desktop environment, it's made for this and I test it now. And it's important to me to get a running encrytion. Please, can someone help me with this issues?? tia stefan From mail at mark-kirchner.de Sat Jan 15 19:20:02 2005 From: mail at mark-kirchner.de (Mark Kirchner) Date: Sat Jan 15 22:00:43 2005 Subject: 2 ways of signing files In-Reply-To: <20050115172600.32106.qmail@web50706.mail.yahoo.com> References: <20050115172600.32106.qmail@web50706.mail.yahoo.com> Message-ID: <1528844565.20050115192002@mark-kirchner.de> Hi, On Saturday, January 15, 2005, 6:26:00 PM, Mark wrote: > I would like to know if there are 2 ways of signing. > Please take a look at the following scenarios. > > Scenario 1: > I add Blake's public key to my key ring. I can do the > following 2 steps to edit and sign Blake's public key. > 1. gpg --edit-key blake@cyb.org > 2. Command>> sign > This will sign the key. So, now I can encrypt the file > by doing the following... > 'gpg --recipient "blake@cyb.org" --output > $rootpath\\$filepgp --encrypt > $rootpath\\encrypted\\$datafile` > > When Blake gets the encrypted file, does it mean that > the file is also signed? No. You signed Blake's key, but not "$datafile". > Scenario 2: > I can encrypt and sign by doing the following. > 'gpg --recipient "XXX" --output $rootpath\\$filepgp > --sign --encrypt $rootpath\\encrypted\\$datafile` This time you signed "$datafile" (but not Blake's key). > Can someone please tell me if scenario 1 and 2 are > basically doing the same thing? Absolutely not. Signing a key (scenario 1) means: "I certify that this key belongs to Blake". You should (normally) do this only if you are _absolutely_ sure that the keyholder (in control of the (secret) key that says it belongs to "Blake") is really "Blake". Usually this involves meeting with Blake, checking government issued ID, verifing the fingerprint of the key and making sure that Blake is in control of the E-Mail-Adress that is associated with the user-id "Blake". Signing data (scenario 2) is used to make sure that no one (except yourself) can modify the signed data without your signature becoming invalid. HTH. Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From eocsor at gmail.com Sun Jan 16 02:04:02 2005 From: eocsor at gmail.com (Roscoe) Date: Sun Jan 16 03:00:14 2005 Subject: import keys from PGP 8.03 In-Reply-To: <1105813444.3668.5.camel@localhost.localdomain> References: <1105813444.3668.5.camel@localhost.localdomain> Message-ID: But does gpg --list-secret-keys say anything? My uneducated guess is that you only imported your public key. On Sat, 15 Jan 2005 19:24:04 +0100, stefan wrote: > Hello List, > > I'am trying to get the gnupg running on ubuntu Linux. I want to use > Evolution as mail client. > > I have a PGP key that I had imported from PGP 8.03 to gnupg. And I > can't encrypt or sign I got the message that the secure key is missing > but when I have a look with "gpg --list-keys" all seems to be okay. > What is wrong?? > > I tried gpa , but the gui comes up with the question if I want to create > a key or not and then the gui stand complitily still. > > It seems that my imported key is not the default key. But I set it over > the bash "gpg --default-key name" but here I get the possibility to > write text. I can't see that my selected key is default. > > I want to use ubuntu as my desktop environment, it's made for this and I > test it now. And it's important to me to get a running encrytion. > > Please, can someone help me with this issues?? > > tia > stefan > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From markivs2003 at yahoo.com Sun Jan 16 06:11:24 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Sun Jan 16 06:08:03 2005 Subject: auto sign files Message-ID: <20050116051124.39581.qmail@web50707.mail.yahoo.com> Hello, I have the following line in my perl script that signs and encrypt files. 'gpg --recipient "XXX" --output $rootpath\\$filepgp --sign --encrypt $rootpath\\encrypted\\$datafile` When I run the perl script from command prompt it asks me to enter the passphrase. When I enter the passphrase it signs and finally encrypts the files. That's all good. The problem is I need to run my perl script as a batch file through Windows NT scheduled task, which is scheduled to run few times a day. That means I cannot manually type the passphrase everytime. So, I was wondering if there is a way to enter the passphrase in the above gpg command itself. Or is there any other solution to this problem? I believe others must have ran into this issue before, since it looks like a common problem. As always thank you soo much in advance. I am new to this group and this is one of the BEST group! -Mark __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From JPClizbe at comcast.net Sun Jan 16 06:39:35 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Sun Jan 16 07:10:16 2005 Subject: import keys from PGP 8.03 In-Reply-To: <1105813444.3668.5.camel@localhost.localdomain> References: <1105813444.3668.5.camel@localhost.localdomain> Message-ID: <41E9FE17.4000508@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 stefan wrote: > Hello List, > > I'am trying to get the gnupg running on ubuntu Linux. I want to use > Evolution as mail client. > > I have a PGP key that I had imported from PGP 8.03 to gnupg. And I > can't encrypt or sign I got the message that the secure key is missing > but when I have a look with "gpg --list-keys" all seems to be okay. > What is wrong?? cd to directory where your PGP keyring files are located: gpg --import secring.skr gpg --import pubring.pkr then for each key /pair/, ('gpg --list-secret-keys' should have some output now.) you'll need to set the key pair to Ulimate trust, this is analogous to PGP's 'Implicit Trust' Setting: gpg --edit-key 0xDecafBad trust 5 <-- '5' for ultimate y <-- 'y'es REALLY do it save <-- save chnages and exit > > I tried gpa , but the gui comes up with the question if I want to create > a key or not and then the gui stand complitily still. > > It seems that my imported key is not the default key. But I set it over > the bash "gpg --default-key name" but here I get the possibility to > write text. I can't see that my selected key is default. default-key is best set in your gpg.conf file. Ditto comment, keyserver, keyserver-options, default-recipient-self, /permanent/ encrypt-to settings, etc... - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Gir-r-r-r-rl" is like this Universal Gay term, like 'Aloha' or 'Shalom'. - Margaret Cho "Only the truly intelligent know when they are being stupid." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB6f4VHQSsSmCNKhARApaOAKD7hfIcqFtShKPjSB2ZqcnPKMwGqwCdHLdx o6CEz2eMPQ7HI3a7euEqxbU= =Y0cw -----END PGP SIGNATURE----- From linux at codehelp.co.uk Sun Jan 16 12:01:01 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Jan 16 11:57:02 2005 Subject: auto sign files In-Reply-To: <20050116051124.39581.qmail@web50707.mail.yahoo.com> References: <20050116051124.39581.qmail@web50707.mail.yahoo.com> Message-ID: <200501161101.03872.linux@codehelp.co.uk> On Sunday 16 January 2005 5:11 am, Mark Ivs wrote: > Hello, > I have the following line in my perl script that signs > and encrypt files. Signing is a personal act, that's why it requires a passphrase. If you want to sign automatically, use a non-personal key that doesn't have ANY passphrase set. You cannot trust any machine to sign FOR you, recording the passphrase in any form of script is simply insecure. There is no difference between using a passphrase in clear text in the script and using no passphrase at all! You wouldn't consider a key without a passphrase as secure - why do you think storing the passphrase in clear text is going to be OK? (Or do you keep your current passphrase on a post-it note on your monitor for everyone to read?) :-) You said nothing all through this about automating this process - you've talked only of signing files manually. It's a completely different issue. 1. You cannot sign a personal signature automatically (because you have to be there). 2. Any machine operated signature isn't worth verifying because the script will sign anything it's told to sign. A signature made by a script doesn't verify anything - it just means that the script is functioning. Anyone with authorised or unauthorised access to the machine can sign the files - no matter what they contain. You're not even doing this on a secure system, it's Windows! You have no idea if that box is already compromised. There could be someone with a trojan already available who could put their own files on that box and the script would sign the files!!! You'd be sending your customer a signed and encrypted TROJAN! Best of all, the attacker would have absolute anonymity because he'd be putting files on YOUR machine and using YOUR key! Explain to your 'customer' - the choices are: 1. Files are only encrypted, not signed at all. 2. Files are signed with a machine-only worthless signature. 3. Files are only released when you are awake. Any other option is untenable and explain why. Don't accept a customer who would be happy with the attack described above - s/he will quickly blame you if it happens and their machines get attacked via your poor signature process. If there's money involved, it's imperative that you do not open yourself to this risk - by not signing any files automatically - or s/he will have every reason to sue you for negligence. Do you have that kind of money? A signature made by a machine cannot be trusted because the key cannot be trusted - the machine will sign everything that is thrown at it. We've had this discussion before about the GD - people's trust models vary but that's mine. If you can't sign the file personally, don't sign the file at all. How often are these files changing? What on earth are you actually doing? > The problem is I need to run my perl script as a batch > file through Windows NT scheduled task, Why not make it easier for an attacker to find the passphrase by putting the passphrase and the secret key on your home page? This is NOT a secure way of using a key! > which is > scheduled to run few times a day. Then change the schedule. I do this every day - I let the script do everything up to the point where a signature is required for the final file. Then it waits and only proceeds if the signature file can be found and verified. Verifying a signature doesn't require the passphrase, just the public key. You can be notified or reminded by email, even SMS if you configure it (and pay for it IIRC). > That means I cannot > manually type the passphrase everytime. So, I was > wondering if there is a way to enter the passphrase in > the above gpg command itself. Or is there any other > solution to this problem? Not securely. > I believe others must have > ran into this issue before, since it looks like a > common problem. Only for those who don't have a clear understanding of security and the reasons for signing files. Decide clearly whether you want to sign these files : 1. as a person - in which case YOU need to be there. OR 2. as a script - in which case use a separate key and advise your customer that the signature is worse than useless should your machine be compromised. Naturally, you would assure your customer you would make every effort to prevent such an attack but that you cannot guarantee that the machine has NOT been attacked when the automated signature is made (because you won't be logged in at the time to check). The customer MUST be clear that this would be a MACHINE signature and it has NO correlation with you as an individual - or any other individual. You cannot be held personally responsible for the content of the signed files. (So what's the point?) If they are willing to accept that, they have only themselves to blame. To me, such signatures are worse than useless. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050116/c8d4ac09/attachment.pgp From Stefan at fuhrmann.homedns.org Sun Jan 16 15:03:28 2005 From: Stefan at fuhrmann.homedns.org (Stefan Fuhrmann) Date: Sun Jan 16 14:58:56 2005 Subject: import keys from PGP 8.03 Message-ID: <1105851478.3500.5.camel@localhost.localdomain> thanks for answering!!! I solved the Problem now. I failure was that I imported the keys over root Terminal. I just imported the keys with normal user account than I had to trust again. that was it. Cool-- now it works. thanks stefan ********************************* Interessed to a linux desktop distro?? Try http://ubuntulinux.org based on debian! Try the LIVE-CD. Booting from cdrom, no installation needed to have a look!! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Dies ist ein digital signierter Nachrichtenteil Url : /pipermail/attachments/20050116/2495d83e/attachment.pgp From markivs2003 at yahoo.com Sun Jan 16 19:06:44 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Sun Jan 16 19:03:32 2005 Subject: auto sign files In-Reply-To: <200501161101.03872.linux@codehelp.co.uk> Message-ID: <20050116180645.64707.qmail@web50705.mail.yahoo.com> Neil, Thank you for your detailed explanation of why it's very bad idea to sign it using a script. I am going to present the concerns to people involved and let them be fully aware of the risks. My guess is they are going to tell our customer that since this is an automated process, we can only encrypt it but not encrypt & sign. Earlier, I was thinking auto signing files was possible in a secure way after reading the documentation in the link below. http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 Is that FAQ question about auto-signing keys or auto-signing files? Can you please clarify? > If you want to > sign automatically, use a non-personal key that > doesn't have ANY passphrase set. What does that mean? > 2. as a script - in which case use a separate key > and advise your customer > that the signature is worse than useless should your > machine be compromised. Now that I understand the risks involved, I wouldn't use a script to auto sign files. But still I am curious to know how you would do it. Btw, I don't have my passphrase on a post-it note :) Thanks again. -M --- Neil Williams wrote: > On Sunday 16 January 2005 5:11 am, Mark Ivs wrote: > > Hello, > > I have the following line in my perl script that > signs > > and encrypt files. > > Signing is a personal act, that's why it requires a > passphrase. If you want to > sign automatically, use a non-personal key that > doesn't have ANY passphrase > set. You cannot trust any machine to sign FOR you, > recording the passphrase > in any form of script is simply insecure. There is > no difference between > using a passphrase in clear text in the script and > using no passphrase at > all! You wouldn't consider a key without a > passphrase as secure - why do you > think storing the passphrase in clear text is going > to be OK? > > (Or do you keep your current passphrase on a post-it > note on your monitor for > everyone to read?) > :-) > > You said nothing all through this about automating > this process - you've > talked only of signing files manually. It's a > completely different issue. > > 1. You cannot sign a personal signature > automatically (because you have to be > there). > 2. Any machine operated signature isn't worth > verifying because the script > will sign anything it's told to sign. > > A signature made by a script doesn't verify anything > - it just means that the > script is functioning. Anyone with authorised or > unauthorised access to the > machine can sign the files - no matter what they > contain. > > You're not even doing this on a secure system, it's > Windows! You have no idea > if that box is already compromised. There could be > someone with a trojan > already available who could put their own files on > that box and the script > would sign the files!!! You'd be sending your > customer a signed and encrypted > TROJAN! Best of all, the attacker would have > absolute anonymity because he'd > be putting files on YOUR machine and using YOUR key! > > Explain to your 'customer' - the choices are: > 1. Files are only encrypted, not signed at all. > 2. Files are signed with a machine-only worthless > signature. > 3. Files are only released when you are awake. > > Any other option is untenable and explain why. Don't > accept a customer who > would be happy with the attack described above - > s/he will quickly blame you > if it happens and their machines get attacked via > your poor signature > process. If there's money involved, it's imperative > that you do not open > yourself to this risk - by not signing any files > automatically - or s/he will > have every reason to sue you for negligence. Do you > have that kind of money? > > A signature made by a machine cannot be trusted > because the key cannot be > trusted - the machine will sign everything that is > thrown at it. > > We've had this discussion before about the GD - > people's trust models vary but > that's mine. > > If you can't sign the file personally, don't sign > the file at all. > > How often are these files changing? What on earth > are you actually doing? > > > The problem is I need to run my perl script as a > batch > > file through Windows NT scheduled task, > > Why not make it easier for an attacker to find the > passphrase by putting the > passphrase and the secret key on your home page? > This is NOT a secure way of > using a key! > > > which is > > scheduled to run few times a day. > > Then change the schedule. I do this every day - I > let the script do everything > up to the point where a signature is required for > the final file. Then it > waits and only proceeds if the signature file can be > found and verified. > > Verifying a signature doesn't require the > passphrase, just the public key. > > You can be notified or reminded by email, even SMS > if you configure it (and > pay for it IIRC). > > > That means I cannot > > manually type the passphrase everytime. So, I was > > wondering if there is a way to enter the > passphrase in > > the above gpg command itself. Or is there any > other > > solution to this problem? > > Not securely. > > > I believe others must have > > ran into this issue before, since it looks like a > > common problem. > > Only for those who don't have a clear understanding > of security and the > reasons for signing files. > > Decide clearly whether you want to sign these files > : > > 1. as a person - in which case YOU need to be there. > OR > 2. as a script - in which case use a separate key > and advise your customer > that the signature is worse than useless should your > machine be compromised. > > Naturally, you would assure your customer you would > make every effort to > prevent such an attack but that you cannot guarantee > that the machine has NOT > been attacked when the automated signature is made > (because you won't be > logged in at the time to check). > > The customer MUST be clear that this would be a > MACHINE signature and it has > NO correlation with you as an individual - or any > other individual. You > cannot be held personally responsible for the > content of the signed files. > (So what's the point?) > > If they are willing to accept that, they have only > themselves to blame. To me, > such signatures are worse than useless. > > -- > > Neil Williams > ============= > http://www.dcglug.org.uk/ > http://www.nosoftwarepatents.com/ > http://sourceforge.net/projects/isbnsearch/ > http://www.williamsleesmill.me.uk/ > http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 > > > ATTACHMENT part 1.2 application/pgp-signature > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > __________________________________ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 From linux at codehelp.co.uk Sun Jan 16 21:06:26 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Sun Jan 16 21:02:28 2005 Subject: auto sign files In-Reply-To: <20050116180645.64707.qmail@web50705.mail.yahoo.com> References: <20050116180645.64707.qmail@web50705.mail.yahoo.com> Message-ID: <200501162006.28709.linux@codehelp.co.uk> On Sunday 16 January 2005 6:06 pm, Mark Ivs wrote: > Earlier, I was thinking auto signing files was > possible in a secure way after reading the > documentation in the link below. > http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 > Is that FAQ question about auto-signing keys auto-signing keys is always a bad idea - how can you automate the keysigning verification? Only the PGP GD and robot keys have done that and the results are not always welcomed. By all means use automation to assist in keysigning protocols, I use the scripts from Peter Palfrader (cabot on Debian), but automation IMHO, should never replace personal verification and involvement. I've got various GnuPG automated environment scripts and processes - NONE have access to any secret keys. I can't think of a single situation where a secret key is actually necessary in an automated environment. There is always a better, more secure, method. Convenience is the nemesis of security. > or > auto-signing files? Can you please clarify? "You should use the option --batch and don't use passphrases as there is usually no way to store it more securely than on the secret keyring itself. " This is the use of keys without passphrases to which I referred. The FAQ clearly takes you through how to remove the passphrase. The consequences are as I mentioned - the signature in this case is merely asserting that the script is functioning. Anyone can create another key with the same details and sign their files - so it comes down to checking the fingerprint of the signing key. As you have no way of verifying the key against a person, if the website is hacked and the displayed fingerprint altered, users would have no way to know. The FAQ is clear on the risks: " It's also a good idea to install an intrusion detection system so that you hopefully get a notice of an successful intrusion, so that you in turn can revoke all the subkeys installed on that machine and install new subkeys. " i.e. automated environments require additional security layers, increased vigilance and egg-on-face apologies when they go wrong. Personally, I just don't think it's ever worth the risk - far better to copy the files to your machine, sign the files personally, then copy them to the public machine. Secret keys and public servers just don't mix. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050116/dcc36808/attachment.pgp From dshaw at jabberwocky.com Sun Jan 16 22:11:50 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 16 22:08:52 2005 Subject: auto sign files In-Reply-To: <20050116180645.64707.qmail@web50705.mail.yahoo.com> References: <200501161101.03872.linux@codehelp.co.uk> <20050116180645.64707.qmail@web50705.mail.yahoo.com> Message-ID: <20050116211150.GA25210@jabberwocky.com> On Sun, Jan 16, 2005 at 10:06:44AM -0800, Mark Ivs wrote: > Neil, > Thank you for your detailed explanation of why it's > very bad idea to sign it using a script. > I am going to present the concerns to people involved > and let them be fully aware of the risks. My guess is > they are going to tell our customer that since this is > an automated process, we can only encrypt it but not > encrypt & sign. > > Earlier, I was thinking auto signing files was > possible in a secure way after reading the > documentation in the link below. > http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 > Is that FAQ question about auto-signing keys or > auto-signing files? Can you please clarify? > > > If you want to > > sign automatically, use a non-personal key that > > doesn't have ANY passphrase set. > What does that mean? > > > 2. as a script - in which case use a separate key > > and advise your customer > > that the signature is worse than useless should your > > machine be compromised. > Now that I understand the risks involved, I wouldn't > use a script to auto sign files. > But still I am curious to know how you would do it. Hold on here... this is getting a little hysterical. There is nothing at all wrong with signing from a script, automated signing, or any variation thereof. Just like any signing, the crucial bit is to understand what you are doing, and why, and what the risks are. Once you have that understanding, determine if the risks are acceptable to you or not. Just as it is a mistake to relax your guard too much, it is also a mistake to be so secure that you can't actually get your work done. The risks of automated signing are mainly that someone may break into your machine and steal your key. They can then use this signature in various ways to impersonate the script that is making the signatures. Take a moment to think about why you want the setup you describe, and what would happen if the key was stolen. Remember that once the message leaves your unattended signing machine it is identical to the message that would leave the machine if you had 50 armed police officers guarding you as you typed in your 4-paragraph passphrase. David From dwerder at gmx.net Sun Jan 16 22:10:03 2005 From: dwerder at gmx.net (Dominik Werder) Date: Sun Jan 16 23:04:36 2005 Subject: gnupg and the windows command line Message-ID: Hello! I wonder how you tell the gpg command line tool on windows that you have finished typing and that it should start encrypting, Ctrl-D as EOF doesn't work, it just prints "^D".. thank you! Dominik From dshaw at jabberwocky.com Sun Jan 16 23:16:24 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sun Jan 16 23:13:16 2005 Subject: gnupg and the windows command line In-Reply-To: References: Message-ID: <20050116221624.GA26392@jabberwocky.com> On Sun, Jan 16, 2005 at 10:10:03PM +0100, Dominik Werder wrote: > Hello! > > I wonder how you tell the gpg command line tool on windows that you have > finished typing and that it should start encrypting, Ctrl-D as EOF doesn't > work, it just prints "^D".. Ctrl-Z, I believe. David From dwerder at gmx.net Sun Jan 16 23:53:57 2005 From: dwerder at gmx.net (Dominik Werder) Date: Sun Jan 16 23:48:27 2005 Subject: gnupg and the windows command line In-Reply-To: <20050116221624.GA26392@jabberwocky.com> References: <20050116221624.GA26392@jabberwocky.com> Message-ID: >> I wonder how you tell the gpg command line tool on windows that you have >> finished typing and that it should start encrypting, Ctrl-D as EOF >> doesn't >> work, it just prints "^D".. > > Ctrl-Z, I believe. Thanks! I'll try this :) bye! Dominik From JPClizbe at comcast.net Mon Jan 17 01:47:33 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Jan 17 01:44:17 2005 Subject: gnupg and the windows command line In-Reply-To: References: Message-ID: <41EB0B25.9060906@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dominik Werder wrote: > Hello! > > I wonder how you tell the gpg command line tool on windows that you have > finished typing and that it should start encrypting, Ctrl-D as EOF doesn't > work, it just prints "^D".. Ctrl-Z is the EOF on Windows. You may have to follow it with 'Enter'. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB6wskHQSsSmCNKhARAinZAJ9iCf+UNzljWgmpYrcIo2rDFVNizwCfUWYB eFYQ2GXK3Ch07HdMySUa4J8= =ML3l -----END PGP SIGNATURE----- From atom at smasher.org Mon Jan 17 01:02:13 2005 From: atom at smasher.org (Atom Smasher) Date: Mon Jan 17 01:54:05 2005 Subject: Encrypt & Sign In-Reply-To: <200501142330.12875.linux@codehelp.co.uk> References: <20050114155504.GC21644@mail.gasops.co.uk> <20050114202800.8470.qmail@suspicious.org> <200501142330.12875.linux@codehelp.co.uk> Message-ID: <20050116235755.14615.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 14 Jan 2005, Neil Williams wrote: >> in a techno-philosophical sense, you never *really* know what you're >> signing unless you do the math by hand... > > That's disingenious Atom - the premise of the article is a rogue > program. Isn't that why we use free software? That's why we verify GnuPG > carefully before installing, why we have the source code to inspect to > allay precisely these fears. ================= as a practical matter, you're mostly correct. as a nitty-gritty technical and philosophical matter there's still a gap. also, just because some of us use open source tools doesn't mean everyone does... and open source isn't magically secure. some people use gpg/pgp on shared machines, or machines that they don't have exclusive root access to. some people use public terminals to access their secure machine and their secret keys. there are plenty of things that could (in theory and practice) come between an individual and their key. it's the responsibility of key owners to make sure their keys aren't compromised. if keys are compromised then the responsible thing to do is revoke those keys. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- fascism: n. A system of government that exercises a dictatorship of the extreme right, typically through the merging of state and business leadership, together with belligerent nationalism. -- The American Heritage Dictionary, 1983 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB6wCKAAoJEAx/d+cTpVci1OIH/3mLV+RDpDcTVPg1d+z4I5TX FEQPrz3PTwqAs7N9BKrLMssjTq/iBuJzRwW7NRTK36mUz0JydEFFPww1VFUw0Z4T aXV0WKAXFSzu8DxkdPlDLZ2MXTvpoMJK5pB1G7ui8RvuW2CSn+ryzl1h/x1h3Rmm ayAJbdT5MD7Q8m+Qq0DHbLftCoIXs4jjyuKbNlg6NSJA1Bxeoqj7pYAyBaT6bvJL IJ7+Lg7lz1ERsgGiFCAF+5oH96rveCbHaZfh0psk7uwFgcFBZbPMKDo3ca+BbE9S JQ0cREIoso2q8ipxCDmX8qEDmktQKP+44FTkMRgiF7+ADTz7y6I3/mX9Cewdb5U= =2Lch -----END PGP SIGNATURE----- From dcc at sweetclicks.com Mon Jan 17 04:22:25 2005 From: dcc at sweetclicks.com (Darryl C. Conliffe) Date: Mon Jan 17 05:26:16 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <20050111160757.GC6496@jabberwocky.com> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> Message-ID: <41EB2F71.4040104@sweetclicks.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Shaw wrote: |On Tue, Jan 11, 2005 at 07:55:21AM -0500, Jason Markley wrote: | |>Here ya go....hope this helps..... | | |Ah, this is a win32-specific bug that was fixed already. The fix will |be part of 1.4.1. | Any idea when 1.4.1 is available? Is there a published list of known bugs in 1.4.0a? - -- Darryl Conliffe dcc@sweetclicks.com GPG Key: 0x531A10E6 Thunderbird ver 1.0 (20041206) - Enigmail ver 0.90.0.0 - GPG 1.4.0a http://www.biglumber.com/x/web?pk=8DEEF330010625DC5B4234EAB082AB73531A10E6 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB6y80sIKrc1MaEOYRAvLPAJ4sk1J8/bF2K3jlGyJGQlnk1NmTYwCfeYYJ ez1DX0MI6u67NRm357B6bNU= =iik9 -----END PGP SIGNATURE----- From torduninja at mail.pf Mon Jan 17 06:21:05 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Mon Jan 17 07:01:42 2005 Subject: GPG TO GO update Message-ID: <41EB4B41.1080701@mail.pf> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings, The GPG TO GO pages at http://www.torduninja.tk have been updated, and there's a download available which uses a version of GPG-1.4.0. This has been compiled to run from any removable medium, whatever drive letter this is assigned, with no need to specify the gnupg home directory in each command. There's also a mirror site at http://gpg2go.ifrance.com Salut Maxine - -- OpenPGP keys: http://www.torduninja.tk -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0-gpg2go (MingW32) iD8DBQFB60s9KBY/R6nbCcARAnR8AJ9wJ+0SbVts9mOORPCgA582k5zvMQCePDMU 7Ldnk8IB4+b1lY7M6epgH4I= =dv/7 -----END PGP SIGNATURE----- From thomas at tzis.net Mon Jan 17 16:58:22 2005 From: thomas at tzis.net (Thomas Zangl - Home) Date: Mon Jan 17 17:30:38 2005 Subject: How to handle multipart messages (RFC 2440) and verify them with GnuPG? Message-ID: Hi! I am currently writing some kind of parser which extracts and attemps to verify email messages signed / encrypted with GnuPG. Simple messages with just a plain/text body surrounded by a PGP signature work quite good. I now have got a more complex mail. Please see here: http://intern.tzi.dhs.org/gpg_test.txt I played around but I cannot extract the neccessary mime parts for verifying them with GnuPG. I always get "gpg: BAD signature from ..." I played around with the message but I did not yet figured it out which parts of the message are relevant for GnuPG (read: which parts are covered by the GnuPG signature). I would really appriciate any help :) I already spent 2 days with this :-/ (RFC 1847, 2015, 2440 and 3156 do not have such an example..) TIA! -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From sddoyle at attglobal.net Sun Jan 16 14:20:08 2005 From: sddoyle at attglobal.net (Stephen Doyle) Date: Mon Jan 17 17:57:13 2005 Subject: GPG 1.4.0 - GPA 0.7.0 - GPGME 1.0.2 Interactions Message-ID: <41EA6A08.3000201@attglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have installed GPG 1.4.0, and wanted to try out GPA, too. When I ./configure'd the GPA files, I got a compile error saying my install couldn't find GPGME, and it stopped. Specifically, the last 3 lines of the GPA config.log said: configure:8918: checking for GPGME - version >= 0.4.3 configure:8961: result: no configure:8963: error: Cannot find an up to date GPGME So I went back to the website, downloaded GPGME 1.0.2, and when I ./configure'd it, it died with the lines: configure:21760: checking for GPG Error - version >= 0.5 configure:21792: result: no configure:21794: error: libgpg-error was not found Is there a way around this? It appears that my system has a file called gpg-error in /usr/bin, and that's in the path. Thanks. Steve Doyle -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB6moIzEObbv7zSWMRApnYAKDXyO+Ea0USKpgCd5AvfavRDKwtwgCfYA5y 4HfhEy3zHee2S2RBEFaQ0Bs= =bcr+ -----END PGP SIGNATURE----- From wk at gnupg.org Mon Jan 17 18:22:43 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 17 18:20:26 2005 Subject: How to handle multipart messages (RFC 2440) and verify them with GnuPG? In-Reply-To: (Thomas Zangl's message of "Mon, 17 Jan 2005 16:58:22 +0100") References: Message-ID: <87acr8x95o.fsf@wheatstone.g10code.de> On Mon, 17 Jan 2005 16:58:22 +0100, "Thomas Zangl said: > I would really appriciate any help :) I already spent 2 days with this > :-/ (RFC 1847, 2015, 2440 and 3156 do not have such an example..) 2015 and 3156 do have such an example. Your code only contains another MIME container as signed part but that does'nt change anything for your parser. Recall that you need to keep track of the different boundaries; either by ignoring inner ones or by stacking them up. --===============1665861114== Signed material begin with the next line Content-Type: multipart/signed; protocol="application/pgp-sig micalg="pgp-sha1"; boundary="Signature=_Wed__21_Apr_2004_14_50_01_+0200_9MNZ --Signature=_Wed__21_Apr_2004_14_50_01_+0200_9MNZCzKQbjy2uvTB Content-Type: multipart/mixed; boundary="Multipart=_Wed__21_Apr_2004_14_50_01_+0200_3HRe --Multipart=_Wed__21_Apr_2004_14_50_01_+0200_3HRerX7GyNmeh+LG Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 7bit Hi! The attached patch fixes a bug when playing ogm files with su [...] --Multipart=_Wed__21_Apr_2004_14_50_01_+0200_3HRerX7GyNmeh+LG Content-Type: application/octet-stream; name="demux_ogg.c.patch" Content-Disposition: attachment; filename="demux_ogg.c.patch" Content-Transfer-Encoding: base64 SW5kZXg6IGxpYm1wZGVtdXgvZGVtdXhfb2dnLmMKPT09PT09PT09PT09PT09P09 [...] --Multipart=_Wed__21_Apr_2004_14_50_01_+0200_3HRerX7GyNmeh+LG-- Signed material ends with the previous line or to be exact just before the final line feed of that line. In other words: the linefeed before the next boundary belongs to the boundary an is not part of the signed material. --Signature=_Wed__21_Apr_2004_14_50_01_+0200_9MNZCzKQbjy2uvTB You may throw the follwiong part in its entire into gpg. Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAhm3+t65wZuOiwM0RAvGSAJ9hYixM+1Dr0h2+zcMi5rTMCBrdKgCg1dyg chI/5Uiw82YnoHhXnhcil6E= =wpqs -----END PGP SIGNATURE----- --Signature=_Wed__21_Apr_2004_14_50_01_+0200_9MNZCzKQbjy2uvTB-- gnupg 1.9 has an uncompleted tools/gpgparsemail.c which shows how to parse MIME encrypted or signed messages. Hth, Werner From wk at gnupg.org Mon Jan 17 18:25:21 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 17 18:25:25 2005 Subject: GPG 1.4.0 - GPA 0.7.0 - GPGME 1.0.2 Interactions In-Reply-To: <41EA6A08.3000201@attglobal.net> (Stephen Doyle's message of "Sun, 16 Jan 2005 14:20:08 +0100") References: <41EA6A08.3000201@attglobal.net> Message-ID: <87651wx91a.fsf@wheatstone.g10code.de> On Sun, 16 Jan 2005 14:20:08 +0100, Stephen Doyle said: > configure:21794: error: libgpg-error was not found > Is there a way around this? It appears that my system has a file called > gpg-error in /usr/bin, and that's in the path. You need the development package of gpg-error too; Under Debian that package is called libgpg-error-dev. Shalom-Salam, Werner From thomas at tzis.net Mon Jan 17 19:10:30 2005 From: thomas at tzis.net (Thomas Zangl - Home) Date: Mon Jan 17 19:06:49 2005 Subject: How to handle multipart messages (RFC 2440) and verify them with GnuPG? In-Reply-To: <87acr8x95o.fsf@wheatstone.g10code.de> Message-ID: On Mon, 17 Jan 2005 18:22:43 +0100, "Werner Koch" wrote: >2015 and 3156 do have such an example. Your code only contains >another MIME container as signed part but that does'nt change anything >for your parser. Recall that you need to keep track of the different >boundaries; either by ignoring inner ones or by stacking them up. Thank your for the example. I tried it but it does not work :-/ (I might remember that I already tried this because of an idea in the RFCs mentioned above). Here are the 2 files with which I play around: http://intern.tzi.dhs.org/test.sig http://intern.tzi.dhs.org/test.eml Command line for testing: gpg --verify D:\test.sig D:\test.eml (I always get: "gpg: BAD signature from ..") >gnupg 1.9 has an uncompleted tools/gpgparsemail.c which shows how to >parse MIME encrypted or signed messages. I will look at it. Thank you anyway :) -- ---------------------------------------------------------------- ,yours Thomas Zangl -thomas@tzi.dhs.org- -TZ1-6BONE- -http://tzi.dhs.org - http://www.borg-kindberg.ac.at Use YAMC! now! Get it at http://www.borg-kindberg.ac.at/yamc/ From markivs2003 at yahoo.com Mon Jan 17 19:28:28 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Mon Jan 17 19:25:14 2005 Subject: auto sign files In-Reply-To: <20050116211150.GA25210@jabberwocky.com> Message-ID: <20050117182828.32758.qmail@web50705.mail.yahoo.com> David and Jim, Thank you very much for the response. For automated signing to work, I followed the instruction in http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 I followed the steps in the instructions and when I try the following command, gpg --recipient "XXX" --output $rootpath\\$filepgp --batch --encrypt --sign $rootpath\\encrypted\\$file I get the following error: gpg: secret key parts are not available gpg: no default secret key: general error gpg: MYFILE-2004.pdf: sign+encrypt failed: general error Here's what I did to configure... 1. Let's say my pub key id is AAA. To Create sub key, I typed: gpg --edit-key AAA addkey > DSA type 3. Let's say the sub-key I created has keyid 999 2. Listed keys: gpg --list-keys. It shows 1 pub and 2 subs keys gpg --export-secret-subkeys --no-comment 999 >secring.auto 3. Exported the sub-key by using the command: gpg --export-secret-subkeys --no-comment 999 >secring.auto 3. Copied secring.auto, pubring.gpg and pgp.exe to a C:\TEMP dir. 4. Renamed secring.auto it to secring.gpg 5. gpg --homedir . --edit 999 6. command> passwd. It prompted for passpharase and I entered it. Then it propmted for new passphrase. I simply hit enter key without typing anything. Did it again when asked for confirmation. 7. I didn't delete the other sub-key. 8. Install secring.gpg as the secret keyring by typing gpg --allow-secret-key-import -import C:\TEMP\secring.gpg Can anyone please tell me where I am going wrong. Thank you sooo much in advance! -M __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From pschott at drivefinancial.com Mon Jan 17 19:16:12 2005 From: pschott at drivefinancial.com (Peter Schott) Date: Mon Jan 17 19:59:22 2005 Subject: Wrapper/module for Python & Windows Message-ID: <4E28ECEE2E06784AA8921F82878C889E02422D74@DFSTXEXCH3.dfs.com> Anyone know if one exists? I've got a workaround that uses a shell command to build a command-line and exec it, but no native module/wrapper code. The only module I've been able to find is one from SourceForge that will work on Linux/Unix, but not in Windows due to some dependency modules that don't exist in Windows. If anyone's got something that works in a more native fashion and can pass that on, I'd appreciate it. Thanks. Peter A. Schott drive financial services Database Administrator p: 214.237.3567 c: 214.734.1792 f: 214.237.3791 email: pschott@drivefinancial.com ___________________________________________________________________________________ This e-mail is covered by the Electronic Communications Privacy Act, 18 U.S.C. Sections 2510-2521. The information contained in this e-mail is confidential and intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden. This mail and any attachments have been scanned for viruses prior to leaving the Drive Financial Services network. Drive Financial Services will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on. ___________________________________________________________________________________ From wk at gnupg.org Tue Jan 18 09:39:40 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 09:35:31 2005 Subject: How to handle multipart messages (RFC 2440) and verify them with GnuPG? In-Reply-To: (Thomas Zangl's message of "Mon, 17 Jan 2005 19:10:30 +0100") References: Message-ID: <87mzv7uo4z.fsf@wheatstone.g10code.de> On Mon, 17 Jan 2005 19:10:30 +0100, "Thomas Zangl said: > Here are the 2 files with which I play around: > http://intern.tzi.dhs.org/test.sig > http://intern.tzi.dhs.org/test.eml I have not the time to look into this. You might want to use the option --debug 512 while creating the message and during verify. It creates files named dbgmd* in the current directory with the hashed (i.e. signed) data. Compare them. Salam-Shalom, Werner From sagraluz at sagraluzzatto.com.br Tue Jan 18 06:58:00 2005 From: sagraluz at sagraluzzatto.com.br (Editora Sagra Luzzatto Virtual - Rodrigo Padula) Date: Tue Jan 18 09:39:15 2005 Subject: Gnupg with php Message-ID: <41ECA568.9000407@sagraluzzatto.com.br> How do I do to encrypt a message using GNUPG with PHP?? ASS: Rodrigo Padula From kabads at gmail.com Tue Jan 18 10:08:55 2005 From: kabads at gmail.com (Adam Cripps) Date: Tue Jan 18 11:05:38 2005 Subject: auto sign files In-Reply-To: <20050116211150.GA25210@jabberwocky.com> References: <200501161101.03872.linux@codehelp.co.uk> <20050116180645.64707.qmail@web50705.mail.yahoo.com> <20050116211150.GA25210@jabberwocky.com> Message-ID: On Sun, 16 Jan 2005 16:11:50 -0500, David Shaw wrote: > On Sun, Jan 16, 2005 at 10:06:44AM -0800, Mark Ivs wrote: > > Neil, > > Thank you for your detailed explanation of why it's > > very bad idea to sign it using a script. > > I am going to present the concerns to people involved > > and let them be fully aware of the risks. My guess is > > they are going to tell our customer that since this is > > an automated process, we can only encrypt it but not > > encrypt & sign. > > > > Earlier, I was thinking auto signing files was > > possible in a secure way after reading the > > documentation in the link below. > > http://www.gnupg.org/(en)/documentation/faqs.html#q4.14 > > Is that FAQ question about auto-signing keys or > > auto-signing files? Can you please clarify? > > > > > If you want to > > > sign automatically, use a non-personal key that > > > doesn't have ANY passphrase set. > > What does that mean? > > > > > 2. as a script - in which case use a separate key > > > and advise your customer > > > that the signature is worse than useless should your > > > machine be compromised. > > Now that I understand the risks involved, I wouldn't > > use a script to auto sign files. > > But still I am curious to know how you would do it. > > Hold on here... this is getting a little hysterical. > > There is nothing at all wrong with signing from a script, automated > signing, or any variation thereof. Just like any signing, the crucial > bit is to understand what you are doing, and why, and what the risks > are. Once you have that understanding, determine if the risks are > acceptable to you or not. Just as it is a mistake to relax your guard > too much, it is also a mistake to be so secure that you can't actually > get your work done. > > The risks of automated signing are mainly that someone may break into > your machine and steal your key. They can then use this signature in > various ways to impersonate the script that is making the signatures. > Take a moment to think about why you want the setup you describe, and > what would happen if the key was stolen. Remember that once the > message leaves your unattended signing machine it is identical to the > message that would leave the machine if you had 50 armed police > officers guarding you as you typed in your 4-paragraph passphrase. > > David > As a newbie in this area, I understand that there are at least two types of security - the most desirable security and more secure than now. This scenario fits in to the latter. Sure, automated signing is not desirable as it still has flaws within it if someone cracks your machine. But the alternative may be sending out unsigned files, which is even less secure (assuming that they have still broken in to your machine). Done properly, the automated signing can add another layer of security that needs to be cracked. Does this sound reasonable? Adam -- http://www.monkeez.org GPG key: 7111B833 From mr_mojo_rising at earthlink.net Tue Jan 18 10:46:42 2005 From: mr_mojo_rising at earthlink.net (Mojo Rising) Date: Tue Jan 18 11:49:04 2005 Subject: GPA & keyserver setting Message-ID: <41ECDB02.3030209@earthlink.net> I still can't get GPA to submit a key to a keyserver using the proxy specified by my http_proxy setting. I'm starting to think perhaps http_proxy is being respected by GPA after all, and instead it's the DNS lookup for the keyserver that's causing the failure. Does GPA perform its own DNS lookup on the URL of the keyserver before it attempts to send the key via gpg? That could be a problem because the particular keyserver URL I'm specifying needs to be DNS resolved via the proxy (SOCKS 4A/5), otherwise the lookup will fail. gpg itself handles the DNS lookup correctly using my proxy. Is there a way to make GPA defer to gpg for DNS lookup? From wk at gnupg.org Tue Jan 18 12:29:23 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 12:25:24 2005 Subject: GPA & keyserver setting In-Reply-To: <41ECDB02.3030209@earthlink.net> (Mojo Rising's message of "Tue, 18 Jan 2005 03:46:42 -0600") References: <41ECDB02.3030209@earthlink.net> Message-ID: <87wtubt1po.fsf@wheatstone.g10code.de> On Tue, 18 Jan 2005 03:46:42 -0600, Mojo Rising said: > I still can't get GPA to submit a key to a keyserver using the proxy > specified by my http_proxy setting. I'm starting to think perhaps > http_proxy is being respected by GPA after all, and instead it's the IIRC, GPA does not use gpg for keyserver access. Please check the source to see what's going on. Shalom-Salam, Werner From wk at gnupg.org Tue Jan 18 12:31:40 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 12:30:25 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <41EB2F71.4040104@sweetclicks.com> (Darryl C. Conliffe's message of "Sun, 16 Jan 2005 22:22:25 -0500") References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> Message-ID: <87sm4zt1lv.fsf@wheatstone.g10code.de> On Sun, 16 Jan 2005 22:22:25 -0500, Darryl C Conliffe said: > Any idea when 1.4.1 is available? Is there a published list of known > bugs in 1.4.0a? Bugs are listed in the bug tracker at bugs.gnupg.org. Outstanding tasks are: charset things, a small bug with the smartcard and finishing the installer. Werner From linux at codehelp.co.uk Tue Jan 18 13:18:20 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Jan 18 13:14:21 2005 Subject: Gnupg with php In-Reply-To: <41ECA568.9000407@sagraluzzatto.com.br> References: <41ECA568.9000407@sagraluzzatto.com.br> Message-ID: <200501181218.20779.linux@codehelp.co.uk> On Tuesday 18 January 2005 5:58 am, Editora Sagra Luzzatto Virtual - Rodrigo Padula wrote: > How do I do to encrypt a message using GNUPG with PHP?? > > ASS: Rodrigo Padula Please at least Google for the answer before posting: http://business-php.com/opensource/gpg_encrypt/ There are lots of other articles too: http://www.google.co.uk/search?q=gnupg+php -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050118/4bb9ef9b/attachment.pgp From linux at codehelp.co.uk Tue Jan 18 13:33:18 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Jan 18 13:29:20 2005 Subject: auto sign files In-Reply-To: References: <200501161101.03872.linux@codehelp.co.uk> <20050116211150.GA25210@jabberwocky.com> Message-ID: <200501181233.21400.linux@codehelp.co.uk> On Tuesday 18 January 2005 9:08 am, Adam Cripps wrote: > As a newbie in this area, I understand that there are at least two > types of security - the most desirable security and more secure than > now. This scenario fits in to the latter. Wrong - it falls into the security trap of being LESS secure than current. > Sure, automated signing is not desirable as it still has flaws within > it if someone cracks your machine. But the alternative may be sending > out unsigned files, which is even less secure No, it's to send signed files that are copied in to place from a private machine. Keep private keys on private machines. > (assuming that they have > still broken in to your machine). Done properly, the automated signing > can add another layer of security that needs to be cracked. Does this > sound reasonable? No, because to use automated signing, the passphrase must be kept somewhere on the automated (public) system in a clear-text form or the key set to not ask for a passphrase at all. Just reading the script will be enough to identify the passphrase. Therefore automated signatures give a FALSE sense of security. As soon as the machine is compromised, the script is readable, the key identifiable, the passphrase known. oops. Automated signing removes any protection from the secret key itself. It's worse than non-signing because any compromise of the box is automatically a compromise of the key. Once an attacker can read the script, the passphrase (if any) becomes obvious, the secret key is easily located (because the script has to be able to find it) and the attacker can use the key as his/her own. Worse, the script would continue operating and issuing signatures AFTER the attack - no-one would have to know - including on files that are put onto the now compromised machine and dutifully SIGNED with YOUR key by your script! The extra layer of security doesn't exist because if the script knows the passphrase, anyone who can break into the machine and read the script ALSO has the passphrase. What you've introduced is a single point of failure for key AND machine. Signing only provides an extra layer of security to the files IF the secret key is NOT on that machine. (Having a secret key with a passphrase that the script does not know is pointless.) Automated signing INCREASES the security burden of the machine, it requires all sorts of extra precautions and intrusion detection systems to protect the (now) vulnerable key. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050118/74f1b176/attachment-0001.pgp From clbianco at tiscalinet.it Tue Jan 18 12:28:04 2005 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Jan 18 13:49:16 2005 Subject: Using GnuPG to sign web pages. Message-ID: Dear all, We have put online a brief tutorial on a possible use of GnuPG (or any other OpenPGP-compliant software) to sign web pages. It is at: Suggestions and comments are welcome! -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From clbianco at tiscalinet.it Tue Jan 18 13:22:00 2005 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Jan 18 13:52:40 2005 Subject: GPG on USB drive References: <200501112316.AAA00435@vulcan.xs4all.nl> <873bx66fy9.fsf@wheatstone.g10code.de> Message-ID: Il /12 gen 2005/, *Werner Koch* ha scritto: > Frankly, I don't want to distribute a separate ZIP file once the > installer is ready. Are you sure? I think it can be useful, anyway... > The current installer is 879k whereas the ZIP file is ~1.6M. The LZMA > compressor of NSIS is pretty neat. I tried adding the iconv.dll > but this one doesn't compress that well, so we will just give a hint > to install it or download it from the installer. And what about distributing a .7z (www.7-zip.org) file instead of a .zip one? The LZMA 7z archive with all 1.4.0a distribution *and* iconv.dll is 1.2MB, i.e. much less than the zip archive without iconv.dll. And the 1.4.0a distribution alone is compressed in 765KB. The sfx stub is less that 70KB. -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From thomas at northernsecurity.net Tue Jan 18 13:47:44 2005 From: thomas at northernsecurity.net (Thomas =?iso-8859-1?Q?Sj=F6gren?=) Date: Tue Jan 18 14:33:31 2005 Subject: auto sign files In-Reply-To: <200501181233.21400.linux@codehelp.co.uk> References: <200501161101.03872.linux@codehelp.co.uk> <20050116211150.GA25210@jabberwocky.com> <200501181233.21400.linux@codehelp.co.uk> Message-ID: <20050118124744.GA8048@northernsecurity.net> On Tue, Jan 18, 2005 at 12:33:18PM +0000, Neil Williams wrote: > Just reading the script will be enough to identify > the passphrase. Therefore automated signatures give a FALSE sense of > security. As soon as the machine is compromised, the script is readable, the > key identifiable, the passphrase known. oops. Not supporting automating signatures but SHC[1] might be worth checking out. LinuxSecurity.com got an article[2] about it as well. [1] http://www.datsi.fi.upm.es/%7Efrosal/sources/shc.html [2] http://www.linuxsecurity.com/content/view/117920/49/ /Thomas -- == Encrypted e-mails preferred | GPG KeyID: 114AA85C -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 481 bytes Desc: Digital signature Url : /pipermail/attachments/20050118/164a0502/attachment.pgp From linux at codehelp.co.uk Tue Jan 18 14:55:36 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Jan 18 14:51:48 2005 Subject: Using GnuPG to sign web pages. In-Reply-To: References: Message-ID: <200501181355.39350.linux@codehelp.co.uk> On Tuesday 18 January 2005 11:28 am, Carlo Luciano Bianco wrote: > Dear all, > > We have put online a brief tutorial on a possible use of GnuPG (or any > other OpenPGP-compliant software) to sign web pages. It is at: > > > > Suggestions and comments are welcome! Section about checksums: Why not use a valid attribute like title or id instead of inventing chksum? Title will show up in a tool-tip, id can be used as a link. Now what we need is a method for displaying the validity of the signature within the main browser application window. Maybe a little script to sit in the Konqueror Tools menu? It already supports HTML validation with W3C and lots of other tools, this could be added. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050118/856ccb18/attachment.pgp From markivs2003 at yahoo.com Tue Jan 18 15:03:19 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Tue Jan 18 14:59:59 2005 Subject: capture gpg return value Message-ID: <20050118140319.45494.qmail@web50707.mail.yahoo.com> Hello, Is there a way to know if the encryption was successful? I tried the following... $errorval = 'gpg --recipient "XXX" --output $rootpath\\output\\$filepgp --encrypt $rootpath\\encrypted\\$file'; if($errorval) { do something.... } errorval doesn't seem to have any value, so it never goes into the if statement. The problem I am facing is, when the output folder already has the encrypted files(from previous run), I get the following error on the console. "gpg: myfile.csv: encrypt failed: file exists" I want to capture that error inside my if statement and log it. Thanks in advance. Mark __________________________________ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 From atom at smasher.org Tue Jan 18 15:51:08 2005 From: atom at smasher.org (Atom Smasher) Date: Tue Jan 18 15:42:58 2005 Subject: Gnupg with php In-Reply-To: <41ECA568.9000407@sagraluzzatto.com.br> References: <41ECA568.9000407@sagraluzzatto.com.br> Message-ID: <20050118144644.3024.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, 18 Jan 2005, Editora Sagra Luzzatto Virtual - Rodrigo Padula wrote: > How do I do to encrypt a message using GNUPG with PHP?? ================== http://business-php.com/opensource/gpg_encrypt/ - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "I'm against capital punishment, look what happened to Jesus." -- Bumper sticker -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB7SJjAAoJEAx/d+cTpVcijPsH/iSa6IklQwemU9Aoi3cM280P Noa75nOJIuNgc2IQD+69pzIOKbjKaH+DWgk6k2QdPEtS8zeMo8V5ZHwj4vzc3siV 5gZDkKmWy84Wkdu/LBxSwahKRYw3YWNERTrCxhj51s9vsPQ9pWCDgw49oaLBXZnR +/WL2+1IG1RPl/iDyd7RRTsoSC8xO3gcBWzT+a05lCO2C9scxz9q6S4hQfPq3nuW JcgFrKny5SrVPUzjR5rChHC7rTIA756Rftl51K8yxrTKIlSfV23l3ByYrDrzMC/g e/BegxjB/j18EJRgjKAHECTKFGq9er8LaPfUOH6BfMMZGWVhA5+JhoHHR8qWBt0= =xbe+ -----END PGP SIGNATURE----- From gpg at jason.markley.name Tue Jan 18 14:42:54 2005 From: gpg at jason.markley.name (Jason Markley) Date: Tue Jan 18 15:43:15 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <87sm4zt1lv.fsf@wheatstone.g10code.de> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> <87sm4zt1lv.fsf@wheatstone.g10code.de> Message-ID: <41ED125E.9000503@jason.markley.name> bugs.gnupg.org wants a loging/pass ???? Again, any idea when 1.4.1 will be available? Werner Koch wrote: > On Sun, 16 Jan 2005 22:22:25 -0500, Darryl C Conliffe said: > > >>Any idea when 1.4.1 is available? Is there a published list of known >>bugs in 1.4.0a? > > > Bugs are listed in the bug tracker at bugs.gnupg.org. > Outstanding tasks are: charset things, a small bug with the smartcard > and finishing the installer. > > Werner > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Tue Jan 18 16:29:03 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 16:25:26 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <41ED125E.9000503@jason.markley.name> (Jason Markley's message of "Tue, 18 Jan 2005 08:42:54 -0500") References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> <87sm4zt1lv.fsf@wheatstone.g10code.de> <41ED125E.9000503@jason.markley.name> Message-ID: <87zmz6sqm8.fsf@wheatstone.g10code.de> On Tue, 18 Jan 2005 08:42:54 -0500, Jason Markley said: > bugs.gnupg.org wants a loging/pass ???? Please read the web page. > Again, any idea when 1.4.1 will be available? as soon as it is ready. Salam-Shalom, Werner From wk at gnupg.org Tue Jan 18 16:48:50 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 16:45:26 2005 Subject: unconvertable chars display glitches In-Reply-To: <20050115133614.GA1192@oreka.com> (Alain Bench's message of "Sat, 15 Jan 2005 14:36:15 +0100 (CET)") References: <20050114091946.GA29125@oreka.com> <873bx3vpx4.fsf@wheatstone.g10code.de> <20050115133614.GA1192@oreka.com> Message-ID: <87fz0yspp9.fsf@wheatstone.g10code.de> On Sat, 15 Jan 2005 14:36:15 +0100 (CET), Alain Bench said: > Ah zut. It is not helpfull, and sometimes fills the screen when > printed repeatedly for each UID reprint (like in --list-sigs). Won't get printed more than one time now. > --with-colons outputs UTF-8 bytes: Feature. But why is one byte \x93 > escaped? 93 is printable in this locale. Because 0x80-0x9F are not defined and might be used for control characters. Shalom-Salam, Werner From wk at gnupg.org Tue Jan 18 16:47:17 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 16:45:33 2005 Subject: current charset guessing In-Reply-To: <20050115001710.GA31744@oreka.com> (Alain Bench's message of "Sat, 15 Jan 2005 01:17:10 +0100 (CET)") References: <20050103002657.GA32265@oreka.com> <874qhudcos.fsf@wheatstone.g10code.de> <20050107172334.GA14032@oreka.com> <87vfa49ft8.fsf@wheatstone.g10code.de> <20050115001710.GA31744@oreka.com> Message-ID: <87k6qaspru.fsf@wheatstone.g10code.de> On Sat, 15 Jan 2005 01:17:10 +0100 (CET), Alain Bench said: > I assume you meant libcharset. Yes: Reimplement, or reuse it, use it > if available, or even provide it. After all it's already squatting in > the tarball: gnupg-1.4.0/intl/localcharset.c :-) Onmost systems it is not used and it will raise problems when installing with --disable-nls. > I wonder how The Bat! can make GetConsoleOutputCP() return 0 when > needed. FreeConsole() to detach, or something like that? I don't know. Frontends are better adviced using --charset > I wonder how to decide which function applies, OCP or ACP. I mean: > Typically one gives 850 the other 1252. When you run in text mode, Not in most countries. > Normally should be "M?ller" (u umlaut). BTW I wonder why > stdout/stderr are reordered. Due to buffering issues. > cost of breaking legitimate usage, even rare. May I make two proposals: > -1) Get rid of the warning message on simple display of unconvertable > chars. Unconfigured locale people would see (faked here): > -2) Make and document a special "novars" case: Where locale variables > are applicable (not Win32), if all 3 of LC_ALL, LC_CTYPE, and LANG are > unset, and so far guessed charset is US-Ascii, then charset = Latin-1. GNU also defines LANGUAGE; this gets to complicated. > | $ gpg -vvv --list-keys "Ren?" > | gpg: using character set `ISO-8859-1' novars fallback: see http://explanations What I did now is to display a warning only once and print a pointer to a web page. Salam-Shalom, Werner From mwlucas at blackhelicopters.org Tue Jan 18 16:43:12 2005 From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Tue Jan 18 17:26:09 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <87zmz6sqm8.fsf@wheatstone.g10code.de> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> <87sm4zt1lv.fsf@wheatstone.g10code.de> <41ED125E.9000503@jason.markley.name> <87zmz6sqm8.fsf@wheatstone.g10code.de> Message-ID: <20050118154312.GA70083@bewilderbeast.blackhelicopters.org> On Tue, Jan 18, 2005 at 04:29:03PM +0100, Werner Koch wrote: > On Tue, 18 Jan 2005 08:42:54 -0500, Jason Markley said: > > > bugs.gnupg.org wants a loging/pass ???? > > Please read the web page. Not much to read: Login User Name: Password: Database: This is in Firefox 1.0. -- Michael W. Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org http://www.BlackHelicopters.org/~mwlucas/ Latest book: Cisco Routers for the Desperate http://www.CiscoRoutersForTheDesperate.com From Freedom_Lover at pobox.com Tue Jan 18 17:44:00 2005 From: Freedom_Lover at pobox.com (Todd) Date: Tue Jan 18 18:17:55 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <20050118154312.GA70083@bewilderbeast.blackhelicopters.org> References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> <87sm4zt1lv.fsf@wheatstone.g10code.de> <41ED125E.9000503@jason.markley.name> <87zmz6sqm8.fsf@wheatstone.g10code.de> <20050118154312.GA70083@bewilderbeast.blackhelicopters.org> Message-ID: <20050118164400.GA4229@psilocybe.teonanacatl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael W. Lucas wrote: > On Tue, Jan 18, 2005 at 04:29:03PM +0100, Werner Koch wrote: >> On Tue, 18 Jan 2005 08:42:54 -0500, Jason Markley said: >>> >>> bugs.gnupg.org wants a loging/pass ???? >> >> Please read the web page. > > Not much to read: > > Login > User Name: > Password: > Database: Werner probably meant to read the main gnupg.org page. There's a link to the bug tracking system there and it tells you to use guest to login (as username and password, I found through trial and error). http://www.gnupg.org/(en)/documentation/bts.html We recently started using a new bug tracking system which can be found at bugs.gnupg.org. Please, query the database before you create a new bug report. You need to login using the the `guest' account. - -- Todd OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp ====================================================================== All of us could take a lesson from the weather. It pays no attention to criticism. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl. iG0EARECAC0FAkHtPNAmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt ei5hc2MACgkQuv+09NZUB1qWyQCbBP7udcbZj2e8jMv+BUuviEWwTq0An3oWVV+/ jd2AMFjF/xQ6yjkAQdkt =tegg -----END PGP SIGNATURE----- From wk at gnupg.org Tue Jan 18 20:37:25 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 18 20:35:26 2005 Subject: 1.4.0a won't retrieve key from keyserver? In-Reply-To: <20050118154312.GA70083@bewilderbeast.blackhelicopters.org> (Michael W. Lucas's message of "Tue, 18 Jan 2005 10:43:12 -0500") References: <41E30E4B.5070109@jason.markley.name> <20050111030612.GA28753@jabberwocky.com> <41E3CCB9.2030803@jason.markley.name> <20050111160757.GC6496@jabberwocky.com> <41EB2F71.4040104@sweetclicks.com> <87sm4zt1lv.fsf@wheatstone.g10code.de> <41ED125E.9000503@jason.markley.name> <87zmz6sqm8.fsf@wheatstone.g10code.de> <20050118154312.GA70083@bewilderbeast.blackhelicopters.org> Message-ID: <87ekgir0ju.fsf@wheatstone.g10code.de> On Tue, 18 Jan 2005 10:43:12 -0500, Michael W Lucas said: > Not much to read: Oh sorry. Just checked. The machine updates also overwrite the old configuration which explicitly stated that you should login with guest/guest. Fill fix that too. Werner From dshaw at jabberwocky.com Tue Jan 18 20:21:15 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 18 20:57:04 2005 Subject: auto sign files In-Reply-To: References: <200501161101.03872.linux@codehelp.co.uk> <20050116180645.64707.qmail@web50705.mail.yahoo.com> <20050116211150.GA25210@jabberwocky.com> Message-ID: <20050118192115.GC11587@jabberwocky.com> On Tue, Jan 18, 2005 at 09:08:55AM +0000, Adam Cripps wrote: > As a newbie in this area, I understand that there are at least two > types of security - the most desirable security and more secure than > now. This scenario fits in to the latter. > > Sure, automated signing is not desirable as it still has flaws > within it if someone cracks your machine. But the alternative may be > sending out unsigned files, which is even less secure (assuming that > they have still broken in to your machine). Done properly, the > automated signing can add another layer of security that needs to be > cracked. Does this sound reasonable? Pretty much. It depends on the overall system in which the signature is being used. There aren't any hard and fast rules, except that you must look at the whole system and not just a part. For example, in the automated signing example, the recipient is part of the system, and therefore needs to know that the signatures are being issued by a machine. The recipient can then decide what necessary countermeasures (if any) are warranted against the chance of a compromised key. David From dshaw at jabberwocky.com Tue Jan 18 21:24:52 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 18 21:21:53 2005 Subject: GnuPG 1.4.0 and PGP/MIME signatures Message-ID: <20050118202452.GB19466@jabberwocky.com> Shortly after the release of GnuPG 1.4.0, an unexpected problem was reported while using it with mail programs that support PGP/MIME. After some research, it turned out that some mail programs did not perfectly follow the PGP/MIME specification, RFC-3156. The end result was that PGP/MIME signatures made with one of these programs and GnuPG 1.4.0 were not always verifiable on other mail programs that did fully follow the specification. The PGP/MIME specification requires that end-of-line whitespace (generally spaces) be protected against removal by the signing program. It turns out that several programs were using GnuPG to remove the end-of-line whitespace rather than protecting it themselves. Most of these mail programs were fixed shortly after the 1.4.0 release. Nevertheless, to give some time to the mail program developers who have not yet implemented a fix, GnuPG 1.4.1 will contain a new option: --rfc2440-text. This option, which is on by default, causes GnuPG to use the old text encoding that was used in the 1.2.x and 1.3.x releases of GnuPG. At some point in the future, after there has been sufficient time for the various mail programs to fix the problem and release an update, this option will be switched off. In the meantime, once 1.4.1 is out, an easy way to tell if your particular mail program correctly implements PGP/MIME signing is to set --no-rfc2440-text, and send yourself a signed message that has a number of blank spaces at the end of a line. Then, set --rfc2440-text and attempt to verify the signature. If the signature does not verify correctly, you may wish to contact the developer of your mail program for an update. David From dshaw at jabberwocky.com Tue Jan 18 21:32:54 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Tue Jan 18 21:29:57 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <792DE28E91F6EA42B4663AE761C41C2A0379A36C@cliff.bai.org> References: <792DE28E91F6EA42B4663AE761C41C2A0379A36C@cliff.bai.org> Message-ID: <20050118203254.GA19541@jabberwocky.com> I have a general question with all these discussions of gpgkeys_mailto. What is the interest here? Are people actually *using* the email keyserver helper from GPG, or is this just a desire to improve Win32 support in general? It seems to me that the email keyserver helper is a pretty lousy way to get keys from GPG. All GPG does for you is send an email with a particular subject line. It doesn't even import the key when it eventually arrives. David From jeff+gnupg at jeffenstein.dyndns.org Tue Jan 18 21:05:03 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Tue Jan 18 22:04:05 2005 Subject: auto sign files In-Reply-To: <200501181233.21400.linux@codehelp.co.uk> References: <200501161101.03872.linux@codehelp.co.uk> <20050116211150.GA25210@jabberwocky.com> <200501181233.21400.linux@codehelp.co.uk> Message-ID: <20050118200503.GA4079@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, Jan 18, 2005 at 12:33:18PM +0000, Neil Williams wrote: > On Tuesday 18 January 2005 9:08 am, Adam Cripps wrote: > > As a newbie in this area, I understand that there are at least two > > types of security - the most desirable security and more secure than > > now. This scenario fits in to the latter. > > Wrong - it falls into the security trap of being LESS secure than current. How is it less secure? It is encrypted before it leaves the machine, and you can guarantee that it was either signed by the script, or signed by someone who broke into the machine. If it's the latter case, all bets are off, because they could steal your private key and passphrase at will anyway, even if you're using pgp off of a usb key and following all of the other recommended practices. > > > Sure, automated signing is not desirable as it still has flaws within > > it if someone cracks your machine. But the alternative may be sending > > out unsigned files, which is even less secure > > No, it's to send signed files that are copied in to place from a private > machine. > > Keep private keys on private machines. I belive the original problem was to automate this. If you've never managed a production environment, automation means no private machines. As Adam said... This is more secure than the alternative. If the machine is compromised, the key is comprimised, whether or not somebody is typing in the passphrase manually. With automation, the only added risk is opening this to the authorized administrators of the machine, who would have the passphrase anyway. Perhaps the machine will be a bit more open, but if it's comprimised, the data that is being encrypted is comprimised anyway, regardless of encryption. To digress a bit, there is a concept in the real world called 'good enough'. It means that most company's security is not as tight as what is needed for the banking industry, which is not as tight as what is needed for the military, which is not as tight as what is needed for three-letter-agencies. Pick your spot in this scale, but don't force others to work up or down to this same level. Just a general impression -- I get the feeling you are trying to scare newbies away, rather than help them start using gnupg. Not everybody can or will use gnupg to your standards, and if you say "It's my way or the hiway", you won't get many converts. - -- jeff@jeffenstein.org http://www.jeffenstein.org/ I want a bionic duck that strikes terror into the hearts of men, not a bionic duck that looks like a lollipop. -- Defect, found on kuro5hin -----BEGIN PGP SIGNATURE----- iQIVAwUBQe1r7hwPMBUZyYf1AQha3g//Tbf4G5x3hsaWgKqArATzxEQlbdVEL2c+ FNsUWaO20Trsv6PhIxpaG/uQZoG2bVncRfE9KiSl2n8oeaAbSq9dKUwvJa8XgAzP wMNO8f1YCnXb95WvZptE5a3mU237CIvy52wJsZsfwusnYM8Fwrmd1l4vyYZmhP9e vI0NF24KtqBffvboXtNbxXzedgm7ihrU9XZvcCv5CewcqPEtXBGDRMaIkMGeJ2cw KXJepx9Hs71jAVCHAZx8scqX1TJSqGgtni30dxfYOhhto2F0Q9Hmbjh5RlnhMVAh WZOnQqR1/ZI1Uav0omFg3aqxBJCk9Fs+We5VIlGYSaH8VIydpAFeMGRr4Wjw68qJ yPzeAKAToipovFQH7f9Zq8lcLJEKM1HQaoyDJLnTqZE7xR6W2vCt2FZYS4Mced9z S4tDp1a72WhylNQJ8jQirKpLbhRL/LYgHySknIlmLiGw6jfC10IL/yUvmmXGejBM 1HhdNRb80egIDv70aiqww7B0V7+scw1r51YfxI63Pt6bELbR2qGrlYajIF4Ojhhk QPOgHkXJt3o1nOwTsVF3YMXHUHtT8Vos20+R+EGpqOpvGbqrRpnG5yJrziKiWr9h SWepiW2vcy+F0UacNo4vK8vtztu6BC1LQH2LBuusxMnfIhaoqN3vWm//lNLk3yW/ 8VIclDmyFuk= =8cfh -----END PGP SIGNATURE----- From clbianco at tiscalinet.it Tue Jan 18 23:08:58 2005 From: clbianco at tiscalinet.it (Carlo Luciano Bianco) Date: Tue Jan 18 23:10:11 2005 Subject: Using GnuPG to sign web pages. References: <200501181355.39350.linux__34285.0195280791$1106056693$gmane$org@codehelp.co.uk> Message-ID: Il /18 gen 2005/, *Neil Williams* ha scritto: > On Tuesday 18 January 2005 11:28 am, Carlo Luciano Bianco wrote: >> Dear all, >> >> We have put online a brief tutorial on a possible use of GnuPG (or any >> other OpenPGP-compliant software) to sign web pages. It is at: [...] > Section about checksums: Why not use a valid attribute like title or id > instead of inventing chksum? Title will show up in a tool-tip, id can be > used as a link. First of all, thank you for your feedback! I am just the English translator of the page (originally in Italian), but I am actively discussing this matter with the author (i.e. TJL73). IMVHO the most "clean" solution at this stage is the first one, i.e. writing the checksums in a table in the "comment" section together with the OpenPGP signature (I think I will do this in my web pages, for the moment). But inserting them in the "img" tag makes easier to write a plug-in to check them automatically in the browser window, that's why TJL73 added that last section. Both "title" and "id" have already their intended meaning, but there is a thread on the it.comp.sicurezza.crittografia newsgroup (an Italian newsgroup about encryption) where we are discussing, also with TJL73, possible solutions using XHTML instead of HTML4. > Now what we need is a method for displaying the validity of the > signature within the main browser application window. > > Maybe a little script to sit in the Konqueror Tools menu? Maybe, or maybe a Firefox extension... ;-) -- | Carlo Luciano Bianco | ICQ UIN: 109517158 | |______________________| Home page: | |GPG DSA/ElG 1024/4096:|_________________________________________________| |KeyID:0x5324A0DA - Fingerprint:8B00C61034120506111B143DEDBF71B45324A0DA | From linux at codehelp.co.uk Tue Jan 18 23:48:14 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Jan 18 23:44:18 2005 Subject: auto sign files In-Reply-To: <20050118200503.GA4079@frogger.jeffnet> References: <200501161101.03872.linux@codehelp.co.uk> <200501181233.21400.linux@codehelp.co.uk> <20050118200503.GA4079@frogger.jeffnet> Message-ID: <200501182248.16786.linux@codehelp.co.uk> On Tuesday 18 January 2005 8:05 pm, Jeff Fisher wrote: > On Tue, Jan 18, 2005 at 12:33:18PM +0000, Neil Williams wrote: > > On Tuesday 18 January 2005 9:08 am, Adam Cripps wrote: > > > As a newbie in this area, I understand that there are at least two > > > types of security - the most desirable security and more secure than > > > now. This scenario fits in to the latter. > > > > Wrong - it falls into the security trap of being LESS secure than > > current. > > How is it less secure? Because security is more than just that one machine - from the perspective of the recipient, 'security' encompasses the whole transaction - from creating the file to installing the decrypted contents. If the file is changed before encryption (or used to replace a genuine encrypted file) and signed using an automated process, security has been breached. Yet the customer will receive no indication of the breach, therefore, from his/her perspective, the transaction using the automated process was insecure. S/He will rightly claim that you should have anticipated that such a breach would not be evident to them and should have taken steps to avoid such a situation. Therefore, the automated process has required the installation and monitoring of yet another layer of security to monitor intrusions - something that would not be a problem (even thought it would be wise to install) if the files could not be signed automatically. > It is encrypted before it leaves the machine, The original case was a file on a remote machine. This machine could be attacked. An attacker could easily replace the file, the details of the checksum that would be listed on the webpage of the site and, if the files are signed automatically, could also sign his own files to replace the originals, using the script. S/He wouldn't need to decrypt the original files, just overwrite them with his/her own and use the script to identify the key to be used for encryption of his own content. Encryption is no protection in this scenario. Encryption is a red herring - if the source of an encrypted transmission is not secure, the encryption is pointless - this is all about the signatures. The only reason to encrypt these files is to determine who can decrypt the downloaded files - it does not protect the files on the server itself once an attacker has root/admin privileges. > and > you can guarantee that it was either signed by the script, or signed by > someone who broke into the machine. If it's the latter case, all bets are > off, Exactly. The recipient cannot tell if the machine has been compromised (the signature on an attacker's file would validate as well as an original file because the attacker can use the script). Therefore, as the recipient, the fact that the signature verifies is NO indication that the contents are as expected. The signature then provides a false sense of security - waiting to catch out the unwary who take the signature to mean that the file is safe to use. It would be more secure (overall) to be open and leave it unsigned - then the recipient is under no doubts that the content should be checked. From the perspective of the recipient (the customer in the original case), a signature made after an attack on the server should NOT verify. The fact that it DOES, means that the signature is entirely worthless. Acknowledging the risk leads to better overall security than trying to wish it away or obscure it under meaningless wrappers like automated signatures. The recipient would not know - the checksum would be OK, the signature would be valid, the file would be encrypted to his/her public key - everything would check out until it was decrypted. Oops. Far better to only have the secret key on a private machine. Copy the original files to that machine. Sign them there. Copy the files to the public host. Encrypt them anywhere along that line, by preference. Now the public host cannot be used to authenticate files created by the attacker - the recipient is alerted by the use of the wrong keyid or a bad signature, BEFORE decryption. Security, from the perspective of the recipient, is much improved. Change the perspective a little - this has all centred on the remote machine. Think about this from the perspective of the recipient. In the original situation, the recipient (customer) was requiring encryption and signatures specifically in order to have some assurance about the security of the contents. If you automate the signing, the recipient can no longer be sure that the file contains what it is meant to contain, despite both the signature (using the script on the compromised machine) and the encryption (using the same script). No decryption is necessary, replacement files containing trojans or backdoors will look the same if padded to the same archive size as the expected file. That isn't hard - stick some (abusive) text at the end until you get the right file size. It'll look the same, the filename is easy, the same encryption key can be used, the signature will verify but the contents are not what is expected. Isn't that the definitive Trojan Horse? This can only happen because the admin of the remote machine chose an insecure method to sign the files. Keep the secret key off the remote machine and even if the server is attacked, the attacker cannot move the attack onto the customer's machines. Think about it - attack one server, replace the files with your own that create backdoors from every customer machine back to the attacked server - or another one somewhere else. Put some useful content in there as filler/spoiler, maybe output some complicated error message about a bad copy operation or whatever. This is a real threat - it's the idea behind all the internet worms that were used for DoS attacks and/or now used for sending spam. If the customer machines cannot be compromised (because the attacker can't sign the files with the right key), the attack stops at the server. Excellent news for you. Your customers are safe, the original encrypted files can easily be identified and are easily verified to detect any tampering. A few careful deletions, restoring a few files from elswhere, you're back up and running before some of your customers even notice. All this comes undone if the attacker can create identical files with his/her own content to replace the genuine files. Now, even when you do discover the attack, you have to consider the key and all files on that server as compromised. There is no way to protect the key or older files that may contain genuine content, you'd have to decrypt them individually to verify them. All the signatures are valid because they are all generated using the same script. Your downtime goes through the roof as you try to replace maybe tens of thousands of customer files - many of which may be perfectly usable. NOT GOOD! > > Keep private keys on private machines. > > I belive the original problem was to automate this. If you've never > managed a production environment, automation means no private machines. Precisely. Automation and convenience usually result in lower security. It's a compromise. > As Adam said... This is more secure than the alternative. If the machine > is compromised, the key is comprimised, whether or not somebody is typing > in the passphrase manually. Important distinction here. If the key is only ever kept on a private machine, an attack on the public machine hosting the files does NOT compromise the key. Two machines - the private machine with the secret key and the public machine that hosts the final files. Plus the bonus of not having any automated signatures on the public machine - improves security and helps you out after any attack. > To digress a bit, there is a concept in the real world called 'good > enough'. It means that most company's security is not as tight as what is > needed for the banking industry, which is not as tight as what is needed > for the military, which is not as tight as what is needed for > three-letter-agencies. Pick your spot in this scale, but don't force others > to work up or down to this same level. Equally don't hide the implications of getting the assessment wrong. We cannot presume to know what is good enough for the original enquirer - let them hear the opinion of those with different security needs and make their own decisions. As long as the decision is made in full knowledge of the possible problems, the group has served the enquirer well. If we hide the more complex problems from everyone, or fudge the issues or palm people off with soft security, how does that serve to further the use of GnuPG? > Just a general impression -- I get the feeling you are trying to scare > newbies away, rather than help them start using gnupg. Not everybody can > or will use gnupg to your standards, and if you say "It's my way or the > hiway", you won't get many converts. Never the intention, but those who ask about using a security program should be able to get a response from those who have higher security needs. It doesn't hurt to make the dangers known. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050118/63a3a3cb/attachment-0001.pgp From DBSMITH at OhioHealth.com Tue Jan 18 23:36:11 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Wed Jan 19 00:17:45 2005 Subject: any data file Message-ID: I am running AIX 5.2 and gpg version 1.2.1. When I encrypt a file and a vendor decrypts it, this person is saying that the file does not have carriage returns in it, in other words it is a file with a bunch of continuous lines. The particular version of the vendor is pgp 8. Is there a parameter to help with this such as - -pgp8 or - -utf8-strings? Should I upgrade to a newer version? Which one? thank you, Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams From dshaw at jabberwocky.com Wed Jan 19 00:32:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 19 00:29:24 2005 Subject: any data file In-Reply-To: References: Message-ID: <20050118233225.GB19599@jabberwocky.com> On Tue, Jan 18, 2005 at 05:36:11PM -0500, DBSMITH@OhioHealth.com wrote: > I am running AIX 5.2 and gpg version 1.2.1. When I encrypt a file and a > vendor decrypts it, this person is saying that the file does not have > carriage returns in it, in other words it is a file with a bunch of > continuous lines. > The particular version of the vendor is pgp 8. > > Is there a parameter to help with this such as - -pgp8 or - -utf8-strings? > Should I upgrade to a newer version? Which one? The parameter you are looking for is --textmode. That option tells GnuPG to use canonical text format to send, and tells PGP 8 to un-canonicalize on the receiving side. David From timemaster at sillydog.org Wed Jan 19 00:51:36 2005 From: timemaster at sillydog.org (David Vallier) Date: Wed Jan 19 01:30:52 2005 Subject: Using GnuPG to sign web pages. Message-ID: <41EDA108.4020307@sillydog.org> > We have put online a brief tutorial on a possible use of GnuPG (or any other >OpenPGP-compliant software) to sign web pages. It is at: Very Nicly done. For once someone wrote a tutorial thats very easy to understand :) From johanw at vulcan.xs4all.nl Wed Jan 19 00:39:20 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Wed Jan 19 01:36:48 2005 Subject: Is there a gpgkeys_mailto for Win32? In-Reply-To: <20050118203254.GA19541@jabberwocky.com> from David Shaw at "Jan 18, 2005 03:32:54 pm" Message-ID: <200501182339.AAA00939@vulcan.xs4all.nl> David Shaw wrote: >I have a general question with all these discussions of >gpgkeys_mailto. What is the interest here? Are people actually >*using* the email keyserver helper from GPG, or is this just a desire >to improve Win32 support in general? I'm not using it (neither on win32 nor Linux), I only tried to answer win32 programming questions when they were posted in this group. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From DBSMITH at OhioHealth.com Wed Jan 19 02:38:24 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Wed Jan 19 02:34:35 2005 Subject: any data file In-Reply-To: <20050118233225.GB19599@jabberwocky.com> Message-ID: ok great thanks! Does everyone recommend I upgrade? thanks again, Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams David Shaw To Sent by: gnupg-users@gnupg.org gnupg-users-bounc cc es@gnupg.org Subject Re: any data file 01/18/2005 06:32 PM On Tue, Jan 18, 2005 at 05:36:11PM -0500, DBSMITH@OhioHealth.com wrote: > I am running AIX 5.2 and gpg version 1.2.1. When I encrypt a file and a > vendor decrypts it, this person is saying that the file does not have > carriage returns in it, in other words it is a file with a bunch of > continuous lines. > The particular version of the vendor is pgp 8. > > Is there a parameter to help with this such as - -pgp8 or - -utf8-strings? > Should I upgrade to a newer version? Which one? The parameter you are looking for is --textmode. That option tells GnuPG to use canonical text format to send, and tells PGP 8 to un-canonicalize on the receiving side. David _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From rodrigopadula at sagraluzzatto.com.br Tue Jan 18 21:25:12 2005 From: rodrigopadula at sagraluzzatto.com.br (Rodrigo Padula - Editora Sagra Luzzatto Virtual) Date: Wed Jan 19 03:07:23 2005 Subject: Gnupg with ThunderBird Message-ID: <41ED70A8.6070805@sagraluzzatto.com.br> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello !!!! I am giving a small contribution for the project Gnupg. I am creating a configuration course, installation and integration of Gnupg with ThunderBird. Visit www.metalpesado.com.br/gunix - -- +================================================+ ~ RODRIGO PADULA DE OLIVEIRA ~ (o- BACHARELANDO EM SISTEMAS DE INFORMA??O ~ //\ FACULDADE METODISTA GRANBERY - FMG ~ V_/_ ~ PostgreSQL - PHP - Linux - Java +================================================+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB7XCo8arYxsJpZ0URAiyWAJ91rSWoSSfMEP+dY9Tf5nmNjIUvsACgkSCt +0I1TLrbuvozUpZcjDDBG/s= =ruuM -----END PGP SIGNATURE----- From JPClizbe at comcast.net Wed Jan 19 03:31:21 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Jan 19 04:42:58 2005 Subject: Gnupg with ThunderBird In-Reply-To: <41ED70A8.6070805@sagraluzzatto.com.br> References: <41ED70A8.6070805@sagraluzzatto.com.br> Message-ID: <41EDC679.60608@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rodrigo Padula - Editora Sagra Luzzatto Virtual wrote: > Hello !!!! > > I am giving a small contribution for the project Gnupg. > > I am creating a configuration course, installation and integration of > Gnupg with ThunderBird. You may want to take a look at http://enigmail.mozdev.org/gpgconf.html Perhaps you could help us localize the site to Portugese? - -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 Onion Horoscope for Libra, 2004-11-24 Libra (Sept. 23 - Oct. 23): Take heart: There are people with bigger problems than yours, and acting like you care about them will get you laid. "Religion is for people afraid of going to hell. Spirtuality is for people who have been there." -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB7cZ4HQSsSmCNKhARAvDQAKC18fYCi/pIhBbg/DRLx+k1rEs/jACgsxQ9 JjbCX6ApdnDfvoJitAPMasM= =qOEi -----END PGP SIGNATURE----- From jeff+gnupg at jeffenstein.dyndns.org Wed Jan 19 09:24:21 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Wed Jan 19 09:19:29 2005 Subject: auto sign files In-Reply-To: <200501182248.16786.linux@codehelp.co.uk> References: <200501161101.03872.linux@codehelp.co.uk> <200501181233.21400.linux@codehelp.co.uk> <20050118200503.GA4079@frogger.jeffnet> <200501182248.16786.linux@codehelp.co.uk> Message-ID: <20050119082421.GB4079@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Tue, Jan 18, 2005 at 10:48:14PM +0000, Neil Williams wrote: > On Tuesday 18 January 2005 8:05 pm, Jeff Fisher wrote: > > > It is encrypted before it leaves the machine, > > The original case was a file on a remote machine. Actually the original post didn't state anything about the file, only that he wants to sign them automatically. Nothing about where they came from or where they are going. I probably went too far in assuming that he was sending them somewhere. > > > and > > you can guarantee that it was either signed by the script, or signed by > > someone who broke into the machine. If it's the latter case, all bets are > > off, > > Exactly. The recipient cannot tell if the machine has been compromised (the > signature on an attacker's file would validate as well as an original file > because the attacker can use the script). But this is the general case. It's irrelevant whether the machine is private or not, whether it is automated or not. If the machine holding the private keys is comprimised, the signatures are suspect. There are any number of key loggers for NT/XP, builtin tty snoop programs for unix, etc... The only risk this particular usage adds is _authorized users_ of this machine. If user x's machine is comprimised, it makes no difference if he has a three paragraph pass phrase, or if he is incredibly prudent in what he signs; his key is no longer secure and all signatures verified after this are suspect. > > > As Adam said... This is more secure than the alternative. If the machine > > is compromised, the key is comprimised, whether or not somebody is typing > > in the passphrase manually. > > Important distinction here. If the key is only ever kept on a private machine, If this is a corporate environment, there are no private machines. If the machines are not managed by some sort of administration group, then there will be many more security problems than verifying these files... > > Just a general impression -- I get the feeling you are trying to scare > > newbies away, rather than help them start using gnupg. Not everybody can > > or will use gnupg to your standards, and if you say "It's my way or the > > hiway", you won't get many converts. > > Never the intention, but those who ask about using a security program should > be able to get a response from those who have higher security needs. It > doesn't hurt to make the dangers known. The problem is that you said this is less secure, without knowing the original posters requirements. It's like watching a Michael Moore film or a George Bush speech. When presented with half the facts and lots of opinion, with no distinction between the two, people are not going to make good decisions. - -- jeff@jeffenstein.org http://www.jeffenstein.org/ Prof: So the American government went to IBM to come up with a data encryption standard and they came up with ... Student: EBCDIC! -----BEGIN PGP SIGNATURE----- iQIVAwUBQe4ZNRwPMBUZyYf1AQjyHg/+KpDsgJLqbJvfNH9uSRhhLerIYNUMdrq2 MaAmm04S11hVR+tasCKAfECIcsqIvUI9rPlbBz5vH8q+cFCUvIR3TvKP51nQgUh7 KxklQRGV/E5Aw0SgNPZRI0+8Y2kmLZQvf7mRRtGyQqlgjspQf5aE6NrFAJiNa7+X ZkJ291pLkfQLMe8tQ7DF7qJeag591s5XDZzRT+yn01RweUDEuRNufUElqRtIs5ME gQ/orK8HfCmSXQgAj7fR8jWXhIw8veBI2ZlagxSP+yqXBqRMagMdizuRwS5LumH7 CtaZ/2vr8Ve2mb5gZksjtCaj7pvgj+lbgUjdX5z4EcuYgEGrdRErZ9i09SZ298D1 ZhW22FOum5cmESbcj5/1P8D8YpzmT5snFvT4KlfG7jA/seY/AHRJz37U3rI07XEV gElZLS6y20fT97M8JwpFOLXej2FGYzclr+wWJ20cU7zSFGU+KzM166mzhhiLFpqb OLNx4hmXjqOM+g6LjZbXhBDEdQy4RUw1OERuJm151lc8Lke6fJc+YHNqwj5itCpt +ZSdtRuucb0XSMwD2G4ZygvT43Vs+cA/HsTNcE5g8V8LT3HrCFrICSoEawzDYpiB K65+RKVBC1MaBCbUkbHkAwXxuLwgvti1fRaaExwkvhxX2xUE/RpaTeDoxP0Zxn52 sYJqq0t5zEI= =9ULi -----END PGP SIGNATURE----- From bastien.laporte-riou at medincell.com Wed Jan 19 09:31:06 2005 From: bastien.laporte-riou at medincell.com (Bastien Laporte-Riou) Date: Wed Jan 19 10:32:34 2005 Subject: Problem access /dev/tty Message-ID: Hello, I have just install the last version of the gnupg and then when i want to use the command gpg --gen-key i have un error message : "gpg : cannot open '/dev/tty' : No such device or address". I tryed to change the access in 666 and no change. Thanks for you help. -- ___________________________ Medincell Bastien Laporte-Riou Email : bastien.laporte-riou@medincell.com Web : http://www.medincell.com Sent date : 01.19.2005 ___________________________ Disclaimer - This email and any files transmitted with it are confidential and contain privileged or copyright information. You must not present this message to another party without gaining permission from the sender. If you are not the intended recipient you must not copy, distribute or use this email or the information contained in it for any purpose other than to notify us. If you have received this message in error, please notify the sender immediately, and delete this email from your system. We do not guarantee that this material is free from viruses or any other defects although due care has been taken to minimise the risk. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Medincell. From shaun.lipscombe at gmsl.co.uk Wed Jan 19 10:47:54 2005 From: shaun.lipscombe at gmsl.co.uk (Shaun Lipscombe) Date: Wed Jan 19 10:46:12 2005 Subject: GnuPG 1.4.0 and PGP/MIME signatures In-Reply-To: <20050118202452.GB19466@jabberwocky.com> References: <20050118202452.GB19466@jabberwocky.com> Message-ID: <20050119094754.GE31389@mail.gasops.co.uk> * David Shaw wrote: > Shortly after the release of GnuPG 1.4.0, an unexpected problem was > reported while using it with mail programs that support PGP/MIME. > After some research, it turned out that some mail programs did not > perfectly follow the PGP/MIME specification, RFC-3156. The end result Hrm... I think that answers my question ..... :-) From dshaw at jabberwocky.com Wed Jan 19 15:36:00 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 19 15:33:01 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: <20050110092833.GC27919@cypress.com> References: <20050110092833.GC27919@cypress.com> Message-ID: <20050119143600.GB9556@jabberwocky.com> On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org wrote: > I have written a prototype OpenPGP applet for the Javacard > platform. The ~ homepage of the project is: > > http://www.core-dump.com.hr/index.pl?node_id=421 > > In the package are all relevant instructions on how to test it > against the gpg and Sun's emulated reference Javacard > implementation. That's pretty cool. The Java Ring is really a Java card underneath, so you could carry the applet around on your finger. David From erwan at rail.eu.org Wed Jan 19 15:21:19 2005 From: erwan at rail.eu.org (Erwan David) Date: Wed Jan 19 16:19:24 2005 Subject: Gnupg with ThunderBird In-Reply-To: <20050119130605.GA19702@mail.gasops.co.uk> References: <41ED70A8.6070805@sagraluzzatto.com.br> <41EDC679.60608@comcast.net> <20050119130605.GA19702@mail.gasops.co.uk> Message-ID: <41EE6CDF.702@rail.eu.org> Le 19.01.2005 14:06, Shaun Lipscombe a ?crit: > * John Clizbe wrote: > >>You may want to take a look at http://enigmail.mozdev.org/gpgconf.html >> >>Perhaps you could help us localize the site to Portugese? > > > Had never heard of enigmail but its now being used in place of PGP 8.0.2 > thanks to your post. We use Thunderbird but so far there has been a > manual process between extracting attachments and decrypting them since > there is only plugin support with this product for Outlook etc. Now we > have fully functional OpenPGP support directly from within Thunderbird > and it's easier for our users to use. Wohoo. :-) Alas, gnupg is not usable under windows on a multi-user machine. It cannot handle one keyring per user, but has a global keyring... (or may be it is no more the case with gnupg 1.4 ?) -- Erwan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 256 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050119/3caba21b/signature.pgp From JPClizbe at comcast.net Wed Jan 19 19:29:05 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Jan 19 19:25:55 2005 Subject: Gnupg with ThunderBird In-Reply-To: <41EE6CDF.702@rail.eu.org> References: <41ED70A8.6070805@sagraluzzatto.com.br> <41EDC679.60608@comcast.net> <20050119130605.GA19702@mail.gasops.co.uk> <41EE6CDF.702@rail.eu.org> Message-ID: <41EEA6F1.3010408@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Erwan David wrote: > > Alas, gnupg is not usable under windows on a multi-user machine. It > cannot handle one keyring per user, but has a global keyring... (or may > be it is no more the case with gnupg 1.4 ?) GnuPG is PERFECTLY usable on a multi-user Windows machine, as long as 'multi-user' is limited to WinNT, Win2000, & WinXP - 'multi-user' on Win9x/ME was after-market bolt-on chrome. It depends on how it is installed and configured. Storing GnuPG's programs and keyrings in the DOS-inspired C:\GnuPG is indeed not shareable on a multi-user machine. But that is a flaw committed by the installing person, not the GnuPG software. Take a look at http://enigmail.mozdev.org/gpgconf.html for a guide on installing GnuPG in a multi-user manner on a Windows machine: Programs located under %ProgramFiles% and user preferences and keyrings in %APPDATA%\GnuPG. It is even possible to create a global registry setting to default HomeDir for all users. Advanced configs are quite possible with user's keyrings stored on a network share. This has been my experience since I began using GnuPG with 1.2.1. Nothing in this regard is new in 1.4 - it's been there all along. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB7qbwHQSsSmCNKhARAnubAKC0o/lQNpM7uSPMvPAAIf6iz0/P5QCgwmho jsjiCNglGoEysyPk0LoRvM0= =1yTp -----END PGP SIGNATURE----- From jharris at widomaker.com Wed Jan 19 20:05:34 2005 From: jharris at widomaker.com (Jason Harris) Date: Wed Jan 19 20:38:15 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: <20050119143600.GB9556@jabberwocky.com> References: <20050110092833.GC27919@cypress.com> <20050119143600.GB9556@jabberwocky.com> Message-ID: <20050119190533.GA31686@wilma.widomaker.com> On Wed, Jan 19, 2005 at 09:36:00AM -0500, David Shaw wrote: > On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org wrote: > > > I have written a prototype OpenPGP applet for the Javacard > > platform. The ~ homepage of the project is: > > > > http://www.core-dump.com.hr/index.pl?node_id=421 > > > > In the package are all relevant instructions on how to test it > > against the gpg and Sun's emulated reference Javacard > > implementation. > > That's pretty cool. The Java Ring is really a Java card underneath, > so you could carry the applet around on your finger. > Don't forget plain iButtons. -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050119/1ff2de3e/attachment.pgp From atom at smasher.org Thu Jan 20 07:52:42 2005 From: atom at smasher.org (Atom Smasher) Date: Thu Jan 20 07:44:17 2005 Subject: auto sign files In-Reply-To: <20050119082421.GB4079@frogger.jeffnet> References: <200501161101.03872.linux@codehelp.co.uk> <200501181233.21400.linux@codehelp.co.uk> <20050118200503.GA4079@frogger.jeffnet> <200501182248.16786.linux@codehelp.co.uk> <20050119082421.GB4079@frogger.jeffnet> Message-ID: <20050120064805.22760.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 there seems to be something that's being overlooked in this thread... what key is being used to auto-sign with? i personally have scripts that generate signed files without me typing a passphrase (this is facilitated by a key with no passphrase). normally this would be considered incredibly stupid, but there's one thing about it that make it OK by my standards: i'm not using *my* key. sure, i'm using a key that's exclusively under my control, but that key is not part of *my* key (0xD9F57808) or the WoT. as a matter of fact, the key isn't even distributed publicly. the UID is meaningless to anyone who doesn't know what it is, and the key has no third party signatures. if i have any reason to suspect that an auto-signing key is compromised i can replace it with a new key. assuming that the public part of that key is only being used by a small group of people it's probably overkill to formally revoke it... just replace it. i would *NEVER* use _my_ key or any subkey for signing on auto-pilot, but for a key that's only used for a specific purpose it *can* increase overall security... one example is a remote IDS scan that's run from my desktop... every night it generates a report for each server that it scans, and then emails the report to my mail server. the report then sits on my mail server waiting to be read... but what if the mail server is hacked? a hacker could change the report before i see it. by auto-signing the report on my desktop before mailing it out, i will know immediately if the report was altered in any way (after leaving my desktop). IMHO the net effect is an increase in security. and if my desktop is hacked? in that case i would have to consider *my* compromised, strong passphrase and all. this reminds me of a true story: someone from an unnamed internet bank wanted a custom version of the "gpg_encrypt" php script that would add a signature to the encrypted email. i tried to explain that it would be creating a _sense_ of security, while probably not _actually_ increasing security. they insisted that they required the signature. i gave them what they wanted, and everything seemed fine on my end but they were having problems getting it to work on their end. after a few rounds of tests that i had them perform on their server, it turned out that they're running their internet bank on a SHARED SERVER that's maintained by their hosting company!!! they have *ZERO* control over the administration of the server! i tried to explain that this was not only the cause of their problems but also HORRIBLY INSECURE, but they just didn't get it. all of the strong crypto in the world can't keep their customers' banking information secure. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "We cannot simply suspend or restrict civil liberties until the War of Terror is over, because the War on Terror is unlikely ever to be truly over... September 11, 2001, already a day of immeasurable tragedy, cannot be the day liberty perished in this country." -- Judge Gerald Tjoflat, 16 Oct 2004 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB71VAAAoJEAx/d+cTpVciMqwIAL3xqMbIYuigGboy8047xO+s C7AtLWk0m3OsaBlVw3ddzz9mEWvNmnkMy4MsB4LDrHkI+RN2XlDt13hEgSGBAood cfVe8lWGsNdhRz3pZsxcIPxPVKXyDCKjs5FcNKFz+NybQiX+1n/a96n3u5lmQQDU ZZhh3QEQGcc9XfE9PDWt3+iD61Qlait5lDjogMLNx1EME0FcdwIi/DSO5ffwwG+C iKDZuyKcoVAuajbk7N2TlVJqhyDWkZoXdZ869DQa3bBZpNdObYhnweUq7oEK7+eO /PHVfk8dzjOjgMSK39Q24dSKzpd7cdHznNlep8X6RfatnPXQx4ronZVwev2gLgw= =QiH6 -----END PGP SIGNATURE----- From radier289 at gmail.com Wed Jan 19 07:36:51 2005 From: radier289 at gmail.com (USB Dev) Date: Thu Jan 20 07:59:02 2005 Subject: GnuPG on a USB device Message-ID: <453f8fe3050118223665fce5f5@mail.gmail.com> Hi, I wrote a front end for GnuPG a while ago for use on a flash drives I would like ot modify the gpg source to either remove the registry check and look in the locale drive or add something to the gpg.conf file to make it look locally, Could somene give me a hint where to look in the source code for this Kind Regards C From Claude.Bernable at alcatel.fr Wed Jan 19 14:49:52 2005 From: Claude.Bernable at alcatel.fr (Claude.Bernable@alcatel.fr) Date: Thu Jan 20 07:59:07 2005 Subject: GnuPG present a the French Linux Expo Message-ID: From wk at gnupg.org Thu Jan 20 08:25:09 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 20 08:25:24 2005 Subject: Gnupg with ThunderBird In-Reply-To: <41EEA6F1.3010408@comcast.net> (John Clizbe's message of "Wed, 19 Jan 2005 12:29:05 -0600") References: <41ED70A8.6070805@sagraluzzatto.com.br> <41EDC679.60608@comcast.net> <20050119130605.GA19702@mail.gasops.co.uk> <41EE6CDF.702@rail.eu.org> <41EEA6F1.3010408@comcast.net> Message-ID: <87brbk5zqi.fsf@wheatstone.g10code.de> On Wed, 19 Jan 2005 12:29:05 -0600, John Clizbe said: > installing GnuPG in a multi-user manner on a Windows machine: Programs > located under %ProgramFiles% and user preferences and keyrings in Which will be the default for 1.4.1 > %APPDATA%\GnuPG. It is even possible to create a global registry > setting and that too. Unless you are using the old configuration via registry. Werner From wren at hunt.org Thu Jan 20 12:14:13 2005 From: wren at hunt.org (J. Wren Hunt) Date: Thu Jan 20 12:59:47 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: <20050119190533.GA31686__27399.5460047901$1106164038$gmane$org@wilma.widomaker.com> References: <20050110092833.GC27919@cypress.com> <20050119143600.GB9556@jabberwocky.com> <20050119190533.GA31686__27399.5460047901$1106164038$gmane$org@wilma.widomaker.com> Message-ID: Jason Harris wrote: > On Wed, Jan 19, 2005 at 09:36:00AM -0500, David Shaw wrote: > >>On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org wrote: >> >> >>>I have written a prototype OpenPGP applet for the Javacard >>>platform. The ~ homepage of the project is: >>> >>>http://www.core-dump.com.hr/index.pl?node_id=421 >>> >>>In the package are all relevant instructions on how to test it >>>against the gpg and Sun's emulated reference Javacard >>>implementation. >> >>That's pretty cool. The Java Ring is really a Java card underneath, >>so you could carry the applet around on your finger. >> > > > Don't forget plain iButtons. > > Anyone know of any information on how to access these devices via *nix? Thx! Wren From dshaw at jabberwocky.com Thu Jan 20 15:04:00 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 20 15:01:03 2005 Subject: [Fwd: OpenPGP javacard implementation] In-Reply-To: References: <20050110092833.GC27919@cypress.com> <20050119143600.GB9556@jabberwocky.com> <20050119190533.GA31686__27399.5460047901$1106164038$gmane$org@wilma.widomaker.com> Message-ID: <20050120140400.GB22212@jabberwocky.com> On Thu, Jan 20, 2005 at 06:14:13AM -0500, J. Wren Hunt wrote: > Jason Harris wrote: > >On Wed, Jan 19, 2005 at 09:36:00AM -0500, David Shaw wrote: > > > >>On Mon, Jan 10, 2005 at 09:28:33AM +0000, gnupg-users-owner@gnupg.org > >>wrote: > >> > >> > >>>I have written a prototype OpenPGP applet for the Javacard > >>>platform. The ~ homepage of the project is: > >>> > >>>http://www.core-dump.com.hr/index.pl?node_id=421 > >>> > >>>In the package are all relevant instructions on how to test it > >>>against the gpg and Sun's emulated reference Javacard > >>>implementation. > >> > >>That's pretty cool. The Java Ring is really a Java card underneath, > >>so you could carry the applet around on your finger. > >> > > > > > >Don't forget plain iButtons. > > > > > Anyone know of any information on how to access these devices via *nix? They're serial devices underneath it all. There are drivers for various platforms, including *nix, here: http://www.maxim-ic.com/products/ibutton/jibkit/index.cfm David From jason.barnett at telesuite.com Thu Jan 20 15:55:30 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Jan 20 16:08:25 2005 Subject: Web of trust in Southwest Ohio, USA Message-ID: Although I have read through the man page as well as a few web sites, I am still quite new to GPG. I searched a bit and found this newsgroup and hope that you folks can help me with these questions. - Can someone give me some advice on how to get started building my "web of trust?" I think I understand the basic concept; meet someone in real life, verify they are who they say they are and exchange signatures. But can someone give me some practical tips to get started? (BTW I live in southwest Ohio, USA). - Is there a site where I can search *all* of the archives at once? I found http://lists.gnupg.org/pipermail/gnupg-users/?1106184443 but I can only search within a one month time frame (and I hate to post questions that have already been answered). - I realize that not every person I email is going to use GPG / PGP so I'd like to at least sign every email that I send. What exactly is supposed to be in my signature? Is it the encrypted version of the email I am sending? Thanks in advance for whatever help you can send my way. And if any of you are PHP developers feel free to drop me a line some time. :) From jason.barnett at telesuite.com Thu Jan 20 16:58:28 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Jan 20 16:56:46 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: Jason Barnett wrote: > Although I have read through the man page as well as a few web sites, I > am still quite new to GPG. I searched a bit and found this newsgroup > and hope that you folks can help me with these questions. > > - Can someone give me some advice on how to get started building my "web > of trust?" I think I understand the basic concept; meet someone in real > life, verify they are who they say they are and exchange signatures. But > can someone give me some practical tips to get started? (BTW I live in > southwest Ohio, USA). > > - Is there a site where I can search *all* of the archives at once? I > found http://lists.gnupg.org/pipermail/gnupg-users/?1106184443 but I can > only search within a one month time frame (and I hate to post questions > that have already been answered). > > - I realize that not every person I email is going to use GPG / PGP so > I'd like to at least sign every email that I send. What exactly is > supposed to be in my signature? Is it the encrypted version of the > email I am sending? > > Thanks in advance for whatever help you can send my way. And if any of > you are PHP developers feel free to drop me a line some time. :) After I wrote this I thought of one other question. I submitted my first public key to several keyservers (you can find it by going to http://keyserver.veridis.com:11371/pks/lookup?op=get&search=0x74D2856A). As I understand it one person will often use multiple private keys (perhaps one for personal, one for work, one for when you get fired and start working somewhere else). - Should I create a personal key and use that as my "primary" private key... and then assign other keys as "secondary" keys as needed? I'm asking this mostly from a management perspective. I understand how to do what I'm asking, I'm just asking if my line of thinking is correct or if I should be managing my keys in some other way. Thanks again! From om at skillsearch.co.uk Thu Jan 20 17:31:54 2005 From: om at skillsearch.co.uk (Oliver Marshall) Date: Thu Jan 20 18:03:03 2005 Subject: Leaving the list Message-ID: Hi, Can anyone tell me how to go about leaving the list ? Thanks Olly From og at pre-secure.de Thu Jan 20 15:42:33 2005 From: og at pre-secure.de (Olaf Gellert) Date: Thu Jan 20 18:10:40 2005 Subject: gpg-agent and trusted root certificates Message-ID: <41EFC359.90103@pre-secure.de> Hi all, I was just trying out the X.509 stuff of recent GPG versions and I was wondering, on what occasions the gpg-agent will ask the user to verify new root certificates. I already included the option "allow-mark-trusted" into the configuration. When I include the hash of a root certificate manually into the trustlist.txt, everything works. When I tell kleopatra to validate the root certificate, kleopatra queries the agent to do the job. When gpg-agent logs the following, should it not ask the user to verify the root certificate? 7 - 2005-01-20 15:37:56 gpg-agent[4598.0x8085e78] DBG: <- HAVEKEY FB982E01EF2FE327A450FA5EB12B6172FBEBCD2F 7 - 2005-01-20 15:37:56 gpg-agent[4598.0x8085e78] DBG: -> ERR 208 no secret key 7 - 2005-01-20 15:37:56 gpg-agent[4598.0x8085e78] DBG: <- ISTRUSTED 0701EF37D0568429C057453D804646C3D016E660 7 - 2005-01-20 15:37:56 gpg-agent[4598.0x8085e78] DBG: -> ERR 304 not trusted 6 - 2005-01-20 15:37:56 gpgsm[6011.0x807d9c0] DBG: -> D crt:i:2048:1:804646C3D016E660:20050112T123638:20070112T123638:00::1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,CN=Test Root CA B1,O=Test Organization B,C=DE::cC:%0Afpr:::::::::0701EF37D0568429C057453D804646C3D016E660:::0701EF37D0568429C057453D804646C3D016E660:%0Auid:i::::::::1.2.840.113549.1.9.1=#636140746573746F72672D622E6F7267,CN=Test Root CA B1,O=Test Organization B,C=DE::%0Auid:i::::::::::%0A 6 - 2005-01-20 15:37:56 gpgsm[6011.0x807d9c0] DBG: -> OK 6 - 2005-01-20 15:37:56 gpgsm[6011.0x807d9c0] DBG: <- BYE 6 - 2005-01-20 15:37:56 gpgsm[6011.0x807d9c0] DBG: -> OK closing connection [client at fd 6 disconnected] 7 - 2005-01-20 15:37:56 gpg-agent[4598.0x8085e78] DBG: <- [EOF] 7 - 2005-01-20 15:37:56 gpg-agent[4598]: handler for fd 6 terminated Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From turner_bill at sbcglobal.net Thu Jan 20 17:23:58 2005 From: turner_bill at sbcglobal.net (Bill Turner) Date: Thu Jan 20 18:21:27 2005 Subject: Mozilla List Mail In-Reply-To: <20050106203636.GA7024@dantooine> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <20050106145358.GA5259@dantooine> <41DD9830.8060105@sillydog.org> <20050106203636.GA7024@dantooine> Message-ID: <41EFDB1E.4010005@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, markus reichelt wrote: | David Vallier wrote: | |>>Sorry folks I just realized that this list doesn't have a proper |>>reply to header, so when I click on reply it's sent to the |>>_originator_ of the message. I use Mozilla Mail, but this ought to be pretty much the same for T-Bird as well. I used 'reply all' and set you as a 'cc' while I used the 'newsgroup' setting for the group email. hope this works as I am expecting. haven't yet managed to find a place to setup an address specifically as a 'newsgroup' for the replys. Hope this helps. | sorry, I'm a die-hard mutt fan ;-) mutt does rock... :) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users - -- "Whatever you do will be insignificant, but it is very important that you do it." Mahatma Gandhi. "All that is necessary for the triumph of evil is for good men to do nothing." Edmund Burke. "What have you done to make the world a better place today? Got 30 seconds? Feed somebody. " Bill Turner ~ -- The following information is from a key which has been compromised. Please contact me directly via email to obtain an updated and current key. "Bill Turner " Type bits /keyID Date User ID pub 1024D/89F6CC2B 2002/10/18 Bill Turner Key fingerprint = 2AC6 D850 97A0 5D3A FB22 9237 24DA 6DCC 89F6 CC2B sig 89F6CC2B Bill Turner ~ -- My current (and valid) GPG Public key info follows: "Bill Turner " Type bits /keyID Date User ID pub 1024D/7A85CF68 2004/04/28 Bill Turner (Tux Rox!) Key fingerprint = 763D 95D2 CB20 7763 5303 8097 A7D7 6B5D 7A85 CF68 sig 7A85CF68 Bill Turner (Tux Rox!) ~ -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQFB79sap9drXXqFz2gRAiRyAJ4lnVxP+2lHr6TjMSmA3QijG7oXEwCggkgO tx3oqlcjc8NjV6RaUfZv650= =9BNk -----END PGP SIGNATURE----- -------------- next part -------------- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.2.4 (MingW32) mQGiBECPm7YRBAChISjonsRuhgBJIx3JQ3H64Ej/cXV2RpV00nTlKe8e/N6vlu6z GUgPQm1SfgcZ61+92oppgRL55wanUcY39feg9YgZmjwEtngScz+rODfENlZT8nCu ZQifM/lVEq6Oyhhv9mUD4iX6FcsMjp9eEAyLw8vHX4vVOlE5kH2ztOqaRwCg9h2o nS2sYDH74lm3Vh3PDp8TOk8EAJfSFd3ck5FpdYxGVF+5oFsX4RrtSYc6DxVBA9eh w9igrQoWC62GZrvZSZ9yNGB0TYKu/vp9D6g8c5XUiw1aHsIFcRRbQtGoNBUY4JN4 0/2056HkAv7jG4oxXWlKBOqUcc/hhouF6W37bWDEeU3QysRbuisG9NDShkff356/ FO9GA/4v8uwd1hACh//I1x3KG+Y0meuEEdjGcEZNvlFdgF/D00Km/vvETrvyA12j dEcKFb/YBpzevjZxJoDav1Ac3bdrkEm0wahD+uiXsRLM+l9VpB/DDgLdBPO0z0X/ /je1KB6YFUf12+6d9B3gkf/MM+YJAYD8ApmhTo2kZxg4Dx7OErQyQmlsbCBUdXJu ZXIgKFR1eCBSb3ghKSA8dHVybmVyX2JpbGxAc2JjZ2xvYmFsLm5ldD6IXgQTEQIA HgUCQI+btgIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAAKCRCn12tdeoXPaCrpAJ4o 32Epku53jURzlyW3UeEGyWDzHgCgvcy0Wy045onp4oCjME7eHlO0rrm5AQ0EQI+b yBAEAMoDoyWOPMxxQFLl7ng228NM6VZszjD9l9oPNYLqtUKit/sG066ynsmYN4Ez QmJPUh8Uqtwh54dsSYoc4P0QoVIeEsjzF/NDlWLqTiRkuYbXb6Ul18D98gAl1jxd Qb2Mrtkh7FfUTRDcu5iWV5nSEQykPikniFP8yieW+d0ZcZoLAAMGA/9IgfcvCxnW YJCJVroa9chXkpzeM5HBcaOVzeADYsrYiFIvseQsbBrz2MUr8OChIcUzLyffL2d7 THpiZSYu34VouAZhVMfc5Np6aEzYWsXYxey3cGKCA3qfa98hKeXXgL40OHy9oLOZ NFYu+pYiFzqfUY6BkobVBLd+xP7xysdES4hJBBgRAgAJBQJAj5vIAhsMAAoJEKfX a116hc9oKPoAoKCmf2HRcP2aA3rWA6IinW6dXgz5AJoCK91mSOfDLA8xcwNH89w1 es8KQpkBogQ9a32vEQQA+ezBmafwTtIpNXEDdicjm3IkwFb7MydTZys1hUTulhav +f51Wo1PfnU4CA2Imfg/BOkJCr2gIp8cI/Qgqc0lNMXGKocLDaGoUGo4wdrpo1HD G/y/E78qi0YLCP3YojY2BINQjcCdEPyPpR9gvRuHzQ17Rhsj5HAoQM0jizx/3UMA oP8tZKqrQnepXICXnGQNzbRZ+HutA/9yldx9bmSlzd44G38QRS/yk6wip/NB+jkU kio3mEFjMxifYsm0aZc+ugl3LWc92B94o4dR3oVH1tnqzS7bAh9E+SK9JJrDV9N4 8otTR0wnrvB0yp1JGNCZvCHp0Lj9DHySw9td28KaADehjVcXmQR8aArvYQT5PRDf vrdiWu6vpwP/aN3bM0/tDUFmtRSBEl43xzEdloXmmjM8Xi/Pt6ImtAkegpk/x+h3 kVePCqP1IJGrladbs6sHPpJ2r/lNwqUc8FvxagyOIZrj4xhjnifrDkbn9cQIUAwM Ug+QI53QWvJMS0frcmQTs3SiNsygYM2Aw8Ngc8jjQJOnrHeB1j4RSva0I0JyZW5k YW4gS2lkd2VsbCA8YnJlbmRhbkBnbHVtcC5uZXQ+iFgEEBECABgFAj1rfa8ICwMJ CAcCAQoCGQEFGwMAAAAACgkQ4lxlBKPKA3i/QQCfeq90eipHejX5dKKRl5I3sfr6 0UcAnAmhCAtBf/tcE7usBRr6h2S+F+dBuQINBD1rfa8QCAD2Qle3CH8IF3Kiutap QvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfU odNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7H AarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxb LY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyE pwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1Xp Mgs7AAICCAC0KIKI2jb3yCNzYIerVwp7lzorZRQocph2dAzSliTSKg27WpTu9ljQ LqGnYA1XtdcpQrgCB/D0TqFmkkZitJTe5d5g4uAgdUuq9foWLPZmFhI3xINcyo5E p3uKLS9PRG9M8pehlMPT3TeiaglEr5HaswOFFadqVDSKmkG4Qql6SbC+5UKlbcoJ T4wNyktpGPhpyEqkREqO/SvsstJI9y5qmeBdnFdLbvfFJJ0PIQ5Y4OevhpaIeJxu 8qt7u348kuQ5vVU6jeeRTTiwyZEeY8Xp0HM/gZwMq2z4Hu6rfbSEyeLHPguOlBoh E27050d4Eo/iru9/PMvnG82xBcP95J/piEwEGBECAAwFAj1rfa8FGwwAAAAACgkQ 4lxlBKPKA3gM9QCeOMtfPhlNvIixDuToe//5lE4UjOUAoKRziBXMrgnzR276R9sn 9DZpXjrw =jP2v -----END PGP PUBLIC KEY BLOCK----- From jason.barnett at telesuite.com Thu Jan 20 18:31:35 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Jan 20 18:29:58 2005 Subject: Mozilla List Mail In-Reply-To: <41EFDB1E.4010005__2309.18825041062$1106242141$gmane$org@sbcglobal.net> References: <41DCA692.6060206@sillydog.org> <41DCF839.60403@gmx.li> <41DD1211.4020606@sillydog.org> <41DD2899.4040701@gmx.li> <20050106145358.GA5259@dantooine> <41DD9830.8060105@sillydog.org> <20050106203636.GA7024@dantooine> <41EFDB1E.4010005__2309.18825041062$1106242141$gmane$org@sbcglobal.net> Message-ID: Bill Turner wrote: > Hello, > > markus reichelt wrote: > | David Vallier wrote: > | > |>>Sorry folks I just realized that this list doesn't have a proper > |>>reply to header, so when I click on reply it's sent to the > |>>_originator_ of the message. > > I use Mozilla Mail, but this ought to be pretty much the same for T-Bird > as well. I used 'reply all' and set you as a 'cc' while I used the T-bird does indeed allow you to reply to newsgroups. Just change the To: header from the dropdown box. > 'newsgroup' setting for the group email. hope this works as I am > expecting. haven't yet managed to find a place to setup an address > specifically as a 'newsgroup' for the replys. Hope this helps. > > | sorry, I'm a die-hard mutt fan ;-) > > mutt does rock... :) > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From richard at sheflug.co.uk Thu Jan 20 18:16:00 2005 From: richard at sheflug.co.uk (Richard Ibbotson) Date: Thu Jan 20 18:45:23 2005 Subject: Leaving the list In-Reply-To: References: Message-ID: <200501201716.00304.richard@sheflug.co.uk> Hi > Can anyone tell me how to go about leaving the list ? >>> http://lists.gnupg.org/mailman/listinfo/gnupg-users<<< :)) -- Richard www.sheflug.co.uk From pt at radvis.nu Thu Jan 20 15:04:42 2005 From: pt at radvis.nu (Per Tunedal Casual) Date: Thu Jan 20 18:58:42 2005 Subject: Encryption algos Message-ID: <6.1.2.0.2.20050120142331.02d31e58@localhost> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I just checked the list of algos in GnuPG v. 1.4: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH The list is rather long, what about making it a bit longer? Rational: When AES starts to become questioned (10 years from now? sooner?) we have an other secure algo to fall back upon. We have got basically two modern algos: AES and TWOFISH. Both are created with an emphasis on speed, rather than on security. What about including an algo with emphasis on security? I can see at least two suitable algos among the AES-candidates: Serpent (2:nd best to Rijndael=AES in the final evaluation round) CAST256 (beaten by Serpent in the first evaluation round) CAST256 is an improved version of CAST5 and might be a natural choice for OpenPGP. I don't know if the algo is used in any software or if it is studied by cryptographers any more. It might not be a good idea to include a cipher that isn't well studied (cf TWOFISH!). Serpent is considered secure due to "a conservative design" and many rounds. I think it is used in some software. This cipher might be of more interest to cryptographers and thus might be well studied. The drawback might be that the design is somewhat similar to Rijndael=AES and thus can be attacked in similar ways. Any way. There isn't any need to hurry. Better make a wise decision (cf TWOFISH). Per Tunedal Keyid: 0xAE053BE0 Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) - GPGrelay v0.955 Comment: Vad är en PGP-signatur? www.clipanish.com/PGP/pgp.html iD8DBQFB77qWaDDfzFT+2PIRAklaAJsHlEvp6Q/yw31TIc/EYNaW4mpenQCePKHH n0NmbZSFI3qUGufc81Fn7WE= =2szK -----END PGP SIGNATURE----- From swright at physics.adelaide.edu.au Thu Jan 20 18:17:36 2005 From: swright at physics.adelaide.edu.au (Stewart V. Wright) Date: Thu Jan 20 18:59:53 2005 Subject: Leaving the list In-Reply-To: References: Message-ID: <20050120171736.GD26677@anl.gov> G'day Oliver, * Oliver Marshall [050120 11:14]: > Can anyone tell me how to go about leaving the list ? Look at the headers of the messages. All you need to know is listed there. Cheers, S. From areiner at tph.tuwien.ac.at Thu Jan 20 18:21:14 2005 From: areiner at tph.tuwien.ac.at (Albert Reiner) Date: Thu Jan 20 19:01:37 2005 Subject: Leaving the list In-Reply-To: References: Message-ID: ["Oliver Marshall" , Thu, 20 Jan 2005 16:31:54 -0000]: > Can anyone tell me how to go about leaving the list ? By reading the mail headers? A From dshaw at jabberwocky.com Thu Jan 20 19:12:20 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Thu Jan 20 19:09:22 2005 Subject: Encryption algos In-Reply-To: <6.1.2.0.2.20050120142331.02d31e58@localhost> References: <6.1.2.0.2.20050120142331.02d31e58@localhost> Message-ID: <20050120181220.GA10744@jabberwocky.com> On Thu, Jan 20, 2005 at 03:04:42PM +0100, Per Tunedal Casual wrote: > Hi, > I just checked the list of algos in GnuPG v. 1.4: > 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH > > The list is rather long, what about making it a bit longer? > Rational: When AES starts to become questioned (10 years from now? sooner?) > we have an other secure algo to fall back upon. The algorithm list is defined by OpenPGP. If the OpenPGP standard gets more algorithms, we'll likely support them. I don't think it it likely to happen (I'd argue against it) but you can make a proposal to the OpenPGP working group if you like: http://www.imc.org/ietf-openpgp/index.html David From linux at codehelp.co.uk Thu Jan 20 20:05:40 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Thu Jan 20 20:01:36 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: <200501201905.43520.linux@codehelp.co.uk> On Thursday 20 January 2005 2:55 pm, Jason Barnett wrote: > - Can someone give me some advice on how to get started building my "web > of trust?" 1. Advertise that you use GnuPG by signing emails, putting your key in ASCII armour on your webpage, linking to that page in your email sig, . . . 2. Get yourself onto biglumber (ref in my sig) to help people in your area to find you. 3. Join local user groups, especially (GNU/)Linux User Groups (GLUG or LUG). 4. Start with your own friends and contacts. > - Is there a site where I can search *all* of the archives at once? I > found http://lists.gnupg.org/pipermail/gnupg-users/?1106184443 but I can > only search within a one month time frame (and I hate to post questions > that have already been answered). The practical reason for that is that multi-month searches require lots of server time and unless you've got the power of Google, the scripts time out. Google will search particular sites - check the advanced search options. > - I realize that not every person I email is going to use GPG / PGP so > I'd like to at least sign every email that I send. What exactly is > supposed to be in my signature? Is it the encrypted version of the > email I am sending? It's a checksum of the content of the email. It is calculated from your key and the email text and each signature is unique. Your email client will do the calculations for you. Your standard email sig (the plain text bit) should just mention your keyid or a webpage that holds a copy of your key plus sundry other contact details. You don't write a digital / GnuPG signature yourself. You're using Thunderbird so you'll need the Enigmail plugin to sign using GnuPG. It's very simple to configure. http://enigmail.mozdev.org/ It will allow you to sign all outgoing messages or just the ones you select. > Thanks in advance for whatever help you can send my way. And if any of > you are PHP developers feel free to drop me a line some time. :) http://sourceforge.net/projects/isbnsearch/ Atom has also written a GnuPG encryption routine for PHP: http://business-php.com/opensource/gpg_encrypt/ -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050120/92c1038b/attachment.pgp From jason.barnett at telesuite.com Thu Jan 20 21:36:53 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Thu Jan 20 21:35:16 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: <200501201905.43520.linux__15577.7703658261$1106248181$gmane$org@codehelp.co.uk> References: <200501201905.43520.linux__15577.7703658261$1106248181$gmane$org@codehelp.co.uk> Message-ID: Neil Williams wrote: > On Thursday 20 January 2005 2:55 pm, Jason Barnett wrote: > >>- Can someone give me some advice on how to get started building my "web >>of trust?" > > > 1. Advertise that you use GnuPG by signing emails, putting your key in ASCII > armour on your webpage, linking to that page in your email sig, . . . > 2. Get yourself onto biglumber (ref in my sig) to help people in your area to > find you. Someone else emailed me off list and I'm signing up for that right now. > 3. Join local user groups, especially (GNU/)Linux User Groups (GLUG or LUG). > 4. Start with your own friends and contacts. No one in my family uses it (I'm actually trying to convince my sister to start), but I'll give my friends a try. > > >>- Is there a site where I can search *all* of the archives at once? I >>found http://lists.gnupg.org/pipermail/gnupg-users/?1106184443 but I can >>only search within a one month time frame (and I hate to post questions >>that have already been answered). > > > The practical reason for that is that multi-month searches require lots of > server time and unless you've got the power of Google, the scripts time out. > > Google will search particular sites - check the advanced search options. Thanks for the tip! I've done this before for other sites, but I just didn't think of it this time around. > > >>- I realize that not every person I email is going to use GPG / PGP so >>I'd like to at least sign every email that I send. What exactly is >>supposed to be in my signature? Is it the encrypted version of the >>email I am sending? > > > It's a checksum of the content of the email. It is calculated from your key > and the email text and each signature is unique. Your email client will do > the calculations for you. Your standard email sig (the plain text bit) should > just mention your keyid or a webpage that holds a copy of your key plus > sundry other contact details. You don't write a digital / GnuPG signature > yourself. > > You're using Thunderbird so you'll need the Enigmail plugin to sign using > GnuPG. It's very simple to configure. > http://enigmail.mozdev.org/ I downloaded / installed it. I'll be setting that up shortly. > > It will allow you to sign all outgoing messages or just the ones you select. > > >>Thanks in advance for whatever help you can send my way. And if any of >>you are PHP developers feel free to drop me a line some time. :) > > > http://sourceforge.net/projects/isbnsearch/ > > Atom has also written a GnuPG encryption routine for PHP: > http://business-php.com/opensource/gpg_encrypt/ > > Many, many good tips here. Thank you! > > > ------------------------------------------------------------------------ > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Thu Jan 20 22:55:22 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 20 22:55:28 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <41EFC359.90103@pre-secure.de> (Olaf Gellert's message of "Thu, 20 Jan 2005 15:42:33 +0100") References: <41EFC359.90103@pre-secure.de> Message-ID: <87oefjzrxx.fsf@wheatstone.g10code.de> On Thu, 20 Jan 2005 15:42:33 +0100, Olaf Gellert said: > When gpg-agent logs the following, should it not > ask the user to verify the root certificate? Add allow-mark-trusted to your gpg-agent.conf It allow clients to mark keys as trusted, i.e. put them into the trustlist.txt file. This is by default not allowed to make it harder for users to inadvertly accept Root-CA keys. Shalom-Salam, Werner From wk at gnupg.org Thu Jan 20 22:58:56 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 20 22:55:37 2005 Subject: GnuPG on a USB device In-Reply-To: <453f8fe3050118223665fce5f5@mail.gmail.com> (USB Dev's message of "Wed, 19 Jan 2005 14:36:51 +0800") References: <453f8fe3050118223665fce5f5@mail.gmail.com> Message-ID: <87k6q7zrrz.fsf@wheatstone.g10code.de> On Wed, 19 Jan 2005 14:36:51 +0800, USB Dev said: > Could somene give me a hint where to look in the source code for this Huh? ftp://ftp.gnupg.org/gcrypt/gnupg/ Note that there is --homedir. Further gnupg also looks at $GNUPGHOME (1.4.1 will do so even under Windows). Salam-Shalom, Werner From sk at intertivity.com Thu Jan 20 22:46:16 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Jan 20 23:19:50 2005 Subject: Gpg and batch Message-ID: <000201c4ff39$78617c50$f300a8c0@HOME> Hi. I know it is possible to do something like this: Step 1: Save parameters to a file i.e. "def.inc" Key-Type: DSA Key-Length: 1024 Subkey-Type: ELG-E Subkey-Length: 1024 Name-Real: Joe Tester Name-Comment: this is a test Name-Email: joe@test.com Expire-Date: 0 Passphrase: abcdefg Step 2: From the command prompt issue the following: gpg --batch --key-gen def.inc Is this possible for every gpg command? If yes, where can i find a list of those parameters like "Key-Type", "Key-Length", "Passphrase" and so on? Thanks for any help. --sk From og at pre-secure.de Fri Jan 21 00:47:00 2005 From: og at pre-secure.de (Olaf Gellert) Date: Fri Jan 21 00:45:29 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <87oefjzrxx.fsf@wheatstone.g10code.de> References: <41EFC359.90103@pre-secure.de> <87oefjzrxx.fsf@wheatstone.g10code.de> Message-ID: <41F042F4.7080604@pre-secure.de> Werner Koch wrote: > Add > > allow-mark-trusted > > to your gpg-agent.conf Well, as I said: >>I already included the option "allow-mark-trusted" >>into the configuration. When I include the hash of >>a root certificate manually into the trustlist.txt, >>everything works. When I tell kleopatra to validate >>the root certificate, kleopatra queries the agent to >>do the job. So I do have the entry in the config, but the agent still does not query me. After some fiddling on another system (importing certs, deleting them, rebooting, ...) at some point it worked, but on a clean new SuSE install, it does not. So the question is: Are there any other conditions that may prevent the agent from asking the user? Cheers, Olaf P.S.: By the way, I was really impressed by the new X.509 functionality, OCSP, LDAP, GUI, wow! -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From erpo41 at hotpop.com Fri Jan 21 03:45:41 2005 From: erpo41 at hotpop.com (Erpo) Date: Fri Jan 21 04:17:01 2005 Subject: dual signatures Message-ID: <1106275541.1655.19.camel@andry> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Every so often on this list there's a discussion about the two main methods for signing an email: clearsigning (BEGIN PGP SIGNED MESSAGE style) and PGP/MIME (attachment style). Personally, I find clearsigning annoying because I use Evolution which only reads PGP/MIME. Other people find PGP/MIME annoying since their mail clients only read clearsigned messages. Here's a suggestion I haven't seen before: why not sign both ways? As a test, I'm going to clearsign this message with gpg before I paste it into evolution's message window. If it works, you can all enjoy seeing your mail client not be able to verify my message because I'm not on your keyring. Clearsign-only clients will ignore the "extra" meaningless attachment. PGP/MIME-only clients will verify the clearsigned text (including the "extra" PGP headers) using the attachment. Is there a good reason for mail clients not to do this automatically? - -- Erpo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFB8GyvTHFDLY02QhYRAvlNAKCM5k1dsP1q43h33zJ8XATscaeycwCfet3h DDdX/2zNMf1h/5+lMQ1YDS8= =M3BM -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : /pipermail/attachments/20050120/196f4ba1/attachment.pgp From shavital at mac.com Fri Jan 21 06:25:10 2005 From: shavital at mac.com (Charly Avital) Date: Fri Jan 21 06:55:25 2005 Subject: dual signatures In-Reply-To: <1106275541.1655.19.camel@andry> References: <1106275541.1655.19.camel@andry> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Using Apple's Mail.app, that with the proper modules, can verify both clearsigned and PGP/MIME signed messages. Your message came with both signature modes. Both signatures were properly checked but couldn't be verified because your public key couldn't be found on six different keyservers that both GnuPG and PGP searched. Sorry. Charly On Jan 20, 2005, at 9:45 PM, Erpo wrote: > [...] > Here's a suggestion I haven't seen before: why not sign > both ways? As a test, I'm going to clearsign this message > with gpg before I paste it into evolution's message > window. If it works, you can all enjoy seeing your mail > client not be able to verify my message because I'm not > on your keyring. Clearsign-only clients will ignore the > "extra" meaningless attachment. PGP/MIME-only clients will > verify the clearsigned text (including the "extra" PGP > headers) using the attachment. > > Is there a good reason for mail clients not to do this > automatically? > [...] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Darwin) Comment: GnuPG for Privacy iD8DBQFB8JJD8SG5rMkbCF4RAinYAJ9lZrQX1usqXypotSc87TFu2zcylACggSA+ WB6uPMbDf6kLhUBjvhLbrY4= =wMfI -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Jan 21 07:33:40 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 21 07:30:32 2005 Subject: Leaving the list In-Reply-To: References: Message-ID: <41F0A244.6060404@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oliver Marshall wrote: > Hi, > > Can anyone tell me how to go about leaving the list ? > > Thanks > > Olly > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > You /could/ check that little link that's in the footer appended to EVERY list message. I think there are some helpful bits and clues there. Did you try sending a message to gnupg-users-request@gnupg.org with a message body of 'unsubscribe'? That tends to work quite a bit of the time. Sending it to gnupg-users however will get you sniggered at. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB8KJDHQSsSmCNKhARAn0SAKCbeQ6PqC2cqElKh428pa3+vNrcxgCgma9w KG3NM0jUB97Z94QDmNLilYE= =8Dhq -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Jan 21 07:38:11 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 21 07:34:53 2005 Subject: GnuPG on a USB device In-Reply-To: <453f8fe3050118223665fce5f5@mail.gmail.com> References: <453f8fe3050118223665fce5f5@mail.gmail.com> Message-ID: <41F0A353.5030701@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 USB Dev wrote: > Hi, > > I wrote a front end for GnuPG a while ago for use on a flash drives > I would like ot modify the gpg source to either remove the registry > check and look in the locale drive or add something to the gpg.conf > file to make it look locally, > > Could somene give me a hint where to look in the source code for this Get the 1.4.1-cvs code. It's already there. Or just wait for its release. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB8KNSHQSsSmCNKhARAvZRAKCcRr1Fzv+DyiWtPobhvRxJ0koMoQCgrxIR 3MQHWFJNf5A0PWCnjM+kHU8= =79cv -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Jan 21 07:50:26 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 21 08:24:35 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: <41F0A632.9080803@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Barnett wrote: > Although I have read through the man page as well as a few web sites, I > am still quite new to GPG. I searched a bit and found this newsgroup > and hope that you folks can help me with these questions. We'll do our best. > - Can someone give me some advice on how to get started building my "web > of trust?" I think I understand the basic concept; meet someone in real > life, verify they are who they say they are and exchange signatures. > But can someone give me some practical tips to get started? (BTW I live > in southwest Ohio, USA). http://www.biglumber.com > > - Is there a site where I can search *all* of the archives at once? I > found http://lists.gnupg.org/pipermail/gnupg-users/?1106184443 but I can > only search within a one month time frame (and I hate to post questions > that have already been answered). http://lists.gnupg.org/pipermail/gnupg-users.mbox/gnupg-users.mbox Will download the entire list archive, in mbox format. This is the same format Mozilla mail, Thunderbird, Netscape and many other mailers use. When I first subscribed, I downloaded the full archive to my mail directory, deleted the mbox extension and directed new postings to that location. I can search the archive with any tool I wish. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-14 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB8KYyHQSsSmCNKhARAvXUAKDENvbtZJZEJ4xSTKFIWaOmCYcVUwCg1b8V +XwMDbbAFbhGdk8k+3njc9k= =n/5B -----END PGP SIGNATURE----- From JPClizbe at comcast.net Fri Jan 21 07:57:52 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Fri Jan 21 08:24:45 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: <200501201905.43520.linux__15577.7703658261$1106248181$gmane$org@codehelp.co.uk> Message-ID: <41F0A7F0.8010507@comcast.net> Jason Barnett wrote: > Neil Williams wrote: >> >> You're using Thunderbird so you'll need the Enigmail plugin to sign using >> GnuPG. It's very simple to configure. >> http://enigmail.mozdev.org/ > > I downloaded / installed it. I'll be setting that up shortly. > See http://enigmail.mozdev.org/gpgconf.html for an excellent guide to installing GnuPG and Enigmail on windows. The Enigmail list at enigmail@mozdev.org is a great resource for getting Enigmail installed and working. Most problems have been seen by us before. ObDisclaimer: Yes, I'm biased. -- John P. Clizbe Inet: John (a) Mozilla-Enigmail.org Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Gir-r-r-r-rl" is like this Universal Gay term, like 'Aloha' or 'Shalom'. - Margaret Cho "Only the truly intelligent know when they are being stupid." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 451 bytes Desc: OpenPGP digital signature Url : /pipermail/attachments/20050121/ca735ba8/signature.pgp From atom at smasher.org Fri Jan 21 08:46:38 2005 From: atom at smasher.org (Atom Smasher) Date: Fri Jan 21 08:38:06 2005 Subject: Gpg and batch In-Reply-To: <000201c4ff39$78617c50$f300a8c0@HOME> References: <000201c4ff39$78617c50$f300a8c0@HOME> Message-ID: <20050121074154.69546.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, 20 Jan 2005, Kiefer, Sascha wrote: > I know it is possible to do something like this: > > Step 1: Save parameters to a file i.e. "def.inc" > Key-Type: DSA > Key-Length: 1024 > Subkey-Type: ELG-E > Subkey-Length: 1024 > Name-Real: Joe Tester > Name-Comment: this is a test > Name-Email: joe@test.com > Expire-Date: 0 > Passphrase: abcdefg > > Step 2: From the command prompt issue the following: > gpg --batch --key-gen def.inc > > > Is this possible for every gpg command? > If yes, where can i find a list of those parameters like "Key-Type", > "Key-Length", "Passphrase" and so on? =================== i'm not sure what you're trying to automate with every command, but the details for "Unattended key generation" are in the "DETAILS" file installed with gnupg documentation. it includes a list of parameters. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "The proper time to influence the character of a child is about a hundred years before he's born." -- William R. Inge (1913-1973) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB8LNkAAoJEAx/d+cTpVciDXYH/R3B1yTB21iR9RPunuhtna1J q+Tci6dkcI8aopUHcyhqUI/4I/mlnwuDxcaJ4j7gscDoIQe0cRlLYnzrwzrKe/gx vmqViAn2HdKAqx0r6svEmWGsHbWKjBaxkGVwVx+eKkWb4bbn44hvb+FiAoNZ2hqR y3xSl/1X25qO2mDwznqaieJ3DWblY3WNekGAT5Ls/2SNG77cB64qdo+UOfD0N8wj F2Mqc0+y/84/myucmXCCRGmo0iFGq1xWYVztaSkC+04Me5GDa6Rtg1FEvqVahTR2 H++EoG+vsVkApN+j+EQiDMKLjLcKA6U7jqIPz9jGGYati+yqzBIIZXwnG/wE350= =9mYI -----END PGP SIGNATURE----- From wk at gnupg.org Fri Jan 21 10:08:05 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 10:05:31 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <41F042F4.7080604@pre-secure.de> (Olaf Gellert's message of "Fri, 21 Jan 2005 00:47:00 +0100") References: <41EFC359.90103@pre-secure.de> <87oefjzrxx.fsf@wheatstone.g10code.de> <41F042F4.7080604@pre-secure.de> Message-ID: <87k6q7xi8a.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 00:47:00 +0100, Olaf Gellert said: > a clean new SuSE install, it does not. So the question > is: Are there any other conditions that may prevent > the agent from asking the user? You need all the certificates up to the root before gpgsm will ask you. Another way to force it to ask is by using gpgsm --list-keys --with-validation Salam-Shalom, Werner From wk at gnupg.org Fri Jan 21 10:13:25 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 10:10:29 2005 Subject: dual signatures In-Reply-To: <1106275541.1655.19.camel@andry> (erpo41@hotpop.com's message of "Thu, 20 Jan 2005 18:45:41 -0800") References: <1106275541.1655.19.camel@andry> Message-ID: <87fz0vxhze.fsf@wheatstone.g10code.de> On Thu, 20 Jan 2005 18:45:41 -0800, Erpo said: > Here's a suggestion I haven't seen before: why not sign > both ways? As a test, I'm going to clearsign this message In fact Thomas Roessler once wrote an ID multisig to allow parallel S/MIME and PGP/MIME signature. You won't find it in the IETF archive anymore but the Mutt ML archives should have hints. Mutt also has peparations in the code for this. Shalom-Salam, Werner From sk at intertivity.com Fri Jan 21 12:47:39 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Fri Jan 21 12:43:54 2005 Subject: Gpg and batch Message-ID: <149843ffeaeeabcf9a16f6388d5e967d.sk@intertivity.com> well, i hoped that there is a way to easy sign keys and stuff like that. But i guess there is not. :( Thanks anyway. --sk Atom Smasher wrote: >On Thu, 20 Jan 2005, Kiefer, Sascha wrote: > >> I know it is possible to do something like this: >> >> Step 1: Save parameters to a file i.e. "def.inc" >> Key-Type: DSA >> Key-Length: 1024 >> Subkey-Type: ELG-E >> Subkey-Length: 1024 >> Name-Real: Joe Tester >> Name-Comment: this is a test >> Name-Email: joe@test.com >> Expire-Date: 0 >> Passphrase: abcdefg >> >> Step 2: From the command prompt issue the following: >> gpg --batch --key-gen def.inc >> >> >> Is this possible for every gpg command? >> If yes, where can i find a list of those parameters like "Key-Type", >> "Key-Length", "Passphrase" and so on? >=================== >i'm not sure what you're trying to automate with every command, but the >details for "Unattended key generation" are in the "DETAILS" file >installed with gnupg documentation. it includes a list of parameters. > > >- -- > ...atom From grayd at extenza-turpin.com Fri Jan 21 13:00:44 2005 From: grayd at extenza-turpin.com (David Gray) Date: Fri Jan 21 12:50:27 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8B6@kashmir.extenza-turpin.com> Hi all, Does anyone know if GnuPG v1.2.3 on OpenVMS can decrypt files encrypted with 2.6.3i on a PC? Dave. From og at pre-secure.de Fri Jan 21 13:13:04 2005 From: og at pre-secure.de (Olaf Gellert) Date: Fri Jan 21 13:11:35 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <87k6q7xi8a.fsf@wheatstone.g10code.de> References: <41EFC359.90103@pre-secure.de> <87oefjzrxx.fsf@wheatstone.g10code.de> <41F042F4.7080604@pre-secure.de> <87k6q7xi8a.fsf@wheatstone.g10code.de> Message-ID: <41F0F1D0.6070109@pre-secure.de> Werner Koch wrote: > You need all the certificates up to the root before gpgsm will ask > you. Another way to force it to ask is by using > > gpgsm --list-keys --with-validation Have a look at this log: ############################################################################# ranum@ranum:~> ps aux | grep agent ranum 5391 0.0 0.1 3324 1004 ? S 12:59 0:00 gpg-agent --daemon --no-detach --allow-mark-trusted --keep-display /bin/bash /etc/X11/xinit/xinitrc ranum 5791 0.0 0.1 2660 736 pts/2 S+ 13:05 0:00 grep agent ############################################################################# So gpg-agent is running with --allow-mark-trusted. And then: ############################################################################# ranum@ranum:~> gpgsm --list-keys --with-validation 07:01:EF:37:D0:56:84:29:C0:57:45:3D:80:46:46:C3:D0:16:E6:60 Secure memory is not locked into core gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION! gpgsm: It is only intended for test purposes and should NOT be gpgsm: used in a production environment or with production keys! /home/ranum/.gnupg/pubring.kbx ------------------------------ Serial number: 00 Issuer: /CN=Test Root CA B1/O=Test Organization B/C=DE/EMail=ca@testorg-b.org Subject: /CN=Test Root CA B1/O=Test Organization B/C=DE/EMail=ca@testorg-b.org aka: ca@testorg-b.org validity: 2005-01-12 12:36:38 through 2007-01-12 12:36:38 key type: 2048 bit RSA key usage: certSign chain length: unlimited fingerprint: 07:01:EF:37:D0:56:84:29:C0:57:45:3D:80:46:46:C3:D0:16:E6:60 gpgsm: DBG: connection to agent established [Das Wurzelzertifikat ist nicht als vertrauensw?rdig markiert] [certificate is bad: Nicht vertrauensw?rdig] secmem usage: 1344/16384 bytes in 2 blocks ############################################################################# No request window. Hmmm... The version is GPG 1.9.10. Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From wk at gnupg.org Fri Jan 21 14:23:33 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 14:20:30 2005 Subject: Gpg and batch In-Reply-To: <149843ffeaeeabcf9a16f6388d5e967d.sk@intertivity.com> (Sascha Kiefer's message of "Fri, 21 Jan 2005 11:47:39 UT") References: <149843ffeaeeabcf9a16f6388d5e967d.sk@intertivity.com> Message-ID: <87k6q6x6ei.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 11:47:39 UT, Sascha Kiefer said: > well, i hoped that there is a way to easy sign keys and stuff like that. > But i guess there is not. :( signing a key is an interactive process so you can't use canned parameters. Have a look at --status-fd and --command-fd. Werner From wk at gnupg.org Fri Jan 21 14:25:55 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 14:25:29 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8B6@kashmir.extenza-turpin.com> (David Gray's message of "Fri, 21 Jan 2005 12:00:44 -0000") References: <5155685DF4FC004297C9F5D769CBF51C01CAA8B6@kashmir.extenza-turpin.com> Message-ID: <87fz0ux6ak.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 12:00:44 -0000, David Gray said: > Does anyone know if GnuPG v1.2.3 on OpenVMS can decrypt files encrypted with > 2.6.3i on a PC? It won't be able to do this because PGP uses IDEA which is a patented algorithm and distribution of gnupg with IDEA support is not allowed. I presume that GnuPG runs in the POSIX subsytem of VMS, right? Werner From xwck at oreka.com Fri Jan 21 10:30:14 2005 From: xwck at oreka.com (Alain Bench) Date: Fri Jan 21 16:34:56 2005 Subject: unconvertable chars display glitches In-Reply-To: <87fz0yspp9.fsf@wheatstone.g10code.de> References: <20050114091946.GA29125@oreka.com> <873bx3vpx4.fsf@wheatstone.g10code.de> <20050115133614.GA1192@oreka.com> <87fz0yspp9.fsf@wheatstone.g10code.de> Message-ID: <20050121093014.GA13216@oreka.com> On Tuesday, January 18, 2005 at 4:48:50 PM +0100, Werner Koch wrote: > On Sat, 15 Jan 2005 14:36:15 +0100 (CET), Alain Bench said: >> [display unconv warning] fills the screen when printed repeatedly > Won't get printed more than one time now. Good enough: Thanks. Doing same on input to UTF unconvertability might ease user inputing garbage to UIDs, isn't it? >> --with-colons [escapes] byte \x93 > Because 0x80-0x9F are not defined and might be used for control > characters. There \x93 is well defined and printable, both in the locale's charset CP-1252, and in UTF-8 (as part of a sequence). | /x93 LEFT DOUBLE QUOTATION MARK ? | /xc5/x93 LATIN SMALL LIGATURE OE ? Escaping \x93 breaks display even in an UTF-8 locale. But I seem to understand that whatever locale, --with-colons display is secondary. And parsers might perhaps at some level work in Latin-1. Is it what you meant? BTW another minor glitch, on Woody, GnuPG 1.4, Latin-1 locale, real key 0x426D29E3 on keyservers (snipped addy): | $ gpg --list-keys 426D29E3 | pub 1024D/426D29E3 2004-12-17 | uid Melchior de Contades (Cl\xe9\x20PGP; no password) [...] | sub 2048g/6C0FE01D 2004-12-17 The UID comment is invalid: It contains raw "Cl? PGP" as Latin-1, not UTF-8. GnuPG escapes the invalid UTF-8 one byte sequence \xe9, fine. But the following \x20 is perfectly valid alone, is not (and can't be) part of any UTF-8 sequence. It should be printed as a space. Bye! Alain. -- When you want to reply to a mailing list, please avoid doing so with Hotmail. This lacks necessary references and breaks threads. From xwck at oreka.com Fri Jan 21 12:56:29 2005 From: xwck at oreka.com (Alain Bench) Date: Fri Jan 21 16:35:47 2005 Subject: current charset guessing In-Reply-To: <87k6qaspru.fsf@wheatstone.g10code.de> References: <20050103002657.GA32265@oreka.com> <874qhudcos.fsf@wheatstone.g10code.de> <20050107172334.GA14032@oreka.com> <87vfa49ft8.fsf@wheatstone.g10code.de> <20050115001710.GA31744@oreka.com> <87k6qaspru.fsf@wheatstone.g10code.de> Message-ID: <20050121115628.GB13216@oreka.com> On Tuesday, January 18, 2005 at 4:47:17 PM +0100, Werner Koch wrote: > On Sat, 15 Jan 2005 01:17:10 +0100 (CET), Alain Bench said: >> in the tarball: gnupg-1.4.0/intl/localcharset.c > Onmost systems it is not used and it will raise problems when > installing with --disable-nls. What about adopting it directly, not as a lib? >> LC_ALL, LC_CTYPE, and LANG are unset [...] then charset = Latin-1. > GNU also defines LANGUAGE Out of the game: LANGUAGE Gnuism is sort of multi-LC_MESSAGES. Not involved in charset selection, even if it better should follow what's selected elsewhere. BTW a loosely related Win32 glitch with straight binary gnupg-w32cli-1.4.0a.zip from gnupg.org, on Win2000sp4 in default "French_France.1252" locale, and default CP850 charset in cmd.exe: | C:\>gpg --verify gettext-0.14.1.tar.gz.sig | gpg: Signature faite le 01/29/04 20:21:41 CET avec la cl? DSA ID 09718317 | gpg: Bonne signature de ? Bruno Haible (Open Source Development) [...] ? The date is not localized on Win32: It should probably be "29/01/2004 20:21:41 CET", or "29 janv. 2004", or whatever the locale defines. Note I had to setlocale(LC_ALL, ".850") to get it OK. Bye! Alain. -- Give your computer's unused idle processor cycles to a scientific goal: The Folding@home project at . From grinny3004 at yahoo.com Fri Jan 21 15:43:39 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Fri Jan 21 16:40:16 2005 Subject: Proxy trouble Message-ID: <20050121144339.16363.qmail@web61203.mail.yahoo.com> Hi everyone, I'm trying to get Gnu-pg working over a proxy server, but can't get it to work. I'm using Windows 2000 SP 4 and have tried both verion 1.4.0a and 1.4.1 (cvs build) which both gave the same error. I've also tried 1.4.0.2 for cygwin which also gave me the same error. I've added the option 'keyserver-options honor-http-proxy' to my gpg.conf, have set the environment variable 'http_proxy', to http://proxy.wleideb.net:3128 and gpg.exe is on my PATH. Now when I try to receive a key from the keyserver, it tells me it can't find the keyserver. > C:\Documents and Settings\Administrator.GRINNY>gpg --keyserver x-hkp://keyserver > .kjsl.com --keyserver-options honor-http-proxy --recv-keys 0xBB36BA75 > gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com > Host: keyserver.kjsl.com > Command: GET > gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com/pks/lookup?op=get&options=mr&sear > ch=0xBB36BA75' > ?: keyserver.kjsl.com: Host not found: ec=10065 > gpgkeys: HKP fetch error: No error > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 I know my proxy settings are good, cause I use the same HTTP proxy for firefox. The weirdest thing is, if I repeat the command above with an IP address in stead of a hostname, it also fails, but with a different message: > C:\Documents and Settings\Administrator.GRINNY>ping keyserver.kjsl.com > > Pingen naar keyserver.kjsl.com [69.36.241.130] met 32 byte gegevens: > > Control-C > ^C > C:\Documents and Settings\Administrator.GRINNY>gpg --keyserver x-hkp://69.36.241 > .130 --keyserver-options honor-http-proxy --recv-keys 0xBB36BA75 > gpg: requesting key BB36BA75 from hkp server 69.36.241.130 > Host: 69.36.241.130 > Command: GET > gpgkeys: HTTP URL is `hkp://69.36.241.130/pks/lookup?op=get&options=mr&search=0x > BB36BA75' > gpgkeys: HKP fetch error: No error > gpg: no valid OpenPGP data found. > gpg: Total number processed: 0 My proxy only allows access to port 80 (HTTP) and port 443 (SSL). Is this a known bug that hasn't been fixed yet, or am I doing something really stupid? Thanks, Grinny __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From jharris at widomaker.com Fri Jan 21 17:18:05 2005 From: jharris at widomaker.com (Jason Harris) Date: Fri Jan 21 17:14:32 2005 Subject: Proxy trouble In-Reply-To: <20050121144339.16363.qmail@web61203.mail.yahoo.com> References: <20050121144339.16363.qmail@web61203.mail.yahoo.com> Message-ID: <20050121161805.GA46378@wilma.widomaker.com> On Fri, Jan 21, 2005 at 06:43:39AM -0800, lord grinny wrote: > I'm trying to get Gnu-pg working over a proxy server, > but can't get it to work. > My proxy only allows access to port 80 (HTTP) and port > 443 (SSL). Is this a In that case, try using port 80: %gpg --keyserver hkp://keyserver.kjsl.com:80 --recv BB36BA75 gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com Host: keyserver.kjsl.com Port: 80 Command: GET gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&search=0xBB36BA75' gpg: key BB36BA75: public key "Barry Porter " imported gpg: Total number processed: 1 gpg: imported: 1 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050121/2df773a8/attachment.pgp From grayd at extenza-turpin.com Fri Jan 21 16:36:18 2005 From: grayd at extenza-turpin.com (David Gray) Date: Fri Jan 21 18:10:42 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8C8@kashmir.extenza-turpin.com> Hi, I was under the impression that PGP could use alternate algorithms? I was hoping to generate a key pair on VMS and pass the public key onto one of suppliers who uses PGP. The GnuPG features page mentions that it can decrypt file encrypted with PGP 5, 6 & 7 so I guess that answers my question... Hmmm, back to the drawing board. I'm not sure about the POSIX subsystem, is it relevant? Regards Dave. -----Original Message----- From: Werner Koch [mailto:wk@gnupg.org] Sent: 21 January 2005 13:26 To: David Gray Cc: GnuPG Users List Subject: Re: 2.6.3i On Fri, 21 Jan 2005 12:00:44 -0000, David Gray said: > Does anyone know if GnuPG v1.2.3 on OpenVMS can decrypt files encrypted with > 2.6.3i on a PC? It won't be able to do this because PGP uses IDEA which is a patented algorithm and distribution of gnupg with IDEA support is not allowed. I presume that GnuPG runs in the POSIX subsytem of VMS, right? Werner From wk at gnupg.org Fri Jan 21 18:37:14 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 18:35:29 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <41F0F1D0.6070109@pre-secure.de> (Olaf Gellert's message of "Fri, 21 Jan 2005 13:13:04 +0100") References: <41EFC359.90103@pre-secure.de> <87oefjzrxx.fsf@wheatstone.g10code.de> <41F042F4.7080604@pre-secure.de> <87k6q7xi8a.fsf@wheatstone.g10code.de> <41F0F1D0.6070109@pre-secure.de> Message-ID: <87is5qvg39.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 13:13:04 +0100, Olaf Gellert said: >> You need all the certificates up to the root before gpgsm will ask >> you. Another way to force it to ask is by using >> >> gpgsm --list-keys --with-validation I was wrong. You won't get ask when doing a --with-validation. In fact that would be a bad idea because it is used wth a list command and thus you might get ask for many certificates. I recall that this was an annoying mproblem when I implemented --with-validation. Either do an encryption ro signing. I just tested it using encryption of a end certificate and it works as expected. Note that when manually changing trustlist.txt or gpg-agent.conf, you need to give gpg-agent a HUP. Salam-Shalom, Werner From wk at gnupg.org Fri Jan 21 18:38:29 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 21 18:35:40 2005 Subject: gpg-agent and trusted root certificates In-Reply-To: <41F0F1D0.6070109@pre-secure.de> (Olaf Gellert's message of "Fri, 21 Jan 2005 13:13:04 +0100") References: <41EFC359.90103@pre-secure.de> <87oefjzrxx.fsf@wheatstone.g10code.de> <41F042F4.7080604@pre-secure.de> <87k6q7xi8a.fsf@wheatstone.g10code.de> <41F0F1D0.6070109@pre-secure.de> Message-ID: <87ekgevg16.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 13:13:04 +0100, Olaf Gellert said: > No request window. Hmmm... The version is GPG 1.9.10. I used 1.9.15. Shouldn't make a difference, though. Shalom-Salam, Werner From johanw at vulcan.xs4all.nl Fri Jan 21 18:50:09 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Fri Jan 21 19:15:10 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8C8@kashmir.extenza-turpin.com> from David Gray at "Jan 21, 2005 03:36:18 pm" Message-ID: <200501211750.SAA00899@vulcan.xs4all.nl> David Gray wrote: >I was under the impression that PGP could use alternate algorithms? pgp 2.6.3i uses only IDEA and RSA. However, there exist pgp 2 versions that support other algorithms. Such a version is pgp263iamulti-06. Because the author died in a tragical accident I'm not sure if it can be easily found on the net, but I can mail it to you if you like. That said, there exist an IDEA extension module for GnuPG which solves the problem too. If you can compile that module on your system, or recompile GnuPG with idea.c copied into the cipher/ directory, it will work with pgp 2.6.3i encrypted messages and vice versa. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From sk at intertivity.com Fri Jan 21 19:25:36 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Fri Jan 21 19:21:39 2005 Subject: Gpg and batch In-Reply-To: <87k6q6x6ei.fsf@wheatstone.g10code.de> Message-ID: <001201c4ffe6$9bae0310$f300a8c0@HOME> Okay... I check it... Thanks. That problem i had is i have an interface for all that for gnupg 1.2.4. (for windows) but i noticed that the output of gpg has changed in 1.4.0 so i have to redo my parsing and Interacting with the program when asked for input. > From: Werner Koch [mailto:wk@gnupg.org] > On Fri, 21 Jan 2005 11:47:39 UT, Sascha Kiefer said: > > > well, i hoped that there is a way to easy sign keys and stuff like > > that. But i guess there is not. :( > > signing a key is an interactive process so you can't use > canned parameters. Have a look at --status-fd and --command-fd. > > Werner > From cedar at 3web.net Fri Jan 21 20:20:52 2005 From: cedar at 3web.net (C. D. Rok) Date: Fri Jan 21 23:41:25 2005 Subject: 2.6.3i multi In-Reply-To: <200501211750.SAA00899@vulcan.xs4all.nl> References: <200501211750.SAA00899@vulcan.xs4all.nl> Message-ID: <41F15614.8070605@3web.net> Johan Wevers wrote: > pgp 2.6.3i uses only IDEA and RSA. However, there exist pgp 2 versions that > support other algorithms. Such a version is pgp263iamulti-06. Because the > author died in a tragical accident I'm not sure if it can be easily found on > the net, but I can mail it to you if you like. Still has a large number of users. Search the net for the filename "pgp263iamulti06.zip". md5sum on my copy (from way back) is: 3838cdaad19ec5a8014a9bcbf2e02092 *pgp263iamulti06.zip It matches the copy currently available from: http://www.informatik.hu-berlin.de/~cakruege/ It is also appropriate to mention here the author: http://www.mail-archive.com/cypherpunks-moderated@minder.net/msg04887.html CD Rok From freebsd at usol.com Sat Jan 22 02:56:30 2005 From: freebsd at usol.com (Eric Buchanan) Date: Sat Jan 22 03:55:29 2005 Subject: Shell script question for GnuPG on FreeBSD Message-ID: <200501211756.36027.freebsd@usol.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello all, I'm trying to migrate a shell script to use gnupg instead of PGP 5.0i on FreeBSD. I can't seem to convert this line: pgpe -r root -sta (long list of files to encrypt with one command.) Is there any easy way to do this with gnupg? My efforts to change it reading the man page aren't working. gpg --encrypt-files -r root -sta (long list of files to encrypt with one command.) doesn't work with multiple files, but it does with single files. I want to use gnupg once in the script to encrypt a large number of large files in one directory with just one command. I need to access these files on Windows XP and OpenBSD so I use ascii armoring. Any help would be appreciated. Eric Buchanan -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFB8bLR//GaROrFlAkRAv2PAJ9KihIMboYP0JMuyjIFQIPrQ+B69ACfYUjk usjwUwa2BeswW6W8ZmxCu3A= =JeRa -----END PGP SIGNATURE----- From atom at smasher.org Sat Jan 22 06:33:16 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Jan 22 06:24:44 2005 Subject: Shell script question for GnuPG on FreeBSD In-Reply-To: <200501211756.36027.freebsd@usol.com> References: <200501211756.36027.freebsd@usol.com> Message-ID: <20050122052826.11152.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 21 Jan 2005, Eric Buchanan wrote: > I'm trying to migrate a shell script to use gnupg instead of PGP 5.0i on > FreeBSD. I can't seem to convert this line: > > pgpe -r root -sta (long list of files to encrypt with one command.) > > Is there any easy way to do this with gnupg? My efforts to change it > reading the man page aren't working. ===================== --multifile This modifies certain other commands to accept multiple files for processing on the command line or read from stdin with each filename on a separate line. This allows for many files to be processed at once. --multifile may currently be used along with --verify, --encrypt, and --decrypt. Note that `--multifile --verify' may not be used with detached signatures. hehe... the man page is a bit of a bear... you have to know what your looking for. - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Next time you hear a scientist asserting that gene splicing is safe, remind yourself that there is no scientific evidence for that statement." -- Donella H. Meadows, adjunct professor of environmental studies, Dartmouth College -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB8eWiAAoJEAx/d+cTpVciKeUH/09B7ANC39LYAept5zLqxy0Z peTOQej7qJrSnWLGxrheVomAsIBRV4nZ3Q283AdjTPhACstngdE6oo+lHPqr7ENT DCarEaUc9mvVrT83Q85CODkzBQi0Ri+1x6VZOXxldjwtAWrryr5fgMkDibWFys+r vFzjqsUfyyzvkIfUTKeRX8tItHzRQHoRXr91ye8GLpHsoNKBQnsry1vG2ErqTbb8 mFaqW5ZLSUWoEkKqogdFYngt++YPkcqWy8MhCeWWjkjYJ5JZjjshjYFlAp1plELk ho9MfOVZFj0Ra3Bhb+n+vRI93N3D96gi1ODEGVoRs4WG8vf1v+yPJLdSkbiG8g4= =V3Fm -----END PGP SIGNATURE----- From freebsd at usol.com Sat Jan 22 07:18:49 2005 From: freebsd at usol.com (Eric Buchanan) Date: Sat Jan 22 08:30:11 2005 Subject: Shell script question for GnuPG on FreeBSD In-Reply-To: <20050122052826.11152.qmail@smasher.org> References: <200501211756.36027.freebsd@usol.com> <20050122052826.11152.qmail@smasher.org> Message-ID: <200501212219.10036.freebsd@usol.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Right you are about the man page. I piped the whole man page into an .asc file, and searched through it with Xemacs. I have got it working with multifile as long as I drop the -s. Thanks, Eric Buchanan El Vie 21 Ene 2005 09:33 PM, Atom Smasher escribi?: > On Fri, 21 Jan 2005, Eric Buchanan wrote: > > I'm trying to migrate a shell script to use gnupg instead of PGP 5.0i on > > FreeBSD. I can't seem to convert this line: > > > > pgpe -r root -sta (long list of files to encrypt with one command.) > > > > Is there any easy way to do this with gnupg? My efforts to change it > > reading the man page aren't working. > > ===================== > > --multifile > This modifies certain other commands to accept multiple files for > processing on the command line or read from stdin with each > filename on a separate line. This allows for many files to be > processed at once. --multifile may currently be used along with > --verify, --encrypt, and --decrypt. Note that `--multifile > --verify' may not be used with detached signatures. > > hehe... the man page is a bit of a bear... you have to know what your > looking for. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFB8fBc//GaROrFlAkRAt0lAKDCciCEotqslNRmu4BQhYwrkbfUeACgtDr/ 5MgPr7gnMf57uT79rCfGV0A= =Lsx4 -----END PGP SIGNATURE----- From xwck at oreka.com Fri Jan 21 20:49:03 2005 From: xwck at oreka.com (Alain Bench) Date: Sat Jan 22 09:30:36 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: <41F0A632.9080803@comcast.net> References: <41F0A632.9080803@comcast.net> Message-ID: <20050121194903.GA15296@oreka.com> Hi John, On Friday, January 21, 2005 at 12:50:26 AM -0600, John P. Clizbe wrote: > http://lists.gnupg.org/pipermail/gnupg-users.mbox/gnupg-users.mbox > Will download the entire list archive, in mbox format. This big archive is really fine, thank you. A pity the server disallows continued download (wget -c). And the month archives from in text format are nearly unreadable due to over-munging. Bye! Alain. -- You know what I would like to do? COMPLY. I would LOVE to COMPLY. But, you know what, Pat? I don't know where the h_ll that frickin 2-dash stupid stinkin line is coming from, okay? Comply... Greg K. in ??Scarface III -- The Return Of The Evil Sigdashes?? From kabads at gmail.com Sat Jan 22 09:21:17 2005 From: kabads at gmail.com (Adam Cripps) Date: Sat Jan 22 11:12:08 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: On Thu, 20 Jan 2005 10:58:28 -0500, Jason Barnett wrote: > Jason Barnett wrote: > After I wrote this I thought of one other question. I submitted my > first public key to several keyservers (you can find it by going to > http://keyserver.veridis.com:11371/pks/lookup?op=get&search=0x74D2856A). > As I understand it one person will often use multiple private keys > (perhaps one for personal, one for work, one for when you get fired and > start working somewhere else). > > - Should I create a personal key and use that as my "primary" private > key... and then assign other keys as "secondary" keys as needed? > > I'm asking this mostly from a management perspective. I understand how > to do what I'm asking, I'm just asking if my line of thinking is correct > or if I should be managing my keys in some other way. Thanks again! I currently have one keypair and I use this on two machines - my secure personal machine, owned by me, and a laptop owned by my employer. When I use my key on my employer's machine, I store my private key on my usb storage device. Adam -- http://www.monkeez.org GPG key: 7111B833 From grinny3004 at yahoo.com Sat Jan 22 12:42:53 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Sat Jan 22 12:39:40 2005 Subject: Proxy trouble Message-ID: <20050122114254.69384.qmail@web61208.mail.yahoo.com> Thanks for your response Jason, Jason Harris wrote: > In that case, try using port 80: > > %gpg --keyserver hkp://keyserver.kjsl.com:80 --recv BB36BA75 > gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com > Host: keyserver.kjsl.com > Port: 80 > Command: GET > gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&search=0xBB36BA75' > gpg: key BB36BA75: public key "Barry Porter " imported > gpg: Total number processed: 1 > gpg: imported: 1 > D:\>gpg --keyserver hkp://keyserver.kjsl.com:80 --recv-keys 0xBB36BA75 gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com Host: keyserver.kjsl.com Port: 80 Command: GET gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&s earch=0xBB36BA75' ?: keyserver.kjsl.com: Host not found: ec=10065 gpgkeys: HKP fetch error: No error gpg: no valid OpenPGP data found. gpg: Total number processed: 0 I don't know what this is. My proxy is set up correctly (works for Firefox) and I think I've setup gnu-pg correctly... - Grinny - __________________________________ Do you Yahoo!? Yahoo! Mail - Easier than ever with enhanced search. Learn more. http://info.mail.yahoo.com/mail_250 From david.lorch at gmx.de Sat Jan 22 16:57:37 2005 From: david.lorch at gmx.de (David Lorch) Date: Sat Jan 22 19:12:58 2005 Subject: OpenPGP card issues Message-ID: <41F277F1.40407@gmx.de> Hi, I bought an OpenPGP smart card and generated new keys on it (using gpg v1.4.0a). I have three questions concerning this process: 1) During key generation, gpg says "signing failed: wrong secret key used" -- this results in a non-self-signed user id in the new key. (See full gpg output at the end of this email). 2) Apart from the card's PIN, the program also asks for a passphrase for the new key. What use is this with a card key? I afterwards tried signing a file with the card and was only asked for the card's PIN, not for this passphrase? 3) During key generation, gpg asked whether to make an off-card backup of the encryption key, which I told it to do. Now I've got a file called "sk_[something].gpg" that contains the secret encryption key in case I ever lose the card. I would like to test this functionality before I rely on it, so I told gpg to import the file, however this fails: gpg: key [mynewkeyid]: no user ID gpg: Total number processed: 1 gpg: secret keys read: 1 I cannot get gpg to import the backup of my secret encryption subkey. This especially worries me because I really want a working backup of the encryption key. Can anyone tell me what I have done wrong? Thanks in advance, David ================================================================= full gpg output follows ================================================================= Command> generate Make off-card backup of encryption key? (Y/n) y gpg: DBG: asking for PIN 'PIN' PIN Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: Testing Email address: testing@example.org Comment: card-key-01 You selected this USER-ID: "Testing (card-key-01) " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o gpg: 3 Admin PIN attempts remaining before card is permanently locked gpg: DBG: asking for PIN '|A|Admin PIN' Admin PIN gpg: please wait while key is being generated ... gpg: key generation completed (21 seconds) gpg: signing failed: wrong secret key used gpg: make_keysig_packet failed: wrong secret key used You need a Passphrase to protect your secret key. +++++ .+++++ gpg: NOTE: backup of card key saved to `[gnupgdir]\sk_02084506A612DA19.gpg' gpg: signatures created so far: 0 gpg: signatures created so far: 0 gpg: please wait while key is being generated ... gpg: key generation completed (58 seconds) gpg: signatures created so far: 2 gpg: signatures created so far: 2 gpg: key 133C3BF9 marked as ultimately trusted public and secret key created and signed. pub 1024R/133C3BF9 2005-01-22 Key fingerprint = 66CA 95CF 4D2C 00F2 05E3 86AE C514 9E94 133C 3BF9 uid Testing (card-key-01) sub 1024R/A612DA19 2005-01-22 sub 1024R/93456831 2005-01-22 ================================================================= From jaboles at fastmail.fm Fri Jan 21 13:29:28 2005 From: jaboles at fastmail.fm (Jonathan Boles) Date: Mon Jan 24 15:39:53 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8B6@kashmir.extenza-turpin.com> References: <5155685DF4FC004297C9F5D769CBF51C01CAA8B6@kashmir.extenza-turpin.com> Message-ID: <181FFD48-6BA8-11D9-8E4B-000A959E0734@fastmail.fm> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 21/01/2005, at 11:00 PM, David Gray wrote: > Hi all, > > Does anyone know if GnuPG v1.2.3 on OpenVMS can decrypt files > encrypted with > 2.6.3i on a PC? Why not try it and see? :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFB8PWvr/NM+QSmMkQRAtaEAJ41QOVE4b5LHxN6Ylm0hTsGFd79DQCfTBDA B+oT5LYPLXIBBKrexjpxpJI= =p9/M -----END PGP SIGNATURE----- From scc4funPLUSnospam at spamcop.net Sat Jan 22 05:31:55 2005 From: scc4funPLUSnospam at spamcop.net (Sean) Date: Mon Jan 24 15:40:05 2005 Subject: GPG 1.4.0 vs. 1.4.0a Message-ID: <41F1D73B.5050805@spamcop.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I'm relatively new to GPG and I noticed that I installed version 1.4.0 and not 1.4.0a. If I want to change it, can I just change the executables or is there anything else? Thanks, Sean -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB8dc0RuOsNo+q2bkRAh+sAKC05P/7EB5IQEolaOdeFZuLHJ7aEACgtoDo uFvwmnN+diuWtTc85XfPr18= =bFeL -----END PGP SIGNATURE----- From wk at gnupg.org Mon Jan 24 10:49:10 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 24 20:26:01 2005 Subject: OpenPGP card issues In-Reply-To: <41F277F1.40407@gmx.de> (David Lorch's message of "Sat, 22 Jan 2005 16:57:37 +0100") References: <41F277F1.40407@gmx.de> Message-ID: <87hdl7rwbt.fsf@wheatstone.g10code.de> On Sat, 22 Jan 2005 16:57:37 +0100, David Lorch said: > 1) During key generation, gpg says "signing failed: wrong secret key > used" -- this results in a non-self-signed user id in the new key. > (See full gpg output at the end of this email). We have a solution for this but its not yet in the CVS. The scary thing is that it never happened to me > 2) Apart from the card's PIN, the program also asks for a passphrase for > the new key. What use is this with a card key? I afterwards tried > signing a file with the card and was only asked for the card's PIN, not > for this passphrase? The default is to create a backup key; you might have seen the prompt. That backup key is stored encrypted on disk; it should be moved to another medium of course. > 3) During key generation, gpg asked whether to make an off-card backup > of the encryption key, which I told it to do. > Now I've got a file called "sk_[something].gpg" that contains the secret > encryption key in case I ever lose the card. I should read the entire mail first ;-) > I cannot get gpg to import the backup of my secret encryption subkey. > This especially worries me because I really want a working backup of the > encryption key. Well, there is no real support for it yet. The workaround is complicated but it should do it: 1. Create a dummy user ID using gpgsplit or use the attached one. 2. mkdir dummy1 3. cd dummy1 4. cat somewhere/sk_1234567890bcdef.key dummy.user_id >x.key (For Windows you need to use: copy /b somewhere\sk_1234567890bcdef.key+dummy.user_id x.key) 5. gpg --homedir . -v --import --allow-non-selfsigned-uid x.key 6. gpg --key-edit 1234567890bcdef 7. On the edit command prompt do: toggle keytocard y 2 8. Follow the prompts. The key will be transferred to the card. 9. Delete the temporary cruft (i.e. the entire dummy1 directory) 10. Ready. Agreed, that's not easy - I will add an appropriate command ASAP. Shalom-Salam, Werner -------------- next part -------------- A non-text attachment was scrubbed... Name: dummy.user_id Type: application/octet-stream Size: 46 bytes Desc: not available Url : /pipermail/attachments/20050124/43aae5bd/dummy.obj From jharris at widomaker.com Mon Jan 24 00:36:15 2005 From: jharris at widomaker.com (Jason Harris) Date: Mon Jan 24 20:26:28 2005 Subject: new (2005-01-23) keyanalyze results (+sigcheck) Message-ID: <20050123233615.GQ684@wilma.widomaker.com> New keyanalyze results are available at: http://keyserver.kjsl.com/~jharris/ka/2005-01-23/ Signatures are now being checked using keyanalyze+sigcheck: http://dtype.org/~aaronl/ Earlier reports are also available, for comparison: http://keyserver.kjsl.com/~jharris/ka/ Even earlier monthly reports are at: http://dtype.org/keyanalyze/ SHA-1 hashes and sizes for all the "permanent" files: 24e7b5d077f8e236d41c190dee65922c27e69b81 11241882 preprocess.keys b36ff7cabe5da89c4a136349819ec3b00d7b9b17 7132706 othersets.txt 3c45973ed0b5f68ec5673bfb0465d4e4337119b2 2840462 msd-sorted.txt b0f152cbac2bff77aeed70a933fec6d7ac3e7b71 1484 index.html 1fe37e8899fdb1cc53d8549adb100eba55f69613 2290 keyring_stats e57ad5635e6388ec90d03f5bf59ccb929d6a793c 1117542 msd-sorted.txt.bz2 197561c75a8cb0733e7df9ff3a6cee954d7a0485 26 other.txt 31505c29379f4aef4290b321de290509a57c3635 1531714 othersets.txt.bz2 fa1d2b3638c0d4774ba1c19718a4e913916df480 4540178 preprocess.keys.bz2 cfa0238963b7d375afd54c9230d508edc2f84bbb 11415 status.txt e649a93ef3c2f93f75f04f98d0b8f1b8e96a194c 211680 top1000table.html 14ba3abd7ed0b2aa876cd40fc67c64532458f304 30525 top1000table.html.gz f9903dbbec735028fe0a7d95052830a1009379e3 10995 top50table.html d23a52b274a52a98df3b8f9af20a59d6705c042c 2409 D3/D39DA0E3 -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050123/123d3a26/attachment.pgp From jason.barnett at telesuite.com Mon Jan 24 15:56:30 2005 From: jason.barnett at telesuite.com (Jason Barnett) Date: Mon Jan 24 20:48:51 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: Adam Cripps wrote: > On Thu, 20 Jan 2005 10:58:28 -0500, Jason Barnett > wrote: > >>Jason Barnett wrote: > > > >>After I wrote this I thought of one other question. I submitted my >>first public key to several keyservers (you can find it by going to >>http://keyserver.veridis.com:11371/pks/lookup?op=get&search=0x74D2856A). >> As I understand it one person will often use multiple private keys >>(perhaps one for personal, one for work, one for when you get fired and >>start working somewhere else). >> >>- Should I create a personal key and use that as my "primary" private >>key... and then assign other keys as "secondary" keys as needed? >> >>I'm asking this mostly from a management perspective. I understand how >>to do what I'm asking, I'm just asking if my line of thinking is correct >>or if I should be managing my keys in some other way. Thanks again! > > > I currently have one keypair and I use this on two machines - my > secure personal machine, owned by me, and a laptop owned by my > employer. When I use my key on my employer's machine, I store my > private key on my usb storage device. > > Adam > Thank you for this tip. Now I need to go find my local GLUG and ask them what filesystem format to use on the USB... I currently am using Windows machines, but next time I get a new computer at home (which will be relatively soon) I'm not even going to bother with MS anymore. At least not more than I have to. :-/ From wk at gnupg.org Mon Jan 24 08:45:23 2005 From: wk at gnupg.org (Werner Koch) Date: Mon Jan 24 21:28:36 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8C8@kashmir.extenza-turpin.com> (David Gray's message of "Fri, 21 Jan 2005 15:36:18 -0000") References: <5155685DF4FC004297C9F5D769CBF51C01CAA8C8@kashmir.extenza-turpin.com> Message-ID: <87wtu3s224.fsf@wheatstone.g10code.de> On Fri, 21 Jan 2005 15:36:18 -0000, David Gray said: > I was under the impression that PGP could use alternate algorithms? PGP >=5 can. PGG 2 is hardwired to MD5, RSA and IDEA. There is an inofficial 2.6 version my disastry which allows for most of the OpenPGP algorithms. > of suppliers who uses PGP. The GnuPG features page mentions that it can > decrypt file encrypted with PGP 5, 6 & 7 so I guess that answers my > question... Hmmm, back to the drawing board. PGP >= 6.5.8 (or was it 6.5.3?) works fine althought it is not OpenPGP compatible. > I'm not sure about the POSIX subsystem, is it relevant? No. I was just wondering how it is possible to build GnuPG on plain VMS? Werner From grinny3004 at yahoo.com Mon Jan 24 12:21:34 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Mon Jan 24 22:22:19 2005 Subject: Gnupg-users Digest, Vol 16, Issue 34 Message-ID: <20050124112134.39292.qmail@web61205.mail.yahoo.com> Thank you for your response Henry, one day I'll get it to work and then I'll send you all an encrypted e-mail :-). Henry Hertz Hobbit wrote: >>------------------------------ >> >>Message: 9 >>Date: Sat, 22 Jan 2005 03:42:53 -0800 (PST) >>From: lord grinny >>Subject: Re: Proxy trouble >>To: gnu-pg mailing >>Message-ID: <20050122114254.69384.qmail@web61208.mail.yahoo.com> >>Content-Type: text/plain; charset=us-ascii >> >> >>Thanks for your response Jason, >> >>Jason Harris wrote: >> >>>In that case, try using port 80: >>> >>> %gpg --keyserver hkp://keyserver.kjsl.com:80 >> >>--recv BB36BA75 >> >>> gpg: requesting key BB36BA75 from hkp server >> >>keyserver.kjsl.com >> >>> Host: keyserver.kjsl.com >>> Port: 80 >>> Command: GET >>> gpgkeys: HTTP URL is >> >>`hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&search=0xBB36BA75' >> >>> gpg: key BB36BA75: public key "Barry Porter > >>bpuk.net>" imported >> >>> gpg: Total number processed: 1 >>> gpg: imported: 1 >>> >> >>D:\>gpg --keyserver hkp://keyserver.kjsl.com:80 >>--recv-keys 0xBB36BA75 >>gpg: requesting key BB36BA75 from hkp server >>keyserver.kjsl.com >>Host: keyserver.kjsl.com >>Port: 80 >>Command: GET >>gpgkeys: HTTP URL is >>`hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&s >>earch=0xBB36BA75' >>?: keyserver.kjsl.com: Host not found: ec=10065 >>gpgkeys: HKP fetch error: No error >>gpg: no valid OpenPGP data found. >>gpg: Total number processed: 0 >> >>I don't know what this is. My proxy is set up >>correctly (works for Firefox) and >>I think I've setup gnu-pg correctly... > > > I don't think GPG is at fault here. Please type the following > in a command prompt: > > nslookup keyserver.kjsl.com I tried this, but my DNS is definitly set up okee. C:\Documents and Settings\Administrator.GRINNY>nslookup keyserver.kjsl.com *** Can't find server name for address 192.168.0.1: Non-existent domain *** Default servers are not available Server: UnKnown Address: 192.168.0.1 Non-authoritative answer: Name: keyserver.kjsl.com Address: 69.36.241.130 192.168.0.1 is my gateway (A windows 98 box serving as a router) > > If it doesn't give you an IP address, your failure is either in your > DNS setup, or you don't have a connection to the Internet. Until that > is resolved you don't know if gpg is causing the problem or not. I just > typed the command he gave, and it got the keys INSTANTLY. Here is what > gpg --list-keys gives me: > > pub 1024D/BB36BA75 2003-11-11 Barry Porter > uid Barry Porter > uid Barry Porter > uid Barry Porter > sub 4096g/1F5A0D8B 2003-11-11 > > To test the your connection to the internet, find some host you can > ping and do a (it would be ping -c on Unix, but it looks like you are > using MS Windows): > > ping -n 1 hostname.com My proxy server doesn't allow me to ping. But I do have connection to the internet, only not directly. I know my connection is okee, cause I'm still surfing the internet with firefox, and have set up my mail to run via the http proxy too. > > Jason's advice is generally good, but gpg keyservers are notorious for > handing off a key request to another key server. That creates a problem > for my DLink DI-604e broadband firewall, because if the request is handed > off, the response is now coming from another server that I didn't request > things from. Now, if it was just port 11371 that would be fine, but I > have observed some of them sending back ICMP packets on port 10, and I > don't know how many ports they want open. So far, the only alternatives > I can see are: > > [1] Don't allow the return to come back from any server other than one > you sent the request to, much like a DNS server. I could care less if > one key server talks to another key server - the only one that should > be talking to me though, is the one I sent the request to. All > unsolicited responses on ALL ports to IPs I didn't establish a connection > with are BLOCKED. This is the DEFAULT for most of these broadband > routers. I don't care if it is port 11371 or port 80. If I sent it out, > a connection is established. If they hand it off to another keyserver, > the connection is broken. It makes no difference what port is being > used. The transfer broke the connection. > Yeah, since I can't open ports on my side, I can only get a direct response from the keyserver I asked for it (like HTTP). > [2] Okay, they said to hell with me and they are going to allow the > response to come back from ANY server, not necessarily the one I sent > the request to. FINE. I have only one request if they do that, and > that is they better peg ALL traffic to and from the keyservers to the > port already allocated for GP which is 11371. I don't want to see an > ICMP packet on port 10! The reason why is that on my side I have to do > the following things: > > (a) Punch a hole through my firewall for port 11371 to come in from > anybody. This would be permanent, since the firewalls running on > the machines (iptables with Linux, ZoneAlarm with Windows, and PF > with OpenBSD) will stop it cold anyway. > (b) Put my machine into the DI-604e's DMZ. > (c) Turn off iptables (it blocks it just as fast as the DI-604e or any > other broadband router / switch / NAT / firewall will. I do my > encryption / signing email on Linux. > (d) NOW, send out the request, but it better be a WELL documented way > in how this is done. As it stands now, I am NOT the only one that > has problems. > (e) If the request is successful, I can just start iptables and move > myself back out of the DMZ. > > I don't want ANY other port other than 11371 opened up though, and I will > NOT open up port 10. For that matter you can't ping my WAN port. > I really wish I could open up more ports.... But I'm not the owner/admin of the proxy server. So the only thing it will ever allow are outgoing requests to port 80. > You will note that I am NOT a subscriber to the main list. Please forward > this on to Jason Harris since I cannot see his email address anywhere in > the digest. > Done > Also, if you read the --multifile BS don't believe it. It isn't part of > gpg (GnuPG) 1.2.3. It MAY be a part of newer versions. If he were on > Windows I would understand it. He isn't. On BSD or Linux all you have to > do in a shell script on 'nix machines is to type (everything after a '#' > to the end of the line is a comment): > > for FILE in file1.txt file2.txt file3.doc # etcetera > do > if [ -s $FILE ] > then > gpg -a --encrypt -r KEYID < $FILE > ${FILE}.crypt > fi > done > > # or if you want the actual files themselves to be encrypted, > # and since he is on BSD he has the srm command which Securely > # ReMoves the files: > > for FILE in file1.txt file2.txt file3.doc # etcetera > do > if [ -s $FILE ] > then > gpg -a --encrypt -r KEYID < $FILE > ${FILE}.crypt > if [ -s ${FILE}.crypt ] > then > srm $FILE ; sync ; sync > mv ${FILE}.crypt $FILE > fi > fi > done > > Cheerio > > HHH > > Do you think I have a better chance on FreeBSD? (I do have a dualboot FreeBSD 5.1 and Windows 2000, but I use windows for checking my email with thunderbird). - Grinny - Real programmers don't comment their code. It was hard to write, it should be hard to understand. __________________________________ Do you Yahoo!? Yahoo! Mail - now with 250MB free storage. Learn more. http://info.mail.yahoo.com/mail_250 From mconahan at iotest.org Mon Jan 24 21:47:43 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Mon Jan 24 22:48:56 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? Message-ID: <41F55EEF.7020301@iotest.org> Hi everyone, I was wondering if anyone had a clue on how to access the --keyring GnuPG option via GnuPG ME? Thanks, MC From johanw at vulcan.xs4all.nl Mon Jan 24 22:38:01 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Mon Jan 24 22:52:56 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: <41F1D73B.5050805@spamcop.net> from Sean at "Jan 21, 2005 11:31:55 pm" Message-ID: <200501242138.WAA03439@vulcan.xs4all.nl> Sean wrote: >I'm relatively new to GPG and I noticed that I installed version 1.4.0 >and not 1.4.0a. If I want to change it, can I just change the >executables Yes. >or is there anything else? The config files and registry settings are the same for 1.4.0 and 1.4.0a. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From DBSMITH at OhioHealth.com Mon Jan 24 23:02:04 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Mon Jan 24 22:58:16 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: <200501242138.WAA03439@vulcan.xs4all.nl> Message-ID: does this apply to UNIX systems as well? Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams Johan Wevers To Sent by: gnupg-users@gnupg.org (GnuPG users) gnupg-users-bounc cc es@gnupg.org Subject Re: GPG 1.4.0 vs. 1.4.0a 01/24/2005 04:38 PM Sean wrote: >I'm relatively new to GPG and I noticed that I installed version 1.4.0 >and not 1.4.0a. If I want to change it, can I just change the >executables Yes. >or is there anything else? The config files and registry settings are the same for 1.4.0 and 1.4.0a. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From JPClizbe at comcast.net Mon Jan 24 23:34:49 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Mon Jan 24 23:31:34 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: References: Message-ID: <41F57809.7030905@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DBSMITH@OhioHealth.com wrote: > does this apply to UNIX systems as well? 1.4.0a addressed a windows-Only problem. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9XgHHQSsSmCNKhARAsIYAKC91VdUwFuUCmqUEse9iCtD4Y5J9gCg0mub RXrF3HFV2K+eaoR9f2aUGZg= =xGJU -----END PGP SIGNATURE----- From DBSMITH at OhioHealth.com Mon Jan 24 23:49:23 2005 From: DBSMITH at OhioHealth.com (DBSMITH@OhioHealth.com) Date: Mon Jan 24 23:45:35 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: <41F57809.7030905@comcast.net> Message-ID: ok but what I really wanted was when I do an upgrade, is that all I have to do is replace the binary on a UNIX system for gpg? Derek B. Smith OhioHealth IT UNIX / TSM / EDM Teams John Clizbe To Sent by: gnupg-users-bounc cc es@gnupg.org GnuPG users Subject Re: GPG 1.4.0 vs. 1.4.0a 01/24/2005 05:34 PM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DBSMITH@OhioHealth.com wrote: > does this apply to UNIX systems as well? 1.4.0a addressed a windows-Only problem. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9XgHHQSsSmCNKhARAsIYAKC91VdUwFuUCmqUEse9iCtD4Y5J9gCg0mub RXrF3HFV2K+eaoR9f2aUGZg= =xGJU -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From JPClizbe at comcast.net Tue Jan 25 00:15:43 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 00:12:29 2005 Subject: Gnupg-users Digest, Vol 16, Issue 34 In-Reply-To: <20050124112134.39292.qmail@web61205.mail.yahoo.com> References: <20050124112134.39292.qmail@web61205.mail.yahoo.com> Message-ID: <41F5819F.8080107@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 lord grinny wrote: >> >> I don't think GPG is at fault here. Please type the > following >> in a command prompt: >> >> nslookup keyserver.kjsl.com > > I tried this, but my DNS is definitly set up okee. > > C:\Documents and > Settings\Administrator.GRINNY>nslookup > keyserver.kjsl.com > *** Can't find server name for address 192.168.0.1: > Non-existent domain > *** Default servers are not available > Server: UnKnown > Address: 192.168.0.1 > > Non-authoritative answer: > Name: keyserver.kjsl.com > Address: 69.36.241.130 > > 192.168.0.1 is my gateway (A windows 98 box serving as > a router) > That response to nslookup tells me your DNS setup is NOT ok. You could be getting a DNS resolver timeout causing the lookup to fail. The D-Link 604-e is wonderfully dodgy at doing DNS forwarding - at least that my experience with ours. Try this to see if it's DNS that's the problem: list keyserver.kjsl.com in your hosts file (%winDir%\system32\drivers\etc\hosts on Win2k, /etc/hosts on *nix): 69.36.241.130 keyserver.kjsl.com See if your problem 'resolves' itself. You'll need to flush the name cache on Windows after changing the hosts file (ipconfig /flushdns). Check your router, see http://http://192.168.0.1/st_devic.html, and setup your Windows box(es) to use the DNS servers your broadband provider supplies to the router in the DHCP setup. I'd suggest some, but I don't know who's your ISP. Just setup your Windows box to use a static address on 192.168.0/24, netmask 255.255.255.0, gateway 192.168.0.1, and whatever DNS servers your ISP says to use. >> > Do you think I have a better chance on FreeBSD? (I do > have a dualboot FreeBSD > 5.1 and Windows 2000, but I use windows for checking > my email with thunderbird). > I think FreeBSD would have the same problems. Your problem looks to be DNS resolver related. If *BSD was configured with 'nameserver 192.168.0.1' in resolv.conf, you'd probably get the same lookup failures. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9YGdHQSsSmCNKhARAsc6AKDqY9+T3ipIZ0i2VPoBEy3JqVwlSACgojlq UII6ZzPmymC01LV1DGY0QPY= =QuXj -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue Jan 25 00:21:06 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 00:17:53 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: References: Message-ID: <41F582E2.3000702@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 DBSMITH@OhioHealth.com wrote: > ok but what I really wanted was when I do an upgrade, is that all I have to > do is replace the binary on a UNIX system for gpg? > In an English install, that /should/ work. My preference would be also to replace the localization files and the man pages. But remember, there is NO 1.4.0a for any system other than windows. All other systems use 1.4.0. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9YLgHQSsSmCNKhARAq1LAJwLmXOs+HYlViwTCjAg695cfg+NlwCgo4+3 dicjAsO5YryH+XPW0cDVeiA= =9huh -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue Jan 25 00:24:34 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 00:21:17 2005 Subject: Web of trust in Southwest Ohio, USA In-Reply-To: References: Message-ID: <41F583B2.6090600@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jason Barnett wrote: > Adam Cripps wrote: >> I currently have one keypair and I use this on two machines - my >> secure personal machine, owned by me, and a laptop owned by my >> employer. When I use my key on my employer's machine, I store my >> private key on my usb storage device. >> >> Adam >> > > Thank you for this tip. Now I need to go find my local GLUG and ask > them what filesystem format to use on the USB... I currently am using > Windows machines, but next time I get a new computer at home (which will > be relatively soon) I'm not even going to bother with MS anymore. At > least not more than I have to. :-/ FAT/VFAT would be the most flexible format for the USB device. I use a FAT formatted PCMCIA card for key and X.509 cert storage. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9YOwHQSsSmCNKhARAjo8AKDOYQzLfJ9Bd0/YvQCxY6jHZYjcnwCeMCEn dhnXzAY/j3rYxf1qUYS4D0s= =jbWm -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue Jan 25 00:33:09 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 00:29:57 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <41F55EEF.7020301@iotest.org> References: <41F55EEF.7020301@iotest.org> Message-ID: <41F585B5.1030208@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mconahan@iotest.org wrote: > Hi everyone, > > I was wondering if anyone had a clue on how to access the --keyring > GnuPG option via GnuPG ME? Include it in gpg.conf? From my Win2k development box: no-default-keyring keyring pubring.gpg secret-keyring O:\GnuPG\secring.gpg - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Annoy John Asscraft -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9YW0HQSsSmCNKhARAnUvAJ9+Z8a57ouF6bWM0ycTVn1E6+XCbACgjJWe Z6AuwdjGfepGaTb3Y3Mql0I= =wIQT -----END PGP SIGNATURE----- From johanw at vulcan.xs4all.nl Mon Jan 24 23:16:10 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Jan 25 05:51:38 2005 Subject: GPG 1.4.0 vs. 1.4.0a In-Reply-To: from "DBSMITH@OhioHealth.com" at "Jan 24, 2005 05:02:04 pm" Message-ID: <200501242216.XAA03903@vulcan.xs4all.nl> DBSMITH@OhioHealth.com wrote: >does this apply to UNIX systems as well? There is no difference between 1.4.0 and 1.4.0a in Unix since the change from 1.4.0 to 1.4.0a is something that only matters in win32 (has to do with pointer arithmic without type, the code change casts them to char* which Unix does by default already). -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From grayd at extenza-turpin.com Tue Jan 25 12:50:23 2005 From: grayd at extenza-turpin.com (David Gray) Date: Tue Jan 25 12:40:10 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8E8@kashmir.extenza-turpin.com> Hello Johan, Thanks for your response. I'm interested to read that PGP2 can use RSA as well as IDEA. The people at the other end of this project are saying (without too much conviction) that they can ONLY use IDEA. I cannot rebuild GnuPG on VMS as I don't have a C compiler and don't have the time at present to install Gnu C. Cheers David. -----Original Message----- From: Johan Wevers [mailto:johanw@vulcan.xs4all.nl] Sent: 21 January 2005 17:50 To: gnupg-users@gnupg.org Subject: Re: 2.6.3i David Gray wrote: >I was under the impression that PGP could use alternate algorithms? pgp 2.6.3i uses only IDEA and RSA. However, there exist pgp 2 versions that support other algorithms. Such a version is pgp263iamulti-06. Because the author died in a tragical accident I'm not sure if it can be easily found on the net, but I can mail it to you if you like. That said, there exist an IDEA extension module for GnuPG which solves the problem too. If you can compile that module on your system, or recompile GnuPG with idea.c copied into the cipher/ directory, it will work with pgp 2.6.3i encrypted messages and vice versa. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From grayd at extenza-turpin.com Tue Jan 25 12:56:45 2005 From: grayd at extenza-turpin.com (David Gray) Date: Tue Jan 25 12:55:26 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8E9@kashmir.extenza-turpin.com> Hi Werner, Thanks for your response. Reading on the net it seems like PGP has had an interesting history and this would account for the disparate versions. I've now taken a slightly different approach. I've created a new key pair using PGP 8.1 and then imported both into my GnuPG keyring on VMS - all works fine. Just need the supplier to try importing my new 8.1 public key into their 2.6.3 keyring... Regards David. -----Original Message----- From: Werner Koch [mailto:wk@gnupg.org] Sent: 24 January 2005 07:45 To: David Gray Cc: GnuPG Users List Subject: Re: 2.6.3i On Fri, 21 Jan 2005 15:36:18 -0000, David Gray said: > I was under the impression that PGP could use alternate algorithms? PGP >=5 can. PGG 2 is hardwired to MD5, RSA and IDEA. There is an inofficial 2.6 version my disastry which allows for most of the OpenPGP algorithms. > of suppliers who uses PGP. The GnuPG features page mentions that it can > decrypt file encrypted with PGP 5, 6 & 7 so I guess that answers my > question... Hmmm, back to the drawing board. PGP >= 6.5.8 (or was it 6.5.3?) works fine althought it is not OpenPGP compatible. > I'm not sure about the POSIX subsystem, is it relevant? No. I was just wondering how it is possible to build GnuPG on plain VMS? Werner From mail at mark-kirchner.de Tue Jan 25 13:06:19 2005 From: mail at mark-kirchner.de (Mark Kirchner) Date: Tue Jan 25 13:02:24 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8E8@kashmir.extenza-turpin.com> References: <5155685DF4FC004297C9F5D769CBF51C01CAA8E8@kashmir.extenza-turpin.com> Message-ID: <133726031.20050125130619@mark-kirchner.de> Hello David, On Tuesday, January 25, 2005, 12:50:23 PM, David wrote: > Thanks for your response. I'm interested to read that PGP2 can use > RSA as well as IDEA. Well, RSA is the asymmetrical cipher that PGP2 uses, IDEA is the symmetrical one. Doing a "normal" encryption, both are used: RSA for encrypting the symmetrical IDEA-key (which is used to encrypt the actual message). So you can't encrypt a message using RSA only. (Theoretically it's possible of course, but PGP won't do that - IIRC). > The people at the other end of this project are saying (without too > much conviction) that they can ONLY use IDEA. They are right, as long as they are not using a (earlier by others mentioned) modified Version of PGP. Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc From huehn-ml at arcor.de Tue Jan 25 13:04:19 2005 From: huehn-ml at arcor.de (=?ISO-8859-1?Q?Thomas_H=FChn?=) Date: Tue Jan 25 13:55:03 2005 Subject: OpenPGP card issues In-Reply-To: <87hdl7rwbt.fsf@wheatstone.g10code.de> References: <41F277F1.40407@gmx.de> <87hdl7rwbt.fsf@wheatstone.g10code.de> Message-ID: <41F635C3.7080603@arcor.de> Werner Koch wrote: >>1) During key generation, gpg says "signing failed: wrong secret key >>used" -- this results in a non-self-signed user id in the new key. >>(See full gpg output at the end of this email). > > We have a solution for this but its not yet in the CVS. The scary > thing is that it never happened to me I observe the same behaviour. Perhaps I should create keys with a UID of "Werner Koch"? ;-) Thomas From sk at intertivity.com Tue Jan 25 14:33:53 2005 From: sk at intertivity.com (Sascha Kiefer) Date: Tue Jan 25 14:30:05 2005 Subject: --list-keys --with-colons Message-ID: <994135eeae3d3e98ec85b29867a363ef.sk@intertivity.com> Hi, if i run gpg.exe --list-keys --with-colons i get something like tru::1:1106658621:0:3:1:5 pub:-:1024:17:B08719A2FF50BAD1:2005-01-20:::-:Sascha Kiefer (Test 2) ::scaESCA: sub:-:2048:16:0A4DFB4128388F68:2005-01-20::::::e: can you explain the different fields? e.g. what does 17 (or 16) mean after the key size? thanks in advance! esskar From bruno.chalons at wanadoo.fr Sun Jan 23 16:49:57 2005 From: bruno.chalons at wanadoo.fr (CHALONS Bruno) Date: Tue Jan 25 14:44:35 2005 Subject: Pb with my passphrase Message-ID: <41F3C7A5.8080805@wanadoo.fr> Hello, I installed OpenPGP on my computer but i don't remenber my passphrase, what can I do ? Redo a new KeyID et how to revoke the last one ? Thanks From wk at gnupg.org Tue Jan 25 16:43:35 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 25 17:01:00 2005 Subject: OpenPGP card issues In-Reply-To: <41F635C3.7080603@arcor.de> ( =?utf-8?q?Thomas_H=C3=BChn's_message_of?= "Tue, 25 Jan 2005 13:04:19 +0100") References: <41F277F1.40407@gmx.de> <87hdl7rwbt.fsf@wheatstone.g10code.de> <41F635C3.7080603@arcor.de> Message-ID: <87llahjyzc.fsf@wheatstone.g10code.de> On Tue, 25 Jan 2005 13:04:19 +0100, Thomas H?hn said: > I observe the same behaviour. Perhaps I should create keys with a UID > of "Werner Koch"? ;-) Please try the CVS version. Werner From wk at gnupg.org Tue Jan 25 16:42:35 2005 From: wk at gnupg.org (Werner Koch) Date: Tue Jan 25 17:52:21 2005 Subject: --list-keys --with-colons In-Reply-To: <994135eeae3d3e98ec85b29867a363ef.sk@intertivity.com> (Sascha Kiefer's message of "Tue, 25 Jan 2005 13:33:53 UT") References: <994135eeae3d3e98ec85b29867a363ef.sk@intertivity.com> Message-ID: <87psztjz10.fsf@wheatstone.g10code.de> On Tue, 25 Jan 2005 13:33:53 UT, Sascha Kiefer said: > can you explain the different fields? > e.g. what does 17 (or 16) mean after the key size? Please check out doc/DETAILS. You should fix your MUA; it is unreadable without applying gnus-article-remove-cr. The line endings are all messed up; look at the raw mail: Hi,=0Dif i run gpg.exe -[...]hing like=0D=0D= QP-encoding must not be applied to the line endings and those should be CR,LF and not just CR. Salam-Shalom, Werner From grayd at extenza-turpin.com Tue Jan 25 16:57:51 2005 From: grayd at extenza-turpin.com (David Gray) Date: Tue Jan 25 17:53:21 2005 Subject: --homedir Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8EE@kashmir.extenza-turpin.com> Hello all, OpenVMS 7.3-2 GnuPG 1.2.3 Another question :-) Can I make the GnuPG home directory & therefore the pubring & secring the same for all users? At present my key rings are created in a subdirectory from my root directory Directory TD1:[GRAYD.GNUPG] PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:27:06.28 SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:35:59.97 And for another user... Directory TD1:[APP_SUPPORT.GNUPG] PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:15.75 SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:20.93 The only documentation I can find on the --homedir command is for when listing the key rings... Thanks in advance. Dave. From linux at codehelp.co.uk Tue Jan 25 15:06:12 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Tue Jan 25 17:53:35 2005 Subject: Pb with my passphrase In-Reply-To: <41F3C7A5.8080805@wanadoo.fr> References: <41F3C7A5.8080805@wanadoo.fr> Message-ID: <200501251406.17280.linux@codehelp.co.uk> On Sunday 23 January 2005 3:49 pm, CHALONS Bruno wrote: > Hello, > > I installed OpenPGP on my computer but i don't remenber my passphrase, > what can I do ? Did you create a revocation certificate - as you were advised? If not, you can only delete the key - providing you haven't already sent it to a keyserver. If it's already on a keyserver, it is now orphaned and joins many similar keys - there is nothing you can do about that. > Redo a new KeyID et how to revoke the last one ? Nobody can revoke that key as the passphrase is required, along with the secret key itself. If you haven't sent it to a keyserver, revocation isn't an issue anyway - just delete it from your keyring. If you create a new key: 1. Create a revocation certificate immediately. http://www.dcglug.org.uk/linux_doc/startgnupg.html#generate 2. You won't get the same keyid or fingerprint but you can use the same UID: name, comment and email. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050125/7eeabb80/attachment.pgp From sbt at megacceso.com Tue Jan 25 16:49:56 2005 From: sbt at megacceso.com (Sergi Blanch i =?ISO-8859-1?Q?Torn=E9?=) Date: Tue Jan 25 18:09:18 2005 Subject: Pb with my passphrase In-Reply-To: <41F3C7A5.8080805@wanadoo.fr> References: <41F3C7A5.8080805@wanadoo.fr> Message-ID: <1106668196.4380.14.camel@quark.calcurco.org> El dg 23 de 01 del 2005 a les 16:49 +0100, en/na CHALONS Bruno va escriure: > Hello, > > I installed OpenPGP on my computer but i don't remenber my passphrase, > what can I do ? Your passphrase is the last bastion of your key. Your secret key are protected with this string. If you forget it, you are in the same situation that an eavesdroper. > Redo a new KeyID et how to revoke the last one ? Without your secret key, or access to it, you cannot revoke it. I always advise to generate a generic revoke cert, and save it (like in paper); but normally i will forget where i save it. You nonsingle you have lose your access to the secret, you lose access to all the messeges encrypted for you with this key. > > Thanks > > /Sergi. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: =?ISO-8859-1?Q?Aix=F2?= =?ISO-8859-1?Q?_=E9s?= una part d'un missatge, signada digitalment Url : /pipermail/attachments/20050125/4ef8efc1/attachment.pgp From sk at intertivity.com Tue Jan 25 18:41:30 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Tue Jan 25 18:37:25 2005 Subject: --homedir In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8EE@kashmir.extenza-turpin.com> Message-ID: <000201c50305$1aaa85f0$f300a8c0@HOME> Hi. Can use --homedir for all commands supported by gnupg! Have fun esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Gray > Sent: Dienstag, 25. Januar 2005 16:58 > To: gnupg-users > Subject: --homedir > > > > Hello all, > > OpenVMS 7.3-2 > GnuPG 1.2.3 > > > Another question :-) > > Can I make the GnuPG home directory & therefore the pubring & > secring the same for all users? > > At present my key rings are created in a subdirectory from my > root directory > > > Directory TD1:[GRAYD.GNUPG] > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:27:06.28 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:35:59.97 > > > And for another user... > > Directory TD1:[APP_SUPPORT.GNUPG] > > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:15.75 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:20.93 > > > The only documentation I can find on the --homedir command is > for when listing the key rings... > > Thanks in advance. > > Dave. > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From eocsor at gmail.com Tue Jan 25 15:17:21 2005 From: eocsor at gmail.com (Roscoe) Date: Tue Jan 25 19:01:29 2005 Subject: Pb with my passphrase In-Reply-To: <41F3C7A5.8080805@wanadoo.fr> References: <41F3C7A5.8080805@wanadoo.fr> Message-ID: OpenPGP is a standard, you probably installed gpg or pgp. If you dont know your passwd all you can do is generate a new key, delete the old one, and upload whatever revokation cert you had for the old one. You cant --gen-revoke without knowing the passwd by the way. On Sun, 23 Jan 2005 16:49:57 +0100, CHALONS Bruno wrote: > Hello, > > I installed OpenPGP on my computer but i don't remenber my passphrase, > what can I do ? > Redo a new KeyID et how to revoke the last one ? > > Thanks > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From johanw at vulcan.xs4all.nl Tue Jan 25 12:56:20 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Jan 25 19:04:42 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8E8@kashmir.extenza-turpin.com> from David Gray at "Jan 25, 2005 11:50:23 am" Message-ID: <200501251156.MAA09680@vulcan.xs4all.nl> David Gray wrote: >Thanks for your response. I'm interested to read that PGP2 can use RSA as >well as IDEA. The people at the other end of this project are saying >(without too much conviction) that they can ONLY use IDEA. PGP has always been a hybrid cipher system: the data is encrypted with a symmetric cipher (IDEA in this case), and the key of this encryption is sent with the message, encrypted with an asymmetric cipher (RSA here). This is done because RSA and El Gamal are too slow for bulk data. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From grinny3004 at yahoo.com Tue Jan 25 15:45:41 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Tue Jan 25 19:07:11 2005 Subject: Gnupg-users Digest, Vol 16, Issue 34 Message-ID: <20050125144541.33872.qmail@web61203.mail.yahoo.com> John Clizbe wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > lord grinny wrote: > > >>>I don't think GPG is at fault here. Please type the >> >>following >> >>>in a command prompt: >>> >>>nslookup keyserver.kjsl.com >> >>I tried this, but my DNS is definitly set up okee. >> >>C:\Documents and >>Settings\Administrator.GRINNY>nslookup >>keyserver.kjsl.com >>*** Can't find server name for address 192.168.0.1: >>Non-existent domain >>*** Default servers are not available >>Server: UnKnown >>Address: 192.168.0.1 >> >>Non-authoritative answer: >>Name: keyserver.kjsl.com >>Address: 69.36.241.130 >> >>192.168.0.1 is my gateway (A windows 98 box serving as >>a router) >> > > > That response to nslookup tells me your DNS setup is NOT ok. You could be > getting a DNS resolver timeout causing the lookup to fail. > > The D-Link 604-e is wonderfully dodgy at doing DNS forwarding - at least > that my experience with ours. > > Try this to see if it's DNS that's the problem: list keyserver.kjsl.com in > your hosts file (%winDir%\system32\drivers\etc\hosts on Win2k, /etc/hosts > on *nix): > > 69.36.241.130 keyserver.kjsl.com > > See if your problem 'resolves' itself. You'll need to flush the name cache > on Windows after changing the hosts file (ipconfig /flushdns). > > Check your router, see http://http://192.168.0.1/st_devic.html, and setup > your Windows box(es) to use the DNS servers your broadband provider > supplies to the router in the DHCP setup. I'd suggest some, but I don't > know who's your ISP. Just setup your Windows box to use a static address > on 192.168.0/24, netmask 255.255.255.0, gateway 192.168.0.1, and whatever > DNS servers your ISP says to use. > I'm sorry, I don't think I have explained it correctly. My normal box (just called 'Grinny') is connected to the win98 router. The win98 is a normal pc setup with Internet Connection Sharing so it acts as gateway and as DHCP server. The win98 box is called 'mentor5'. 'Mentor5' routes all incoming connections to the wireless pci card that's connected to a free wireless network that spans the entire city (http://www.wirelessleiden.nl). So I don't actually have an ISP, I internet for free :-). So 'mentor5' gets it's IP address from a local wireless node that's connected (wireless) to the proxy server, that also seems to run the DNS server for the entire network (When connection to the proxy is lost, I can't ping the local node by it's name, only by its ip). I did what you asked me, and put the line in 'hosts' and ran 'ipconfig /flushdns', but the result is exactly the same. Allthough it does complain about not knowing the name for 192.168.0.1, it does answer my question and gives me the _correct_ ip address of the server. If I do a ping to the same server, it fails because the proxy server won't allow pings to the internet, but it does resolve the ip address correctly. Do you really think this could still be a DNS problem, would I then still be able to browse the internet with my browser? By the way do you know how I can tell 'Grinny' that the name for 192.168.0.1, is 'mentor5'? It does know that 'mentor5' is 192.168.0.1. Thanks for all your help, I know you must be getting tired of it (I know I am), but one day I'll get it to work, this is personal now. - Grinny - Real programmers don't write in BASIC. Actually, no programmers write in BASIC after reaching puberty. __________________________________ Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. http://info.mail.yahoo.com/mail_250 From gnupg at kubieziel.de Tue Jan 25 15:50:26 2005 From: gnupg at kubieziel.de (Jens Kubieziel) Date: Tue Jan 25 19:07:55 2005 Subject: Pb with my passphrase In-Reply-To: <41F3C7A5.8080805@wanadoo.fr> References: <41F3C7A5.8080805@wanadoo.fr> Message-ID: <20050125145026.GG5276@kubieziel.de> * CHALONS Bruno schrieb am 2005-01-23 um 16:49 Uhr: > I installed OpenPGP on my computer but i don't remenber my passphrase, > what can I do ? There is apparently nothing you can do, except you have a revocation certificate. > Redo a new KeyID et how to revoke the last one ? If you have a revocation certificate you could import it. Without it you're lost. -- Jens Kubieziel http://www.kubieziel.de FdI#9: GUI Ein Hintergrundbild und 12 Xterms (Kristian K?hntopp) From mconahan at iotest.org Tue Jan 25 17:59:04 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Tue Jan 25 19:08:04 2005 Subject: GnuPG ME: How do we use the --keyring GnuPG option via GnuPG ME? In-Reply-To: <41F585B5.1030208@comcast.net> References: <41F55EEF.7020301@iotest.org> <41F585B5.1030208@comcast.net> Message-ID: <41F67AD8.2000503@iotest.org> I could see that your solution would work for an app with a single process, but I need to avoid process collision in my application. In short, I am using GPGME, and each process must have its own "--keyring" and "--secret-keyring". I'm playing with the idea of modifying the GPGME source, or have my application use GPGME where supported (and use GnuPG directly otherwise...ugh). ...I'm hoping that GPGME will support me on what I need to do. Michael John Clizbe wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >mconahan@iotest.org wrote: > > >>Hi everyone, >> >> I was wondering if anyone had a clue on how to access the --keyring >>GnuPG option via GnuPG ME? >> >> > >Include it in gpg.conf? From my Win2k development box: > > no-default-keyring > keyring pubring.gpg > secret-keyring O:\GnuPG\secring.gpg > > >- -- >John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet >Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 >"Be who you are and say what you feel because those who mind don't matter >and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) >Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG >Comment: Annoy John Asscraft -- Use Strong Encryption. >Comment: It's YOUR right - for the time being. >Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > >iD8DBQFB9YW0HQSsSmCNKhARAnUvAJ9+Z8a57ouF6bWM0ycTVn1E6+XCbACgjJWe >Z6AuwdjGfepGaTb3Y3Mql0I= >=wIQT >-----END PGP SIGNATURE----- > > > From mconahan at iotest.org Tue Jan 25 19:14:11 2005 From: mconahan at iotest.org (mconahan@iotest.org) Date: Tue Jan 25 19:10:18 2005 Subject: Using the --edit-key GnuPG command via GPGME Message-ID: <41F68C73.4000700@iotest.org> Hi everyone, Does anyone have a snippet of code (besides t-edit.c) that uses the --edit-key functionality of GnuPG via GPGME? Currently, my app is using the undocumented GPGME function "gpgme_op_edit", and when my app uses the function, sometimes the function works, and sometimes it doesn't. ...There seems to be a race somewhere in "gpgme_op_edit"...any help with this problem would be great. Basically, I am trying to add a userID to a PGP key via GPGME. I think this is a pretty tough problem, though. Michael From grayd at extenza-turpin.com Tue Jan 25 16:49:03 2005 From: grayd at extenza-turpin.com (David Gray) Date: Tue Jan 25 19:10:50 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8ED@kashmir.extenza-turpin.com> Hi Mark, Thanks for the clarification even if it's not good news. I guess the only thing I can get them to do is upgrade to a newer version of PGP or use a modified version. Dave. -----Original Message----- From: Mark Kirchner [mailto:mail@mark-kirchner.de] Sent: 25 January 2005 12:06 To: gnupg-users Subject: Re: 2.6.3i Hello David, On Tuesday, January 25, 2005, 12:50:23 PM, David wrote: > Thanks for your response. I'm interested to read that PGP2 can use > RSA as well as IDEA. Well, RSA is the asymmetrical cipher that PGP2 uses, IDEA is the symmetrical one. Doing a "normal" encryption, both are used: RSA for encrypting the symmetrical IDEA-key (which is used to encrypt the actual message). So you can't encrypt a message using RSA only. (Theoretically it's possible of course, but PGP won't do that - IIRC). > The people at the other end of this project are saying (without too > much conviction) that they can ONLY use IDEA. They are right, as long as they are not using a (earlier by others mentioned) modified Version of PGP. Regards, Mark Kirchner -- _____________________________________________________________ Key (0x19DC86D3): http://www.mark-kirchner.de/keys/key-mk.asc _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From johanw at vulcan.xs4all.nl Tue Jan 25 15:21:22 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Tue Jan 25 19:20:55 2005 Subject: 2.6.3i In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8E9@kashmir.extenza-turpin.com> from David Gray at "Jan 25, 2005 11:56:45 am" Message-ID: <200501251421.PAA10917@vulcan.xs4all.nl> David Gray wrote: >I've now taken a slightly different approach. I've created a new key pair >using PGP 8.1 and then imported both into my GnuPG keyring on VMS - all >works fine. Just need the supplier to try importing my new 8.1 public key >into their 2.6.3 keyring... That won't work. With some work you can import the key if it's an v3 RSA key not larger than 2048 bits (don't use idea for key encryption then or you won't be able to import the secret key). I don't know if pgp 8.1 creates v3 RSA keys, pgp 2.x can't import v4 keys. GnuPG can't create them without a patch (so without a recompile). However, the messages encrypted with pgp 2.6.3i to such a key will still use the IDEA symmetric algorithm. If you want to communicate with users of unpatched pgp 2.x versions, you'll really need to get IDEA integrated in GnuPG. On win32 a dll is sufficient, but I don't know if the dynamic loading of algorithms works on VMS. If it does, compiling the module and adding a line in gpg.conf will suffice. Otherwise, you'll have to recompile. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From gnupg at kubieziel.de Tue Jan 25 15:48:50 2005 From: gnupg at kubieziel.de (Jens Kubieziel) Date: Tue Jan 25 19:46:23 2005 Subject: --list-keys --with-colons In-Reply-To: <994135eeae3d3e98ec85b29867a363ef.sk@intertivity.com> References: <994135eeae3d3e98ec85b29867a363ef.sk@intertivity.com> Message-ID: <20050125144850.GF5276@kubieziel.de> * Sascha Kiefer schrieb am 2005-01-25 um 14:33 Uhr: > if i run gpg.exe --list-keys --with-colons i get something like > pub:-:1024:17:B08719A2FF50BAD1:2005-01-20:::-:Sascha Kiefer (Test 2) ::scaESCA: > can you explain the different fields? There is a file DETAILS.gz which explains all those fields. > e.g. what does 17 (or 16) mean after the key size? from DETAILS.gz: 4. Field: Algorithm: 1 = RSA 16 = Elgamal (encrypt only) 17 = DSA (sometimes called DH, sign only) 20 = Elgamal (sign and encrypt) (for other id's see include/cipher.h) -- Jens Kubieziel http://www.kubieziel.de Die Einsetzung einer Kommission ist meistens das stillschweigende Eingest?ndnis, da? ein Problem nicht zu l?sen ist. Michel Jean-Pierre Debr? From JPClizbe at comcast.net Tue Jan 25 20:26:06 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 20:23:01 2005 Subject: --homedir In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8EE@kashmir.extenza-turpin.com> References: <5155685DF4FC004297C9F5D769CBF51C01CAA8EE@kashmir.extenza-turpin.com> Message-ID: <41F69D4E.70606@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Gray wrote: > Hello all, > > OpenVMS 7.3-2 > GnuPG 1.2.3 > > > Another question :-) > > Can I make the GnuPG home directory & therefore the pubring & secring the > same for all users? > > At present my key rings are created in a subdirectory from my root directory > > > Directory TD1:[GRAYD.GNUPG] > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:27:06.28 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:35:59.97 > > > And for another user... > > Directory TD1:[APP_SUPPORT.GNUPG] > > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:15.75 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:20.93 > > > The only documentation I can find on the --homedir command is for when > listing the key rings... Well, not sure of the implementation on VMS, but try setting GNUPGHOME DEFINE/SYS GNUPGHOME TD1:[.GNUPG] Of course, You'll need sysprv in order to do that Is there a good reason for wanting ALL users to use the same keyrings? - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the 133t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9p1NHQSsSmCNKhARAq+WAKDOCbOmOPoR62rLY0yGa+a7jSqonQCdGO/h aWW+jT3P7O/M7g1cfwVym2w= =Wyue -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue Jan 25 20:49:02 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 20:45:46 2005 Subject: --homedir In-Reply-To: <41F69D4E.70606@comcast.net> References: <5155685DF4FC004297C9F5D769CBF51C01CAA8EE@kashmir.extenza-turpin.com> <41F69D4E.70606@comcast.net> Message-ID: <41F6A2AE.20804@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Clizbe wrote: >>> >>> >>> The only documentation I can find on the --homedir command is for when >>> listing the key rings... > > Well, not sure of the implementation on VMS, but try setting GNUPGHOME > > DEFINE/SYS GNUPGHOME TD1:[.GNUPG] > > Of course, You'll need sysprv in order to do that D'oh. SYSNAM not SYSPRV. But hey, there are only 30+ privilege bits to remember the names of. > Is there a good reason for wanting ALL users to use the same keyrings? - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the 133t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9qKtHQSsSmCNKhARAnRpAKCs8dPHEdNXWWB65OTQ1u04+PjoqACeNOas j83ZaXBMo6HBIjXbzpv8pIo= =/ezK -----END PGP SIGNATURE----- From JPClizbe at comcast.net Tue Jan 25 21:27:38 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Tue Jan 25 21:24:37 2005 Subject: gpg version 1.4.0a on w2kp and winxp In-Reply-To: <87k6qhxvel.fsf@wheatstone.g10code.de> References: <87k6qhxvel.fsf@wheatstone.g10code.de> Message-ID: <41F6ABBA.6030506@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Werner Koch wrote: > On Thu, 13 Jan 2005 07:08:49 -0500, Frank Hubeny said: > >> I was perhaps unclear about the debugging. Is there a debug feature >> that I may use on my PC to help ? If so I would be glad to do so. > > I am pretty sure that I will be able to replicate it. It is most > likely an attempt to double open a file or to rename to an existing > file. Werner, I made a ZIP of my 1.4.1-cvs (20050121) build available to Frank, and he reported back that all the file renaming issues seem to have been cleared up. If anyone else is having file renaming errors with 1.4.0a (windows ONLY), and a) You *UNDERSTAND* that there are risks to testing software, and take responsibility for your own backups, etc, b) you're willing to furnish feedback more detailed than "It doesn't work", c) you would like to try this early version of 1.4.1, Please contact me off-list. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the 133t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9qu4HQSsSmCNKhARAr/2AJ4tEfHnaqkTzBqiihMI/2/aEBBUxgCg8eBp 0lrhUtjFUgIJtmGG1e+fa8k= =gALx -----END PGP SIGNATURE----- From adam00f at ducksburg.com Tue Jan 25 22:08:27 2005 From: adam00f at ducksburg.com (Adam Funk) Date: Wed Jan 26 00:18:41 2005 Subject: Are all the UIDs on a key supposed to be equal? Message-ID: <200501252108.27862.adam00f@ducksburg.com> Are all the user-ids (combinations of name, e-mail address and comment) equal, or can one be the "primary" one? I started to generate a new key because the old has several obsolete e-mail addresses in the UIDs. I gave my "main" e-mail address and comment in response to the "gpg --gen-key" prompts, then used "gpg --edit-key" to add UIDs. When I then listed the key, they were out of order. I had been under the impression (maybe it was just coincidence with my previous key) that the first UID is the main one. From dshaw at jabberwocky.com Wed Jan 26 01:35:14 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 26 01:32:00 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: <200501252108.27862.adam00f@ducksburg.com> References: <200501252108.27862.adam00f@ducksburg.com> Message-ID: <20050126003514.GA29817@jabberwocky.com> On Tue, Jan 25, 2005 at 09:08:27PM +0000, Adam Funk wrote: > Are all the user-ids (combinations of name, e-mail address and comment) > equal, or can one be the "primary" one? > > I started to generate a new key because the old has several obsolete > e-mail addresses in the UIDs. I gave my "main" e-mail address and > comment in response to the "gpg --gen-key" prompts, then used "gpg > --edit-key" to add UIDs. When I then listed the key, they were out of > order. I had been under the impression (maybe it was just coincidence > with my previous key) that the first UID is the main one. No, you generally designate the UID you want to be primary by using the --edit-key command "primary". If you don't pick one, then the primary is assumed to be the most recently added UID. David From erwan at rail.eu.org Wed Jan 26 07:40:01 2005 From: erwan at rail.eu.org (Erwan David) Date: Wed Jan 26 08:38:53 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: <200501252108.27862.adam00f@ducksburg.com> References: <200501252108.27862.adam00f@ducksburg.com> Message-ID: <20050126064001.GB26330@nez-casse.depot.rail.eu.org> Le Tue 25/01/2005, Adam Funk disait > Are all the user-ids (combinations of name, e-mail address and comment) > equal, or can one be the "primary" one? > > I started to generate a new key because the old has several obsolete > e-mail addresses in the UIDs. I gave my "main" e-mail address and > comment in response to the "gpg --gen-key" prompts, then used "gpg > --edit-key" to add UIDs. When I then listed the key, they were out of > order. I had been under the impression (maybe it was just coincidence > with my previous key) that the first UID is the main one. You can also revoke uids on your key; which indicates juste a change of address, but you keep being the same person. If you look at my key (0xF7001FC7 on public servers), you see it bears following Ids: gpg: using classic trust model pub 1024D/F7001FC7 1998-12-14 uid Erwan David uid [ revoked] Erwan David uid [ revoked] Erwan David uid [ revoked] Erwan David (Adresse Perso) sub 2048g/016C3D2F 1998-12-14 -- Erwan From linux at codehelp.co.uk Wed Jan 26 10:27:19 2005 From: linux at codehelp.co.uk (Neil Williams) Date: Wed Jan 26 12:22:54 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: <200501252108.27862.adam00f@ducksburg.com> References: <200501252108.27862.adam00f@ducksburg.com> Message-ID: <200501260927.19893.linux@codehelp.co.uk> On Tuesday 25 January 2005 9:08 pm, Adam Funk wrote: > Are all the user-ids (combinations of name, e-mail address and comment) > equal, or can one be the "primary" one? gpg --edit-key Command> uid 3 Command> primary primary is only available when the secret key is also available. > I started to generate a new key because the old has several obsolete > e-mail addresses in the UIDs. I gave my "main" e-mail address and > comment in response to the "gpg --gen-key" prompts, then used "gpg > --edit-key" to add UIDs. When I then listed the key, they were out of > order. I had been under the impression (maybe it was just coincidence > with my previous key) that the first UID is the main one. GnuPG assumes the most recent on (IIRC) unless primary is used. -- Neil Williams ============= http://www.dcglug.org.uk/ http://www.nosoftwarepatents.com/ http://sourceforge.net/projects/isbnsearch/ http://www.neil.williamsleesmill.me.uk/ http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : /pipermail/attachments/20050126/30897dfe/attachment.pgp From grayd at extenza-turpin.com Wed Jan 26 13:57:47 2005 From: grayd at extenza-turpin.com (David Gray) Date: Wed Jan 26 13:55:22 2005 Subject: --homedir Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA901@kashmir.extenza-turpin.com> Hello John, Thanks for that. There's no mention of that logical name in the VMS help file but I'll give it a try. The reason for one shared key ring is that the encrypt/decrypt job will normally be run under the overnight batch account but in the event of a failure support staff need to re-run jobs under their own accounts. The key ring should be the same for all. Yeah I know, there are a lot of VMS Privs to remember. All the accounts that use this process are system type accounts. Cheers Dave. -----Original Message----- From: John Clizbe [mailto:JPClizbe@comcast.net] Sent: 25 January 2005 19:26 Cc: gnupg-users Subject: Re: --homedir -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 David Gray wrote: > Hello all, > > OpenVMS 7.3-2 > GnuPG 1.2.3 > > > Another question :-) > > Can I make the GnuPG home directory & therefore the pubring & secring the > same for all users? > > At present my key rings are created in a subdirectory from my root directory > > > Directory TD1:[GRAYD.GNUPG] > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:27:06.28 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:35:59.97 > > > And for another user... > > Directory TD1:[APP_SUPPORT.GNUPG] > > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:15.75 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:20.93 > > > The only documentation I can find on the --homedir command is for when > listing the key rings... Well, not sure of the implementation on VMS, but try setting GNUPGHOME DEFINE/SYS GNUPGHOME TD1:[.GNUPG] Of course, You'll need sysprv in order to do that Is there a good reason for wanting ALL users to use the same keyrings? - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the 133t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB9p1NHQSsSmCNKhARAq+WAKDOCbOmOPoR62rLY0yGa+a7jSqonQCdGO/h aWW+jT3P7O/M7g1cfwVym2w= =Wyue -----END PGP SIGNATURE----- _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From ml at charliesangels.biz Wed Jan 26 11:18:02 2005 From: ml at charliesangels.biz (ml@charliesangels.biz) Date: Wed Jan 26 14:01:54 2005 Subject: How to automatically sign emails Message-ID: Hello everyone, I need your help. We do use a Strange Pearl-Script to automatically sign emails. Basically our MTA (Exim) saves every mail to a maildir. Every mail ist then piped to the Script. However, whenever an attachement is included, the complete body of the email is removed. Is there an easy way to sign mails w/o the attachement ? I would like to use something different than the Pearl-Script we use now. Thanks and regards Sascha From grayd at extenza-turpin.com Wed Jan 26 13:34:56 2005 From: grayd at extenza-turpin.com (David Gray) Date: Wed Jan 26 14:26:36 2005 Subject: --homedir Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8FD@kashmir.extenza-turpin.com> Cheers. Dave. -----Original Message----- From: Kiefer, Sascha [mailto:sk@intertivity.com] Sent: 25 January 2005 17:42 To: gnupg-users@gnupg.org Subject: RE: --homedir Hi. Can use --homedir for all commands supported by gnupg! Have fun esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of David Gray > Sent: Dienstag, 25. Januar 2005 16:58 > To: gnupg-users > Subject: --homedir > > > > Hello all, > > OpenVMS 7.3-2 > GnuPG 1.2.3 > > > Another question :-) > > Can I make the GnuPG home directory & therefore the pubring & > secring the same for all users? > > At present my key rings are created in a subdirectory from my > root directory > > > Directory TD1:[GRAYD.GNUPG] > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:27:06.28 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:35:59.97 > > > And for another user... > > Directory TD1:[APP_SUPPORT.GNUPG] > > PUBRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:15.75 > SECRING.GPG;1 0KB/0KB 25-JAN-2005 15:48:20.93 > > > The only documentation I can find on the --homedir command is > for when listing the key rings... > > Thanks in advance. > > Dave. > > > > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Wed Jan 26 13:02:43 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 26 14:47:40 2005 Subject: gpg version 1.4.0a on w2kp and winxp In-Reply-To: <41F6ABBA.6030506@comcast.net> (John Clizbe's message of "Tue, 25 Jan 2005 14:27:38 -0600") References: <87k6qhxvel.fsf@wheatstone.g10code.de> <41F6ABBA.6030506@comcast.net> Message-ID: <873bwoflek.fsf@wheatstone.g10code.de> On Tue, 25 Jan 2005 14:27:38 -0600, John Clizbe said: > I made a ZIP of my 1.4.1-cvs (20050121) build available to Frank, and he > reported back that all the file renaming issues seem to have been cleared up. Good. We should a release candidate ASAP; hopefully this week. Thanks, Werner From grayd at extenza-turpin.com Wed Jan 26 13:47:14 2005 From: grayd at extenza-turpin.com (David Gray) Date: Wed Jan 26 14:58:57 2005 Subject: 2.6.3i Message-ID: <5155685DF4FC004297C9F5D769CBF51C01CAA8FE@kashmir.extenza-turpin.com> The expert mode of PGP8.1 new key generation lists RSA, RSA-Legacy or Diffie-Hellman/DSS as key types. If I create a key using RSA on PGP8.1 and import into GnuPG then exchange it with a site using PGP8.x this works fine... am I missing something? There's quite a lot more to this than first meets the eye :-) Cheers Dave. PS - Is this a text only list-serv? -----Original Message----- From: Johan Wevers [mailto:johanw@vulcan.xs4all.nl] Sent: 25 January 2005 14:21 To: gnupg-users@gnupg.org Subject: Re: 2.6.3i David Gray wrote: >I've now taken a slightly different approach. I've created a new key pair >using PGP 8.1 and then imported both into my GnuPG keyring on VMS - all >works fine. Just need the supplier to try importing my new 8.1 public key >into their 2.6.3 keyring... That won't work. With some work you can import the key if it's an v3 RSA key not larger than 2048 bits (don't use idea for key encryption then or you won't be able to import the secret key). I don't know if pgp 8.1 creates v3 RSA keys, pgp 2.x can't import v4 keys. GnuPG can't create them without a patch (so without a recompile). However, the messages encrypted with pgp 2.6.3i to such a key will still use the IDEA symmetric algorithm. If you want to communicate with users of unpatched pgp 2.x versions, you'll really need to get IDEA integrated in GnuPG. On win32 a dll is sufficient, but I don't know if the dynamic loading of algorithms works on VMS. If it does, compiling the module and adding a line in gpg.conf will suffice. Otherwise, you'll have to recompile. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users From wk at gnupg.org Wed Jan 26 15:14:10 2005 From: wk at gnupg.org (Werner Koch) Date: Wed Jan 26 15:09:59 2005 Subject: 2.6.3i In-Reply-To: <200501251421.PAA10917@vulcan.xs4all.nl> (Johan Wevers's message of "Tue, 25 Jan 2005 15:21:22 +0100 (MET)") References: <200501251421.PAA10917@vulcan.xs4all.nl> Message-ID: <871xc8e0r1.fsf@wheatstone.g10code.de> On Tue, 25 Jan 2005 15:21:22 +0100 (MET), Johan Wevers said: > won't be able to import the secret key). I don't know if pgp 8.1 creates v3 > RSA keys, pgp 2.x can't import v4 keys. GnuPG can't create them without a > patch (so without a recompile). Actually support for v3 keys will be dropped from the next OpenPGP revision due to security reasons. Werner From grinny3004 at yahoo.com Wed Jan 26 19:03:53 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Wed Jan 26 20:35:18 2005 Subject: gpg --keyserver Message-ID: <20050126180353.76834.qmail@web61206.mail.yahoo.com> Thanks very much for your response, I tried your suggestion but with no effect. I don't think it's a problem in my network setup, but that the problem lies with (my installation of) gpg. Henry Hertz Hobbit wrote: > > > You wrote: > > >>I tried this, but my DNS is definitly set up okee. >> >>C:\Documents and Settings\Administrator.GRINNY>nslookup >>keyserver.kjsl.com >>*** Can't find server name for address 192.168.0.1: >>Non-existent domain >>*** Default servers are not available >>Server: UnKnown >>Address: 192.168.0.1 >> >>Non-authoritative answer: >>Name: keyserver.kjsl.com >>Address: 69.36.241.130 >> >>192.168.0.1 is my gateway (A windows 98 box serving as >>a router) > > > OH! Did you see my comment about what you have to do with > a router? I advise you to copy the files over to the > Windows 98 box that is doing the service as a router and > retrieve the key. If you have an auto install, just install > it, and then copy the following files from your present > machine into the same folder on the new machine: > > REM there are SEVERAL pubring files > pubring.* > secring.gpg > trustdb.gpg > Gpg still gives the same result: gpg: requesting key BB36BA75 from hkp server keyserver.kjsl.com Host: keyserver.kjsl.com Port: 80 Command: GET gpgkeys: HTTP URL is `hkp://keyserver.kjsl.com:80/pks/lookup?op=get&options=mr&s earch=0xBB36BA75' ?: keyserver.kjsl.com: Host not found: ec=10065 gpgkeys: HKP fetch error: No error gpg: no valid OpenPGP data found. gpg: Total number processed: 0 I've setup firefox too use the same proxy configuration and I can reach the site http://keyserver.kjsl.com:80/pks/lookp?op=get&options=mr&search=0xBB36BA75 without any problem. Allthough nslookup complaint about not knowing the host name of the router, it did give the correct result. Ping also translates the hostname to a correct ip address, so I really don't think this is a DNS problem. The weirdest thing is that I get a different error message when I use the ip address.... Since I know the rest of my applications are setup correctly, so I know the network is okee, this leads me to believe that either I'm _that_ stupid and fucked up my settings again (this has happened before :-) ), or this is a bug in gpg. gpg: requesting key BB36BA75 from hkp server 69.36.241.130 Host: 69.36.241.130 Command: GET gpgkeys: HTTP URL is `hkp://69.36.241.130/pks/lookup?op=get&options=mr&search=0x BB36BA75' gpgkeys: HKP fetch error: No error gpg: no valid OpenPGP data found. gpg: Total number processed: 0 > BTW, are you using actual gpg or WinPT? I advise that > you use WinPT, but copy the executable files in the > Program Files area to some place in your path, e.g., > into C:\Windows. It offers hot key support and does a > lot more. WinPT stores the above files in: > > C:\Documents and Settings\Administrator.GRINNY\Applications\GnuPG > > I have played around long enough with GPGOE that I can > NOT advise it. It cannot sign email messages, and the > automation for encryption is only outward bound. When > it comes in, you have to select all of the encrypted > email, CTRL+C it, and then do a CTRL+ALT+D to decrypt > the Clipboard, then open some sort of editor and then > CTRL+V (paste) it into the editor. I advise moving to > Thunderbird. It will encrypt INLINE (what GPGOE does), > and MIME (the default for a lot of other email programs, > and most importantly, it will allow you do SIGN your > messages. That is the only part of gpg I need a lot. > I allready use Thunderbird, I also have enigmail installed, but since fetching keys didn't work, I went back to basic and tried to retrieve a key from the console. Since that too failed I know the problem lies with gpg. Thanks, - Grinny - the source of my problems is in the source... __________________________________ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 From sk at intertivity.com Wed Jan 26 20:20:03 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Jan 26 21:47:59 2005 Subject: How to automatically sign emails In-Reply-To: Message-ID: <001601c503dc$09b284f0$f300a8c0@HOME> Hi. Well i do it by parsing the output of the gpg and Interacting with it when asked for input. I do it using C on Windows but it actually doesn't matter which programming language you are using (and i think you mean Perl :) ) Have fun esskar > -----Original Message----- > From: gnupg-users-bounces@gnupg.org > [mailto:gnupg-users-bounces@gnupg.org] On Behalf Of > ml@charliesangels.biz > Sent: Mittwoch, 26. Januar 2005 11:18 > To: gnupg-users@gnupg.org > Subject: How to automatically sign emails > > > > Hello everyone, > > I need your help. > > We do use a Strange Pearl-Script to automatically sign > emails. Basically our MTA (Exim) saves every mail to a > maildir. Every mail ist then piped to the Script. However, > whenever an attachement is included, the complete body of the > email is removed. > > Is there an easy way to sign mails w/o the attachement ? > I would like to use something different than the Pearl-Script > we use now. > > Thanks and regards > Sascha > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From torduninja at mail.pf Wed Jan 26 21:57:39 2005 From: torduninja at mail.pf (Maxine Brandt) Date: Wed Jan 26 21:58:18 2005 Subject: gpg version 1.4.0a on w2kp and winxp Message-ID: <41F80443.7020409@mail.pf> On Wed, 26 Jan 2005 13:02:43 +0100 Werner Koch wrote > On Tue, 25 Jan 2005 14:27:38 -0600, John Clizbe said: >> I made a ZIP of my 1.4.1-cvs (20050121) build available to Frank, and he >> reported back that all the file renaming issues seem to have been cleared up. > Good. > We should a release candidate ASAP; hopefully this week. > Thanks, I struck the renaming issue with 1.4.0a on only two occasions, once after importing a key which had been signed by one of the keys already on the keyring, and once when assigning trust to a key. I spent four hours trying to reproduce the error with the same actions using John's CVS version, without success, so it seems this bug has been fixed. The other good news is that the GNUPGHOME environment variable resolves the problems of using GPG on removable drives. I think it would be a good idea if Windows binaries were made available for release candidates in future. Is this possible? Salut Maxine -- OpenPGP keys: http://www.torduninja.tk From sk at intertivity.com Wed Jan 26 20:23:56 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Wed Jan 26 22:18:50 2005 Subject: Extracting UserAttribute (photo) Message-ID: <001701c503dc$94ab4d30$f300a8c0@HOME> Hi. Is it possible to retrieve the photo from an key? I know the showphoto command unter --edit-key but That is not what i want! I want to have a savephoto like command which writes the image to a file. I modified the source to get the functionalty but that is just not nice. Have fun. esskar From dshaw at jabberwocky.com Wed Jan 26 23:02:25 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Wed Jan 26 22:59:08 2005 Subject: Extracting UserAttribute (photo) In-Reply-To: <001701c503dc$94ab4d30$f300a8c0@HOME> References: <001701c503dc$94ab4d30$f300a8c0@HOME> Message-ID: <20050126220225.GB11478@jabberwocky.com> On Wed, Jan 26, 2005 at 08:23:56PM +0100, Kiefer, Sascha wrote: > Hi. > > Is it possible to retrieve the photo from an key? > I know the showphoto command unter --edit-key but > That is not what i want! I want to have a savephoto > like command which writes the image to a file. > I modified the source to get the functionalty but > that is just not nice. photo-viewer "cat > ~/photoid-for-key-%k.%t" Then view the photo. David From bdesham at gmail.com Wed Jan 26 22:19:00 2005 From: bdesham at gmail.com (Benjamin Esham) Date: Wed Jan 26 23:15:39 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: <20050126064001.GB26330@nez-casse.depot.rail.eu.org> References: <200501252108.27862.adam00f@ducksburg.com> <20050126064001.GB26330@nez-casse.depot.rail.eu.org> Message-ID: On Jan 26, 2005, at 1:40 AM, Erwan David wrote: > You can also revoke uids on your key; which indicates juste a change > of address, but you keep being the same person. If you look at my key > (0xF7001FC7 on public servers), you see it bears following Ids: > > gpg: using classic trust model > pub 1024D/F7001FC7 1998-12-14 > uid Erwan David > uid [ revoked] Erwan David > uid [ revoked] Erwan David > uid [ revoked] Erwan David (Adresse Perso) > > sub 2048g/016C3D2F 1998-12-14 Recently I changed e-mail addresses. In order to update my GPG keys, should I just generate a new subkey and revoke the old ones? What effect(s) will revoking my old subkeys have? Thanks for the info! -- Benjamin D. Esham { http://bdesham.net bdesham@gmail.com } AIM: bdesham 1 2 8 Six Gmail invites -- e-mail me if you're interested. From ISMAEVAL at terra.es Wed Jan 26 21:36:55 2005 From: ISMAEVAL at terra.es (Ismael Valladolid Torres) Date: Wed Jan 26 23:18:07 2005 Subject: How to automatically sign emails In-Reply-To: References: Message-ID: <20050126203654.GA5368@buddha> ml@charliesangels.biz escribe: > We do use a Strange Pearl-Script to automatically sign emails. Basically > our MTA (Exim) saves every mail to a maildir. Every mail ist then piped > to the Script. However, whenever an attachement is included, the > complete body of the email is removed. Digitally signing mail messages without the user intervention doesn't look like a Good Idea(TM). Cordially, Ismael From JPClizbe at comcast.net Thu Jan 27 00:03:07 2005 From: JPClizbe at comcast.net (John Clizbe) Date: Wed Jan 26 23:59:56 2005 Subject: gpg version 1.4.0a on w2kp and winxp In-Reply-To: <41F80443.7020409@mail.pf> References: <41F80443.7020409@mail.pf> Message-ID: <41F821AB.7030106@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Maxine Brandt wrote: > On Wed, 26 Jan 2005 13:02:43 +0100 Werner Koch wrote >> On Tue, 25 Jan 2005 14:27:38 -0600, John Clizbe said: >>> I made a ZIP of my 1.4.1-cvs (20050121) build available to Frank, and he >>> reported back that all the file renaming issues seem to have been cleared up. >> Good. > >> We should a release candidate ASAP; hopefully this week. > >> Thanks, > > I struck the renaming issue with 1.4.0a on only two occasions, once after > importing a key which had been signed by one of the keys already on the > keyring, and once when assigning trust to a key. I spent four hours trying to > reproduce the error with the same actions using John's CVS version, without > success, so it seems this bug has been fixed. > > The other good news is that the GNUPGHOME environment variable resolves the > problems of using GPG on removable drives. > > I think it would be a good idea if Windows binaries were made available for > release candidates in future. Is this possible? I recall a Win32 RC back with 1.2.3 and then for 1.3.6 and 1.3.92. I'll volunteer to do it if needed. - -- John P. Clizbe Inet: JPClizbe(a)comcast DOT nyet Golden Bear Networks PGP/GPG KeyID: 0x608D2A10 "Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) Comment: When cryptography is outlawed, b25seSBvdXRsYXdzIHdpbGwgdXNlIG Comment: Be part of the ?33t ECHELON -- Use Strong Encryption. Comment: It's YOUR right - for the time being. Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFB+CGqHQSsSmCNKhARAjMyAKDofIw2E0IQZniGucMGMeKsJDeTGQCg/QLD v/PVEqm2nYbtvNYjRGCZN4I= =0IYK -----END PGP SIGNATURE----- From sk at intertivity.com Thu Jan 27 00:11:46 2005 From: sk at intertivity.com (Kiefer, Sascha) Date: Thu Jan 27 00:07:58 2005 Subject: How to automatically sign emails In-Reply-To: <20050126203654.GA5368@buddha> Message-ID: <000101c503fc$6b401190$f300a8c0@HOME> Well, it depends on the security policy! :) > -----Original Message----- > From: gnupg-users-bounces+sk=intertivity.com@gnupg.org > [mailto:gnupg-users-bounces+sk=intertivity.com@gnupg.org] On > Behalf Of Ismael Valladolid Torres > Sent: Mittwoch, 26. Januar 2005 21:37 > To: gnupg-users@gnupg.org > Subject: Re: How to automatically sign emails > > > ml@charliesangels.biz escribe: > > We do use a Strange Pearl-Script to automatically sign emails. > > Basically our MTA (Exim) saves every mail to a maildir. > Every mail ist > > then piped to the Script. However, whenever an attachement is > > included, the complete body of the email is removed. > > Digitally signing mail messages without the user intervention > doesn't look like a Good Idea(TM). > > Cordially, Ismael > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > From johanw at vulcan.xs4all.nl Thu Jan 27 00:21:04 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 27 00:20:14 2005 Subject: 2.6.3i In-Reply-To: <871xc8e0r1.fsf@wheatstone.g10code.de> from Werner Koch at "Jan 26, 2005 03:14:10 pm" Message-ID: <200501262321.AAA00946@vulcan.xs4all.nl> Werner Koch wrote: >Actually support for v3 keys will be dropped from the next OpenPGP >revision due to security reasons. Does that mean GnuPG will drop support as well? As I understand it, IDEA support for 1.9.x is already dropped, or is it easy to compile IDEA support into libgcrypt the same way as into gpg 1.x? -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From johanw at vulcan.xs4all.nl Thu Jan 27 00:18:46 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 27 00:20:27 2005 Subject: 2.6.3it In-Reply-To: <5155685DF4FC004297C9F5D769CBF51C01CAA8FE@kashmir.extenza-turpin.com> from David Gray at "Jan 26, 2005 12:47:14 pm" Message-ID: <200501262318.AAA00925@vulcan.xs4all.nl> David Gray wrote: >The expert mode of PGP8.1 new key generation lists RSA, RSA-Legacy or >Diffie-Hellman/DSS as key types. If I create a key using RSA on PGP8.1 and >import into GnuPG then exchange it with a site using PGP8.x this works >fine... am I missing something? Yes: it won't work with pgp 2.x. I assume you need to select RSA-legacy for that. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From henkdebruijn at wanadoo.nl Thu Jan 27 05:25:52 2005 From: henkdebruijn at wanadoo.nl (Henk de Bruijn) Date: Thu Jan 27 06:18:55 2005 Subject: gpg version 1.4.0a on w2kp and winxp In-Reply-To: <41F80443.7020409@mail.pf> References: <41F80443.7020409@mail.pf> Message-ID: <1252991525.20050127052552@wanadoo.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 26 Jan 2005 10:57:39 -1000GMT (26-1-2005, 21:57 +0100, where I live), Maxine Brandt wrote: > On Wed, 26 Jan 2005 13:02:43 +0100 Werner Koch wrote >> On Tue, 25 Jan 2005 14:27:38 -0600, John Clizbe said: >>> I made a ZIP of my 1.4.1-cvs (20050121) build available to Frank, and he >>> reported back that all the file renaming issues seem to have been cleared up. >> We should a release candidate ASAP; hopefully this week. ... > I think it would be a good idea if Windows binaries were made available for > release candidates in future. Is this possible? I second this! - -- Henk ______________________________________________________________________ The Bat!? Natural Email System v3.0.1.33nl Professional on Windows XP SP2 PGPkey available at http://www.biglumber.com/x/web?qs=0x12069B93DBE6E678 Gossamer Spider Web of Trust GSWoT http://gswot.dyndns.org/ A Progressive and Innovative Web of Trust -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs-2005-01-21 (Windows 2000 Pro SP4) - GPGrelay v0.955 iD8DBQFB+G1aEgabk9vm5ngRArKgAJ9K2S1rnJ1C84YDD0Sh5MD17DGoiwCg+0pN epYDKHJ6jPChStJNG8xLH6o= =BdaA -----END PGP SIGNATURE----- From wk at gnupg.org Thu Jan 27 10:39:13 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 11:59:29 2005 Subject: gpg version 1.4.0a on w2kp and winxp In-Reply-To: <41F80443.7020409@mail.pf> (Maxine Brandt's message of "Wed, 26 Jan 2005 10:57:39 -1000") References: <41F80443.7020409@mail.pf> Message-ID: <87acqvb48u.fsf@wheatstone.g10code.de> On Wed, 26 Jan 2005 10:57:39 -1000, Maxine Brandt said: > I think it would be a good idea if Windows binaries were made available for > release candidates in future. Is this possible? Will do so if there are changes to the Windows code. And there are quite some in 1.4.1. Werner From wk at gnupg.org Thu Jan 27 10:37:18 2005 From: wk at gnupg.org (Werner Koch) Date: Thu Jan 27 12:16:59 2005 Subject: 2.6.3i In-Reply-To: <200501262321.AAA00946@vulcan.xs4all.nl> (Johan Wevers's message of "Thu, 27 Jan 2005 00:21:04 +0100 (MET)") References: <200501262321.AAA00946@vulcan.xs4all.nl> Message-ID: <87ekg7b4c1.fsf@wheatstone.g10code.de> On Thu, 27 Jan 2005 00:21:04 +0100 (MET), Johan Wevers said: > Does that mean GnuPG will drop support as well? As I understand it, IDEA No. Unless you use --openpgp. > support for 1.9.x is already dropped, or is it easy to compile IDEA support > into libgcrypt the same way as into gpg 1.x? libgcrypt features a generic mechanism to load and unload new algorithms; so after the expiration of the patent you may do that. However I doubt why you still want a cipher using 64 bit blocks at that time. Anyway don't let us heat up the discussion again ;-) Shalom-Salam, Werner From ml at charliesangels.biz Thu Jan 27 08:06:01 2005 From: ml at charliesangels.biz (ml@charliesangels.biz) Date: Thu Jan 27 13:25:33 2005 Subject: How to automatically sign emails Message-ID: Ismael Valladolid Torres schrieb am 26.01.2005, 21:36:55: > ml@charliesangels.biz escribe: > > We do use a Strange Pearl-Script to automatically sign emails. Basically > > our MTA (Exim) saves every mail to a maildir. Every mail ist then piped > > to the Script. However, whenever an attachement is included, the > > complete body of the email is removed. > > Digitally signing mail messages without the user intervention doesn't > look like a Good Idea(TM). Yes, I know. But in this case we have no other choice. Any ideas ? Kind regards Sascha From johanw at vulcan.xs4all.nl Thu Jan 27 12:02:39 2005 From: johanw at vulcan.xs4all.nl (Johan Wevers) Date: Thu Jan 27 14:12:19 2005 Subject: 2.6.3i In-Reply-To: <87ekg7b4c1.fsf@wheatstone.g10code.de> from Werner Koch at "Jan 27, 2005 10:37:18 am" Message-ID: <200501271102.MAA00834@vulcan.xs4all.nl> Werner Koch wrote: >> Does that mean GnuPG will drop support as well? As I understand it, IDEA >No. Unless you use --openpgp. Then how do I compile it in exactly? >libgcrypt features a generic mechanism to load and unload new >algorithms; How does this work when I want to add IDEA? >so after the expiration of the patent you may do that. Oh well, I treat software patents the same as copyright on mucic CD's: I completely ignore them. Besides, for personal use I'm allowed to use it anyway. >However I doubt why you still want a cipher using 64 bit blocks at >that time. Technical issues aremn't the point, compatibility with pgp 2.x is. -- ir. J.C.A. Wevers // Physics and science fiction site: johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html From markivs2003 at yahoo.com Thu Jan 27 19:00:26 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Thu Jan 27 20:52:42 2005 Subject: gpg return value problem Message-ID: <20050127180026.33107.qmail@web50704.mail.yahoo.com> Hello, I am trying to capture the return value from the gpg command. Documentation says, gpg will return 0 if successful or return 1 if there's an error. $errorval = 0; $errorval = 'gpg --recipient "XXX" --output $rootpath\\output\\$filepgp --encrypt $rootpath\\encrypted\\$file'; The value of $errorval is always blank(even if there is an error in the encryption). When I try to print $errorval, it is blank. Any help will be very much appreciated. Thanks. -Mark __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From og at pre-secure.de Thu Jan 27 15:58:03 2005 From: og at pre-secure.de (Olaf Gellert) Date: Thu Jan 27 20:53:30 2005 Subject: gpgsm for Windows Message-ID: <41F9017B.10108@pre-secure.de> Just a short question, I did not find anything like this on my first short search: Is there already a binary/port of gpgsm for windows? Cheers, Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From areiner at tph.tuwien.ac.at Thu Jan 27 17:34:07 2005 From: areiner at tph.tuwien.ac.at (Albert Reiner) Date: Thu Jan 27 22:14:38 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: References: <200501252108.27862.adam00f@ducksburg.com> <20050126064001.GB26330@nez-casse.depot.rail.eu.org> Message-ID: [Benjamin Esham , Wed, 26 Jan 2005 16:19:00 -0500]: > > gpg: using classic trust model > > pub 1024D/F7001FC7 1998-12-14 > > uid Erwan David > > uid [ revoked] Erwan David > > uid [ revoked] Erwan David > > uid [ revoked] Erwan David (Adresse Perso) > > > > sub 2048g/016C3D2F 1998-12-14 > > Recently I changed e-mail addresses. In order to update my GPG keys, > should I just generate a new subkey and revoke the old ones? What > effect(s) will revoking my old subkeys have? Look closely: those are revoked user IDs (UID), not revoked subkeys (SUB). Look at --edit-key and the ADDUID and REVUID commands. Albert. From vedaal at hush.com Thu Jan 27 21:39:06 2005 From: vedaal at hush.com (vedaal@hush.com) Date: Thu Jan 27 22:26:01 2005 Subject: feature request // starting gnupg for symmetric decryption before secring is present Message-ID: <200501272039.j0RKd7Y5027468@mailserver3.hushmail.com> would it be possible to have gnupg start without the keyrings present, with just an alert message that the keyrings were not found? for those of use who keep the secring.gpg on a floppy, symmetrically encrypted, it would be very convenient to be able to start gnupg , decrypt symmetrically, and then continue as it is now, the workaround is not too bad, to have a backup 'dummy' secring.gpg, and trustdb in gnupg, and replace them each time with the symmetrically decrypted ones, and then wipe/secure-erase the decrypted 'real'secring.gpg when leaving (still, it is a little tedious,) as there is no security problem in having gnupg be able to symmetrically encrypt and decrypt without keyrings present, then could this be considered as a possible future feature? Thanks, vedaal Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 From boldyrev+nospam at cgitftp.uiggm.nsc.ru Fri Jan 28 07:23:59 2005 From: boldyrev+nospam at cgitftp.uiggm.nsc.ru (Ivan Boldyrev) Date: Fri Jan 28 07:30:36 2005 Subject: gpg return value problem References: <20050127180026.33107.qmail__6138.68249715797$1106857701$gmane$org@web50704.mail.yahoo.com> Message-ID: On 9003 day of my life Mark Ivs wrote: > Hello, > I am trying to capture the return value from the gpg > command. Documentation says, gpg will return 0 if > successful or return 1 if there's an error. > > $errorval = 0; > $errorval = 'gpg --recipient "XXX" --output > $rootpath\\output\\$filepgp --encrypt > $rootpath\\encrypted\\$file'; gpg --recipient "XXX" --output bla-bla-bla erroroval=$? echo $errorval Returned value is stored by shell in variable '$?'. And when you assign to variable, don't prepend its name with dollar sign. -- Ivan Boldyrev Today is the first day of the rest of your life. From jeff+gnupg at jeffenstein.dyndns.org Fri Jan 28 08:48:42 2005 From: jeff+gnupg at jeffenstein.dyndns.org (Jeff Fisher) Date: Fri Jan 28 11:31:51 2005 Subject: gpg return value problem In-Reply-To: <20050127180026.33107.qmail@web50704.mail.yahoo.com> References: <20050127180026.33107.qmail@web50704.mail.yahoo.com> Message-ID: <20050128074842.GC21241@frogger.jeffnet> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Thu, Jan 27, 2005 at 10:00:26AM -0800, Mark Ivs wrote: > Hello, > I am trying to capture the return value from the gpg > command. Documentation says, gpg will return 0 if > successful or return 1 if there's an error. > > $errorval = 0; > $errorval = 'gpg --recipient "XXX" --output > $rootpath\\output\\$filepgp --encrypt > $rootpath\\encrypted\\$file'; > It looks like you're doing this in perl, so it's a bit off-topic for the list, but... This will only catch the output: $output = `cmd`; What you want to do is to check the $? variable after running the command, like this: $output = `cmd`; if( $? ){ print "gpg returned: $?\n"; # error handling } You'll probably want to look at 'perldoc -f system' on what to do with $? to get meaningful information. - -- jeff@jeffenstein.org http://www.jeffenstein.org/ "Men occasionally stumble on the truth, but most of them pick themselves up and hurry off as if nothing had happened." - Winston Churchill -----BEGIN PGP SIGNATURE----- iQIVAwUBQfnuWhwPMBUZyYf1AQiXwRAArTHQSUjaLCVtuiqGZcTNqEMgv198ljMq D964bBSH7tvW0q52MMPxaY43JEaGO8pX3wVM8mpymuaGaSixSK1c5M+xEklZpt9f GNxgxKKhHJ6GBxqX+Yehcyu6nBrDN41kZxJvllZNXo7EgRqRzM3P2YV4+7Zm+XO+ 4eTseVcSi4nWbH6RQzoXGCS0V5QsAMow7FPVlVpe3/xN5iW/eu1mJKihNL/X8uSZ F/Woi1QyIk04RR6ZH9S2jxU3HI5OzgzrmwAgCgwvVRVQl9mq8gQH3S7gSZ4B9gnx FiHb4Tlgc16R6DUU7AI+Y8DNFKAX0jx0BTsJrWwe9CZQ6OJdZYyYTaxcgPuTqmkY I3J7h6nQgTuMQPEPsfQaAMdN9SdD+vknB2J620ateZLpXxo/pdihNAeJvt4yFKco VLk92hqATnDMMp0suWGL243FKkXPr/zjmhYieefJjumWWjkz8t2pS7rJsJNc1QOQ L2brL8ImiiAYWgtDP1kI+ym8HORSBEM0EU0ieLVd6wpL4Jjouw7duB8fsryyjn5Q xEAimX7WD/ksNy+mDfAtgaDMkHjnftTXJKCjumDoXuAyPH4wqin0s+DAhvWgAeHo ru6/R5HKtBUnPShUNPHISgAHlTqxeYx4ikj33dMrQSlBINJIIbp/CjlAB9YJbD38 +McIv8apsfw= =NA/V -----END PGP SIGNATURE----- From bastien.laporte-riou at medincell.com Fri Jan 28 12:08:03 2005 From: bastien.laporte-riou at medincell.com (Bastien Laporte-Riou) Date: Fri Jan 28 12:03:52 2005 Subject: Pb Gnupg with cron Message-ID: <136483d40c363d7e6431306634dd8074@www.medincell.com> Hello, I'm recently work with gnupg to encrypt my data on my server. I want to encrypt my data on a bakup script use in crontab, when i use it manually no problem the data was encrypt but when i use it on the cron the data wasn't encrypt. Here the following command i use: gpg -r bastien.laporte-riou@medincell.com --encrypt-files essai.txt.tar.gz I have previously create my key and when i use it on the console no problem where can the problem come? Please if someone have an idea. Thanks a lot. -- ___________________________ Medincell Bastien Laporte-Riou Email : bastien.laporte-riou@medincell.com Web : http://www.medincell.com Sent date : 01.28.2005 ___________________________ Disclaimer - This email and any files transmitted with it are confidential and contain privileged or copyright information. You must not present this message to another party without gaining permission from the sender. If you are not the intended recipient you must not copy, distribute or use this email or the information contained in it for any purpose other than to notify us. If you have received this message in error, please notify the sender immediately, and delete this email from your system. We do not guarantee that this material is free from viruses or any other defects although due care has been taken to minimise the risk. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Medincell. From samuel at Update.UU.SE Fri Jan 28 13:35:10 2005 From: samuel at Update.UU.SE (Samuel ]slund) Date: Fri Jan 28 14:29:55 2005 Subject: Pb Gnupg with cron In-Reply-To: <136483d40c363d7e6431306634dd8074@www.medincell.com> References: <136483d40c363d7e6431306634dd8074@www.medincell.com> Message-ID: <20050128123510.GA6621@Update.UU.SE> On Fri, Jan 28, 2005 at 12:08:03PM +0100, Bastien Laporte-Riou wrote: > Hello, > > I'm recently work with gnupg to encrypt my data on my server. I want to > encrypt my data on a bakup script use in crontab, when i use it manually no > problem the data was encrypt but when i use it on the cron the data wasn't > encrypt. > Here the following command i use: > gpg -r bastien.laporte-riou@medincell.com --encrypt-files essai.txt.tar.gz > > I have previously create my key and when i use it on the console no problem > where can the problem come? Does the cronjob have exactly the same environment? Especially homedir, user and permissions. There was some talk about cronjobs on this list roughly half a year ago. (The whole archive can be found at http://lists.gnupg.org/pipermail/gnupg-users.mbox/?1106915328 ) I hope you have some good ways to restore your private key if you ever need te backup ;-) HTH //Samuel From FHubeny at wittbiomedical.com Fri Jan 28 14:44:58 2005 From: FHubeny at wittbiomedical.com (Frank Hubeny) Date: Fri Jan 28 14:49:54 2005 Subject: Bug reporting question Message-ID: Hello Group; I would like some information on what to send you all in a bug report. It perhaps would be a aid to people like myself who are just not very helpfull with what we do send. Then get upset when we do not get any replies. I ask this because if Window binaries for release candidates do start comeing out. I would like to test them. If problems do occur I sure do not want to send in alot of usless stuff. I do appreciate the Windows binaries you all do, and just sending in a understandable bug report, if any, would most likely help. Frank Hubeny RMA Technician Manufacturing Dept. Witt Biomedical Corp. 800.669.1328 ext. 179 fhubeny@wittbiomedical.com From wk at gnupg.org Fri Jan 28 17:13:46 2005 From: wk at gnupg.org (Werner Koch) Date: Fri Jan 28 17:10:38 2005 Subject: gpgsm for Windows In-Reply-To: <41F9017B.10108@pre-secure.de> (Olaf Gellert's message of "Thu, 27 Jan 2005 15:58:03 +0100") References: <41F9017B.10108@pre-secure.de> Message-ID: <87vf9h1qh1.fsf@wheatstone.g10code.de> On Thu, 27 Jan 2005 15:58:03 +0100, Olaf Gellert said: > Is there already a binary/port of gpgsm for windows? Yes. The 1.9.14 has been released along with binaries for Windows. Its mainly useful for unattended applications and CRL checking is not done. There exists a pinentrey which basically works, but its all not very well tested. You find the binaries at ftp.gnupg.org/gcrypt/alpha/binary/ Salam-Shalom, Werner From wren at hunt.org Fri Jan 28 21:07:41 2005 From: wren at hunt.org (J. Wren Hunt) Date: Fri Jan 28 21:04:02 2005 Subject: Smartcard In-Reply-To: <20050128161743.GA20391__12784.3568604023$1106942141$gmane$org@mail.gasops.co.uk> References: <20050128161743.GA20391__12784.3568604023$1106942141$gmane$org@mail.gasops.co.uk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Shaun Lipscombe wrote: | If I buy one of these: | | http://www.g10code.de/p-card.html | | Will it work with gpg.. ? | | Will gpg work with cards that actually perform the encryption? With GnuPG 1.4.x, there are some card-related commands that will allow you to manipulate all aspects of the OpenPGP card: GnuPG OpenPGP card commands: ~ --card-status print the card status ~ --card-edit change data on a card ~ --change-pin change a card's PIN Wren -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB+puNA/qR4Uok1vQRAr9eAJ9gChACzhZVbPATq8BL6sYNpmErqwCfXyev C0r8kBo826kFas8THXhhHAQ= =d/65 -----END PGP SIGNATURE----- From erwan at rail.eu.org Fri Jan 28 21:20:42 2005 From: erwan at rail.eu.org (Erwan David) Date: Fri Jan 28 21:16:53 2005 Subject: Smartcard In-Reply-To: References: <20050128161743.GA20391__12784.3568604023$1106942141$gmane$org@mail.gasops.co.uk> Message-ID: <20050128202042.GA5054@nez-casse.depot.rail.eu.org> Le Fri 28/01/2005, J. Wren Hunt disait > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Shaun Lipscombe wrote: > | If I buy one of these: > | > | http://www.g10code.de/p-card.html > | > | Will it work with gpg.. ? > | > | Will gpg work with cards that actually perform the encryption? > > > With GnuPG 1.4.x, there are some card-related commands that will allow > you to manipulate all aspects of the OpenPGP card: > > GnuPG OpenPGP card commands: > > ~ --card-status print the card status > ~ --card-edit change data on a card > ~ --change-pin change a card's PIN Is there somewhere a specification of this card ? (set of APDUs etc...) -- Erwan From grinny3004 at yahoo.com Fri Jan 28 21:31:07 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Fri Jan 28 22:27:45 2005 Subject: tempout.txt Message-ID: <20050128203108.9105.qmail@web31101.mail.mud.yahoo.com> Hi everyone, Could someone please send me a copy of tempout.txt (you can get this with the '--keyserver-options keep-temp-files' options). I'd like to know the fileformat. Thanks, - Grinny - __________________________________ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 From og at pre-secure.de Fri Jan 28 19:13:02 2005 From: og at pre-secure.de (Olaf Gellert) Date: Sat Jan 29 00:17:16 2005 Subject: gpgsm for Windows In-Reply-To: <87vf9h1qh1.fsf@wheatstone.g10code.de> References: <41F9017B.10108@pre-secure.de> <87vf9h1qh1.fsf@wheatstone.g10code.de> Message-ID: <41FA80AE.2040803@pre-secure.de> Thanx, Werner. :-) Werner Koch wrote: > Its mainly useful for unattended applications and CRL checking is not > done. No worries, in this special case we are only abusing it as a very simple solution to store and retrieve certificates... Olaf -- Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE og@pre-secure.de A daily view on Internet Attacks https://www.ecsirt.net/sensornet From bdesham at gmail.com Sat Jan 29 00:55:20 2005 From: bdesham at gmail.com (Benjamin Esham) Date: Sat Jan 29 00:51:36 2005 Subject: Are all the UIDs on a key supposed to be equal? In-Reply-To: References: <200501252108.27862.adam00f@ducksburg.com> <20050126064001.GB26330@nez-casse.depot.rail.eu.org> Message-ID: <111C1DDE-7188-11D9-8274-00306583B8BC@gmail.com> On Jan 27, 2005, at 11:34 AM, Albert Reiner wrote: > [Benjamin Esham , Wed, 26 Jan 2005 16:19:00 -0500]: > >> Recently I changed e-mail addresses. In order to update my GPG keys, >> should I just generate a new subkey and revoke the old ones? What >> effect(s) will revoking my old subkeys have? > > Look closely: those are revoked user IDs (UID), not revoked subkeys > (SUB). Look at --edit-key and the ADDUID and REVUID commands. Okay, I had a look at the manual, and I think I know what to do now. However, the manual didn't really make clear what will happen after I revoke my old UID. If I just revoke the old UID and then distribute my updated public key, will people will be able to use it without a hitch? Thanks! -- Benjamin D. Esham { http://bdesham.net bdesham@gmail.com } AIM: bdesham 1 2 8 Six Gmail invites -- e-mail me if you're interested. From atom at smasher.org Sat Jan 29 07:59:48 2005 From: atom at smasher.org (Atom Smasher) Date: Sat Jan 29 07:50:24 2005 Subject: How to automatically sign emails In-Reply-To: References: Message-ID: <20050129065412.44051.qmail@smasher.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Wed, 26 Jan 2005 ml@charliesangels.biz wrote: > We do use a Strange Pearl-Script to automatically sign emails. Basically > our MTA (Exim) saves every mail to a maildir. Every mail ist then piped > to the Script. However, whenever an attachement is included, the > complete body of the email is removed. ============ i've never seen a perl script that wasn't strange. > Is there an easy way to sign mails w/o the attachement ? I would like to > use something different than the Pearl-Script we use now. ============= look into ripmime. it can be used to take apart the different pieces of a MIME message. you can then sign just the text and re-attach everything else. is that what you're trying to do? - -- ...atom _________________________________________ PGP key - http://atom.smasher.org/pgp.txt 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808 ------------------------------------------------- "Cryptography is like literacy in the Dark Ages. Infinitely potent, for good and ill... yet basically an intellectual construct, an idea, which by its nature will resist efforts to restrict it to bureaucrats and others who deem only themselves worthy of such Privilege." -- Vin McLellan, A Thinking Man's Creed for Crypto -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: What is this gibberish? Comment: http://atom.smasher.org/links/#digital_signatures iQEcBAEBCAAGBQJB+zRqAAoJEAx/d+cTpVcisRIIAIMiepLEM8N+yH6SYrH8zlBV CD1HzGd0TEEBc/lAMzUGi+Q0hHCrjwKDVEVd6AOjbeiWA16kaxxlVRokjEMdOgp6 8KFsKXnaLeHyWYuQcycCOyEG2nTxnY04Dh+lw3QgYjGwEEU2gJ8AtPk+xW8UxtwO MiIKCX2qB7ngYX4hiGKR7coIqqgHA9zZgb5Rm4srN0yoR7joegU9rB/nogpg7w6O 6uaoAv2jZoGjKM5WCArfnLZavQ0iDczAkkmwBIMeXVqwJDlW78YmQNlmjFfQXqbg rUoX2praUoylqfK5HVI+hCsxxAafZoHRMDZUbUuBHD5MPJEbD0hAXM74OxorRAo= =5v8U -----END PGP SIGNATURE----- From jgentil at sebistar.net Sat Jan 29 08:18:19 2005 From: jgentil at sebistar.net (Jon-Pierre Gentil) Date: Sat Jan 29 08:52:52 2005 Subject: tempout.txt In-Reply-To: <20050128203108.9105.qmail@web31101.mail.mud.yahoo.com> References: <20050128203108.9105.qmail@web31101.mail.mud.yahoo.com> Message-ID: <41FB38BB.2070607@sebistar.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 lord grinny wrote: > Could someone please send me a copy of tempout.txt > (you can get this with the > '--keyserver-options keep-temp-files' options). I'd > like to know the fileformat. Why can't you do it yourself? Seems suspicious to me. - -- _________________________________________________________ Jon-Pierre Gentil PGP: 0xA21BC30E jabber: jgentil@sebistar.net web: www.sebistar.net "If you think education is expensive, try ignorance." _________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iEYEAREDAAYFAkH7OLsACgkQOrVFmaIbww4vtwCfd34Osq2GtV77yy74ui19K39Y 3r4AmgKmlJq0tM307CkXw8joA1kaLZ4D =tDIZ -----END PGP SIGNATURE----- From grinny3004 at yahoo.com Sat Jan 29 13:08:46 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Sat Jan 29 13:05:29 2005 Subject: tempout.txt Message-ID: <20050129120847.30714.qmail@web31102.mail.mud.yahoo.com> > Why can't you do it yourself? It doesn't work for me, since the 'helper' application gpgkeys_http doesn't work for me, and I know it's very easy to write one myself I would really like to know how tempout is supposed to look, this is mine: VERSION 1 PROGRAM 1.4.1-cvs-2005-01-21 KEY 0xBB36BA75 BEGIN KEY 0xBB36BA75 FAILED 9 > > Seems suspicious to me. > Does it really...? - Grinny - __________________________________ Do you Yahoo!? Yahoo! Mail - You care about security. So do we. http://promotions.yahoo.com/new_mail From dshaw at jabberwocky.com Sat Jan 29 15:00:00 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 29 14:56:45 2005 Subject: tempout.txt In-Reply-To: <20050129120847.30714.qmail@web31102.mail.mud.yahoo.com> References: <20050129120847.30714.qmail@web31102.mail.mud.yahoo.com> Message-ID: <20050129140000.GB3938@jabberwocky.com> On Sat, Jan 29, 2005 at 04:08:46AM -0800, lord grinny wrote: > > Why can't you do it yourself? > It doesn't work for me, since the 'helper' application > gpgkeys_http doesn't work > for me, and I know it's very easy to write one myself > I would really like to > know how tempout is supposed to look, this is mine: > > > VERSION 1 > PROGRAM 1.4.1-cvs-2005-01-21 > > KEY 0xBB36BA75 BEGIN > KEY 0xBB36BA75 FAILED 9 This is a general thing for everyone: If you're going to post things to get help, please don't "sanitize" them for "security" to the point where they are useless as diagnostic tools. You've removed at least 4-5 lines from that. David From grinny3004 at yahoo.com Sat Jan 29 15:05:11 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Sat Jan 29 15:02:03 2005 Subject: tempout.txt Message-ID: <20050129140511.13120.qmail@web31101.mail.mud.yahoo.com> Thanks Henry, This wasn't exactly what I meant, but it is nice to finaly see it do something it is supposed too. Importing your key worked without any problem. The temp file I was asking for is where the gpgkeys_* helper programs store their output. Gpg creates a temporary file, fills it with parameters and calls the gpgkeys_* program. The helper program reads the parameters from the temporary inputfile and then puts the result in the temporary output file. Gpg reads the output file and extracts the key. Because my network is a little complicated and nobody else seems to have the problem I have. I decided to write a new version of gpgkeys_http. This shouldn't be very hard, when I know what the exact output should be. - Grinny - Oh, I am a C programmer and I'm okay I muck with indices and structs all day And when it works, I shout hoo-ray Oh, I am a C programmer and I'm okay Henry Hertz Hobbit wrote: > hhhobbit7 wrote: > > >>lord grinny wrote: >> >> >>>Thanks again for your response Henry, >>> >>>I forgot to mention you can find out where these files >>>are stored with the >>>'--debug-all' option. >> >>Okee Dokee. I deleted Atom Smasher and then got it >>again with the following command: >> >>gpg --debug-all --keyserver pgp.mit.edu -keyserver-options \ >> keep-temp-files --recv-keys D9F57808 > 2log.txt 2>&1 >> >>That is something you can NOT do on Windows, which is redirect >>both STDOUT and STDERR to the same file. I am attaching 2log.txt, >>zipped. I am still looking at the 2292 line 2log.txt file >>and am at line 535. So far I see no reference to the file >>that is supposedly saved. I will let you know if I see it. >>In the mean time I will give you this file so that you can >>see the log at least. > > > I just finished looking at the log of the transaction, and > what I think that you would be referring to is the > pubring.gpg.tmp file. What gpg does is make a copy of the > pubring.gpg file as pubring.gpg.tmp. If there is something > added it deleted the pubring.gpg~ file, and renames the > pubring.gpg.tmp file pubring.gpg~. If it didn't get anything, > it deletes the pubring.gpg file, and renames the pubring.gpg.tmp > file back to pubring.gpg. > > I don't see how this helps you. > > Why don't you try the following with my attached pub/sub key? > (I will show a "C:\GnuPG> " in front of everything you should type: > > C:\GnuPG> md5sum hhhskey.asc > REM it should give: > REM 66f39128c7e990cdb1a0163d821359d8 hhhskey.asc > > C:\GnuPG> gpg --import hhhskey.asc > C:\GnuPG> gpg --list-keys > > REM I should be there at the end of the output. If I am not, you > REM have something seriously wrong. On the other hand if I am > REM there you should see something like: > REM > REM pub 1024D/0164F7D5 2004-03-25 Henry Hertz Hobbit \ > REM (AKA David Alexander Harvey) > REM sub 1024g/564E3DED 2004-03-25 > REM > REM Now fingerprint my key > > C:\GnuPG> gpg --fingerprint hhhobbit@comcast.net > > REM This should give you the following fingerprint: > 924E BE61 1ACF B87A DCA9 009E E74C 183D 0164 F7D5 > > This is just another way of verifying that the key is > what it is meant to be, which assures that it is okay. > It is just another way of doing what md5sum does. You > can download the md5sum program for Windows from: > > http://www.etree.org/md5com.html > > Now all you have to do is sign me: > > C:\GnuPG> gpg --edit-key 'Henry Hertz Hobbit' > Command> sign > > Give me the level you think I should have. > > One of the problems I had with all of this was, WHERE SHOULD THE > KEYS BE? That is why I encouraged you to shift to WinPT. It > takes a little jockeying to get it working, but it works MUCH > better, since they modify gpg to store the keys in the GnuPG > folder under the Applications in your Documents and Settings > folder. Here is where you get info on WinPT and download the > install file: > > http://help.helpem.com/docs/winpt/winpt_oe_plugin_install.html > http://tinyurl.com/4al9p > > The latest version is WinPT 1.0rc2 and it includes GPGOE. > > HHH > __________________________________ Do you Yahoo!? The all-new My Yahoo! - What will yours do? http://my.yahoo.com From grinny3004 at yahoo.com Sat Jan 29 15:14:40 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Sat Jan 29 15:11:20 2005 Subject: tempout.txt Message-ID: <20050129141440.8596.qmail@web31104.mail.mud.yahoo.com> I did _NOT_ remove anything from the file the contents I send is the only thing that's in the output (See the 'FAILED 9'). That's the reason I was requesting the file, I want to know what's wrong and how it is supposed to look. I wouldn't even know what to "sanitize" :-). - Grinny - David Shaw wrote: > On Sat, Jan 29, 2005 at 04:08:46AM -0800, lord grinny wrote: > >>>Why can't you do it yourself? >> >>It doesn't work for me, since the 'helper' application >>gpgkeys_http doesn't work >>for me, and I know it's very easy to write one myself >>I would really like to >>know how tempout is supposed to look, this is mine: >> >> >>VERSION 1 >>PROGRAM 1.4.1-cvs-2005-01-21 >> >>KEY 0xBB36BA75 BEGIN >>KEY 0xBB36BA75 FAILED 9 > > > This is a general thing for everyone: If you're going to post things > to get help, please don't "sanitize" them for "security" to the point > where they are useless as diagnostic tools. You've removed at least > 4-5 lines from that. > > David > __________________________________ Do you Yahoo!? Yahoo! Mail - Easier than ever with enhanced search. Learn more. http://info.mail.yahoo.com/mail_250 From dshaw at jabberwocky.com Sat Jan 29 15:21:29 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 29 15:18:11 2005 Subject: Smartcard In-Reply-To: <20050128202042.GA5054@nez-casse.depot.rail.eu.org> References: <20050128161743.GA20391__12784.3568604023$1106942141$gmane$org@mail.gasops.co.uk> <20050128202042.GA5054@nez-casse.depot.rail.eu.org> Message-ID: <20050129142129.GF3938@jabberwocky.com> On Fri, Jan 28, 2005 at 09:20:42PM +0100, Erwan David wrote: > Le Fri 28/01/2005, J. Wren Hunt disait > > Shaun Lipscombe wrote: > > | If I buy one of these: > > | > > | http://www.g10code.de/p-card.html > > | > > | Will it work with gpg.. ? > > | > > | Will gpg work with cards that actually perform the encryption? > > > > > > With GnuPG 1.4.x, there are some card-related commands that will allow > > you to manipulate all aspects of the OpenPGP card: > > > > GnuPG OpenPGP card commands: > > > > ~ --card-status print the card status > > ~ --card-edit change data on a card > > ~ --change-pin change a card's PIN > > Is there somewhere a specification of this card ? (set of APDUs > etc...) It's on the page mentioned above. http://www.g10code.de/docs/openpgp-card-1.0.pdf David From dshaw at jabberwocky.com Sat Jan 29 15:33:33 2005 From: dshaw at jabberwocky.com (David Shaw) Date: Sat Jan 29 16:22:09 2005 Subject: tempout.txt In-Reply-To: <20050129141440.8596.qmail@web31104.mail.mud.yahoo.com> References: <20050129141440.8596.qmail@web31104.mail.mud.yahoo.com> Message-ID: <20050129143333.GG3938@jabberwocky.com> On Sat, Jan 29, 2005 at 06:14:40AM -0800, lord grinny wrote: > I did _NOT_ remove anything from the file the contents > I send is the only thing > that's in the output (See the 'FAILED 9'). That's the > reason I was requesting > the file, I want to know what's wrong and how it is > supposed to look. There is a whole other file that will have lines like "COMMAND", "HOST" and the like. David From jharris at widomaker.com Sat Jan 29 21:43:18 2005 From: jharris at widomaker.com (Jason Harris) Date: Sat Jan 29 21:39:39 2005 Subject: tempout.txt In-Reply-To: <20050129143333.GG3938@jabberwocky.com> References: <20050129141440.8596.qmail@web31104.mail.mud.yahoo.com> <20050129143333.GG3938@jabberwocky.com> Message-ID: <20050129204318.GV684@wilma.widomaker.com> On Sat, Jan 29, 2005 at 09:33:33AM -0500, David Shaw wrote: > On Sat, Jan 29, 2005 at 06:14:40AM -0800, lord grinny wrote: > > I did _NOT_ remove anything from the file the contents > > I send is the only thing > > that's in the output (See the 'FAILED 9'). That's the > > reason I was requesting > > the file, I want to know what's wrong and how it is > > supposed to look. > > There is a whole other file that will have lines like "COMMAND", > "HOST" and the like. Sure, but the OP has only been asking about tempout.txt since the start of the thread. Presumably, this is because they still can't get their keyserver helper(s) to actually contact a keyserver. Anyway, to hopefully put this to rest, here is a sample tempout.txt: VERSION 1 PROGRAM 1.4.0 KEY 0xD39DA0E3 BEGIN -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 5.0 Comment: PGP Key Server 0.9.4+patch2+JHpatch2 mQGiBDme0W4RBACEqgcs93kIkUt9ImZ8EtJ4UAyLmD66tVOGjAslZHquVFClGTIv VjAYfuGIrMutDm8ePbzqMd/Bdc4910RQi3WtmiNuekkdiMXkz/4qLSo2pGLp4n9W AugFcSEBIX7xPGmwiTz1K3x+aJFpXo5UX9WP8LfBZEsOiUodmveBb8A4kwCg2Xpp SbT/6V5gg84ibyxyd3GyPFsD/1lADGkkbXkYCiIu6KKnILA9uKad9IWUgpm6K0hW g2zpe2DIBo5wII9kT46xoRcWB7h3EelkqNSqNElNtui/DBidy1yn7bB9YlYZfHBL AX5Ni9iRwAAelT2+wfqIUtFYpaALTf6vdrygR6WQ+rBV9SYYW8svd4suYSwrJG2I ePqyA/9EE4zh2StivotcGYWZMDJknc3AzP3CtkcjOklUr8kCRZPzQo9OUoin6djy nTS4d+t42uE0nx82B7Oyi+MKtM3ASQctKbeTAkYHxEuDTCdZ3n0Kcr+jZsOjibuQ 12nuG4x1zC5WJeotGXDeb+IJtSnvlGdpr8PpllO1dEo2egnx2ohhBB8RAgAhBQI/ l0t2FwyAAdYxuGRPQRkWJx55i+hpfkxGduqvAgcAAAoJEEsqSJfTnaDjsdEAn2Hk 0D80atTZLAcmwJRjU+ZSztgsAKCw68Yww9YWLWP9EYd/TTYY0VyG0ohhBB8RAgAh BQI/l0u2FwyAAdYxuGRPQRkWJx55i+hpfkxGduqvAgcAAAoJEEsqSJfTnaDjoZgA oIvFk2/KuKP7MEkT6YhA12LroWbnAJ4xF/JJDG5ab09r7cdeTy6cu4zwerYAAAAk SmFzb24gSGFycmlzIDxqaGFycmlzQHdpZG9tYWtlci5jb20+iQCVAwUQPEZ62wTU YW8CngvlAQEp9AP+Mv8Qx9DPVHOWI+jj82mgdMOYxsAKeetfJ+zHsJjgK4Y/VEKZ OWKEJIIQPSMszryVVUEL7/wOrXxiraGx4zHyNrtaEroAigb+rBLOzrypMx+leI/1 IpEeoHYA0yCjGgwm4GLAmllGQgZ0WsbcUenGNROYIviB2zg1NxreDCHuLCOIRgQR EQIABgUCQLIMYQAKCRAYtrIyAv9xskOoAJ9YxaDalHGsIX1jWDW+IsgpoqfkJACg 4LxQK2CZz7vSoQGghxNqfrWbFdyISQQwEQIACQUCQLE3lAIdAAAKCRAYtrIyAv9x sicPAKDyWY0qgoWva8klMod4ezSukkQ5pQCg6AaMa/wwpJKivh4Lj6JA7V3SL4eI RgQSEQIABgUCQLEbKQAKCRAYtrIyAv9xsjoXAKC7bqhy7NzfAvoc658HLbK8VVQl WACeNjM3TBWpcxRi+VpxDlfL4cP8fP6IRgQQEQIABgUCPLpxvAAKCRBBoiUnBy+s icCBAJwNQltxNG4BXCOJR4WI+AB47ys3XQCbBMmFJMG09nRdJo844jJuwQmhExOI RgQQEQIABgUCPLsZdQAKCRAIBXUxEzAHMUUaAJ96h+bx/bEv7zuHwWiGlrwIjMr0 lwCgsgghu2pN/PBBvkG8RCM6N2EIjPSIRgQQEQIABgUCPLjAFwAKCRDO7lIcE5o+ P1o4AJ9s2vywRX+aballiby3Ok9iX5K70QCdFoE7aDs5QJ3o36aa1ddjalyezCuI RgQTEQIABgUCPy6AegAKCRC8m5BnFJZKyHbLAJwOQulXmcRt75d9hciPmO44Cjus EACgwY1gY2fbPVq+b8bikjVZNWWeKKKIRgQREQIABgUCQGfuCwAKCRCNAm5VKjGo RA5NAJ9xPNJNKAXbtvbKBEGsJNNRpiQ0xgCgsI/ww5HFlBSUqd15VzD/OVirrzmI RgQSEQIABgUCQORx6gAKCRDnTSm4K+FtAag0AKCSqBM7yKVP6M+C0U1kOsErqnXi ugCgqEbcqnaJuO9f9C7WIaLY5xGPBwaIRgQQEQIABgUCPLmp5QAKCRC3xQdALRI2 ksP0AKCRkzmLvAZJK8MaGL3gpSqqBco9mgCfU8LEOwE/6mc1XGm4DZpmvgqdewyI RgQQEQIABgUCPW9umQAKCRDqMUWrLk6lLyaQAKCKo/AU2Kfj7ifusXzKwK/WsXng FwCfeFMk/MMBVMsP3H6+agbnjXgmt6WIRgQQEQIABgUCPL4vWQAKCRBkJ6goNYQE /l+rAJ9tfO4u8/93T3LUEAOzdUVRJmtdQwCg5TVm0fCpiZhwPk0ReEEpVEagzEyI RgQREQIABgUCQEuKCwAKCRB+cY0OPr8Qp2acAJ4lYxyNw8Lk2mx4/yrpEmOwf1Wh sgCdHZJfd+VKphVp3bw/tB8qvDhaG1GJAhwEEwEIAAYFAj+XUfwACgkQ6Gl+TEZ2 6q+z8A//T+GcK57eUKMIJHAG/+toW5pxH+I+YQBEir2Xg9e/E8DaNceA8PdBF5FL Ym80AKZJvIsVzSPBsF3jjeyk9Qi4aOh47YvulZpAe/03y/IW094u7P6ihWpzgWY3 vyE8FwWmXBcCsNzoQ0wwKJXoNh39wmzvug/70Zzmjo5SD83dkhLSShBmIKuPLC5y MfwGnq6QP2cJcO+N2e8xygZ7ZZW31s71JJT0cMkqgktRpG61/b9zAym019D3eihM TBzZYJ9pOu+0GZi2YfxGReOWSLN3SJ1TI8bhEbwKWt3q3m2fwAgEtuYrnEez3YzB 6V311PfuKfJRG36X2N3xJ24bQYy9HccT31anWSpb9JRGhCZd15Blk3C1A03IEmKw 2VBK04Ul/7P3Dt2aE3j5tffWuRfQqlIau4npEjT0XmE947DmjqbToMf0SMz5QYiF GiSwRyXisXLRhVypVIQFoQDAti+U+0FRqzPQuVrmqSfuIquof+ZBs/wDbzlXesyQ XosphMfqc3Nm+Vyuy2ccIYhTu/ITvWVWhPus754OteMEjBq6MK86i/wEQf9E8/6E HiUvu2wFUvnjhInYI+OLK3jrkp9+SDZUjbcFJ0PoLpPO/Y1ZIiJDJRf26Ys5Z2yT Xf2pG7EcH6Rlvyu7EkEBOxthmddRRd5tR3GJkGaeEo317qKTFVKIRgQREQIABgUC PdVyZAAKCRBBVcMFWZoinVl0AKCyZMTzShl7ckcJeCB0fvG6eU8yDACcDz/fPYp1 m4jEnwyhvqnxqBfZbW+IRgQSEQIABgUCPaCXsQAKCRBt9Tq5Xh8bzpoLAJwKSvZw eP+JjBajYP0ZuWrP/KG8mgCcDiaZJQv6pdHXxSfE+eUq8Z0hp3+IRgQREQIABgUC Pu75nQAKCRBeFzrxayl0sMSBAJ40oWH5FCqX04j2Vn/W+23IBmTlRACeOOc6AcKg LZMjw9C3VCGrg8GEOeyIRgQQEQIABgUCPjdRqgAKCRBO+IORbyaHJ7DvAJ4kEQ+F aJeurvoaQYhN3glTtoWGawCffVse4t9G+FoGxHOgBBZKabjeUDSJAJUDBRA8Rm+L srXlfXbbIpkBARcKBACDY5/hNWGZAgFgrtThccJpaNShmG7Yi8kGF5Hr98SvLqT+ kQ9YobvkanBwmtQ3pl1UTHErxvAHeExlqUHKaKD8cwYs7SHyyfm4M37rk2ONnlT0 KOXwsZYfRrgzImv2CbbC2habEnymjcwE8xWpi3fGtIq0Ru8ZpuEWU7wTwZpR8ohG BBIRAgAGBQI87Eo7AAoJEEzQzUSb+I7lwAIAoLvkV7hMQ5C428IacF0YVPMIaNpv AJ99bSjNK6A7gq0pWB78iCaBssdKH4kAlQMFEDz7gzczUEFFo9yDdQEB+RkEAKPn EIyQGMvEKp30EURjmbOZpzF8qMLFizBqdDH2AzOVI4ZwKUMBmUzrd0OXw5lZnGke SIIpjrp8+xpKBLTf2NQkKQN5I/UPwuQ8bioISUDkmn5pLvbOAILfUO2Pn9vWFk/Z tnTa/1LN1OQtzWY2tr1/OYGI53C8k3DUHsTZ+45YiEYEEhECAAYFAj3+1dIACgkQ YG9JFqgeXDX2wQCgiZR0GSlI44JJ1omikS72eFleux0AoKdraDkLEEaAn06rMlJM Knc5BQHMiEYEEBECAAYFAjz5R7MACgkQcC3lWbTT17D9ywCgg6Me2PNy0jPSTCIt YVVlT1kihggAoO71YgMrADdysq2Tr74rX7ZDOz9QiEYEERECAAYFAj3xdnkACgkQ EFgWhcUhCX57YgCcCPQ0Y14wsWMjrSExUT6XcCDK5RMAnidac7kYyHq1baTmJsBg vMaaM/eWiEYEEBECAAYFAjy6bRwACgkQt5YHPclUH7IUWACgr9CaB6vpFIMr1Ooy tEylZ3L1aKEAoLM5v1QkMViIxC+m2JJVGeZsi+JniFsEExECABsCF4AFAkC+LSgG CwkIBwMCAxUCAwMWAgECHgEACgkQSypIl9OdCRDf7wCdG0DWf2cu5pibxvKFkzGU JzGjxMUAoJ7csa+fLOZu9OeXpQ/OJNEs+dbTiFsEExECABsCF4AFAkC+LSgGCwkI BwMCAxUCAwMWAgECHgEACgkQSypIl9OdoOPf7wCdG0DWf2cu5pibxvKFkzGUJzGj xMUAoJ7csa+fLOZu9OeXpQ/OJNEs+dbTiGMEExECABsCF4AFAkC+LSgGCwkIBwMC AxUCAwMWAgECHgEAEgdlR1BHAAEBCRBLKkiX052g49/vAJ0bQNZ/Zy7mmJvG8oWT MZQnMaPExQCgntyxr58s5m7055elD84k0Sz51tOIVgQTEQIAFgUCOZ7RbgQLCgQD AxUDAgMWAgECF4AACgkQSypIl9OdoOP3xwCghkOyTSaNNAiyM2CFcQGi9wHjGU0A n07SbPV6CpwbqQsmvpz2CrJAnRZyiF4EExECABYFAjme0W4ECwoEAwMVAwIDFgIB AheAABIJEEsqSJfTnaDjB2VHUEcAAQH3xwCghkOyTSaNNAiyM2CFcQGi9wHjGU0A n07SbPV6CpwbqQsmvpz2CrJAnRZyiEYEERECAAYFAkAyg2cACgkQfNipntqSsjQC jQCcCggV/EQ4Iq0PO5+BCoyMGYJr4YkAn3YcpFuJ2JIHTS+YDixaDa0qVaPMiEYE EBECAAYFAjshedIACgkQr2/ivtydSbE15wCeM/Hvo1MIZMajBSfehy672pjFagcA n0KLcrSrV1Fsby/Nqsq71pdGg4juiEYEEBECAAYFAjz6lWwACgkQxshy4ONJOMdX WwCbB/VcevCElCZwQShPxxSWsUqa5QAAniLCSUxybga2ZE4Sz7TRBQaIAJXmiEYE EBECAAYFAjy4+NUACgkQx+yU3uQx8M4WeACeNuqwvqfyeDEYe2k9cAxxi+/UDfYA oLGC+kBBfE2DcqNB8/gfh1/tjP8YiHkEERECADkFAj68/GkyGmh0dHA6Ly93d3cu bHlzYXRvci5saXUuc2UvfmpjL3NpZ25pbmctcG9saWN5Lmh0bWwACgkQATxQg+jI DDTS1QCggV/tjhe8VhMm6nmOZUDqWGqjNe4AoJRVi8RzALcyp9dsMOZkoQl63s3g iEYEExECAAYFAkDkc3oACgkQUaJVGPQNXAPNeACcDgjx3Krm9wMBiBSqDt0U/cKa xI8AoK+CstTpUuMR8WplOChsQ1HJ+bI3iEYEExECAAYFAkDkeJMACgkQl4mNkvSR vSGSuACgvLDPk8g++HhKvb3qi9R540D7T7cAoMOAij347LJUTRGeC6A9OAibvidr iEYEEBECAAYFAjy5qdYACgkQZxiiRvTzl6g7OwCdEIxtT4YXvw2t7mETNzPxAFtY iSYAoK9+ZcbVLmYFL3I8FAjxLhlZhbNciEYEEBECAAYFAjy4+NYACgkQSeRbV/op 2s6JsQCfefA3UfQkBddfNrDAgbbKIXZDwh4Anj/wOr7nyzNmz3pQ/dkT6v5lgfKp uQINBDme0hAQCACUh1Jva4sg+v6rjgoS4hUmK6JZ5opTZ7C0eBwKS8/piyQC9n6R kD5l0JtpfRP5FDYhDh28AgsfFWnewWqgm/Umd058XhKTLP6wulpRtC0nC5Y/FYPb dfl9ry3+Lxv1tIlXs04W+qymZrMqeRVB3yPFw56J4Scl1EYt0UzC8ZbbD+MAPnro 6Cy5+GN1y/TY117I5ScTKmvWlMqx4YkiD0L6ISWeq3EmC9WHvtaQoHxXWEzZmmuB 7foWIZE6NYFYRnRoa7OOklQGLD9ARVNwVv4Mtg7s6YExh8WfTWXTnc0r1xJjYfTq 8EMPK2iHlCluZXhfBHWLSznnaCe6VcHAnFCfAAMFB/9QMMe+GcBUHZ4hRZS3Y8JJ HaN+kc7TG74j6RdROsOOqoqcoJNlf++vLSEKnSpKRO+ZVzc+6Y265b/m2O2XOoH7 lse9miEjeRuTpBjQYNexbaRtl7ByJF0ZEXNtOl5zuS/9kGpsalre+sWpVfpos1OU A/32V/Ta2ZIhpmoIqfzDKayVDDEQJCGXJ380lmnypOW2EUCSRBvz/TjUqxnY8FAJ FhKuxAB8xBoy9UIfhCxwBw4zTFn/jApcNmrpFBf6umg33UHZvhEvFNhTaTNKjyf4 ZFY4o3FEA4pyeUzdGflSFsDV/jXHtIz2XXcFwhK1FRRlrnVoZTN7y1n5tCK7lXVd iEYEGBECAAYFAjme0hAACgkQSypIl9OdoOM7mgCfXPL/qB+G2lRPJcyCJlNmxQVN tfwAnA/hNQr0ianlSBJ75uHgoHWeKw2niE4EGBECAAYFAjme0hAAEgkQSypIl9Od oOMHZUdQRwABATuaAJ9c8v+oH4baVE8lzIImU2bFBU21/ACcD+E1CvSJqeVIEnvm 4eCgdZ4rDac= =YNLX -----END PGP PUBLIC KEY BLOCK----- KEY 0xD39DA0E3 END -- Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it? jharris@widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/ Got photons? (TM), (C) 2004 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 309 bytes Desc: not available Url : /pipermail/attachments/20050129/5fcfdec9/attachment-0001.pgp From yraffah at gmail.com Sun Jan 30 17:23:58 2005 From: yraffah at gmail.com (Yousef Raffah) Date: Sun Jan 30 17:46:58 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem Message-ID: Hello Everyone, I just started to use GnuPG recently under Linux but I have a windows box that has Outlook 2002+GnuPG+GData+GPGShell installed on it. I can sign and encrypt messages very successfully, however, when I try to signed any binary attached file in M$ Outlook, it gets corrupted somehow! This problem does not persist with text attachments. I have tried to google a bit but couldn't get an answer, so I thought of contacting the mailing list! Thanks in advance for your answers Application Versions: Outlook: 2002 GnuPG: gpg (GnuPG) 1.2.5 GData: 0.9.1 (not sure) GPGShell: V.3.30 -- ========= Sincerely, Yousef Raffah Join FSF as an Associate Member at: Get Firefox! From yraffah at gmail.com Sun Jan 30 17:10:42 2005 From: yraffah at gmail.com (Yousef Raffah) Date: Sun Jan 30 18:07:00 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem Message-ID: Hello Everyone, I just started to use GnuPG recently under Linux but I have a windows box that has Outlook 2002+GnuPG+GData+GPGShell installed on it. I can sign and encrypt messages very successfully, however, when I try to signed any binary attached file in M$ Outlook, it gets corrupted somehow! This problem does not persist with text attachments. I have tried to google a bit but couldn't get an answer, so I thought of contacting the mailing list! Thanks in advance for your answers Application Versions: Outlook: 2002 GnuPG: gpg (GnuPG) 1.2.5 GData: 0.9.1 (not sure) GPGShell: V.3.30 -- ========= Sincerely, Yousef Raffah Join FSF as an Associate Member at: Get Firefox! From barry at bpuk.net Sun Jan 30 18:41:40 2005 From: barry at bpuk.net (Barry Porter) Date: Sun Jan 30 19:39:04 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem In-Reply-To: References: Message-ID: <41FD1C54.8050100@bpuk.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 30/01/2005 16:23, Yousef Raffah wrote: > I just started to use GnuPG recently under Linux but I have a windows > box that has Outlook 2002+GnuPG+GData+GPGShell installed on it. > > I can sign and encrypt messages very successfully, however, when I try > to signed any binary attached file in M$ Outlook, it gets corrupted > somehow! See the message below from Timo Schulz regarding an updated release of the G-Data plugin. I use this version with Outlook 2003, GnuPG v1.4.1-cvs and GPGshell all with no problem sending binaries as attachments. - -- Regards Barry On 09/11/2004 15:56, Timo Schulz wrote: > > Hi! > > g10 Code released an update of the Outlook GPG plugin (originally > written by G-DATA). > > All users who have problems with their current Outlook GPG version might > want to update their files to see if this version fixes the problems. > You can download the zip archive and the digital signature here: > > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip (99k) > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip.sig > > MD5 checksums for the files are: > > 9e81aafab5b14c55129a218be2893d94 outlgpg-0.94.zip > a95fa1cc0b484d3073f528627766a7e6 outlgpg-0.94.zip.sig > > > Noteworthy changes in version 0.94 > ================================== > > - Allow to parse messages generated by older mailers which > uses the application/pgp content type. > > - By default use PGP as the extension for attachments to > allow easier PGP decryption. > > > That's it. > > g10 Code GmbH (http://www.g10code.com) of course also provides > commercial support for the plugin and other GPG components. > > Timo > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs (Windows XP Pro SP2) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB/RxP3wKVPLs2unURAgoKAJ9POZV3I/iw3w2nSig4WZO5rr8ClgCeLMVG 1C+sbCgzI6JraXewjVYJZ/A= =6SPp -----END PGP SIGNATURE----- From markivs2003 at yahoo.com Mon Jan 31 00:35:51 2005 From: markivs2003 at yahoo.com (Mark Ivs) Date: Mon Jan 31 00:32:27 2005 Subject: gpg return value problem In-Reply-To: Message-ID: <20050130233551.94870.qmail@web50704.mail.yahoo.com> Thanks a lot for the response. Since I am using perl I tried the following... gpg --recipient "XXX" --output bla-bla-bla $errorval=$?; print $errorval; When there is an error, it prints 512. When the encryption is successful it prints 0. That's great. I was trying to find out more documentation about error codes. But couldn't find anything. I intentionally mis-spelled receipient or output or recipient name but always got 512 error code. I was assuming I will get different error codes. Is this the correct behaviour or am I missing something? Can someone please explain? Thanks a lot in advance. -Mark --- Ivan Boldyrev wrote: > On 9003 day of my life Mark Ivs wrote: > > Hello, > > I am trying to capture the return value from the > gpg > > command. Documentation says, gpg will return 0 if > > successful or return 1 if there's an error. > > > > $errorval = 0; > > $errorval = 'gpg --recipient "XXX" --output > > $rootpath\\output\\$filepgp --encrypt > > $rootpath\\encrypted\\$file'; > > gpg --recipient "XXX" --output bla-bla-bla > erroroval=$? > echo $errorval > > Returned value is stored by shell in variable '$?'. > And when you > assign to variable, don't prepend its name with > dollar sign. > > -- > Ivan Boldyrev > > Today is the first day of > the rest of your life. > > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > __________________________________ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo From yraffah at gmail.com Mon Jan 31 09:57:57 2005 From: yraffah at gmail.com (Yousef Raffah) Date: Mon Jan 31 09:54:06 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem In-Reply-To: <41FD1C54.8050100@bpuk.net> References: <41FD1C54.8050100@bpuk.net> Message-ID: Thanks Barry, I tried the update but still didn't fix the problem, however, I noticed now the attachments are signed with *.png.pgp extension instead of *.png.gpg. I guess this means the patch is working fine for me but it didn't fix the problem on binary attachments yet! What do you think? On Sun, 30 Jan 2005 17:41:40 +0000, Barry Porter wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 30/01/2005 16:23, Yousef Raffah wrote: > > > I just started to use GnuPG recently under Linux but I have a windows > > box that has Outlook 2002+GnuPG+GData+GPGShell installed on it. > > > > I can sign and encrypt messages very successfully, however, when I try > > to signed any binary attached file in M$ Outlook, it gets corrupted > > somehow! > > See the message below from Timo Schulz regarding an updated release of > the G-Data plugin. I use this version with Outlook 2003, GnuPG > v1.4.1-cvs and GPGshell all with no problem sending binaries as attachments. > > - -- > Regards > Barry > > On 09/11/2004 15:56, Timo Schulz wrote: > > > > > Hi! > > > > g10 Code released an update of the Outlook GPG plugin (originally > > written by G-DATA). > > > > All users who have problems with their current Outlook GPG version might > > want to update their files to see if this version fixes the problems. > > You can download the zip archive and the digital signature here: > > > > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip (99k) > > ftp://ftp.g10code.com/g10code/outlgpg/outlgpg-0.94.zip.sig > > > > MD5 checksums for the files are: > > > > 9e81aafab5b14c55129a218be2893d94 outlgpg-0.94.zip > > a95fa1cc0b484d3073f528627766a7e6 outlgpg-0.94.zip.sig > > > > > > Noteworthy changes in version 0.94 > > ================================== > > > > - Allow to parse messages generated by older mailers which > > uses the application/pgp content type. > > > > - By default use PGP as the extension for attachments to > > allow easier PGP decryption. > > > > > > That's it. > > > > g10 Code GmbH (http://www.g10code.com) of course also provides > > commercial support for the plugin and other GPG components. > > > > Timo > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.1-cvs (Windows XP Pro SP2) > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org > > iD8DBQFB/RxP3wKVPLs2unURAgoKAJ9POZV3I/iw3w2nSig4WZO5rr8ClgCeLMVG > 1C+sbCgzI6JraXewjVYJZ/A= > =6SPp > -----END PGP SIGNATURE----- > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- ========= Sincerely, Yousef Raffah Join FSF as an Associate Member at: Get Firefox! From grinny3004 at yahoo.com Mon Jan 31 14:36:02 2005 From: grinny3004 at yahoo.com (lord grinny) Date: Mon Jan 31 19:05:42 2005 Subject: tempout.txt Message-ID: <20050131133602.24367.qmail@web31108.mail.mud.yahoo.com> Thank you very much, I've been trying to get gpg to work for weeks now, finally gave up and decided to hack it by replacing the http helper to fetch a key through my (restrictive) proxy server. This file was exactly what I needed to get it to work. My only regret is I didn't start hacking sooner :-). If anybody still has proxy trouble and wants to try my hack, mail me and I'll send you the source. It doesn't accept all the options yet, but if someone's interrested I could add them. Now if I could only get enigmail to work I could actually sign this message.... - Grinny - Oh, I am a C programmer and I'm okay I muck with indices and structs all day And when it works, I shout hoo-ray Oh, I am a C programmer and I'm okay > Sure, but the OP has only been asking about tempout.txt since the > start of the thread. Presumably, this is because they still can't > get their keyserver helper(s) to actually contact a keyserver. > > Anyway, to hopefully put this to rest, here is a sample tempout.txt: > __________________________________ Do you Yahoo!? The all-new My Yahoo! - Get yours free! http://my.yahoo.com From barry at bpuk.net Mon Jan 31 19:48:30 2005 From: barry at bpuk.net (Barry Porter) Date: Mon Jan 31 19:45:42 2005 Subject: GnuPG+GPGShell+GData+Outlook2002 signing binaries problem In-Reply-To: References: <41FD1C54.8050100@bpuk.net> Message-ID: <41FE7D7E.1070209@bpuk.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 31/01/2005 08:57, Yousef Raffah wrote: Hi Yousef, > Thanks Barry, > > I tried the update but still didn't fix the problem, however, I > noticed now the attachments are signed with *.png.pgp extension > instead of *.png.gpg. I guess this means the patch is working fine for > me but it didn't fix the problem on binary attachments yet! > > What do you think? What format are you trying to write your emails in in Outlook? If you are using anything other than plain text that will cause problems too. - -- Regards Barry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1-cvs (Windows XP Pro SP2) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB/n183wKVPLs2unURAr8ZAKCdFctQ6vq7hXV5kIj1RuM/n+Q2rQCfafXV SsYiZA2cT2JU6CUK7qlA8PI= =Kwxa -----END PGP SIGNATURE----- From PSRarey at Pacbell.Net Sat Jan 29 10:47:47 2005 From: PSRarey at Pacbell.Net (Paul Rarey) Date: Mon Jan 31 20:14:08 2005 Subject: GnuGP 1.4a & G DATA Outlook Plugin Message-ID: I've got GnuPG 1.4a working just fine with the Enigmail 0.90.0.0 in Firefox 1.0 & Mozilla 1.7.5. When I install the G-DATA Outlook plugin .91 (just the plugin option - not the full install) the G-DATA plugin fails. Won't sign and/or encrypt (posts blank body), Nor does the Key Manager work. Anyone solved this or have a similar problem? Cheers -Paul From edson.ueda at ge.com Mon Jan 31 03:19:53 2005 From: edson.ueda at ge.com (Ueda, Edson (GE Commercial Finance, NonGE)) Date: Mon Jan 31 20:14:18 2005 Subject: Information about GNUPG Message-ID: <66F5E9657FDC044E9189775375F858AC035B554B@TYOMLVEM02.e2k.ad.ge.com> Hi. We would like to know more details about GNUPG application. a) Wich Company should us contact in Japan (Osaka or Tokyo) b) We would like to know more details about installation process In advance, thank you very much. Edson Ueda GE Real Estate Application Analyst From PSRarey at Pacbell.Net Mon Jan 31 21:26:35 2005 From: PSRarey at Pacbell.Net (Paul Rarey) Date: Wed Feb 2 17:56:16 2005 Subject: GnuGP 1.4a & G DATA Outlook Plugin Message-ID: Never mind... Found the code10 Outlook plugin (.94) that works great with 1.4.0a -----Original Message----- From: gnupg-users-bounces+psr2020=yahoo.com@gnupg.org [mailto:gnupg-users-bounces+psr2020=yahoo.com@gnupg.org] On Behalf Of Paul Rarey Sent: Saturday, January 29, 2005 1:48 AM To: GnuPG User Discussions Subject: GnuGP 1.4a & G DATA Outlook Plugin I've got GnuPG 1.4a working just fine with the Enigmail 0.90.0.0 in Firefox 1.0 & Mozilla 1.7.5. When I install the G-DATA Outlook plugin .91 (just the plugin option - not the full install) the G-DATA plugin fails. Won't sign and/or encrypt (posts blank body), Nor does the Key Manager work. Anyone solved this or have a similar problem? Cheers -Paul _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users