From sriharivijayaraghavan at yahoo.com.au Mon Oct 1 08:48:58 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Mon, 1 Oct 2007 16:48:58 +1000 (EST)
Subject: GPG, card reader & udev
Message-ID: <464862.25412.qm@web52603.mail.re2.yahoo.com>

Looking at the Installation of Card Reader page at:
http://www.gnupg.org/(en)/howtos/card-howto/en/ch02s03.html

I'm unable to download gnupg-ccid from that page (cos it points to a
broken link or something). I've downloaded the gnupg-ccid.rules files
perfectly fine though.

Could somebody give me a copy of this file? (or provide a working link
on that document)

Thanks

PS: Looks like it's needed to get the shiny new card reader & OpenPGP
card going.

From grahamtodd2 at googlemail.com Mon Oct 1 09:29:24 2007
From: grahamtodd2 at googlemail.com (Graham)
Date: Mon, 1 Oct 2007 08:29:24 +0100
Subject: GPG, card reader & udev
In-Reply-To: <464862.25412.qm@web52603.mail.re2.yahoo.com>
References: <464862.25412.qm@web52603.mail.re2.yahoo.com>
Message-ID: <20071001082924.662304b4@graham-desktop>

On Mon, 1 Oct 2007 16:48:58 +1000 (EST)
Srihari Vijayaraghavan wrote:

> I'm unable to download gnupg-ccid from that page (cos it points to a
> broken link or something). I've downloaded the gnupg-ccid.rules files
> perfectly fine though.

[snipped]

The link points to the page you are looking at (ch02s03.html) and not
to the file gnupg-ccid.

Thus the instructions on the page will not work. Could somebody change
this?

--
Graham Todd

From BrunosJunk at Bronosky.com Mon Oct 1 20:09:19 2007
From: BrunosJunk at Bronosky.com (Richard Bronosky)
Date: Mon, 1 Oct 2007 14:09:19 -0400
Subject: pinentry-mac never displays any UI
Message-ID:

I've had no luck with the binary version that I downloaded based on
Benjamin's various howtos and mailing list messages. I have
downloaded the source, and poked around it in Xcode. I wanted to make
sure that there was a GUI element to the pinentry-mac.app. There is.
I built it and tried placing both the build and debug versions in
/Applications. I've also downloaded and compiled pinentry-helper.c
and placed it inside /Applications/pinentry-mac.app/Contents/MacOS/
and set ~/.gnupg/gpg-agent.conf to try it.

Nothing works. Same result in all cases. The pinentry-mac icon
bounces, but I have no UI to speak of.

MacBookPro, Intel Core 2 Duo 2.2GHz, 2GB DDR2
uname -a
Darwin IT-F1-P-RBRONOSKY 8.10.1 Darwin Kernel Version 8.10.1: Wed May
23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 i386

Please advise.

--
.!# RichardBronosky #!.

From BrunosJunk at Bronosky.com Mon Oct 1 20:17:08 2007
From: BrunosJunk at Bronosky.com (Richard Bronosky)
Date: Mon, 1 Oct 2007 14:17:08 -0400
Subject: how can I use/test pinentry?
Message-ID:

I have an app that is barfing trying to call pinentry. I was to try
calling pinentry manually to make sure that it is doing the right
thing. Information is very sparse. Based on...

pinentry -h
Usage: pinentry [OPTION]...
Ask securely for a secret and print it to stdout.
      --display DISPLAY     Set the X display
      --ttyname PATH        Set the tty terminal node name
      --ttytype NAME        Set the tty terminal type
      --lc-ctype            Set the tty LC_CTYPE value
      --lc-messages         Set the tty LC_MESSAGES value
  -e, --enhanced            Ask for timeout and insurance, too
  -g, --no-global-grab      Grab keyboard only while window is focused
      --parent-wid          Parent window ID (for positioning)
  -d, --debug               Turn on debugging output
  -h, --help                Display this help and exit
      --version             Output version information and exit

I would expect there to be some way for me to call it from the command
line and get prompted for a password. The best I can do is get it to
prompt me with: "OK Your orders please" and the only thing I have
found that doesn't give an "ERR 103 unknown command" is "OPTION ..."
(which I found in a mailing list post.) I cannot find any other
commands.

Please advise.

--
.!# RichardBronosky #!.

From BrunosJunk at Bronosky.com Mon Oct 1 20:29:21 2007
From: BrunosJunk at Bronosky.com (Richard Bronosky)
Date: Mon, 1 Oct 2007 14:29:21 -0400
Subject: pinentry-mac never displays any UI
In-Reply-To:
References:
Message-ID:

I got a lead on how to use pinentry, and now have an error message to report:

echo GETPIN|/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
OK Your orders please
2007-10-01 14:21:54.669 pinentry-mac[6312] *** _NSAutoreleaseNoPool():
Object 0x31eaf0 of class NSCFString autoreleased with no pool in place
- just leaking

Again, the icon appears in the dock and bounces once, but no UI. I
hope that helps.

On 10/1/07, Richard Bronosky wrote:
> I've had no luck with the binary version that I downloaded based on
> Benjamin's various howtos and mailing list messages. I have
> downloaded the source, and poked around it in Xcode. I wanted to make
> sure that there was a GUI element to the pinentry-mac.app. There is.
> I built it and tried placing both the build and debug versions in
> /Applications.
> I've also downloaded and compiled pinentry-helper.c
> and placed it inside /Applications/pinentry-mac.app/Contents/MacOS/
> and set ~/.gnupg/gpg-agent.conf to try it.
>
> Nothing works. Same result in all cases. The pinentry-mac icon
> bounces, but I have no UI to speak of.
>
> MacBookPro, Intel Core 2 Duo 2.2GHz, 2GB DDR2
> uname -a
> Darwin IT-F1-P-RBRONOSKY 8.10.1 Darwin Kernel Version 8.10.1: Wed May
> 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 i386
>
> Please advise.
>
> --
> .!# RichardBronosky #!.
>

--
.!# RichardBronosky #!.

From wk at gnupg.org Tue Oct 2 22:59:49 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 02 Oct 2007 22:59:49 +0200
Subject: how can I use/test pinentry?
In-Reply-To: (Richard Bronosky's message of "Mon, 1 Oct 2007 14:17:08 -0400")
References:
Message-ID: <873awtnsfu.fsf@wheatstone.g10code.de>

On Mon, 1 Oct 2007 20:17, BrunosJunk at Bronosky.com said:

> I have an app that is barfing trying to call pinentry. I was to try
> calling pinentry manually to make sure that it is doing the right
> thing. Information is very sparse. Based on...

What about looking into the manual (pinentry.info)?

> prompt me with: "OK Your orders please" and the only thing I have
> found that doesn't give an "ERR 103 unknown command" is "OPTION ..."

  GETPIN

Displays a simple dialog

  SETPROMPT This+is+my+prompt

Changes the prompt to "This is my prompt"

  SETERROR Try again

Display "Try again"., etc.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From sriharivijayaraghavan at yahoo.com.au Wed Oct 3 03:30:33 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Wed, 3 Oct 2007 11:30:33 +1000 (EST)
Subject: GPG, card reader & udev
In-Reply-To: <20071001082924.662304b4@graham-desktop>
Message-ID: <270746.34950.qm@web52602.mail.re2.yahoo.com>

--- Graham wrote:
> Thus the instructions on the page will not work. Could somebody change
> this?
For the record, here's the link from where I could download the file from:
http://www.fsfe.org/en/content/download/17248/121800/file/gnupg-ccid

Thanks

PS: Might help another poor soul looking for this kind of info. Who knows?

From sriharivijayaraghavan at yahoo.com.au Wed Oct 3 03:41:35 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Wed, 3 Oct 2007 11:41:35 +1000 (EST)
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
Message-ID: <563825.72143.qm@web52611.mail.re2.yahoo.com>

If they're working fine for you, what do you see when you execute pcsc_scan.

This is what I see:

PC/SC device scanner
V 1.4.8 (c) 2001-2006, Ludovic Rousseau
Compiled with PC/SC lite version: 1.3.2
Scanning present readers
0: OmniKey CardMan 6121 00 00

Wed Oct 3 11:24:47 2007
 Reader 0: OmniKey CardMan 6121 00 00
  Card state: Card inserted, Unresponsive card,

I'm unsure whether 'Unresponsive card' is a normal message or highlights
some problem with my card.

Indeed the card is no go yet, yet I've tried it on 3 different OmniKey
CardMan 6121 readers with the same result.

Many variables to isolate, definitely proving electrical connectivity &
the integrity of the OpenPGP card are the most important tasks.

Thanks

From k.proskurin at fxclub.org Thu Oct 4 08:37:23 2007
From: k.proskurin at fxclub.org (Proskurin Kirill)
Date: Thu, 04 Oct 2007 10:37:23 +0400
Subject: LDAP PGP Keyserver
Message-ID: <47048A23.705@fxclub.org>

Hello all!

First of all, sorry for my English. :-)

I'm trying to solve one problem.
What we have:
FreeBSD 6.2
openldap-sasl-client-2.2.30
openldap-sasl-server-2.2.30
gnupg-2.0.4
PGP Desktop 9.6 (windows)

slapd.conf:
include /usr/local/etc/openldap/schema/pgp-keyserver.schema
include /usr/local/etc/openldap/schema/pgp-recon.schema
include /usr/local/etc/openldap/schema/pgp-remte-prefs.schema
...
allow bind_anon_cred
allow update_anon

access to filter=(objectClass=pgpKeyInfo)
        by * write

access to dn="ou=PGP Keys,dc=company,dc=org"
        by * write
---

We have an "ou=PGP Keys,dc=company,dc=org" full of PGP keys that work.

PGP Desktop easily searches our LDAP keyserver and imports keys from there.

What we need:

We need to add keys to a keyserver.
When I try to "send to" any key to our keyserver via PGP Desktop it
returns an error:
"Strong authentication required"
We use ldaps... More strong? :-\

Then I tried to add it with gnupg via the console.
% gpg --keyserver ldaps://pgp.company.org --send-keys KEYID
gpgkeys: this keyserver type only supports key retrieval

What is interesting: someone before me, who made this whole system,
easily added keys via PGP Desktop 8.x. But there is no way to ask him "how?".

I searched all of Google. :-) And after a few days I'm starting to think
that no one uses LDAP keyservers... Maybe I searched badly...

What am I doing wrong? Or what else do I need to post for more information?

Can someone help me? "man this" is also good. :-)

From wk at gnupg.org Thu Oct 4 11:10:01 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 04 Oct 2007 11:10:01 +0200
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <563825.72143.qm@web52611.mail.re2.yahoo.com> (Srihari Vijayaraghavan's message of "Wed, 3 Oct 2007 11:41:35 +1000 (EST)")
References: <563825.72143.qm@web52611.mail.re2.yahoo.com>
Message-ID: <87k5q3kzyu.fsf@wheatstone.g10code.de>

On Wed, 3 Oct 2007 03:41, sriharivijayaraghavan at yahoo.com.au said:

> If they're working fine for you, what do you see when you execute pcsc_scan.
I have one on my real keyring and it works just fine with a cut down
OpenPGP card. I am not using pcscd but the GnuPG internal driver.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dshaw at jabberwocky.com Thu Oct 4 14:36:28 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 4 Oct 2007 08:36:28 -0400
Subject: LDAP PGP Keyserver
In-Reply-To: <47048A23.705@fxclub.org>
References: <47048A23.705@fxclub.org>
Message-ID: <20071004123628.GE28566@jabberwocky.com>

On Thu, Oct 04, 2007 at 10:37:23AM +0400, Proskurin Kirill wrote:

> We have an "ou=PGP Keys,dc=company,dc=org" full of PGP keys that work.
>
> PGP Desktop easily searches our LDAP keyserver and imports keys from there.
> What we need:
>
> We need to add keys to a keyserver.
> When I try to "send to" any key to our keyserver via PGP Desktop it
> returns an error:
> "Strong authentication required"
> We use ldaps... More strong? :-\
>
> Then I tried to add it with gnupg via the console.
> % gpg --keyserver ldaps://pgp.company.org --send-keys KEYID
> gpgkeys: this keyserver type only supports key retrieval

Ah, this is a problem. What you are seeing when you request a LDAP
access is a message from the "generic" keyserver handler (using curl).
Are you built with LDAP support? Recompile GPG with LDAP support, and
you should be in better shape. You can tell if you have LDAP support
if there is a "gpgkeys_ldap" program.

Note, though, that if PGP can't send keys to the keyserver without
authentication, that GPG probably won't be able to either - they use
essentially the same LDAP calls. One problem at a time, however.
Let's get you talking LDAP at all before we debug the other problem.

David

From k.proskurin at fxclub.org Thu Oct 4 14:52:57 2007
From: k.proskurin at fxclub.org (Proskurin Kirill)
Date: Thu, 04 Oct 2007 16:52:57 +0400
Subject: LDAP PGP Keyserver
Message-ID: <4704E229.9030402@fxclub.org>

David Shaw wrote:
> Ah, this is a problem.
> What you are seeing when you request a LDAP
> access is a message from the "generic" keyserver handler (using curl).
> Are you built with LDAP support? Recompile GPG with LDAP support, and
> you should be in better shape. You can tell if you have LDAP support
> if there is a "gpgkeys_ldap" program.
>
> Note, though, that if PGP can't send keys to the keyserver without
> authentication, that GPG probably won't be able to either - they use
> essentially the same LDAP calls. One problem at a time, however.
> Let's get you talking LDAP at all before we debug the other problem.
>
> David
>
Thanks for the response.

I compiled gnupg with LDAP support, BUT I don't have a "gpgkeys_ldap"
program.

From dshaw at jabberwocky.com Thu Oct 4 15:22:19 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 4 Oct 2007 09:22:19 -0400
Subject: LDAP PGP Keyserver
In-Reply-To: <4704E229.9030402@fxclub.org>
References: <4704E229.9030402@fxclub.org>
Message-ID: <20071004132219.GF28566@jabberwocky.com>

On Thu, Oct 04, 2007 at 04:52:57PM +0400, Proskurin Kirill wrote:
> David Shaw wrote:
> > Ah, this is a problem. What you are seeing when you request a LDAP
> > access is a message from the "generic" keyserver handler (using curl).
> > Are you built with LDAP support? Recompile GPG with LDAP support, and
> > you should be in better shape. You can tell if you have LDAP support
> > if there is a "gpgkeys_ldap" program.
> >
> > Note, though, that if PGP can't send keys to the keyserver without
> > authentication, that GPG probably won't be able to either - they use
> > essentially the same LDAP calls. One problem at a time, however.
> > Let's get you talking LDAP at all before we debug the other problem.
> >
> > David
> >
> Thanks for the response.
>
> I compiled gnupg with LDAP support, BUT I don't have a "gpgkeys_ldap"
> program.

When you run ./configure to build GPG, what does it say about LDAP?
It would be something like this:

 checking whether LDAP via "-lldap" is present and sane... yes

If it doesn't say 'yes', then you're not building with LDAP support.
Depending on your OS, you often need to install a "devel" package for
this (so, openldap-devel or similar).

David

From k.proskurin at fxclub.org Thu Oct 4 15:42:30 2007
From: k.proskurin at fxclub.org (Proskurin Kirill)
Date: Thu, 04 Oct 2007 17:42:30 +0400
Subject: LDAP PGP Keyserver
In-Reply-To: <20071004132219.GF28566@jabberwocky.com>
References: <4704E229.9030402@fxclub.org> <20071004132219.GF28566@jabberwocky.com>
Message-ID: <4704EDC6.3050306@fxclub.org>

David Shaw wrote:
>
>
> When you run ./configure to build GPG, what does it say about LDAP?
> It would be something like this:
>
> checking whether LDAP via "-lldap" is present and sane... yes
>
> If it doesn't say 'yes', then you're not building with LDAP support.
> Depending on your OS, you often need to install a "devel" package for
> this (so, openldap-devel or similar).
>
> David
>
I use FreeBSD 6.2 now.
Then I ran
% portupgrade -N gnupg

I put a cross on "ldap support"...

It must really be compiled with LDAP support.

---
Kirill

From dshaw at jabberwocky.com Fri Oct 5 00:02:06 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 4 Oct 2007 18:02:06 -0400
Subject: LDAP PGP Keyserver
In-Reply-To: <4704EDC6.3050306@fxclub.org>
References: <4704E229.9030402@fxclub.org> <20071004132219.GF28566@jabberwocky.com> <4704EDC6.3050306@fxclub.org>
Message-ID: <20071004220206.GA20969@jabberwocky.com>

On Thu, Oct 04, 2007 at 05:42:30PM +0400, Proskurin Kirill wrote:
> David Shaw wrote:
> >
> >
> > When you run ./configure to build GPG, what does it say about LDAP?
> > It would be something like this:
> >
> > checking whether LDAP via "-lldap" is present and sane... yes
> >
> > If it doesn't say 'yes', then you're not building with LDAP support.
> > Depending on your OS, you often need to install a "devel" package for
> > this (so, openldap-devel or similar).
> >
> > David
> >
> I use FreeBSD 6.2 now.
> Then I ran
> % portupgrade -N gnupg
>
> I put a cross on "ldap support"...
>
> It must really be compiled with LDAP support.

I don't know how to answer that. It seems not to be the case.

David

From benjamin at py-soft.co.uk Fri Oct 5 01:00:11 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 05 Oct 2007 00:00:11 +0100
Subject: pinentry-mac never displays any UI
In-Reply-To:
References:
Message-ID: <4705707B.3050407@py-soft.co.uk>

Richard Bronosky wrote:
> I got a lead on how to use pinentry, and now have an error message to report:
> echo GETPIN|/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
> OK Your orders please
> 2007-10-01 14:21:54.669 pinentry-mac[6312] *** _NSAutoreleaseNoPool():
> Object 0x31eaf0 of class NSCFString autoreleased with no pool in place
> - just leaking

The NSAutoreleaseNoPool() message is a known harmless bug and I have a
patch to fix it.

> Again, the icon appears in the dock and bounces once, but no UI. I
> hope that helps.

What application are you using it with? Version of MacOS? Chipset?

When I get time I will be releasing a updated version of the mac
pinentry program. I suggest that you wait for that.

Take care,

Ben

From BrunosJunk at Bronosky.com Fri Oct 5 01:48:48 2007
From: BrunosJunk at Bronosky.com (Richard Bronosky)
Date: Thu, 4 Oct 2007 19:48:48 -0400
Subject: pinentry-mac never displays any UI
In-Reply-To: <4705707B.3050407@py-soft.co.uk>
References: <4705707B.3050407@py-soft.co.uk>
Message-ID:

On 10/4/07, Benjamin Donnachie wrote:
> Richard Bronosky wrote:
> > I got a lead on how to use pinentry, and now have an error message to report:
> > echo GETPIN|/Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac
> > OK Your orders please
> > 2007-10-01 14:21:54.669 pinentry-mac[6312] *** _NSAutoreleaseNoPool():
> > Object 0x31eaf0 of class NSCFString autoreleased with no pool in place
> > - just leaking
>
> The NSAutoreleaseNoPool() message is a known harmless bug and I have a
> patch to fix it.
>
> > Again, the icon appears in the dock and bounces once, but no UI. I
> > hope that helps.
>
> What application are you using it with? Version of MacOS? Chipset?

Application? First I tried doing the complete approach that your howto
describes. Then I tried adding it as the pinentry-program in
~/.gnupg/gpg-agent.conf, and tested it via command line. Still no
luck, so I tried sending the GETPIN command to it manually with the
results that you responded to.

Version of MacOS? Mac OS 10.4.10

What do you mean by Chipset? (did you miss my first email?)
From my first email:
MacBookPro, Intel Core 2 Duo 2.2GHz, 2GB DDR2
uname -a
Darwin IT-F1-P-RBRONOSKY 8.10.1 Darwin Kernel Version 8.10.1: Wed May
23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 i386

>
> When I get time I will be releasing a updated version of the mac
> pinentry program. I suggest that you wait for that.
>
> Take care,
>
> Ben
>

--
.!# RichardBronosky #!.

From dougb at dougbarton.us Fri Oct 5 06:36:22 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 4 Oct 2007 21:36:22 -0700 (PDT)
Subject: LDAP PGP Keyserver
In-Reply-To: <4704EDC6.3050306@fxclub.org>
References: <4704E229.9030402@fxclub.org> <20071004132219.GF28566@jabberwocky.com> <4704EDC6.3050306@fxclub.org>
Message-ID:

On Thu, 4 Oct 2007, Proskurin Kirill wrote:

> I use FreeBSD 6.2 now.
> Then I ran
> % portupgrade -N gnupg
>
> I put a cross on "ldap support"...

Kirill,

Check for /usr/local/libexec/gpg2keys_ldap

If you have that you should be ok.

hth,

Doug

--
 If you're never wrong, you're not trying hard enough

From sundman at iki.fi Sat Oct 6 05:56:01 2007
From: sundman at iki.fi (Marcus Sundman)
Date: Sat, 6 Oct 2007 06:56:01 +0300
Subject: which revoke?
Message-ID: <20071006065601.665c8a08@abo.fi>

Hi,

How can I find out which key a revoke file revokes?

I'm very new to gpg. I played around with it and thought that my keys
were only on my own computer so when I was finished I deleted all but
one.
Turned out they were on a public server, and since I deleted the
secret keys I guess there's no way to remove them. However, I found a
file named "revoke.txt" in ~/.gnupg/ and I'd like to use it to revoke
at least one of the test-keys unless the revoke is for the only key I
still have the secret key for, but how can I know?

- Marcus

From breen.mullins at gmail.com Sat Oct 6 16:03:09 2007
From: breen.mullins at gmail.com (Breen Mullins)
Date: Sat, 6 Oct 2007 07:03:09 -0700
Subject: which revoke?
In-Reply-To: <20071006065601.665c8a08@abo.fi>
References: <20071006065601.665c8a08@abo.fi>
Message-ID: <20071006140309.GB28604@mehitabel.local>

* Marcus Sundman [2007-10-06 06:56 +0300]:
>
>However, I found a file named "revoke.txt" in ~/.gnupg/ and I'd like to
>use it to revoke at least one of the test-keys unless the revoke is for
>the only key I still have the secret key for, but how can I know?

gpg --list-packets

will show the keyid that the revoke certificate belongs to.

--
Breen Mullins
Menlo Park, California

From dshaw at jabberwocky.com Sun Oct 7 17:15:17 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 7 Oct 2007 11:15:17 -0400
Subject: which revoke?
In-Reply-To: <20071006065601.665c8a08@abo.fi>
References: <20071006065601.665c8a08@abo.fi>
Message-ID: <20071007151517.GA23400@jabberwocky.com>

On Sat, Oct 06, 2007 at 06:56:01AM +0300, Marcus Sundman wrote:
> Hi,
>
> How can I find out which key a revoke file revokes?
>
> I'm very new to gpg. I played around with it and thought that my keys
> were only on my own computer so when I was finished I deleted all but
> one. Turned out they were on a public server, and since I deleted the
> secret keys I guess there's no way to remove them. However, I found a
> file named "revoke.txt" in ~/.gnupg/ and I'd like to use it to revoke
> at least one of the test-keys unless the revoke is for the only key I
> still have the secret key for, but how can I know?

Just run 'gpg revoke.txt'.
It will print out what key the revoker is for.
It doesn't actually revoke the key until you do 'gpg --import
revoke.txt'

David

From sriharivijayaraghavan at yahoo.com.au Mon Oct 8 01:37:18 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Mon, 8 Oct 2007 09:37:18 +1000 (EST)
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <87k5q3kzyu.fsf@wheatstone.g10code.de>
Message-ID: <650684.55631.qm@web52604.mail.re2.yahoo.com>

Werner Koch wrote:
> On Wed, 3 Oct 2007 03:41, sriharivijayaraghavan at yahoo.com.au said:
>
> > If they're working fine for you, what do you see when you execute
> pcsc_scan.
>
> I have one on my real keyring and it works just fine with a cut down
> OpenPGP card. I am not using pcscd but the GnuPG internal driver.

Fair enough.

I really don't know how to get this thing working on my up-to-date Fedora 7
system. (I've stopped pcscd service.)

Now this's my .gnupg/gpg-agent:
daemon
enable-ssh-support
write-env-file
log-file gpg-agent.log
debug-all
debug-level guru

This is what happens when I execute "gpg --card-status":
winscard_clnt.c:3349:SCardCheckDaemonAvailability() PCSC Not Running
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: card reader not available
gpg: OpenPGP card not available: general error

Here's the contents of gpg-agent.log:
2007-10-08 09:29:42 gpg-agent[3136] listening on socket `/tmp/gpg-fzpkL9/S.gpg-agent'
2007-10-08 09:29:42 gpg-agent[3136] listening on socket `/tmp/gpg-ScyGGM/S.gpg-agent.ssh'
2007-10-08 09:31:15 gpg-agent[3137] handler 0x927bcd8 for fd 8 started
gpg-agent[3137.8] DBG: -> OK Pleased to meet you
gpg-agent[3137.8] DBG: <- OPTION display=:0.0
gpg-agent[3137.8] DBG: -> OK
gpg-agent[3137.8] DBG: <- OPTION ttyname=/dev/pts/1
gpg-agent[3137.8] DBG: -> OK
gpg-agent[3137.8] DBG: <- OPTION ttytype=xterm
gpg-agent[3137.8] DBG: -> OK
gpg-agent[3137.8] DBG: <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[3137.8] DBG: -> OK
gpg-agent[3137.8] DBG: <- OPTION lc-messages=en_US.UTF-8
gpg-agent[3137.8] DBG: -> OK
gpg-agent[3137.8] DBG: <- SCD SERIALNO openpgp
2007-10-08 09:31:15 gpg-agent[3137] no running SCdaemon - starting it
2007-10-08 09:31:15 gpg-agent[3137] DBG: first connection to SCdaemon established
2007-10-08 09:31:15 gpg-agent[3137] DBG: additional connections at `/tmp/gpg-rFVac9/S.scdaemon'
gpg-agent[3137.8] DBG: -> ERR 100663356 Not supported
gpg-agent[3137.8] DBG: <- BYE
gpg-agent[3137.8] DBG: -> OK closing connection
2007-10-08 09:31:15 gpg-agent[3137] handler 0x927bcd8 for fd 8 terminated

I'm unable to decipher what the problem is, are you? Would appreciate some
help here.

(To my untrained/inexperienced eyes, the "ERR 100663356 Not supported "
looks like the problem here. Don't know how to solve it though.)

Thank you.

From k.proskurin at fxclub.org Mon Oct 8 07:41:58 2007
From: k.proskurin at fxclub.org (Proskurin Kirill)
Date: Mon, 08 Oct 2007 09:41:58 +0400
Subject: LDAP PGP Keyserver
In-Reply-To:
References: <4704E229.9030402@fxclub.org> <20071004132219.GF28566@jabberwocky.com> <4704EDC6.3050306@fxclub.org>
Message-ID: <4709C326.6070008@fxclub.org>

Doug Barton wrote:
> Kirill,
>
> Check for /usr/local/libexec/gpg2keys_ldap
>
> If you have that you should be ok.
>
Got it.
ls -l /usr/local/libexec/gpg2keys_ldap
-r-xr-xr-x 1 root wheel 29172 2 oct 18:35 /usr/local/libexec/gpg2keys_ldap

But I can't add keys...

---
Kirill

From wk at gnupg.org Mon Oct 8 08:54:26 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Oct 2007 08:54:26 +0200
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <650684.55631.qm@web52604.mail.re2.yahoo.com> (Srihari Vijayaraghavan's message of "Mon, 8 Oct 2007 09:37:18 +1000 (EST)")
References: <650684.55631.qm@web52604.mail.re2.yahoo.com>
Message-ID: <87fy0mayfx.fsf@wheatstone.g10code.de>

On Mon, 8 Oct 2007 01:37, sriharivijayaraghavan at yahoo.com.au said:

> This is what happens when I execute "gpg --card-status":
> winscard_clnt.c:3349:SCardCheckDaemonAvailability() PCSC Not Running
> gpg: pcsc_establish_context failed: no service (0x8010001d)
> gpg: card reader not available

Either gpg is not built with libusb support. Check the config.h file for
a line

  #define HAVE_LIBUSB

If you have this, you need to make sure that libusb is working. Use
--debug-ccid-driver to see what is going on. gpg always tries to use
the internal CCID driver before falling back to pcsc.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From shavital at mac.com Mon Oct 8 17:42:44 2007
From: shavital at mac.com (Charly Avital)
Date: Mon, 08 Oct 2007 10:42:44 -0500
Subject: Windows newbie
In-Reply-To: <20071007151517.GA23400@jabberwocky.com>
References: <20071006065601.665c8a08@abo.fi> <20071007151517.GA23400@jabberwocky.com>
Message-ID: <0JPL00AW7LIVUW40@mta1.srv.hcvlny.cv.net>

I've started running WindowsXP Pro on a Macbook using Parallels.
Installed the latest GnuPG for Windows, and generated a key pair. How
do I import my keyrings, created under Mac GnuPG? This is only an
exercise, I'm just curious about GnuPG in Windows, have no intention
to "migrate" from Mac to Windows. Thanks for your patience.
Charly

From trichotecene at yahoo.es Mon Oct 8 19:13:28 2007
From: trichotecene at yahoo.es (Dimitri)
Date: Mon, 8 Oct 2007 19:13:28 +0200 (CEST)
Subject: Windows newbie
In-Reply-To: <0JPL00AW7LIVUW40@mta1.srv.hcvlny.cv.net>
Message-ID: <483901.96285.qm@web27201.mail.ukl.yahoo.com>

Export your key pair to a CD and... in windows import
this key pair.

good look

--- Charly Avital wrote:

> I've started running WindowsXP Pro on a Macbook
> using Parallels.
> Installed the latest GnuPG for Windows, and
> generated a key pair. How
> do I import my keyrings, created under Mac GnuPG?
> This is only an
> exercise, I'm just curious about GnuPG in Windows,
> have no intention
> to "migrate" from Mac to Windows. Thanks for your
> patience.
> Charly
>

Dimitri.-
http://es.geocities.com/trichotecene

From shavital at mac.com Tue Oct 9 01:08:47 2007
From: shavital at mac.com (Charly Avital)
Date: Mon, 08 Oct 2007 18:08:47 -0500
Subject: Windows newbie
In-Reply-To: <483901.96285.qm@web27201.mail.ukl.yahoo.com>
References: <483901.96285.qm@web27201.mail.ukl.yahoo.com>
Message-ID: <470AB87F.70001@mac.com>

Dimitri wrote:
> Export your key pair to a CD and... in windows import
> this key pair.
>
> good look
>
[...]

Well, not exactly a CD, but it sparked an idea:
I used a removable USB flash memory stick where I keep a back up of gpg
settings and keyrings.

I have now imported the two keyrings from MacGPG, set owner trust for
secret keys, all seems to be OK.

Good luck to you too.

Charly

From sriharivijayaraghavan at yahoo.com.au Tue Oct 9 01:07:03 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Tue, 9 Oct 2007 09:07:03 +1000 (EST)
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <87fy0mayfx.fsf@wheatstone.g10code.de>
Message-ID: <848491.82097.qm@web52602.mail.re2.yahoo.com>

Werner Koch wrote:
> On Mon, 8 Oct 2007 01:37, sriharivijayaraghavan at yahoo.com.au said:
>
> > This is what happens when I execute "gpg --card-status":
> > winscard_clnt.c:3349:SCardCheckDaemonAvailability() PCSC Not Running
> > gpg: pcsc_establish_context failed: no service (0x8010001d)
> > gpg: card reader not available
>
> Either gpg is not built with libusb support. Check the config.h file for
> a line
>
> #define HAVE_LIBUSB
>
> If you have this, you need to make sure that libusb is working. Use
> --debug-ccid-driver to see what is going on. gpg always tries to use
> the internal CCID driver before falling back to pcsc.

Thanks for your assistance.

I've just then downloaded gpg 1.4.7 source from gnupg.org & have built it &
have installed it.

$ egrep 'HAVE_LIBUSB' config.h
#define HAVE_LIBUSB 1

$ which gpg
/usr/local/bin/gpg

$ gpg --version
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.
...
$ gpg --card-status gpg: detected reader `OmniKey CardMan 6121 00 00' gpg: pcsc_connect failed: proto mismatch (0x8010000f) gpg: card reader not available gpg: OpenPGP card not available: general error $ gpg --card-status --debug-ccid-driver gpg: DBG: ccid-driver: using CCID reader 0 (ID=076B:6622:X:0) gpg: DBG: ccid-driver: idVendor: 076B idProduct: 6622 bcdDevice: 0203 gpg: DBG: ccid-driver: ChipCard Interface Descriptor: gpg: DBG: ccid-driver: bLength 54 gpg: DBG: ccid-driver: bDescriptorType 33 gpg: DBG: ccid-driver: bcdCCID 1.00 gpg: DBG: ccid-driver: nMaxSlotIndex 0 gpg: DBG: ccid-driver: bVoltageSupport 7 ? gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1 gpg: DBG: ccid-driver: dwDefaultClock 4800 gpg: DBG: ccid-driver: dwMaxiumumClock 8000 gpg: DBG: ccid-driver: bNumClockSupported 4 gpg: DBG: ccid-driver: dwDataRate 10752 bps gpg: DBG: ccid-driver: dwMaxDataRate 412903 bps gpg: DBG: ccid-driver: bNumDataRatesSupp. 106 gpg: DBG: ccid-driver: dwMaxIFSD 254 gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C gpg: DBG: ccid-driver: dwMechanical 00000000 gpg: DBG: ccid-driver: dwFeatures 000207B2 gpg: DBG: ccid-driver: Auto configuration based on ATR gpg: DBG: ccid-driver: Auto clock change gpg: DBG: ccid-driver: Auto baud rate change gpg: DBG: ccid-driver: Auto PPS made by CCID gpg: DBG: ccid-driver: CCID can set ICC in clock stop mode gpg: DBG: ccid-driver: NAD value other than 0x00 accepted gpg: DBG: ccid-driver: Auto IFSD exchange gpg: DBG: ccid-driver: Short APDU level exchange gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271 gpg: DBG: ccid-driver: bClassGetResponse echo gpg: DBG: ccid-driver: bClassEnvelope echo gpg: DBG: ccid-driver: wlcdLayout none gpg: DBG: ccid-driver: bPINSupport 0 gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1 gpg: DBG: ccid-driver: usb_claim_interface failed: -1 gpg: detected reader `OmniKey CardMan 6121 00 00' gpg: pcsc_connect failed: proto mismatch (0x8010000f) gpg: card reader not available gpg: OpenPGP card not available: 
general error

I have it provided some clues. Thanks for your help.

Thanks

From John at Mozilla-Enigmail.org Tue Oct 9 01:19:54 2007
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Mon, 08 Oct 2007 18:19:54 -0500
Subject: Windows newbie
In-Reply-To: <470AB87F.70001@mac.com>
References: <483901.96285.qm@web27201.mail.ukl.yahoo.com> <470AB87F.70001@mac.com>
Message-ID: <470ABB1A.50608@Mozilla-Enigmail.org>

Charly Avital wrote:
> Dimitri wrote:
>> Export your key pair to a CD and... in windows import
>> this key pair.
>
> I have now imported the two keyrings from MacGPG, set owner trust for
> secret keys, all seems to be OK.

Charly,

As it's only an exercise, I believe if you just *copy* the three *.gpg files; pubring.gpg, secring.gpg, & trustdb.gpg; from one home directory to the one in Windows you'll be "Good to Go."

--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071008/d0728d4b/attachment.pgp

From wk at gnupg.org Tue Oct 9 10:57:06 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 09 Oct 2007 10:57:06 +0200
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <848491.82097.qm@web52602.mail.re2.yahoo.com> (Srihari Vijayaraghavan's message of "Tue, 9 Oct 2007 09:07:03 +1000 (EST)")
References: <848491.82097.qm@web52602.mail.re2.yahoo.com>
Message-ID: <87tzp03btp.fsf@wheatstone.g10code.de>

On Tue, 9 Oct 2007 01:07, sriharivijayaraghavan at yahoo.com.au said:

> gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
> gpg: DBG: ccid-driver: usb_claim_interface failed: -1

Either you have insufficient permissions for the device or another process (e.g. pcscd) is using it.

> gpg: detected reader `OmniKey CardMan 6121 00 00'

Well, pcscd is up and has already claimed the device. Stop it.

> gpg: pcsc_connect failed: proto mismatch (0x8010000f)

I am not using pcscd so I have no experience why it does not work.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From sriharivijayaraghavan at yahoo.com.au Tue Oct 9 13:12:28 2007
From: sriharivijayaraghavan at yahoo.com.au (Srihari Vijayaraghavan)
Date: Tue, 9 Oct 2007 21:12:28 +1000 (EST)
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <87tzp03btp.fsf@wheatstone.g10code.de>
Message-ID: <328207.78994.qm@web52602.mail.re2.yahoo.com>

Werner Koch wrote:
> On Tue, 9 Oct 2007 01:07, sriharivijayaraghavan at yahoo.com.au said:
>
> > gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
> > gpg: DBG: ccid-driver: usb_claim_interface failed: -1
>
> Either you have insufficient permissions for the device or another
> process (e.g. pcscd) is using it.

Both conditions I've eliminated. Pls read below.

> > gpg: detected reader `OmniKey CardMan 6121 00 00'
>
> Well, pcscd is up and has already claimed the device. Stop it.

Now I've done that. It was starting between reboots. Sorry about that. Now I've disabled the pcscd service for good now.
Here's the current status:

[root at laptop ~]# /usr/local/bin/gpg --card-status --debug-ccid-driver
gpg: DBG: ccid-driver: using CCID reader 0 (ID=076B:6622:X:0)
gpg: DBG: ccid-driver: idVendor: 076B idProduct: 6622 bcdDevice: 0203
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 7 ?
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4800
gpg: DBG: ccid-driver: dwMaxiumumClock 8000
gpg: DBG: ccid-driver: bNumClockSupported 4
gpg: DBG: ccid-driver: dwDataRate 10752 bps
gpg: DBG: ccid-driver: dwMaxDataRate 412903 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp. 106
gpg: DBG: ccid-driver: dwMaxIFSD 254
gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000207B2
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: CCID can set ICC in clock stop mode
gpg: DBG: ccid-driver: NAD value other than 0x00 accepted
gpg: DBG: ccid-driver: Auto IFSD exchange
gpg: DBG: ccid-driver: Short APDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable
gpg: DBG: ccid-driver: USB: CALLING USB_CLEAR_HALT
gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable
gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN
gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable
gpg: DBG: ccid-driver: USB: RETRYING
bulk_in AGAIN
gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00
data:
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00
data:
gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to the ICC
gpg: apdu_send_simple(0) failed: card inactive
gpg: DBG: ccid-driver: status: 01 error: 00 octet[9]: 01
data:
gpg: DBG: ccid-driver: idVendor: 076B idProduct: 6622 bcdDevice: 0203
gpg: DBG: ccid-driver: ChipCard Interface Descriptor:
gpg: DBG: ccid-driver: bLength 54
gpg: DBG: ccid-driver: bDescriptorType 33
gpg: DBG: ccid-driver: bcdCCID 1.00
gpg: DBG: ccid-driver: nMaxSlotIndex 0
gpg: DBG: ccid-driver: bVoltageSupport 7 ?
gpg: DBG: ccid-driver: dwProtocols 3 T=0 T=1
gpg: DBG: ccid-driver: dwDefaultClock 4800
gpg: DBG: ccid-driver: dwMaxiumumClock 8000
gpg: DBG: ccid-driver: bNumClockSupported 4
gpg: DBG: ccid-driver: dwDataRate 10752 bps
gpg: DBG: ccid-driver: dwMaxDataRate 412903 bps
gpg: DBG: ccid-driver: bNumDataRatesSupp.
106
gpg: DBG: ccid-driver: dwMaxIFSD 254
gpg: DBG: ccid-driver: dwSyncProtocols 00000007 2-wire 3-wire I2C
gpg: DBG: ccid-driver: dwMechanical 00000000
gpg: DBG: ccid-driver: dwFeatures 000207B2
gpg: DBG: ccid-driver: Auto configuration based on ATR
gpg: DBG: ccid-driver: Auto clock change
gpg: DBG: ccid-driver: Auto baud rate change
gpg: DBG: ccid-driver: Auto PPS made by CCID
gpg: DBG: ccid-driver: CCID can set ICC in clock stop mode
gpg: DBG: ccid-driver: NAD value other than 0x00 accepted
gpg: DBG: ccid-driver: Auto IFSD exchange
gpg: DBG: ccid-driver: Short APDU level exchange
gpg: DBG: ccid-driver: dwMaxCCIDMsgLen 271
gpg: DBG: ccid-driver: bClassGetResponse echo
gpg: DBG: ccid-driver: bClassEnvelope echo
gpg: DBG: ccid-driver: wlcdLayout none
gpg: DBG: ccid-driver: bPINSupport 0
gpg: DBG: ccid-driver: bMaxCCIDBusySlots 1
Please insert the card and hit return or enter 'c' to cancel:

I've ensured the card is inserted & pressed enter many times to no avail :-(.

(I've a few extra OpenPGP cards, so if push comes to shove, I'll slice them to SIM size to check it out on this reader(s). Alas I've no other model of a card reader to rule out the readers themselves.)

Thanks for your assistance.

From wk at gnupg.org Tue Oct 9 15:46:18 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 09 Oct 2007 15:46:18 +0200
Subject: OmniKey CardMan 6121 & OpenPGP card anyone?
In-Reply-To: <328207.78994.qm@web52602.mail.re2.yahoo.com> (Srihari Vijayaraghavan's message of "Tue, 9 Oct 2007 21:12:28 +1000 (EST)")
References: <328207.78994.qm@web52602.mail.re2.yahoo.com>
Message-ID: <87ejg41jv9.fsf@wheatstone.g10code.de>

On Tue, 9 Oct 2007 13:12, sriharivijayaraghavan at yahoo.com.au said:

> gpg: DBG: ccid-driver: usb_bulk_read error: Resource temporarily unavailable
> gpg: DBG: ccid-driver: USB: RETRYING bulk_in AGAIN
> gpg: DBG: ccid-driver: status: 41 error: FE octet[9]: 00
> data:
> gpg: DBG: ccid-driver: CCID command failed: CCID timed out while talking to
> the ICC

That is some low-level problem. Most likely with the card. Make sure that you sliced the card correctly and that it is inserted correctly. It may be broken. Try with a SIM card from a cell phone.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From rjh at sixdemonbag.org Wed Oct 10 02:07:43 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 09 Oct 2007 19:07:43 -0500
Subject: PGP messages getting flagged as spam
Message-ID: <470C17CF.4000605@sixdemonbag.org>

I just received word from one of my regular correspondents that his email server has begun flagging PGP traffic as spam. I haven't seen this come up often (ever?) in the lists before, so I'm operating on the assumption that this may be a new problem people should be aware of.

SpamAssassin is giving results like this:

> X-Spam-Status: Yes, score=5.6 required=5.0
> tests=BAYES_60,UNIQUE_WORDS,
> UPPERCASE_25_50 autolearn=disabled version=3.0.4
> X-Spam-Report:
> * 2.3 UNIQUE_WORDS BODY: Message body has many words used only
> once
> * 3.3 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> * [score: 0.7031]
> * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase

So, if you're running SpamAssassin, might want to see about tweaking some rules.
:)

From sadam at clemson.edu Wed Oct 10 02:18:01 2007
From: sadam at clemson.edu (Adam Schreiber)
Date: Tue, 9 Oct 2007 20:18:01 -0400
Subject: PGP messages getting flagged as spam
In-Reply-To: <470C17CF.4000605@sixdemonbag.org>
References: <470C17CF.4000605@sixdemonbag.org>
Message-ID: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com>

When my university was using SpamAssassin, GPG emails were being marked as spam because patterns were being matched by the armored text and no negative bonus was being given to GPG signed or encrypted messages. They were not willing to tweak their rules.

Adam Schreiber

On 10/9/07, Robert J. Hansen wrote:
> I just received word from one of my regular correspondents that his
> email server has begun flagging PGP traffic as spam. I haven't seen
> this come up often (ever?) in the lists before, so I'm operating on the
> assumption that this may be a new problem people should be aware of.
>
> SpamAssassin is giving results like this:
>
> > X-Spam-Status: Yes, score=5.6 required=5.0
> > tests=BAYES_60,UNIQUE_WORDS,
> > UPPERCASE_25_50 autolearn=disabled version=3.0.4
> > X-Spam-Report:
> > * 2.3 UNIQUE_WORDS BODY: Message body has many words used only
> > once
> > * 3.3 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> > * [score: 0.7031]
> > * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase
>
> So, if you're running SpamAssassin, might want to see about tweaking
> some rules.
> :)

From stormrider01 at gmail.com Wed Oct 10 07:20:39 2007
From: stormrider01 at gmail.com (Iron Sam Vane)
Date: Tue, 9 Oct 2007 23:20:39 -0600
Subject: GnuPG UNC path on windows problem
Message-ID: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com>

I'm attempting to encrypt a file on a remote server, both machines are win2k3 server, using this command:

gpg --homedir c:\gnupg --batch --trust-model always --output \\server\backups\archive1.7z.gpg -e -r user \\server\backups\archive1.7z

And I'm getting this error:

gpg: can't open `\\\\server\\backups\\archive1.7z': No such file or directory
gpg: \\\\\\server\\backups\\archive1.7z: encryption failed: file open error

I've checked and the file (archive1.7z) isn't in use. Any ideas what's going on?

Sean Lively

From wk at gnupg.org Wed Oct 10 12:25:59 2007
From: wk at gnupg.org (Werner Koch)
Date: Wed, 10 Oct 2007 12:25:59 +0200
Subject: GnuPG UNC path on windows problem
In-Reply-To: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com> (Iron Sam Vane's message of "Tue, 9 Oct 2007 23:20:39 -0600")
References: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com>
Message-ID: <87d4vnw9jc.fsf@wheatstone.g10code.de>

On Wed, 10 Oct 2007 07:20, stormrider01 at gmail.com said:

> gpg --homedir c:\gnupg --batch --trust-model always --output
> \\server\backups\archive1.7z.gpg -e -r user
> \\server\backups\archive1.7z
>
> And I'm getting this error:
>
> gpg: can't open `\\\\server\\backups\\archive1.7z': No such file or directory
> gpg: \\\\\\server\\backups\\archive1.7z: encryption failed: file open error
>
> I've checked and the file (archive1.7z) isn't in use. Any ideas what's going on?

I am not sure whether UNC works at all. Would need to test this.
However you can overcome the problem easily:

gpg --homedir c:\gnupg --batch --trust-model always -e -r user <\\server\backups\archive1.7z >\\server\backups\archive1.7z.gpg

This works because gpg won't see any file name but operates on the data received on stdin (connected to the input file) and sends the output to stdout (connected to the output file).

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From JPClizbe at tx.rr.com Wed Oct 10 12:48:52 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 10 Oct 2007 05:48:52 -0500
Subject: GnuPG UNC path on windows problem
In-Reply-To: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com>
References: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com>
Message-ID: <470CAE14.9040206@tx.rr.com>

Iron Sam Vane wrote:
> I'm attempting to encrypt a file on a remote server, both machines are
> win2k3 server, using this command:
> gpg --homedir c:\gnupg --batch --trust-model always --output
> \\server\backups\archive1.7z.gpg -e -r user
> \\server\backups\archive1.7z
>
> And I'm getting this error:
>
> gpg: can't open `\\\\server\\backups\\archive1.7z': No such file or directory
> gpg: \\\\\\server\\backups\\archive1.7z: encryption failed: file open error
>
> I've checked and the file (archive1.7z) isn't in use. Any ideas what's going on?

GnuPG for Windows is built with some translation code for Posix to Win32 path conversion. The UNC paths are confusing it. The fact that backslash (\) needs to be escaped (with a \) is causing the doubling of the characters.

a) Try putting the names in "double quotes", ie
gpg --homedir c:\gnupg --batch --trust-model always --output "\\server\backups\archive1.7z.gpg" -e -r user "\\server\backups\archive1.7z"

b) Try reversing the slashes (This works with non-UNC paths.)
gpg --homedir c:\gnupg --batch --trust-model always --output //server/backups/archive1.7z.gpg -e -r user //server/backups/archive1.7z

c) Use 'net use' and give \\server\backups a temporary drive letter
net use x: \\server\backups
gpg --homedir c:\gnupg --batch --trust-model always --output x:\archive1.7z.gpg -e -r user x:\archive1.7z

--
John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
"what's the key to success?" / "two words: good decisions."
"what's the key to good decisions?" / "one word: experience."
"how do i get experience?" / "two words: bad decisions."

"Just how do the residents of Haiku, Hawai'i hold conversations?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 663 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071010/3439968a/attachment.pgp

From bob.henson at galen.org.uk Wed Oct 10 12:59:14 2007
From: bob.henson at galen.org.uk (Bob Henson)
Date: Wed, 10 Oct 2007 11:59:14 +0100
Subject: [GPGol] GPGol won't install
Message-ID: <470CB082.7070908@galen.org.uk>

I have been using GnuPG/Enigmail for some time. I just tried to install GPGol into my copy of Outlook 2003 SP2 using GPG4Win, with no success. GPA installed and seems to work fine using my existing keyrings. I repeated the install twice, but no trace of GPG appears in Outlook. I just checked and it appears that GnuPG 2.x has not installed either - typing gpg --version in the gnupg directory shows 1.4.7. Where should I start looking for the problem?

Regards,

Bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 546 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071010/a37600b2/attachment.pgp

From bob.henson at galen.org.uk Wed Oct 10 15:18:23 2007
From: bob.henson at galen.org.uk (Bob Henson)
Date: Wed, 10 Oct 2007 14:18:23 +0100
Subject: [GPGol] GPGol won't install
In-Reply-To: <470CB082.7070908@galen.org.uk>
References: <470CB082.7070908@galen.org.uk>
Message-ID: <470CD11F.4030201@galen.org.uk>

Apologies if I wasted anyone's time - I found the problem. The installer does not force a reboot after running and that's what it needed to get the new files to show up. A note for the developers though, it would be a good idea to add the option for an automatic reboot - most programs do that if it is necessary. I didn't see that mentioned in the instructions either - but, of course, I may have missed it somewhere. Anyway, I think I've got it all running OK now.

I did hit a problem with Outlook after installing and setting up GPGol - but it may not have been connected, perhaps just a co-incidence (unless anyone knows better?). I tried to change Outlook's "send and receive" preferences, but clicking the menu item had no effect at all. I had to re-boot the computer again to restore its normal functionality. It certainly hasn't happened before.

Regards,

Bob

> I have been using GnuPG/Enigmail for some time. I just tried to install
> GPGol into my copy of Outlook 2003 SP2 using GPG4Win, with no success.
> GPA installed and seems to work fine using my existing keyrings. I
> repeated the install twice, but no trace of GPG appears in Outlook. I
> just checked and it appears that GnuPG 2.x has not installed either
> - typing gpg --version in the gnupg directory shows 1.4.7. Where should
> I start looking for the problem?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 546 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071010/14400fc8/attachment.pgp

From stormrider01 at gmail.com Wed Oct 10 19:17:40 2007
From: stormrider01 at gmail.com (Iron Sam Vane)
Date: Wed, 10 Oct 2007 11:17:40 -0600
Subject: GnuPG UNC path on windows problem
In-Reply-To: <470CAE14.9040206@tx.rr.com>
References: <61de8c630710092220j35a12b86hcb225919f23c6190@mail.gmail.com> <470CAE14.9040206@tx.rr.com>
Message-ID: <61de8c630710101017t2f51d506n15c1c0dfa5bd0b21@mail.gmail.com>

Thanks guys. Double Quoting the files didn't work, but replacing the back slashes with forward slashes did.

Sean Lively

On 10/10/07, John Clizbe wrote:
> Iron Sam Vane wrote:
> > I'm attempting to encrypt a file on a remote server, both machines are
> > win2k3 server, using this command:
> > gpg --homedir c:\gnupg --batch --trust-model always --output
> > \\server\backups\archive1.7z.gpg -e -r user
> > \\server\backups\archive1.7z
> >
> > And I'm getting this error:
> >
> > gpg: can't open `\\\\server\\backups\\archive1.7z': No such file or directory
> > gpg: \\\\\\server\\backups\\archive1.7z: encryption failed: file open error
> >
> > I've checked and the file (archive1.7z) isn't in use. Any ideas what's going on?
>
> GnuPG for Windows is built with some translation code for Posix to Win32 path
> conversion. The UNC paths are confusing it. The fact that backslash (\) needs to
> be escaped (with a \) is causing the doubling of the characters.
>
> a) Try putting the names in "double quotes", ie
> gpg --homedir c:\gnupg --batch --trust-model always --output
> "\\server\backups\archive1.7z.gpg" -e -r user "\\server\backups\archive1.7z"
>
> b) Try reversing the slashes (This works with non-UNC paths.)
> gpg --homedir c:\gnupg --batch --trust-model always --output
> //server/backups/archive1.7z.gpg -e -r user //server/backups/archive1.7z
>
> c) Use 'net use' and give \\server\backups a temporary drive letter
> net use x: \\server\backups
> gpg --homedir c:\gnupg --batch --trust-model always --output
> x:\archive1.7z.gpg -e -r user x:\archive1.7z
>
>
> --
> John P. Clizbe Inet: John (a) Mozilla-Enigmail.org
> You can't spell fiasco without SCO. PGP/GPG KeyID: 0x608D2A10/0x18BB373A
> "what's the key to success?" / "two words: good decisions."
> "what's the key to good decisions?" / "one word: experience."
> "how do i get experience?" / "two words: bad decisions."
>
> "Just how do the residents of Haiku, Hawai'i hold conversations?"
>
>
>

From wk at gnupg.org Thu Oct 11 13:42:47 2007
From: wk at gnupg.org (Werner Koch)
Date: Thu, 11 Oct 2007 13:42:47 +0200
Subject: [GPGol] GPGol won't install
In-Reply-To: <470CD11F.4030201@galen.org.uk> (Bob Henson's message of "Wed, 10 Oct 2007 14:18:23 +0100")
References: <470CB082.7070908@galen.org.uk> <470CD11F.4030201@galen.org.uk>
Message-ID: <874pgxri6g.fsf@wheatstone.g10code.de>

On Wed, 10 Oct 2007 15:18, bob.henson at galen.org.uk said:

> Apologies if I wasted anyone's time - I found the problem. The installer
> does not force a reboot after running and that's what it needed to get
> the new files to show up. A note for the developers though, it would be

The installer offers to reboot if a reboot is required - that is if a file already exists and is in use (e.g. gpgex.dll which is loaded by explorer or gpgol.dll when outlook is running).

Reboot is not required in other cases - that's the theory. If you can describe again what files don't show up, I can change the installer to ask for a reboot.

> (unless anyone knows better?). I tried to change Outlook's "send and
> receive" preferences, but clicking the menu item had no effect at all. I
> had to re-boot the computer again to restore its normal functionality.
Sometimes an outlook instance is running for some time after being closed. That could be the source of your problem.

GnuPG is not really supported yet - we merely install the command line utilities.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From bob.henson at galen.org.uk Thu Oct 11 20:57:04 2007
From: bob.henson at galen.org.uk (Bob Henson)
Date: Thu, 11 Oct 2007 19:57:04 +0100
Subject: [GPGol] GPGol won't install
In-Reply-To: <874pgxri6g.fsf@wheatstone.g10code.de>
References: <470CB082.7070908@galen.org.uk> <470CD11F.4030201@galen.org.uk> <874pgxri6g.fsf@wheatstone.g10code.de>
Message-ID: <470E7200.6090907@galen.org.uk>

Werner Koch wrote
> On Wed, 10 Oct 2007 15:18, bob.henson at galen.org.uk said:
>
>> Apologies if I wasted anyone's time - I found the problem. The installer
>> does not force a reboot after running and that's what it needed to get
>> the new files to show up. A note for the developers though, it would be
>
> The installer offers to reboot if a reboot is required - that is if a
> file already exists and is in use (e.g. gpgex.dll which is loaded by
> explorer or gpgol.dll when outlook is running).

When I exited to the GnuPG directory and ran gpg --version I did not notice the gpg2.exe files there - it may well be they were there and I did not notice them though, as I have to admit to not having looked thoroughly. From my position of ignorance I suppose I was expecting gpg.exe to be the new version 2 file - I did not realise it was a separate file. Had I thought a bit more at the time, I would have remembered that both versions can run alongside each other hence there must have been two files.

> Reboot is not required in other cases - that's the theory. If you can
> describe again what files don't show up, I can change the installer
> to ask for a reboot.
Rather than the files being missing (which I think I've explained above) there were no menu entries or configuration tab etc in Outlook, so I *assumed* it had not installed at all. It was after the reboot and when the GnuPG configuration tab eventually appeared in Outlook that I looked further, and in browsing for the key manager file (under "advanced") I realised the GPG 2 files were all there.

>> (unless anyone knows better?). I tried to change Outlook's "send and
>> receive" preferences, but clicking the menu item had no effect at all. I
>> had to re-boot the computer again to restore its normal functionality.
>
> Sometimes an outlook instance is running for some time after being
> closed. That could be the source of your problem

That could well be - but I am well out of my depth here, so it did not occur to me.

> GnuPG is not really supported yet - we merely install the command line
> utilities.

Well, all seems to be well now anyway, and it is a good point to thank all concerned for providing all these utilities for us. Your work is much appreciated.

Regards,

Bob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 546 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071011/7de1eb58/attachment.pgp

From benjamin at py-soft.co.uk Fri Oct 12 11:04:33 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 12 Oct 2007 10:04:33 +0100
Subject: pinentry-mac never displays any UI
In-Reply-To: <47077A0A.7080100@py-soft.co.uk>
References: <4705707B.3050407@py-soft.co.uk> <47077A0A.7080100@py-soft.co.uk>
Message-ID: <470F38A1.309@py-soft.co.uk>

Benjamin Donnachie wrote:
> Are you using the version of pinentry that is currently bundled with
> mac-gpg2? If not, try downloading from
> http://www.py-soft.co.uk/~benjamin/download/mac-gpg/mac-gnupg-2.0.4-2.zip
> and let me know how it goes.

Did it work?
Ben

From email at sven-radde.de Fri Oct 12 13:06:42 2007
From: email at sven-radde.de (Sven Radde)
Date: Fri, 12 Oct 2007 13:06:42 +0200
Subject: GnuPG doesn't handle filenames?
Message-ID: <470F5542.8080501@sven-radde.de>

Hi there!

Providing filenames to GnuPG (1.4.7, gpg4win) only results in output of a syntax help, while piping the files still works. As an example, I will use one of the commands in GnuPG's help, but it is the same with other commands such as encrypt, symmetric, ...:

> D:\Sven>gpg --clearsign test.txt
> usage: gpg [options] --clearsign [filename]
>
> D:\Sven>

versus

> D:\Sven>gpg --clearsign -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> testtesttest
> gpg: detected reader...

and so on... everything fine.

Using GPGee's and WinPT's GUIs works as well. GnuPG's "internal" functions such as key generation, card-status etc. are fine, too.

Am I overlooking something with filenames?

Thanks for any help,
Sven

From wk at gnupg.org Fri Oct 12 21:30:51 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 12 Oct 2007 21:30:51 +0200
Subject: GnuPG doesn't handle filenames?
In-Reply-To: <470F5542.8080501@sven-radde.de> (Sven Radde's message of "Fri, 12 Oct 2007 13:06:42 +0200")
References: <470F5542.8080501@sven-radde.de>
Message-ID: <87odf4f7v8.fsf@wheatstone.g10code.de>

On Fri, 12 Oct 2007 13:06, email at sven-radde.de said:

>> D:\Sven>gpg --clearsign test.txt
>> usage: gpg [options] --clearsign [filename]

There is a bug in some versions of gpg4win. The gpg you use is actually a wrapper which invokes the real gpg. We do this to selectively add only required programs to the PATH. Use

gpg --version --version

to see the real filename of gpg; for example:

C:\tmp>gpg --version --version
gpgwrap (Gpg4win) 1.9.0-svn558 ;C:\Programme\GNU\GnuPG\gpg.exe
gpg (GnuPG) 1.4.7
Copyright (C) 2006 Free Software Foundation, Inc.

So either update gpg4win or use

C:\Programme\GNU\GnuPG\gpg --clearsign test.txt

or wherever the real binary is installed.
Note that gpg4win 1.9 is development only and should not be used. The bug is fixed since 1.1.2.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dougb at dougbarton.us Sun Oct 14 04:52:23 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Sat, 13 Oct 2007 19:52:23 -0700 (PDT)
Subject: PGP messages getting flagged as spam
In-Reply-To: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com>
Message-ID:

On Tue, 9 Oct 2007, Adam Schreiber wrote:

> When my university was using SpamAssassin, GPG emails were being
> marked as spam because patterns were being matched by the armored text
> and no negative bonus was being given to GPG signed or encrypted
> messages. They were not willing to tweak their rules.

Has anyone tried contacting the SA developers about this? It seems like something fairly straightforward for them to add.

Doug

--
If you're never wrong, you're not trying hard enough

From gr at eclipsed.net Mon Oct 15 07:54:34 2007
From: gr at eclipsed.net (gabriel rosenkoetter)
Date: Mon, 15 Oct 2007 01:54:34 -0400
Subject: PGP messages getting flagged as spam
In-Reply-To:
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com>
Message-ID: <20071015055434.GB85001@stow.eclipsed.net>

At 2007-10-13 19:52 -0700, Doug Barton wrote:
> Has anyone tried contacting the SA developers about this? It seems like
> something fairly straightforward for them to add.

"The SA developers" is a misconceived phrase here. You're interested in the party who wrote widely disseminated rules that happened to match PGP-enciphered messages (and it's likely to be several parties each and different parties for PGP/MIME- and clear-signed messages and for enciphered messages, whether ASCII-encoded or not).

It's up to the site administrator to make use of SA rules that aren't braindamaged.
It's hardly the fault of the authors of SA if some site decides to add 2.5 points to every message with a MIME attachment, though you can, perhaps, see how that might be a naive approach that works pretty well most of the time.

--
gabriel rosenkoetter
gr at eclipsed.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : /pipermail/attachments/20071015/da88f836/attachment.pgp

From malayter at gmail.com Mon Oct 15 13:26:08 2007
From: malayter at gmail.com (Ryan Malayter)
Date: Mon, 15 Oct 2007 06:26:08 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <20071015055434.GB85001@stow.eclipsed.net>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net>
Message-ID: <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>

On 10/15/07, gabriel rosenkoetter wrote:
> It's up to the site administrator to make use of SA rules that aren't
> braindamaged. It's hardly the fault of the authors of SA if some
> site decides to add 2.5 points to every message with a MIME
> attachment, though you can, perhaps, see how that might be a naive
> approach that works pretty well most of the time.

Another problem: automatically adding negative score to PGP data would make that an attractive tactic for spammers. If such a rule were popular in SpamAssassin, you'd see a lot of base64 encoded HTML spam with "fake" PGP headers, I imagine.

The real solution would be for SpamAssassin to check that the PGP messages are well-formed, and verify signatures on any PGP message before altering its score. A tad CPU intensive, I think, and it poses a host of key management and trust management issues if the SpamAssassin system serves many users (which most do).
--
RPM

From wk at gnupg.org Mon Oct 15 16:32:01 2007
From: wk at gnupg.org (Werner Koch)
Date: Mon, 15 Oct 2007 16:32:01 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> (Ryan Malayter's message of "Mon, 15 Oct 2007 06:26:08 -0500")
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>
Message-ID: <87myukbg9q.fsf@wheatstone.g10code.de>

On Mon, 15 Oct 2007 13:26, malayter at gmail.com said:

> The real solution would be for SpamAssassin to check that the PGP
> messages are well-formed, and verify signatures on any PGP message
> before altering its score. A tad CPU intensive, I think, and it poses

FWIW, a few weeks ago I received the first PGP signed spam. The signature was good and I believe that it was sent using a trojan utilizing the local MUA which was configured to sign all outgoing mail.

Shalom-Salam,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dave at brondsema.net Tue Oct 16 04:51:45 2007
From: dave at brondsema.net (Dave Brondsema)
Date: Mon, 15 Oct 2007 19:51:45 -0700 (PDT)
Subject: PGP messages getting flagged as spam
In-Reply-To: <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>
Message-ID: <13225948.post@talk.nabble.com>

Ryan Malayter-2 wrote:
>
> On 10/15/07, gabriel rosenkoetter wrote:
>> It's up to the site administrator to make use of SA rules that aren't
>> braindamaged.
>> It's hardly the fault of the authors of SA if some
>> site decides to add 2.5 points to every message with a MIME
>> attachment, though you can, perhaps, see how that might be a naive
>> approach that works pretty well most of the time.
>
> Another problem: automatically adding negative score to PGP data would
> make that an attractive tactic for spammers. If such a rule were
> popular in SpamAssassin, you'd see a lot of base64 encoded HTML spam
> with "fake" PGP headers, I imagine.
>
> The real solution would be for SpamAssassin to check that the PGP
> messages are well-formed, and verify signatures on any PGP message
> before altering its score. A tad CPU intensive, I think, and it poses
> a host of key management and trust management issues if the
> SpamAssassin systems serve many users (which most do).
>

I have started an OpenPGP plugin for SpamAssassin that could be useful to assign a negative score to signed emails. See http://search.cpan.org/perldoc?Mail::SpamAssassin::Plugin::OpenPGP

I am using it myself, but it is not complete and I wouldn't recommend using it in a production environment without some good testing. And patches for it, probably :)

From email at sven-radde.de Tue Oct 16 07:46:29 2007
From: email at sven-radde.de (Sven Radde)
Date: Tue, 16 Oct 2007 07:46:29 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <87myukbg9q.fsf@wheatstone.g10code.de>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <87myukbg9q.fsf@wheatstone.g10code.de>
Message-ID: <47145035.6000702@sven-radde.de>

Hi!

Werner Koch wrote:
> FWIW, a few weeks ago I received the first PGP signed spam.
> The
> signature was good and I believe that it was sent using a trojan
> utilizing the local MUA which was configured to sign all outgoing mail.

Just out of curiosity: Does this (or, rather: should this) have implications for your trust of the signer's key?
If the system is compromised, you cannot be sure of the authenticity of messages coming from there, can you?

cu, Sven

From rjh at sixdemonbag.org Tue Oct 16 08:58:46 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 16 Oct 2007 01:58:46 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <47145035.6000702@sven-radde.de>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <87myukbg9q.fsf@wheatstone.g10code.de> <47145035.6000702@sven-radde.de>
Message-ID: <47146126.7030505@sixdemonbag.org>

Sven Radde wrote:
> Just out of curiosity: Does this (or, rather: should this) have
> implications for your trust of the signer's key?

There are two schools of thought on this.

1. "Beats me. You get to define your policy, not me."

2. "If this guy's control of his keys and passphrase is so poor that a spammer can use them, then there is no sensible policy which would consider that key uncompromised."

Personally, I side with #1, but my own personal policy is #2. YMMV.
From wk at gnupg.org Tue Oct 16 09:20:49 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 16 Oct 2007 09:20:49 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <47145035.6000702@sven-radde.de> (Sven Radde's message of "Tue, 16 Oct 2007 07:46:29 +0200")
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <87myukbg9q.fsf@wheatstone.g10code.de> <47145035.6000702@sven-radde.de>
Message-ID: <871wbv8qzy.fsf@wheatstone.g10code.de>

On Tue, 16 Oct 2007 07:46, email at sven-radde.de said:

> Just out of curiosity: Does this (or, rather: should this) have
> implications for your trust of the signer's key?

Well I assume that this guy keeps his primary key offline and thus malware would not be able to let him sign other keys ;-)

> If the system is compromised, you cannot be sure of the authenticity of
> messages coming from there, can you?

Right.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From dan at geer.org Tue Oct 16 13:23:30 2007
From: dan at geer.org (dan at geer.org)
Date: Tue, 16 Oct 2007 07:23:30 -0400
Subject: PGP messages getting flagged as spam
In-Reply-To: Your message of "Tue, 16 Oct 2007 09:20:49 +0200." <871wbv8qzy.fsf@wheatstone.g10code.de>
Message-ID: <20071016112330.6192633E45@absinthe.tinho.net>

Werner Koch writes:
|
| > If the system is compromised, you cannot be sure of the
| > authenticity of messages coming from there, can you?
|
| Right.
|

And therein is the issue. A year ago, I wrote an editorial where I made a semi-numeric mostly educated guess that 15-30% of all home/private systems were already compromised. I got some hate mail but in the intervening months, Vint Cerf said 40%, Microsoft said 2/3rds, and IDC said 3/4ths.
Whatever the true number is, real risk management must now assume that the counterparty to a conversation stands a good chance of being 0wned.

That said, the discount brokerages are hurting on this as 0wned machines mean that stock pump&dump schemes can be pumped by booking real trades from real people with real money, i.e., steal the password via a key logger and then time the trade to help with the pump phase. I've another editorial on that, but suffice it to say that in at least one instance, the November 06 10-Q filing by e-Trade, the losses in question reached the level that required SEC disclosure.

Which brings us to a point: Those brokerages want, and are willing to pay real money for, something like an Active-X component that at the outset of the trading session is downloaded fresh, steals the keyboard away from the operating system, and pipes keystrokes through an entirely distinct network stack direct to the trading environment, i.e., makes the home user's PC into a dumb terminal for a moment.

On the one hand, that this could work is horrifying and the idea of teaching the user community to say yes to "steal my keyboard" is likewise horrifying. But on the other hand there is a coherent argument that people fall in two camps: Those who always click "YES" and those who never do. If someone always clicks "YES," then the odds are that they are already 0wned and, thus, you need to 0wn them for a moment if you are going to do anything important. If someone never clicks "YES," then the odds are that they are canny and self-protecting, so you don't need to 0wn them up just to have a transaction.

The times, they are a changin'

--dan

From daniel at benoy.name Tue Oct 16 17:28:48 2007
From: daniel at benoy.name (Daniel Benoy)
Date: Tue, 16 Oct 2007 11:28:48 -0400
Subject: Trouble with keyservers
Message-ID: <200710161128.57244.daniel@benoy.name>

Hi.
I generated my key with the assistance of an experimental program called 'gnupg-pkcs11-scd' and my Aladdin eToken and I think the key that was generated is somehow messed up.

When I exchange my public key with friends manually, they can encrypt to me just fine. But when they grab from a keyserver they can't. Can someone here help me determine what's wrong with the key that comes from the keyserver, and help me narrow down the issue to the keyservers, gnupg, or gnupg-pkcs11-scd?

Here's what I see: (I try the same command twice. One after using the keyserver, one after importing an armored ascii key)

kos-mos dbenoy # gpg --keyserver wwwkeys.us.pgp.net --recv-keys 3E2E17A6
gpg: requesting key 3E2E17A6 from hkp server wwwkeys.us.pgp.net
gpg: key 3E2E17A6: public key "Daniel Benoy " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
kos-mos dbenoy # gpg -ae -r 3E2E17A6
gpg: 3E2E17A6: skipped: Unusable public key
gpg: [stdin]: encryption failed: Unusable public key
kos-mos dbenoy # gpg --delete-key 3E2E17A6
gpg (GnuPG) 2.0.6; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub 1024R/3E2E17A6 2007-10-14 Daniel Benoy

Delete this key from the keyring?
(y/N) y
kos-mos dbenoy # gpg --import
gpg: key 3E2E17A6: public key "Daniel Benoy " imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
kos-mos dbenoy # gpg -ae -r 3E2E17A6
gpg: 3E2E17A6: There is no assurance this key belongs to the named user

pub 1024R/3E2E17A6 2007-10-14 Daniel Benoy
Primary key fingerprint: 3562 2296 53CF 0B61 ECDE D473 EA43 5D86 3E2E 17A6

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
Test

From rjh at sixdemonbag.org Tue Oct 16 19:15:03 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue, 16 Oct 2007 12:15:03 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <20071016112330.6192633E45@absinthe.tinho.net>
References: <20071016112330.6192633E45@absinthe.tinho.net>
Message-ID: <4714F197.1080007@sixdemonbag.org>

dan at geer.org wrote:
> And therein is the issue. A year ago, I wrote an editorial where I
> made a semi-numeric mostly educated guess that 15-30% of all
> home/private systems were already compromised. I got some hate mail
> but in the intervening months, Vint Cerf said 40%, Microsoft said
> 2/3rds, and IDC said 3/4ths.

I seem to recall hearing Cerf say one in four, not two in five. Regardless, the numbers are still shockingly high.

> Whatever the true number is, real risk management must now assume
> that the counterparty to a conversation stands a good chance of being
> 0wned.

It goes a lot deeper than brokerages, although it doesn't surprise me that this industry has done a lot of thought about it.

In my day job I'm finishing a Ph.D. in computer security, using electronic voting systems as a testbed for research. I am appalled at how often well-meaning people ask "well, overhauling all these DRE machines would cost a fortune, so why not just let people vote from home?" Vote-from-home over the internet is probably going to happen sooner or later in some jurisdiction, if only because it is possible for a vendor to claim huge cost savings and convenience increases. And what do we do once we've turned the machinery of democracy over to a network which is increasingly owned lock, stock and barrel by botnets?

In a similar vein, I have two close relatives who are judges. It scares me... I mean, it downright _terrifies me_... that they are unaware of just how many machines are compromised, or the likelihood that their own machines are compromised. Whenever I visit either of them--which I do with some frequency--the first thing I do is scour their PCs for traces of infestation.
It's a substantial amount of work, but I would much rather do this than run the risk of a felon's conviction being overturned on the grounds that the judge's PC was part of a botnet and thus we can't trust that the entered opinion was accurate.

The implications of botnets are both wide-ranging and bone-chilling. I am quite concerned about the potential impacts of botnets upon the world at large.

From gr at eclipsed.net Wed Oct 17 03:30:58 2007
From: gr at eclipsed.net (gabriel rosenkoetter)
Date: Tue, 16 Oct 2007 21:30:58 -0400
Subject: PGP messages getting flagged as spam
In-Reply-To: <87myukbg9q.fsf@wheatstone.g10code.de> <13225948.post@talk.nabble.com> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>
References: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com>
Message-ID: <20071017013058.GP85001@stow.eclipsed.net>

At 2007-10-15 06:26 -0500, Ryan Malayter wrote:
> The real solution would be for SpamAssassin to check that the PGP
> messages are well-formed, and verify signatures on any PGP message
> before altering its score. A tad CPU intensive, I think, and it poses
> a host of key management and trust management issues if the
> SpamAssassin systems serve many users (which most do).

It's still a worthwhile check, assuming an appropriately weighted system (valid PGP signatures don't necessarily mean I want to read the email, so it's worth a few points, but definitely a less-than-1 fraction of my "not spam, deliver it" number). Given that the default install of SA in most package distributions makes use of various DNS[/RBL] checks, I'm pretty sure that CPU time isn't the compelling factor.
I'm happy to accept a 10 minute lag in my email delivery (from or two, really) for a 95%+ reduction in email I didn't want to have to delete manually.

At 2007-10-15 19:51 -0700, Dave Brondsema wrote:
> I have started an OpenPGP plugin for SpamAssassin that could be useful to
> assign a negative score to signed emails. See
> http://search.cpan.org/perldoc?Mail::SpamAssassin::Plugin::OpenPGP

I am interested in your project and excited by the concept, but I'm pretty sure it will reach the point of Works Good Enough before I have the free time to help. Good luck, though!

At 2007-10-15 16:32 +0200, Werner Koch wrote:
> FWIW, a few weeks ago I received the first PGP signed spam. The
> signature was good and I believe that it was sent using a trojan
> utilizing the local MUA which was configured to sign all outgoing mail.

It was only a matter of time.

--
gabriel rosenkoetter
gr at eclipsed.net

From rjh at sixdemonbag.org Wed Oct 17 06:31:26 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 16 Oct 2007 23:31:26 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <20071017013058.GP85001@stow.eclipsed.net>
References: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net>
Message-ID: <4715901E.5080505@sixdemonbag.org>

gabriel rosenkoetter wrote:
> It's still a worthwhile check, assuming an appropriately weighted
> system (valid PGP signatures don't necessarily mean I want to read
> the email, so it's worth a few points, but definitely a less-than-1
> fraction of my "not spam, deliver it" number). Given that the default

Not really.

The instant spammers figure they can sneak past SpamAssassin a fractional bit more by having a good PGP signature, we're going to see an explosion of PGP/MIME. The main body will be random text and have a valid signature; the attachment will be the permuted-per-recipient image, and will not.

They need to sign one message and send it to ten million people. Ten million people then need to have their spamfilters parse the PGP signature to see whether to give it the fractional point deduction. This is classic asymmetric warfare.

In very short order so many spammers will be using PGP/MIME that just using PGP/MIME legitimately will raise the point value of your traffic. Which means that six months after people start marking down PGP-signed emails, people start marking the scores way, way up.

I don't feel like sacrificing my ability to send encrypted emails to someone just to get an additional six months delay in the spam war.
From snoken at tunedal.nu Wed Oct 17 09:00:33 2007
From: snoken at tunedal.nu (Snoken)
Date: Wed, 17 Oct 2007 09:00:33 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <87myukbg9q.fsf@wheatstone.g10code.de>
References: <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <87myukbg9q.fsf@wheatstone.g10code.de>
Message-ID: <200710170700.l9H70gWX020197@www11.aname.net>

At 16:32 2007-10-15, Werner Koch wrote:
>On Mon, 15 Oct 2007 13:26, malayter at gmail.com said:
>
>> The real solution would be for SpamAssassin to check that the PGP
>> messages are well-formed, and verify signatures on any PGP message
>> before altering its score. A tad CPU intensive, I think, and it poses
>
>FWIW, a few weeks ago I received the first PGP signed spam. The
>signature was good and I believe that it was sent using a trojan
>utilizing the local MUA which was configured to sign all outgoing mail.
>
>
>Shalom-Salam,
>
> Werner

The good news is that this makes it fairly easy to locate the compromised computer and alert the user.

Snoken

From rjh at sixdemonbag.org Wed Oct 17 09:39:27 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Oct 2007 02:39:27 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <4715BB0A.7070904@sven-radde.de>
References: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org> <4715BB0A.7070904@sven-radde.de>
Message-ID: <4715BC2F.9060407@sixdemonbag.org>

Sven Radde wrote:
> Probably true, but how will spammers get signatures on their stuff that
> are valid *for me*?

So, what, the plan then is to discard any message that's signed by an unknown or untrusted key? Or consider that to be a spam indicator?

These cures are just as lousy as the disease.

> Looks like a template for a nice Spamassassin filtering rule ("signed
> body + unsigned attachment") to at least offset the bonus received from
> the valid sig. ;-)

So _more_ valid OpenPGP data gets discarded? This plan gets better and better.
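
The message shape discussed in this thread (a signed body with an unsigned attachment beside it) can be recognised from the MIME tree alone, before any cryptography is done. The Python below is an added example, not code from any list member or from SpamAssassin; the function names and both sample messages are constructed for illustration, and it inspects structure only, without verifying a signature.

```python
from email import message_from_string

PGP_SIG = "application/pgp-signature"


def signature_coverage(raw):
    """Return (covered, uncovered): content types of the leaf MIME parts that
    sit inside / outside a PGP/MIME (RFC 3156) signed subtree."""
    covered, uncovered = [], []

    def walk(part, inside_signed):
        ctype = part.get_content_type()
        if not part.is_multipart():
            (covered if inside_signed else uncovered).append(ctype)
            return
        children = part.get_payload()
        protocol = (part.get_param("protocol") or "").lower()
        # RFC 3156: multipart/signed carries exactly two children, the signed
        # content first and the detached signature second.
        if (ctype == "multipart/signed" and protocol == PGP_SIG
                and len(children) == 2
                and children[1].get_content_type() == PGP_SIG):
            walk(children[0], True)
            return  # children[1] is the signature itself, not content
        for child in children:
            walk(child, inside_signed)

    walk(message_from_string(raw), False)
    return covered, uncovered


def has_unsigned_extras(raw):
    """True when some content is signed and other content rides along unsigned."""
    covered, uncovered = signature_coverage(raw)
    return bool(covered) and bool(uncovered)


# Constructed sample: signed text body, image attached outside the signature.
PARTIAL = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

random filler text
--sig
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--sig--
--outer
Content-Type: image/gif

(constructed placeholder bytes)
--outer--
"""

# Constructed sample: the signature covers both the text and the image.
FULL = """\
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner
Content-Type: image/gif

(constructed placeholder bytes)
--inner--
--sig
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--sig--
"""

if __name__ == "__main__":
    for name, raw in (("PARTIAL", PARTIAL), ("FULL", FULL)):
        print(name, signature_coverage(raw), has_unsigned_extras(raw))
```

A filter would use this only to decide which parts a later signature verification actually vouches for; a structurally complete signature still says nothing about whether the key is trusted.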
From email at sven-radde.de Wed Oct 17 09:45:35 2007
From: email at sven-radde.de (Sven Radde)
Date: Wed, 17 Oct 2007 09:45:35 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <4715BC2F.9060407@sixdemonbag.org>
References: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org> <4715BB0A.7070904@sven-radde.de> <4715BC2F.9060407@sixdemonbag.org>
Message-ID: <4715BD9F.1040803@sven-radde.de>

Hi!

Robert J. Hansen wrote:
> So, what, the plan then is to discard any message that's signed by an
> unknown or untrusted key?
> (...)
> So _more_ valid OpenPGP data gets discarded? This plan gets better and
> better.

The plan was not to discard anything, but *deny the bonus* in some cases where valid OpenPGP data is found. I fail to see why this would be worse than the current situation where OpenPGP data does not get a bonus at all.
cu, Sven

From email at sven-radde.de Wed Oct 17 09:34:34 2007
From: email at sven-radde.de (Sven Radde)
Date: Wed, 17 Oct 2007 09:34:34 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <4715901E.5080505@sixdemonbag.org>
References: <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org>
Message-ID: <4715BB0A.7070904@sven-radde.de>

Hi!

Robert J. Hansen wrote:
> The instant spammers figure they can sneak past SpamAssassin a
> fractional bit more by having a good PGP signature, we're going to see
> an explosion of PGP/MIME.

Probably true, but how will spammers get signatures on their stuff that are valid *for me*? They would have to compromise one of the keys that are valid on my keyring or one that would be considered trustworthy by means of the web-of-trust.

Maintaining a dedicated database of "spam-keys" that had been trustworthy but were used for spam would help, too (to assign messages signed by those keys a bad score).

Note that this approach requires a per-user filtering by Spamassassin but SA already handles per-user whitelists, blacklists and even user-defined rules (not sure on the last one, though).

> The main body will be random text and have a
> valid signature; the attachment will be the permuted-per-recipient
> image, and will not.

Looks like a template for a nice Spamassassin filtering rule ("signed body + unsigned attachment") to at least offset the bonus received from the valid sig. ;-)

Just my 2 cents, Sven

From rjh at sixdemonbag.org Wed Oct 17 20:12:12 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Oct 2007 13:12:12 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To:
References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org>
Message-ID: <4716507C.4090209@sixdemonbag.org>

reynt0 wrote:
> IIRC there was a Technische Universitaet or similar in
> Austria a while ago that was going to do some student
> elections by internet.

A lot of institutions are doing this nowadays. I expect most universities to go this way within the next few years--and once university students get accustomed to it, a few years after that we'll see the idea gain traction in the real-world election community.

For a look at the problems in the University of Iowa student government elections, take a look at:

http://cs.uiowa.edu/~rjhansen/UISG.pdf

After delivering this report to Student Government, their response was to bury it, never follow up with us, and the next year hired an outside contractor to provide vote-by-internet, all on the basis of "the voting research group here is not willing to be part of a productive working relationship".

ObGnuPGRelevance: some of the issues pointed out in the final report could have been mitigated with GnuPG, although in the end UISG elected to ignore our recommendations.

From reynt0 at cs.albany.edu Wed Oct 17 19:48:22 2007
From: reynt0 at cs.albany.edu (reynt0)
Date: Wed, 17 Oct 2007 13:48:22 -0400 (EDT)
Subject: PGP messages getting flagged as spam
In-Reply-To: <4714F197.1080007@sixdemonbag.org>
References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org>
Message-ID:

On Tue, 16 Oct 2007, Robert J. Hansen wrote:
. . .
> Vote-from-home over the internet is probably going to happen sooner or
> later in some jurisdiction, if only because it is possible for a vendor
. . .

IIRC there was a Technische Universitaet or similar in Austria a while ago that was going to do some student elections by internet. Like maybe 2-3 years ago or so??
Reading their description of their plan at the time, I was not (FWIW) specially impressed that they were considering what might be all possible problems, although IIRC there was discussion of doing regular political elections the same way. I should have checked later to see what the outcome was, but did not. From 210525p42015 at denstarfarm.us Wed Oct 17 23:55:43 2007 From: 210525p42015 at denstarfarm.us (Robert D.) Date: Wed, 17 Oct 2007 17:55:43 -0400 Subject: Question about Replying to List Message-ID: <471684DF.30303@denstarfarm.us> I'm on a MacBook and using Thunderbird version 2.0.0.6 (20070728) I see no Header of "Reply To:" ... I was looking for it because when I hit "Reply" to one of the List emails, the compose window popped up with a message addressed to Robert H. as opposed to the List. Is this normal? If not, is there a setting in the List Account for me where I can set the headers appearing in emails to me? Reply-All seems not so much a good idea since two emails would be sent ... so I figure I am doing something wrong. From benjamin at py-soft.co.uk Thu Oct 18 01:50:58 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Thu, 18 Oct 2007 00:50:58 +0100 Subject: Question about Replying to List In-Reply-To: <471684DF.30303@denstarfarm.us> References: <471684DF.30303@denstarfarm.us> Message-ID: <47169FE2.5050602@py-soft.co.uk> Robert D. 
wrote:
> I'm on a MacBook and using Thunderbird version 2.0.0.6 (20070728)
>

Take a look at the Thunderbird reply to list extension -
http://alumnit.ca/wiki/index.php?page=ReplyToListThunderbirdExtension

Ben

From reynt0 at cs.albany.edu Thu Oct 18 04:01:41 2007
From: reynt0 at cs.albany.edu (reynt0)
Date: Wed, 17 Oct 2007 22:01:41 -0400 (EDT)
Subject: professionalism, was Re: PGP messages getting flagged as spam
In-Reply-To: <4716507C.4090209@sixdemonbag.org>
References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org> <4716507C.4090209@sixdemonbag.org>
Message-ID:

On Wed, 17 Oct 2007, Robert J. Hansen wrote:
. . .
> For a look at the problems in the University of Iowa student government
> elections, take a look at:
>
> http://cs.uiowa.edu/~rjhansen/UISG.pdf
>
> After delivering this report to Student Government, their response was
> to bury it, never follow up with us, and the next year hired an outside
. . .
> ObGnuPGRelevance: some of the issues pointed out in the final report
> could have been mitigated with GnuPG, although in the end UISG elected
> to ignore our recommendations.

Reading that report, I see another GnuPG relevance: the issue of Computer Science being a profession (occasionally debated in IEEE publications (at least a while ago), etc). The characteristics of a "profession" are supposed to include the existence of professional standards and ethics requiring adherence to the standards. Open source may be thought to finesse this issue, working in the understanding (hope ?) that including direct feedback from interested community members (given the existence of community communication channels, and ideally including members with professional status or attitudes) may be a substitute for professional standards and ethics.

Are there refined answers available to the question, how can someone like "salaried programmers" (p.2) best state a claim that GnuPG could serve as part of a professional solution to the problem?
(I hope this isn't too far out of bounds of gnupg-users relevance.) From rjh at sixdemonbag.org Thu Oct 18 10:11:11 2007 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Thu, 18 Oct 2007 03:11:11 -0500 Subject: professionalism, was Re: PGP messages getting flagged as spam In-Reply-To: References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org> <4716507C.4090209@sixdemonbag.org> Message-ID: <4717151F.3070002@sixdemonbag.org> reynt0 wrote: > Are there refined answers available to the question Yes. When giving a software evaluation, you always specify sources and methods. Each and every assertion needs a source and a method: who is your source, and how does your source know this? With proprietary software, you're mostly stuck relying on your vendor for information. Compare "Microsoft says that IIS will scale up to our server load with our current server configuration" to "the Apache Foundation isn't making any promises, but I've had Apache running for the last month on a test server and it's performing flawlessly." The first statement's source is Microsoft. Their method is presumably their own internal testing. The second statement's source is you-the-engineer. Your method is your own internal testing. Neither evaluation is necessarily better or worse than the other. Management might trust Microsoft more than you, or you more than Microsoft. You're not responsible for making sure Management makes the right choices--you're only responsible for giving Management accurate information with which to make their choices. 
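Added example, not part of any poster's message and not SpamAssassin code: the check Sven Radde suggests earlier in this thread ("signed body + unsigned attachment"), written in Python and extended to clearsigned text that has unsigned text around it. It only measures how much of a message a signature covers; whether the signature verifies is assumed to come from a separate gpg check, and the function names, sample messages and the -1.0 bonus are constructed for illustration.

```python
import email
import re

# Inline clearsigned block (ASCII armor), as produced by "gpg --clearsign".
ARMOR = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?-----END PGP SIGNATURE-----",
    re.S)


def _is_pgp_mime(part):
    """True for an RFC 3156 multipart/signed container."""
    proto = part.get_param("protocol") or ""
    return (part.get_content_type() == "multipart/signed"
            and str(proto).lower() == "application/pgp-signature")


def _leaves(part, covered=False):
    """Yield (leaf, covered) for every non-multipart part of the MIME tree."""
    if not part.is_multipart():
        yield part, covered
        return
    children = part.get_payload()
    if _is_pgp_mime(part) and len(children) == 2:
        # Child 0 is the signed data; child 1 is the detached signature itself.
        yield from _leaves(children[0], True)
        return
    for child in children:
        yield from _leaves(child, covered)


def coverage(raw):
    """Return 'none', 'partial' or 'full': how much content a signature covers."""
    signed = unsigned = 0
    for leaf, covered in _leaves(email.message_from_bytes(raw)):
        if covered:
            signed += 1
        elif leaf.get_content_maintype() == "text":
            text = (leaf.get_payload(decode=True) or b"").decode("utf-8", "replace")
            signed += bool(ARMOR.search(text))
            # Anything left once the armored block is cut out is unsigned text.
            unsigned += bool(ARMOR.sub("", text).strip())
        else:
            unsigned += 1  # image, archive, ...: an attachment nobody signed
    if not signed:
        return "none"
    return "partial" if unsigned else "full"


def sig_bonus(raw, sig_valid, bonus=-1.0):
    """Score adjustment (constructed value): the good-signature bonus is granted
    only when a valid signature covers everything in the message."""
    return bonus if sig_valid and coverage(raw) == "full" else 0.0


# --- constructed sample messages (placeholder signature, not real OpenPGP data) ---
SIG = ("-----BEGIN PGP SIGNATURE-----\n\nCONSTRUCTED-PLACEHOLDER\n"
       "-----END PGP SIGNATURE-----\n")
HDR = "From: sender@example.org\nMIME-Version: 1.0\n"
SIGNED_PART = ('Content-Type: multipart/signed; boundary="inner"; '
               'protocol="application/pgp-signature"\n\n'
               "--inner\nContent-Type: text/plain\n\nrandom filler text\n"
               "--inner\nContent-Type: application/pgp-signature\n\n" + SIG +
               "--inner--\n")
CLEAR = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
         "genuine list post\n" + SIG)

PGP_MIME = (HDR + SIGNED_PART).encode()
# Template quoted in the thread: signed body plus an unsigned image attachment.
TEMPLATE = (HDR + 'Content-Type: multipart/mixed; boundary="outer"\n\n--outer\n'
            + SIGNED_PART +
            "--outer\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
            "R0lGODlhAQABAAAAACw=\n--outer--\n").encode()
CLEARSIGNED = (HDR + "Content-Type: text/plain\n\n" + CLEAR).encode()
# Clearsigned text with unsigned text appended after the signature.
APPENDED = CLEARSIGNED + b"\nconstructed unsigned advert text\n"
PLAIN = (HDR + "Content-Type: text/plain\n\nhello\n").encode()

if __name__ == "__main__":
    for name in ("PGP_MIME", "TEMPLATE", "CLEARSIGNED", "APPENDED", "PLAIN"):
        raw = globals()[name]
        print(f"{name:12} {coverage(raw):8} bonus={sig_bonus(raw, True)}")
```

A footer appended by mailing list software also yields "partial", which is why this result only withholds the bonus instead of adding a penalty.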
From malayter at gmail.com Thu Oct 18 14:07:23 2007 From: malayter at gmail.com (Ryan Malayter) Date: Thu, 18 Oct 2007 07:07:23 -0500 Subject: professionalism, was Re: PGP messages getting flagged as spam In-Reply-To: <4717151F.3070002@sixdemonbag.org> References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org> <4716507C.4090209@sixdemonbag.org> <4717151F.3070002@sixdemonbag.org> Message-ID: <5d7f07420710180507r686df541i2440b7fd4241da42@mail.gmail.com> On 10/18/07, Robert J. Hansen wrote: > With proprietary software, you're mostly stuck relying on your vendor > for information. Compare "Microsoft says that IIS will scale up to our > server load with our current server configuration" to "the Apache > Foundation isn't making any promises, but I've had Apache running for > the last month on a test server and it's performing flawlessly." > > The first statement's source is Microsoft. Their method is presumably > their own internal testing. Why wouldn't you set up a test lab with the Microsoft products as well? They offer zero-cost trial and developer editions of their products for that express purpose. You should never rely on the word of a vendor if there is an alternative. You can always find proprietary vendors that will give you a trial of some sort. At my company, we've had months-long trial installations of $1M+ vertical market software packages before signing any agreement to purchase. -- RPM From rjh at sixdemonbag.org Thu Oct 18 17:23:46 2007 From: rjh at sixdemonbag.org (Robert J. 
Hansen) Date: Thu, 18 Oct 2007 10:23:46 -0500 Subject: professionalism, was Re: PGP messages getting flagged as spam In-Reply-To: <5d7f07420710180507r686df541i2440b7fd4241da42@mail.gmail.com> References: <20071016112330.6192633E45@absinthe.tinho.net> <4714F197.1080007@sixdemonbag.org> <4716507C.4090209@sixdemonbag.org> <4717151F.3070002@sixdemonbag.org> <5d7f07420710180507r686df541i2440b7fd4241da42@mail.gmail.com> Message-ID: <47177A82.2050305@sixdemonbag.org> Ryan Malayter wrote: > Why wouldn't you set up a test lab with the Microsoft products as > well? It's a hypothetical. There do exist vendors that are infamously stingy with evaluation versions and heavily rely on "trust us". From gnupg at mockies.de Thu Oct 18 16:53:45 2007 From: gnupg at mockies.de (Christoph Mockenhaupt) Date: Thu, 18 Oct 2007 16:53:45 +0200 Subject: pinentry-mac never displays any UI [seems to be solved] Message-ID: <200710181654.05689.gnupg@mockies.de> Hi, I stumbled over the same problem. I am using mac-gnupg-2.0.4-2 from Ben. echo GETPIN | /Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac shows the pinentry dialog, though. But testing it together with gpg-agent didn't work (using something like 'echo "test" | gpg -ase -r KEY | gpg'). The pinentry icon bounced in the dock but no UI is shown (this seems to be the same problem Richard had). I was able to solve the problem by simply deleting the "no-grab" option from gpg-agent.conf (*hehe* "simply", took me ages to figure that out). Everything works fine, now. Thanks Ben for your work. Since kde-3.5.6 I was not able to use gpg in kmail because the usage of gpg-agent is not optional any longer. And I wasn't able to get this working till now. 
-- Christoph From benjamin at py-soft.co.uk Fri Oct 19 02:13:02 2007 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Fri, 19 Oct 2007 01:13:02 +0100 Subject: Question about Replying to List In-Reply-To: <47169FE2.5050602@py-soft.co.uk> References: <471684DF.30303@denstarfarm.us> <47169FE2.5050602@py-soft.co.uk> Message-ID: <4717F68E.2070105@py-soft.co.uk> Benjamin Donnachie wrote: > Take a look at the Thunderbird reply to list extension - > http://alumnit.ca/wiki/index.php?page=ReplyToListThunderbirdExtension > If you don't want to use Thunderbird v3, take a look at the ReplyToList extension at http://cweiske.de/misc_extensions.htm Ben From BrunosJunk at Bronosky.com Fri Oct 19 03:43:02 2007 From: BrunosJunk at Bronosky.com (Richard Bronosky) Date: Thu, 18 Oct 2007 21:43:02 -0400 Subject: pinentry-mac never displays any UI [seems to be solved] In-Reply-To: <200710181654.05689.gnupg@mockies.de> References: <200710181654.05689.gnupg@mockies.de> Message-ID: By God, he's right! it was no-grab that was doing it. Thanks all! On 10/18/07, Christoph Mockenhaupt wrote: > Hi, > > I stumbled over the same problem. I am using mac-gnupg-2.0.4-2 from Ben. > echo GETPIN | /Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac shows > the pinentry dialog, though. > > But testing it together with gpg-agent didn't work (using something > like 'echo "test" | gpg -ase -r KEY | gpg'). The pinentry icon bounced in the > dock but no UI is shown (this seems to be the same problem Richard had). > > I was able to solve the problem by simply deleting the "no-grab" option from > gpg-agent.conf (*hehe* "simply", took me ages to figure that out). > > Everything works fine, now. Thanks Ben for your work. Since kde-3.5.6 I was > not able to use gpg in kmail because the usage of gpg-agent is not optional > any longer. And I wasn't able to get this working till now. 
> -- > Christoph > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users at gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- .!# RichardBronosky #!. From jharris at widomaker.com Fri Oct 19 05:56:59 2007 From: jharris at widomaker.com (Jason Harris) Date: Thu, 18 Oct 2007 23:56:59 -0400 Subject: PGP messages getting flagged as spam In-Reply-To: <4715BB0A.7070904@sven-radde.de> References: <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org> <4715BB0A.7070904@sven-radde.de> Message-ID: <20071019035659.GA4074@wilma.widomaker.com> On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote: > Probably true, but how will spammers get signatures on their stuff that > are valid *for me*? They would have to compromise one of the keys that > are valid on my keyring or one that would be considered trustworthy by > means of the web-of-trust. Why not just take some signed content from a key in the strong set, like this message, and add some unsigned spam to it? It would be a great way to ruin keys by making them "spam-keys." > Maintaining a dedicated database of "spam-keys" that had been > trustworthy but were used for spam would help, too (to assign messages > signed by those keys a bad score). (These are best revoked by their owners, of course.) Unfortunately, these databases might be naively implemented as keyservers, or existing keyservers could start being burdened with "votes" in the form of signatures and/or revocations from any number of signers (voters). At most, you would only want to publish fingerprints of such keys rather than helping propagate and/or bloat them. 
Worse, how do you determine that some replayed signed content was indeed replayed? Does everyone now have to start publishing lists of the hashes for all their unencrypted, signed messages and the intended recipient(s) for each message? How would these lists be verified?

--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004

From benjamin at py-soft.co.uk Fri Oct 19 12:06:47 2007
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 19 Oct 2007 11:06:47 +0100
Subject: pinentry-mac never displays any UI [seems to be solved]
In-Reply-To:
References: <200710181654.05689.gnupg@mockies.de>
Message-ID: <471881B7.9070703@py-soft.co.uk>

Richard Bronosky wrote:
> By God, he's right! it was no-grab that was doing it.

Fantastic stuff! I'm a bit pushed for time at the moment, but hope to release a new version with the latest copy of gpg2 and pinentry soon.
Take care,

Ben

From malayter at gmail.com Fri Oct 19 14:06:10 2007
From: malayter at gmail.com (Ryan Malayter)
Date: Fri, 19 Oct 2007 07:06:10 -0500
Subject: PGP messages getting flagged as spam
In-Reply-To: <20071019035659.GA4074@wilma.widomaker.com>
References: <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org> <4715BB0A.7070904@sven-radde.de> <20071019035659.GA4074@wilma.widomaker.com>
Message-ID: <5d7f07420710190506m18a6ff94o9f47802851c2362a@mail.gmail.com>

You advocate a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid jerk for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

From mwood at IUPUI.Edu Fri Oct 19 15:11:19 2007
From: mwood at IUPUI.Edu (Mark H. Wood)
Date: Fri, 19 Oct 2007 09:11:19 -0400
Subject: PGP messages getting flagged as spam
In-Reply-To: <20071019035659.GA4074@wilma.widomaker.com>
References: <13225948.post@talk.nabble.com> <470C17CF.4000605@sixdemonbag.org> <8298be230710091718n2ff547cege0ea0577e956b4@mail.gmail.com> <20071015055434.GB85001@stow.eclipsed.net> <5d7f07420710150426i5e2c5520p99ca70d47dd1b5ce@mail.gmail.com> <20071017013058.GP85001@stow.eclipsed.net> <4715901E.5080505@sixdemonbag.org> <4715BB0A.7070904@sven-radde.de> <20071019035659.GA4074@wilma.widomaker.com>
Message-ID: <20071019131119.GA24070@IUPUI.Edu>

On Thu, Oct 18, 2007 at 11:56:59PM -0400, Jason Harris wrote:
> On Wed, Oct 17, 2007 at 09:34:34AM +0200, Sven Radde wrote:
> > Probably true, but how will spammers get signatures on their stuff that
> > are valid *for me*? They would have to compromise one of the keys that
> > are valid on my keyring or one that would be considered trustworthy by
> > means of the web-of-trust.
>
> Why not just take some signed content from a key in the strong set,
> like this message, and add some unsigned spam to it? It would be
> a great way to ruin keys by making them "spam-keys."

Why? I mean, what evidence is there that the owner of the key used to sign the signed content had anything to do with the unsigned content? Signed content in the interior of a message conveys no information about the trust one might choose to assign to the rest of the message. A properly written rule shouldn't care that there is signed content inside an unsigned message.

--
Mark H. Wood, Lead System Programmer mwood at IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.

From dshaw at jabberwocky.com Sun Oct 21 20:30:38 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 21 Oct 2007 14:30:38 -0400
Subject: Trouble with keyservers
In-Reply-To: <200710161128.57244.daniel@benoy.name>
References: <200710161128.57244.daniel@benoy.name>
Message-ID: <20071021183038.GA8977@jabberwocky.com>

On Tue, Oct 16, 2007 at 11:28:48AM -0400, Daniel Benoy wrote:
> Hi. I generated my key with the assistance of an experimental program
> called 'gnupg-pkcs11-scd' and my Aladdin eToken and I think the key that was
> generated is somehow messed up. When I exchange my public key with friends
> manually, they can encrypt to me just fine. But when they grab from a
> keyserver they can't.
The problem with your key on the keyserver is that you have a primary key that is tagged for Signing (signing data) and Certification (signing keys), and a subkey tagged for Authentication (proving you are you). You don't have any key or subkey for encryption.

Or to be more accurate, you DO have a key for encryption, but the keyserver isn't storing it. This is a well-known keyserver bug with the pksd keyserver software, but many sites refuse to stop running it, despite this and other bugs. If you use a keyserver running sks software, you'll be fine. I believe that pool.sks-keyservers.net has only sks servers in its mix.

David

From dougb at dougbarton.us Mon Oct 22 06:45:56 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Sun, 21 Oct 2007 21:45:56 -0700 (PDT)
Subject: Trouble with keyservers
In-Reply-To: <20071021183038.GA8977@jabberwocky.com>
References: <200710161128.57244.daniel@benoy.name> <20071021183038.GA8977@jabberwocky.com>
Message-ID:

On Sun, 21 Oct 2007, David Shaw wrote:

> Or to be more accurate, you DO have a key for encryption, but the
> keyserver isn't storing it. This is a well-known keyserver bug with
> the pksd keyserver software,

Out of curiosity, what software are the subkeys.pgp.net servers running? I've had pretty good luck with that pool but I would hate to think I'm not getting the complete picture. (Not to mention if I ever decide to generate a key with subkeys ...)

> but many sites refuse to stop running it, despite this and other bugs.
> If you use a keyserver running sks software, you'll be fine. I believe
> that pool.sks-keyservers.net has only sks servers in its mix.

Is there a way for us to tell that remotely?
Doug

--
If you're never wrong, you're not trying hard enough

From impulze at impulze.org Sat Oct 6 14:26:14 2007
From: impulze at impulze.org (Daniel Mierswa)
Date: Sat, 06 Oct 2007 12:26:14 -0000
Subject: gnupg refuses to work on a read-only filesystem
Message-ID: <4707686E.9070309@impulze.org>

What do I have to pass to gpg to work on a read-only filesystem and a homedir which is not available? Meaning to be forced to not create anything except messages on stdout and stderr and to be forced to not read anything except the key I want to decrypt. I tried passing the switches --keyring /dev/null (though I think this is not the right way to do it) --no-random-seed-file and --lock-never.

Thanks in advance.

--
Mierswa, Daniel

If you still don't like it, that's ok: that's why I'm boss. I simply know better than you do.
--- Linus Torvalds, comp.os.linux.advocacy, 1996/07/22

From dl1eec at t-online.de Sun Oct 7 18:35:08 2007
From: dl1eec at t-online.de (Hermann F. Schulze)
Date: Sun, 07 Oct 2007 18:35:08 +0200
Subject: GnuPG incompatible with windows-vista ?
References: 873b48jlmf.fsf__28062.0411308066$1173860404$gmane$org@wheatstone.g10code.de
Message-ID: <47090ABC.2040301@t-online.de>

Sorry Sir, unfortunately I cannot download the patched gpg.exe. May you help me?

Thanks

--
----
Hermann F. Schulze
Obere Waldstr.
13 D-42929 Wermelskirchen
FON: +49-2196-95460 MOBIL: +49-177-88-27788
EMail: dl1eec at t-online.de
Bank:Volksbank RS-SG BLZ: 340 600 94 KTO: 930 875
-----

From sven at radde.name Wed Oct 10 08:42:26 2007
From: sven at radde.name (Sven Radde)
Date: Wed, 10 Oct 2007 08:42:26 +0200
Subject: PGP messages getting flagged as spam
In-Reply-To: <470C17CF.4000605@sixdemonbag.org>
References: <470C17CF.4000605@sixdemonbag.org>
Message-ID: <470C7452.5090406@radde.name>

Hi!

Quite some time ago I have seen spams with an (obviously bogus) "---BEGIN PGP SIGNATURE---" + garbage part at the end of the mails. This might have had negative influence on some Bayesian databases.

Apart from creating a special Spamassassin module which actually verifies incoming emails, I would not know what to do about it.

So long,
Sven

From cklein at gmx.com Fri Oct 19 14:47:51 2007
From: cklein at gmx.com (Pitigrilli)
Date: Fri, 19 Oct 2007 05:47:51 -0700 (PDT)
Subject: Separate Fingerprint for elGamal-Subkey?
Message-ID: <13293739.post@talk.nabble.com>

Someone to whom I had recently sent my public key just called me to verify the Fingerprint of my key, created with gpg4win-1.1.3. I chose my key pair in the Windows privacy Tray and double clicked on it to tell him the fingerprint, and he confirmed it. The guy then told me "Now let's check the fingerprint of the elGamal-key." My reaction: "???". I could not find a separate fingerprint for the elGamal subkey (though there is a respective subkey in my public key), neither with this software nor in the GNU privacy assistant. I did some research on the web and did not find any references to a separate "elGamal-fingerprint". Thus the guy insisted that his PGP-Software does display it (unfortunately I do not know which SW he uses). I thought that there is only one fingerprint and that this would be sufficient to confirm the integrity of the public key. Can anyone please provide me with some information?
Thanks, Pitigrilli

From twy2shcn61kzj4d at mx0.wwwnew.eu Fri Oct 19 17:39:04 2007
From: twy2shcn61kzj4d at mx0.wwwnew.eu (christopher dubois)
Date: Fri, 19 Oct 2007 08:39:04 -0700 (PDT)
Subject: Public/Private Keys - Consequences
Message-ID: <13297247.post@talk.nabble.com>

Sorry I don't know much about this as I am just beginning, but what are the dangers if you submit your key to a keyserver and make it available to the public?

I am aware that users who want to communicate with me securely can import my key from a keyserver and add it to their keyring. But I want to know what are the dangers of this, if there's any. Can users use my key to forge/alter email documents and the likes?

Also, what is the difference between your public key and private key? What if someone has your private key, what can they do with it? Thanks in advance.

From Werner.Dittmann at t-online.de Sun Oct 21 14:47:16 2007
From: Werner.Dittmann at t-online.de (Werner Dittmann)
Date: Sun, 21 Oct 2007 14:47:16 +0200
Subject: Question regarding libgcrypt and openSuse 10.3
Message-ID: <471B4A54.30102@t-online.de>

All,

after updating to openSuse 10.3 I tried to rebuild a project that uses libgcrypt as a shared library. Using 10.2 I had no problems so far.
When linking my own shared library I get the following error message from libtool:

/bin/sh ../libtool --tag=CXX --mode=link g++ -g -O2 -D_GNU_SOURCE -I/usr/local/include -version-info 1:0:0 -release 0.9 -o libzrtpcpp.la -rpath /usr/local/lib ZIDFile.lo ZIDRecord.lo ZRtp.lo ZrtpCrc32.lo ZrtpPacketCommit.lo ZrtpPacketConf2Ack.lo ZrtpPacketConfirm.lo ZrtpPacketDHPart.lo ZrtpPacketGoClear.lo ZrtpPacketClearAck.lo ZrtpPacketHelloAck.lo ZrtpPacketHello.lo ZrtpPacketError.lo ZrtpPacketErrorAck.lo ZrtpStateClass.lo ZrtpTextData.lo Base32.lo ZrtpQueue.lo -L/usr/local/lib -pthread -lccgnu2 -ldl -lrt -L/usr/local/lib -pthread -lccrtp1 -lccgnu2 -ldl -lrt -L/lib64 -lgcrypt -L/lib64 -lgpg-error -lpthread
grep: /usr/lib64/libgcrypt.la: No such file or directory
/usr/bin/sed: can't read /usr/lib64/libgcrypt.la: No such file or directory
libtool: link: `/usr/lib64/libgcrypt.la' is not a valid libtool archive

seems that libgcrypt.la file is missing. During ./configure the libgcrypt was found. I've tried several versions during ./configure but none helped to solve the problem.

Is this a problem of libgcrypt or a problem of the openSuse 10.3 package? Of course I installed the devel packages :-)

Regards,
Werner D.

From rjh at sixdemonbag.org Mon Oct 22 12:14:18 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 22 Oct 2007 05:14:18 -0500
Subject: Separate Fingerprint for elGamal-Subkey?
In-Reply-To: <13293739.post@talk.nabble.com>
References: <13293739.post@talk.nabble.com>
Message-ID: <471C77FA.3030805@sixdemonbag.org>

Pitigrilli wrote:
> I thought that there is only one fingerprint and that this would be
> sufficient to confirm the integrity of the public key. Can anyone please
> provide me with some information?
Thanks, Pitigrilli

rjh at chronicles:~$ gpg --fingerprint --fingerprint --list-key 0x5b8709eb
pub 1024D/5B8709EB 2004-05-20
    Key fingerprint = B3FE 45FB 64FD 9C26 8D7D A064 7AE5 1D9C 5B87 09EB
<< uid lines snipped >>
sub 1024g/D0C6AAE4 2004-05-20
    Key fingerprint = AB04 6B60 C352 390A BE98 F44D C8F7 33D0 D0C6 AAE4
sub 2048g/71E177DB 2007-03-20
    Key fingerprint = 1946 3571 6DB0 8689 ECBA 3F9D 0083 E95E 71E1 77DB
sub 2048D/8D02BBB3 2007-03-20
    Key fingerprint = 400D F79C 49B5 2F00 8EC8 225D 7F65 C1CA 8D02 BBB3

Hope this example helps.

From rjh at sixdemonbag.org Mon Oct 22 12:17:42 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 22 Oct 2007 05:17:42 -0500
Subject: Public/Private Keys - Consequences
In-Reply-To: <13297247.post@talk.nabble.com>
References: <13297247.post@talk.nabble.com>
Message-ID: <471C78C6.4020709@sixdemonbag.org>

christopher dubois wrote:
> Sorry I don't know much about this as I am just beginning, but what are the
> dangers if you submit your key to a keyserver and make it available to the
> public?

Short answer: "dwarfed by the benefits" is the best answer.

Long answer: there's a marginal risk of increased spam. Most people agree that it will increase the amount of spam you get, but most also agree that you are unlikely to notice it unless you're _really_ paying attention.

> What if someone has your private key, what can they do with it?

If they have your private key and your passphrase, then they can do anything you can do. If they have one or the other, they're out of luck.

If you want a more detailed answer than this, I'd recommend reading some documentation on how OpenPGP works.
E.g.: http://en.wikipedia.org/wiki/Pretty_Good_Privacy

From dave.smith at st.com Mon Oct 22 12:33:33 2007
From: dave.smith at st.com (David SMITH)
Date: Mon, 22 Oct 2007 11:33:33 +0100
Subject: Public/Private Keys - Consequences
In-Reply-To: <13297247.post@talk.nabble.com>
References: <13297247.post@talk.nabble.com>
Message-ID: <20071022103333.GC2308@bristol.st.com>

On Fri, Oct 19, 2007 at 08:39:04AM -0700, christopher dubois wrote:
>
> Sorry I don't know much about this as I am just beginning, but what are the
> dangers if you submit your key to a keyserver and make it available to the
> public?

When you "submit your key to a keyserver", you only submit the public part. You keep the private part to yourself. The private part is the bit that you need to sign messages with your signature, or to decrypt messages that have been encrypted with your public key. You never give your private key away.

By default, GnuPG's options are organised intelligently so that GnuPG doesn't give away private keys without a fight - the normal "send" or "export" commands will only send or export public keys. Secret keys can only be obtained using different options which make it clear that you are dealing with secret keys rather than public ones. e.g. compare the "--export" option with the "--export-secret-keys" one.

> I am aware that users who want to communicate with me securely can import my
> key from a keyserver and add it to their keyring. But I want to know what
> are the dangers of this, if there's any. Can users use my key to forge/alter
> email documents and the likes?

No, you need the private key to do that, which you don't give away.

> Also, what is the difference between your public key and private key?

To put it simply, the private key is used for generating signatures and for decrypting messages encrypted with the public key.
The public key is used for encrypting messages (that can then only be decrypted with the private key), and for checking signatures that were generated with the private key.

> What if someone has your private key, what can they do with it? Thanks
> in advance.

Sign messages as you, and decrypt all messages sent to you. Don't give it away.

--
David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305    Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380             GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at st.com
BRISTOL, BS32 4SQ  | Home Email: David.Smith at ds-electronics.co.uk

From dshaw at jabberwocky.com Mon Oct 22 13:53:00 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 22 Oct 2007 07:53:00 -0400
Subject: Trouble with keyservers
In-Reply-To:
References: <200710161128.57244.daniel@benoy.name> <20071021183038.GA8977@jabberwocky.com>
Message-ID: <20071022115300.GB11277@jabberwocky.com>

On Sun, Oct 21, 2007 at 09:45:56PM -0700, Doug Barton wrote:
> On Sun, 21 Oct 2007, David Shaw wrote:
>
> > Or to be more accurate, you DO have a key for encryption, but the
> > keyserver isn't storing it. This is a well-known keyserver bug with
> > the pksd keyserver software,
>
> Out of curiosity, what software are the subkeys.pgp.net servers running?
> I've had pretty good luck with that pool but I would hate to think I'm not
> getting the complete picture. (Not to mention if I ever decide to generate
> a key with subkeys ...)

subkeys.pgp.net is running a mix of sks and pksd. The history of pgp keyservers is a little messy, but essentially subkeys.pgp.net means "won't destroy your key with multiple subkeys" and not "stores the complete key and all subkeys". The distinction is crucial. ;)

I suspect the reason this hasn't been a bigger problem is that most people have only one subkey, so they never see this.

> > but many sites refuse to stop running it, despite this and other bugs.
> > If you use a keyserver running sks software, you'll be fine. I believe
> > that pool.sks-keyservers.net has only sks servers in its mix.
>
> Is there a way for us to tell that remotely?

One way is to add "--keyserver-options debug" to your command when you hit a keyserver. GPG will print out some information, including a line like:

  Server: sks_www/1.0.10
  Server: pks_www/0.9.6

sks is sks, and pks is pksd.

David

From dshaw at jabberwocky.com Mon Oct 22 14:03:02 2007
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 22 Oct 2007 08:03:02 -0400
Subject: Separate Fingerprint for elGamal-Subkey?
In-Reply-To: <13293739.post@talk.nabble.com>
References: <13293739.post@talk.nabble.com>
Message-ID: <20071022120302.GC11277@jabberwocky.com>

On Fri, Oct 19, 2007 at 05:47:51AM -0700, Pitigrilli wrote:
>
> Someone to whom I had recently sent my public key just called me to verify
> the Fingerprint of my key, created with gpg4win-1.1.3. I chose my key pair
> in the Windows privacy Tray and double clicked on it to tell him the
> fingerprint, and he confirmed it. The guy then told me "Now let's check the
> fingerprint of the elGamal-key." My reaction: "???". I could not find a
> separate fingerprint for the elGamal subkey (though there is a respective
> subkey in my public key), neither with this software nor in the GNU privacy
> assistant. I did some research on the web and did not find any references to
> a separate "elGamal-fingerprint". Thus the guy insisted that his
> PGP-Software does display it (unfortunately I do not know which SW he uses).
> I thought that there is only one fingerprint and that this would be
> sufficient to confirm the integrity of the public key. Can any please
> provide me with some information? Thanks, Pitigrilli

To list both primary and subkey fingerprints, just list --fingerprint twice:

  gpg --fingerprint --fingerprint

However, you are correct that (outside of some special circumstances) the primary key fingerprint is sufficient.
When you identify an OpenPGP key, you are really identifying the primary key. The user IDs are attached to the primary. When you sign a key for someone, you are signing the primary and user ID. Subkeys get their 'trust' via a signature from the primary key, not directly.

David

From email at sven-radde.de Mon Oct 22 14:24:39 2007
From: email at sven-radde.de (Sven Radde)
Date: Mon, 22 Oct 2007 14:24:39 +0200
Subject: Separate Fingerprint for elGamal-Subkey?
In-Reply-To: <13293739.post@talk.nabble.com>
References: <13293739.post@talk.nabble.com>
Message-ID: <471C9687.7000404@sven-radde.de>

Hi!

Pitigrilli wrote:
> I thought that there is only one fingerprint and that this would be
> sufficient to confirm the integrity of the public key.

All your subkeys are signed by your primary key (see "gpg --list-sigs", the lines with "sig" after each "sub" line). Therefore, verifying the fingerprints of subkeys is not necessary (or particularly sensible - IMHO) if the main fingerprint and its signatures on the subkeys are OK.

cu, Sven

From shavital at mac.com Mon Oct 22 20:11:37 2007
From: shavital at mac.com (Charly Avital)
Date: Mon, 22 Oct 2007 14:11:37 -0400
Subject: For Mac users: the oncoming Mac OS X 10.5 "Leopard"
Message-ID: <471CE7D9.70300@mac.com>

Thanks in advance for any information from any Mac user or Mac developer that has already tested GnuPG, and gpg2, as well as Thunderbird+Enigmail under the new operating system.

I have read that users of PGP (PGP Corporation) expect unpleasant surprises.

Charly

From rjh at sixdemonbag.org Mon Oct 22 20:24:25 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Mon, 22 Oct 2007 13:24:25 -0500
Subject: For Mac users: the oncoming Mac OS X 10.5 "Leopard"
In-Reply-To: <471CE7D9.70300@mac.com>
References: <471CE7D9.70300@mac.com>
Message-ID: <471CEAD9.9030407@sixdemonbag.org>

Charly Avital wrote:
> Thanks in advance for any information from any Mac user or Mac developer
> that has already tested GnuPG, and gpg2, as well as Thunderbird+Enigmail
> under the new operating system.

I will eat my own hat if GnuPG has any problems whatsoever with Leopard. From all that I know of Leopard, GnuPG will continue to work just fine.

I will be getting Leopard very soon after release. If there are any problems, I will (a) post them to the list and (b) post my favorite recipes involving hats.

From bahamut at digital-signal.net Mon Oct 22 21:26:51 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Mon, 22 Oct 2007 14:26:51 -0500
Subject: For Mac users: the oncoming Mac OS X 10.5 "Leopard"
In-Reply-To: <471CEAD9.9030407@sixdemonbag.org>
References: <471CE7D9.70300@mac.com> <471CEAD9.9030407@sixdemonbag.org>
Message-ID: <471CF97B.7040303@digital-signal.net>

Robert J. Hansen wrote:
> I will eat my own hat if GnuPG has any problems whatsoever with
> Leopard. From all that I know of Leopard, GnuPG will continue to
> work just fine.
>
> I will be getting Leopard very soon after release. If there are
> any problems, I will (a) post them to the list and (b) post my
> favorite recipes involving hats.

I think (if there are problems) you should post a video of yourself eating the hat. However, we should have a vote for recipes, with the winning recipe being the one you'd use. Also, what kind of hat is it?
--
Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.6 | Enigmail 0.95.3 | GPG 1.4.7
Key ID: 0xF88E034060A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB

From rah at shipwright.com Tue Oct 23 00:52:00 2007
From: rah at shipwright.com (R.A. Hettinga)
Date: Mon, 22 Oct 2007 18:52:00 -0400
Subject: For Mac users: the oncoming Mac OS X 10.5 "Leopard"
In-Reply-To: <471CF97B.7040303@digital-signal.net>
References: <471CE7D9.70300@mac.com> <471CEAD9.9030407@sixdemonbag.org> <471CF97B.7040303@digital-signal.net>
Message-ID:

At 2:26 PM -0500 10/22/07, Andrew Berg wrote:
>However, we should have a vote for recipes,
>with the winning recipe being the one you'd use.

Somebody break out the Bass-o-Matic '76's (no, not *that* Bass-o-Matic) rag-trade cousin, the fabulous Hat-o-Matic 2000 or H2K, to its friends...

Not to be confused, of course, with Metcalfe's Pulp-o-Matic...

Cheers,
RAH
Who's waiting for the dust to settle on Panther, himself...
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation
44 Farquhar Street, Boston, MA 02131 USA
"Externalities are the last refuge of the dirigistes."
-- Friedrich Hayek

From noiano at x-privat.org Fri Oct 26 17:00:32 2007
From: noiano at x-privat.org (Noiano)
Date: Fri, 26 Oct 2007 17:00:32 +0200
Subject: Multiple recipients encryption
Message-ID:

Hello everybody
I was wondering about how gnupg works when I encrypt a message for multiple recipients. As long as I know public-key encryption works as described in this image http://upload.wikimedia.org/wikipedia/commons/f/f9/Public_key_encryption.svg. But how about using multiple public keys? I really cannot figure it out.

Thanks for your time

Noiano

From sadam at clemson.edu Fri Oct 26 19:03:01 2007
From: sadam at clemson.edu (Adam Schreiber)
Date: Fri, 26 Oct 2007 13:03:01 -0400
Subject: Multiple recipients encryption
In-Reply-To:
References:
Message-ID: <8298be230710261003q41a1ccdfy230ad3ec9b15d356@mail.gmail.com>

On 10/26/07, Noiano wrote:
> I was wondering about how gnupg works when I encrypt a message for
> multiple recipients. As long as I know public-key encryption works as
> described in this image
> http://upload.wikimedia.org/wikipedia/commons/f/f9/Public_key_encryption.svg.
> But how about using multiple public keys? I really cannot figure it out.

When you encrypt data a session key is generated to encrypt the data and the session key is then encrypted with the recipient's public key. When there are multiple recipients, the session key is encrypted with each one's public key.

Cheers,

Adam

From wk at gnupg.org Fri Oct 26 16:14:26 2007
From: wk at gnupg.org (Werner Koch)
Date: Fri, 26 Oct 2007 16:14:26 +0200
Subject: [Announce] Libgcrypt 1.3.1 released
Message-ID: <87tzoem08t.fsf@wheatstone.g10code.de>

Hello!

We are pleased to announce the availability of Libgcrypt 1.3.1.
This is the second release of a series of development versions eventually leading to a new stable 1.4 series.

Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use libgcrypt.

Changes compared to 1.3.1 are:

 * The entire library is now under the LGPLv2. The helper programs and the manual are under the GPLv2. Kudos to Peter Gutmann for giving permissions to relicense the rndw32 and rndunix modules.

 * The Camellia cipher is now under the LGPL and built by default.

 * Fixed a bug in the detection of symbol prefixes which inhibited the build of optimized assembler code on certain systems.

 * Updated the entropy gatherer for W32.

Source code is hosted at the GnuPG FTP server and its mirrors as listed at http://www.gnupg.org/download/mirrors.html . On the primary server the source file and its digital signature is:

 ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.3.1.tar.bz2 (930k)
 ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/libgcrypt-1.3.1.tar.bz2.sig

This file is bzip2 compressed. The SHA-1 checksum is:

 eea6aea27d7e12297630de6b4fcba1b486c809c8 libgcrypt-1.3.1.tar.bz2

For help on developing with Libgcrypt you should send mail to the gcrypt-devel mailing list [1].

Improving Libgcrypt is costly, but you can help! We are looking for organizations that find Libgcrypt useful and wish to contribute back. You can contribute by reporting bugs, improve the software [2], or by donating money.

Commercial support contracts for Libgcrypt are available [3], and they help finance continued maintenance. g10 Code GmbH, a Duesseldorf based company, is currently funding Libgcrypt development. We are always looking for interesting development projects.

Happy hacking,

 Werner

[1] See http://www.gnupg.org/documentation/mailing-lists.html .
[2] Note that copyright assignments to the FSF are required.
[3] See the service directory at http://www.gnupg.org/service.html .

--
Thoughts are free. Exceptions are regulated by a federal law.

From dougb at dougbarton.us Sat Oct 27 01:59:21 2007
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 26 Oct 2007 16:59:21 -0700 (PDT)
Subject: Multiple recipients encryption
In-Reply-To:
References:
Message-ID:

On Fri, 26 Oct 2007, Noiano wrote:
> Hello everybody
> I was wondering about how gnupg works when I encrypt a message for
> multiple recipients.

Imagine that "the encryption" of your message is a giant fence built around it. In the fence is a gate, and the gate is secured by a chain. If you encrypt the message to only one recipient, one lock is attached to the chain, and only the person who has the key to that lock can open it.

Now imagine that you add a second lock, but you add it between the first lock and the chain. In other words, the shackle of the second lock passes through the chain on one side, and the shackle of the first lock on the other. Now the person with key to the first lock can open it, and a person with a key to the second lock can open that one. Either person can get access to the message by opening their lock, but neither person can open the other's lock.

Make sense?

Doug

--
If you're never wrong, you're not trying hard enough

From rjh at sixdemonbag.org Sat Oct 27 04:14:07 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Fri, 26 Oct 2007 21:14:07 -0500
Subject: GnuPG 1.4.7 and OS X 10.5
Message-ID: <47229EEF.9060805@sixdemonbag.org>

I'm currently running GnuPG 1.4.7 on OS X 10.5 (Leopard). While I haven't done any serious regression testing, routine operations appear to work just fine. Thunderbird 2.0.0.6 + Enigmail 0.95.4 also work without problem.

I know some people were concerned about possible problems with the OS X upgrade. So far, it appears to be a nonissue. Some plugins which depend on Mail.app internals (such as GPGMail) may or may not work; for those plugins you'll have to ask the developers directly.

From bahamut at digital-signal.net Sat Oct 27 04:45:07 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Fri, 26 Oct 2007 21:45:07 -0500
Subject: GnuPG 1.4.7 and OS X 10.5
In-Reply-To: <47229EEF.9060805@sixdemonbag.org>
References: <47229EEF.9060805@sixdemonbag.org>
Message-ID: <4722A633.4080609@digital-signal.net>

Robert J. Hansen wrote:
> I'm currently running GnuPG 1.4.7 on OS X 10.5 (Leopard). While I
> haven't done any serious regression testing, routine operations
> appear to work just fine.

Damn. And I was hoping you'd get your fiber for the day. *still hoping for a hat-py ending*

Grr...
forgot to change the recipient.

--
Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.6 | Enigmail 0.95.4 | GPG 1.4.7
Key ID: 0xF88E034060A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB

From nicolas.pillot at gmail.com Sun Oct 28 01:34:47 2007
From: nicolas.pillot at gmail.com (Nicolas Pillot)
Date: Sun, 28 Oct 2007 01:34:47 +0200
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
Message-ID: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>

[ Disclaimer ]

This post is at the same time a real-life story, and a request for ideas. I hope the tone of it won't be too boring, and well, if you're impatient, just skip to the end ! (namely [ Enter the questions ])

[ Intro ]

Good evening to all of you. This is my first post on this list, so don't hesitate if it's the wrong place to ask for what i'll discuss here. I hope i've hit the most general list, as my question isn't exactly linked to gnupg, though it has been my tool of choice for some years now.

I come tonight, because, as you could guess, i have a "small" problem. "Small" in that it's not über-vital, but problematic enough for me to be open for any kind of solution, whatever it might be. Let me explain my situation and questions, for if you could give any hint, it'll make my day.

Ages back, i installed some linux distribution. Later on, i heard about public key encryption schemes.
Enters gnupg, which generated my very first pair of keys, on 24th april 2001. As all newbies are tempted to, i had it to never expire, and published it on a keyserver. I have been using it ever since, without any trouble, until this god-forgotten 21st october 2007. A bloody sunday, as the song says.

On that very day, my hard drive gave an unexpected error and died a horrible death. All in all, not a surprise, as it was quite old. data-wise, it was no big trouble as my data are carefully backed up. The day after, i bought two new drives, set them as raid (this is my first raid setup) and installed a new system, restored my data. Everything was almost perfect.

[ Back to the problem ]

Even though my "normal" data are backed up twice (once on a distant server, and once on removable media), the "immensely valuable/sensitive/priceless/unique" data (ie, my key) is not backed up on the same scheme. Instead, when i created the key pair, i immediately generated a revocation certificate. I then exported the private and public keys, along with fingerprint, in an ascii file. I stored the .gnupg folder, the revocation certificate, and the exported ascii versions on a brand new, dedicated, whopping 32MB usb stick. I printed the revocation certificate and put it in an archive box by my grandmother (separate building 450km away), and stored the USB stick in a box on a shelf in my basement.

You might call me paranoid, but i just did so to avoid the potential trouble some people were having on the forum. It was an effortless process at that time, and i thought i'd be safe. On 5th may 2002, about one year later, i lost my hard drive due to a corrupted FAT and started to panic until i remembered the usb-stick, which gave me my keys back after a system re-install. I was happy i did a backup.

So, this monday, 23rd oct, i walked confidently down to the basement, opened the box, picked the stick, and walked back to the pc, almost whistling. I mounted it, read-only, or, well....
tried to mount it. After a big *shrug*, i realized it wouldn't mount whatever i tried to do. I tried on a windows laptop, and went to a friend's place to see if his OSX had better chance to access my data. Nothing helped. My .gnupg folder and ascii keys are unavailable. And as such, my encrypted data seems to be lost.

After a while, i realized there were not many solutions, and the only thing i could do to get things done in any kind of right way was to get my hands back on the revocation certificate. It might even be a good reason to drive all the way and pay a visit to my grand'ma, after all. That's what i did today. She was happy to see me, and in good shape, but it's out of topic.

After a while, i climbed in the attic, where the family treasures lie, and among them, the so-sought revocation certificate. I opened the archive box, searched various papers, and found it. Then cursed myself. The paper was starting to turn yellowish on the edges, and the (black) ink had turned dim, even gray in some areas, and well, the document wasn't in outstanding shape. And though most of it was perfectly readable, there are some small parts, which are quite blurred (due to humidity ?) and well, i suddenly wondered if there was any curse hanging over my head.

I made a mental note : don't ever, ever, ever print something important on a cheap bubble-jet printer using discount ink cartridge. Either do that and then xerox it, or print it on a laser printer. Using large font-size, and finally, don't use "courier" as i did even if you initially thought it'd be ok. Because now, i'm stuck with a bunch of c/o, I/1, 0/O, and even some h/b i can't for the love of god figure out who is who. After careful reading, and although it's very short, i have exactly 8-9 characters i can't read at all, as the others can be guessed.
Had i printed it via something like "DejaVu sans mono", where small L and ones look different, and where zeros have an inside center dot, well, the task would've been easy. Or i could have printed it twice, or even five times on the same sheet using different fonts !

Here comes the Sad-result-of-a-cursed-day :
- i have lost the digital versions of my .gnupg, ascii pub/priv keys due to a failing usb stick which hadn't been used for 5+ years.
- this means i have lost all my encrypted data (mainly accounting information, real-life & web password database, and some old work-related documents important enough to keep a personal encrypted version at home).
- i have a partial printed revocation certificate with 8 unreadable characters, which means i can't disable the published key.
- this means, furthermore, that even if there are only few people who were using my public key, they could still use it to encrypt, even if it's quite useless.
- It seems like i offered the world another confusing key which would never expire. Hurray !

If i'm wrong on any of these 5 points, don't hesitate to say so !

Even if the double failure is quite irritating, i can do nothing but accept murphy's law. But i'm not here to cry, however tempting it might be ;) After all this, i created a new pair of keys, expiring in 1 year, for which i'll change the expiration regularly. I made a revocation certificate, i backed everything up in 3 different places/medium, and printed it 3 times. paranoïd, eh ? Now, i just wait to see if i could get some answers to the questions below before publishing the new public key.

[ Enter the questions ]

Q1: I have the public key (0x26A2F0AE if it's of any use), i know the secret key passphrase perfectly. Is there any way i could re-compute / restore / whatever the secret part using this information ? I browsed the list up to feb 2006, and didn't find any "Lost private key with known passphrase"-like post. So i guess it's not possible.
Q2: To try and make things straight, i would like to at least revoke the key. The 8 characters cannot be guessed at any price, as they are completely blurred. This means there are theoretically 64^8 possible combinations. If i import only the public key into my keyring, and then brute-force change the 8 unknown bytes in the certificate, and each time try to import it, gpg will tell me "read error: invalid keyring" a zillion times, but in the end it'll find the good one. My question is : can a revocation certificate be applied into the keyring if you only have the public key. I guess so, as the keyservers only have the public key.

Note that while the answer to Q1 is of immense value, Q2 is only a ground for a "practical exercise", which might be undertaken to make things clean, as my data is lost forever.

[ Conclusion ]

This post might be long, but i wanted to share my feelings and thoughts with the community, namely these points :
- You have to balance the amount of key backups vs the security of the given backup locations
- Always make a revocation certificate. Back it up using the same scheme as for keys.
- Additionally, print all the invaluable data (private keys, certificate). Using different fonts. Using laser/xerox. Even make a non-digital (optical/film) photograph of it. These last decades ;)
- ... Pray.
- And remember that even if it looks like you're overly-safe, everything might fail. And will.

Thanks for reading, i wish you all good night.
--
Nicolas Pillot (nicolas.pillot at gmail.com)

From atom at smasher.org Sun Oct 28 07:51:51 2007
From: atom at smasher.org (Atom Smasher)
Date: Sun, 28 Oct 2007 19:51:51 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
Message-ID: <20071028065154.22608.qmail@smasher.org>

On Sun, 28 Oct 2007, Nicolas Pillot wrote:

> You might call me paranoid, but i just did so to avoid the potential
> trouble some people were having on the forum.
=================

seems like reasonable things to do...

> I mounted it, read-only, or, well.... tried to mount it. After a big
> *shrug*, i realized it wouldn't mount whatever i tried to do. I tried on
> a windows laptop, and went to a friend's place to see if his OSX had
> better chance to access my data. Nothing helped. My .gnupg folder and
> ascii keys are unavailable. And as such, my encrypted data seems to be
> lost.
=================

i wouldn't count on it, but there might be a chance that you can read from it using dd, copy it to a file, then try to recover data from that. worth a shot, but in all likelihood, you're beat.

> Q1: I have the public key (0x26A2F0AE if it's of any use), i know the
> secret key passphrase perfectly. Is there any way i could re-compute /
> restore / whatever the secret part using this information ? I browsed
> the list up to feb 2006, and didn't find any "Lost private key with
> known passphrase"-like post. So i guess it's not possible.
===================

if that was feasible, pgp wouldn't be worth much.

> question is : can a revocation certificate be applied into the keyring
> if you only have the public key. I guess so, as the keyservers only have
> the public key.
===================

yes.

other thoughts...
in theory, if you're *really* using a strong pass-phrase, you can publish your private key in a public place and rest secure in the knowledge that no known technology can break your 100+ character pass-phrase... and if a hard drive or several go up in smoke you can recover a copy from google's cache ;)

one thing i've thought about is using a one-time-pad to break a private key into 2 (or more) shares. then send (using secure channels) each share to one or more trusted persons who don't know each other. maybe put one of the shares in a bank safe. if all of your hard drives explode on the same day you can collect the shares and reconstruct your key.

--
...atom

________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------

Bob Woodward: "How do you think history will regard the war in Iraq?"
George "dubya" Bush: "It won't matter. We'll all be dead."

From email at sven-radde.de Sun Oct 28 10:07:04 2007
From: email at sven-radde.de (Sven Radde)
Date: Sun, 28 Oct 2007 10:07:04 +0100
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
Message-ID: <47245138.9020402@sven-radde.de>

Hi!

Nicolas Pillot wrote:
> Here comes the Sad-result-of-a-cursed-day :
> - i have lost the digital versions of my .gnupg, ascii pub/priv keys
> due to a failing usb stick which hadn't been used for 5+ years.
> - this means i have lost all my encrypted data (mainly accounting
> information, real-life & web password database, and some old
> work-related documents important enough to keep a personal encrypted
> version at home).
> - i have a partial printed revocation certificate with 8 unreadable
> characters, which means i can't disable the published key.
> - this means, furthermore, that even if there are only few people who
> were using my public key, they could still use it to encrypt, even if
> it's quite useless.
> - It seems like i offered the world another confusing key which would
> never expire. Hurray !
> If i'm wrong on any of these 5 points, don't hesitate to say so !

You are quite right with all of the 5 points.

> Q1: I have the public key (0x26A2F0AE if it's of any use), i know the
> secret key passphrase perfectly. Is there any way i could re-compute /
> restore / whatever the secret part using this information ?

No. The passphrase is in no way connected to the actual private key material. It is only used to encrypt that key material. This would be an ideal compression scheme, if it was possible to do ;-)

> Q2: To try and make things straight, i would like to at least revoke
> the key. (...) My
> question is : can a revocation certificate be applied into the keyring
> if you only have the public key.

If you can get the revocation cert working again, then yes, you can revoke the key. Just import your public key from a keyserver, import the revocation cert ("gpg --import ...") and then re-submit the key to the keyserver.

If you cannot recover the certificate, you are out of luck again. Revoking a key is essentially a special kind of signature and you would need the private key for that.

Maybe the developers can come up with some special hints that would save you the hassle of brute-force-importing the revocation cert into GnuPG. The ASCII-armored GnuPG outputs contain CRC information which could be used to speed up the process using a suitably smart algorithm.

NB: This is an example where setting an expiration date on your key would have helped (which is about the only thing you did 'wrong' in your key safety preparations).

Regarding the secure long-term storage of key material and/or revocation certs, you might want to search the archives for the subjects "Printing Keys and using OCR."
and "Proofreadable base64" which could be interesting.

HTH, Sven

From rjh at sixdemonbag.org Sun Oct 28 10:10:24 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 28 Oct 2007 04:10:24 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028065154.22608.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org>
Message-ID: <47245200.7060507@sixdemonbag.org>

Atom Smasher wrote:
> in theory, if you're *really* using a strong pass-phrase, you can
> publish your private key in a public place and rest secure in the
> knowledge that no known technology can break your 100+ character
> pass-phrase... and if a hard drive or several go up in smoke you can
> recover a copy from google's cache ;)

This is true in practice, too, as long as some caveats are met.

> one thing i've thought about is using a one-time-pad to break a
> private key into 2 (or more) shares. then send (using secure
> channels) each share to one or more trusted persons who don't know
> each other. maybe put one of the shares in a bank safe. if all of
> your hard drives explode on the same day you can collect the shares
> and reconstruct your key.

Ack! Ack! One time pads! Ack!

I really, really wish the Vernam cipher was either lesser known or better known. If it was lesser known, fewer people would advise ever using it. If it was better known, more people would understand its phenomenal shortcomings.

Point blank: unless you can spend a lot of money on training and infrastructure, you are almost always better off using conventional crypto. The Vernam cipher is /expensive/ to use properly, precisely because it is so unforgiving of any kind of failing.

The secret sharing idea isn't a bad one, but using the Vernam cipher to do it is a very bad idea. The Shamir Secret-Sharing Protocol works much, much better for this purpose.
From rjh at sixdemonbag.org Sun Oct 28 10:25:39 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 28 Oct 2007 04:25:39 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <47245138.9020402@sven-radde.de>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <47245138.9020402@sven-radde.de>
Message-ID: <47245593.8030004@sixdemonbag.org>

Just to head a question off at the pass...

Sven Radde wrote:
>> Q1: I have the public key (0x26A2F0AE if it's of any use), i know the
>> secret key passphrase perfectly. Is there any way i could re-compute /
>> restore / whatever the secret part using this information ?
>
> No. The passphrase is in no way connected to the actual private key
> material. It is only used to encrypt that key material.

I said "yes, it's possible, but totally impractical". Sven has said "no, it's not". As is often the case when talking about crypto, both answers are totally correct.

Sven is answering the question of "can I recover the private key, knowing the passphrase". He's right. The passphrase doesn't help you here.

I'm answering the question of "can I recover the private key, knowing the public key". I'm right. The task moves from categorically impossible to theoretically possible. However, the practical difficulties are presently insurmountable.
From email at sven-radde.de Sun Oct 28 10:37:55 2007
From: email at sven-radde.de (Sven Radde)
Date: Sun, 28 Oct 2007 10:37:55 +0100
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028065154.22608.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org>
Message-ID: <47245873.2030401@sven-radde.de>

Atom Smasher wrote:
> in theory, if you're *really* using a strong pass-phrase, you can publish
> your private key in a public place and rest secure in the knowledge that
> no known technology can break your 100+ character pass-phrase... and if a
> hard drive or several go up in smoke you can recover a copy from google's
> cache ;)

A few thoughts on this:
- You could use the very long passphrase, upload the secret key to somewhere and then change the passphrase back to a shorter one for daily use.
- Instead of doing this, you could just take your secring.gpg, encrypt it using "gpg --symmetric" with a really long passphrase and publish the result.
- You don't really have to publish the so-encrypted file. Just storing it at one place (or more than one) that is unlikely to fail at the same time when your local hard disk does will do, too. Think of your work PC, your webhoster's server, some other remote server or whatever. Having the thing in Google's cache is not necessary (there are no guarantees that this really is a persistent storage).
- To ensure the accessibility you might schedule a daily cronjob that does an MD5-calculation on the backup file and compares this against the known good value. Once things differ, you know that your backup is in danger.

In fact, this is the thing that failed with Nicolas' backup strategy: The backup became corrupted without him noticing and thus he could not recover from the subsequent failure of the primary copy.
cu, Sven

From atom at smasher.org Sun Oct 28 11:05:55 2007
From: atom at smasher.org (Atom Smasher)
Date: Sun, 28 Oct 2007 23:05:55 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <47245873.2030401@sven-radde.de>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245873.2030401@sven-radde.de>
Message-ID: <20071028100558.91492.qmail@smasher.org>

On Sun, 28 Oct 2007, Sven Radde wrote:
> Atom Smasher wrote:
>
>> in theory, if you're *really* using a strong pass-phrase, you can
>> publish your private key in a public place and rest secure in the
>> knowledge that no known technology can break your 100+ character
>> pass-phrase... and if a hard drive or several go up in smoke you can
>> recover a copy from google's cache ;)
>
> A few thoughts on this: - You could use the very long passphrase, upload
> the secret key to somewhere and then change the passphrase back to a
> shorter one for daily use.
============
and then inevitably forget what you used for the *really* secure 100+ character pass-phrase, because you never use it.

> - Instead of doing this, you could just take your secring.gpg, encrypt
> it using "gpg --symmetric" with a really long passphrase and publish the
> result.
===============
see above.

but this has me thinking... why not combine the "hidden in plain sight" part with the encrypted part using steganography... use a reasonably strong passphrase ("reasonable" depends on the needs of the end user) for your secret key, then hide it in a JPG and post it in a public place. if you use `outguess` (i'm not sure about other tools) you can even require a pass-phrase to get the data in/out of the image file, not to mention that outguess provides a plausible deniability feature.

i know...
to many people on this list steganography, like one time pads, is more of a toy than a real crypto solution, but compared to posting a secret key in a public (or even an insecure non-public) place i'd say it's "better than nothing".

even with a reasonably strong pass-phrase i wouldn't want to walk around with my secret key on a flash-drive with my physical keys, but hidden in a JPG of family/friends/pets it would be easily overlooked if i lost possession of the flash-drive. and if all of my drives picked the same day to die, i'd have a recoverable copy of the secret key.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"They have computers, and they may have other weapons of mass destruction."
-- Janet Reno, US Attorney General, 27 Feb 1998

From atom at smasher.org Sun Oct 28 11:42:48 2007
From: atom at smasher.org (Atom Smasher)
Date: Sun, 28 Oct 2007 23:42:48 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <47245200.7060507@sixdemonbag.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org>
Message-ID: <20071028104249.13786.qmail@smasher.org>

On Sun, 28 Oct 2007, Robert J. Hansen wrote:
> Ack! Ack! One time pads! Ack!
>
> I really, really wish the Vernam cipher was either lesser known or
> better known. If it was lesser known, fewer people would advise ever
> using it. If it was better known, more people would understand its
> phenomenal shortcomings.
>
> Point blank: unless you can spend a lot of money on training and
> infrastructure, you are almost always better off using conventional
> crypto. The Vernam cipher is /expensive/ to use properly, precisely
> because it is so unforgiving of any kind of failing.
>
> The secret sharing idea isn't a bad one, but using the Vernam cipher to
> do it is a very bad idea. The Shamir Secret-Sharing Protocol works
> much, much better for this purpose.
==================
used for general purpose crypto; yeah, it sucks. as you mentioned the training and infrastructure required to deploy it make it impractical. but the only skill required to hold a share of a secret is to not lose it, and maybe to destroy it if needed. training and infrastructure issues don't apply.

1) there are some very simple OTP applications that let you use your favorite random sources (lava-lamp, cosmic-ray detector, CCD camera watching traffic, etc) and generate cipher text. maybe someone is using an RSS from slashdot as a random source, but it's just as easy to use a decent source of entropy.

2) AFAIK the shamir secret sharing protocol is great in theory, but there just aren't any practical ways to use it (read: applications). i really don't want to do all that math by hand any time i want to break a secret into shares, or reassemble them.

i wouldn't generally advocate a vernam cipher for encrypting messages, but i think it is the best real-world-practical way to do secret sharing (at least until someone builds an application that ~uses~ a real secret sharing algorithm). the only practical drawback is that it doesn't support thresholds... if one share is missing the secret cannot be recovered. the only way around this is to make sure that each share is held by more than one person.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The hottest places in hell are reserved for those who in times of great moral crises maintain their neutrality."
-- Dante Alighieri (1265-1321)

From atom at smasher.org Sun Oct 28 12:00:17 2007
From: atom at smasher.org (Atom Smasher)
Date: Mon, 29 Oct 2007 00:00:17 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028100558.91492.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245873.2030401@sven-radde.de> <20071028100558.91492.qmail@smasher.org>
Message-ID: <20071028110019.30318.qmail@smasher.org>

On Sun, 28 Oct 2007, Atom Smasher wrote:

responding to self...

> even with a reasonably strong pass-phrase i wouldn't want to walk around
> with my secret key on a flash-drive with my physical keys, but hidden in
> a JPG of family/friends/pets it would be easily overlooked if i lost
> possession of the flash-drive. and if all of my drives picked the same
> day to die, i'd have a recoverable copy of the secret key.
=================
now this has me thinking.... take a picture with your digital camera; hide your secret key in it; put the image back on the camera's flash-card. no one would ever think of looking for your key there. unless they're reading this thread. oh-well.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man."
-- George Bernard Shaw

From rjh at sixdemonbag.org Sun Oct 28 12:08:18 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Sun, 28 Oct 2007 06:08:18 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028100558.91492.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245873.2030401@sven-radde.de> <20071028100558.91492.qmail@smasher.org>
Message-ID: <47246DA2.7070801@sixdemonbag.org>

Atom Smasher wrote:
> but this has me thinking... why not combine the "hidden in plain sight"
> part with the encrypted part using steganography... use a reasonably
> strong passphrase ("reasonable" depends on the needs of the end user) for
> your secret key, then hide it in a JPG and post it in a public place.

A couple of years ago there was some smoke from reliable sources that the USG was concerned about the possibility of terror cells communicating steganographically, and for that reason funding would be available to researchers tackling the problem. I don't know if the funding ever took off, but I did see a handful of papers published on the subject.

Clearly, steganography is on academia's radar. It's probably on the NSA's radar, too.

If you are comfortable with the NSA and/or GCHQ wondering why you've got AES-encrypted data hidden in a JPEG that's floating around the internet, then go ahead with this.

> i know... to many people on this list steganography, like one time pads,
> is more of a toy than a real crypto solution

It's a dangerous toy.

There is a paper I enthusiastically recommend every time this subject comes up. To my knowledge, this is the first paper that establishes formal mathematical limits for steganography--what it can do, what it can't, what tradeoffs there are, how optimizing a system for one part of the steganography problem cripples it for another.

As you can imagine, it is a really, really important paper for anyone who wants to take steganography seriously.
And without exception, I have yet to meet any designer of a steganographic system who has read it. This does not fill me with much confidence for the steganographic systems out there.

Moulin, P., and O'Sullivan, J. _Information-Theoretic Analysis of Information Hiding_. IEEE Transactions on Information Theory, Vol. 49, No. 3., pp. 563-593 incl.

Available online at:
http://www.essrl.wustl.edu/~jao/Papers/JournalPublications/01184136.pdf

> even with a reasonably strong pass-phrase i wouldn't want to walk around
> with my secret key on a flash-drive with my physical keys, but hidden in a
> JPG of family/friends/pets it would be easily overlooked if i lost
> possession of the flash-drive.

Why not?

I do not understand this irrational belief that people have in the inadequacy of AES to protect their private keys. Will it make people feel better if I post my own private key to the list? (I'm perfectly willing to, if that's what's necessary to prove a point.)

From rjh at sixdemonbag.org Sun Oct 28 12:21:22 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 28 Oct 2007 06:21:22 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028104249.13786.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org>
Message-ID: <472470B2.3060303@sixdemonbag.org>

Atom Smasher wrote:
> i wouldn't generally advocate a vernam cipher for encrypting messages, but
> i think it is the best real-world-practical way to do secret sharing (at
> least until someone builds an application that ~uses~ a real secret
> sharing algorithm).

See _The Art of Computer Programming_, Volume 2, section 4.6.4, "Evaluation of Polynomials". In my copy it's on page 505; YMMV if you have a different edition.
Knuth characterizes it as "an important and somewhat surprising application of polynomial interpolation", as well as "amazingly simple".

I can vouch for the "amazingly simple" part. I volunteer at a local elementary school and help teach their talented-and-gifted fourth graders. One of the first things we do each year is go over the Shamir protocol.

PGP Corporation also uses it to divide up key shares, if I recall correctly.

From atom at smasher.org Sun Oct 28 12:27:48 2007
From: atom at smasher.org (Atom Smasher)
Date: Mon, 29 Oct 2007 00:27:48 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <47246DA2.7070801@sixdemonbag.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245873.2030401@sven-radde.de> <20071028100558.91492.qmail@smasher.org> <47246DA2.7070801@sixdemonbag.org>
Message-ID: <20071028112749.52303.qmail@smasher.org>

On Sun, 28 Oct 2007, Robert J. Hansen wrote:
> If you are comfortable with the NSA and/or GCHQ wondering why you've got
> AES-encrypted data hidden in a JPEG that's floating around the internet,
> then go ahead with this.
=============
i wouldn't be any more concerned than i am now, with non-hidden cipher-texts coming in/out of my mailbox.

>> even with a reasonably strong pass-phrase i wouldn't want to walk
>> around with my secret key on a flash-drive with my physical keys, but
>> hidden in a JPG of family/friends/pets it would be easily overlooked if
>> i lost possession of the flash-drive.
>
> Why not?
=============
paranoia, maybe...? or just making sure that my secret key isn't low hanging fruit.

> I do not understand this irrational belief that people have in the
> inadequacy of AES to protect their private keys. Will it make people
> feel better if I post my own private key to the list? (I'm perfectly
> willing to, if that's what's necessary to prove a point.)
==============
i'll agree that it's somewhat irrational, but it does give me a warm fuzzy feeling that my 2048/4096 bit secret keys are not only encrypted with a reasonably strong pass-phrase, but also stored on an encrypted file system and not publicly available, and all backup copies are also double encrypted.

regarding my faith in AES, just check out the preferences on my public key.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"Since trade ignores national boundaries and the manufacturer insists on having the world as a market, the flag of his nation must follow him, and the doors of the nations which are closed against him must be battered down. Concessions obtained by financiers must be safeguarded by ministers of state, even if the sovereignty of unwilling nations be outraged in the process. Colonies must be obtained or planted, in order that no useful corner of the world may be overlooked or left unused."
-- Woodrow Wilson, President of the United States, 1919

From atom at smasher.org Sun Oct 28 12:35:06 2007
From: atom at smasher.org (Atom Smasher)
Date: Mon, 29 Oct 2007 00:35:06 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <472470B2.3060303@sixdemonbag.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org> <472470B2.3060303@sixdemonbag.org>
Message-ID: <20071028113507.58148.qmail@smasher.org>

On Sun, 28 Oct 2007, Robert J. Hansen wrote:
> Atom Smasher wrote:
>> i wouldn't generally advocate a vernam cipher for encrypting messages,
>> but i think it is the best real-world-practical way to do secret
>> sharing (at least until someone builds an application that ~uses~ a
>> real secret sharing algorithm).
>
> See _The Art of Computer Programming_, Volume 2, section 4.6.4,
> "Evaluation of Polynomials". In my copy it's on page 505; YMMV if you
> have a different edition. Knuth characterizes it as "an important and
> somewhat surprising application of polynomial interpolation", as well as
> "amazingly simple".
>
> I can vouch for the "amazingly simple" part. I volunteer at a local
> elementary school and help teach their talented-and-gifted fourth
> graders. One of the first things we do each year is go over the Shamir
> protocol.
>
> PGP Corporation also uses it to divide up key shares, if I recall
> correctly.
=================
would that be the same PGP(tm) Corporation that, last i checked, made source code available for review but only licensed the use of pre-compiled binaries?

i hate to sound paranoid (hhmm, actually i don't mind anymore) but where's the open source application(s) that do that? especially if it's so easy.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
"This is Radio Clash On pirate satellite Orbiting your living room Everybody hold on tight"
-- The Clash

From rjh at sixdemonbag.org Sun Oct 28 13:03:13 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 28 Oct 2007 07:03:13 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028113507.58148.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org> <472470B2.3060303@sixdemonbag.org> <20071028113507.58148.qmail@smasher.org>
Message-ID: <47247A81.1030907@sixdemonbag.org>

Atom Smasher wrote:
> would that be the same PGP(tm) Corporation that, last i checked, made
> source code available for review but only licensed the use of pre-compiled
> binaries?
This would be the PGP Corporation that allows you to download and compile their source code so that you can run your own tests to ensure there are no back doors, yes. It's not open-source, but it's certainly not a closed-source product.

> i hate to sound paranoid (hhmm, actually i don't mind anymore)

You should. There's a great quote from the movie _Strange Days_: "The question isn't whether you're paranoid, but whether you're paranoid enough." There's a sweet spot to hit, paranoia-wise. Being too paranoid is just as bad as not being paranoid enough.

> but where's the open source application(s) that do that? especially if
> it's so easy.

At this point it's abundantly clear to me that you've never learned how Shamir's scheme works. I don't know how to make a case for Shamir's scheme to someone who doesn't care how it works, only that their prejudice is that it's bad.

So far I have given you references to PGP Corporation's use of it, to Don Knuth's inclusion of it in _The Art of Computer Programming_, to how fourth-graders in rural Iowa are using it to keep secrets from their teacher. It's mentioned quite favorably in _Applied Cryptography_, _Practical Cryptography_ and the _Handbook of Applied Cryptography_.

At some point, I have to call a halt to it. If you value warm fuzzies over math, if you trust James Bond gadgetry ideas over solid and proven algorithms, then there's nothing I can say to that.
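The two ways of splitting a key debated in this thread, n-of-n XOR (one-time-pad) shares with the "each share held twice" workaround, and Shamir's (k, n) threshold scheme, shown side by side as an added Python example; it is not code from any poster, from GnuPG or from PGP. The field prime 2**521 - 1, all function names and the sample secret are assumptions made for the illustration.

```python
# Added example: XOR (one-time-pad) splitting next to Shamir (k, n) sharing.
import itertools
import secrets

# Assumption: the Mersenne prime 2**521 - 1 as field modulus, so a secret of
# up to 65 bytes fits in one field element.
P = 2**521 - 1
SAMPLE = bytes([0]) + b"constructed sample key material"   # not a real key


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(secret, n):
    """n-1 random pads plus the secret XORed with all of them (n-of-n)."""
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def xor_combine(shares):
    """XOR of all shares; yields the secret only if none is missing."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


def replicate_2_of_3(secret):
    """Workaround described in the thread: XOR shares A, B, C, each held twice."""
    a, b, c = xor_split(secret, 3)
    return {"alice": {"A": a, "B": b},
            "bob": {"B": b, "C": c},
            "charlie": {"A": a, "C": c}}


def recover_replicated(*holders):
    """Merge what the given holders have; needs A, B and C between them."""
    merged = {}
    for held in holders:
        merged.update(held)
    if set(merged) != {"A", "B", "C"}:
        raise ValueError("a share is missing")
    return xor_combine([merged[label] for label in "ABC"])


def shamir_split(secret, k, n):
    """Random polynomial f of degree k-1 over GF(P) with f(0) = secret.

    Share number x is the point (x, f(x)) for x = 1..n.
    """
    if not 1 <= k <= n or len(secret) > 65:
        raise ValueError("need 1 <= k <= n and a secret of at most 65 bytes")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def shamir_interpolate(shares):
    """Lagrange interpolation at x = 0; the secret when >= k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_combine(shares, length):
    return shamir_interpolate(shares).to_bytes(length, "big")


def demo():
    shares = shamir_split(SAMPLE, 3, 5)
    holders = replicate_2_of_3(SAMPLE)
    return {
        # every 3-subset of the 5 Shamir shares rebuilds the secret
        "shamir_any_3_of_5": all(
            shamir_combine(list(c), len(SAMPLE)) == SAMPLE
            for c in itertools.combinations(shares, 3)),
        # two shares alone interpolate to a different value
        "shamir_2_shares_fail": shamir_interpolate(shares[:2])
        != int.from_bytes(SAMPLE, "big"),
        # any two of the three holders cover A, B and C between them
        "replicated_any_2_holders": all(
            recover_replicated(holders[p], holders[q]) == SAMPLE
            for p, q in itertools.combinations(holders, 2)),
    }


if __name__ == "__main__":
    print(demo())
```
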
From atom at smasher.org Sun Oct 28 13:53:00 2007
From: atom at smasher.org (Atom Smasher)
Date: Mon, 29 Oct 2007 01:53:00 +1300 (NZDT)
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <47247A81.1030907@sixdemonbag.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org> <472470B2.3060303@sixdemonbag.org> <20071028113507.58148.qmail@smasher.org> <47247A81.1030907@sixdemonbag.org>
Message-ID: <20071028125301.26993.qmail@smasher.org>

On Sun, 28 Oct 2007, Robert J. Hansen wrote:
> At this point it's abundantly clear to me that you've never learned how
> Shamir's scheme works. I don't know how to make a case for Shamir's
> scheme to someone who doesn't care how it works, only that their
> prejudice is that it's bad.
>
> So far I have given you references to PGP Corporation's use of it, to
> Don Knuth's inclusion of it in _The Art of Computer Programming_, to how
> fourth-graders in rural Iowa are using it to keep secrets from their
> teacher. It's mentioned quite favorably in _Applied Cryptography_,
> _Practical Cryptography_ and the _Handbook of Applied Cryptography_.
>
> At some point, I have to call a halt to it. If you value warm fuzzies
> over math, if you trust James Bond gadgetry ideas over solid and proven
> algorithms, then there's nothing I can say to that.
=====================
not having a particular aptitude towards higher math, and not being fluent at programming C are more reasonable criticisms of me. i have a very good understanding of most crypto primitives, protocol wise, but i often have to take it for granted the math does what it's supposed to.

i can pick from a few one time pad applications that do pretty much exactly what i want, and produce real-world verifiably and provably secure output.
i'm not about to write an application that implements a secret sharing protocol, but if someone else writes one that's open source i'd be interested in checking it out. in the meantime, i consider the vernam cipher a very reasonable and practical way to implement secret sharing.

you've mentioned, and i've agreed with you, several reasons why OTP sucks as an encryption algorithm. but other than referring to it as "James Bond gadgetry" you haven't given any reason not to use it for secret sharing, other than your own flavor of warm and fuzzy which seems to be that another algorithm was designed just for secret sharing and 4th graders can use it.

after a few minutes of googling - http://point-at-infinity.org/ssss/

i'll check it out.

still, the _only_ reason not to use OTP for secret sharing is that it doesn't work as a threshold (t,n) scheme. the only way around that is to make sure that each share is held by more than one player... with shares A B and C; alice holds shares AB, bob holds shares BC, charlie holds shares AC. if any one of them gets hit by a bus, the secret can still be recovered. problem solved.

maybe some 4th graders can understand the math behind shamir's secret sharing but *i* can understand (and prove and verify) the math behind vernam's cipher... and understanding the math certainly adds to the warm and fuzzy feeling.

--
...atom
________________________
http://atom.smasher.org/
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
-------------------------------------------------
God is dead. - Nietzsche 1882
Nietzsche is dead.
- God 1900

From email at sven-radde.de Sun Oct 28 15:37:47 2007
From: email at sven-radde.de (Sven Radde)
Date: Sun, 28 Oct 2007 15:37:47 +0100
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028104249.13786.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org>
Message-ID: <47249EBB.3020202@sven-radde.de>

Atom Smasher wrote:
> 2) AFAIK the shamir secret sharing protocol is great in theory, but there
> just aren't any practical ways to use it (read: applications).

IIRC it is implemented in PGP. (Maybe in the commercial/corporate versions only, and maybe not that particular protocol but they have a way to divide secret keys.)

cu, Sven

From vedaal at hush.com Sun Oct 28 15:37:04 2007
From: vedaal at hush.com (vedaal at hush.com)
Date: Sun, 28 Oct 2007 09:37:04 -0500
Subject: Key safety vs Backup
Message-ID: <20071028143704.A80A122840@mailserver9.hushmail.com>

>Message: 7
>Date: Mon, 29 Oct 2007 00:27:48 +1300 (NZDT)
>From: Atom Smasher
>Subject: Re: Key safety vs Backup : History of a bad day
> (key-restoration problem)

>>> even with a reasonably strong pass-phrase i wouldn't want to
>walk
>>> around with my secret key on a flash-drive with my physical
>keys, but
>>> hidden in a JPG of family/friends/pets it would be easily
>overlooked if
>>> i lost possession of the flash-drive.

>i'll agree that it's somewhat irrational, but it does give me a
>warm fuzzy
>feeling that my 2048/4096 bit secret keys are not only encrypted
>with a
>reasonably strong pass-phrase, but also stored on an encrypted
>file system
>and not publicly available, and all backup copies are also double
>encrypted.
>
>regarding my faith in AES, just check out the preferences on my
>public
>key.
*****************************************

so why not keep your keys in a hidden true-crypt container on a flashdrive

with usb flashdrives becoming less and less expensive, a 4gb flashdrive, with a 2gb truecrypt volume, and a 200 mb hidden volume, there should be more than enough space for keyrings, secrets, backups, etc.

and you don't need to use aes, if you have some dislike for it (i don't, and personally, my truecrypt containers use the triple encryption option of rijndael-twofish-serpent)

the only difficulty i have with truecrypt, is opening a windows generated truecrypt fat-32 volume on a linux system (i use xp-pro and ubuntu) but i think that's just my inexperience with ubuntu and truecrypt

vedaal

From rjh at sixdemonbag.org Sun Oct 28 19:30:16 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 28 Oct 2007 13:30:16 -0500
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <20071028125301.26993.qmail@smasher.org>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com> <20071028065154.22608.qmail@smasher.org> <47245200.7060507@sixdemonbag.org> <20071028104249.13786.qmail@smasher.org> <472470B2.3060303@sixdemonbag.org> <20071028113507.58148.qmail@smasher.org> <47247A81.1030907@sixdemonbag.org> <20071028125301.26993.qmail@smasher.org>
Message-ID: <4724D538.7000407@sixdemonbag.org>

Atom Smasher wrote:
> not having a particular aptitude towards higher math

Shamir's protocol revolves around being given two points on a grid and drawing a line between them. This is not higher math. This is why it's described as "amazingly simple".

> and not being fluent at programming C

Nobody's talking about C. I despise C, honestly. It's a very useful language for kernels. Outside of that I prefer other, better options be used.

> i have a very good understanding of most crypto primitives, protocol
> wise

Shamir's algorithm is a very basic crypto primitive.
If it's not part of your corpus of knowledge, it should be.

> but i often have to take it for granted the math does what it's
> supposed to.

If you don't understand the math behind a crypto primitive, you don't understand the primitive. There is a big difference between saying "people I trust say this primitive achieves this objective" and saying "I've seen the math work for myself".

> i can pick from a few one time pad applications that do pretty much
> exactly what i want

Except that you don't know C, and thus cannot say these applications actually do what you want.

> and produce real-world verifiably and provably secure output.

The Vernam cipher is not a verifiable system. That's the entire /point/ of it: it has no way to verify anything. If there was a way to verify any part of the Vernam cipher, then it would lose its provably-secure properties. You could just try one key after another saying "is this the right key?" and, as soon as you received verification that it was, you'd be done.

Not that even without verifiability the Vernam cipher is a very good system. Look into the history of Project Venona.

"Provable security" is a great buzzword, but in practice it means very little. IBM had an algorithm a few years ago (Ajtai-Dwork?) which offered provable security, but it was broken within a year by someone who figured out a way to throw the hidden assumptions of Ajtai-Dwork on its head.

As I once said, "proofs of security are nice--they give us something to point and laugh at."

> in the meantime, i consider the vernam cipher a very reasonable and
> practical way to implement secret sharing.

You are free to use whatever you like. However, please do not recommend it as a method to other people when I cannot find one single authority in either cryptography or software engineering who endorses this method.

> you've mentioned, and i've agreed with you, several reasons why OTP
> sucks as an encryption algorithm.
> but other than referring to it as
> "James Bond gadgetry" you haven't given any reason not to use it for
> secret sharing,

The "James Bond gadgetry" was a reference to ideas of steganographically encoding a key inside a JPEG and letting Google cache it, or keeping it in your camera, or... etc. These ideas are infeasible for various reasons.

Insofar as why not to use it for secret sharing, I would think that reason would be obvious: it cannot be used to implement a general {k, n} threshold scheme which preserves information secrecy. If you want to advocate that it be used for secret sharing, the burden is on you to establish that it's a safe and effective alternative to Shamir's and/or Blakley's schemes, both of which have long pedigrees in the literature attesting to their efficiency, generality and privacy.

> other than your own flavor of warm and fuzzy which seems to be that
> another algorithm was designed just for secret sharing and 4th
> graders can use it.

This is not "warm and fuzzy". This is following the best practices of the field. The more complex an algorithm becomes, the more difficult it becomes to implement it successfully. This is why so few people implement Elgamal signatures; while the math works beautifully, the algorithm is so complex and subtle that implementing it is perilous. The complexity of the Vernam cipher is what doomed it during Project Venona. Etc.

> still, the _only_ reason not to use OTP for secret sharing is that it
> doesn't work as a threshold (t,n) scheme. the only way around that
> is to make sure that each share is held by more than one player...
> with shares A B and C; alice holds shares AB, bob holds shares BC,
> charlie holds shares AC. if any one of them gets hit by a bus, the
> secret can still be recovered. problem solved.

Great. Let's break up the letters ABC among Alice, Bob and Charlie.
Under Shamir and Blakley's scheme, Alice, Bob and Charlie have no knowledge whatsoever of the ultimate answer: the odds of them successfully choosing the secret are no better than random. (In this case, 26**-3, about 5 * 10**-5.)

Under your scheme, Alice, Bob and Charlie each have two-thirds of the ultimate answer. Discovering the secret requires guessing just one letter... odds of about 4%, making it 800 times more likely that they'll be able to guess your secret. I would not consider you to have solved the problem.

This is why the Vernam cipher is such a disastrous failure for secret sharing. You're giving away huge parts of the secret. There's no provision in it for hiding the secret--only for breaking it up.

From hs2412 at gmail.com Mon Oct 29 18:35:23 2007
From: hs2412 at gmail.com (Hardeep Singh)
Date: Mon, 29 Oct 2007 23:05:23 +0530
Subject: ECC - how does it compare
Message-ID:

Hi All

I recently looked at software called 'seccure' which is available for linux. It's a tool for public key encryption using ECC rather than prime number factoring.

http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm

Here NSA is making a case for ECC.

One advantage that does seem to exist is that there is no need to persistently store any part of the key - so the threat of someone meddling with your key on the pen drive seems to be removed.

What do you all think about this? Should we start building an ECC WOT? :-)

Regards
Hardeep Singh

From seanccraig at gmail.com Mon Oct 29 18:16:36 2007
From: seanccraig at gmail.com (Sean Craig)
Date: Mon, 29 Oct 2007 13:16:36 -0400
Subject: subscribe
Message-ID: <47261574.6040504@gmail.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3249 bytes
Desc: S/MIME Cryptographic Signature
Url : /pipermail/attachments/20071029/922724d1/attachment-0001.bin

From seanccraig at gmail.com Mon Oct 29 18:13:02 2007
From: seanccraig at gmail.com (Sean Craig)
Date: Mon, 29 Oct 2007 13:13:02 -0400
Subject: No subject
Message-ID: <4726149E.5090602@gmail.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3249 bytes
Desc: S/MIME Cryptographic Signature
Url : /pipermail/attachments/20071029/faafe2ba/attachment.bin

From rjh at sixdemonbag.org Mon Oct 29 21:07:04 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 29 Oct 2007 15:07:04 -0500
Subject: ECC - how does it compare
In-Reply-To:
References:
Message-ID: <47263D68.5030506@sixdemonbag.org>

Hardeep Singh wrote:
> What do you all think about this? Should we start building an ECC
> WOT? :-)

As soon as it gets added to the OpenPGP RFC, then we should. Until then, it's premature.

From bjr149 at hotmail.com Tue Oct 23 17:45:27 2007
From: bjr149 at hotmail.com (bjr149)
Date: Tue, 23 Oct 2007 08:45:27 -0700 (PDT)
Subject: beginner to gnupg
Message-ID: <13366377.post@talk.nabble.com>

I am very new to PGP. I understand the concept of a public key and a private key.

I worked with a client who sent me their public key which was a nice text file. I'm trying to export my public key to a text file but every time I run it I get a bunch of jumble garbage.

C:\GNU\GnuPG>gpg --export "key name" > C:\GNU\GnuPG\public.key

I tried to pass the -a parameter with a username but that didn't work either. I guess I'm also not sure what user name should go there?

Can you have more than one key with the same name and a different user name?

In my pubring and secring there are keys. I want to be able to extract them so I can send someone my public key.

Thanks.
From sven at radde.name Fri Oct 26 20:14:48 2007
From: sven at radde.name (Sven Radde)
Date: Fri, 26 Oct 2007 20:14:48 +0200
Subject: Multiple recipients encryption
In-Reply-To:
References:
Message-ID: <47222E98.6090407@radde.name>

Hi!

Noiano wrote:
> I was wondering about how gnupg works when I encrypt a message for
> multiple recipients. As long as I know public-key encryption works as
> described in this image
> http://upload.wikimedia.org/wikipedia/commons/f/f9/Public_key_encryption.svg.

This image is a simplified view on public key encryption. Actually, GnuPG (and practically all other implementations) use a "hybrid" cryptosystem and not "pure" public key encryption.

A hybrid system first generates a random key for a symmetric algorithm (say, AES) and encrypts the message itself with this key (called the "session key"). The session key is then encrypted with the public key of each recipient and all those encrypted session keys are sent along with the message. The recipient then finds the session key packet that was encrypted for his private key, decrypts the session key and uses the session key to decrypt the message itself.

Apart from the nice property that you can encrypt for multiple recipients, this has major advantages in efficiency: The bulk of the data is encrypted with a relatively fast symmetric algorithm and only the short key for that (say, 256 bit = 32 bytes) is encrypted with the very slow asymmetric algorithms. You really wouldn't want to wait for a pure RSA encryption of a few megabytes (and I'm not even sure whether that would be a good idea, security-wise).
cu, Sven

From eirik at finvold.org Sun Oct 28 13:27:41 2007
From: eirik at finvold.org (_fr0st)
Date: Sun, 28 Oct 2007 05:27:41 -0700 (PDT)
Subject: GPG: Suddenly lost access to encryptet file
Message-ID: <13452858.post@talk.nabble.com>

Hello,

A couple of days ago, I started a process to create a new encrypted LVM-partition, and move everything I got from the regular LVM to the encrypted one. Btw, I use loop-aes to encrypt my partition.

Now, after some days, some unmounts/mounts, I suddenly get "Error: gpg key file decryption failed" every time I try to mount. If I try to decrypt manually with "gpg -vvv -d ./keyfile.gpg" all I get is:

-----------------------------------------------
gpg: using character set `iso-8859-1'
gpg: armor: BEGIN PGP MESSAGE
gpg: armor header: Version: GnuPG v1.4.7 (GNU/Linux)
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
 salt 625d5ec3f0310439, count 65536 (96)
gpg: CAST5 encrypted data
:encrypted data packet:
 length: unknown
gpg: encrypted with 1 passphrase
gpg: decryption failed: bad key
-----------------------------------------------

Now, some info about how I made this.

-emerged gnupg (using gentoo)
-made a new random passphrase for myself with: "head -c 65 /dev/random | uuencode -m - > mypass"
-made a keyfile for my future disk encryption: "head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a > keyfile.gpg"

When asked for a password, I copy&pasted the whole text from "mypass".

Now, after using losetup to set up the encryption, filled the disk with random data with dd and blah blah blah, I was ready for use. I mounted the disk successfully with "mount -o encryption=aes256,gpgkey=/root/keyfile,loop=/dev/loop0 /dev/ftpcrypt/ftpcrypt1 /home/ftp". Also here just copy&pasted the data from "mypass" when mount asked me for pass.

Suddenly now, today, after unmounting, adding new disks to lvm, lvextended, resized with resize_reiserfs and "losetup -R", this happens.
I don't think losetup/mount/lvm can have anything to do with this..

So.. Any possible solutions? May it be because I did not create a private key to pgp before starting this? I have not used pgp before, so I'm a newbie..

I've tested to copy both mypass and keyfile.gpg over to other computers, no luck there either.

Oh, and one more thing: I opened my keyfile.gpg in vim, don't remember if I used ": x" or ": q" to quit.. Could vim do something with the file if I used ": x"?

And of course: I am the only one with access to this server, so my mypass file is untouched..

Thanks in advance for any help!

From Bushveld at gmx.de Mon Oct 29 22:46:33 2007
From: Bushveld at gmx.de (Michael)
Date: Mon, 29 Oct 2007 22:46:33 +0100
Subject: script to clean my keyring
Message-ID: <200710292246.34235.Bushveld@gmx.de>

Hello,

I like to clean my key ring automatically. I have put the attached lines together to do this. But something is wrong, the script shows the data which need to be changed but the update is not saved. Experts, what is wrong here??

for i in `gpg --list-keys --fixed-list-mode --with-colons | grep "^pub" | cut -f5 -d":"` ; do
    gpg --batch --yes --edit-key $i clean
done

And a general Question: I like to frequently run "gpg --refresh-key" and after this the above script, in case it works, to get rid of the overhead. Do you think this is a good idea to do so?

Thanks a lot
Michael

From sk at intertivity.com Mon Oct 29 22:28:36 2007
From: sk at intertivity.com (Sascha Kiefer)
Date: Tue, 30 Oct 2007 01:28:36 +0400
Subject: Detached signature that is not one
Message-ID: <003501c81a72$ab2c4be0$6501a8c0@sknb>

Hi,

I wrote a program, which automatically decrypts/verifies incoming parts of an email. Actually, works pretty good.
I just parse the mail, decompose it in several files, give it gpg, verify output and rebuild the email.

Today there was this spam email. It only had a body which gpg recognized as a detached signature and asked me for the datafile. Which of course, i didn't have. Please find the body of the email attached.

Is this a bug in gpg? (tried ver. 1.4 and 1.4.7)
How can i prevent gpg to ask for the datafile but just failing?

Thank you for answers.

Cheers,
Sascha

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: MC_03248_AU0DFB5YOJLUXTH.txt
Url: /pipermail/attachments/20071030/3b64e57a/attachment.txt

From yalla at fsfe.org Mon Oct 29 22:34:21 2007
From: yalla at fsfe.org (Alexander W. Janssen)
Date: Mon, 29 Oct 2007 22:34:21 +0100
Subject: Simple beginners questions about the gpg-smartcard
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I just subscribed to the list. I'm using the gpg-smartcard and it just works for me. However, I have a couple of maybe really simple questions which weren't answered by the documentation I've read so far - yet.

1) Once I created my keypair on the smartcard and I was able to use it on that system. Now I bought several other smartcard-readers for my other machines and I learned that I need to import the secret key (which I backed up during the creation of the key on the card on the first system) on every other machine which wants to use the smartcard too.

Why is that like that? I thought that the secret key remains on the smartcard, and that this is actually the benefit of the smartcard. Why do I need to import the secret-key from disk to some local gpg so that it can recognize the key on the smartcard at all?

I'm probably doing something wrong. Any pointers?

2) I bought a couple of SCM SPR-532 cardreaders. I learned that the pin-pads are currently only experimentally supported by gpg 2.something. Is there any chance that the pin-pad support will be backported to gpg 1.4.x?
Thanks a lot for your pointers & help. I probably just suck in reading documentation.

Cheers,
Alex.

- --
"I am tired of all this sort of thing called science here... We have spent millions in that sort of thing for the last few years, and it is time it should be stopped."
 -- Simon Cameron, U.S. Senator, on the Smithsonian Institution, 1901.
.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org

iQCVAwUBRyZR0BYlVVSQ3uFxAQKIwwP/cSjvM0RATEqKRAkyLmVkNE13pnwLUZeQ
4pwU0zR8t2dvruKCe1nvscsWjhDO/7D9zD345+lrEf0PyBaoCyCTaxFS2lkWrFnh
BdM6kM69uoLTXTXDiaSGyhOhUyY8+joN9etEcWgd9fXN9GM+jYGc4L+wS5STlW1/
MXJjMtDWR34=
=bl6m
-----END PGP SIGNATURE-----

From r.post at sara.nl Mon Oct 29 23:32:33 2007
From: r.post at sara.nl (Remco Post)
Date: Mon, 29 Oct 2007 23:32:33 +0100
Subject: ECC - how does it compare
In-Reply-To: <47263D68.5030506@sixdemonbag.org>
References: <47263D68.5030506@sixdemonbag.org>
Message-ID: <47265F81.4010408@sara.nl>

Robert J. Hansen wrote:
> Hardeep Singh wrote:
>> What do you all think about this? Should we start building an ECC
>> WOT? :-)
>
> As soon as it gets added to the OpenPGP RFC, then we should.
> Until then, it's premature.
>

So actually, you could, but you need to start lobbying to get it added to the rfc as well in that exact form or your work might be all for nothing. No of course even if it's not part of the rfc, it might be a nice exercise.

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From sean at rima.ws Mon Oct 29 23:51:22 2007
From: sean at rima.ws (Sean Rima)
Date: Mon, 29 Oct 2007 22:51:22 +0000
Subject: beginner to gnupg
In-Reply-To: <13366377.post@talk.nabble.com>
References: <13366377.post@talk.nabble.com>
Message-ID: <472663EA.8020601@rima.ws>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

bjr149 wrote:
> I am very new to PGP. I understand the concept of a public key and a private
> key.
>
> I worked with a client who sent me their public key which was a nice text
> file. I'm trying to export my public key to a text file but every time I run
> it I get a bunch of jumble garbage.
>
> C:\GNU\GnuPG>gpg --export "key name" > C:\GNU\GnuPG\public.key
>
> I tried to pass the -a parameter with a username but that didn't work either.
> I guess I'm also not sure what user name should go there?
>
> Can you have more than one key with the same name and a different user name?
>
> In my pubring and secring there are keys. I want to be able to extract them
> so I can send someone my public key.
>
> Thanks.
I use

gpg --export --armour KEY-NAME > my-pub-key.asc

You can have different keys with the same name but different email addresses

Hope this helps

Sean
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Gossamer Spider Web of Trust: http://www.gswot.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHJmPqDif86V/dzTsRA/bsAJ9QfwPKm6M4m3w2ib8VCJTdHpeocgCeL7zX
p+op4uwt7Rxf0AQmd/M1Nfs=
=naq1
-----END PGP SIGNATURE-----

From JPClizbe at tx.rr.com Tue Oct 30 01:57:53 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Mon, 29 Oct 2007 19:57:53 -0500
Subject: script to clean my keyring
In-Reply-To: <200710292246.34235.Bushveld@gmx.de>
References: <200710292246.34235.Bushveld@gmx.de>
Message-ID: <47268191.8080404@tx.rr.com>

Michael wrote:
> I like to clean my key ring automatically. I have put the attached lines
> together to do this. But something is wrong, the script shows the data
> which need to be changed but the update is not saved. Experts, what is
> wrong here??
>
> for i in `gpg --list-keys --fixed-list-mode --with-colons |
> grep "^pub" | cut -f5 -d":"` ; do
>     gpg --batch --yes --edit-key $i clean
> done

How about doing it this way:

cp pubring.gpg pubring.tmp
gpg --import-options import-clean --import pubring.tmp

> And a general Question:
> I like to frequently run "gpg --refresh-key" and after this the above
> script, in case it works, to get rid of the overhead. Do you think this
> is a good idea to do so?

gpg --keyserver-options import-clean \
    --keyserver pool.sks-keyservers.org --refresh-keys

--
John P. Clizbe Inet: John (a) GingerBear DOT nyet
Ginger Bear Networks PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 679 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20071029/c6318165/attachment.pgp

From CronoCloud at mchsi.com Tue Oct 30 00:56:28 2007
From: CronoCloud at mchsi.com (Ron Rogers Jr.)
Date: Mon, 29 Oct 2007 18:56:28 -0500
Subject: beginner to gnupg
In-Reply-To: <13366377.post@talk.nabble.com>
References: <13366377.post@talk.nabble.com>
Message-ID: <20071029185628.2bf12761@mchsi.com>

On Tue, 23 Oct 2007 08:45:27 -0700 (PDT) bjr149 wrote:

> I worked with a client who sent me their public key which was
> a nice text file. I'm trying to export my public key to a text
> file but every time I run it I get a bunch of jumble garbage.
>
> C:\GNU\GnuPG>gpg --export "key name" > C:\GNU\GnuPG\public.key
>

I'm new to gpg too, just started using it in April. If I want to export my public key to a file using the Linux command line tools, I would do this:

gpg --armor --export CronoCloud at mchsi.com > CronoCloud_public_pgp_key.asc

Have you tried out GPA (Gnu Privacy Assistant)? For new users that might be easier to use and it's included in the GPG4Win builds. Using that, just select your key, hit export, choose a name for your exported key and you're done.

> Can you have more than one key with the same name and a
> different user name?
>

Sure, or you can add UID's to a key.

CronoCloud (Ron Rogers Jr.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20071029/2c2aed72/attachment.pgp

From yyz01 at yahoo.com Tue Oct 30 02:11:22 2007
From: yyz01 at yahoo.com (YYZ)
Date: Mon, 29 Oct 2007 18:11:22 -0700 (PDT)
Subject: Subkey DSA signature changes after importing secret keyring
Message-ID: <68653.60607.qm@web45510.mail.sp1.yahoo.com>

Hi everyone!

Can anyone explain this strange gpg behavior, observed when I follow these steps?
I use gpg to generate a key-pair using default options (1024D/2048g). Afterwards, I import the secret keyring into another account, and issue the following commands "gpg --export" and "gpg --export-secret-key" in both the accounts.

I noticed that while the second command yields identical results, the output of the first command is slightly different in the two cases (actually, just the last 44 bytes). A little analysis reveals that the bytes that differ are really the two MPIs representing the "r" and "s" components of the DSA signature for the ELG subkey.

Further, if I export my secret keyring to several different accounts/computers, all of them end up with identical DSA signature for the exported subkey (but it's different from the original signature).

Can someone please explain why is it like this?

Thanks!

From wk at gnupg.org Tue Oct 30 08:40:33 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Oct 2007 08:40:33 +0100
Subject: Simple beginners questions about the gpg-smartcard
In-Reply-To: (Alexander W. Janssen's message of "Mon, 29 Oct 2007 22:34:21 +0100")
References:
Message-ID: <87ejfd82z2.fsf@wheatstone.g10code.de>

On Mon, 29 Oct 2007 22:34, yalla at fsfe.org said:

> Why do I need to import the secret-key from disk to some local gpg to
> that it can recognize the key on the smartcard at all?

It is not the secret key but a stub for the secret key. This allows gpg to ask you for the smartcard and display the serial number of the card it expects. You don't need to export/import that secret key stub as gpg should create that stub automagically.

> 2) I bought a couple of SCM SPR-532 cardreaders. I learned that the
> pin-pads are currently only experimentally supported by gpg
> 2.something. Is there any chance that the pin-pad support will be
> backported to gpg 1.4.x?
In my daily work I use a KAAN Advanced but the SPR 532 works as well.

Backporting is somewhat problematic as the automated passphrase interface (for GUI use) is not really able to display a notification popup to inform you that you should move your fingers over to the reader's pinpad.

If you have gpg-agent (and scdaemon) installed gpg 1.4 will use the smartcard code from scdaemon and can thus utilize the popup feature provided by gpg-agent and pinentry.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From wk at gnupg.org Tue Oct 30 08:48:26 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Oct 2007 08:48:26 +0100
Subject: Detached signature that is not one
In-Reply-To: <003501c81a72$ab2c4be0$6501a8c0@sknb> (Sascha Kiefer's message of "Tue, 30 Oct 2007 01:28:36 +0400")
References: <003501c81a72$ab2c4be0$6501a8c0@sknb>
Message-ID: <87abq182lx.fsf@wheatstone.g10code.de>

On Mon, 29 Oct 2007 22:28, sk at intertivity.com said:

> Today there was this spam email. It only had a body which gpg recognized as
> a detached signature
> and asked me for the datafile. Which of course, i didn't have. Please find
> the body of the email attached.
>
> Is this a bug in gpg? (tried ver. 1.4 and 1.4.7)
> How can i prevent gpg to ask for the datafile but just failing?

Pass --batch to gpg and it won't ask for the data file. Also make sure that your stdin is connected to /dev/null so that gpg won't expect the data on stdin.

Of course this means that you need to supply the passphrase by other means. Some applications run gpg first to check whether a passphrase is required and then re-run w/o --batch. Or use the status/command interface to decide what to do. GPGME should make things easier for you.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
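
The advice in the reply above (run gpg with --batch and stdin on /dev/null), as an added Python example that is not code from this thread or from GnuPG. It goes one step further and walks the OpenPGP packet headers first, so a mail part made only of signature packets is recognised as a detached signature and skipped when there is no data file; packet tags follow RFC 4880, and the function names, file names and sample inputs are constructed for illustration.

```python
import base64
import subprocess

# OpenPGP packet tags (RFC 4880, section 4.3) that matter to a mail filter.
SIGNATURE, ONEPASS = 2, 4
ENCRYPTION_TAGS = {1, 3, 9, 18}   # PKESK, SKESK, encrypted data, SEIPD


def dearmor(text):
    """Return the binary payload of the first ASCII-armored block, or None."""
    lines = [l.strip() for l in text.splitlines()]
    marks = [i for i, l in enumerate(lines)
             if l.startswith(("-----BEGIN PGP ", "-----END PGP "))]
    if len(marks) < 2 or not lines[marks[0]].startswith("-----BEGIN"):
        return None
    body = lines[marks[0] + 1:marks[1]]
    if "" in body:                          # armor headers end at the blank line
        body = body[body.index("") + 1:]
    payload = "".join(l for l in body if not l.startswith("="))  # drop CRC line
    try:
        return base64.b64decode(payload, validate=True)
    except ValueError:
        return None


def packet_tags(data):
    """Walk the top-level packets and return their tags (raises if malformed)."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if hdr & 0x40:                      # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:                           # partial body: streamed data, stop here
                tags.append(tag)
                break
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                  # indeterminate length: runs to the end
                tags.append(tag)
                break
            width = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        if tag == 0 or pos + length > len(data):
            raise ValueError("reserved tag or truncated packet")
        tags.append(tag)
        pos += length
    return tags


def classify(blob):
    """Classify a mail part (str) or raw packet data (bytes) before gpg runs."""
    if isinstance(blob, str):
        if "-----BEGIN PGP SIGNED MESSAGE-----" in blob:
            return "cleartext-signed"       # the signed text is inside the part
        blob = dearmor(blob)
    try:
        tags = packet_tags(blob or b"")
    except (ValueError, IndexError):
        return "not-openpgp"
    if not tags:
        return "not-openpgp"
    if all(t == SIGNATURE for t in tags):
        return "detached-signature"         # only signatures: data lives elsewhere
    if tags[0] in (SIGNATURE, ONEPASS):
        return "signed-message"
    return "encrypted" if tags[0] in ENCRYPTION_TAGS else "other"


def gpg_command(kind, part_path, data_path=None):
    """Build a non-interactive gpg call, or None when gpg must not be started."""
    base = ["gpg", "--batch", "--status-fd", "1"]
    if kind == "not-openpgp":
        return None
    if kind == "detached-signature":
        # Without the signed file gpg would wait for it, so skip the part.
        return base + ["--verify", "--", part_path, data_path] if data_path else None
    verb = "--verify" if kind in ("cleartext-signed", "signed-message") else "--decrypt"
    return base + [verb, "--", part_path]


def run_gpg(argv):
    """Run gpg with stdin on /dev/null so it can never block waiting for input."""
    return subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True, text=True)


def _armor(kind, packets):
    """Wrap constructed packet bytes in ASCII armor (sample data, no CRC line)."""
    b64 = base64.b64encode(packets).decode()
    return f"-----BEGIN PGP {kind}-----\nVersion: sample\n\n{b64}\n-----END PGP {kind}-----\n"


# Constructed inputs: packet headers are well-formed, bodies are dummy bytes.
SAMPLE_DETACHED = _armor("SIGNATURE", bytes([0x88, 3, 4, 0, 17]))
SAMPLE_SIGNED = _armor("MESSAGE", bytes([0x90, 2, 3, 0, 0xAC, 3, 98, 0, 120, 0x88, 1, 4]))
SAMPLE_ENCRYPTED = _armor("MESSAGE", bytes([0x8C, 2, 4, 3, 0xA7, 1, 2, 3]))
```

With --batch a decryption still needs its passphrase from somewhere else, as the reply notes, so `run_gpg` is only useful for parts whose key is reachable without a prompt.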

From sk at intertivity.com Tue Oct 30 09:11:29 2007
From: sk at intertivity.com (Sascha Kiefer)
Date: Tue, 30 Oct 2007 09:11:29 +0100
Subject: Detached signature that is not one
Message-ID: <5492648.115201193731889303.JavaMail.servlet@kundenserver>

Hi,

i actually use "--status-fd 1" but there is nothing on that that tells me that something is waiting for the datafile. in that case i would just handle that status and kill gpg if i don't have any datafile.

>On Mon, 29 Oct 2007 22:28, sk at intertivity.com said:
>
>> Today there was this spam email. It only had a body which gpg recognized as
>> a detached signature
>> and asked me for the datafile. Which of course, i didn't have. Please find
>> the body of the email attached.
>>
>> Is this a bug in gpg? (tried ver. 1.4 and 1.4.7)
>> How can i prevent gpg to ask for the datafile but just failing?
>
>Pass --batch to gpg and it won't ask for the data file. Also make sure
>that your stdin is connected to /dev/null so that gpg won't expect the
>data on stdin.
>
>Of course this means that you need to supply the passphrase by other
>means. Some applications run gpg first to check whether a passphrase is
>required and then re-run w/o --batch. Or use the status/command
>interface to decide what to do. GPGME should make things easier for
>you.
>
>
>Shalom-Salam,
>
> Werner
>
>--
>Thoughts are free. Exceptions are regulated by a federal law.
>

From email at sven-radde.de Tue Oct 30 09:13:10 2007
From: email at sven-radde.de (Sven Radde)
Date: Tue, 30 Oct 2007 09:13:10 +0100
Subject: ECC - how does it compare
In-Reply-To:
References:
Message-ID: <4726E796.5040009@sven-radde.de>

Hi!

Hardeep Singh wrote:
> It's a tool for public key encryption using ECC rather than
> prime number factoring.

AFAIK, some of the really efficient algorithms for the required math are patented.
cu, Sven

From Bushveld at gmx.de Tue Oct 30 09:52:19 2007
From: Bushveld at gmx.de (Michael)
Date: Tue, 30 Oct 2007 09:52:19 +0100 (CET)
Subject: script to clean my keyring
In-Reply-To: <47268191.8080404@tx.rr.com>
References: <200710292246.34235.Bushveld@gmx.de> <47268191.8080404@tx.rr.com>
Message-ID: <1085920.59193.BlZUXl8STQs=.1193734339.squirrel@webmailer.hosteurope.de>

Hi John,

thank you for the answer how to clean my key ring:

> How about doing it this way:
> cp pubring.gpg pubring.tmp
> gpg --import-options import-clean --import pubring.tmp

=== 1 ===
This will make a clean import to the current pubring.gpg but will this help? Will these keys which are imported overwrite the keys in the current pubkey.gpg? Or would I need to start with a "stripped" which only contains my selfsignature?

> gpg --keyserver-options import-clean \
>     --keyserver pool.sks-keyservers.org --refresh-keys

=== 2 ===
I like to keep my key ring updated, what about this: I run on a frequent basis:

# Assumption is that the key is currently clean
cp pubring.gpg pubring.bak
gpg --keyserver-options import-clean \
    --keyserver pool.sks-keyservers.org --refresh-keys
cp pubring.gpg pubring.tmp
gpg --import-options import-clean --import pubring.tmp

Thanks a lot
Michael

From r.post at sara.nl Tue Oct 30 10:21:29 2007
From: r.post at sara.nl (Remco Post)
Date: Tue, 30 Oct 2007 10:21:29 +0100
Subject: ECC - how does it compare
In-Reply-To: <4726E796.5040009@sven-radde.de>
References: <4726E796.5040009@sven-radde.de>
Message-ID: <4726F799.4090702@sara.nl>

Sven Radde wrote:
> Hi!
>
> Hardeep Singh wrote:
>> It's a tool for public key encryption using ECC rather than
>> prime number factoring.
> AFAIK, some of the really efficient algorithms for the required math are
> patented.
>

in that case these patents are only valid inside the US, since no EU country accepts patents on software or mathematical algorithms.
> cu, Sven
>

--
Kind regards,

Remco Post

SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16 B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the computer industry. Not that that tells us very much of course - the computer industry didn't even foresee that the century was going to end." -- Douglas Adams

From wk at gnupg.org Tue Oct 30 10:48:12 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Oct 2007 10:48:12 +0100
Subject: Detached signature that is not one
In-Reply-To: <5492648.115201193731889303.JavaMail.servlet@kundenserver> (Sascha Kiefer's message of "Tue, 30 Oct 2007 09:11:29 +0100")
References: <5492648.115201193731889303.JavaMail.servlet@kundenserver>
Message-ID: <871wbd7x2b.fsf@wheatstone.g10code.de>

On Tue, 30 Oct 2007 09:11, sk at intertivity.com said:

> i actually use "--status-fd 1" but there is nothing on that that tells me that something is waiting for the datafile. in that case i would just handle that status and kill gpg if i don't have any datafile.

Dup stdin to /dev/null and you will get an error. You should always know in advance whether you are going to verify a detached signature or an embedded signature.

Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From 210525p42015 at denstarfarm.us Tue Oct 30 12:03:44 2007
From: 210525p42015 at denstarfarm.us (Robert D.)
Date: Tue, 30 Oct 2007 07:03:44 -0400
Subject: Smartcards and Mac OS/X
Message-ID: <47270F90.7010004@denstarfarm.us>

Seeing a thread about smart-cards finally got me to ask a couple of questions

In a general question, what are the main reasons I would want to buy one?

Are there decent Smart-Cards for Apple MacBooks ?
thank you

From rjh at sixdemonbag.org Tue Oct 30 14:54:43 2007
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Tue, 30 Oct 2007 08:54:43 -0500
Subject: Smartcards and Mac OS/X
In-Reply-To: <47270F90.7010004@denstarfarm.us>
References: <47270F90.7010004@denstarfarm.us>
Message-ID: <472737A3.2080900@sixdemonbag.org>

Robert D. wrote:
> In a general question, what are the main reasons I would want to buy one?

Legal or employment reasons. Some people have smart card usage mandated to them. These people tend to be the primary users.

Some people believe storing private keys on smart cards leads to better physical security than storing them on easily-stolen laptops or PCs. Others like to be able to carry their private key with them, so they can use it at whichever computer they happen to be at (as long as that computer has a card reader attached).

The major drawbacks are that if your card reader breaks, your private key is inaccessible, and most smart cards are limited to RSA-1024 and a ridiculously small amount of supporting data. You will not be able to carry your keyring around with you on the card.

> Are there decent Smart-Cards for Apple MacBooks ?

Smart cards are (mostly) interchangeable; there's a standard for how they're laid out and how they interface with smart card readers. The real question is whether there are good card readers for OS X.

I can't help you with this; I don't use card readers, so I can't give any recommendations. However, a quick Google search for 'smart card reader "OS X"' returned some useful results in the first few links.

From rjh at sixdemonbag.org Tue Oct 30 15:40:48 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue, 30 Oct 2007 09:40:48 -0500
Subject: beginner to gnupg
In-Reply-To: <13366377.post@talk.nabble.com>
References: <13366377.post@talk.nabble.com>
Message-ID: <47274270.4030109@sixdemonbag.org>

bjr149 wrote:
> C:\GNU\GnuPG>gpg --export "key name" > C:\GNU\GnuPG\public.key

By default, GnuPG will export keys in binary format. This is more space-efficient, but is not readable to humans. (I don't think that's a big loss, given that the human-readable version isn't all that readable to humans, either.)

Try:

gpg --armor --export "key name" > C:\GNU\GnuPG\public.key

... and it should work.

Note that it's "--armor --export", not "--export --armor". The former will work fine. The latter will try to export a key named "--armor", which will probably not work fine, unless your keyring has far more interesting people than mine. :)

> Can you have more than one key with the same name and a different user name?

Yes.

From wk at gnupg.org Tue Oct 30 17:58:46 2007
From: wk at gnupg.org (Werner Koch)
Date: Tue, 30 Oct 2007 17:58:46 +0100
Subject: beginner to gnupg
In-Reply-To: <47274270.4030109@sixdemonbag.org> (Robert J. Hansen's message of "Tue, 30 Oct 2007 09:40:48 -0500")
References: <13366377.post@talk.nabble.com> <47274270.4030109@sixdemonbag.org>
Message-ID: <873avs7d4p.fsf@wheatstone.g10code.de>

On Tue, 30 Oct 2007 15:40, rjh at sixdemonbag.org said:

> Note that it's "--armor --export", not "--export --armor". The former
> will work fine. The latter will try to export a key named "--armor",

That is not correct. The ordering of options and commands does not matter. However mixing arguments ("key name") and options/commands does not work as soon as the first non-option/command has been detected all following items are considered arguments. There is one caveat: If the first argument starts with a dash it will be viewed as an option. To avoid this the special option "--" may be used which explicitly declares that all what follows are arguments.
Note that some options have option-arguments, e.g.

  gpg -r Alice -r Bob --encrypt file.txt

Here Alice and Bob are arguments of the -r option. -r (or --recipient) requires an option and thus gpg expects this. As an alternative you may use

  gpg --recipient=Alice --recipient=Bob --encrypt file.txt

And in scripts you would use

  gpg --recipient=Alice --recipient=Bob --encrypt -- $FILE

so that you can even encrypt files with names like '--armor'.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From shavital at mac.com Tue Oct 30 20:25:31 2007
From: shavital at mac.com (Charly Avital)
Date: Tue, 30 Oct 2007 15:25:31 -0400
Subject: GnuPG in Linux
Message-ID: <1193772331.16380.27.camel@Ubuntu7.04>

Hi,

In the pursuit of complicating my life with some fun, I have installed Linux Ubuntu 7.04 under Parallels 3.0 Mac build 5160 (in addition to Windows XP Pro). The current release of Ubuntu, 7.10 is not [yet] digested by Parallels, but eventually it will.

Ubuntu 7.04 distribution came with GnuPG 1.4.6 already installed. After much searching and installing I finally got:
- compiled 1.4.7 from source after installing 'build-essential', because the C compiler that came with that Ubuntu release was not suitable, by itself, to compile gnupg.
- installed GPA and KGpg
- imported my keyrings from gnupg/MacOS 10.4.10 (Leopard is still wandering in the jungle on its way to my home), and reset the trust.

My question, please help: where, how can I find and open, actually open and edit as required, gpg.conf? A ls search in .gnupg lists 'options'. I remember that gnupg.options was the ancestor of gpg.conf (probably before gnupg 1.2.*).

Sorry if the question seems [is] silly, but I have a block. I have tried to use pico (nano), but I don't seem to strike the right commands.

Thanks!
Charly

From rjh at sixdemonbag.org Tue Oct 30 20:56:47 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue, 30 Oct 2007 14:56:47 -0500
Subject: GnuPG in Linux
In-Reply-To: <1193772331.16380.27.camel@Ubuntu7.04>
References: <1193772331.16380.27.camel@Ubuntu7.04>
Message-ID: <47278C7F.6060403@sixdemonbag.org>

Charly Avital wrote:
> My question, please help: where, how can I find and open, actually open
> and edit as required, gpg.conf? A ls search in .gnupg lists 'options'.

Dunno what that's doing there. You're right, it should be gpg.conf.

The good news is most of your OS X Terminal.app skills will apply here. OS X 10.4 and 10.5 both use a program called 'bash' to provide a command line. So does Ubuntu. Prior to 10.4, OS X used tcsh instead of bash; if you're more comfortable with 10.0-10.3 behavior, talk to me off-list and we can get Ubuntu set up with tcsh.

I'd suggest doing 'gedit ~/.gnupg/gpg.conf &' and just editing it that way. Gedit is the standard GNOME editor and should be much friendlier than using nano.

From shavital at mac.com Tue Oct 30 18:46:55 2007
From: shavital at mac.com (Charly Avital)
Date: Tue, 30 Oct 2007 13:46:55 -0400
Subject: GnuPG in Linux
Message-ID: <1193766415.16380.23.camel@Ubuntu7.04>

Hi,

In the pursuit of complicating my life with some fun, I have installed Linux Ubuntu 7.04 under Parallels 3.0 Mac build 5160 (in addition to Windows XP Pro). The current release of Ubuntu, 7.10 is not [yet] digested by Parallels, but eventually it will.

Ubuntu 7.04 distribution came with GnuPG 1.4.6 already installed. After much searching and installing I finally got:
- compiled 1.4.7 from source after installing 'build-essential', because the C compiler that came with that Ubuntu release was not suitable, by itself, to compile gnupg.
- installed GPA and KGpg
- imported my keyrings from gnupg/MacOS 10.4.10 (Leopard is still wandering in the jungle on its way to my home), and reset the trust.

My question, please help: where, how can I find and open, actually open and edit as required, gpg.conf? A ls search in .gnupg lists 'options'.
I remember that gnupg.options was the ancestor of gpg.conf (probably before gnupg 1.2.*).

Sorry if the question seems [is] silly, but I have a block. I have tried to use pico (nano), but I don't seem to strike the right commands.

Thanks!
Charly

From bahamut at digital-signal.net Tue Oct 30 21:14:02 2007
From: bahamut at digital-signal.net (Andrew Berg)
Date: Tue, 30 Oct 2007 14:14:02 -0600
Subject: GnuPG in Linux
In-Reply-To: <1193772331.16380.27.camel@Ubuntu7.04>
References: <1193772331.16380.27.camel@Ubuntu7.04>
Message-ID: <4727908A.3040002@digital-signal.net>

Charly Avital wrote:
> My question, please help: where, how can I find and open, actually open
> and edit as required, gpg.conf?

You have to create the file yourself and place it in ~/.gnupg. Robert suggested gedit, but if you have KDE (you mentioned that you installed kgpg), you can use Kate or KWrite (personally, I like Kate because KDE is pretty and GNOME is ugly IMO), but any of these (or a terminal-based editor if you want, or really, pretty much any text editor at all) will work.

--
Windows NT 5.1.2600.2180 | Thunderbird 2.0.0.6 | Enigmail 0.95.5 | GPG 1.4.7
Key ID: 0xF88E034060A78FCB - available on major keyservers and upon request
Fingerprint: 4A84 CAE2 A0D3 2AEB 71F6 07FD F88E 0340 60A7 8FCB

From tmz at pobox.com Tue Oct 30 21:07:47 2007
From: tmz at pobox.com (Todd Zullinger)
Date: Tue, 30 Oct 2007 16:07:47 -0400
Subject: GnuPG in Linux
In-Reply-To: <1193772331.16380.27.camel@Ubuntu7.04>
References: <1193772331.16380.27.camel@Ubuntu7.04>
Message-ID: <20071030200746.GC6102@psilocybe.teonanacatl.org>

Charly Avital wrote:
> My question, please help: where, how can I find and open, actually
> open and edit as required, gpg.conf?
> A ls search in .gnupg lists
> 'options'. I remember that gnupg.options was the ancestor of
> gpg.conf (probably before gnupg 1.2.*).

Just rename (mv) options to gpg.conf. Even that isn't strictly necessary AFAIK, as gpg will read the options file if no gpg.conf is found.

> Sorry if the question seems [is] silly, but I have a block. I have
> tried to use pico (nano), but I don't seem to strike the right
> commands.

Does running "nano ~/.gnupg/options" fail in some way?

--
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now, now my good man, this is no time for making enemies.
    -- Voltaire, on his deathbed in response to a priest asking that he renounce Satan.

From oryann9 at yahoo.com Wed Oct 31 00:05:35 2007
From: oryann9 at yahoo.com (oryann9)
Date: Tue, 30 Oct 2007 16:05:35 -0700 (PDT)
Subject: script to clean my keyring
Message-ID: <582652.72339.qm@web63405.mail.re1.yahoo.com>

What causes your key-ring to become "dirty" or "fragmented?"

> Michael wrote:
> I like to clean my key ring automatically. I have put the attached lines
> together to do this. But something is wrong, the script shows the data
> which need to be changed but the update is not saved. Experts, what is
> wrong here??
>
> for i in `gpg --list-keys --fixed-list-mode --with-colons |
> grep "^pub" | cut -f5 -d":"` ; do
> gpg --batch --yes --edit-key $i clean
> done
> How about doing it this way:
> cp pubring.gpg pubring.tmp
> gpg --import-options import-clean --import pubring.tmp
> And a general Question:
> I like to frequently run "gpg --refresh-key" and after this the above
> script, in case it works, to get rid of the overhead. Do you think this
> is a good idea to do so?
gpg --keyserver-options import-clean \
    --keyserver pool.sks-keyservers.org refresh-keys

From yyz01 at yahoo.com Wed Oct 31 02:59:12 2007
From: yyz01 at yahoo.com (YYZ)
Date: Tue, 30 Oct 2007 18:59:12 -0700 (PDT)
Subject: A note to Atom Smasher [WAS: Subkey DSA signature changes...]
In-Reply-To: <68653.60607.qm@web45510.mail.sp1.yahoo.com>
Message-ID: <414316.31578.qm@web45509.mail.sp1.yahoo.com>

Atom,

Going through the list archives, I came across a few of your postings that seem to indicate that you have more insight into the way subkey self-signatures are generated than what I can gather from the RFC. Arguably, it's one of the most confusing sections...

http://lists.gnupg.org/pipermail/gnupg-users/2004-May/022511.html

However, i didn't find any more posts from you explaining how did you manage to generate the missing self-signatures on your subkeys. I'd appreciate if you could share that knowledge with us...

Since the signatures are computed from the hash of the key material (which differs in the secret and the public key packets), I'd suppose the secret subkey signature to be different from the public subkey signature. However, that doesn't seem to be the case. I found out that they actually have the same hash value. For some weird reason though, the signature itself is different in case of newly generated keys. But when importing from an exported private key or the secret keyring, the secret subkey signature is just copied over to the private keyring.

Appreciate if you could offer some insight into this.

Thanks!

--- YYZ wrote:

>
> Hi everyone!
>
> Can anyone explain this strange gpg behavior, observed when I follow
> these steps?
>
> I use gpg to generate a key-pair using default options (1024D/2048g).
> Afterwards, I import the secret keyring into another account, and issue
> the following commands "gpg --export" and "gpg --export-secret-key" in
> both the accounts.
>
> I noticed that while the second command yields identical results, the
> output of the first command is slightly different in the two cases
> (actually, just the last 44 bytes). A little analysis reveals that the
> bytes that differ are really the two MPIs representing the "r" and "s"
> components of the DSA signature for the ELG subkey.
>
> Further, if I export my secret keyring to several different accounts/
> computers, all of them end up with identical DSA signature for the
> exported subkey (but it's different from the original signature). Can
> someone please explain why is it like this?
>
> Thanks!

From JPClizbe at tx.rr.com Wed Oct 31 08:21:59 2007
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Wed, 31 Oct 2007 02:21:59 -0500
Subject: script to clean my keyring
In-Reply-To: <1085920.59193.BlZUXl8STQs=.1193734339.squirrel@webmailer.hosteurope.de>
References: <200710292246.34235.Bushveld@gmx.de> <47268191.8080404@tx.rr.com> <1085920.59193.BlZUXl8STQs=.1193734339.squirrel@webmailer.hosteurope.de>
Message-ID: <47282D17.1090102@tx.rr.com>

Michael wrote:
> Hi John,
>
> thank you for the answer how to clean my key ring:
>
>> How about doing it this way:
>> cp pubring.gpg pubring.tmp
>> gpg --import-options import-clean --import pubring.tmp

Don't use pubring.tmp.
I remembered that gpg uses that name (and also pubring.bak) as part of the importing. Try pubring.sav

>
> === 1 ===
> This will make a clean import to the current pubring.gpg but will this
> help? Will these keys which are imported overwrite the keys in the current
> pubkey.gpg? Or would I need to start with a "striped" which only contains
> my selfsignature?

No, what is happening is that the import will merge both copies of each key and then apply the cleaning algorithm. Since the imported keyring is a copy of the original, all that effectively happens is the cleaning.

>> gpg --keyserver-options import-clean \
>> --keyserver pool.sks-keyservers.org refresh-keys
>
>
> === 2===
> I like to keep my key ring updated, what about this: I run on a frequent
> basis:
>
> # Assumption is that the key is currently clean
> cp pubring.gpg pubring.bak
>
> gpg --keyserver-options import-clean \
> --keyserver pool.sks-keyservers.org refresh-keys
>
> cp pubring.gpg pubring.tmp
> gpg --import-options import-clean --import pubring.tmp

A reimport after refreshing with import-clean is unnecessary.

After you initially clean a keyring (above), if you set import-clean as both a keyserver-option and an import-option in gpg.conf, whenever a key is added and whenever you refresh your keyring, keys will automatically be cleaned. You shouldn't need to re-import your keyring to clean it again.

Example lines from gpg.conf:

keyserver-options auto-key-retrieve include-subkeys include-revoked \
                  import-clean export-clean
import-options import-clean

--
John P. Clizbe                      Inet: JPClizbe(a)comcast DOT nyet
Golden Bear Networks                PGP/GPG KeyID: 0x608D2A10
"Be who you are and say what you feel because those who mind don't matter and those who matter don't mind." - Dr Seuss, "Oh the Places You'll Go"

From eocsor at gmail.com Wed Oct 31 08:29:29 2007
From: eocsor at gmail.com (Roscoe)
Date: Wed, 31 Oct 2007 16:59:29 +0930
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
Message-ID:

Not answering your questions but two handy tools I like :)

A while ago we had a big discussion regarding printing out keys for backup, which (I think) prompted David Shaw to write the following small program to assist those wanting to do so. Here's part of the description of that program:

"Due to metadata and redundancy, OpenPGP secret keys are significantly larger than just the "secret bits". In fact, the secret key contains a complete copy of the public key. Since the public key generally doesn't need to be escrowed (most people have many copies of it on various keyservers, web pages, etc), only extracting the secret parts can be a real advantage.

Paperkey extracts just those secret bytes and prints them. To reconstruct, you re-enter those bytes (whether by hand or via OCR) and paperkey can use them to transform your existing public key into a secret key."
  -- http://www.jabberwocky.com/software/paperkey/

The author of seccure [ECC implementation mentioned recently on this list] also wrote an implementation of Shamir's secret sharing scheme named ssss which is quite easy to use and maybe a good idea for those wanting to keep some paper record of their password for when their memory fails them. (I think splitting a password into a few shares and distributing them in suitable places is a sane way of writing down passwords. Other people may disagree.)
http://www.point-at-infinity.org/ssss/

BW laser printers are pretty cheap now :)

-- Roscoe

On 10/28/07, Nicolas Pillot wrote:
> [ Disclaimer ]
> This post is at the same time a real-life story, and a request for ideas.
> I hope the tone of it won't be too boring, and well, if you're impatient,
> just skip to the end ! (namely [ Enter the questions ])
>
> [ Intro ]
> Good evening to all of you. This is my first post on this list, so
> don't hesitate if it's the wrong place to ask for what i'll discuss
> here. I hope i've hit the most general list, as my question isn't
> exactly linked to gnupg, though it has been my tool of choice for some
> years now.
>
> I come tonight, because, as you could guess, i have a "small" problem.
> "Small" in that it's not über-vital, but problematic enough for me be
> open for any kind of solution, whatever it might be. Let me explain my
> situation and questions, for if you could give any hint, it'll make my
> day.
>
> Ages back, i installed some linux distribution. Later on, i heard
> about public key encryption schemes. Enters gnupg, which generated my
> very first pair of keys, on 24th april 2001. As all newbies are
> tempted to, i had it to never expire, and published it on a keyserver.
> I have been using it ever since, without any trouble, until this
> god-forgotten 21st october 2007. A bloody sunday, as the song says. On
> that very day, my hard drive gave an unexpected error and died a
> horrible death. All in all, not a surprise, as it was quite old.
> data-wise, it was no big trouble as my data are carefully backed up.
> The day after, i bought two new drives, set them as raid (this is my
> first raid setup) and installed a new system, restored my data.
> Everything was almost perfect.
>
> [ Back to the problem ]
> Even though my "normal" data are backed up twice (once on a distant
> server, and once on removable media), the "immensely
> valuable/sensitive/priceless/unique" data (ie, my key) is not backed
> up on the same scheme. Instead, when i created the key pair, i
> immediately generated a revocation certificate. I then exported the
> private and public keys, along with fingerprint, in an ascii file. I
> stored the .gnupg folder, the revocation certificate, and the exported
> ascii versions on a brand new, dedicated, whopping 32MB usb stick. I
> printed the revocation certificate and put it in an archive box by my
> grandmother (separate building 450km away), and stored the USB stick
> in a box on a shelf in my basement. You might call me paranoid, but i
> just did so to avoid the potential trouble some people were having on
> the forum. It was an effortless process at that time, and i thought
> i'd be safe. On 5th may 2002, about one year later, i lost my hard
> drive due to a corrupted FAT and started to panic until i remembered
> the usb-stick, which gave me my keys back after a system re-install.
> I was happy i did a backup.
>
> So, this monday, 23rd oct, i walked confidently down to the basement,
> opened the box, picked the stick, and walked back to the pc, almost
> whistling. I mounted it, read-only, or, well.... tried to mount it.
> After a big *shrug*, i realized it wouldn't mount whatever i tried to
> do. I tried on a windows laptop, and went to a friend's place to see
> if his OSX had better chance to access my data. Nothing helped. My
> .gnupg folder and ascii keys are unavailable. And as such, my
> encrypted data seems to be lost.
>
> After a while, i realized there was not many solutions, and the only
> thing i could do to get things done in any kind of right way was to
> get my hands back on the revocation certificate. It might even be a
> good reason to drive all the way and pay a visit to my grand'ma, after
> all.
> That's what i did today. She was happy to see me, and in good
> shape, but it's out of topic. After a while, i climbed in the attic,
> where the family treasures lie, and among them, the so-sought
> revocation certificate. I opened the archive box, searched various
> papers, and found it. Then cursed myself.
>
> The paper was starting to turn yellowish on the edges, and the (black)
> ink had turned dim, even gray in some areas, and well, the document
> wasn't in outstanding shape. And though most of it was perfectly
> readable, there are some small parts, which are quite blurred (due to
> humidity ?) and well, i suddenly wondered if there was any curse
> hanging over my head. I made a mental note : don't ever, ever, ever
> print something important on a cheap bubble-jet printer using discount
> ink cartridge. Either do that and then xerox it, or print it on a
> laser printer. Using large font-size, and finally, don't use
> "courier" as i did even if you initially thought it'd be ok.
>
> Because now, i'm stuck with a bunch of c/o, I/1, 0/O, and even some
> h/b i can't for the love of god figure out who is who. After careful
> reading, and although it's very short, i have exactly 8-9 characters i
> can't read at all, as the others can be guessed. Had i printed it via
> something like "DejaVu sans mono", where small L and ones look
> different, and where zeros have an inside center dot, well, the task
> would've been easy. Or i could have printed it twice, or even five
> times on the same sheet using different fonts !
>
> Here comes the Sad-result-of-a-cursed-day :
> - i have lost the digital versions of my .gnupg, ascii pub/priv keys
> due to a failing usb stick which hadn't been used for 5+ years.
> - this means i have lost all my encrypted data (mainly accounting
> information, real-life & web password database, and some old
> work-related documents important enough to keep a personal encrypted
> version at home).
> - i have a partial printed revocation certificate with 8 unreadable
> characters, which means i can't disable the published key.
> - this means, furthermore, that even if there are only few people who
> were using my public key, they could still use it to encrypt, even if
> it's quite useless.
> - It seems like i offered the world another confusing key which would
> never expire. Hurray !
> If i'm wrong on any of these 5 points, don't hesitate to say so !
>
> Even if the double failure is quite irritating, i can do nothing but
> accept murphy's law.
> But i'm not here to cry, however tempting it might be ;)
>
> After all this, i created a new pair of keys, expiring in 1 year, for
> which i'll change the expiration regularly. I made a revocation
> certificate, i backed everything up in 3 different places/medium, and
> printed it 3 times. paranoid, eh ? Now, i just wait to see if i could
> get some answers to the questions below before publishing the new
> public key.
>
> [ Enter the questions ]
>
> Q1: I have the public key (0x26A2F0AE if it's of any use), i know the
> secret key passphrase perfectly. Is there any way i could re-compute /
> restore / whatever the secret part using this information ? I browsed
> the list up to feb 2006, and didn't find any "Lost private key with
> known passphrase"-like post. So i guess it's not possible.
>
> Q2: To try and make things straight, i would like to at least revoke
> the key. The 8 characters cannot be guessed at any price, as they are
> completely blurred. This means there are theoretically 64^8 possible
> combinations. If i import only the public key into my keyring, and
> then brute-force change the 8 unknown bytes in the certificate, and
> each time try to import it, gpg will tell me "read error: invalid
> keyring" a zillion times, but in the end it'll find the good one. My
> question is : can a revocation certificate be applied into the keyring
> if you only have the public key.
> I guess so, as the keyservers only
> have the public key.
>
> Note that while the answer to Q1 is of immense value, Q2 is only a
> ground for a "practical exercise", which might be undertaken to make
> things clean, as my data is lost forever.
>
> [ Conclusion ]
> This post might be long, but i wanted to share my feelings and
> thoughts with the community, namely these points :
> - You have to balance the amount of key backups vs the security of the
> given backup locations
> - Always make a revocation certificate. Back it up using the same
> scheme as for keys.
> - Additionally, print all the invaluable data (private keys,
> certificate). Using different fonts. Using laser/xerox. Even make a
> non-digital (optical/film) photograph of it. These last decades ;)
> - ... Pray.
> - And remember that even if it looks like you're overly-safe,
> everything might fail. And will.
>
> Thanks for reading, i wish you all good night.
>
> --
> Nicolas Pillot (nicolas.pillot at gmail.com)

From Bushveld at gmx.de Wed Oct 31 09:31:07 2007
From: Bushveld at gmx.de (Michael)
Date: Wed, 31 Oct 2007 09:31:07 +0100 (CET)
Subject: script to clean my keyring
In-Reply-To: <582652.72339.qm@web63405.mail.re1.yahoo.com>
References: <582652.72339.qm@web63405.mail.re1.yahoo.com>
Message-ID: <1085920.51953.BlZUXl8STQs=.1193819467.squirrel@webmailer.hosteurope.de>

Hi,

On Wed, October 31, 2007 00:05, oryann9 wrote:
> What causes your key-ring to become "dirty" or "fragmented?"

I have imported many keys which have lots of duplicated key as well as no more valid uids.
Michael

From nicolas.pillot at gmail.com Wed Oct 31 09:47:34 2007
From: nicolas.pillot at gmail.com (Nicolas Pillot)
Date: Wed, 31 Oct 2007 09:47:34 +0100
Subject: Key safety vs Backup : History of a bad day (key-restoration problem)
In-Reply-To:
References: <9f76a5860710271634i2e516e6djb2600650c7a90b9c@mail.gmail.com>
Message-ID: <9f76a5860710310147w7e78c421tb61cf4e5261bd55d@mail.gmail.com>

> [All the above posts]

Thanks a lot for your input, everyone. Lots of information !

> Paperkey

After giving it a look, it seems reasonable to use it. But i'm not confident enough to add another *semi* blackbox tool in my key backup scheme, as i'll depend of its possible future evolutions and incompatibility. Moreover, i _think_ that spending time (even an hour if necessary) typing ALL the relevant data is well worth it if you can get your key back. Simple things are usually the best !

> BW laser printers are pretty cheap now :)

Yeah, now i own one *grin*

--
Nicolas Pillot (nicolas.pillot at gmail.com)

From atom at smasher.org Wed Oct 31 12:09:13 2007
From: atom at smasher.org (Atom Smasher)
Date: Thu, 1 Nov 2007 00:09:13 +1300 (NZDT)
Subject: A note to Atom Smasher [WAS: Subkey DSA signature changes...]
In-Reply-To: <414316.31578.qm@web45509.mail.sp1.yahoo.com>
References: <414316.31578.qm@web45509.mail.sp1.yahoo.com>
Message-ID: <20071031110916.20027.qmail@smasher.org>

On Tue, 30 Oct 2007, YYZ wrote:

> Going through the list archives, I came across a few of your postings
> that seem to indicate that you have more insight into the way subkey
> self-signatures are generated than what I can gather from the RFC.
> Arguably, it's one of the most confusing sections...
>
> http://lists.gnupg.org/pipermail/gnupg-users/2004-May/022511.html
>
> However, i didn't find any more posts from you explaining how did you
> manage to generate the missing self-signatures on your subkeys. I'd
> appreciate if you could share that knowledge with us...
===================

don't try this at home - http://atom.smasher.org/gpg/gpg-migrate.txt

it's an ugly hack, there's really no reason you should ever have to do it, and last i checked it didn't even work with gpg since 1.2.4.

> Since the signatures are computed from the hash of the key material
> (which differs in the secret and the public key packets), I'd suppose
> the secret subkey signature to be different from the public subkey
> signature.
=================

it's been a while since i've dug through the RFC...

RFC2440:11.2. Key IDs and Fingerprints;
   A V4 fingerprint is the 160-bit SHA-1 hash of the one-octet Packet
   Tag, followed by the two-octet packet length, followed by the entire
   _Public_ Key packet starting with the version field.

fingerprints are calculated using just the public parts of the [sub]key.

--
...atom

 ________________________
 http://atom.smasher.org/
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

	"If there is anything the nonconformist hates worse than a conformist it's another nonconformist who doesn't conform to the prevailing standards of nonconformity."
		-- Bill Vaughan

From pbonna at militarycars.com Tue Oct 30 14:14:46 2007
From: pbonna at militarycars.com (pbonna at militarycars.com)
Date: Tue, 30 Oct 2007 08:14:46 -0500
Subject: AS400 PGP
Message-ID:

ANYONE USING PGP ON AS400 ............... ? IF SO WHAT PKGS & COST, SETUP ISSUES ETC.

From wlbradshaw at yahoo.com Wed Oct 31 00:04:58 2007
From: wlbradshaw at yahoo.com (William Bradshaw)
Date: Tue, 30 Oct 2007 16:04:58 -0700 (PDT)
Subject: GPG fails to encrypt
Message-ID: <990711.73653.qm@web54306.mail.re2.yahoo.com>

When calling the GPG command from within a Vitria Businessware automator process, files larger than 20MB fail to encrypt. Files smaller than 20MB encrypt just fine. If I run the GPG command outside of the Vitria Businessware process the large (20MB plus) files encrypt just fine.
The GPG command being called by Vitria is:

/usr/local/bin/gpg --always-trust -e -r "FFFFF" /vitria/bw3dev1/encrypt/FSA/$FSA.560167.$FHP.cere07110938.txt.01102007_11-13-08

Thanks!

From frank at ezprintsolutions.com Wed Oct 31 15:43:40 2007
From: frank at ezprintsolutions.com (jramro)
Date: Wed, 31 Oct 2007 07:43:40 -0700 (PDT)
Subject: GNuPG Newb
Message-ID: <13510878.post@talk.nabble.com>

Hi, I'm trying to send a php mail form and not able to get it to encrypt or do much of anything. The mail form works on its own, but when trying to add the GnuPG it doesn't work.

I have the private and public key pair generated. My host has the GnuPG keys generated and the .gnupg bin etc. I was a bit confused because i heard that PGP can intercept a mail form through SMTP and encrypt it, but that GnuPG can not? Do i have to first output my mail form into a temp folder as a .txt file, and then encrypt the .txt file?

The overview of the mail form is that it's coded in PHP, and the information in the mail will be populated by $_SESSION and $_POST information. It's an auto form that will automatically send the mail when user submits the last form, and is transferred to that last page. When reaching last page, the mail form is assembled and populated and sent. Currently it all works when using regular non-encryption mail.

Is there an easy way to take the existing mail form that's already working, and attach some code to have it encrypt with the private and public key pair?

Thank You!

From rjh at sixdemonbag.org Wed Oct 31 22:48:06 2007
From: rjh at sixdemonbag.org (Robert J.
Hansen) Date: Wed, 31 Oct 2007 16:48:06 -0500 Subject: AS400 PGP In-Reply-To: References: Message-ID: <4728F816.6050704@sixdemonbag.org> pbonna at militarycars.com wrote: > ANYONE USING PGP ON AS400 ............... ? IF SO WHAT PKGS & COST, SETUP > ISSUES ETC. This mailing list is for the GNU Privacy Guard, not PGP. GnuPG is a product of g10 Code GmbH and the GnuPG community; PGP is a product of PGP Corporation. I would suggest asking this question either on PGP Corporation's user forums or on the Yahoo Groups PGP-Basics list. Also, as a netiquette issue, the use of all caps is discouraged. It tends to come across as screaming and hostility. PGP Corporation's Knowledge Base: https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_alp.php PGP-Basics on Yahoo! Groups: http://tech.groups.yahoo.com/group/PGP-Basics/
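
The option and argument ordering rules from the "beginner to gnupg" thread above (options and commands in any order, the first non-option ends option parsing, "--" forces everything after it to be an argument), as an added Python example that is not part of any list message. It is a model of those rules, not gpg's own parser; the function names and the small option table are assumptions of this example.

```python
# Model of the ordering rules described in the thread. This is NOT gpg's
# own parser; the table of value-taking options is a small assumed subset.
OPTIONS_WITH_VALUE = {"-r", "--recipient"}


def split_command_line(argv):
    """Split argv (without the program name) into (options, arguments)."""
    options, arguments = [], []
    i = 0
    while i < len(argv):
        item = argv[i]
        if item == "--":
            # Explicit terminator: everything after it is an argument,
            # even an item that starts with a dash.
            arguments.extend(argv[i + 1:])
            break
        if not item.startswith("-"):
            # First non-option: it and all following items are arguments.
            arguments.extend(argv[i:])
            break
        name, sep, value = item.partition("=")
        if sep:
            options.append((name, value))        # --recipient=Alice
        elif item in OPTIONS_WITH_VALUE:
            if i + 1 >= len(argv):
                raise ValueError(f"{item} needs an option-argument")
            options.append((item, argv[i + 1]))  # -r Alice
            i += 1
        else:
            options.append((item, None))         # --armor, --export, ...
        i += 1
    return options, arguments


def encrypt_argv(recipients, path):
    """Build the script form from the thread: the file name follows "--"."""
    argv = ["gpg"]
    argv += [f"--recipient={r}" for r in recipients]
    argv += ["--encrypt", "--", path]
    return argv


if __name__ == "__main__":
    cases = [
        ["--armor", "--export", "key name"],   # same result as the next line
        ["--export", "--armor", "key name"],
        ["--export", "key name", "--armor"],   # "--armor" is now an argument
        ["--encrypt", "--armor"],              # file named "--armor" is lost
        encrypt_argv(["Alice", "Bob"], "--armor")[1:],  # file name survives
    ]
    for case in cases:
        print(case, "->", split_command_line(case))
```

Passing the list from encrypt_argv() to subprocess.run() without a shell keeps the file name as a single argv element, so a name containing spaces or starting with a dash reaches gpg unchanged.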
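
The fingerprint rule quoted from RFC 2440 section 11.2 in the "Subkey DSA signature changes" thread above, as an added Python example (not code from any list message or from GnuPG). The key numbers are constructed toy values, not a usable key, the secret packet is the unencrypted form, and all helper names are this example's own.

```python
import hashlib
import struct

# Public MPIs per public-key algorithm ID (RFC 2440 section 5.5.2):
# RSA (1, 2, 3): n, e; Elgamal (16): p, g, y; DSA (17): p, q, g, y.
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}


def mpi(value):
    """Encode an integer as an MPI: two-octet bit count, then the bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def public_body(created, algo, public_ints):
    """Body of a version 4 public key packet, starting at the version field."""
    head = bytes([4]) + struct.pack(">I", created) + bytes([algo])
    return head + b"".join(mpi(v) for v in public_ints)


def secret_body(pub_body, secret_ints):
    """Unencrypted secret key packet body: public fields, S2K usage 0,
    secret MPIs, then the two-octet sum of the secret octets."""
    secret = b"".join(mpi(v) for v in secret_ints)
    checksum = struct.pack(">H", sum(secret) & 0xFFFF)
    return pub_body + b"\x00" + secret + checksum


def public_prefix(body):
    """Return the public-key fields at the start of a v4 key packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 key packet body")
    algo = body[5]
    if algo not in PUBLIC_MPI_COUNT:
        raise ValueError(f"unsupported algorithm {algo}")
    pos = 6
    for _ in range(PUBLIC_MPI_COUNT[algo]):
        if pos + 2 > len(body):
            raise ValueError("truncated MPI header")
        (nbits,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2 + (nbits + 7) // 8
    if pos > len(body):
        raise ValueError("truncated MPI data")
    return body[:pos]


def v4_fingerprint(body):
    """SHA-1 over the 0x99 tag, two-octet length and public key fields."""
    pub = public_prefix(body)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub)
    return digest.hexdigest().upper()


def key_id(body):
    """The key ID is the low-order 64 bits of the fingerprint."""
    return v4_fingerprint(body)[-16:]


# Constructed sample values (toy numbers in DSA layout, not a real key).
CREATED = 1193700000
P, Q, G, Y = (0xE95E4A5F737059DC60DF5991D45029409E60FC09,
              0xA9FB57DBA1EEA9BC3E66, 0x2F,
              0x1D2C3B4A59687766554433221100FF)
X = 0x0123456789ABCDEF
SAMPLE_PUBLIC = public_body(CREATED, 17, [P, Q, G, Y])
SAMPLE_SECRET = secret_body(SAMPLE_PUBLIC, [X])

if __name__ == "__main__":
    print("public packet:", v4_fingerprint(SAMPLE_PUBLIC))
    print("secret packet:", v4_fingerprint(SAMPLE_SECRET))
    print("key ID:       ", key_id(SAMPLE_PUBLIC))
```

The secret packet body is longer than the public one, but both yield the same fingerprint because only the leading public fields are hashed.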