From dshaw at jabberwocky.com Mon Dec 1 03:04:20 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Sun, 30 Nov 2008 21:04:20 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081130201908.7e69a4cc@sdf.lonestar.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org>
Message-ID: <308D756B-A2B8-4C1D-A581-2C4ED3E19CAC@jabberwocky.com>

On Nov 30, 2008, at 2:19 PM, Myckel Habets wrote:

> Hello list,
>
> Last week I had contact with someone who said that my public key was
> "bad" according his validation program. I've mailed with many people
> before while using this key, but he was the first to tell me that.
> When I checked with a friend he said that the key was valid for him.
>
> The key was created in 2005 and at creation time I added an expiration
> date of the same day 2 years later. However within some time I thought
> this was not really needed, so I removed that expiration date (gpg let
> me do that, so I thought it was ok) and kept using that key without
> any problems.
>
> Currently my key looks like this:
>
> pub 1024D/9A3D206F created: 2005-12-10 expires: never usage: SC
>     trust: ultimate validity: ultimate
> sub 2048g/D5904978 created: 2005-12-10 expires: never usage: E
> [ultimate] (1). Myckel Habets (E-mail key)
>
> The person who said to me that the key validates as bad uses the
> PGPkeys program from the PGP corporation software (version 6.58, last
> version that was released when Phil Zimmerman worked there, he doesn't
> trust later versions) to do the validation.
>
> To sum this up I have two questions:
>
> 1) What is causing this problem? Is my key really bad or is this an
> incompatibility between PGPkeys version 6.58 and GPG?

Incompatibility. PGP 6.5.8 is too old for use in the modern age. Yes,
you can more or less make things work properly by persuading everyone
you communicate with to downgrade their clients, but even so 6.5.8 will
occasionally pull the rug out from under you.
This is one of those times.

> 2) Do I need to create new keys and revoke this key?

No. You need to tell your friend to upgrade. 6.5.8 predates OpenPGP,
and will thus have problems interoperating with most of the modern
clients (including PGP).

David

From rjh at sixdemonbag.org Mon Dec 1 05:40:25 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 30 Nov 2008 23:40:25 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081130201908.7e69a4cc@sdf.lonestar.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org>
Message-ID: <49336AB9.9020503@sixdemonbag.org>

Myckel Habets wrote:
> The person who said to me that the key validates as bad uses the PGPkeys
> program from the PGP corporation software (version 6.58, last version
> that was released when Phil Zimmerman worked there, he doesn't trust
> later versions) to do the validation.

This is factually untrue.

Phil Z. left PGP Security, a branch of Network Associates, in early
2001. This would've been just after the PGP 7.1 release. Phil himself
has sworn to the solidness of the PGP 7.0 and 7.1 releases. Despite
there being no source release, most people -- myself included --
consider Phil's word to be good.

Network Associates shut down PGP Security in early 2001. PGP
Corporation was formed as a completely separate business entity which
purchased the desktop PGP products from Network Associates. Most of the
key players from PGP Security came on board at the new PGP Corporation.

Phil Z. has officially left PGP Corporation to pursue other interests,
if memory serves. This doesn't surprise me in the least. After a
decade and a half at the same job, he's entitled to do other things. As
of late, secure internet telephony has been his object of interest.
That said, Phil is still in close contact with many of the principal
people at PGP Corporation.

> 1) What is causing this problem? Is my key really bad or is this an
> incompatibility between PGPkeys version 6.58 and GPG?
Toyota has a philosophy that when investigating failures, one should ask
"why?" multiple times.

Q. Why is this failure occurring?
A. Your friend is using an antique version of PGP.

Q. Why is your friend using an antique version of PGP?
A. Your friend doesn't trust versions Phil hasn't worked on.

Q. Why does your friend mistakenly think Phil hasn't worked on
   7.0 and later versions?
A. ... I don't know. You may want to look into this.

As far as engineering maxims go, the Toyota school of thought is pretty
good. Find the deepest level of failure and fix that, rather than
fixing superficial problems.

Other people have suggested convincing your friend to use a more recent
version of PGP, or a recent version of GnuPG. It's good advice, as far
as it goes. I think the problem goes deeper than that, however.

From dshaw at jabberwocky.com Mon Dec 1 06:23:27 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 1 Dec 2008 00:23:27 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <49336AB9.9020503@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org>
Message-ID: <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com>

On Nov 30, 2008, at 11:40 PM, Robert J. Hansen wrote:

> Myckel Habets wrote:
>> The person who said to me that the key validates as bad uses the
>> PGPkeys program from the PGP corporation software (version 6.58, last
>> version that was released when Phil Zimmerman worked there, he doesn't
>> trust later versions) to do the validation.
>
> This is factually untrue.
>
> Phil Z. left PGP Security, a branch of Network Associates, in early
> 2001. This would've been just after the PGP 7.1 release. Phil himself
> has sworn to the solidness of the PGP 7.0 and 7.1 releases. Despite
> there being no source release, most people -- myself included --
> consider Phil's word to be good.
>
> Network Associates shut down PGP Security in early 2001.
> PGP Corporation was formed as a completely separate business entity
> which purchased the desktop PGP products from Network Associates. Most
> of the key players from PGP Security came on board at the new PGP
> Corporation.
>
> Phil Z. has officially left PGP Corporation to pursue other interests,
> if memory serves. This doesn't surprise me in the least. After a
> decade and a half at the same job, he's entitled to do other things.
> As of late, secure internet telephony has been his object of interest.
> That said, Phil is still in close contact with many of the principal
> people at PGP Corporation.
>
>> 1) What is causing this problem? Is my key really bad or is this an
>> incompatibility between PGPkeys version 6.58 and GPG?
>
> Toyota has a philosophy that when investigating failures, one should
> ask "why?" multiple times.
>
> Q. Why is this failure occurring?
> A. Your friend is using an antique version of PGP.
>
> Q. Why is your friend using an antique version of PGP?
> A. Your friend doesn't trust versions Phil hasn't worked on.
>
> Q. Why does your friend mistakenly think Phil hasn't worked on
>    7.0 and later versions?
> A. ... I don't know. You may want to look into this.
>
> As far as engineering maxims go, the Toyota school of thought is
> pretty good. Find the deepest level of failure and fix that, rather
> than fixing superficial problems.

I think that last question is irrelevant, as it follows from the
"doesn't trust versions that Phil hasn't worked on", which makes it
derived from a false premise. It does not matter whether Phil has
worked on 7.0 and later, or indeed any version of PGP, because Phil
being involved does not ipso facto cause PGP to be good (for whatever
value of "good" you like).

If the equation is "Phil involved == good PGP", and "Phil not involved
== bad PGP" then the battle for making intelligent decisions about PGP
has been lost from the start.
Phil is a good guy, and he did start something huge, but his
involvement is not magic pixie dust that causes crypto goodness to
spring into being.

> Other people have suggested convincing your friend to use a more
> recent version of PGP, or a recent version of GnuPG. It's good advice,
> as far as it goes. I think the problem goes deeper than that, however.

I think it does as well. Once upon a time, I spent a lot of hours
coding various workarounds in GnuPG for old versions of PGP. This is
where the --pgp2, --pgp6, --pgp7, etc, flags in GnuPG came from. Now,
years later, I sometimes wonder if I made a mistake. Perhaps it would
have been wiser to bite the bullet and let these things break.

David

From rjh at sixdemonbag.org Mon Dec 1 07:00:29 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 01:00:29 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com>
Message-ID: <49337D7D.3050302@sixdemonbag.org>

David Shaw wrote:
> I think that last question is irrelevant, as it follows from the
> "doesn't trust versions that Phil hasn't worked on", which makes it
> derived from a false premise. It does not matter whether Phil has
> worked on 7.0 and later, or indeed any version of PGP, because Phil
> being involved does not ipso facto cause PGP to be good (for whatever
> value of "good" you like).

Warning to all: I am going to be even more blunt and direct than usual.
If my usual level bothers you, as I know it does for some people, you
may wish to just hit 'delete' and move on.

It does if your definition of "good" is "Phil Z. worked on it."
I agree that the axiom is crazy, but it doesn't do much good to tell
someone "your axiom is crazy, change it" if they're not capable of
either (a) understanding why their axiom is crazy or (b) how to apply
their new axioms in a consistent way.

In my experience it works better to say "well, assuming /arguendo/ that
you're right and nothing non-PRZ related should be trusted, why aren't
you trusting these things PRZ is involved in?". That gets people
thinking logically and critically about how their policy decisions
evolve from their axioms. Once they have some experience at critical
thinking with respect to trust, then it's time to say "so, if we were
going to draft new axioms from scratch, what should they be and why?"

I fully agree that the axiom is somewhere between "crazy" and "grossly
misinformed." Unfortunately, in my experience the overwhelming majority
of users don't understand trust, don't want to understand trust, and run
away screaming when asked to think about trust in a logical manner. You
have to bring them to rationality slowly and in infinitesimally small
doses.

From dshaw at jabberwocky.com Mon Dec 1 07:23:11 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 1 Dec 2008 01:23:11 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <49337D7D.3050302@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org>
Message-ID: <34674E9E-1E3C-461A-8DB2-A4D39A5AEF00@jabberwocky.com>

On Dec 1, 2008, at 1:00 AM, Robert J. Hansen wrote:

> David Shaw wrote:
>> I think that last question is irrelevant, as it follows from the
>> "doesn't trust versions that Phil hasn't worked on", which makes it
>> derived from a false premise.
>> It does not matter whether Phil has worked on 7.0 and later, or
>> indeed any version of PGP, because Phil being involved does not ipso
>> facto cause PGP to be good (for whatever value of "good" you like).
>
> Warning to all: I am going to be even more blunt and direct than
> usual. If my usual level bothers you, as I know it does for some
> people, you may wish to just hit 'delete' and move on.
>
>
>
>
>
>
> It does if your definition of "good" is "Phil Z. worked on it."
>
> I agree that the axiom is crazy, but it doesn't do much good to tell
> someone "your axiom is crazy, change it" if they're not capable of
> either (a) understanding why their axiom is crazy or (b) how to apply
> their new axioms in a consistent way.
>
> In my experience it works better to say "well, assuming /arguendo/
> that you're right and nothing non-PRZ related should be trusted, why
> aren't you trusting these things PRZ is involved in?". That gets
> people thinking logically and critically about how their policy
> decisions evolve from their axioms. Once they have some experience at
> critical thinking with respect to trust, then it's time to say "so, if
> we were going to draft new axioms from scratch, what should they be
> and why?"
>
> I fully agree that the axiom is somewhere between "crazy" and "grossly
> misinformed." Unfortunately, in my experience the overwhelming
> majority of users don't understand trust, don't want to understand
> trust, and run away screaming when asked to think about trust in a
> logical manner. You have to bring them to rationality slowly and in
> infinitesimally small doses.

I strongly disagree. Explaining to them that PRZ was present for other
versions of PGP feeds their "grossly misinformed" world view. It's not
a "small dose" of reality: it's an irrelevant (despite being factual)
statement that just corroborates their misunderstanding.
This leaves them with the belief that their understanding was correct
all along, and thus makes the situation worse.

How much harder is it to bring reality to a situation once someone has
"fed" the misunderstanding?

I've had my share of conversations with the PGP True Believers over the
past 10 years. After much painful experience, the method that has
always worked best for me is to state:

1) This is reality. Full stop.

2) I will help you understand why this is true if you want me to (but
   if you aren't interested, that's fine too).

3) If you keep doing what you're doing, you're going to break
   something. Usually this only hurts you, but sometimes you can hurt
   people other than yourself.

4) Keep this up long enough, and you will isolate yourself. Nobody will
   be able to communicate with you reliably. That tends to resolve
   statement #3.

David

From rjh at sixdemonbag.org Mon Dec 1 09:05:24 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 03:05:24 -0500
Subject: Teaching crypto to newbies (was: incompat.)
In-Reply-To: <34674E9E-1E3C-461A-8DB2-A4D39A5AEF00@jabberwocky.com>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org> <34674E9E-1E3C-461A-8DB2-A4D39A5AEF00@jabberwocky.com>
Message-ID: <49339AC4.70901@sixdemonbag.org>

David Shaw wrote:
> How much harder is it to bring reality to a situation once someone
> has "fed" the misunderstanding?

Should we forbid high schools from teaching Newtonian physics? The
notions of absolute space and absolute time are gross misunderstandings
of reality. How much harder is it to bring reality to physics once a
well-meaning teacher has fed these misunderstandings?

We use Newtonian physics to teach the scientific method. Students are
taught to observe, to hypothesize, to create models, to test them, and
so forth. Once the students have a good grasp of the tools, the teacher
says "...
oh, and by the way, Mercury's precession is off. Hmm. Maybe we should
look into that." [*]

Similarly, I think there's value in developing the skill of "given these
trust axioms, what actions should we take?" first, and then challenging
people to re-evaluate their axioms.

That said, reasonable people can certainly disagree on this -- we left
objective fact behind us a long time ago, and are pretty far into the
realm of personal opinion. :)

[*] Well, _good_ physics teachers do, anyway. (Thank you, Professor
Lichty.)

From jmoore3rd at bellsouth.net Mon Dec 1 10:47:00 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Mon, 01 Dec 2008 04:47:00 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <49337D7D.3050302@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org>
Message-ID: <4933B294.40107@bellsouth.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Robert J. Hansen wrote:

> Unfortunately, in my experience the overwhelming majority
> of users don't understand trust, don't want to understand trust, and run
> away screaming when asked to think about trust in a logical manner. You
> have to bring them to rationality slowly and in infinitesimally small doses.

"Bring them to rationality slowly & infinitesimally?" I'd rather hit My
thumb with a hammer. Frustration relief is more easily accomplished.

Discussions of 'Trust' rank up there with those surrounding Sex,
Religion & Politics; as soon as views on Trust are introduced a
subjective minefield has been entered. As soon as beliefs are
challenged the other party lays their ears back and closes their mind.

I am reminded of the ancient axiom "A man convinced against His will
remains unchanged forever still."

Just My 2 cents worth.
JOHN ;)
Timestamp: Monday 01 Dec 2008, 04:46 --500 (Eastern Standard Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10-svn4878: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust: https://www.gswot.org
Comment: Homepage: http://tinyurl.com/yzhbhx

-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Mon Dec 1 13:48:29 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 07:48:29 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <4933B294.40107@bellsouth.net>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org> <4933B294.40107@bellsouth.net>
Message-ID: <4933DD1D.2030904@sixdemonbag.org>

John W. Moore III wrote:
> "Bring them to rationality slowly & infinitesimally?" I'd rather hit My
> thumb with a hammer. Frustration relief is more easily accomplished.

Agreed.

> Discussions of 'Trust' rank up there with those surrounding Sex,
> Religion & Politics; as soon as views on Trust are introduced a
> subjective minefield has been entered. As soon as beliefs are
> challenged the other party lays their ears back and closes their mind.

Agreed.

> I am reminded of the ancient axiom "A man convinced against His will
> remains unchanged forever still."

Agreed. This is why I believe in the "small doses" approach: over time,
they get the idea that they're changing their own minds.
There's a thoroughly mediocre movie, _The Way of the Gun_, which has a
scene in which two criminals talking with each other sum up my basic
view of human nature:

Longbaugh: But, you know, then you got the other side [of the cops and
           robbers equation]: these trigger-happy [expletive] all about
           the shooting and posturing and "you don't know who I am"
           kind of thing, the "I been to prison..."
Sarno:     Yeah, because you got _caught_, you dumb --
Longbaugh: These days, it's almost like they want to be criminals more
           than they want to commit crime!
Sarno:     Well, that's... that's not just crime, you know. That's the
           way of the world.

... There are a lot of people in the world who want to be seen as smart,
savvy people who know how to keep their communications secure from
unwarranted intrusion. There are a lot fewer people who want to make
the investment of time and effort required to actually _be_ smart, savvy
people who know how to keep their communications secure from unwarranted
intrusion.

I find that learning how to tell the two apart is extraordinarily
useful.

From dshaw at jabberwocky.com Mon Dec 1 16:25:36 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 1 Dec 2008 10:25:36 -0500
Subject: Teaching crypto to newbies (was: incompat.)
In-Reply-To: <49339AC4.70901@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org> <34674E9E-1E3C-461A-8DB2-A4D39A5AEF00@jabberwocky.com> <49339AC4.70901@sixdemonbag.org>
Message-ID:

On Dec 1, 2008, at 3:05 AM, Robert J. Hansen wrote:

> David Shaw wrote:
>> How much harder is it to bring reality to a situation once someone
>> has "fed" the misunderstanding?
>
> Should we forbid high schools from teaching Newtonian physics? The
> notions of absolute space and absolute time are gross misunderstandings
> of reality.
> How much harder is it to bring reality to physics once a
> well-meaning teacher has fed these misunderstandings?

Did your teacher begin by saying "This is fact. This is true." Then
much later, "Actually... this wasn't true. Please un-learn things
now."

Or did he say "This isn't actually fact, but it's a good enough
assumption for today. You don't yet have enough knowledge to really
understand, but pretending this is true for now simplifies the learning
process. Pretty soon you'll understand more, and you'll even understand
why the assumption we are making today is a useful one." ?

For me, it was the latter. A teacher who lies, even with the best of
intention, loses his students. The poor student never knows if he is
being told the truth or not.

> That said, reasonable people can certainly disagree on this -- we left
> objective fact behind us a long time ago, and are pretty far into the
> realm of personal opinion. :)

Suits me. The person who needs education regarding the (thankfully
dying out) belief that no version of PGP past (insert version here)
should be used isn't even on this list.

In an effort to drag this back to OpenPGP relevance, a sum-up for the
archives:

* No, it is not true that PGP 2.6 or 6.5.8 or some other version is the
  "last good" version.

* Some variants of this belief involve Phil Zimmermann being present
  for those versions but not others. Mr. Zimmermann is a nice guy, and
  very devoted to PGP, but his presence does not automatically mean the
  version of PGP is secure, and similarly his absence does not
  automatically mean the version of PGP is suspect. Read his own words
  on this belief: http://www.philzimmermann.com/EN/faq/index.html

* You can, of course, keep using whatever version of PGP you like.
  Nobody can force you to do anything. However, understand that these
  early versions predate the OpenPGP standard (first published in 1998,
  and later updated in 2007).
  Because of this, they generally don't interoperate perfectly with
  true OpenPGP clients. In other words, you make it difficult for
  people to communicate with you securely. Since you're using PGP, we
  can assume that your intent was to communicate securely, so making it
  harder to do so is, shall we say, less than optimal. This situation
  is getting steadily (though slowly) worse as crypto technology
  evolves.

* There are many people on this list who would be happy to help you
  understand any of these points.

David

From barry at fantasymail.de Mon Dec 1 17:43:24 2008
From: barry at fantasymail.de (Barry)
Date: Mon, 01 Dec 2008 17:43:24 +0100
Subject: New GnuPT-Version and new WinPT-Website
Message-ID: <4934142C.4070907@fantasymail.de>

Hello,

a new version GnuPT has been published.

New in this version:

WinPT was updated to version 1.3.1. There were many small bug fixes.
Also an update for GnuPT-Portable.

Barry

From myckel at sdf.lonestar.org Mon Dec 1 21:05:24 2008
From: myckel at sdf.lonestar.org (Myckel Habets)
Date: Mon, 1 Dec 2008 21:05:24 +0100
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081130201908.7e69a4cc@sdf.lonestar.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org>
Message-ID: <20081201210524.6098c628@sdf.lonestar.org>

Hello everybody,

Thank you for all the replies, I'll point my friend to the archives of
this list in the hope that he starts upgrading (but that is up to him).

I had one more quick question, more technical I guess.

The screenshot he showed (the one where my key validated bad) showed
still the old expiration date. Is this somewhere stored in the key
itself? (it kept showing up even after he removed my public key and
re-fetched it from the key I send him.)

Regards,

Myckel

On Sun, 30 Nov 2008 20:19:08 +0100 Myckel Habets wrote:

> Hello list,
>
> Last week I had contact with someone who said that my public key was
> "bad" according his validation program.
> I've mailed with many people before while using this key, but he was
> the first to tell me that. When I checked with a friend he said that
> the key was valid for him.
>
> The key was created in 2005 and at creation time I added an expiration
> date of the same day 2 years later. However within some time I thought
> this was not really needed, so I removed that expiration date (gpg let
> me do that, so I thought it was ok) and kept using that key without
> any problems.
>
> Currently my key looks like this:
>
> pub 1024D/9A3D206F created: 2005-12-10 expires: never usage: SC
>     trust: ultimate validity: ultimate
> sub 2048g/D5904978 created: 2005-12-10 expires: never usage: E
> [ultimate] (1). Myckel Habets (E-mail key)
>
> The person who said to me that the key validates as bad uses the
> PGPkeys program from the PGP corporation software (version 6.58, last
> version that was released when Phil Zimmerman worked there, he
> doesn't trust later versions) to do the validation.
>
> To sum this up I have two questions:
>
> 1) What is causing this problem? Is my key really bad or is this an
> incompatibility between PGPkeys version 6.58 and GPG?
>
> 2) Do I need to create new keys and revoke this key?
>
> Thank you in advance.
>
> Myckel Habets

From rjh at sixdemonbag.org Mon Dec 1 22:05:51 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 16:05:51 -0500
Subject: Teaching crypto to newbies
In-Reply-To:
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org> <34674E9E-1E3C-461A-8DB2-A4D39A5AEF00@jabberwocky.com> <49339AC4.70901@sixdemonbag.org>
Message-ID: <493451AF.1030907@sixdemonbag.org>

David Shaw wrote:
> Did your teacher begin by saying "This is fact.
> This is true." Then much later, "Actually... this wasn't true.
> Please un-learn things now."

My high school physics teacher was an awful teacher, and was a big
believer in this. My college physics professor was a great teacher, and
was a big believer in teaching process and letting the results evolve
from the teaching of process.

I would much rather be a Lyle Lichty than an Al Craig.

> For me, it was the latter. A teacher who lies, even with the best of
> intention, loses his students. The poor student never knows if he is
> being told the truth or not.

I found enough errors in my math textbooks as a child to always suspect
every instructor of misleading me out of their own ignorance. I got
along very well with instructors who taught process and rigorous
examination of things which were claimed to be true, and very poorly
with instructors who taught facts. Quite often, the facts they were
teaching were not facts at all.

From dshaw at jabberwocky.com Mon Dec 1 23:01:47 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Mon, 1 Dec 2008 17:01:47 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081201210524.6098c628@sdf.lonestar.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <20081201210524.6098c628@sdf.lonestar.org>
Message-ID: <20081201220146.GA34626@jabberwocky.com>

On Mon, Dec 01, 2008 at 09:05:24PM +0100, Myckel Habets wrote:
> Hello everybody,
>
> Thank you for all the replies, I'll point my friend to the archives of
> this list in the hope that he starts upgrading (but that is up to him).
>
> I had one more quick question, more technical I guess.
>
> The screenshot he showed (the one where my key validated bad) showed
> still the old expiration date. Is this somewhere stored in the key
> itself? (it kept showing up even after he removed my public key and
> re-fetched it from the key I send him.)

It is stored on the key (in one of the self-signatures of the key, to
be precise).
The problem is that pgp 6.5.8 doesn't handle expiration properly, so it
is not understanding that your key (having two expiration dates, the
original one and the new one) was un-expired.

David

From reynt0 at cs.albany.edu Tue Dec 2 00:20:44 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Mon, 1 Dec 2008 18:20:44 -0500 (EST)
Subject: Teaching crypto to newbies (was: incompat.)
In-Reply-To: <49337D7D.3050302@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org>
Message-ID:

[quoted from the "incompat..." thread, but replying under RJH's new
Subject]

On Mon, 1 Dec 2008, Robert J. Hansen wrote:
. . .
> misinformed." Unfortunately, in my experience the overwhelming majority
> of users don't understand trust, don't want to understand trust, and run
> away screaming when asked to think about trust in a logical manner. You
> have to bring them to rationality slowly and in infinitesimally small doses.

My own belief is that an aversion to thinking in terms of "trust" may
have some basis in common sense, given the wide meanings and usual
grammar of (the English language word) "trust".

[self advertisement] To quote a book [which I wrote FWIW; complaints,
comments, criticisms welcome :) ], because it's not too wordy and says
just what I want to say here:

Risk is objective; security is subjective. ... Looking for risk is
being awake; feeling secure is being asleep. . . . Trust is psychology.
"Stop Thinking, Be Happy, Trust Us" is a sales slogan. Risk is the
objective reality of a situation. The only connection between risk and
trust is hope, or maybe confidence one can evaluate and judge always
correctly.

A newbie who is aware they don't know much, may well *feel* the reason
they need crypto is because not much is trustable, and they *feel* a
healthy anxiety.
And though it may well happen to be that what is called "Web of Trust"
is among useful tools for dealing with the problems, one is not teaching
newbies psychological skills of telling how they can trust or not, one
is (should be) teaching how to *think* weighing "risks" and showing how
crypto is a tool to reduce risk.

So newbies may be due some slack when they don't do well with learning
"trust" as logic, because it isn't logic.

From rjh at sixdemonbag.org Tue Dec 2 01:16:14 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 19:16:14 -0500
Subject: Teaching crypto to newbies
In-Reply-To:
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org>
Message-ID: <49347E4E.4030209@sixdemonbag.org>

reynt0 wrote:
> So newbies may be due some slack when they don't do well with
> learning "trust" as logic, because it isn't logic.

On the contrary, it _is_ logic. It's an exercise in theorem proving.
"Given: I trust Alice to sign keys; Alice has signed Bob's key. Prove:
I trust the correctness of Bob's key."

The fact we so rarely think of trust in terms of math does not diminish
the fact that in order to accurately talk about trust we need math.
It's kind of like catching a baseball. Anyone can do it, but if you
want to accurately talk about trajectories and velocities you're going
to need either some really advanced algebra or some elementary
differential calculus.

Most people decide trust issues by intuition. What I would very much
like to see is for people to take the next step, and determine trust on
the basis of deductive logic.
From reynt0 at cs.albany.edu Tue Dec 2 02:20:29 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Mon, 1 Dec 2008 20:20:29 -0500 (EST)
Subject: Teaching crypto to newbies
In-Reply-To: <49347E4E.4030209@sixdemonbag.org>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org> <49347E4E.4030209@sixdemonbag.org>
Message-ID:

On Mon, 1 Dec 2008, Robert J. Hansen wrote:
> reynt0 wrote:
>> So newbies may be due some slack when they don't do well with
>> learning "trust" as logic, because it isn't logic.
>
> On the contrary, it _is_ logic. It's an exercise in theorem proving.
> "Given: I trust Alice to sign keys; Alice has signed Bob's key. Prove:
> I trust the correctness of Bob's key."
>
> The fact we so rarely think of trust in terms of math does not diminish
> the fact that in order to accurately talk about trust we need math.
> It's kind of like catching a baseball. Anyone can do it, but if you
> want to accurately talk about trajectories and velocities you're going
> to need either some really advanced algebra or some elementary
> differential calculus.
>
> Most people decide trust issues by intuition. What I would very much
> like to see is for people to take the next step, and determine trust on
> the basis of deductive logic.

(First, understand I'm not claiming what I have to say about
this is any kind of perfect analysis, etc, rather it's like
trying to get hold of a bag of wriggling snakes and I'm
looking for the top of the bag so it can be twisted together
and grabbed hold of. So FWIW:)

To a newbie that exercise may sound like (in quasi-logic
terms, and conflating all concepts which are like trust
to "T"):
- I T Alice to T keys.
- I T that Alice has T'd Bob's key.
- How can I T that the key being presented to me as Bob's is T?

Compare something like, off the top of my head:
- I understand there's this key signing technique.
- There's always risk that someone will sign a bad person's
  key, but Alice is pretty reliable (ie low risk).
- Via the key signing technique, I have info that Alice has
  signed Bob's key (where experts have figured the risk is
  really low that the key signing technique will produce
  bad signs).
- How can I calculate the risk that this isn't really Bob's key?

The former seems to ask for logical certainty, with "T"
referring to people, processes, and things, and seemingly
concatenated to boot. Perhaps very confusing to a newbie:
"I mean, who is really certain of anything?; and who can you
really trust these days, anyhow?".

The latter reduces everything to an evaluation which a lot
of people have experience with. There are studies about how
poorly people may estimate actual risks, but they do make
such estimates. So some of the problem might be reducible
to the general one of improving estimates of risk. And for
crypto, that can be at least partly stuff like FAQ and rules
of thumb and reports of experiences, etc, the usual stories
people go by when there is not science. And there is math
of risk, though not at a level where most likely newbies can
do the math. And risk is an idea that's involved anyhow in
the discussion of crypto techniques, as mentioned above re
bad signing.

From markr-gnupg at signal100.com Tue Dec 2 03:09:59 2008
From: markr-gnupg at signal100.com (Mark Rousell)
Date: Tue, 02 Dec 2008 02:09:59 +0000
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <4934142C.4070907@fantasymail.de>
References: <4934142C.4070907@fantasymail.de>
Message-ID: <493498F7.2040103@signal100.com>

Barry wrote:
> Hello,
>
> a new version GnuPT has been published.
>
> New in this version:
>
> WinPT was updated to version 1.3.1 . There were many small bug fixes.
> Also an update for GnuPT-Portable
> .
>
> Barry

Do you have the URL for the website?
--
MarkR

PGP public key: http://www.signal100.com/markr/publickey
Key ID: C9C5C162

From rjh at sixdemonbag.org Tue Dec 2 03:37:00 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Mon, 01 Dec 2008 21:37:00 -0500
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <493498F7.2040103@signal100.com>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com>
Message-ID: <49349F4C.2010901@sixdemonbag.org>

Mark Rousell wrote:
> Do you have the URL for the website?

In the future, please try Google first. You'll get answers much more
quickly that way.

http://www.gnupt.de/wp/index.php?lang=en

From markr-gnupg at signal100.com Tue Dec 2 11:44:59 2008
From: markr-gnupg at signal100.com (Mark Rousell)
Date: Tue, 02 Dec 2008 10:44:59 +0000
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49349F4C.2010901@sixdemonbag.org>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com> <49349F4C.2010901@sixdemonbag.org>
Message-ID: <493511AB.1090306@signal100.com>

Most kind of you Robert, however I posted my message to prompt Barry to
perhaps provide the URL which he apparently missed out of his
announcement.

--
MarkR

PGP public key: http://www.signal100.com/markr/publickey
Key ID: C9C5C162

From jmoore3rd at bellsouth.net Tue Dec 2 14:17:26 2008
From: jmoore3rd at bellsouth.net (John W.
Moore III)
Date: Tue, 02 Dec 2008 08:17:26 -0500
Subject: Teaching crypto to newbies
In-Reply-To:
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <49336AB9.9020503@sixdemonbag.org> <0C0FC30B-94BB-4AFB-9EBD-CD3FFC7EC052@jabberwocky.com> <49337D7D.3050302@sixdemonbag.org>
Message-ID: <49353566.4050803@bellsouth.net>

reynt0 wrote:

> Risk is objective; security is subjective.
> ...
> Looking for risk is being awake; feeling secure is being
> asleep.

Well said. One also wonders if You also sell Insurance. :)

> A newbie who is aware they don't know much, may well *feel*
> the reason they need crypto is because not much is trustable,
> and they *feel* a healthy anxiety. And though it may well
> happen to be that what is called "Web of Trust" is among
> useful tools for dealing with the problems, one is not
> teaching newbies psychological skills of telling how they
> can trust or not, one is (should be) teaching how to *think*
> weighing "risks" and showing how crypto is a tool to reduce risk.
> So newbies may be due some slack when they don't do well with
> learning "trust" as logic, because it isn't logic.

Sadly, teaching 'how to think' is the most difficult task imaginable.
Everyone has a 'WoT' but they don't realize it most of the time. All a
'Web of Trust' means is Who do You rely upon to consistently behave/act
in any given situation.

Most folks utilize their 'brain housing group' to perform 'Trust
Calculations' each & every time they interact with another Human Being.
They just don't realize that this is what they are doing.

"Weighing Risks" is done with every transaction with another individual.

I feel that every encounter with another person is a 'trust calculation'
and is based upon the logic of past experience applied to '1st
impression' re-calculated with increased observation of behavior.
This is
why the majority of people will kill to defend "Mom" because She is
assigned Ultimate Trust through lifetime experience.

Therefore, I disagree with Your assertion that trust isn't based upon
'logic' since all logic is the application of experience in the present
moment.

JOHN ;)
Timestamp: Tuesday 02 Dec 2008, 08:17 --500 (Eastern Standard Time)

From Matthew561 at aol.com Tue Dec 2 15:48:34 2008
From: Matthew561 at aol.com (Matthew561 at aol.com)
Date: Tue, 2 Dec 2008 09:48:34 EST
Subject: New GnuPT-Version and new WinPT-Website
Message-ID:

In a message dated 12/1/2008 8:41:27 P.M. Central Standard Time,
rjh at sixdemonbag.org writes:

Mark Rousell wrote:
> Do you have the URL for the website?

In the future, please try Google first. You'll get answers much more
quickly that way.

http://www.gnupt.de/wp/index.php?lang=en

Let us know if you update. I tried using the zip file and overwriting
the old Winpt files like I have done for years with updates and Winpt
1.3.1 would NOT work for me. DOA, nada - totally nothing, no error
messages, no crash - just a void..

I then used their installer which did work but would not install to the
directories as I wanted it to and so I would have had to change my path
statement if I wanted other programs to work or use the command line.
Finally I just restored and went back to 1.3.0 - this all became too
much hassle.

Matthew

From faramir.cl at gmail.com Tue Dec 2 16:38:10 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 02 Dec 2008 12:38:10 -0300
Subject: Rare condition incompatibility of public key
In-Reply-To: <20081201220146.GA34626@jabberwocky.com>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <20081201210524.6098c628@sdf.lonestar.org> <20081201220146.GA34626@jabberwocky.com>
Message-ID: <49355662.6070500@gmail.com>

David Shaw wrote:
> On Mon, Dec 01, 2008 at 09:05:24PM +0100, Myckel Habets wrote:

>> The screenshot he showed (the one where my key validated bad) showed
>> still the old expiration date. Is this somewhere stored in the key
>> itself? (it kept showing up even after he removed my public key and
...
> It is stored on the key (in one of the self-signatures of the key, to
> be precise). The problem is that pgp 6.5.8 doesn't handle expiration
> properly, so it is not understanding that your key (having two
> expiration dates, the original one and the new one) was un-expired.

  Maybe "cleaning" the public key before sending it would help... or am
I wrong? IIRC, the clean command would remove the old signature, since
it has been superseded by the new one...

  Best Regards

From jmoore3rd at bellsouth.net Tue Dec 2 19:15:34 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Tue, 02 Dec 2008 13:15:34 -0500
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49353FDC.1080609@sixdemonbag.org>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com> <49349F4C.2010901@sixdemonbag.org> <49351092.2040603@signal100.com> <49353FDC.1080609@sixdemonbag.org>
Message-ID: <49357B46.4090501@bellsouth.net>

Robert J. Hansen wrote:
> Mark Rousell wrote:
>> I rather think it's up to someone posting an announcement about "new
>> WinPT-Website" to provide the URL, don't you?

> Which dodges both the question and responsibility.

> He's already doing you a favor

Gotta agree with Robert. If My 81 y/o Mother can point out to Me
that She could easily 'change Her mind' and poison Me with a meal then I
gotta admit; clicking on a Link from a 'Trusted' [there's that nasty
word again] List is dangerous.

Having been Alerted that an Application is available then it is up to
You [the Interested Party] to obtain more information.

Would You like Me to 'provide a Link' that directs You to a Site that
appeases Your laziness and at the same time uses Your
preferred Browser to install a Trojan, Key Logger, etc.?

JOHN ;)
Timestamp: Tuesday 02 Dec 2008, 13:14 --500 (Eastern Standard Time)

From dshaw at jabberwocky.com Tue Dec 2 19:32:31 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 2 Dec 2008 13:32:31 -0500
Subject: Rare condition incompatibility of public key
In-Reply-To: <49355662.6070500@gmail.com>
References: <20081130201908.7e69a4cc@sdf.lonestar.org> <20081201210524.6098c628@sdf.lonestar.org> <20081201220146.GA34626@jabberwocky.com> <49355662.6070500@gmail.com>
Message-ID: <20081202183231.GA37690@jabberwocky.com>

On Tue, Dec 02, 2008 at 12:38:10PM -0300, Faramir wrote:
> David Shaw wrote:
> > On Mon, Dec 01, 2008 at 09:05:24PM +0100, Myckel Habets wrote:
>
> >> The screenshot he showed (the one where my key validated bad) showed
> >> still the old expiration date. Is this somewhere stored in the key
> >> itself? (it kept showing up even after he removed my public key and
> ...
> > It is stored on the key (in one of the self-signatures of the key, to
> > be precise). The problem is that pgp 6.5.8 doesn't handle expiration
> > properly, so it is not understanding that your key (having two
> > expiration dates, the original one and the new one) was un-expired.
>
>   Maybe "cleaning" the public key before sending it would help... or am
> I wrong?
> IIRC, the clean command would remove the old signature, since
> it has been superseded by the new one...

It probably would help, yes, since that removes the older selfsig that
contains the expiration. It doesn't really solve the problem though -
as soon as the 6.5.8 person updates keys, the problem selfsig will
come back again. They could keep a copy of GPG around to clean keys
for 6.5.8, but then it does raise the question why they don't just use
the GPG that is sitting there...

This is a perfect example of why 6.5.8 is bad: it more or less can be
made to work, but requires special steps to be taken which raises the
difficulty level of using PGP. It removes the "it just works" and
replaces it with "it sort of works, but you have to ask lots of
questions on mailing lists and hit Google regularly". That turns
people off from using PGP.

One of the great things that I think that the PGP company did in their
new system is spend a lot of effort to make it "just work". I like
the idea behind GPGrelay (http://sites.inka.de/tesla/gpgrelay.html)
for the same reason. I don't use it - it's not targeted at me - but
the idea is a nice one.

David

From barry at fantasymail.de Tue Dec 2 19:53:39 2008
From: barry at fantasymail.de (Barry)
Date: Tue, 02 Dec 2008 19:53:39 +0100
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To:
References:
Message-ID: <49358433.6000202@fantasymail.de>

Matthew561 at aol.com wrote on 02.12.2008 15:48:

> I then used their installer which did work

GnuPT the installer works, but the WinPT-Zipfile not? But this is very
strange (on your system)

The paths accordingly, would be the smallest problem...

Sorry for not posting the link. A little Mistake, but... Google is
everybody's friend, I see.

Barry

From avi.wiki at gmail.com Tue Dec 2 20:51:43 2008
From: avi.wiki at gmail.com (Avi)
Date: Tue, 2 Dec 2008 14:51:43 -0500
Subject: Rare condition incompatibility of public key
Message-ID: <27ee9bfb0812021151i7f563d4mba5e7abebcfa677a@mail.gmail.com>

2008/12/2
>
> ---------- Forwarded message ----------
> From: Faramir
> To: "gnupg-users at gnupg.org"
> Date: Tue, 02 Dec 2008 12:38:10 -0300
> Subject: Re: Rare condition incompatibility of public key
>
> David Shaw wrote:
> > On Mon, Dec 01, 2008 at 09:05:24PM +0100, Myckel Habets wrote:
>
> >> The screenshot he showed (the one where my key validated bad) showed
> >> still the old expiration date. Is this somewhere stored in the key
> >> itself? (it kept showing up even after he removed my public key and
> ...
> > It is stored on the key (in one of the self-signatures of the key, to
> > be precise). The problem is that pgp 6.5.8 doesn't handle expiration
> > properly, so it is not understanding that your key (having two
> > expiration dates, the original one and the new one) was un-expired.
>
>   Maybe "cleaning" the public key before sending it would help... or am
> I wrong? IIRC, the clean command would remove the old signature, since
> it has been superseded by the new one...
>
>   Best Regards
>

It may remove it from the copy sent, but it won't remove it from
copy stored on keyservers. Goodness knows I've tried to clean my
key a bunch of times, but evidence of my uber-n00bness vis-a-vis
the PGP Global Directory remains to haunt me in perpetuity :D

--Avi

--
en:User:Avraham
----
pub 1024D/785EA229 3/6/2007 Avi (Wikipedia-related)
Primary key fingerprint: D233 20E7 0697 C3BC 4445 7D45 CBA0 3F46 785E A229

From faramir.cl at gmail.com Tue Dec 2 22:02:35 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 02 Dec 2008 18:02:35 -0300
Subject: Rare condition incompatibility of public key
In-Reply-To: <27ee9bfb0812021151i7f563d4mba5e7abebcfa677a@mail.gmail.com>
References: <27ee9bfb0812021151i7f563d4mba5e7abebcfa677a@mail.gmail.com>
Message-ID: <4935A26B.9090109@gmail.com>

Avi wrote:

> It may remove it from the copy sent, but it won't remove it from
> copy stored on keyservers.
> Goodness knows I've tried to clean my
> key a bunch of times, but evidence of my uber-n00bness vis-a-vis
> the PGP Global Directory remains to haunt me in perpetuity :D

  Well, right, there is no way to remove a key from keyservers.
However, you can upload your cleaned key to a website, to allow your
friend to download it each time he needs it... But it would be better
if he upgrades his software :-P

  Best Regards

From dshaw at jabberwocky.com Tue Dec 2 22:28:54 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Tue, 2 Dec 2008 16:28:54 -0500
Subject: Keyserver mangling (was: Rare condition incompatibility of public key)
In-Reply-To: <27ee9bfb0812021151i7f563d4mba5e7abebcfa677a@mail.gmail.com>
References: <27ee9bfb0812021151i7f563d4mba5e7abebcfa677a@mail.gmail.com>
Message-ID: <20081202212853.GC38198@jabberwocky.com>

On Tue, Dec 02, 2008 at 02:51:43PM -0500, Avi wrote:

> It may remove it from the copy sent, but it won't remove it from
> copy stored on keyservers. Goodness knows I've tried to clean my
> key a bunch of times, but evidence of my uber-n00bness vis-a-vis
> the PGP Global Directory remains to haunt me in perpetuity :D

Yes, this is a headache in the common keyserver design. It is just
an aesthetic problem, really, but when you have old code like 6.5.8
that doesn't handle keys properly, then the aesthetic problem becomes
an operational problem.

The funny thing about the Global Directory is that it solves the
problem on the one hand (as it only puts into the keyserver what you
send it, and thus you can delete any old signatures you like), but
makes the problem worse on the other (as it adds its own signatures
periodically).

A nice way to handle this is to use the "preferred keyserver"
functionality in GnuPG to tag your key with the place you like to
store it. This doesn't deal with the initial problem of locating a
key, but once located, it will make sure that your key is refreshed
from a place that you choose.

David

From wanquan at gmail.com Wed Dec 3 02:19:45 2008
From: wanquan at gmail.com (Toh Wan Quan)
Date: Wed, 3 Dec 2008 09:19:45 +0800
Subject: Storing of PGP keys in OpenLDAP
Message-ID:

Hi,

I have the following observation while using "gpg --send-keys" to
insert PGP keys to OpenLDAP.

I have noticed that "gpg --send-keys" insert the key's detail in
alphabetical order to "ou=PGP Keys,dc=example,dc=com" (ie.
Distinguished Name: pgpCertID=5B41FBAB4BC73374,ou=PGP Keys,dc=example,dc=com)

I was wondering if it is possible to insert as Distinguished Name:
pgpUserID=william,ou=PGP Keys,dc=example,dc=com instead as it would
facilitate easy maintenance of keys later on as it grows.

I have been google-ling for the past couple of days but to no avail.
Any tips for me is appreciated. Thanks.

Regards,
Wan Quan

From markr-gnupg at signal100.com Wed Dec 3 05:35:42 2008
From: markr-gnupg at signal100.com (Mark Rousell)
Date: Wed, 03 Dec 2008 04:35:42 +0000
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49357B46.4090501@bellsouth.net>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com> <49349F4C.2010901@sixdemonbag.org> <49351092.2040603@signal100.com> <49353FDC.1080609@sixdemonbag.org> <49357B46.4090501@bellsouth.net>
Message-ID: <49360C9E.6030909@signal100.com>

John W. Moore III wrote:
> Robert J.
> Hansen wrote:
>> Mark Rousell wrote:
>>> I rather think it's up to someone posting an announcement about "new
>>> WinPT-Website" to provide the URL, don't you?
>
>> Which dodges both the question and responsibility.
>
>> He's already doing you a favor

The text of mine that you are quoting above was sent to Robert
privately, not to the list. If Robert replied to the list as well as to
me personally then I only saw his direct reply and I didn't see it via
the list.

Anyway, the following point you make (which is essentially the same as
the core point that Robert was making)...

> Gotta agree with Robert. If My 81 y/o Mother can point out to Me
> [snip]
> preferred Browser to install a Trojan, Key Logger, etc.?

...is a good one. As I said to Robert in private mail, the issue of
trust and of taking personal responsibility for the verification of
information is obviously important. But the point I was making to
Robert, which is that in general in my view it's quite a good idea for
an announcement to include such basic information as how to find the
thing that the announcement is promoting, is orthogonal to (i.e. does
not conflict with) your and Robert's point. Read on for why.

The thing to remember in this context is that taking personal
responsibility for verifying information received is a valid and
relevant principle regardless of how much or how little information you
have available to you to begin with. In this specific case it would
still have been an important and relevant principle even if the original
announcement had included a URL (as, you must surely admit, is normal
and common practice for promotional announcements in this type of
environment).

Thus there is no logical basis (in terms of personal responsibility
for information verification) to intentionally avoid including a URL.

In other words, including a URL would have done no harm (since the issue
of personal information verification would be the same as if no link was
included) and furthermore it would tend to align with the common and
every-day idea of making promotional announcements, i.e. to tell people
what they need to know to find the thing you're promoting!

You also quote Robert's comment about an announcement being a favour to
the audience. As I said in my reply to Robert, it may well be the case
that making such an announcement is doing the audience a favour but it's
not the only way to look at it: The audience may well be doing the
announcer (or the entity that is being promoted) a favour by reading the
website or by trying the software that the announcement is promoting.
This being so you might think that it could benefit the announcer to
make it as easy as possible for the audience to accurately and quickly
find what is being promoted without having to go through any extra steps
to get there. Whether or not the audience /choose/ to go through those
extra steps to personally verify the information provided to them in the
announcement is, of course, entirely up to them.

Anyway, I've said enough on this issue. I don't wish to further pollute
the list with this off-topic discussion. If you don't agree with my view
on this then we'll just have to agree to differ. :-) The only reason I
posted my initial comment to the list in this thread was simply because
I thought Barry had accidentally overlooked including a URL in his
announcement.

--
MarkR

PGP public key: http://www.signal100.com/markr/publickey
Key ID: C9C5C162

From rjh at sixdemonbag.org Wed Dec 3 05:45:27 2008
From: rjh at sixdemonbag.org (Robert J.
Hansen)
Date: Tue, 02 Dec 2008 23:45:27 -0500
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49360C9E.6030909@signal100.com>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com> <49349F4C.2010901@sixdemonbag.org> <49351092.2040603@signal100.com> <49353FDC.1080609@sixdemonbag.org> <49357B46.4090501@bellsouth.net> <49360C9E.6030909@signal100.com>
Message-ID: <49360EE7.50003@sixdemonbag.org>

Mark Rousell wrote:
> Thus there is no logical basis (in terms of personal responsibility
> for information verification) to intentionally avoid including a URL.

Absurd. You're assuming the very thing you're trying to prove. You're
starting by saying "there's no reason for him not to have done it,
therefore he should have."

We're saying "he's already doing you a favor, so take some
responsibility and just Google it already."

> In other words, including a URL would have done no harm

People are under no obligation to do you favors just because you think
it's easy and painless for them to do so.

There are dozens of reasons why he may have made that email as terse as
he did. I've been known to respond to email on my iPod Touch when the
need is great and it's the only email communication device I have --
trust me, I keep my emails very short when on that cramped touchscreen
keyboard.

Just because you think it's a no-cost proposition for the original
poster to have included more information doesn't mean it actually was.

From dshaw at jabberwocky.com Wed Dec 3 06:10:20 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 3 Dec 2008 00:10:20 -0500
Subject: Storing of PGP keys in OpenLDAP
In-Reply-To:
References:
Message-ID: <99E95036-22B1-4A61-B55B-C632571D1FDC@jabberwocky.com>

On Dec 2, 2008, at 8:19 PM, Toh Wan Quan wrote:

> Hi,
>
> I have the following observation while using "gpg --send-keys" to
> insert PGP keys to OpenLDAP.
>
> I have noticed that "gpg --send-keys" insert the key's detail in
> alphabetical order to "ou=PGP Keys,dc=example,dc=com" (ie.
> Distinguished Name: pgpCertID=5B41FBAB4BC73374,ou=PGP
> Keys,dc=example,dc=com)
>
> I was wondering if it is possible to insert as Distinguished Name:
> pgpUserID=william,ou=PGP Keys,dc=example,dc=com instead as it would
> facilitate easy maintenance of keys later on as it grows.

Unfortunately, it's not really possible. The Distinguished Name needs
to be unique in LDAP, and a pgpUserID is not guaranteed to be unique
(say, a single person who happens to have two keys). There can also
be a single key with multiple pgpUserIDs on it, so it is not clear
which user ID should be in the DN. Currently, we use the pgpCertID
(the 64-bit "long" key ID) to help ensure that the Distinguished Name
is unique. You'll have a 64-bit collision eventually if you keep
trying, but this is at least as good as OpenPGP itself (which also
relies on the 64-bit key ID being very close to unique).

Incidentally, for those people who store keys in LDAP servers - Jon
Callas told me recently that the Hushmail system now follows the
"ldap://keys.example.com" method for finding keys via LDAP. This means
that if you make your LDAP server visible to the net at large, PGP,
GPG, and now Hushmail can automatically find keys for people in your
domain.

The feature is on by default in PGP Universal and Hushmail. For GPG,
stick a "auto-key-locate ldap" in your gpg.conf to turn it on. If you
are encrypting to (for example) person at example.com, and GPG does
not have a key for that user, it will try to retrieve it from
ldap://keys.example.com.

David

From reynt0 at cs.albany.edu Wed Dec 3 07:44:15 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Wed, 3 Dec 2008 01:44:15 -0500 (EST)
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49358433.6000202@fantasymail.de>
References: <49358433.6000202@fantasymail.de>
Message-ID:

On Tue, 2 Dec 2008, Barry wrote:
 . . .
> Sorry for not posting the link. A little Mistake, but... Google is
> everybody's friend, I see.

Well, maybe not people who worry about Google's mega-info-vacuum
adding more information to Google's profile of them. Or (in
maximum paranoid mode), googling for the WinPT url gives someone
a clue how to prepare to try to attack you.

From reynt0 at cs.albany.edu Wed Dec 3 07:52:31 2008
From: reynt0 at cs.albany.edu (reynt0)
Date: Wed, 3 Dec 2008 01:52:31 -0500 (EST)
Subject: New GnuPT-Version and new WinPT-Website
In-Reply-To: <49360C9E.6030909@signal100.com>
References: <4934142C.4070907@fantasymail.de> <493498F7.2040103@signal100.com> <49349F4C.2010901@sixdemonbag.org> <49351092.2040603@signal100.com> <49353FDC.1080609@sixdemonbag.org> <49357B46.4090501@bellsouth.net> <49360C9E.6030909@signal100.com>
Message-ID:

On Wed, 3 Dec 2008, Mark Rousell wrote:
 . . .
> The thing to remember in this context is that taking personal
> responsibility for verifying information received is a valid and
> relevant principle regardless of how much or how little information you
> have available to you to begin with. In this specific case it would
> still have been an important and relevant principle even if the original
> announcement had included a URL (as, you must surely admit, is normal
 . . .

Seeing a url in a post is always a nice convenience, and
having it available to compare to googling results can be
just one more little way to verify what's what as one takes
proper personal responsibility. (You have responsibility,
whether you take it or not, anyhow. :-) )

From shavital at mac.com Wed Dec 3 17:02:27 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 03 Dec 2008 11:02:27 -0500
Subject: GnuPG 2.0,9 - Error when trying to compile in Linux.
Message-ID: <1228320147.20117.6.camel@MacBookAL>

From ./configure:

configure: checking for libraries
checking for gpg-error-config... /usr/local/bin/gpg-error-config
checking for GPG Error - version >= 1.4...
yes (1.7) checking for libgcrypt-config... /usr/local/bin/libgcrypt-config checking for LIBGCRYPT - version >= 1.2.2... yes (1.4.3) checking LIBGCRYPT API version... okay checking for libassuan-config... /usr/local/bin/libassuan-config checking for LIBASSUAN - version >= 1.0.4... yes (1.0.5) checking LIBASSUAN API version... okay checking for libassuan-config... (cached) /usr/local/bin/libassuan-config checking for LIBASSUAN pth - version >= 1.0.4... yes (1.0.5) checking LIBASSUAN pth API version... okay checking for libassuan-config... (cached) /usr/local/bin/libassuan-config checking for LIBASSUAN - version >= 1.0.1... yes (1.0.5) checking LIBASSUAN API version... okay checking for ksba-config... /usr/local/bin/ksba-config checking for KSBA - version >= 1.0.2... yes (1.0.4) checking KSBA API version... okay checking for usb_bulk_write in -lusb... no checking for usb_create_match... no checking for library containing dlopen... -ldl checking for openpty in -lutil... yes checking for shred... /usr/bin/shred checking for pth-config... /usr/local/bin/pth-config checking for PTH - version >= 1.3.7... yes checking whether PTH installation is sane... yes ..... GnuPG v2.0.9 has been configured as follows: Platform: GNU/Linux (x86_64-unknown-linux-gnu) OpenPGP: yes S/MIME: yes Agent: yes Smartcard: yes (without internal CCID driver) Protect tool: (default) Default agent: (default) Default pinentry: (default) Default scdaemon: (default) Default dirmngr: (default) From: make ess.Tpo -c -o compress.o compress.c compress.c:34:18: error: zlib.h: No such file or directory compress.c:59: error: expected declaration specifiers or ?...? before ?z_stream? compress.c: In function ?init_compress?: compress.c:74: error: ?Z_DEFAULT_COMPRESSION? undeclared (first use in this function) compress.c:74: error: (Each undeclared identifier is reported only once compress.c:74: error: for each function it appears in.) compress.c:80: warning: implicit declaration of function ?deflateInit2? 
compress.c:80: error: ‘zs’ undeclared (first use in this function)
compress.c:80: error: ‘Z_DEFLATED’ undeclared (first use in this function)
compress.c:81: error: ‘Z_DEFAULT_STRATEGY’ undeclared (first use in this function)
compress.c:82: warning: implicit declaration of function ‘deflateInit’
compress.c:83: error: ‘Z_OK’ undeclared (first use in this function)
compress.c:85: error: ‘Z_MEM_ERROR’ undeclared (first use in this function)
compress.c:86: error: ‘Z_VERSION_ERROR’ undeclared (first use in this function)
compress.c: At top level:
compress.c:95: error: expected declaration specifiers or ‘...’ before ‘z_stream’
compress.c: In function ‘do_compress’:
compress.c:102: error: ‘zs’ undeclared (first use in this function)
compress.c:107: warning: implicit declaration of function ‘deflate’
compress.c:108: error: ‘Z_STREAM_END’ undeclared (first use in this function)
compress.c:108: error: ‘Z_FINISH’ undeclared (first use in this function)
compress.c:110: error: ‘Z_OK’ undeclared (first use in this function)
compress.c: At top level:
compress.c:132: error: expected declaration specifiers or ‘...’ before ‘z_stream’
compress.c: In function ‘init_uncompress’:
compress.c:146: warning: implicit declaration of function ‘inflateInit2’
compress.c:146: error: ‘zs’ undeclared (first use in this function)
compress.c:147: warning: implicit declaration of function ‘inflateInit’
compress.c:147: error: ‘Z_OK’ undeclared (first use in this function)
compress.c:149: error: ‘Z_MEM_ERROR’ undeclared (first use in this function)
compress.c:150: error: ‘Z_VERSION_ERROR’ undeclared (first use in this function)
compress.c: At top level:
compress.c:160: error: expected declaration specifiers or ‘...’ before ‘z_stream’
compress.c: In function ‘do_uncompress’:
compress.c:167: error: ‘zs’ undeclared (first use in this function)
compress.c:196: warning: implicit declaration of function ‘inflate’
compress.c:196: error: ‘Z_SYNC_FLUSH’ undeclared (first use in this function)
compress.c:200: error: ‘Z_STREAM_END’ undeclared (first use in this function)
compress.c:202: error: ‘Z_OK’ undeclared (first use in this function)
compress.c:202: error: ‘Z_BUF_ERROR’ undeclared (first use in this function)
compress.c: In function ‘compress_filter’:
compress.c:223: error: ‘z_stream’ undeclared (first use in this function)
compress.c:223: error: ‘zs’ undeclared (first use in this function)
compress.c:229: error: too many arguments to function ‘init_uncompress’
compress.c:236: warning: passing argument 3 of ‘do_uncompress’ from incompatible pointer type
compress.c:236: error: too many arguments to function ‘do_uncompress’
compress.c:254: error: too many arguments to function ‘init_compress’
compress.c:260: error: ‘Z_NO_FLUSH’ undeclared (first use in this function)
compress.c:260: error: too many arguments to function ‘do_compress’
compress.c:264: warning: implicit declaration of function ‘inflateEnd’
compress.c:272: error: ‘Z_FINISH’ undeclared (first use in this function)
compress.c:272: error: too many arguments to function ‘do_compress’
compress.c:273: warning: implicit declaration of function ‘deflateEnd’
make[2]: *** [compress.o] Error 1
=========
It seems that zlib has not been installed?

The distro came with gpg 2.0.7, shows:

shavital at MacBookAL:~$ gpg2 --version
gpg (GnuPG) 2.0.7
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
--------
Thanks in advance for your help.

Charly

Ubuntu 8.04 under virtual ware.
Macbook AL Unibody Late 2008 - OSX 10.5.5

From rjh at sixdemonbag.org Wed Dec 3 18:28:42 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 03 Dec 2008 12:28:42 -0500
Subject: GnuPG 2.0,9 - Error when trying to compile in Linux.
In-Reply-To: <1228320147.20117.6.camel@MacBookAL>
References: <1228320147.20117.6.camel@MacBookAL>
Message-ID: <4936C1CA.5020201@sixdemonbag.org>

Charly Avital wrote:
> Thanks in advance for your help.

The problem is fairly simple, but I can't give a complete fix since I don't have an Ubuntu 8.04 system handy.

The root of it is that you have the files zlib needs to run, but not the files you need to compile applications which use zlib. These are probably going to be found in something named zlib-dev, or something similar. (E.g., on my Ubuntu 8.10 system I think it's actually named zlib1g-dev.)

"sudo apt-get install zlib1g-dev" might be useful to you, assuming it's named the same on an 8.04 system.

From dshaw at jabberwocky.com Wed Dec 3 18:42:20 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Wed, 3 Dec 2008 12:42:20 -0500
Subject: GnuPG 2.0,9 - Error when trying to compile in Linux.
In-Reply-To: <1228320147.20117.6.camel@MacBookAL>
References: <1228320147.20117.6.camel@MacBookAL>
Message-ID: <20081203174220.GB41491@jabberwocky.com>

On Wed, Dec 03, 2008 at 11:02:27AM -0500, Charly Avital wrote:
> From: make
>
> ess.Tpo -c -o compress.o compress.c
> compress.c:34:18: error: zlib.h: No such file or directory

You're missing the development files for zlib. Most distros break libraries into two main pieces: the library itself, and the information needed to compile programs using that library. This lets people who aren't compiling stuff not install the second package.

> Ubuntu 8.04 under virtual ware.

I don't know offhand what Ubuntu calls it, but look for a package called something like "zlib-dev" or "zlib-devel".
David

From shavital at mac.com Wed Dec 3 19:15:45 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 03 Dec 2008 13:15:45 -0500
Subject: GnuPG 2.0,9 - Error when trying to compile in Linux.
In-Reply-To: <4936C1CA.5020201@sixdemonbag.org>
References: <1228320147.20117.6.camel@MacBookAL> <4936C1CA.5020201@sixdemonbag.org>
Message-ID: <4936CCD1.4010508@mac.com>

Robert J. Hansen wrote:
[...]
> "sudo apt-get install zlib1g-dev" might be useful to you, assuming it's
> named the same on an 8.04 system.

Thanks Robert, it worked impeccably.
--
~$ gpg2 --version
gpg (GnuPG) 2.0.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
Used libraries: gcrypt(1.4.3)
-----

I had already upgraded to 8.10 (Intrepid Ibex), but had to downgrade to 8.04, because till now, neither Parallels nor VMware have released builds that enable to install "Tools" (Parallel Tools, or VMware Tools) on 8.10. Those tools make life much easier when in OSX one wants to shuttle from host to guest and back.

Thanks again for your prompt answer.

Charly

From kevhilton at gmail.com Fri Dec 5 05:25:52 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Thu, 4 Dec 2008 22:25:52 -0600
Subject: GnuPG 2.0,9 - Error when trying to compile in Linux.
Message-ID: <96c450350812042025l5eaa4c1cg96445af6ad1d0892@mail.gmail.com>

I've composed a How-To for compiling GnuPG and GnuPG2. I used Ubuntu 8.10 as my testing platform. I have also verified the installation on cygwin, although the process with cygwin was slightly more complicated, having to download individual libraries rather than using a package management system.
Hopefully others may find these instructions useful:

http://ubuntuforums.org/showthread.php?t=649466

--
Kevin Hilton

From SeidlS at schneider.com Fri Dec 5 17:11:58 2008
From: SeidlS at schneider.com (Seidl, Scott)
Date: Fri, 5 Dec 2008 10:11:58 -0600
Subject: gpg 1.4.9 (Unix) textmode file size limit
Message-ID: <1F1743D578302F4E8E698B09863791F20F8F913D94@WSCMS022.Dom1.Schneider.Com>

I ran into an issue today when trying to encrypt a large file (18 MB) with the --textmode option. We received the following error message from GNUPG:

gpg: can't handle text lines longer than 19995 characters.

Can someone explain more about this error and if there are any other limits I need to know about?

I understand the cause of this error (18MB file without any CR/LFs), and that we really shouldn't use it. I just want to understand more about this limit in case I ever encounter a need to have large records and the --textmode option.

Thanks
Scott

From dshaw at jabberwocky.com Fri Dec 5 22:38:13 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Fri, 5 Dec 2008 16:38:13 -0500
Subject: gpg 1.4.9 (Unix) textmode file size limit
In-Reply-To: <1F1743D578302F4E8E698B09863791F20F8F913D94@WSCMS022.Dom1.Schneider.Com>
References: <1F1743D578302F4E8E698B09863791F20F8F913D94@WSCMS022.Dom1.Schneider.Com>
Message-ID: <20081205213813.GA48909@jabberwocky.com>

On Fri, Dec 05, 2008 at 10:11:58AM -0600, Seidl, Scott wrote:
> I ran into an issue today when trying to encrypt a large file (18
> MB) with the --textmode option. We received the following error
> message from GNUPG: gpg: can't handle text lines longer than 19995
> characters. Can someone explain more about this error and if there
> are any other limits I need to know about?
>
> I understand the cause of this error (18MB file without any CR/LFs),
> and that we really shouldn't use it. I just want to understand more
> about this limit in case I ever encounter a need to have large
> records and the --textmode option.

--textmode turns on the RFC-4880 text processing which canonicalizes line endings. When it is enabled, all local line endings are converted to CRLF pairs when encrypting, and similarly converted from CRLF to local when decrypting. Note that "local" is different depending on what your local platform is. Unix-ish machines tend to use LF as their line ending. Windows uses CRLF. Other platforms may use a bare CR, or a null or whatever they like.

So, let's say that you have a Unix-ish text file (so LF line endings). You encrypt it using --textmode, so the encrypted file contains CRLF. You then decrypt it using --textmode on a Unix box, so the line endings are transformed back to LF. If you had decrypted it on a Windows box, the line endings would be CRLF.

An obvious side effect of --textmode is that you may not get out exactly what the sender put in (as the line endings may have been changed).

Aside from the 19995 characters per line limit, there aren't any other limitations you need to know about. In general, unless you're moving text files, you don't need --textmode.

David

From akindejujt at yahoo.co.uk Sat Dec 6 23:39:58 2008
From: akindejujt at yahoo.co.uk (Taiwo Akindeju)
Date: Sat, 6 Dec 2008 22:39:58 +0000 (GMT)
Subject: Recursive Directory encryption for Windows - gpgwindir
In-Reply-To: <617209.82570.qm@web26005.mail.ukl.yahoo.com>
Message-ID: <341797.95038.qm@web26005.mail.ukl.yahoo.com>

Hi everyone,

'Happy to introduce the version 2.0.0 of gpgwindir. This latest version now does recursive encryption and decryption of windows directory. The option to delete or not to delete unencrypted source file still exists.
Get current version of gpgwindir and previous versions at: http://www21.brinkster.com/taiwoakindeju/gpgwindir.htm

Regards
Gabriel

--- On Sun, 9/11/08, Taiwo Akindeju wrote:

From: Taiwo Akindeju
Subject: Recursive Directory encryption for Windows - gpgwindir
To: gnupg-users at gnupg.org
Date: Sunday, 9 November, 2008, 3:03 AM

Hi,

I have been using the gpg for a while and have developed a recursive directory encryption for windows environment. You download this at http://www21.brinkster.com/taiwoakindeju/gpgwindir.htm

Regards to all
Akindeju

From lyngly at ymail.com Sun Dec 7 20:59:52 2008
From: lyngly at ymail.com (No Spam)
Date: Sun, 7 Dec 2008 11:59:52 -0800 (PST)
Subject: Automating, passwd command replies, "Need the secret key to do this."
Message-ID: <513083.13402.qm@web111105.mail.gq1.yahoo.com>

Hello, I saw the following thread unanswered and am having the same problem when I try to generate revoke keys, adduid and many other commands. I'm never prompted for my secret key, and these commands don't take them as arguments.

> I tried it again. The problem is the response to "passwd" doesn't
> appear to be a prompt. It's only a complaint, and the "passwd" command
> doesn't seem to take an argument.
>
> John W. Moore III wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Thomas Gagné wrote:
>>
>>
>>> Command> passwd
>>> Need the secret key to do this.
>>>
>>
>> the Command passwd is for changing the passphrase. Of course, it is
>> possible to change the passphrase to nothing but first the Secret Key
>> needs to be unlocked. Otherwise, anyone could change Your passphrase to
>> anything or nothing.
>>
>> The "Need Secret Key to do this" is the prompt to enter the passphrase
>> in order to unlock the Secret Key.
>>

From faramir.cl at gmail.com Mon Dec 8 00:04:47 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 07 Dec 2008 20:04:47 -0300
Subject: Automating, passwd command replies, "Need the secret key to do this."
In-Reply-To: <513083.13402.qm@web111105.mail.gq1.yahoo.com>
References: <513083.13402.qm@web111105.mail.gq1.yahoo.com>
Message-ID: <493C568F.9090007@gmail.com>

No Spam wrote:
> Hello, I saw the following thread unanswered and am having the same
> problem when I try to generate revoke keys, adduid and many other commands.
> I'm never prompted for my secret key, and these commands don't take them
> as arguments.
>
>> I tried it again. The problem is the response to "passwd" doesn't
>> appear to be a prompt. It's only a complaint, and the "passwd" command
>> doesn't seem to take an argument.

Could you please give more details about what you were doing (and how), and maybe the operating system you are using... I make my revocation certificates using a GUI, so maybe it would help you...

Best Regards

From hongxueyu at gmail.com Thu Dec 4 07:21:31 2008
From: hongxueyu at gmail.com (Xueyu Hong)
Date: Thu, 4 Dec 2008 14:21:31 +0800
Subject: error: mpi too large,help me please!
Message-ID:

hi,

I am trying to sign and then verify some executable file through gpg, bsign and digsig.
Firstly, I start the following commands in order:

1. gpg --gen-key
2. gpg --export >> my_pubkey.key
3. bsign -s ps_test; bsign -V ps_test
4. digsig.init start my_pubkey.key
5. ./ps_test

Here, the program ps_test is killed, and error information shows that "Signature verification failed because of: -1 for ps_test", also "mpi too large" is shown too.

I have no idea about this. Could you tell me what I can do? Thank you!

Yours, Sincerely,
Xueyu.hong
2008/12/04

From magnus at therning.org Thu Dec 4 11:42:11 2008
From: magnus at therning.org (Magnus Therning)
Date: Thu, 4 Dec 2008 10:42:11 +0000
Subject: Way to split MD and signing
Message-ID:

Is there any way of splitting the two actions of getting an MD and signing this MD?

I have an automated system that generates a lot of large files. I want to sign these files, but I want to keep the secret key on a more secure system and I want to avoid having to send the generated files over the network.

I've found the --print-md command, but there doesn't seem to be a --sign-md command :(

/M

PS I'm not subscribed to the list, so please CC any answer to my personal email.

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus?therning?org Jabber: magnus?therning?org
http://therning.org/magnus identi.ca|twitter: magthe

From RNufer at wakemed.org Fri Dec 5 15:17:17 2008
From: RNufer at wakemed.org (REX NUFER)
Date: Fri, 5 Dec 2008 09:17:17 -0500
Subject: sig help
Message-ID:

I'm trying to download and install GPG. I've downloaded the files I need. The readme's all say I should verify the file by running sha1sum.exe against the tar files I've downloaded. They say to use the value in the *.sig file to compare the output against. But I can't read the *.sig file. How do I view that file? Does it need to be converted in some way? Thanks in advance.
Rex Nufer

-------------------------------------------------------------------------------
WakeMed Confidentiality Notice: This message, including any attachments, is for the sole use of the individual or entity to whom it is addressed and may contain confidential and/or legally privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorized review, use, copying, disclosure, or distribution of this message and attachments is strictly prohibited.
-------------------------------------------------------------------------------

From wk at gnupg.org Mon Dec 8 12:48:18 2008
From: wk at gnupg.org (Werner Koch)
Date: Mon, 08 Dec 2008 12:48:18 +0100
Subject: Way to split MD and signing
In-Reply-To: (Magnus Therning's message of "Thu, 4 Dec 2008 10:42:11 +0000")
References:
Message-ID: <87skoysxa5.fsf@wheatstone.g10code.de>

On Thu, 4 Dec 2008 11:42, magnus at therning.org said:

> I have an automated system that generates a lot of large files. I
> want to sign these files, but I want to keep the secret key on a more

You are not the first to ask about it. IIRC, there is even a feature request in the tracker.

The problem is that with OpenPGP you don't just sign the plain message digest of the data but the message digest also includes some trailer data. Thus you can't just pass gpg a message digest but you need to pass it the internal context of the hash algorithm (chaining variable and length of already hashed data). This is in theory possible but there has not been enough demand to implement that.

The usual workaround is to create a file with the digest, send it to the other box and sign that file.
Another approach would be to extend gpg's channel to gpg-agent's to allow for a remote connection. Along with the envisioned gpg which uses gpg-agent to perform all operations involving the secret key, this would make up a nice solution.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From faramir.cl at gmail.com Mon Dec 8 19:32:52 2008
From: faramir.cl at gmail.com (Faramir)
Date: Mon, 08 Dec 2008 15:32:52 -0300
Subject: sig help
In-Reply-To:
References:
Message-ID: <493D6854.8070906@gmail.com>

REX NUFER wrote:
> I'm trying to download and install GPG. I've downloaded the files I
> need. The readme's all say I should verify the file by running
> sha1sum.exe against the tar files I've downloaded. They say to use the
> value in the *.sig file to compare the output against. But I can't read
> the *.sig file. How do I view that file? Does it need to be converted
> in some way? Thanks in advance.

Hello

Sha1sum.exe would calculate the sha1 hash value for the tar file. BUT the *.sig file is not a sha1 hash, it is a GnuPG signature for the tar file, so you would need GPG to check the tar file against the signature file...

The *.sig file is useful in case you are upgrading GPG, or if you have access to a computer with gpg already installed on it. If this is not the case, then you can't check the tar file by using the *.sig file, and you must look for the hash value to compare with the sha1sum.exe file...

Take a look at http://www.gnupg.org/download/integrity_check.en.html There are the instructions about checking the downloaded package, and also a list of files and sha1 values to compare.
Best Regards

From lyngly at ymail.com Tue Dec 9 05:16:09 2008
From: lyngly at ymail.com (No Spam)
Date: Mon, 8 Dec 2008 20:16:09 -0800 (PST)
Subject: Gnupg-users Digest, Vol 63, Issue 6
References:
Message-ID: <209215.38174.qm@web111107.mail.gq1.yahoo.com>

Thanks for the reply. I'm using OpenSuSE-11.0 and performing this from the command line.

$ gpg --edit-key myID

at the new command prompt, I try to perform actions such as:

$ Command> adduid
Need the secret key to do this.
$ Command> toggle
Need the secret key to do this.
$ Command> expire
Need the secret key to do this.
$ Command>

But I am never prompted for my passphrase.

From faramir.cl at gmail.com Tue Dec 9 06:54:50 2008
From: faramir.cl at gmail.com (Faramir)
Date: Tue, 09 Dec 2008 02:54:50 -0300
Subject: Gnupg-users Digest, Vol 63, Issue 6
In-Reply-To: <209215.38174.qm@web111107.mail.gq1.yahoo.com>
References: <209215.38174.qm@web111107.mail.gq1.yahoo.com>
Message-ID: <493E082A.9080200@gmail.com>

No Spam wrote:
> Thanks for the reply. I'm using OpenSuSE-11.0 and performing this from
> the command line.

I just know Windows environment, so probably I am unable to try to detect what is the error cause... but other people in this list surely know enough to help you

>
> $ gpg --edit-key myID

After entering that command, do you get a "private key is available" message (I get that message in Spanish, so maybe the words are not the same...). I get that message, and some details about my key. If you don't get that answer, maybe gpg is unable to locate your keyring...

>
> at the new command prompt, I try to perform actions such as:
>
> $ Command> adduid
> Need the secret key to do this.
....
> But I am never prompted for my passphrase.
Best Regards

From lyngly at ymail.com Tue Dec 9 07:03:18 2008
From: lyngly at ymail.com (No Spam)
Date: Mon, 8 Dec 2008 22:03:18 -0800 (PST)
Subject: Automating, passwd command replies, "Need the secret key to do this."
Message-ID: <825855.94171.qm@web111110.mail.gq1.yahoo.com>

Yes, I do get all the info about my key listed when I enter gpg --edit-key. There doesn't seem to be any issue locating it. Many other linux users have an idea. Thanks for your help though!

>>
>> $ gpg --edit-key myID
>
> After entering that command, do you get a "private key is available"
> message (I get that message in spanish, so maybe the words are not the
> same...). I get that message, and some details about my key. If you
> don't get that answer, maybe gpg is unable to locate your keyring...

From wk at gnupg.org Tue Dec 9 13:00:47 2008
From: wk at gnupg.org (Werner Koch)
Date: Tue, 09 Dec 2008 13:00:47 +0100
Subject: [Announce] First release candidate for GnuPG 2.0.10
Message-ID: <87skoxsgls.fsf@wheatstone.g10code.de>

Hi,

I just uploaded a release candidate for GnuPG 2.0.10:

ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.10rc1.tar.bz2
ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.10rc1.tar.bz2.sig

Note that the language files are not all updated; the known translators have been informed about this release candidate.
If everything works out fine, the release is planned for end of December.

Noteworthy changes in version 2.0.10 (unreleased)
-------------------------------------------------

 * [gpg] New keyserver helper gpg2keys_kdns as generic DNS CERT lookup. Run with --help for a short description. Requires the ADNS library.
 * [gpg] New mechanisms "local" and "nodefault" for --auto-key-locate. Fixed a few problems with this option.
 * [gpg] New command --locate-keys.
 * [gpg] New options --with-sig-list and --with-sig-check.
 * [gpg] The option "-sat" is no longer an alias for --clearsign.
 * [gpg] The option --fixed-list-mode is now implicitly used and obsolete.
 * [gpg] New control statement %ask-passphrase for the unattended key generation.
 * [gpgsm] Now uses AES by default.
 * [gpgsm] Made --output option work with --export-secret-key-p12.
 * [gpg-agent] Terminate process if the own listening socket is not anymore served by ourself.
 * [scdaemon] Made it more robust on W32.
 * [gpg-connect-agent] Accept commands given as command line arguments.
 * [w32] Initialized the socket subsystem for all keyserver helpers.
 * [w32] The sysconf directory has been moved from a subdirectory of the installation directory to %CSIDL_COMMON_APPDATA%/GNU/etc/gnupg.
 * [w32] The gnupg2.nls directory is not anymore used. The standard locale directory is now used.
 * [w32] Fixed a race condition between gpg and gpgsm in the use of temporary file names.
 * The gpg-preset-passphrase mechanism works again. An arbitrary string may now be used for a custom cache ID.
 * Admin PINs are cached again (bug in 2.0.9).
 * Support for version 2 OpenPGP cards.
 * Libgcrypt 1.4 is now required.

There is a small bug I noticed too late: The libgcrypt version is always printed by gpg2 unless --batch is used.

Happy hacking,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

From akindejujt at yahoo.co.uk Tue Dec 9 18:05:43 2008
From: akindejujt at yahoo.co.uk (Taiwo Akindeju)
Date: Tue, 9 Dec 2008 17:05:43 +0000 (GMT)
Subject: gpgwindir
In-Reply-To: <96c450350812080545q6f3540e5le3af63027c9f1d3d@mail.gmail.com>
Message-ID: <224840.66232.qm@web26006.mail.ukl.yahoo.com>

Hi,

The script you posted ("gpgwindir -r 483DC811 -e ~/src -p hilton") instructed gpgwindir to encrypt directory ~/src with key 483DC811 and at the same time to attempt a decrypt with a passphrase hilton. The program would be confused and not do anything.

There are 2 streams of functions

encryption: the syntax is
gpgwindir [-o "path"] -r "key" -e "path"
or
gpgwindir/d [-o "path"] -r "key" -e "path"   if you want to delete unencrypted source file.

Note [-o "path"] is optional. If not provided, gpgwindir will encrypt to the same directory as source.

decrypt: the syntax is
gpgwindir [-o "path"] -p "passphrase" -d "path"

Note [-o "path"] is optional. If not provided, gpgwindir will decrypt to the same directory as encrypted source.

General note:
Ensure that paths are quoted
Ensure keys and passphrases are quoted or properly escaped if they have the space character.

I will be happy to help you further if there are still any issues.

Regards

--- On Mon, 8/12/08, Kevin Hilton wrote:

From: user
Subject: gpgwindir
To: akindejujt at yahoo.co.uk
Date: Monday, 8 December, 2008, 1:45 PM

How does this program work? Here is what I tried:

gpgwindir -r 483DC811 -e ~/src -p hilton

Nothing happened ?? Where is the encrypted directory?

I also tried this:

gpgwindir -o ~/src-encrypt -r 483DC811 -e ~/src -p hilton

The syntax of the command is incorrect.
Invalid number of parameters
/home/Vibdog/src-encrypt was unexpected at this time.

Strange things going on here!

--
Kevin

From RNufer at wakemed.org Tue Dec 9 20:05:11 2008
From: RNufer at wakemed.org (REX NUFER)
Date: Tue, 9 Dec 2008 14:05:11 -0500
Subject: Installing gnupg 2.0.[89] on AIX 5.3
Message-ID:

I hope there is someone who can help me with the install problems I'm having. I'm trying to install on an AIX 5.3 box. Please CC me with any response. I'm wondering if using an old version of gcc may be part of my problem. Thank you for any help you can provide.

First I tried to install gnupg 2.0.9 and got the following errors from the 'make check':

Making check in m4
Target "check" is up to date.
Making check in gl
make check-am
Target "check-am" is up to date.
Making check in include
Target "check" is up to date.
Making check in jnlib
gcc -I/usr/local/include -g -O2 -Wall -Wpointer-arith -o t-stringhelp t-stringhelp.o t-support.o libjnlib.a
ld: 0711-317 ERROR: Undefined symbol: .iconv_open
ld: 0711-317 ERROR: Undefined symbol: .iconv_close
ld: 0711-317 ERROR: Undefined symbol: .iconv
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.

After making no headway with version 2.0.9, I backed up a version and tried to install 2.0.8. I got a lot further in the 'make' before it finally errored. The 'make' generated the following error:

Target "all-am" is up to date.
Making all in tests
Making all in openpgp
./gpg_dearmor > ./plain-2 < ./plain-2o.asc
./gpg_dearmor[2]: 286864 Segmentation fault(coredump)
make: 1254-004 The error code from the last command is 139. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 1. Stop.
make: 1254-004 The error code from the last command is 2. Stop.

-------------------------------------------------------------------------------
WakeMed Confidentiality Notice: This message, including any attachments, is for the sole use of the individual or entity to whom it is addressed and may contain confidential and/or legally privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorized review, use, copying, disclosure, or distribution of this message and attachments is strictly prohibited.
-------------------------------------------------------------------------------

From RNufer at wakemed.org Tue Dec 9 20:41:02 2008
From: RNufer at wakemed.org (REX NUFER)
Date: Tue, 9 Dec 2008 14:41:02 -0500
Subject: GNUPG - do I really need this?
Message-ID:

Nothing like killing a fly with a sledgehammer! I have a (seemingly) simple task. My employers tell me I need to encrypt a file before I ftp it off site. To perform this task I'm trying to install gnupg 2.0.9. Do I need to install this release to do what I need to do, or can I use a 1.4.* version to get this done? Or are there any suggestions of any other software packages I can use to accomplish this? Thanks.

From John at Mozilla-Enigmail.org Tue Dec 9 20:55:11 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Tue, 09 Dec 2008 13:55:11 -0600
Subject: GNUPG - do I really need this?
In-Reply-To:
References:
Message-ID: <493ECD1F.2000902@Mozilla-Enigmail.org>

REX NUFER wrote:
> Nothing like killing a fly with a sledgehammer! I have a (seemingly) simple
> task. My employers tell me I need to encrypt a file before I ftp it off site.
> To perform this task I'm trying to install gnupg 2.0.9. Do I need to install
> this release to do what I need to do, or can I use a 1.4.* version to get
> this done? Or are there any suggestions of any other software packages I can
> use to accomplish this? Thanks.

1.4.9 will work fine. Prebuilt windows binaries are available on the web site download page.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From RNufer at wakemed.org Tue Dec 9 21:00:42 2008
From: RNufer at wakemed.org (REX NUFER)
Date: Tue, 9 Dec 2008 15:00:42 -0500
Subject: GNUPG - do I really need this?
In-Reply-To: <493ECD1F.2000902@Mozilla-Enigmail.org>
References: <493ECD1F.2000902@Mozilla-Enigmail.org>
Message-ID:

I supposed I should have mentioned earlier, I'm installing in AIX 5.3. Thanks for your response.

-----Original Message-----
From: gnupg-users-bounces at gnupg.org [mailto:gnupg-users-bounces at gnupg.org] On Behalf Of John Clizbe
Sent: Tuesday, December 09, 2008 2:55 PM
To: GnuPG Users
Subject: Re: GNUPG - do I really need this?

REX NUFER wrote:
> Nothing like killing a fly with a sledgehammer! I have a (seemingly)
> simple task. My employers tell me I need to encrypt a file before I ftp it off site.
> To perform this task I'm trying to install gnupg 2.0.9. Do I need to
> install this release to do what I need to do, or can I use a 1.4.*
> version to get this done? Or are there any suggestions of any other
> software packages I can use to accomplish this? Thanks.

1.4.9 will work fine. Prebuilt windows binaries are available on the web site download page.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From ramon.loureiro at upf.edu Wed Dec 10 09:18:06 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Wed, 10 Dec 2008 09:18:06 +0100
Subject: GnuPG + PSI Portable
Message-ID: <493F7B3E.8050506@upf.edu>

Hi!

I've found a great solution for my GPG home&work installation:

* GnuPG Portable
* ThunderBird Portable
* (Firefox+FireGPG) Portable
* GPGShell (Portable)
* PSI Portable

The only tip I've not solved is how to make PSI-Portable to use my portable keyring (it checks the registry and uses the local machine installation, if available)

Any help is welcome

Best regards

--
Ramon Loureiro
GPG BE8E 5136 6A32 B5EF 0105 0DFB C559 2ACB 80C7 D647
GPG 19F0 4F06 F367 0976 1C3D 30CA 7FD1 3810 8C89 A6F6
Thawte Notary
GSWot ES:66 -Gossamer Web of Trust-http://www.gswot.org
CAcert Assurer

From kevhilton at gmail.com Wed Dec 10 13:29:04 2008
From: kevhilton at gmail.com (Kevin Hilton)
Date: Wed, 10 Dec 2008 06:29:04 -0600
Subject: GnuPG + PSI Portable
Message-ID: <96c450350812100429k252adb88rf72b55a07aa55bea@mail.gmail.com>

Did you alter your path statement and put your USB drive directories first in the path?

--
Kevin Hilton

From rjh at sixdemonbag.org Wed Dec 10 13:30:11 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 10 Dec 2008 07:30:11 -0500
Subject: GnuPG feature suggestion
In-Reply-To: <20865565.post@talk.nabble.com>
References: <20865565.post@talk.nabble.com>
Message-ID: <493FB653.5010001@sixdemonbag.org>

(Moved to gnupg-users, where it belongs)

gline wrote:
> I believe the addition of a secure file shredding application with
> GnuPG (particularly the windows version) would increase the
> application's robustness. What do you think?

Isn't going to happen. This proposal gets floated periodically: I'd suggest checking the archives of gnupg-users for more detailed reasons than "isn't going to happen."

From shavital at mac.com Wed Dec 10 17:19:09 2008
From: shavital at mac.com (Charly Avital)
Date: Wed, 10 Dec 2008 11:19:09 -0500
Subject: Release candidate for GnuPG 2.0.10: -
In-Reply-To: <87skoxsgls.fsf@wheatstone.g10code.de>
References: <87skoxsgls.fsf@wheatstone.g10code.de>
Message-ID: <493FEBFD.8030904@mac.com>

Werner Koch wrote:
> Hi,
>
> I just uploaded a release candidate for GnuPG 2.0.10:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.10rc1.tar.bz2
> ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-2.0.10rc1.tar.bz2.sig

[...]

Configured, compiled and installed for GNU/Linux x86_64-linux-gnu
Running correctly, including gpg-agent.

Thanks for your work.

Charly

From John at Mozilla-Enigmail.org Wed Dec 10 20:46:46 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Wed, 10 Dec 2008 13:46:46 -0600
Subject: GnuPG feature suggestion
In-Reply-To: <20865565.post@talk.nabble.com>
References: <20865565.post@talk.nabble.com>
Message-ID: <49401CA6.7020405@Mozilla-Enigmail.org>

gline wrote:
> I believe the addition of a secure file shredding application with GnuPG
> (particularly the windows version) would increase the application's
> robustness. What do you think?

Robustness? HOW? Please explain how bolting on non-related features increase robustness? It doesn't. It's just another thing to break.

The philosophy of design in the POSIX world is to Do One Thing Well. GnuPG's "One Thing" is to be an encryption tool. It's not to be a Security Suite Swiss Army Knife.

Bad Idea and not likely to happen.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From ramon.loureiro at upf.edu Thu Dec 11 19:24:24 2008
From: ramon.loureiro at upf.edu (Ramon Loureiro)
Date: Thu, 11 Dec 2008 19:24:24 +0100
Subject: Description of why an UID is revoked
Message-ID: <49415AD8.4010805@upf.edu>

Hi!

I recently have revoked one of my user IDs for some technical reasons...
When doing that, I have selected to input a description of why have I revoked it...

The question is: where is that information stored? How can I or anyone check it?

salut!

--
Ramon Loureiro
Universitat Pompeu Fabra
e-Confidential Project
http://www.itea-econfidential.org/

From dshaw at jabberwocky.com Thu Dec 11 20:19:00 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 11 Dec 2008 14:19:00 -0500
Subject: Description of why an UID is revoked
In-Reply-To: <49415AD8.4010805@upf.edu>
References: <49415AD8.4010805@upf.edu>
Message-ID: <20081211191900.GA703@jabberwocky.com>

On Thu, Dec 11, 2008 at 07:24:24PM +0100, Ramon Loureiro wrote:
> Hi!
>
> I recently have revoked one of my user IDs for some technical reasons...
> When doing that, I have selected to input a description of why have I
> revoked it...
>
> The question is: where is that information stored? How can I or anyone
> check it?

A user ID (generally) has a self-signature that "binds" it to the key and marks it as a real UID. A UID revocation is just another self-sig that tells anyone who cares that this user ID is no longer valid. The description line for why a UID was revoked is contained in this revocation self-sig. It is not usually visible - probably the easiest way to see it is via:

  gpg --export (thekey) | gpg --list-packets

David

From munish_ch at hotmail.com Fri Dec 12 11:56:50 2008
From: munish_ch at hotmail.com (Munish Chauhan)
Date: Fri, 12 Dec 2008 16:26:50 +0530
Subject: How to Append an Encrypted file with new data(file).
Message-ID:

Hello

After executing several applications, any file appearing in some X folder I am encrypting them and keeping them in some other folder Y. But Let's say I have File.Doc.gpg there in Y folder and I got new file with same name(File.Doc) at X folder. Now instead of creating another encrypted file in Y folder, I want my existing encrypted file (File.Doc.gpg) should be appended with the new data arrived in new File.Doc file.

M

From munish_ch at hotmail.com Fri Dec 12 12:16:24 2008
From: munish_ch at hotmail.com (Munish Chauhan)
Date: Fri, 12 Dec 2008 16:46:24 +0530
Subject: How to Append an Encrypted file with new data(file).
In-Reply-To:
References:
Message-ID:

Just addon information on this.. I am doing this with one Dos Batch file.

M

From roam at ringlet.net Fri Dec 12 14:53:28 2008
From: roam at ringlet.net (Peter Pentchev)
Date: Fri, 12 Dec 2008 15:53:28 +0200
Subject: How to Append an Encrypted file with new data(file).
In-Reply-To:
References:
Message-ID: <20081212135328.GA1061@straylight.m.ringlet.net>

On Fri, Dec 12, 2008 at 04:26:50PM +0530, Munish Chauhan wrote:
>
> Hello
> After executing several applications, any file appearing in some X
> folder I am encrypting them and keeping them in some other folder Y. But
> Let's say I have File.Doc.gpg there in Y folder and I got new file with
> same name(File.Doc) at X folder. Now instead of creating another
> encrypted file in Y folder, I want my existing encrypted file
> (File.Doc.gpg) should be appended with the new data arrived in new
> File.Doc file.

This was discussed on this list last month; the short answer is, "you can't do this". A slightly longer answer is "you might be able to do something like that by ASCII-armoring the separate files (encrypted) and then appending them to the .gpg file". This ought to be doable even with MS-DOS batch files, if they have grown the capability to test if a file exists; granted, I've not looked at the extensions to the MS-DOS batch file language since sometime around version 4.0 or so, and my memories are a bit stale.

For the full discussion, take a look at
http://lists.gnupg.org/pipermail/gnupg-users/2008-November/035022.html

G'luck,
Peter

--
Peter Pentchev	roam at ringlet.net roam at space.bg roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If you think this sentence is confusing, then change one pig.

From mycbx at lavabit.com Sun Dec 14 20:18:49 2008
From: mycbx at lavabit.com (Marc Young)
Date: Sun, 14 Dec 2008 17:18:49 -0200
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
Message-ID: <49455C19.9030602@lavabit.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAklFXBkACgkQNVj7kppeKVTtpgCgrhxEdZ8H6GtSfDn5Z4gqfkdP
OMYAoI/8BHthjaLRHn+k2/GJt5sMYwVA
=tRpx
-----END PGP SIGNATURE-----

From rjh at sixdemonbag.org Sun Dec 14 20:55:26 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 14 Dec 2008 14:55:26 -0500
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
In-Reply-To: <49455C19.9030602@lavabit.com>
References: <49455C19.9030602@lavabit.com>
Message-ID: <494564AE.7020601@sixdemonbag.org>

Marc Young wrote:
> How?

Easiest way is to add "no-comment" to your gpg.conf file.
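
Added example, not part of the original thread and not GnuPG or Enigmail code: a Python check that reads the armor header lines of a signed message (the `Version:` and `Comment:` lines this thread asks about), so the effect of a gpg.conf or Enigmail setting can be confirmed on real output. The function names and both sample messages are constructed for illustration, and the signature data in them is a placeholder.

```python
import re

# Armor boundary lines (RFC 4880, section 6.2). Inside a clearsigned body any
# line starting with "-" is dash-escaped ("- -----BEGIN ..."), so anchoring at
# column 0 keeps armor quoted in the message text from being parsed.
ARMOR_BEGIN = re.compile(r"^-----BEGIN PGP ([A-Z0-9 ,/]+)-----\s*$")
ARMOR_HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): (.*)$")
VERSION_VALUE = re.compile(
    r"^(?P<product>\S+)\s+v(?P<version>[^\s(]+)\s*"
    r"(?:\((?P<platform>[^)]*)\))?\s*$"
)
# Headers that describe the sender's software rather than the signature.
REVEALING = ("version", "comment")


def armor_headers(text):
    """Return [(block_type, [(key, value), ...]), ...] for every armor block."""
    blocks = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        begin = ARMOR_BEGIN.match(lines[i])
        i += 1
        if not begin:
            continue
        headers = []
        # Header lines run from the BEGIN line to the first blank line.
        while i < len(lines) and lines[i].strip():
            header = ARMOR_HEADER.match(lines[i])
            if not header:
                break  # malformed armor without the blank separator
            headers.append((header.group(1), header.group(2).rstrip()))
            i += 1
        blocks.append((begin.group(1), headers))
    return blocks


def metadata_findings(text):
    """List (block_type, header, value) for headers that identify software."""
    return [
        (block, key, value)
        for block, headers in armor_headers(text)
        for key, value in headers
        if key.lower() in REVEALING
    ]


def parse_version(value):
    """Split a 'GnuPG v1.4.9 (MingW32)' style value; None if it does not fit."""
    match = VERSION_VALUE.match(value)
    return match.groupdict() if match else None


# Constructed sample: headers as in the messages quoted in this thread.
SIGNED_WITH_HEADERS = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    "Quoting an armor block inside the signed text:",
    "- -----BEGIN PGP SIGNATURE-----",
    "Version: this line is message text, not a header",
    "",
    "-----BEGIN PGP SIGNATURE-----",
    "Version: GnuPG v1.4.9 (MingW32)",
    "Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org",
    "",
    "PLACEHOLDERSIGNATUREDATAPLACEHOLDERSIGNATUREDATA",
    "=XXXX",
    "-----END PGP SIGNATURE-----",
])

# Constructed sample: the same message once both headers are suppressed.
SIGNED_WITHOUT_HEADERS = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA1",
    "",
    "Same text, signed again.",
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "PLACEHOLDERSIGNATUREDATAPLACEHOLDERSIGNATUREDATA",
    "=XXXX",
    "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    for name, sample in (("with headers", SIGNED_WITH_HEADERS),
                         ("without headers", SIGNED_WITHOUT_HEADERS)):
        print(name)
        for block, key, value in metadata_findings(sample):
            detail = parse_version(value) if key.lower() == "version" else None
            print("  %s / %s: %s %s" % (block, key, value, detail or ""))
```
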

From shavital at mac.com Sun Dec 14 20:58:31 2008
From: shavital at mac.com (Charly Avital)
Date: Sun, 14 Dec 2008 14:58:31 -0500
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
In-Reply-To: <49455C19.9030602@lavabit.com>
References: <49455C19.9030602@lavabit.com>
Message-ID: <49456567.90909@mac.com>

Marc Young wrote the following on 12/14/08 2:18 PM:
> How?

Thus:

OpenPGP Security Info

Good signature from Marc Young (Marc Young)
Key ID: 0x9A5E2954 / Signed on: 12/14/08 2:18 PM
Key fingerprint: BFC7 7839 0799 EE09 7079 60EA 3558 FB92 9A5E 2954

-----

Take care,
Charly

From mycbx at lavabit.com Sun Dec 14 22:18:29 2008
From: mycbx at lavabit.com (Marc Young)
Date: Sun, 14 Dec 2008 19:18:29 -0200
Subject: Which is the path to gpg.conf in windows?
Message-ID: <49457825.207@lavabit.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In my directory C:\Documents and Settings\user\Application Data\gnupg have:

pubring.bak
random_seed
trustdb.gpg
pubring.gpg
secring.gpg

But no gpg.conf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAklFd/8ACgkQNVj7kppeKVQwaACbBaP8dltOU7xytuTxkCI/sPvG
v94AnRlZUAS1Cr6Q2VB+AlCjKhQ+Xvg5
=QkTe
-----END PGP SIGNATURE-----

From faramir.cl at gmail.com Sun Dec 14 22:46:47 2008
From: faramir.cl at gmail.com (Faramir)
Date: Sun, 14 Dec 2008 18:46:47 -0300
Subject: Which is the path to gpg.conf in windows?
In-Reply-To: <49457825.207@lavabit.com>
References: <49457825.207@lavabit.com>
Message-ID: <49457EC7.4060203@gmail.com>

Marc Young wrote:
> In my directory C:\Documents and Settings\user\Application Data\gnupg have:
>
> pubring.bak
> random_seed
> trustdb.gpg
> pubring.gpg
> secring.gpg
>
>
> But no gpg.conf

In my experience, gnupg doesn't create a gpg.conf file by default when it installs. But, IIRC, you must place your gpg.conf file in the folder you have showed us...

Best Regards

From John at Mozilla-Enigmail.org Sun Dec 14 22:52:29 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 14 Dec 2008 15:52:29 -0600
Subject: Which is the path to gpg.conf in windows?
In-Reply-To: <49457825.207@lavabit.com>
References: <49457825.207@lavabit.com>
Message-ID: <4945801D.5010906@Mozilla-Enigmail.org>

Marc Young wrote:
> In my directory C:\Documents and Settings\user\Application Data\gnupg have:
>
> pubring.bak random_seed trustdb.gpg pubring.gpg secring.gpg
>
> But no gpg.conf

Create it with the text editor of your choice.

Be warned, if you specify conflicting options between Enigmail and gpg.conf, Enigmail will win.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From John at Mozilla-Enigmail.org Sun Dec 14 23:02:51 2008
From: John at Mozilla-Enigmail.org (John Clizbe)
Date: Sun, 14 Dec 2008 16:02:51 -0600
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
In-Reply-To: <494564AE.7020601@sixdemonbag.org>
References: <49455C19.9030602@lavabit.com> <494564AE.7020601@sixdemonbag.org>
Message-ID: <4945828B.9070208@Mozilla-Enigmail.org>

Robert J. Hansen wrote:
> Marc Young wrote:
>> How?

Please don't do Subject line only messages. If nothing else, repeat your query in the body of the message. Many indexing and search functions do not treat the subject line as part of the message body when searching.

> Easiest way is to add "no-comment" to your gpg.conf file.

Better to clear the check box 'Add Enigmail comment in OpenPGP signature' on the Advanced tab of Enigmail's Advanced Preferences.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net or
     mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

From rjh at sixdemonbag.org Sun Dec 14 23:07:28 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Sun, 14 Dec 2008 17:07:28 -0500
Subject: Which is the path to gpg.conf in windows?
In-Reply-To: <49457EC7.4060203@gmail.com>
References: <49457825.207@lavabit.com> <49457EC7.4060203@gmail.com>
Message-ID: <494583A0.4080300@sixdemonbag.org>

Faramir wrote:
> In my experience, gnupg doesn't create a gpg.conf file by default when
> it installs. But, IIRC, you must place your gpg.conf file in the folder
> you have showed us...

I should also add for the OP that Enigmail has an option (in the Advanced tab of the Preferences window) to add its own comment to the signature. As John Clizbe said, in conflicts between gpg.conf and the Enigmail preferences, Enigmail wins. Leaving that option checked means you'll still get a comment block.
You must uncheck that comment block _and_ set "no-comment" in gpg.conf in order for all comments to be suppressed.

Further Enigmail questions should probably go to the Enigmail mailing list.

From jmoore3rd at bellsouth.net Sun Dec 14 23:08:50 2008
From: jmoore3rd at bellsouth.net (John W. Moore III)
Date: Sun, 14 Dec 2008 17:08:50 -0500
Subject: Which is the path to gpg.conf in windows?
In-Reply-To: <4945801D.5010906@Mozilla-Enigmail.org>
References: <49457825.207@lavabit.com> <4945801D.5010906@Mozilla-Enigmail.org>
Message-ID: <494583F2.6060908@bellsouth.net>

John Clizbe wrote:

> Be warned, if you specify conflicting options between Enigmail and gpg.conf,
> Enigmail will win.

'Win' indicates a contest or struggle. Enigmail simply passes the Commands set via 'Preferences' to GPG first so that they override any similar ones in gpg.conf.

I have sent a 'Sample' gpg.conf to Marc directly in hopes of jump starting Him.

JOHN ;)
Timestamp: Sunday 14 Dec 2008, 17:08 --500 (Eastern Standard Time)

From j-001 at ottosson.nu Wed Dec 17 15:51:42 2008
From: j-001 at ottosson.nu (J. Ottosson)
Date: Wed, 17 Dec 2008 15:51:42 +0100
Subject: GPA "Sign only locally" missing
Message-ID: <4949200E.14700.1562AF78@j-001.ottosson.nu>

Hi,

I just performed two identical installs of GPG4WIN 1.1.3 on two different Win OSes, one 2003 server standard and one XP Pro. After everything is set and some keys are imported etc in both GPG (1.4.7) I used GPA to try to sign a key in both. Then I noticed that the window coming up when pressing 'right click - Sign keys' is different. In one (XP) I get the option to "sign only locally" and in the other I don't get this option. The text is identical, the only difference being that the white checkbox and the text "Sign only locally" is completely absent. (I assume this option is identical to the 'non-exportable' signature in PGP.)

Since I performed the installs in parallel, used the exact same install exe and haven't made any adjustments to any config I really am wondering what causes these different behaviors. Am I missing something?

There was an earlier install of GPG 1.4.9 on the 2003 PC but it was uninstalled before the install of GPG4WIN started.

Any ideas?

TIA

/JO

From sattva at pgpru.com Wed Dec 17 19:22:03 2008
From: sattva at pgpru.com (Vlad "SATtva" Miller)
Date: Thu, 18 Dec 2008 00:22:03 +0600
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
In-Reply-To: <49455C19.9030602@lavabit.com>
References: <49455C19.9030602@lavabit.com>
Message-ID: <4949434B.5@pgpru.com>

Marc Young (15.12.2008 01:18):
> How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?

Open Enigmail preferences, make sure the "Display expert settings" is set in Basic tab, open Advanced tab, and add this to "Additional parameters for GnuPG" field:

--no-emit-version

Alternatively, you can put a line in your gpg.conf file:

no-emit-version

--
SATtva | security & privacy consulting
www.vladmiller.info | www.pgpru.com

From mycbx at lavabit.com Wed Dec 17 20:13:15 2008
From: mycbx at lavabit.com (Marc Young)
Date: Wed, 17 Dec 2008 17:13:15 -0200
Subject: How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
In-Reply-To: <4949434B.5@pgpru.com>
References: <49455C19.9030602@lavabit.com> <4949434B.5@pgpru.com>
Message-ID: <49494F4B.8090801@lavabit.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apparently it worked.
I like EnigMail.

Vlad "SATtva" Miller wrote:
> Marc Young (15.12.2008 01:18):
>> How to remove "Version: GnuPG v1.4.9 (MingW32)" using enigmail?
>
> Open Enigmail preferences, make sure the "Display expert settings" is
> set in Basic tab, open Advanced tab, and add this to "Additional
> parameters for GnuPG" field:
>
> --no-emit-version
>
> Alternatively, you can put a line in your gpg.conf file:
>
> no-emit-version
>

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAklJTygACgkQNVj7kppeKVTQdACfcF2Ob0Q3uhZhOopywy8gTc29
QrIAoKNArtwkRn2vs4w5tsSBTKIFkGbK
=VABe
-----END PGP SIGNATURE-----

From jmsachs at gmail.com Wed Dec 17 21:37:40 2008
From: jmsachs at gmail.com (arghman)
Date: Wed, 17 Dec 2008 12:37:40 -0800 (PST)
Subject: using gpg with private keys from openssl certificates?
Message-ID: <21057804.post@talk.nabble.com>

I'm experimenting w/ using the "freemail" certificates from thawte & was just wondering if there is a way I can use them with gpg (openpgp, NOT S/MIME). I can figure out how to use openssl to extract the rsa public key / private key from the exported PKCS12 file, but I'm not sure how (or if) there was a way to import that to gpg.

I'm also missing some big picture issues, e.g.:

* is this a bad idea?

* if I sign a message with that key pair, and someone challenges my identity, what's the best/easiest way for me to prove my identity? do I just send them the certificate or a portion extracted thereof?

* is there a tutorial on openpgp, S/MIME, openssl certificates as to what the different cryptographic assertion primitives are, from the standpoint of a user who treats the algorithms/tools as a black box? (I've been interested in RSA & public key encryption for 20+ years from a math standpoint, but as a software user I just want to do things correctly) e.g.: "a certificate is {a public key, identity information corresponding to that public key} signed by a well-known Certificate Authority (CA) to assert that the Certificate Authority asserts the public key belongs to the entity designated in the certificate", "to verify a certificate, you use {program X with these command-line options} to verify that CA's signature is valid"

This is as confusing as looking at plumbing pipes/fittings to me: I know what the individual pieces do, I just have trouble understanding their function in an overall cryptographic framework.

From rjh at sixdemonbag.org Wed Dec 17 23:03:46 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Dec 2008 17:03:46 -0500
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21057804.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com>
Message-ID: <49497742.6050200@sixdemonbag.org>

arghman wrote:
> * is this a bad idea?

It is a _hard_ idea. It is not necessarily a bad or stupid idea. Like most things, whether it's inspired lunacy or just insane depends a lot on your particular problem domain. :)

X.509 (the standard used by freemail certs) and OpenPGP use the same underlying algorithms, but the protocols are dramatically different. Making them interoperate is hard, and is usually not worth it.

> * if I sign a message with that key pair, and someone challenges my
> identity, what's the best/easiest way for me to prove my identity?

You can't.

Identity cannot be proven. Evidence can be presented, but someone can always say, "no, no, I don't accept that as a form of ID." Just because some people accept a given method doesn't make the method good, and just because some people refuse a given method doesn't make it bad.

As an example, I recently needed to get a driver's license for a new state. The unhelpful people at the Motor Vehicle Administration told me I needed two forms of government-issued photographic ID, a copy of my lease, and a utility bill in my name.

I asked what they were going to do with my lease and utility bill. "Just check to see the name matches." You don't call the utility company, or call my landlord, or do anything else to check? "No. The law doesn't allow us to. Your privacy is respected."

So -- I stopped myself just in time before I said "-- given that pretty much everyone has a desktop publishing setup nowadays and can forge these documents in an hour, why do you bother demanding them if you're not even going to check them?" But I decided that would probably get me some Quality Time with a state trooper, so I shut up.

> * is there a tutorial on openpgp, S/MIME, openssl certificates as to what
> the different cryptographic assertion primitives are, from the standpoint of
> a user who treats the algorithms/tools as a black box?

The best I've found is PGP Corporation's "Introduction to Cryptography."

From jmsachs at gmail.com Wed Dec 17 23:34:40 2008
From: jmsachs at gmail.com (arghman)
Date: Wed, 17 Dec 2008 14:34:40 -0800 (PST)
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <49497742.6050200@sixdemonbag.org>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org>
Message-ID: <21063072.post@talk.nabble.com>

>> * if I sign a message with that key pair, and someone challenges my
>> identity, what's the best/easiest way for me to prove my identity?
>
>You can't.
>
>Identity cannot be proven. Evidence can be presented, but someone can

s/prove/assert

(at least I think assert is the right word... I couldn't think of the right word when I wrote that)

I don't need them to interoperate, I would just like to use the same key pair. WoT is fine but it would be nice to have a way to assert that [X = the person in possession of private key K_pr = me + anyone I'm stupid enough to share my private key with] is both trustable via Wot, *or* by trusting a certificate authority. "trustable" probably not the right word but I'm a bit shaky on the protocol vocabulary.

--
View this message in context: http://www.nabble.com/using-gpg-with-private-keys-from-openssl-certificates--tp21057804p21063072.html
Sent from the GnuPG - User mailing list archive at Nabble.com.

From rjh at sixdemonbag.org Thu Dec 18 00:26:31 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Dec 2008 18:26:31 -0500
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21063072.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com>
Message-ID: <49498AA7.8020207@sixdemonbag.org>

arghman wrote:
> I don't need them to interoperate, I would just like to use the same key
> pair.

If they're using the same keypair, then they're interoperating. (For at least some definitions of 'interoperability.' Total interoperability is probably infeasible.)

What you want to do is very hard to do and, in general, not worth it.

From decouk at gmail.com Thu Dec 18 00:24:00 2008
From: decouk at gmail.com (Andre Amorim)
Date: Wed, 17 Dec 2008 23:24:00 +0000
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21063072.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com>
Message-ID:

>X.509 (the standard used by freemail certs) and OpenPGP use the same
>underlying algorithms, but the protocols are dramatically different.
>Making them interoperate is hard, and is usually not worth it.

Robert did you already check this:

FREEICP.ORG: FREE TRUSTED CERTIFICATES BY COMBINING THE X.509 HIERARCHY AND THE PGP WEB OF TRUST THROUGH A COLLABORATIVE TRUST SCORING SYSTEM
http://middleware.internet2.edu/pki03/presentations/02.pdf

[s]
Andre Amorim

2008/12/17 arghman :
>
>>> * if I sign a message with that key pair, and someone challenges my
>>> identity, what's the best/easiest way for me to prove my identity?
>>
>>You can't.
>>
>>Identity cannot be proven. Evidence can be presented, but someone can
>
> s/prove/assert
>
> (at least I think assert is the right word... I couldn't think of the right
> word when I wrote that)
>
> I don't need them to interoperate, I would just like to use the same key
> pair. WoT is fine but it would be nice to have a way to assert that [X = the
> person in possession of private key K_pr = me + anyone I'm stupid enough to
> share my private key with] is both trustable via Wot, *or* by trusting a
> certificate authority. "trustable" probably not the right word but I'm a bit
> shaky on the protocol vocabulary.
> --
> View this message in context: http://www.nabble.com/using-gpg-with-private-keys-from-openssl-certificates--tp21057804p21063072.html
> Sent from the GnuPG - User mailing list archive at Nabble.com.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

--
Andre Amorim
GnuPG KEY: 2048R/3E10FF47
Download: http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x7C3B77763E10FF47

From rjh at sixdemonbag.org Thu Dec 18 05:16:00 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Wed, 17 Dec 2008 23:16:00 -0500
Subject: using gpg with private keys from openssl certificates?
In-Reply-To:
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com>
Message-ID: <4949CE80.9040706@sixdemonbag.org>

Andre Amorim wrote:
>> X.509 (the standard used by freemail certs) and OpenPGP use the same
>> underlying algorithms, but the protocols are dramatically different.
>> Making them interoperate is hard, and is usually not worth it.
>
> Robert did you already check this:

The paper does not propose a way to allow X.509 and OpenPGP to interoperate. It's instead proposing something much different, which is unrelated to the original poster's request.

From decouk at gmail.com Thu Dec 18 05:35:22 2008
From: decouk at gmail.com (Andre Amorim)
Date: Thu, 18 Dec 2008 04:35:22 +0000
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <4949CE80.9040706@sixdemonbag.org>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com> <4949CE80.9040706@sixdemonbag.org>
Message-ID:

>It's instead proposing something much different, which is
> unrelated to the original poster's request

sorry bob, right, I misunderstood what he had said. It is whiskey fault. :-) I'll read it again tom.

kind regards,
A.A.

2008/12/18 Robert J. Hansen :
> Andre Amorim wrote:
>>> X.509 (the standard used by freemail certs) and OpenPGP use the same
>>> underlying algorithms, but the protocols are dramatically different.
>>> Making them interoperate is hard, and is usually not worth it.
>>
>> Robert did you already check this:
>
> The paper does not propose a way to allow X.509 and OpenPGP to
> interoperate. It's instead proposing something much different, which is
> unrelated to the original poster's request.
>
>

--
Andre Amorim
GnuPG KEY: 2048R/3E10FF47
Download: http://pgp.zdv.uni-mainz.de:11371/pks/lookup?op=get&search=0x7C3B77763E10FF47

From faramir.cl at gmail.com Thu Dec 18 05:43:10 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 18 Dec 2008 01:43:10 -0300
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21063072.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com>
Message-ID: <4949D4DE.7090105@gmail.com>

arghman wrote:
>>> * if I sign a message with that key pair, and someone challenges my
>>> identity, what's the best/easiest way for me to prove my identity?

> I don't need them to interoperate, I would just like to use the same key
> pair. WoT is fine but it would be nice to have a way to assert that [X = the
> person in possession of private key K_pr = me + anyone I'm stupid enough to
> share my private key with] is both trustable via Wot, *or* by trusting a
> certificate authority. "trustable" probably not the right word but I'm a bit
> shaky on the protocol vocabulary.

Well... I got a x.509 certificate from CAcert.org, with my name on it. But also, I got CAcert's pgp signature on my pgp key...

Also, if you have a Thawte certificate with your name on it, you can use it to sign a message containing your PGP public key, and some people would accept that as a proof the key belongs to you (unless somebody has stolen your email account, and your x.509 certificate).

Rather than using the same key pair with x.509 and PGP, I would suggest to use your x.509 certificate as a "proof" of your identity, and if people accept that as a valid proof, then they would sign your pgp key too. Take a look at www.gswot.org people there accepts CAcert and Thawte certificates as valid ways to prove your identity, and can sign your key to reflect that.

Of course, that would only help you if the one challenging your identity trusts GSWoT Introducers signatures...

Best Regards

From donrhummy at yahoo.com Thu Dec 18 07:14:19 2008
From: donrhummy at yahoo.com (don rhummy)
Date: Wed, 17 Dec 2008 22:14:19 -0800 (PST)
Subject: How encrypt data/text stream instead of a file?
Message-ID: <999818.64618.qm@web57803.mail.re3.yahoo.com>

All the examples of using GnuPG are of giving it a local filename to encrypt or decrypt. How do I pass it data, either as a stream or byte by byte?

From faramir.cl at gmail.com Thu Dec 18 10:06:29 2008
From: faramir.cl at gmail.com (Faramir)
Date: Thu, 18 Dec 2008 06:06:29 -0300
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <4949CE80.9040706@sixdemonbag.org>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com> <4949CE80.9040706@sixdemonbag.org>
Message-ID: <494A1295.70805@gmail.com>

Robert J. Hansen wrote:
> Andre Amorim wrote:
>>> X.509 (the standard used by freemail certs) and OpenPGP use the same
>>> underlying algorithms, but the protocols are dramatically different.
>>> Making them interoperate is hard, and is usually not worth it.
>> Robert did you already check this:
>
> The paper does not propose a way to allow X.509 and OpenPGP to
> interoperate. It's instead proposing something much different, which is
> unrelated to the original poster's request.

Right, but thinking about he said he wanted some explanations from an user point of view, I think we should advice him to don't try to make both standards to interoperate... at least, not at "code" level...

I was accepted in GSWoT about 2 days ago, so I am still unsure how does it operate to extend the WoT, but as far as I know, the aim of GSWoT is to make a link (or bridge) between x.509 certificates and PGP keys... Of course it may be -or may not be- a solution for his problem... if the challenger doesn't trust CAcert, or Thawte, or GSWoT...

From rjh at sixdemonbag.org Thu Dec 18 13:36:28 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 18 Dec 2008 07:36:28 -0500
Subject: How encrypt data/text stream instead of a file?
In-Reply-To: <999818.64618.qm@web57803.mail.re3.yahoo.com>
References: <999818.64618.qm@web57803.mail.re3.yahoo.com>
Message-ID: <494A43CC.8010006@sixdemonbag.org>

don rhummy wrote:
> How do I pass it data, either as a stream or byte by byte?

Painfully. While technically possible, it is almost certainly a better idea to use some other technology.

From jmsachs at gmail.com Thu Dec 18 15:44:40 2008
From: jmsachs at gmail.com (arghman)
Date: Thu, 18 Dec 2008 06:44:40 -0800 (PST)
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <4949D4DE.7090105@gmail.com>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com> <4949D4DE.7090105@gmail.com>
Message-ID: <21074117.post@talk.nabble.com>

Faramir-2 wrote:
>
> Rather than using the same key pair with x.509 and PGP, I would
> suggest to use your x.509 certificate as a "proof" of your identity, and
> if people accept that as a valid proof, then they would sign your pgp
> key too.
>

Interesting, I'll look into that...

>> The paper does not propose a way to allow X.509 and OpenPGP to
>> interoperate. It's instead proposing something much different, which is
>> unrelated to the original poster's request.
>
> Right, but thinking about he said he wanted some explanations from an
> user point of view, I think we should advice him to don't try to make
> both standards to interoperate... at least, not at "code" level...
>

hmm, let me try to restate more carefully, based on my understanding (corrections welcome if I get information/terminology wrong here)

I know that X.509 and OpenPGP are "incompatible" in the sense that VHS and Betamax are (were) incompatible. I'm not looking for something that works in one to work in the other.

Both, however, are based on underlying cryptographic primitives to make security/identity assertions. One of those primitives is (or can be) an RSA public/private key pair and the operations using that key pair.
This is used automatically by various software tools to do different things in each of the two systems. But both rely on the principles of public-key cryptography, including that a public/private key pair, when kept secret, can be used as a security/identity assertion, by encrypting messages with the private key, since the probability that someone besides the person possessing the private key could have encrypted the message can be made sufficiently small, and anyone can verify the encryption using the public key.

So (and here's where I'm less clear) if I wanted to link the assertions made by my X.509 certificates and my OpenPGP keys, there's no way to automatically do this. But if I were to use the same private/public key in both cases, I can assert to a third party that the entity in control of the certificate / keys is the same entity because they are based on the same underlying cryptographic primitive. In order to verify that assertion, that third party would either have to manually transfer the underlying public key from one system to the other, or allow a reputable software tool to perform that task automatically. Such a reputable software tool may not exist right now, and therefore this approach is not useful for third parties without the manual skills to transfer public keys from one system to the other.

If there is an alternative approach that makes the same kind of assertion (the entity named in a given X.509 certificate is the same entity in possession of the OpenPGP key pair), then that would suffice for me. This could conceivably involve putting some appropriate key/signature/whatever into the X.509 certificate, if I could figure out how to make the corresponding certificate signing request with the CA.

--
View this message in context: http://www.nabble.com/using-gpg-with-private-keys-from-openssl-certificates--tp21057804p21074117.html
Sent from the GnuPG - User mailing list archive at Nabble.com.
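
Added example, not part of any message in this archive: one way to do from C what the "How encrypt data/text stream instead of a file?" thread asks for, using pipe, fork, exec and dup2 to write a buffer to gpg's standard input and read the result from its standard output. The helper name `stream_through` and the recipient placeholder are assumptions of this example; it uses poll() so that inputs larger than a pipe buffer do not deadlock.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* stream_through() is a hypothetical helper written for this example: it runs
 * argv[0] with `in` on its standard input and collects its standard output in
 * a malloc'd buffer. Returns the child's exit status, or -1 on failure. */
int stream_through(char *const argv[], const char *in, size_t in_len,
                   char **out, size_t *out_len)
{
    int to_child[2], from_child[2], status, failed = 0;
    size_t sent = 0, cap = 0;
    *out = NULL; *out_len = 0;
    if (pipe(to_child) < 0) return -1;
    if (pipe(from_child) < 0) {
        close(to_child[0]); close(to_child[1]);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: wire the pipes to stdin/stdout, then become the filter. */
        signal(SIGPIPE, SIG_DFL);
        if (dup2(to_child[0], STDIN_FILENO) < 0 ||
            dup2(from_child[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    /* Parent: keep the head of the input pipe and the tail of the output pipe. */
    close(to_child[0]);
    close(from_child[1]);
    int wfd = to_child[1], rfd = from_child[0];
    signal(SIGPIPE, SIG_IGN);   /* process-wide: a dead child now yields EPIPE */
    fcntl(wfd, F_SETFL, fcntl(wfd, F_GETFL) | O_NONBLOCK);
    if (in_len == 0) { close(wfd); wfd = -1; }

    /* Interleave writes and reads. Writing all input first deadlocks once the
     * child blocks on a full output pipe while we block on a full input pipe. */
    while (rfd >= 0) {
        struct pollfd p[2] = { { rfd, POLLIN, 0 }, { wfd, POLLOUT, 0 } };
        if (poll(p, 2, -1) < 0) {
            if (errno == EINTR) continue;
            failed = 1;
            break;
        }
        if (wfd >= 0 && p[1].revents) {
            ssize_t n = write(wfd, in + sent, in_len - sent);
            if (n > 0) sent += (size_t)n;
            else if (n < 0 && errno != EAGAIN && errno != EINTR)
                sent = in_len;               /* child stopped reading: give up */
            if (sent == in_len) { close(wfd); wfd = -1; }  /* EOF for the child */
        }
        if (p[0].revents) {
            if (*out_len + 4096 > cap) {
                cap = cap ? cap * 2 : 8192;
                char *t = realloc(*out, cap);
                if (!t) { failed = 1; break; }
                *out = t;
            }
            ssize_t n = read(rfd, *out + *out_len, 4096);
            if (n > 0) *out_len += (size_t)n;
            else if (n == 0 || errno != EINTR) { close(rfd); rfd = -1; }
        }
    }
    if (wfd >= 0) close(wfd);
    if (rfd >= 0) close(rfd);
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return (failed || !WIFEXITED(status)) ? -1 : WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Placeholder recipient: pass a user ID from your own keyring as argv[1]. */
    char *const gpg[] = { "gpg", "--batch", "--armor", "--encrypt", "-r",
                          argc > 1 ? argv[1] : "RECIPIENT-PLACEHOLDER", NULL };
    const char msg[] = "constructed sample plaintext\n";
    char *out; size_t n;
    int rc = stream_through(gpg, msg, strlen(msg), &out, &n);
    if (rc == 0) fwrite(out, 1, n, stdout);
    free(out);
    return rc == 0 ? 0 : 1;
}
```

The same helper works for decryption by changing the argument vector; gpg's exit status is returned so a failed operation is not mistaken for empty output.
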

From rjh at sixdemonbag.org Thu Dec 18 16:04:23 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 18 Dec 2008 10:04:23 -0500
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21074117.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com> <4949D4DE.7090105@gmail.com> <21074117.post@talk.nabble.com>
Message-ID: <494A6677.8000300@sixdemonbag.org>

arghman wrote:
> So (and here's where I'm less clear) if I wanted to link the assertions made
> by my X.509 certificates and my OpenPGP keys, there's no way to
> automatically do this. But if I were to use the same private/public key in
> both cases, I can assert to a third party that the entity in control of the
> certificate / keys is the same entity because they are based on the same
> underlying cryptographic primitive.

And the answer is the same as before: this is possible although very difficult and usually not worth it.

From dshaw at jabberwocky.com Thu Dec 18 16:52:44 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 18 Dec 2008 10:52:44 -0500
Subject: How encrypt data/text stream instead of a file?
In-Reply-To: <999818.64618.qm@web57803.mail.re3.yahoo.com>
References: <999818.64618.qm@web57803.mail.re3.yahoo.com>
Message-ID: <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com>

On Dec 18, 2008, at 1:14 AM, don rhummy wrote:

> All the examples of using GnuPG are of giving it a local filename to
> encrypt or decrypt. How do I pass it data, either as a stream or
> byte by byte?

GnuPG is designed to be able to accept a stream or a file. To do a stream instead of a file, just don't give a filename. GnuPG will then read data from standard input.

So, for example:

my-pipeline-that-streams-data | gpg --encrypt | my-pipeline-that-accepts-encrypted-data

You can freely mix streams and files as well:

my-pipeline-that-streams-data | gpg -o output-file.gpg --encrypt

Or

gpg -o - --encrypt myfile | my-pipeline-that-accepts-encrypted-data

Anyway, that's how you do it on the command line. If you want to do it inside a program, it depends on what language you're using and how that language deals with calling out to a command line. In general, though, you want to write data to the head of the GPG pipe, and read data from the tail of the GPG pipe. I do this frequently in C via the usual pipe/fork/exec/dup2 method.

David

From shavital at mac.com Thu Dec 18 18:18:22 2008
From: shavital at mac.com (Charly Avital)
Date: Thu, 18 Dec 2008 12:18:22 -0500
Subject: [Enigmail] Different gpg2 versions in gpg2 --version and when signing with TB+EM - Linux Ubuntu 8.10_64bits
In-Reply-To: <494A7ED8.4010405@mozilla-enigmail.org>
References: <493FE2BC.7090407@mozilla-enigmail.org> <494A6CF2.90007@mac.com> <494A6FE8.60908@mozilla-enigmail.org> <494A72E7.60700@mac.com> <494A7ED8.4010405@mozilla-enigmail.org>
Message-ID: <494A85DE.5010303@mac.com>

Patrick Brunschwig wrote:
[...]
>> This is what I have found, I am not quoting all the output, just the
>> beginning.
>
>> Initializing Enigmail service ... EnigmailAgentPath=/usr/bin/gpg2
>
> I think this says it all: Enigmail uses GnuPG from /usr/bin, not from
> /usr/local/bin.
> -Patrick

Thanks Patrick, that did it. I changed the path in OpenPGP/Preferences to /usr/local/bin/gpg2.

Charly

From rjh at sixdemonbag.org Thu Dec 18 18:40:41 2008
From: rjh at sixdemonbag.org (Robert J. Hansen)
Date: Thu, 18 Dec 2008 12:40:41 -0500
Subject: How encrypt data/text stream instead of a file?
In-Reply-To: <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com>
References: <999818.64618.qm@web57803.mail.re3.yahoo.com> <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com>
Message-ID: <494A8B19.1010204@sixdemonbag.org>

David Shaw wrote:
> GnuPG is designed to be able to accept a stream or a file.

My bad. I was reading that as the OP needed GnuPG to function as a stream cipher.

From donrhummy at yahoo.com Thu Dec 18 18:49:41 2008
From: donrhummy at yahoo.com (don rhummy)
Date: Thu, 18 Dec 2008 09:49:41 -0800 (PST)
Subject: How encrypt data/text stream instead of a file?
In-Reply-To: <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com>
Message-ID: <760365.68278.qm@web57804.mail.re3.yahoo.com>

OK, so I need to put the data into the out stream. Can you give some sample code from C doing this? I'm not 100% clear on the order, etc of calling gpg and sending the data to "out." Thanks!

--- On Thu, 12/18/08, David Shaw wrote:

> From: David Shaw
> Subject: Re: How encrypt data/text stream instead of a file?
> To: donrhummy at yahoo.com
> Cc: gnupg-users at gnupg.org
> Date: Thursday, December 18, 2008, 10:52 AM
> On Dec 18, 2008, at 1:14 AM, don rhummy wrote:
>
> > All the examples of using GnuPG are of giving it a
> local filename to encrypt or decrypt. How do I pass it data,
> either as a stream or byte by byte?
>
> GnuPG is designed to be able to accept a stream or a file.
> To do a stream instead of a file, just don't give a
> filename. GnuPG will then read data from standard input.
>
> So, for example:
>
> my-pipeline-that-streams-data | gpg --encrypt |
> my-pipeline-that-accepts-encrypted-data
>
> You can freely mix streams and files as well:
>
> my-pipeline-that-streams-data | gpg -o output-file.gpg
> --encrypt
>
> Or
>
> gpg -o - --encrypt myfile |
> my-pipeline-that-accepts-encrypted-data
>
> Anyway, that's how you do it on the command line. If
> you want to do it inside a program, it depends on what
> language you're using and how that language deals with
> calling out to a command line. In general, though, you want
> to write data to the head of the GPG pipe, and read data
> from the tail of the GPG pipe. I do this frequently in C
> via the usual pipe/fork/exec/dup2 method.
>
> David

From dshaw at jabberwocky.com Thu Dec 18 19:01:48 2008
From: dshaw at jabberwocky.com (David Shaw)
Date: Thu, 18 Dec 2008 13:01:48 -0500
Subject: How encrypt data/text stream instead of a file?
In-Reply-To: <760365.68278.qm@web57804.mail.re3.yahoo.com>
References: <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com> <760365.68278.qm@web57804.mail.re3.yahoo.com>
Message-ID: <20081218180147.GA22123@jabberwocky.com>

On Thu, Dec 18, 2008 at 09:49:41AM -0800, don rhummy wrote:
> OK, so I need to put the data into the out stream. Can you give some sample code from C doing this? I'm not 100% clear on the order, etc of calling gpg and sending the data to "out." Thanks!

I don't want to do a full pipe/fork/exec/dup2 tutorial here (it's the GnuPG list after all), but read this:

http://www.cs.uleth.ca/~holzmann/C/system/pipeforkexec.html

Or try "popen" (and add some error checking):

FILE *my_gpg_stream;

my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r");

(now read from "my_gpg_stream" until you see EOF).

pclose(my_gpg_stream);

David

From JPClizbe at tx.rr.com Thu Dec 18 19:52:50 2008
From: JPClizbe at tx.rr.com (John Clizbe)
Date: Thu, 18 Dec 2008 12:52:50 -0600
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <494A6677.8000300@sixdemonbag.org>
References: <21057804.post@talk.nabble.com> <49497742.6050200@sixdemonbag.org> <21063072.post@talk.nabble.com> <4949D4DE.7090105@gmail.com> <21074117.post@talk.nabble.com> <494A6677.8000300@sixdemonbag.org>
Message-ID: <494A9C02.5030508@tx.rr.com>

Robert J. Hansen wrote:
> arghman wrote:
>> So (and here's where I'm less clear) if I wanted to link the assertions made
>> by my X.509 certificates and my OpenPGP keys, there's no way to
>> automatically do this. But if I were to use the same private/public key in
>> both cases, I can assert to a third party that the entity in control of the
>> certificate / keys is the same entity because they are based on the same
>> underlying cryptographic primitive.
>
> And the answer is the same as before: this is possible although very
> difficult and usually not worth it.

I tried this some years ago and concur with Robert.

PGP Desktop will read a X.509 cert into its keyring. What you get is a RSA key with no expiration date with a CA certification as a signature packet which has no impact on the key's functionality once it expires. That's not the way X.509 is supposed to work.

This key pair may be exported and imported into GnuPG where it will be seen as a nonselfsigned key with an invalid signature packet (the CA certification).

C:\WINNT>gpg --list-key 0xbe81a801
pub   2048R/BE81A801 2005-09-16
uid                  Thawte Freemail Member

C:\WINNT>gpg --list-sigs 0xbe81a801
pub   2048R/BE81A801 2005-09-16
uid                  Thawte Freemail Member
sig       X  00000000 2005-09-16  [User ID not found]

You can use the raw key material from a X.509 cert in GnuPG after you've massaged and cleaned it up a bit. But it really doesn't gain you anything. Each of the two copies have no effect on the other. The CA's certification is ignored in OpenPGP. Any additional OpenPGP signatures have no effect on the X.509 validity or trust.

IMO, A lot of work for no real benefit. YMMV.

--
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO.
hkp://keyserver.gingerbear.net or mailto:pgp-public-keys at gingerbear.net?subject=HELP

Q:"Just how do the residents of Haiku, Hawai'i hold conversations?"
A:"An odd melody / island voices on the winds / surplus of vowels"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 680 bytes
Desc: OpenPGP digital signature
URL:

From classpath at arcor.de Fri Dec 19 00:04:43 2008
From: classpath at arcor.de (Morton D. Trace)
Date: Fri, 19 Dec 2008 00:04:43 +0100
Subject: using gpg with private keys from openssl certificates?
In-Reply-To: <21057804.post@talk.nabble.com>
References: <21057804.post@talk.nabble.com>
Message-ID: <494AD70B.5030306@arcor.de>

arghman wrote:
> I'm experimenting w/ using the "freemail" certificates from thawte & was just
> wondering if there is a way I can use them with gpg (openpgp, NOT S/MIME). I
> can figure out how to use openssl to extract the rsa public key / private
> key from the exported PKCS12 file, but I'm not sure how (or if) there was a
> way to import that to gpg. I'm also missing some big picture issues, e.g.:
>

Dear Mr.
Arghman from here http://www.minstrel.org.uk/wot-faq/q1.html it looks like an x.509 PKCS12 Public key Cryptography Standard file can be used to sign your PGP key.

Can I sign my PGP key with a Thawte Freemail certificate?

Indeed you can. Although Thawte withdrew official and integrated support for signing PGP keys some time ago, there are still ways to achieve this (Thawte are looking into ways to reinstigate the process, but this may be some time away). Note that this process will only work for RSA keys, either legacy or 'new' RSA. 'New' RSA keys are only supported in the very latest versions of PGP.

The steps you need to take are as follows (many thanks to Martin Bene for this description, which I have amended slightly for clarity):

There are two conversion steps required:

1) Generate a certificate request from the existing key.
2) Get the certificate chain returned by Thawte into a format PGP can import.

Generate Cert Request

Use PGP's built-in CA support to generate the certificate request and a script on a webserver to mail it back to you. You can either use the script I've put up on my server or use your own server, mailreq script attached. [Contact me if you want a copy of this script -- Peter]

1. In PGPKeys go to Options/CA
2. Enter http://install.sime.com/mailreq.php?to=wot at fugue.org as the CA URL
3. Select "Net tools PKI Server" as the server type
4. To get your certificate, go to the Thawte certificate manager
5. Use "Paste-in CSR Certificate Enrollment" right at the bottom
6. Click through to the "Paste PKCS10 Certificate Here" page
7. Note the required common name, something like "dFA7F1w4vmxLxA93"
8. Copy this common name to the clipboard (don't close the browser!)
9. In PGPKeys, right-click your key and select 'Add/Certificate'
10. Edit the "Full Name" field, and paste in the string you copied from the Thawte site
11. Submit by clicking OK
12. You should now get an email containing your request
13. Back in the Web browser, paste the request into the text field
14. Submit the Certificate request.

Import the stuff you get back from thawte

Thawte will return the finished certificate both as a Netscape Certificate chain and as a PKCS7 Certificate chain, neither of which PGP understands. So, some conversion is required - the easiest way is to split the PKCS7 chain into separate certificates and output these in ASCII format - just save into separate .pem files and import into PGP (using 'Key/Import' and selecting the .pem files).

To split the PKCS7 chain, either use the attached splitchain.c script [Contact me if you want a copy of this script -- Peter] (requires Peter Gutmann's Cryptlib library) or use the web interface at http://install.sime.com/split.php

You'll want to verify (trust) the Thawte Root Certificate you just imported to your PGP Keyring - here are some ways to do that:

* Download the "Personal Freemail Root" cert from Thawte directly, and compare Key Fingerprint/Key ID. To do this:
  1. Go to https://www.thawte.com/cgi/lifecycle/roots.exe
  2. Find the Root entitled "1.Thawte Personal Freemail CA, 1995.12.31 - 2020.12.31" (this should be the right one)
  3. Download the root in text form, saving as a .pem file
  4. Import the .pem file into PGP
* Export the Freemail Root certificate from the Internet Explorer Root CA database, on your computer, and compare Key ID/Fingerprint. To do this:
  1. Open Internet Explorer, and select 'Tools/Internet Options/Content/Certificates...'
  2. In the 'Trusted Root Certificates' section, marvel first of all at how many organisations you trust completely (!), and then select 'Thawte Personal Freemail CA'
  3. Click 'Export...'
  4. Either: export as a PKCS7 chain and then split it as described above Or: export as Base-64 encoded X.509
  5. Import the resulting file into PGP

Whichever you choose, you should finish by updating signatures from your favourite PGP Keyserver, and check those.
Some final thoughts on the security of this process, especially with regard to using scripts on an untrusted server (i.e. my scripts): none of the steps involved send any Private Key data over the Internet, so your Private Key can not be compromised. Consequence of a hostile script in step 1 (mailing the certificate request back to you): the certificate request is self-signed, a modified request would therefore no longer be valid. A completely new request (different Private Key) would not match your key on import. The script could get your public key, but as the name implies... I don't see any really bad possibilities here. Consequence of a hostile script in step 2 (splitting the returned Certificate chain): more room for fun here. I could return a completely bogus certificate with equaly bogus Thawte Root certificates, thereby getting you to trust my "fake Thawte" certificates. So, it's absolutely VITAL that you check the validity of the root cert before trusting it! Once the root cert is OK, the rest of the chain including your personal cert can be trivially checked. Since putting the above description in this FAQ, I have received some further advice from Steve Davies. Note that I have not yet verified any of the details here, but it seems to be a slightly simpler approach: Some additional notes for you that might help make it easier in future: a) Setting up PGP to generate a cert request. You must have chosen a root certificate in the PGP Options/CA dialog before you can request a certificate. I suggest using the export Thawte root CA from IE, import into PGP path. Note to user that the file must be named *.pem for PGP to install it. b) For generating the cert request. You do not need the step 1) webserver->email process to collect the certificate request. There is a radio button on PGP's CSR generation page that says "PKCS-10"; This copies the request straight to your clipboard, ready to be pasted into Thawte's web-page. 
c) Using the certificate splitter Additional advice for using the on-line certificate splitter. Only copy the final certificate from the resultant web-page, and not any of the signing certificates. This is one less thing that can be faked; Instead, import an already generated Thawte Freemail cert from IE into PGP, with the full private key and certificate chain attached, and delete that provate key from PGP straight away, leaving just a (trusted) copy of the certificate chain in PGP. d) The poor man's (easy) solution Simply generate a key for IE, export it to PGP, and use that as your PGP key (1024-bit RSA legacy only though) Cheers, Steve PGP/GPG Public Key [4096/4096 RSA] Contact The Minstrel I haven't tried splitchain.c but it is easy to do base64 encoding with openssl. I think thawte did previously offer OpenPGP certificates, but x.509 is better suited for websites and OpenPGP is better for emails. thawte certificates can be used with cacert certificates. But not all applications and operating systems support it, but they are equal x.509 conformant. signing and importing a key to your keyring is not equal, here is thawte maybe you can ask them directly? http://www.thawte.com/contact/index.html if you google for openpgp thawte.com you will find http://gswot.org/ which does this Bridging the OpenPGP, Thawte and CA Cert webs of trust. Sometimes in one single email you can S & E with x.509 and even overload this sign & encryption with an additional openpgp S & E If both secret keys were equal I would guess that the result could be plaintext, that x oring a message twice with the "same" key renders plaintext. hence I feel safe when I know that my RSA key from x.509 is created totally different than the openpgp --genkey process. You will need both ways to encode. In future we will have more voip and that is still unencrypted, but will be encrypted, just like skype GSM, SRTP ZRTP are different protocols which no one wants to use on a webserver. 
If you send html mail s/mine x.509 is better, Since I mostly send ascii or unicode email openpgp is better suited for me. It can encrypt large files and does the trick very well for verifying the integrity of fedora rpms. here is what you will need. ftp://ftp.pgpi.org/pub/pgp/7.0/docs/english/IntroToCrypto.pdf http://www.pgpi.org/doc/ http://www.imc.org/smime-pgpmime.html Sincerely ????????????? From jamesd at jml.net Fri Dec 19 11:26:11 2008 From: jamesd at jml.net (James Davis) Date: Fri, 19 Dec 2008 10:26:11 +0000 Subject: A question about verifying keys Message-ID: <494B76C3.7030406@jml.net> A colleague of mine asked me to send him a signed e-mail of fingerprints of some keys that I'd personally verified earlier in the day. I'd also signed the keys, and published the signatures to a public key server. I argued that my signature on the publicly available keys was as good as the signed e-mail of the fingerprints. He seemed to think that the public key server introduced the possibility of meddling with the keys (although I pointed out that if this was the case, my signatures wouldn't verify). Is a signed e-mail containing a fingerprint equivalent to signing a key? James From wk at gnupg.org Fri Dec 19 12:03:48 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 19 Dec 2008 12:03:48 +0100 Subject: How encrypt data/text stream instead of a file? In-Reply-To: <20081218180147.GA22123@jabberwocky.com> (David Shaw's message of "Thu, 18 Dec 2008 13:01:48 -0500") References: <8E547378-C9DB-4AC5-9A5D-5EBA28D22876@jabberwocky.com> <760365.68278.qm@web57804.mail.re3.yahoo.com> <20081218180147.GA22123@jabberwocky.com> Message-ID: <87ljucifzf.fsf@wheatstone.g10code.de> On Thu, 18 Dec 2008 19:01, dshaw at jabberwocky.com said: > my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r"); We all now that but anyway: Please make 100% sure that you don't insert any data (filenames, user IDS, etc) you received from a user into the command line passed to popen. 
popen uses the shell to execute gpg and thus all kind of shell quoting tricks can be used to take over the system. If you really need to insert data received from the user, screen the data against a list of innocent characters (i.e. "[a-zA-Z0-9_.-]") and reject it if you notice any other character. Salam-Shalom, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From wk at gnupg.org Fri Dec 19 12:13:26 2008 From: wk at gnupg.org (Werner Koch) Date: Fri, 19 Dec 2008 12:13:26 +0100 Subject: A question about verifying keys In-Reply-To: <494B76C3.7030406@jml.net> (James Davis's message of "Fri, 19 Dec 2008 10:26:11 +0000") References: <494B76C3.7030406@jml.net> Message-ID: <87hc50ifjd.fsf@wheatstone.g10code.de> On Fri, 19 Dec 2008 11:26, jamesd at jml.net said: > Is a signed e-mail containing a fingerprint equivalent to signing a key? No, it is different: * If you sign a key, you actually sign the concatenation of a key and a user ID. * If you sign a file with a fingerprint you merely sign the key. Thus in the latter case there is no way to check whether the key belongs to a certain user ID. Of course if you sign a file with a content like: pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31] Key fingerprint = 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367 uid Werner Koch both methods are equivalent. However, this manual verification process is more error prone than having gpg do that for you. Shalom-Salam, Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From jamesd at jml.net Fri Dec 19 13:20:00 2008 From: jamesd at jml.net (James Davis) Date: Fri, 19 Dec 2008 12:20:00 +0000 Subject: A question about verifying keys In-Reply-To: <87hc50ifjd.fsf@wheatstone.g10code.de> References: <494B76C3.7030406@jml.net> <87hc50ifjd.fsf@wheatstone.g10code.de> Message-ID: <494B9170.5010404@jml.net> Werner Koch wrote: > Thus in the latter case there is no way to check whether the key belongs > to a certain user ID. 
Of course if you sign a file with a content like: > > pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31] > Key fingerprint = 8061 5870 F5BA D690 3336 86D0 F2AD 85AC 1E42 B367 > uid Werner Koch > > both methods are equivalent. However, this manual verification process > is more error prone than having gpg do that for you. Thank you. That clears things up for me. :-) James From niels at toxisch.net Sun Dec 21 22:01:18 2008 From: niels at toxisch.net (niels at toxisch.net) Date: Sun, 21 Dec 2008 22:01:18 +0100 Subject: Generating Keys by Existing Message-ID: <20081221220118.5365323e@howard> Hello together! Is it possible to merge some public keys to one? Or maybe one after another? I would like to have one key for my friends, so i can post a message to them without selecting everyones key. I searched for it in the hole internet but didn't found anything. Thanks for help Niels From dshaw at jabberwocky.com Sun Dec 21 22:49:19 2008 From: dshaw at jabberwocky.com (David Shaw) Date: Sun, 21 Dec 2008 16:49:19 -0500 Subject: Generating Keys by Existing In-Reply-To: <20081221220118.5365323e@howard> References: <20081221220118.5365323e@howard> Message-ID: <6753A954-4CA9-4FA0-B5D9-92F2FFB03C2F@jabberwocky.com> On Dec 21, 2008, at 4:01 PM, niels at toxisch.net wrote: > Hello together! > Is it possible to merge some public keys to one? > Or maybe one after another? > > I would like to have one key for my friends, so i can post a message > to > them without selecting everyones key. I think what you're looking for is a "group". When you use groups, you define a particular name, and when you encrypt to this name, you actually encrypt to everyone in the group. From the sample gpg.conf file: # Group names may be defined like this: # group mynames = paige 0x12345678 joe patti # # Any time "mynames" is a recipient (-r or --recipient), it will be # expanded to the names "paige", "joe", and "patti", and the key ID # "0x12345678". 
Note there is only one level of expansion - you # cannot make an group that points to another group. Note also that # if there are spaces in the recipient name, this will appear as two # recipients. In these cases it is better to use the key ID. David From rjh at sixdemonbag.org Mon Dec 22 21:30:07 2008 From: rjh at sixdemonbag.org (Robert J. Hansen) Date: Mon, 22 Dec 2008 15:30:07 -0500 Subject: 'Tis the Season Message-ID: <494FF8CF.6090409@sixdemonbag.org> 'Tis the season for Hanukkah, Kwanzaa, Christmas, Winter Solstice, New Year's, or whatever your favorite holiday is. It's a time to be gracious and to remember to say "please" and "thank you", and also a time for charitable giving. It's very hard -- if not impossible -- to reward the GnuPG developers for their labors. To whom should a donation be given? To the user who first spotted a bug, the other user who tracked it down precisely, the developer who fixed it, the sysadmin who hosts the project? What about to the mailing list, where so many questions get answered by people who have no official connection with GnuPG whatsoever? There are no good answers to this. The best that can be done is to issue virtual beer tokens, to say "thank you", and maybe to do something for a charity with similar goals to that of the GnuPG crew. So: to all the developers, to all the bugfinders, to all the people who patiently answer questions on mailing lists, to everyone who contributes to signal and diminishes noise... thank you, very much, for making this community as much fun as it is, and for your role in making GnuPG as high quality a product as it is. Consider yourselves to all have a beer token issued by me, payable on demand should we ever meet face to face. There are several charitable groups that support the ideals of privacy rights and individual liberties. I've assembled three of them below.
This year, I will be donating to the Electronic Frontier Foundation with a note that it's in thanks for the GnuPG project. Thank you, Werner. Thank you, David. And thank you, everyone else. :) http://www.fsf.org/associate/support_freedom http://www.fsfeurope.org/help/donate.en.html http://secure.eff.org/donate From shavital at mac.com Mon Dec 22 22:36:34 2008 From: shavital at mac.com (Charly Avital) Date: Mon, 22 Dec 2008 16:36:34 -0500 Subject: 'Tis the Season In-Reply-To: <494FF8CF.6090409@sixdemonbag.org> References: <494FF8CF.6090409@sixdemonbag.org> Message-ID: <49500862.7060504@mac.com> Robert J. Hansen wrote the following on 12/22/08 3:30 PM: [...] > > Thank you, Werner. Thank you, David. And thank you, everyone else. :) > http://www.fsf.org/associate/support_freedom > http://www.fsfeurope.org/help/donate.en.html > http://secure.eff.org/donate I wholeheartedly concur. And Season's greetings.
Charly From benjamin at py-soft.co.uk Wed Dec 24 14:05:22 2008 From: benjamin at py-soft.co.uk (Benjamin Donnachie) Date: Wed, 24 Dec 2008 13:05:22 +0000 Subject: MacGPG2 news. Message-ID: <732076a80812240505o3a42b60td9be6c1151b4816d@mail.gmail.com> The MacGPG2 project, responsible for producing a simple to use binary install package for GnuPG v2.x under MacOSX has moved to a separate project, see http://macgpg2.sourceforge.net/ MacGPG v2.0.9-BETA3 is now available to download from http://sourceforge.net/project/showfiles.php?group_id=248469 and I will be working on a fully working version ready for GnuPG v2.0.10 which is expected soon. Although I previously intended to incorporate MacGPG2 into the existing MacGPG project, it remained hosted separately on my server. Since shutting it down, it has become clear to me that MacGPG2 needed a separate home and hence the separate group. Benjamin Donnachie MacGPG2 Project From wk at gnupg.org Tue Dec 30 15:41:17 2008 From: wk at gnupg.org (Werner Koch) Date: Tue, 30 Dec 2008 15:41:17 +0100 Subject: FYI: allium.gnupg.org shutdown Message-ID: <87zlidg1yq.fsf@wheatstone.g10code.de> Hi, the new year is coming and Germany will suffer from another restriction on privacy. As some of you might now, we are running the TOR server charlesbabbage (aka allium.gnupg.org) with a throughput of about 10TB/month. Unfortunately we are forced to shut it down tomorrow.
As http://allium.gnupg.org states: THIS SERVICE WILL BE SHUTDOWN ON 2008-12-31! The German data retention law requires us to save the connection information before and after they have been transformed by the TOR server. This is clearly not acceptable for this service and so we have no other choice than to shut it down. It has been stated several times by the "responsible" politicians that the law explicitly targets services to provide anonymity. In the light of these statements and several criminal investigations in the past, g10 Code GmbH (as the legal entity running this server) can't assume that there is a reasonable chance to keep running the server without spending a lot of money on court cases or penalties. We sincerely hope that our Federal Constitutional Court will soon decide on this law and void the problematic parts of the law. As soon as that happens we will continue this service. Anyway, I wish you all a Happy New Year 2009. Werner -- Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz. From rafmav at wanadoo.fr Fri Dec 26 01:04:39 2008 From: rafmav at wanadoo.fr (Raphaël Maville) Date: Fri, 26 Dec 2008 01:04:39 +0100 Subject: how-to 1) remove a key, 2) avoid spam, 3) add a principal UID when delete ? Message-ID: <1230249879.7702.9.camel@rafmav-laptop> 1) How to delete an unpublished GnuPG key from a computer when the Passphrase and the Revoke file are lost? This key was created without revoke file. It was not published at all on internet or to my friends. 2) How to avoid spamming to my mail boxes, is it better not to mention it on a GnuPG key? 3) How to add a "principal" uid to a key? I had removed the principal UID because I wanted to modify the firstname ("trema" not well prompted). And then I can only add sub-uid.
Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Ceci est une partie de message num?riquement sign?e URL: From rc.china at gmail.com Mon Dec 29 14:32:34 2008 From: rc.china at gmail.com (raocheng) Date: Mon, 29 Dec 2008 21:32:34 +0800 Subject: Problem when compiling libgcrypt1.4.3 on Solaris 10 (sparc) Message-ID: When I compile libgrypt1.4.3 on Solaris 10 (sparc), there is the following error: ======================================================== /bin/bash ../libtool --tag=CC --mode=link gcc -I/usr/local/include -g -O2 -Wall -Wpointer-arith -version-info 16:1:5 -o libgcrypt.la -rpath /usr/local/lib libgcrypt_la-visibility.lo libgcrypt_la-misc.lo libgcrypt_la-global.lo libgcrypt_la-sexp.lo libgcrypt_la-hwfeatures.lo libgcrypt_la-stdmem.lo libgcrypt_la-secmem.lo libgcrypt_la-missing-string.lo libgcrypt_la-module.lo libgcrypt_la-fips.lo libgcrypt_la-hmac256.lo libgcrypt_la-ath.lo ../cipher/libcipher.la ../random/librandom.la ../mpi/libmpi.la -L/usr/local/lib -lgpg-error -lsocket -lsocket gcc -shared -Wl,-h -Wl,libgcrypt.so.11 -o .libs/libgcrypt.so.11.5.1 .libs/libgcrypt_la-visibility.o .libs/libgcrypt_la-misc.o .libs/libgcrypt_la-global.o .libs/libgcrypt_la-sexp.o .libs/libgcrypt_la-hwfeatures.o .libs/libgcrypt_la-stdmem.o .libs/libgcrypt_la-secmem.o .libs/libgcrypt_la-missing-string.o .libs/libgcrypt_la-module.o .libs/libgcrypt_la-fips.o .libs/libgcrypt_la-hmac256.o .libs/libgcrypt_la-ath.o -z allextract ../cipher/.libs/libcipher.a ../random/.libs/librandom.a ../mpi/.libs/libmpi.a -z defaultextract -R/usr/local/lib -R/usr/local/lib -L/usr/local/lib /usr/local/lib/libgpg-error.so -lsocket -lc ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-add1-asm.o): symbol : offset 0xfe65b722 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-add1-asm.o): symbol : offset 0xfe65b726 is non-aligned ld: fatal: 
relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-add1-asm.o): symbol : offset 0xfe65b72a is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe65bc39 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe65bc3f is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe65bc43 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe65bc47 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): symbol : offset 0xfe65bc93 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): symbol : offset 0xfe65bc99 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): symbol : offset 0xfe65bc9d is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): symbol : offset 0xfe65bca1 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe65bced is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe65bcf3 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe65bcf7 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe65bcfb is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-add1-asm.o): symbol : offset 0xfe69e579 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe69f531 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): 
symbol : offset 0xfe69f5a2 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe69f609 is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-add1-asm.o): symbol : offset 0xfe6a9ebe is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-lshift-asm.o): symbol : offset 0xfe6a9f5e is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(mpih-rshift-asm.o): symbol : offset 0xfe6a9f7e is non-aligned ld: fatal: relocation error: R_SPARC_32: file ../mpi/.libs/libmpi.a(udiv-asm.o): symbol : offset 0xfe6a9f9e is non-aligned collect2: ld returned 1 exit status *** Error code 1 make: Fatal error: Command failed for target `libgcrypt.la' Current working directory /opt/OpenLdap/libgcrypt-1.4.3/src ======================================================== Thank you for any suggestion ! -------------- next part -------------- An HTML attachment was scrubbed... URL:
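
Added example (not code from any list member or from GnuPG), referring back to Werner Koch's 19 Dec 2008 reply in the "How encrypt data/text stream instead of a file?" thread above: popen passes its command string to the shell, so user-supplied values must be screened against "[a-zA-Z0-9_.-]". The C code below applies that allowlist and, going one step beyond the message, starts gpg with fork/execvp so no shell parses the values at all; the function names, the extra leading-'-' check and the sample inputs are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Allowlist from the message: [a-zA-Z0-9_.-]. Spelled out instead of
 * using isalnum(), whose result depends on the locale. */
static const char INNOCENT[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";

/* 1 if s is non-empty and made only of allowlisted characters.
 * A leading '-' is also rejected (assumption of this example): it passes
 * the allowlist, but gpg would parse the value as an option. */
int is_innocent(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    return s[strspn(s, INNOCENT)] == '\0';
}

/* Builds argv for "gpg -o - -r <recipient> -e <file>" (hypothetical
 * helper). Returns 0, or -1 if either value fails screening. */
int build_gpg_argv(const char *recipient, const char *file,
                   const char *argv[8])
{
    if (!is_innocent(recipient) || !is_innocent(file))
        return -1;
    argv[0] = "gpg"; argv[1] = "-o"; argv[2] = "-";
    argv[3] = "-r";  argv[4] = recipient;
    argv[5] = "-e";  argv[6] = file;  argv[7] = NULL;
    return 0;
}

/* popen() replacement: runs gpg directly, so the values are never parsed
 * by a shell. Returns a read stream of gpg's stdout, or NULL. The caller
 * fclose()s the stream and waitpid()s *pid_out. */
FILE *gpg_encrypt_stream(const char *recipient, const char *file,
                         pid_t *pid_out)
{
    const char *argv[8];
    int fds[2];
    pid_t pid;
    FILE *fp;

    if (build_gpg_argv(recipient, file, argv) != 0 || pipe(fds) != 0)
        return NULL;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    if (pid == 0) {                      /* child: stdout -> pipe, exec */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) >= 0)
            execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    close(fds[1]);
    *pid_out = pid;
    fp = fdopen(fds[0], "r");
    if (fp == NULL)
        close(fds[0]);
    return fp;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the list. */
    const char *samples[] = { "0x12345678", "report.txt",
                              "whoever; id", "$(id)", "--yes", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               is_innocent(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allowlist also rejects '@' and spaces, so recipients given as e-mail addresses or full names fail screening; passing a key ID such as 0x12345678 avoids that.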